Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

  • Thread starter: OldSkool
State actors

One of the world’s “big four” accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal.

Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months.

One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.
https://www.theguardian.com/busines...-cyber-attack-revealing-clients-secret-emails
 

Electronic medical equipment is supposed to help humans save lives, but their lamentable security could result in considerable death, we were warned over the weekend.

Speaking at DerbyCon in Kentucky, USA, on Saturday, two infosec experts and two doctors who have a side interest in hacking gave an update on their work analyzing security flaws in medical machinery. And, reader, the results weren't good. On average, a connected device had about 1,000 exploitable CVE flaws, with some going over the 1,400 mark, it was claimed.

Not all of these flaws are remotely exploitable, but many are, "and it only takes one,” said Joshua Corman, director of the Atlantic Council's Cyber Statecraft Initiative and one of the aforementioned speakers. “Governments aren’t ready for this and hospitals certainly aren’t – 85 per cent of US hospitals don’t have any IT security staff,” he added.

Four years ago, Corman and others launched I Am The Cavalry to investigate and tackle computer security that affects public safety. He gave his DerbyCon talk alongside his deputy director Beau Woods, and infosec-minded Dr Christian Dameff and Dr Jeff Tully.

Dr Dameff highlighted the effects of the WannaCry ransomware epidemic on the UK healthcare system, and said the US had been very, very lucky not to have similar infections of malware. The main fear is a software nasty disrupting computers and network-connected equipment to the point where patients are prevented from receiving vital treatment in time.
“When you look at stroke or heart attack victims you’ve got a very small time window to medicate and avoid further damage,” Dr Dameff explained. “A serious delay might not kill people but can certainly leave them crippled. I’m pretty confident someone died due to this [WannaCry] attack.”

The group ran a simulation exercise with the authorities in Phoenix, Arizona, that revealed alarming results. The three-day simulated cyber-disaster involved one hospital in the city being infected by destructive malware that crippled essential services, followed by other digital assaults on hospitals across the city on the second day, and then a physical attack similar to the 2013 Boston marathon bombing on day three.

To their surprise, the simulations calculated deaths would occur almost immediately on day one. With elevators and HVAC systems out, and no refrigeration for medicines, patients had to be shuttled to other medical facilities and some were not making it there alive.

By day two, doctors switched from standard to disaster triage due to the sheer volume of patients not being treated. Typically, people are triaged so that the sickest or most seriously injured get treated first, but instead doctors had to switch to prioritizing those they could realistically save and left the more seriously sick to die.
http://www.theregister.co.uk/2017/09/26/malware_hospital_simulation/
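The talk's "about 1,000 CVEs per device" figure is only useful once you separate what is reachable over the network from what needs a local shell or physical access. The script below is an added example for this thread, not code from the DerbyCon speakers or The Register: it parses CVSS v3 vector strings (the standard `CVSS:3.x/AV:…/AC:…/PR:…/UI:…` format) and buckets a device's findings by attack vector, pulling out the unauthenticated, no-click, network-reachable ones that a WannaCry-style worm needs. The finding IDs and vectors are constructed sample data, not results from any real device.

```python
"""Triage a device's vulnerability list by CVSS v3 attack vector.

Added example for this thread, not code from the DerbyCon talk or The
Register. The finding IDs and vectors below are constructed sample data,
not real device results.
"""
import re
from collections import Counter

# Matches a CVSS v3.0/v3.1 vector: a version prefix followed by METRIC:VALUE pairs.
CVSS3_RE = re.compile(r"^CVSS:3\.[01]/(?P<metrics>(?:[A-Z]+:[A-Z]/?)+)$")

# Constructed sample: one row per finding, as an inventory tool might export it.
SAMPLE_FINDINGS = [
    ("SAMPLE-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # remote, no auth, no click
    ("SAMPLE-0002", "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"),  # remote but needs creds + luck
    ("SAMPLE-0003", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),  # adjacent (same Wi-Fi/LAN)
    ("SAMPLE-0004", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),  # needs a local shell
    ("SAMPLE-0005", "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # needs physical access
    ("SAMPLE-0006", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),  # remote, needs a user click
    ("SAMPLE-0007", "not-a-cvss-vector"),                               # malformed export row
]


def parse_cvss3(vector: str) -> dict:
    """Parse a CVSS v3.0/3.1 vector string into a {metric: value} dict.

    Raises ValueError on anything that is not a well-formed v3 vector, so a
    broken export row cannot silently count as "not remote".
    """
    m = CVSS3_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(part.split(":") for part in m.group("metrics").rstrip("/").split("/"))
    required = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}
    missing = required - metrics.keys()
    if missing:
        raise ValueError(f"vector missing base metrics {sorted(missing)}: {vector!r}")
    return metrics


def is_remote(metrics: dict) -> bool:
    """Attack Vector: Network means reachable across routed networks."""
    return metrics["AV"] == "N"


def is_unauthenticated_remote(metrics: dict) -> bool:
    """The 'it only takes one' class: network, low complexity, no privileges,
    no user interaction. These are the ones a self-propagating worm needs."""
    return (metrics["AV"] == "N" and metrics["AC"] == "L"
            and metrics["PR"] == "N" and metrics["UI"] == "N")


def triage(findings) -> dict:
    """Bucket findings by reachability. Returns counts, the IDs that need
    attention first, and any rows that could not be parsed."""
    counts = Counter()
    priority, unparsed = [], []
    for finding_id, vector in findings:
        try:
            metrics = parse_cvss3(vector)
        except ValueError:
            unparsed.append(finding_id)
            continue
        counts["total"] += 1
        counts["av_" + metrics["AV"]] += 1
        if is_remote(metrics):
            counts["remote"] += 1
        if is_unauthenticated_remote(metrics):
            counts["unauth_remote"] += 1
            priority.append(finding_id)
    return {"counts": dict(counts), "priority": priority, "unparsed": unparsed}


if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS))
```

On the sample data, six of seven rows parse, three are network-reachable, and only one is exploitable without credentials or a click; the malformed row is reported rather than silently dropped, which matters when the list is a thousand entries long and nobody reads it by hand.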
 
When cyber spies known as NetTraveler were busy snooping on hundreds of government and military victims in 40 countries a few years ago, little did they know that another hacking group was probably watching them.

During their investigation of NetTraveler, Kaspersky Lab researchers discovered an unusual backdoor that could have helped another attacker access one of their main servers, and then use the group’s infrastructure or steal data.

In the past five years, cybersecurity experts have encountered several cases in which espionage groups likely pilfered one another’s spoils, being interested in getting both data and hacking tools. Kaspersky researchers Costin Raiu and Juan Andrés Guerrero-Saade talked about such incidents on Wednesday during the Virus Bulletin 2017 Conference in Madrid, Spain.

Government hackers sometimes “obtain data by stealing it from someone else, who took it in the first place from the victims,” Raiu told Bleeping Computer in an email interview before the conference. He and Guerrero-Saade believe that citizens’ personal data could fall into the hands of a foreign intelligence agency that’s better equipped than the domestic one.

The experts based their presentation on so far unpublished research that shows how spies walk off with other spies’ data and tools, gaining valuable insight into a foreign service’s intelligence collection methods, recruitment tactics, procedural guidelines, and the targets operatives have to monitor.

“Attackers can [...] adopt the victim threat actor’s toolkit and infrastructure, leveraging their data and access, and perpetrating attacks in their name,” the researchers wrote in their paper.
https://www.bleepingcomputer.com/news/security/spies-hack-but-the-best-spies-hack-other-spies-/

Indian antivirus and endpoint vendor Seqrite claims the nation's internet registry has suffered a data breach, but the registry's parent organisation says while it was attacked the information obtained was trivial.

Seqrite says its researchers noticed “an advertisement on DarkNet announcing secret access to the servers and database dump of over 6000 Indian businesses – ISPs, Government and private organisations.” The researchers say they then posed as an interested buyer and the advertisers provided screen shots that indicate the data comes from the Indian Registry for Internet Names and Numbers (IRINN), India's issuer of IP addresses.

Seqrite, also known as Quick Heal Technologies, says buyers who'd like to see the data need only hand over 15 Bitcoin. The company says the data is sufficiently detailed that the dark web vendor is “offering network takedown of affected organizations for an unspecified amount” and “claims to have the ability to tamper the IP allocation pool, which could result in a serious outage or Denial of Service.”
http://www.theregister.co.uk/2017/1...mes_and_numbers_attack_allegation_by_seqrite/
 
Russian government spies extracted NSA exploits from a US government contractor's home PC using Kaspersky Lab software, anonymous sources have claimed.

The clumsy snoop broke regulations by taking the classified code, documentation and other materials home to work on using his personal computer, which was running Kaspersky's antivirus, sources told the Wall Street Journal. It is alleged Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them.

In effect, it means the Russian government has copies of the NSA's tools used to exploit vulnerabilities in computer systems and equipment to spy on other nations and targets. It also means Russia can turn the cyber-weapons on American corporations, government agencies and other networks, and steal secrets, cause merry havoc, and so on.

The theft, reported today, is said to have occurred in 2015, but apparently wasn't discovered until earlier this year. The allegedly stolen NSA code and dossiers sound an awful lot like the Shadow Brokers archive of stolen agency spyware. The brokers' pilfered exploits date back to 2013, though.
http://www.theregister.co.uk/2017/1..._kaspersky_lab_software_to_steal_nsa_secrets/

The WSJ's sources didn't say if Kaspersky was actively involved in helping hack the contractor's computer, nor whether President Putin's spies exploited vulnerabilities in the security software to silently swipe the exposed documents. Don't forget, there are a lot of exploitable holes in antivirus packages for hackers to abuse.

It is also possible, under Russian law, the Kremlin instructed staff within Kaspersky to hijack the mark's computer and extract its contents. The software maker is denying any wrongdoing.

“Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company," the Moscow-based biz told The Register in a statement.

“As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.

Matthew Hickey, cofounder of British security shop Hacker House, told The Register that Kaspersky could well be blameless and the security software was simply doing its job. The Russian software maker has been detecting NSA malware since 2014, and this could be where the connection lies.

The antivirus may have identified Uncle Sam's powerful exploit code samples on the home PC, and flagged them up to Kaspersky's customers, possibly all the way to the FSB, Russia's security services.
 
John Leyden continues on the same Kaspersky topic.

There are two main attack vectors. First, passive attacks that involve intercepting other groups' data in transit, for example as it moves between victims and command and control servers. The second (active) approach involves hacking into another threat actor's malicious infrastructure, an approach much more likely to risk detection but which also brings potential rewards.

An active attack would allow a hacker to extract information on a regular basis, monitor its target and its target's victims or even insert its own implants or mount attacks while throwing the finger of blame towards the initial attacker. The success of active attacks depends largely on the target (e.g. another intel agency) making operational security mistakes.

Kaspersky researchers have come across two examples of backdoors installed in another hacking group's command-and-control infrastructure.

One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while probing a hacked website used by Crouching Yeti, a Russian-language hacking crew.

Last year a website put together by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian, Chinese and South Korean organisations, it said.

In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). This server was the starting point for the discovery of the Equation Group, linked by the leaks of former NSA sysadmin Edward Snowden to an elite NSA hacking crew.
http://www.theregister.co.uk/2017/10/05/fog_of_cyberwar/
 
Can NATO's TEMPEST documents SDIP-27 to 29 and the EU's IASG 07-02, on which the national guidance is based, be found anywhere?
 
Keeping the UK safe from cyber attacks is now as important as fighting terrorism, the new GCHQ boss has said.

Jeremy Fleming, director of the signals intelligence service, said increased funding for GCHQ was being spent on making it a "cyber-organisation" as much as an intelligence and counter-terrorism unit.

Fleming, who joined GCHQ from the security service (MI5) earlier this year, told The Telegraph: "If GCHQ is to continue to help keep the country safe as we prepare for our second century, then protecting the digital homeland – keeping our citizens safe and free online – must become and remain as much part of our mission as our global intelligence reach and our round-the-clock efforts against terrorism."

The UK's National Cyber Security Centre said last week that there had been 590 "significant" cyber attacks needing a national response in the last year, as previously reported. This included the WannaCry ransomware outbreak that disrupted the operations of several NHS trusts back in May and attacks on parliamentary email systems in June, among others.

Fleming's take on the importance of cybersecurity is the most extensive public comment he has made since leaving MI5 to head up GCHQ, but it shouldn't be mistaken for a significant shift in priorities or policies by the UK government. For example, the government reaffirmed cyber as a tier-one threat in its 2015 National Security Strategy (PDF, page 13) and has committed to spending £1.9bn between 2016 and 2021 on updating this. Cyber has been treated as a tier-one threat since the 2010 defence review.
http://www.theregister.co.uk/2017/10/09/gchq_cyber_priority/
 
State actors

The brouhaha over Russian spies using Kaspersky antivirus to steal NSA exploits from a staffer's home PC took an explosive turn on Tuesday.

Essentially, it is now claimed Israeli spies hacked into Kaspersky's backend systems only to find Russian snoops secretly and silently using the software as a global search engine. Kremlin agents were observed in real-time sweeping computers worldwide for American cyber-weapons, and then extracting any matching files. The Russians, it is claimed, hacked Kaspersky's servers to harvest any suspicious data flagged up by the antivirus that matched known codenames for American software exploits.

In short, Kaspersky's code, installed on millions of computers around the planet, was being used as a global searchable spying tool by the Russian government, it is alleged. It also means, now that this has been splashed on the pages of the New York Times, that US intelligence insiders have blown the lid on details of a highly sensitive Israeli operation.
http://www.theregister.co.uk/2017/10/11/israel_russia_kaspersky/
 
Cybercriminals in the Arab states are some of the most co-operative in the world, according to a new report by Trend Micro.

The study, titled Digital Souks: A glimpse into the Middle Eastern and North African underground (PDF), identifies the most popular kinds of hacking tools and commodities, and the most active countries in the region.

Hacktivism, DDoS attacks and website defacements are a staple in the Middle East. These tactics are often carried out by actors who harbour ideological mistrust towards the West as well as local governments. Major primary product categories are malware (27 per cent), fake documents (27 per cent), stolen data (20 per cent), crimeware (13 per cent), weapons (10 per cent), and narcotics (3 per cent).

Items sold on the underground in the region are entirely different to other parts of the world, where drug sales dominate the scene.

Crimeware sold includes a variety of cryptors, malware and hacking tools. Typical prices include worms at $1-$12, keyloggers for free up to $19, known ransomware for $30-$50, malware builders for free up to $500, Citadel (FUD) for $150, Ninja RAT (FUD) for $100, and Havij 1.8 (cracked) for free.

Similar to the Russian-speaking underground, cashout services also abound. These are platforms from which physical items, usually stolen, are converted into cash. These services are paid in bankcards, Bitcoin (BTC) or via direct cash transactions.

In the Middle East underground, DDoS services can be purchased by hacktivists and threat actors to further their ideology. The average is $45 per hour, with three-hour packages at $275, and involves the deployment of tools such as Low Orbit Ion Cannon (LOIC) or Lizard Stresser.

Malware-as-a-Service (MaaS) typically includes a purveyor, a malware developer selling a single binary or a combination of a binary and builder marketed as fully undetectable (FUD). Average prices are $20 for a binary, and $30–$110 for a binary with C&C infrastructure. A binary-builder package costs around $150–$400.
http://www.theregister.co.uk/2017/10/10/middle_east_cybercrime_markets/
 
State actors
it is now claimed Israeli spies hacked into Kaspersky's backend systems only to find Russian snoops secretly and silently using the software as a global search engine.

How Israel Caught Russian Hackers Scouring the World for U.S. Secrets
https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html
https://arstechnica.com/information...-used-kaspersky-av-to-search-for-nsa-secrets/

Earlier it was reported that the data had originally been on a home computer.

Last week, The Wall Street Journal dropped a bombshell when it reported that Russian government hackers located confidential National Security Agency material improperly stored on an employee's home computer with help from Kaspersky antivirus, which happened to be installed.
 
Earlier it was reported that the data had originally been on a home computer.

Doesn't surprise me at all. Yeah, I stopped pestering the bosses about this once I saw how much data was flowing out of the security organisation. Nobody wanted to tell their staff that they can't take work home, because they assumed people were actually working at home instead of spending whole days drinking in their underwear.

The biggest surprise here is the Israelis going public.
 
Corporate information security is becoming an ever hotter topic. Digitalisation and robotics place particularly high demands on information security. The Singapore-based security company Kinkayo is bringing a new cyber credit rating to the market. The company's Finnish director Mikko S. Niemelä says that ordinary citizens can also benefit from the rating.

– In everyday situations people log into services and enter their data into systems, Niemelä points out.

– When people put data into systems, they have hardly any means of protecting it, especially if it leaks.

If companies start paying more attention to their own and each other's information security, it also improves the security of the service user, i.e. the ordinary consumer.
https://yle.fi/uutiset/3-9878515
 
About 30GB of data was compromised in the hack on a government contractor, including details about new fighter planes and navy vessels.

The data was commercially sensitive but not classified, the government said. It did not know if a state was involved.

Australian cyber security officials dubbed the mystery hacker "Alf", after a character on TV soap Home and Away.

The breach began in July last year, but the Australian Signals Directorate (ASD) was not alerted until November. The hacker's identity is not known.

"It could be one of a number of different actors," Defence Industry Minister Christopher Pyne told the Australian Broadcasting Corp on Thursday.

"It could be a state actor, [or] a non-state actor. It could be someone who was working for another company."

Mr Pyne said he had been assured the theft was not a risk to national security.
http://www.bbc.co.uk/news/world-australia-41590614
 
admin/1234 - LULz

If there's anything worse than container security, it would appear to be container ship security.

Ken Munro, a researcher for UK-based Pen Test Partners, has been exploring maritime satellite communication systems used to keep ships connected while at sea. His findings don't inspire much confidence. Munro, in a blog post today recounting his research, describes ships as floating industrial control systems that were traditionally isolated but are now always connected to the internet.

Industrial control systems (ICS), which evolved without much thought for network-based attacks, have struggled for decades to adapt to the constant state of siege on the internet.

Munro believes the security of ship IT systems is worse still. "Personally, I think ship security is behind broader ICS security," he said. "The change is as a result of these satcom terminals being online all the time. In the past, just like ICS, ship systems were isolated from the internet."

Munro said there have been plenty of ship security incidents reported. "One that springs to mind is a mobile drilling platform off the coast of Africa that developed a tilt and had to be evacuated," he said. "On investigation, the control system had been ‘hacked’. I use the quotes as I suspect it was simply missing or default creds and an exposed control system GUI."

Using Shodan.io, a search engine for finding devices on the internet, Munro looked for several popular brands of maritime satcom systems, including Cobham, Inmarsat, and Telenor kit, along with older brands that had been acquired, on the assumption they'd be running outdated firmware.
http://www.theregister.co.uk/2017/10/13/it_at_sea_makes_data_too_easy_to_see/

He opted not to test the default user and password configuration for some systems (usually admin/1234), noting that most of the recent maritime hacking reports have involved missing authentication or default creds in comms terminals that allowed someone in. He doesn't really consider such failures hacking, even if the resulting disruption may be the same.

By searching for ‘html:commbox,’ he found various terminal commands for KVH's ship-to-shore network manager CommBox. Pulling up an actual CommBox login page, Munro found the connection was poorly secured with no HTTPS protection. The system presented a link to a queryable user database and it revealed network configuration data merely by mousing over the UI.

With the crew data, Munro was able to quickly find a crew member's social network profile, giving him all the data he'd need to conduct a targeted phishing attack. If he had ties to ship-hijacking pirates, he could provide the vessel's location, alongside crew data, via the automatic identification system (AIS) used to track ships.

In short, if these security holes were in the ship's hull, the vessel would be resting at the bottom of the sea.

Munro says satcom boxes need to implement TLS, password complexity must be enforced for user accounts, and comms hardware needs secure firmware.

"There are many routes onto a ship, but the satcom box is the one route that is nearly always on the internet," he said. "Start with securing these devices, then move on to securing other ship systems. That’s a whole different story."
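The three things Munro found on the CommBox page (credentials posted without TLS, network configuration leaking through UI tooltips, and a pre-authentication link to a user database) are all visible in the login page's HTML before anyone logs in, so they can be checked passively. The auditor below is an added example for this thread, not code from Pen Test Partners or from any vendor's product: it walks a fetched login page with the standard library's `html.parser` and reports those three problems plus the admin/1234-style factory defaults the post jokes about. The page URL and HTML are a constructed sample using RFC 5737 documentation addresses, not a capture of a real terminal, and the auditor should only ever be pointed at devices you are authorised to test.

```python
"""Passive audit of a satcom terminal's web login page.

Added example, not code from Pen Test Partners or from any vendor. The
sample page below is constructed (RFC 5737 addresses), not a real capture.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Attributes that render as tooltips or pre-filled text and so leak to an unauthenticated visitor.
LEAKY_ATTRS = ("title", "alt", "data-tooltip", "placeholder", "value")
USERDATA_HINTS = re.compile(r"user|crew|account|directory", re.I)
# Well-known factory defaults; the thread specifically mentions admin/1234.
DEFAULT_CREDS = {("admin", "1234"), ("admin", "admin"), ("admin", "password"), ("admin", "")}


class LoginPageAuditor(HTMLParser):
    """Collects findings while the parser streams through the page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: list[str] = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the page's scheme, so resolve it first.
            action = urljoin(self.page_url, a.get("action") or "")
            if urlparse(action).scheme != "https":
                self.findings.append(f"credentials submitted in cleartext to {action}")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        elif tag == "a":
            href = a.get("href") or ""
            if USERDATA_HINTS.search(href):
                self.findings.append(f"pre-auth link to user data: {urljoin(self.page_url, href)}")
        for name in LEAKY_ATTRS:
            val = a.get(name) or ""
            if IPV4_RE.search(val):
                self.findings.append(f"<{tag} {name}> leaks network config: {val!r}")


def audit_login_page(page_url: str, html: str) -> list[str]:
    """Return the list of findings for one fetched login page (empty = clean)."""
    auditor = LoginPageAuditor(page_url)
    auditor.feed(html)
    if urlparse(page_url).scheme != "https":
        auditor.findings.insert(0, f"login page itself served without TLS: {page_url}")
    if not auditor.has_password_field:
        auditor.findings.append("no password field found: page may not be a login form")
    return auditor.findings


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is a known factory default worth reporting on its own."""
    return (username.strip().lower(), password) in DEFAULT_CREDS


# Constructed sample page; addresses are from the RFC 5737 documentation ranges.
SAMPLE_URL = "http://192.0.2.10/login"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/auth">
  <input name="user" placeholder="admin">
  <input name="pass" type="password">
  <span title="WAN 192.0.2.10 / LAN 198.51.100.1 / GW 198.51.100.254">?</span>
  <button>Login</button>
</form>
<a href="/crew/db.cgi">Crew directory</a>
</body></html>
"""

if __name__ == "__main__":
    for line in audit_login_page(SAMPLE_URL, SAMPLE_HTML):
        print("-", line)
```

The same page served over HTTPS with a relative form action and no leaky attributes produces no findings, which is the bar Munro sets: TLS on the terminal, nothing about the network exposed before login, and no default credentials left in place.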
 

https://www.bleepingcomputer.com/news/security/new-krack-attack-breaks-wpa2-wifi-protocol/

Firstly, there are some limitations. For a start, an eavesdropper has to be in wireless range of the target network, and have the time and specialized software to pull off the KRACK technique. There is no, to the best of our knowledge, working exploit code available yet – and practical attacks may only be possible against Linux and Android.
http://www.theregister.co.uk/2017/10/17/kracken_patches/

Secondly, if your network traffic is encrypted using HTTPS, a VPN, SSH, TLS, or similar, KRACK won't get very far. All the miscreant will see, after deciphering the wireless network packets, is more encrypted data. At that point, the snooper is just like any other spy potentially sitting on the vast web of networks between you and the website or service you're connected to – and that's why we try to do HTTPS and other end-to-end encryption everywhere: to thwart naughty people lurking silently in the middle. Sadly, quite a lot of internet traffic is still using unencrypted and unprotected HTTP, or can be downgraded to HTTP in certain situations, which is why this KRACK issue is a potential pain.

This attack does not reveal a Wi-Fi network's password. But it can, if the base station uses WPA-TKIP or GCMP encryption, be used to potentially inject data into your unencrypted traffic, such as malicious JavaScript code and malware downloads into plain HTTP connections, against vulnerable devices. That's not great.

And while we're on the subject of bad news, if you're using Android 6.0 or Linux with wpa_supplicant 2.4 or later, it's super easy to hijack the wireless connection. Due to a programming cockup, this software uses a zero key – ie, an encryption key that's all zeroes – when under attack by KRACK, which makes it potentially trivial to intercept, decrypt and tamper with passing wireless packets to and from computers, phones and other devices using the affected wpa_supplicant tool.
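The two points above (why a replayed handshake message breaks the encryption at all, and why the wpa_supplicant zero-key bug makes it trivial) come down to one property of CCMP: frames are encrypted with AES-CTR keystream derived from the session key and a per-frame packet number that must never repeat, and a key reinstallation resets that packet number to zero. The model below is an added example for this thread, not code from the KRACK researchers or the articles above. It assumes HMAC-SHA256 over (key, packet number, block index) as a stand-in for AES-CTR; the nonce-reuse argument does not depend on which block cipher produces the keystream. The `Client` class, its methods and the sample frames are constructed for the illustration.

```python
"""Why a key reinstallation breaks Wi-Fi encryption: a nonce-reuse model.

Added example, not code from the KRACK paper or the linked articles.
Assumption: HMAC-SHA256 over (key, packet number, block index) stands in
for AES-CTR keystream; only the "same key + same counter = same keystream"
property matters for the attack.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Deterministic keystream for one frame: same (key, pn) -> same bytes."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant-side data path (constructed model).

    install_key() runs on every handshake message 3, retransmits included,
    and resets the packet number: that is the KRACK bug. With
    zero_after_install set, the client also wipes the key from memory after
    installing it (the wpa_supplicant 2.4+ behaviour), so a replayed
    message 3 installs an all-zero key instead of the real one.
    """

    def __init__(self, zero_after_install: bool = False):
        self.zero_after_install = zero_after_install
        self.ptk = None      # key as held by the handshake state machine
        self.key = None      # key as installed in the data path
        self.pn = 0

    def handshake_msg3(self, ptk: bytes):
        if self.ptk is None:
            self.ptk = ptk   # first message 3: store the negotiated PTK
        self.install_key(self.ptk)
        if self.zero_after_install:
            self.ptk = bytes(len(ptk))   # cleared "for safety"; a replay now installs zeros

    def install_key(self, key: bytes):
        self.key = key
        self.pn = 0          # packet number reset on (re)installation

    def send(self, plaintext: bytes):
        pn = self.pn
        self.pn += 1
        return pn, xor(keystream(self.key, pn, len(plaintext)), plaintext)


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Two frames under the same (key, pn): c1 ^ c2 == p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    return xor(xor(c1, c2), p1)


def demo() -> dict:
    ptk = os.urandom(16)
    known = b"GET /index.html HTTP/1.1\r\nHost: example\r\n"      # predictable plain-HTTP frame
    secret = b"Cookie: session=4f1a9c; Auth: Bearer xy\r\n"       # constructed sample secret
    n = min(len(known), len(secret))                              # attacker learns only the overlap
    known, secret = known[:n], secret[:n]

    # 1. Stock client: attacker needs one known plaintext at the reused packet number.
    c = Client()
    c.handshake_msg3(ptk)
    pn1, c1 = c.send(known)
    c.handshake_msg3(ptk)            # replayed message 3: key reinstalled, pn back to 0
    pn2, c2 = c.send(secret)
    recovered = recover_with_known_plaintext(c1, c2, known)

    # 2. Key-zeroing client: attacker needs nothing, the installed key is all zeros.
    z = Client(zero_after_install=True)
    z.handshake_msg3(ptk)
    z.handshake_msg3(ptk)            # replay installs the zeroed key
    pn3, c3 = z.send(secret)
    zero_recovered = xor(keystream(bytes(16), pn3, len(c3)), c3)

    return {"pn_reused": pn1 == pn2, "recovered": recovered,
            "secret": secret, "zero_key_recovered": zero_recovered}


if __name__ == "__main__":
    r = demo()
    print("packet number reused:", r["pn_reused"])
    print("secret recovered via known plaintext:", r["recovered"] == r["secret"])
    print("secret recovered under zero key:", r["zero_key_recovered"] == r["secret"])
```

The model also shows the limit the article describes: if the "secret" frame were a TLS record instead of a plain-HTTP header, the recovered bytes would still be TLS ciphertext, which is why end-to-end encryption above the Wi-Fi layer blunts the attack even on an unpatched client.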
 
Encrypted messaging app Telegram must pay 800,000 roubles for resisting Russia's FSB's demand that it help decrypt user messages.

The fine translates to just under US$14,000, making it less of a serious punishment and more a shot across the bows.

However, it does seem to entrench the principle that the Federal Security Service of the Russian Federation (FSB) can demand decryption.

Moscow signalled its intention to crack down last year with legislation put to the Duma, proposing fines up to a million roubles for the administrative offence of not giving keys to the FSB.

Telegram's head office received its summons in July, according to this Russian-language report from the BBC. The summons demanded information about six numbers registered on Telegram.

Judge Yulia Danilchik of the 383 Meshchansky District Court of Justice made the guilty finding and imposed the fine.

Telegram founder Pavel Durov has posted to Russian social site VK.com that it's not possible to comply.

“In addition to the fact that the requirements of the FSB are not technically feasible, they contradict Article 23 of the Constitution of the Russian Federation: 'Everyone has the right to privacy of correspondence, telephone conversations, postal, telegraphic and other communications,'” he wrote.

He indicated his intention to appeal, and keep doing so “until the claim of the FSB is considered by a judge familiar with the basic law of Russia - its Constitution”.
http://www.theregister.co.uk/2017/10/17/russia_fines_telegram/
 