Monthly Archives: November 2016

Mirai botnet attack hits thousands of home routers, throwing users offline

Nearly a million users across Europe were thrown off the internet during the weekend into Monday after criminals tried to hijack home routers as part of a coordinated cyber attack.

Security researchers said that routers given to customers in Germany by their internet providers were at risk of attack from the notorious Mirai malware, most notable for its large-scale botnet that brought parts of the internet offline on the US east coast last month.

Mirai, if used to attack specific targets, can bring down websites, services, or even internet infrastructure, which can mean widescale outages.

The routers, most of which were made by Zyxel and Speedport, had port 7547 open, a port typically used by internet providers to remotely manage and maintain the devices in case of an outage or issue.

The exploit code used to attack the routers is believed to be derived from a modified version of Mirai, which instead of commandeering vast numbers of internet-connected surveillance cameras was used in a botched attempt to hijack home routers. According to the SANS Internet Storm Center, which was first to report the issue, honeypots pretending to be affected routers are receiving exploit orders as quickly as once every five minutes.

There are more than 41 million devices on the searchable internet with port 7547 open.

But instead of diverting those routers’ internet traffic to the criminals’ intended target to bring websites or services offline, the routers crashed.

With the deadline days away, expansion of FBI hacking powers looks likely

Rule 41 might be the least interesting name for one of the most significant factors this year in security and privacy.

Why? Because the rule is about to change, allowing the FBI to vastly broaden its spying powers.

Earlier this year, the Supreme Court proposed a new rule that would allow US judges to issue warrants outside their jurisdiction. Under existing rules, judges can only issue orders within their jurisdiction, often only a few miles across or covering a few local districts. The hope was that this rule change would make cases more efficient, such as in cyber-related cases, which typically span multiple districts and even countries.

Simply put: all it would take would be for the FBI to ask a friendly judge to sign off on a search warrant that would let the agency use its so-called network investigative techniques — or NITs — to carry out hacks and conduct searches on computers and devices potentially anywhere in the world.

We’ve seen good uses of that hacking effort, such as catching users of a dark web child porn site, but one prominent privacy-minded lawmaker said in a statement that the rule change “would allow the government to get a single warrant to hack an unlimited number of Americans’ computers if their computers had been affected by criminals, possibly without notifying the victims.”

Here’s the twist. The proposed rule change will automatically go into effect on December 1 — that’s today — unless Congress intervenes.

Hackers Advance on San Francisco Transport Systems

San Francisco’s local transport system was targeted over the weekend

San Francisco’s transport agency has been hit by a hack attack which led to customers being able to travel for nothing.

The hackers have made a ransom demand of 100 Bitcoin, which amounts to about $70,000 (£56,000 ; €66,000).

As a precaution, staff shut off all ticketing machines on the network.

Computers across the city’s transport network, including at stations, were disabled with screens displaying a message from the attackers.

The message read: “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter”.

Yandex is a Russian internet company that, among other things, provides email and social networking tools.

The trains themselves were not affected – and city officials said a full investigation was underway.

‘2,000 machines hacked’

“There has been no impact to the transit service, to our safety systems or to our customer’s personal information,” a spokesman told the BBC.

“The incident remains under investigation, so it wouldn’t be appropriate to provide any additional details at this point.”

The Municipal Transportation Agency – known as Muni – looks after trains, trams and buses around the city, including San Francisco’s iconic cable cars.

On Sunday, ticketing machines were back up – but it was not clear if the hack had been contained.

It appeared to include many employee terminals as well as machines that may be used to look after payroll and employees’ personal information.

The hacker told Hoodline on Sunday that Muni had “one more day” to make a deal.

Cyberattack Exposes Sensitive Data on Over 134,000 US Sailors

The U.S. Navy said hackers have gained access to the Social Security numbers and other sensitive information of more than 134,000 current and former U.S. sailors.

The data breach occurred after hackers compromised the laptop of an employee of Navy contractor Hewlett Packard Enterprise.

In a statement released Wednesday, the Navy said that the information was accessed by “unknown individuals” and that an investigation was underway to identify and help those whose information was exposed.

The information was taken from what is known as the Career Appoints database, which is used to submit re-enlistment and occupation requests.

The statement said there was no evidence of “misuse” of the compromised information.

Hewlett Packard Enterprise informed the Navy of the breach October 27.

This is the latest in a string of data breaches in the U.S. this year. In a report issued Tuesday by the Identity Theft Resource Center, 901 breaches occurred in 2016, exposing the records of more than 34 million people.

The breaches occurred in the government, financial, business, educational and healthcare sectors.

The most breaches, 397, occurred in the business sector, exposing records on more than 5.5 million people.

There were 61 cyberattacks in the government/military sector, compromising the records of 12.9 million people.

Despite the large number of data breaches this year, none compare to the worst-ever data breach of U.S. federal government records. In 2015, the security clearance applications and other sensitive information of some 21.5 million people were compromised.

Top 5 U.S. data breaches

  • U.S. Office of Child Support Enforcement (federal agency): 5 million records exposed
  • Banner Health (a nonprofit health system): 3.6 million records exposed
  • Newkirk Products (a provider of healthcare identification cards for health insurance plans): almost 3.5 million records exposed
  • Washington Department of Fishing & Wildlife (a Washington state wildlife protection agency): 2.4 million records exposed
  • 21st Century Oncology (a provider of integrated cancer care services): 2.2 million records exposed

AdultFriendFinder network finally comes clean to members about hack


The company behind AdultFriendFinder.com has only just begun directly informing its users that their data has been stolen, a week after it publicly admitted that its networks had been compromised.

Friend Finder Networks, which owns several adult dating and entertainment sites including AdultFriendFinder.com and Cams.com, alerted users of a “security incident” in a message on Sunday, a little over a week after we first reported of the scale of the breach, which affected over 400 million accounts.

“[We] recently learned of a security incident that compromised certain customer usernames, passwords, and email addresses,” said the message. “Immediately upon learning this information, we took several steps to investigate the situation and retained external partners to support our investigation.”

But AdultFriendFinder was far from proactive about informing its users.

Several of the site’s users contacted me to say that they were only alerted to the security issue by a message in their inbox after they logged into one of the sites.

They heard about the hack from the media, and yet had not received any emails from the company directly.

That’s a problem for the hundreds of millions of users who no longer use the site but may still be affected by the breach. AdultFriendFinder.com alone claims to have 700 million users, but according to an analysis of the last login dates, over 200 million users haven’t logged in since 2010.

Friend Finder Networks has been wholly silent — with the exception of a press release posted late in the day last Monday, two days after news of the hack first broke, confirming the hack and that it was investigating the breach. The statement said that the company was “in the process of notifying affected users to provide them with information and guidance on how they can protect themselves,” but gave no timeline on delivery.

One user, who did not want to be named, told me that they thought it was “unacceptable” that they had to hear about the hack from the media rather than the company.

The message users received over the weekend. (Image: supplied)

The press release also said that the company “encourages” users to change their passwords, as opposed to forcing its users to reset their passwords when they next log in, which most security professionals consider standard practice after a data breach.

Another user who emailed told me that when they went to change their password, the page suggested users should use “characters a-z” and “numbers 0-9,” and said that passwords are not case sensitive. An analysis by LeakedSource, a breach notification site which obtained the database, first noted that the sites converted user passwords into lower-case, which, if stolen, makes them easier to crack.

A spokesperson for the company, now handled by a public relations firm known to specialize in “crisis communications,” did not comment but referred back to the previous press release.

Three mobile data breach: Company confirms data from 133,827 accounts could have been accessed

Security breach puts Three customer data at risk. (Image: Three)

Three mobile has confirmed that information about almost 134,000 customers was accessed following a data breach, although the company, one of the largest mobile network providers in the UK, has said no banking information has been obtained by outsiders.

The company says information from 133,827 of its nine million customer accounts was accessed in total.

For 107,102 customers, the information which could have been obtained included whether they are a handset or SIM-only customer, contract start and end date, handset type, Three account number, how long they’ve been with Three, whether the bill is paid by cash or card, billing date, and name.

For a further 26,725 customers the information which could have been obtained included name, address, date of birth, gender, handset type, contract start and end date, whether they are a handset or SIM-only customer, telephone number, email address, previous address, marital status, employment status, Three account number and phone number, and how long they’ve been with Three.

Three men arrested in connection with the breach have been released on bail while the National Crime Agency investigates the case.

In a message to customers, Three CEO Dave Dyson has apologised for the inconvenience caused by the breach and assured customers no bank information was accessed.

“We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently,” he said.

“I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused,” he said. “In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.”

Dyson says Three has “put in place increased security” for the affected customer accounts and that the company is “working closely with law enforcement agencies on this matter”.

The company says the information was obtained using an authorised login to its database of customers eligible for a phone upgrade. Three has warned customers to be “cautious” about anyone contacting them about the incident and not to give out their banking information.

South Korea has denied Google’s request to take mapping data to servers outside the country

South Korea said on Friday it has rejected Google’s latest request for permission to take government mapping data for use in servers outside the country, citing security issues with North Korea. Google, an Alphabet Inc company, has said it needs to use the data on servers worldwide to enable services that would give walking and driving directions in South Korea.

But South Korea, whose 1950-53 war with North Korea ended without a peace treaty, argues that if it allowed such data to leave the country, the locations of military facilities and other sensitive sites could be revealed. The government could grant permission if Google removes images of sensitive sites on its satellite imaging services, an official at the body in charge of mapping data has previously said.

But Google has rejected that condition, saying the information is widely available through satellite images that can be purchased freely. The land ministry said it would reconsider if Google changes its position. A Seoul-based spokeswoman for Google did not have immediate comment on Friday’s decision.

Separately, Google is under scrutiny in South Korea, with the antitrust regulator examining whether the U.S. firm’s agreements with handset manufacturers on the Android mobile operating system limit market competition.

Reuters

Britain has passed the ‘most extreme surveillance law ever passed in a democracy’


It’s 2016 going on 1984.

The UK has just passed a massive expansion in surveillance powers, which critics have called “terrifying” and “dangerous”.


The new law, dubbed the “snoopers’ charter”, was introduced by then-home secretary Theresa May in 2012, and took two attempts to get passed into law following breakdowns in the previous coalition government.

Four years and a general election later — May is now prime minister — the bill was finalized and passed on Wednesday by both parliamentary houses.

But civil liberties groups have long criticized the bill, with some arguing that the law will let the UK government “document everything we do online”.

It’s no wonder, because it basically does.

The law will force internet providers to record every internet customer’s top-level web history in real time for up to a year, which can be accessed by numerous government departments; force companies to decrypt data on demand — though the government has never been that clear on exactly how it would force foreign firms to do that; and even disclose any new security features in products before they launch.

Not only that, the law also gives the intelligence agencies the power to hack into computers and devices of citizens (known as equipment interference), although some protected professions — such as journalists and medical staff — are layered with marginally better protections.

In other words, it’s the “most extreme surveillance law ever passed in a democracy,” according to Jim Killock, director of the Open Rights Group.

The bill was opposed by representatives of the United Nations, all major UK and many leading global privacy and rights groups, and a host of Silicon Valley tech companies alike. Even the parliamentary committee tasked with scrutinizing the bill called some of its provisions “vague”.

And that doesn’t even account for the three-quarters of people who think privacy, which this law almost entirely erodes, is a human right.

There are some safeguards, however, such as a “double lock” system so that the secretary of state and an independent judicial commissioner must agree on a decision to carry out search warrants (though one member of the House of Lords disputed that claim).

A new investigatory powers commissioner will also oversee the use of the powers.

Despite the uproar, the government’s opposition failed to scrutinize any significant amendments and abstained from the final vote. Killock said recently that the opposition Labour party spent its time “simply failing to hold the government to account”.

But the government has downplayed much of the controversy surrounding the bill. The government has consistently argued that the bill isn’t drastically new, but instead reworks the old and outdated Regulation of Investigatory Powers Act (RIPA). This was brought into law in 2000, to “legitimize” new powers that were conducted or ruled on in secret, like collecting data in bulk and hacking into networks, which was revealed during the Edward Snowden affair.

Much of those activities were only possible thanks to litigation by one advocacy group, Privacy International, which helped push these secret practices into the public domain while forcing the government to scramble to explain why these practices were legal.

Google Pixel hacked in under 60 seconds by Chinese team

Google’s new flagship just got hacked by a Chinese team in under 60 seconds.

At PwnFest, a hacking competition in Seoul, South Korea, a team of white-hat hackers known as Qihoo 360 demonstrated an exploit that allowed for remote code execution on the Pixel. In under 60 seconds, the team used a zero-day vulnerability to remotely install code on Google’s sought-after device.

The exploit launched the Google Play Store and then Google’s mobile version of Chrome before displaying a message that read “Pwned by 360 Alpha Team.”

(Image: The Register)

Qihoo 360 won a cash prize of $120,000 for the hack and sent Google back to the drawing board to figure out how to patch it.

All told, the team walked away with $520,000 in cash prizes after demonstrating additional vulnerabilities in Microsoft Edge on Windows 10, and a decade-old exploit that inexplicably still works on Adobe Flash.

Google Pixel pwned in