Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

Thread starter: OldSkool
South Korea is fingering its northern neighbours for an attack last month against a navy defence contractor.

North Korea's regime says the attribution is political and dubbed the attacks fabricated.

Details of the hack of Hanjin Heavy Industries have not been disclosed but local broadcaster Yonhap reports the government has kept open the possibility of North Korean involvement.

"After identifying signs that Hanjin Heavy Industries may have been hacked on April 20, the Defense Security Command is currently leading a security investigation into whether any military secrets were leaked and whether North Korea was involved," unnamed officials told Yonhap.

The contractor is responsible for the production of Seoul's latest naval vessels and amphibious assault vehicles including the ROKS Dokdo.

It is the latest security breach of South Korea's defence industry since hackers in November popped contractor LIG Nex1 and the Agency for Defense Development, both responsible for building its AESA radar.

North Korea is said to have well-structured elite hacking teams. One unit dubbed Bureau 121 is claimed to be situated in the nation's spy agency the General Bureau of Reconnaissance, and is fingered for intrusions into network infrastructure of foreign states.

Security researchers identified the so-called Lazarus Group as the unit behind the 2014 flaying of Sony Pictures, a hack which the US pinned firmly on Pyongyang.
http://www.theregister.co.uk/2016/05/11/south_korea_fingers_north_for_defence_contractor_hack/

North Korea's Unit 121 in action.
 
Has this happened to others often?:

"Hi, XXXX

It looks like someone tried to log in to your account on 12 May at 7:09 from an unknown device. Your account is safe. We just want to make sure that it was you trying to log in from a new location.

If it wasn't you who logged in, log in to Facebook so we can guide you through securing your account.

Thanks,
The Facebook team"

There was an IP address too, and Facebook had identified the location as Azerbaijan... How on earth would someone from there try to log in to my account? Of course it could be someone closer to home who just bounced their address through Azerbaijan.
 
Despite changes to the law, the U.S. National Security Agency can still request metadata from tens of thousands of private phones if they are indirectly connected to the phone number of a suspected terrorist, according to a new analysis. The study is one of the first to quantify the impact of policy changes intended to narrow the agency’s previously unfettered access to private phone records, which was first revealed by Edward Snowden in 2013.

For years before Snowden went public, the U.S. National Security Agency legally obtained metadata not only from suspects’ phones but also from those of their contacts and their contacts’ contacts (and even their contacts’ contacts’ contacts) in order to trace terrorist networks. This metadata included information about whom a user has called, when the call was placed, and how long these calls lasted.

Today, federal rules permit the NSA to recover metadata from phones within "two hops" of a suspect, which means someone who called someone who called the suspect in the past 18 months. Previously, federal regulations were more generous, permitting recovery of metadata from "three hops" away dating back to five years.

A new analysis led by researchers at Stanford University’s Computer Security Laboratory quantifies just what this policy change has meant, discovering that, under the old five-year three-hop rules the NSA could legally recover metadata from about 20 million phones per suspect and “the majority of the entire U.S. population” if it analyzed all its suspects. Now, the stricter 18-month "two hop" rule permits the agency to recover metadata from about 25,000 phones with a single request, according to the Stanford study.
http://spectrum.ieee.org/tech-talk/...-on-a-single-suspects-phone-analysis-suggests
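The "two hops" rule quoted above is a bounded breadth-first search over a call graph with a time window. The following added example (not code from the article or the Stanford study) computes the set of numbers one request exposes under the old and new rules on a constructed set of call records; the window lengths in days and the assumption that a call links both parties regardless of direction are mine.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed sample call records (caller, callee, date). Not real data.
SAMPLE_CALLS = [
    ("suspect", "a", date(2016, 1, 10)),
    ("b", "suspect", date(2015, 11, 3)),
    ("a", "c", date(2016, 2, 1)),
    ("c", "d", date(2016, 3, 5)),
    ("d", "e", date(2016, 3, 6)),
    ("b", "f", date(2012, 6, 1)),        # older than 18 months, inside 5 years
    ("g", "suspect", date(2011, 9, 9)),  # inside 5 years, just barely
]
AS_OF = date(2016, 5, 13)  # constructed "date of the request"

# Approximate day counts for the two windows named in the article
# (assumption: 18 months ~ 548 days, 5 years ~ 1826 days).
RULES = {"two hops / 18 months": (2, 548), "three hops / 5 years": (3, 1826)}


def build_call_graph(calls, as_of, window_days):
    """Undirected adjacency: one edge per call that falls inside the window.
    Assumption: call direction is ignored, since a 'contact' is anyone
    on either end of a call."""
    cutoff = as_of - timedelta(days=window_days)
    graph = defaultdict(set)
    for caller, callee, when in calls:
        if cutoff <= when <= as_of:
            graph[caller].add(callee)
            graph[callee].add(caller)
    return graph


def phones_within_hops(graph, seed, max_hops):
    """Breadth-first search: every number reachable from seed in at most
    max_hops calls, with the seed itself excluded from the result."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return {number for number, h in hops.items() if h > 0}


def compare_rules(calls, seed, as_of=AS_OF, rules=RULES):
    """Numbers exposed by a single request on `seed` under each (hops, window) rule."""
    return {
        name: phones_within_hops(build_call_graph(calls, as_of, window), seed, hops)
        for name, (hops, window) in rules.items()
    }


if __name__ == "__main__":
    for name, exposed in compare_rules(SAMPLE_CALLS, "suspect").items():
        print(f"{name}: {len(exposed)} phones -> {sorted(exposed)}")
```

On the sample records the stricter rule reaches three numbers and the old one six; on a real call graph the same code is how the "25,000 versus 20 million" figures are obtained.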
 
Sydney security tester Jamieson O'Reilly has reported a since-patched vulnerability in popular video platform Vidyo, used by the likes of the US Army, NASA, and CERN, that could see videos leaked and systems compromised.

O'Reilly, director of intelligence for consultancy Content Protection, says he picked up the bug during a client test and reported it to the New Jersey video company which has since issued a patch.

Google searches for vulnerable strings reveal hits for affected clients.

The company says some 3000 Fortune 100 SMB customers and 39 of the top 100 healthcare networks in the US use the product, together clocking more than 50 million minutes in talk time.

"I ended up finding an arbitrary file disclosure vulnerability," O'Reilly told The Register.

"It's more than just [leaked] videos, also Linux filesystem files (/etc/passwd) and other conf files.

"I've never heard of this software before and thought that the risk exposure was quite low until I looked at the clients.

"There are a lot of publicly accessible Vidyo endpoints that are probably vulnerable that you can identify using Google."

O'Reilly says the patch version 3.0.1.20 has been released to close the hole.
http://www.theregister.co.uk/2016/0..._tech_vidyo_throws_patch_over_data_leak_hole/
 
The Japanese state on a good mission.

Japan will from next year conduct mock hacking exercises with governments including the United States and private sector organisations ahead of the 2020 Olympic games.

The effort will be run out of a new penetration testing arm to be created in 2017 charged with identifying vulnerabilities in physical control systems that could lead to real-world damage during the Games.

It will include critical infrastructure operators including power, gas, and chemical utilities. Telcos and transport are almost universally included in security analysis of critical infrastructure.

Governments around the world have in recent years created departments charged with bringing together critical infrastructure operators including those running utilities, banks, and transport.

In Australia that effort is part of the Trusted Information Sharing Network and the overhauled Australian Cyber Security Centre.

Japan's unit, for now called the Industrial Cybersecurity Promotion Agency, will be staffed with security wonks and seated within the Economy, Trade and Industry Ministry.

One wing of the unit will train and hire penetration testers and hackers and develop attack mitigation systems, according to Yomiuri Shimbun.

Unnamed sources told the paper techies at high-profile organisations could be forced to undertake mandatory security training to protect critical data.

Mock attacks will run out of the unit's secondary research wing in conjunction with universities and foreign governments including the US Department of Homeland Security.

The US department has long run the biennial Cyber Storm hacking exercise between government agencies, major private sector organisations, and allied nations.

Australia and the UK have participated in previous Cyber Storm hacking games in 2010 and 2008.
http://www.theregister.co.uk/2016/0...king_mission_to_test_utilities_trains_telcos/
 
A state actor at work.

Ever since hackers targeted Swiss defense contractor RUAG, government officials have been tight lipped about the breach. But on Monday Switzerland’s CERT (Computer Emergency Readiness Team) spilled the beans on the attack against the firm and how the perpetrators pulled it off.

While Monday’s report falls short when it comes to outlining the type of data stolen, it goes into rare detail on how it was taken. For example, central to the attack was malware from the Turla family and the use of a sophisticated mix of Trojans and rootkits. Additionally, security experts assert that RUAG computers were infected as early as 2014, according to the report, making the attack slow and methodical.
https://wp.me/p3AjUX-uLk

Central to the attack was the use of Epic Turla, a highly sophisticated and ongoing cyberespionage campaign that targets governments, militaries and embassies. This type of attack, outlined in detail by Kaspersky Lab researchers, uses a mix of spear-phishing and PDF-based exploits, social engineering to entice email recipients to run a malware-infected .SCR file, or a watering hole type attack leveraging a Java exploit or a fake Flash Player.

“The attackers showed great patience during the infiltration and lateral movement. They only attacked victims they were interested in by implementing various measures, such as a target IP list and extensive fingerprinting before and after the initial infection,” according to the report.
 
I can only tip my hat to them. It's a tough choice, but fortunately ordinary hackers are no longer prosecuted the way they were in the witch-hunt days. Good thing.

It’s 3 am, and his eyes are almost closed. The pack of gummy bears on his desk is empty. So’s the Chinese takeout box. Romanian white hat hacker Alex Coltuneac has had three hours of sleep tonight. And last night. And the night before that. He’s busy trying to find a vulnerability in YouTube live chat, which he plans to report to the company and hopefully get some money in return. None of the bugs he has discovered in the past few days electrifies him, so he keeps digging.

In the past four years, Coltuneac has gotten bug bounty payments from Google, Facebook, Microsoft, Adobe, Yahoo, eBay, and PayPal for flaws he reported. Such bounty programs are a chance for Eastern European hackers like him to pursue a legitimate career in cybersecurity.

And he’s only 19 years old. In a country better known for cybercrime, the teenager is part of a small but growing cohort of hackers who are deciding to play it nice. This is a departure for the hacking community of Romania, known for such hits as the hackers Hackerville and Guccifer, and fraudsters who steal money from American bank accounts, perpetrate eBay frauds, and land themselves on the FBI’s most wanted list.
https://www.wired.com/2016/05/romanian-teen-hacker-hunts-bugs-resist-dark-side/

On the white market, a flaw found and reported legitimately is priced at a few hundred dollars, enough for Coltuneac to pay his rent this month. Sensitive ones are often rewarded with several thousand dollars. In very few cases, the bounty exceeds $100,000. He’s constantly hoping to find one of those. And that sum is still far less than what he would get if he sold the same vulnerabilities on the gray or black markets. (Gray markets sell exploits to nations and corporations to use against their foe; black markets sell to the highest bidder, often criminals.) Zerodium, a gray hat vulnerability broker working with law enforcement and intelligence agencies, awards a hacker up to $500,000 for a high-risk bug with fully functional exploit.
 
Security flaws in software can be tough to find. Purposefully planted ones—hidden backdoors created by spies or saboteurs—are often even stealthier. Now imagine a backdoor planted not in an application, or deep in an operating system, but even deeper, in the hardware of the processor that runs a computer. And now imagine that silicon backdoor is invisible not only to the computer’s software, but even to the chip’s designer, who has no idea that it was added by the chip’s manufacturer, likely in some farflung Chinese factory. And that it’s a single component hidden among hundreds of millions or billions. And that each one of those components is less than a thousandth of the width of a human hair.

In fact, researchers at the University of Michigan haven’t just imagined that computer security nightmare; they’ve built and proved it works. In a study that won the “best paper” award at last week’s IEEE Symposium on Privacy and Security, they detailed the creation of an insidious, microscopic hardware backdoor proof-of-concept. And they showed that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system. Most disturbingly, they write, that microscopic hardware backdoor wouldn’t be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory.
https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/
 
The Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage”, according to Fed records.

The US central bank’s staff suspected hackers or spies in many of the incidents, the records show. The Fed’s computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets.

The cybersecurity reports, obtained by Reuters through a Freedom of Information Act request, were heavily redacted by Fed officials to keep secret the central bank’s security procedures.
https://www.theguardian.com/business/2016/jun/01/federal-reserve-hackings-cybersecurity-espionage

Banks attract interest in Finland too.
 
FireEye threat researchers have found a complex malware instance that borrows tricks from Stuxnet and is specifically designed to work on Siemens industrial control systems.

Josh Homan, Sean McBride, and Rob Caldwell named the malware "Irongate" and say it is probably a proof-of-concept that is likely not used in the wild.

Industrial control system malware are complex beasts in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems.

The steep learning curve required to grok such systems limits the risk presented by the many holes they contain.

It is this that makes Irongate interesting. The malware is also unique in that it employs man-in-the-middle attacks to capture normal traffic on human machine interfaces to replay it in a bid to mask anomalies during attacks.

That replay trick is reminiscent of work by IOActive researcher Alexander Bolshev who told The Register how frequency and amplitude modifications in waves generated by control programmable logic controllers could allow attacks to be masked.

Irongate is also capable of evading VMware and Cuckoo sandboxes - the use of which is indicative of white hat researchers - a standard feature of well-designed malware.

The FireEye and Mandiant team found the malware on VirusTotal, likely uploaded by authors wanting to test their trojan for antivirus detection. No security platforms detected it.

"While Irongate malware does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, it leverages some of the same features and techniques," the team says.

"Even though process operators face no increased risk from the currently identified members of the Irongate malware family, it provides valuable insight into adversary mindset."

The malware operates in Siemens simulated programmable logic controller environments which are used before live deployment, seeking out and replacing proprietary DLL files, but does not function in standard environments.

Its infection vector is unknown.
http://www.theregister.co.uk/2016/0...re_masks_attack_with_replayed_normal_traffic/

A copy-cat Stuxnet; who might be behind it? The Equation Group, again?
 
An old-school exploit that is damn hard to pull off in practice.

Discerning secret crypto keys in computers and gadgets by spying on how they function isn't new, although the techniques used are often considered impractical.

A new paper demonstrates this surveillance can be pretty easy – well, easier than you might imagine – to pull off, even over the air from a few metres away.
http://www.theregister.co.uk/2016/06/04/sidechannel_encryption_theft/

http://m.cacm.acm.org/magazines/2016/6/202646-physical-key-extraction-attacks-on-pcs/fulltext

In this case, stealing RSA keys.
 
SECRET reports leaked by US whistleblower Edward Snowden have revealed how UK mass surveillance of phone and internet activity was accessed by Scottish police forces.
The documents confirm that a little-known policing body called the Scottish Recording Centre (SRC) was given access to information logs that include millions of communications data, including phone activity, internet histories and social media behaviour on Facebook.

The confirmation that UK state spy agency GCHQ ran a specific programme, called “Milkwhite”, to share data with devolved policing and tax authorities is the first Snowden leak to directly implicate Scottish authorities in the controversial policy of bulk data collection.

American news site The Intercept, which has access to the Snowden files, explained Milkwhite gave “an obscure Scotland-based surveillance unit” access to “huge troves of meta-data” from UK state surveillance.

Metadata includes who a surveillance target is calling, emailing, what websites they visit, and, when location data is available, a person’s movements. The scale of secret surveillance caused global outrage over a lack of transparency, invasions of privacy and abuses of power when the first Snowden documents were released in 2013.

In 2007, UK spies drew up secret plans to snoop on the activities of “every visible user on the internet”. UK state lawyers admitted six years later that the number of people targeted was an “infinite list”. New leaked government reports claim that spies are gathering so much information that it risks harming effective security operations.
http://www.thenational.scot/news/us...mme-with-secret-link-to-scottish-police.18661
 
ISIS at work.

The Caliphate Cyber Army (CCA), one of the smaller groups part of the United Cyber Caliphate (UCC), the ISIS de-facto hacking division, has leaked details of 800 library workers from the Arkansas Library Association (ALA).

The data breach took place in the month of May, and CCA members leaked the data in the form of an Excel file on their Telegram channel on May 26.

The FBI, along with various security firms like Kronos and SiTE, all detected and logged the incident. An FBI agent even called the Arkansas Library Association and informed them of the data breach as soon as it happened.

ALA employees more happy that their credit card data wasn't exposed
On May 31, ALA sent out an email to all affected employees, informing them of the incident. The Excel file held information such as real names, addresses and telephone numbers of 800+ ALA employees in various high school and college libraries across the state.

As usual, ISIS militants dumped the data online and asked supporters to carry out lone wolf operations against these targets. A few months earlier, the group did the same thing when they leaked the details of over 3,000 New Yorkers.

In statements to Newsweek, some ALA workers were more glad that their financial details weren't exposed, rather than worry about ISIS attacks.

ISIS hacking crews aren't the most talented hackers you'll find
Previously ISIS crews have hacked a company that contained the term Google in its name and tried to pass it as the real Google, a church's website in Michigan, and 88 random sites in a three-day hacking rampage.

Despite being quite active, ISIS hackers aren't considered to be the most talented crews, rarely achieving anything more than simple defacements or database compromises.

From the looks of the current ALA website, which shows database connection errors, it seems that the hackers got in via an SQL injection attack.
http://news.softpedia.com/news/isis...rom-arkansas-library-association-505074.shtml
 
Finland aims to recruit up to a hundred new cyber police officers; surveillance is also to be extended to the content of messages
A government review wants to make device surveillance easier in order to root out cybercrime.

Jarmo Huhtanen HS

A review group appointed by Prime Minister Juha Sipilä's (Centre) government wants Finland to hire up to 101 new police officers specialising in cybercrime.

In addition, the review group would increase police cyber training and amend legislation so that technical device surveillance would be easier.

The information comes from a draft of a review on combating cybercrime, which has been out for comment.

The preparation of a review on cybercrime is mentioned in the government programme. According to it, the government will determine the resources, operating methods and legislative changes needed to combat cybercrime.

The new review will be presented to the government at a strategy session to be held in early autumn.

"The review contains implementation proposals. The minister has not yet taken a position on them," says legislative counsellor Tiina Ferm.

The review was prepared jointly by the Ministry of the Interior, a National Police Board working group, the Finnish Security Intelligence Service (Supo) and the National Bureau of Investigation.

The authors propose eleven new posts in police units for technical investigation, 25 posts for tactical investigation and 30 posts for network intelligence.

Five new posts are proposed for the Security Intelligence Service next year, with more in subsequent years so that there would be a total of 17 new cyber officers at Supo in 2020.

In addition, 18 more employees are wanted to expand the operations of the cybercrime centre set up last year at the National Bureau of Investigation.

The review proposes changes to the laws on device surveillance that would make it easier to solve cybercrimes. At present, telecommunications monitoring is not possible for investigating cybercrimes or identity thefts.

The police want technical device surveillance to be extended to the content of messages as well.

According to the review, the current situation is in practice such that technical device surveillance can only be used to determine the software on a device and the device's control traffic unrelated to the message itself. Determining the content of a message is in practice not possible due to the narrow scope of the law.

Identity theft was criminalised as a separate offence last autumn. The number of identity thefts has increased, but the penal provision concerning them does not allow telecommunications monitoring as a coercive measure. The review proposes identity theft as a new ground for using telecommunications coercive measures.

"Identity thefts are extremely difficult to investigate otherwise," Ferm argues.

According to the draft review, most cybercrime does not come to the attention of the police. In addition, many of the cybercrimes investigated by the police remain unsolved or are only partially solved.

Apart from Helsinki, police departments do not have units that investigate cybercrime exclusively. All of them, however, have units specialising in the handling of digital evidence, i.e. digital forensics.

The Office of the Prosecutor General already selected four district prosecutors two years ago to be trained as cyber experts. In the future they will train other prosecutors in, among other things, the handling of electronic evidence.

The review presents several recommendations for enhancing cyber training at the Police University College.

Among other things, basic studies in combating cybercrime and cyber-related specialisation studies are to be added to the curriculum.

As a new idea, the review wants to explore whether an engineer-to-police training programme could be organised. It would be a package tailored to cybersecurity tasks, in which people with technical training would be recruited to be trained as police officers.

I blacked out a few passages; source HS.
 
I support understanding on the part of these cyber police officers, because some people don't do these things out of malice but out of curiosity about how far they can get and what they can do. Engineer-to-police is a good route, but not the only one.
 
On Tuesday, NATO decided to make cyber operations part of its war domain, along with air, sea, and land operations. NATO Secretary-General Jens Stoltenberg said the decision is not aimed at any one particular country, just that allies need to be able to better defend themselves and respond to computer network attacks. Phys.Org reports: "The decision has been long in coming, particularly amid rising tensions with Russia, which has proven its willingness to launch computer-based attacks against other nations. About a year ago, U.S. Defense Secretary Ash Carter told NATO that it must improve its ability to protect itself before it builds its cyberwar capabilities. And he pledged that the U.S. would use its expertise to help allies assess their vulnerabilities and reduce the risk to their critical infrastructure. In 2014, after years of debate, NATO finally agreed that a cyberattack could rise to the level of a military assault and could trigger the Article 5 protections, which allow the alliance to go to the collective defense of another member that has been attacked."
http://phys.org/news/2016-06-air-sea-cyber-nato-areas.html
 
I'll be watching with interest how this turns out. The neighbour's hackers are not like those in the West, and their way of thinking is completely different from ours. Note that some of the world's best mathematical and logical brains come from the neighbour's side.

Russia is mulling a bug bounty program to find and eliminate bugs in government-approved software.

Local media report deputy Communications Minister Aleksei Sokolov is discussing a possible bug bounty with the Russian tech sector.
http://www.theregister.co.uk/2016/06/15/russia_mulls_bug_bounty_to_harden_govt_software/
 