Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

Google tracks you even if you forbid it and block it in the settings – this is how you really delete your search history

Have you disabled Google's location history in your Android phone's settings? A recent study shows that your assumption may be wrong.
A joint study by the Associated Press and Princeton researchers found that Google Maps and Google's search engine together store users' locations without the users' consent.
The problem is how location history is switched off.

Disabling it in the phone's settings alone is not enough; the function must also be disabled in the Google account's web settings.
You can access those at myaccount.google.com/activitycontrols and switch off the Web & App Activity function there.
If you want to get rid of Google's location history entirely, go to the website myactivity.google.com (My Activity), advises Lifehacker.
On the left side of the page, select Item View, which shows the data stored by each Google product. Select Maps from the list, or filter the map results using the search field's filters. Select the results you want and click the "hamburger menu" in the search field, from which you can delete them by selecting "Delete results".

Location data enables, for example, the Google Maps map service and commute-related recommendations. Exploiting it is, however, also part of Google's other business, and it can be used to target advertising, for example.

https://www.tivi.fi/Kaikki_uutiset/...a-nain-poistat-hakuhistorian-oikeasti-6736112

"A denial-of-service attack has taken down the websites of several authorities – authentication is not working on Kela's site
https://yle.fi/uutiset/3-10349357
12.8.2018 at 18:33

A denial-of-service attack took down the websites of several central government authorities and ministries this afternoon, says Pasi Lehmus, CEO of the Government ICT Centre Valtori.

According to Lehmus, the denial-of-service attack occurred at around 16:30. The attack was directed against Valtori's services. It prevents authentication to several online services, and some sites do not open at all.

Among others, the websites of the Government, the Ministry of the Interior, the Ministry of Education and Culture and the Ministry of Social Affairs and Health are out of service. The websites of the police and customs have also gone down.

Logging in to the healthcare Omakanta service, Kela and the Population Register Centre is not working. According to Lehmus, the denial-of-service attack has been repelled, and the websites are now being brought back up."

https://www.poliisi.fi/keskusrikosp...tunutta_epailtya_palvelunestohyokkaysta_73366
 

ctg

Commander-in-Chief
Cosmos Bank in India says that hackers made off with $13.4m in stolen funds over the weekend.


Multiple reports out of the country say that a group of attackers used cloned cards to withdraw cash from ATMs at a set time and perform a fraudulent SWIFT money transfer. Together, the efforts resulted in about Rs 94 crore ($13.4m) being stolen from the bank and its account holders.


The attack was believed to have taken place in two phases. The first, on Saturday between 1500 and 2200 local time, was an international effort with money mules in 28 different countries, all extracting cash from their local ATMs. According to the Hindustan Times, 15,000 transactions were carried out over the seven-hour period.


The second phase took place Monday, when a SWIFT transaction saw Cosmos move Rs 13.5 crore ($1.93m) to an account at a bank in Hong Kong.


Security reporter Brian Krebs unknowingly broke word about the heist three days ago when he got hold of a confidential alert sent from the FBI to US banks warning of a pending ATM cash-out attack against a then-unnamed financial institution (later found to be Cosmos).


The warning notes that the Bureau was confident of a cash-out operation set to occur over the weekend (when banks are closed) and that it thought the operation was the result of a breach at a card issuer.


"The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores," the FBI warned.


"At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards."


The Indian bank has said account holders' money is safe, but it has suspended online banking in the wake of the incident.


While no official culprit for the attack has been named, India's Economic Times has reported that North Korea's Lazarus Group (who have previously targeted banks in the region) is the likely offender.
https://www.theregister.co.uk/2018/08/15/cosmos_bank_raided/
 

ctg

Commander-in-Chief
Microsoft has claimed it thwarted a Russian-backed phishing attack by seizing control of fake copies of right-leaning American think tanks' websites – including one led by a prominent Donald Trump critic.

A US court order authorised Microsoft to apprehend six domains that the Windows maker said were linked to the APT28 hacking crew, also known as Fancy Bear and Strontium, according to Redmond.

The Hudson Institute mainly focuses on American national security and foreign policy issues while the International Republican Institute promotes the foreign policy ideas of the US Republican Party, focusing on attitudes to America overseas.

"We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group," boasted Microsoft prez Brad Smith in a corporate blog post.

The six domains were:

  • my-iri.org
  • hudsonorg-my-sharepoint.com
  • senate.group
  • adfs-senate.services
  • adfs-senate.email
  • office365-onedrive.com

The domain for the Hudson Institute is hudson.org, while the IRI resides online at iri.org. The similarities may have been enough to trick the unfamiliar into visiting these sites and entering login credentials or downloading malware.

"We currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains," Smith said.

The IRI was headed up by American senator John McCain, one of president Donald Trump's more outspoken critics from within his own party. McCain, who was recently diagnosed with brain cancer, stepped down from the IRI leadership at the end of July and anointed Dan Sullivan as its new chairman. Like McCain, Sullivan is a critic of Trump.

"The Kremlin has particularly sought to discredit anti-Trump groups, including within the Republican party," opined Dan Arenson, an analyst from infosec firm Falanx Group.
https://www.theregister.co.uk/2018/08/21/microsoft_seizes_apt28_linked_domains/
 

ctg

Commander-in-Chief
This is brand new

Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.

Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to the internet.

"These printers are controlled using the open source software package 'OctoPrint' but it's likely there are other tools that are similarly affected. OctoPrint is not meant to be exposed in this way, and it explains in its documentation how to deploy the software in a safe way," Mertens explained.

OctoPrint is a web interface for 3D printers that allows users to control and monitor the printer. As things stand, many OctoPrint instances are not properly configured and do not enforce authentication, according to Mertens. Once they have access to the printer, an attacker would be able to download the files that describe parts being printed.

Some of these G-code files may be proprietary, copyrighted or contain trade secrets. An attacker would also be able to swap out these files, replacing them with files that describe similar parts that are "weakened" to produce substandard or unsafe parts.

In response to questions from The Register, an OctoPrint dev emphasised the need for user education.

"This really has nothing to do with 'lack of security controls', the controls (e.g. ACL) are there, it's been recommended over and over again that users should NOT just port forward! The problem here is users going out of their way to expose internal services on the public net.

"There's no way to prevent people from exposing internal services on the net. I try to educate, I'm working on yet another prominent warning, but I can't force people to perform proper (and inconvenient) network security."

3D printers are used to make anything from toys to medical components so if a part's dimensions were meddled with, it could have serious safety implications.

"The problem is not related to the printer, rather if OctoPrint is incorrectly configured and left open on the internet," Mertens told El Reg. In addition, some printers do not have safety switches to prevent them from overheating, which means an attacker could attempt to start a fire by uploading a malicious file.

Mertens said both 3D printers and the files for parts being printed can be protected by ensuring network segmentation; enabling the security controls provided by the tool; and other access controls.

More on his thoughts on the subject can be found in an ISC blog post here.
https://www.theregister.co.uk/2018/09/04/3d_printers_hackable/
 

PekkaSavo

Commander-in-Chief
I wonder how many computers, printers, phones and televisions there are that have not received, and will not receive, an update for this:
https://www.krackattacks.com/

Could a "worm" emerge that spreads from one wifi network to another? Or one that just monitors the networks' traffic and passes the information on?
 

ctg

Commander-in-Chief
Could a "worm" emerge that spreads from one wifi network to another? Or one that just monitors the networks' traffic and passes the information on?
It gets too complicated for a worm, so in practice I don't see this happening, but in principle something like that is possible to implement. In practice WPA2 will become a legacy system and we will move to a slightly better encryption, as happened with WEP back in the day.

In other words, it is easier to put WPA and WPA2 cracking into the attack kit alongside the other WIFI tools.
 

ctg

Commander-in-Chief
Researchers at China's Netlab 360 have discovered that thousands of routers manufactured by the Latvian company MikroTik have been compromised by malware based on a vulnerability made public by WikiLeaks' publication of tools from the CIA's "Vault7" toolkit. While MikroTik posted a software update for the vulnerability in April, researchers found that more than 370,000 MikroTik devices they identified on the Internet were still vulnerable.

According to a report by Netlab 360's Genshen Ye, more than 7,500 of them are actively being spied on by attackers, who are actively forwarding full captures of their network traffic to a number of remote servers. Additionally, 239,000 of the devices have been turned into SOCKS 4 proxies accessible from a single, small Internet address block.

MikroTik provides routing and wireless hardware for Internet service providers and businesses worldwide, including ISP and campus network infrastructure such as outdoor fiber routers and wireless backbones. The vulnerable routers discovered by Netlab 360, still configured with an unpatched interface for the company's Winbox router configuration utility, are widely distributed—but the largest concentrations of affected networks were in Brazil and Russia. There were 14,000 devices identified operating using US-based IP addresses.

Previously, researchers at Trustwave had discovered two malware campaigns against MikroTik routers—the first originally targeting routers in Brazil with CoinHive malware. The attack injected the Coinhive JavaScript into an error page presented by the routers' Web proxy server—and redirected all Web requests from the network to that error page. However, in routers affected by this type of malware found by the Netlab 360 team, the attackers had shot themselves in the foot. "All the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs (access control lists) set by attackers themselves," noted Ye.

Another attack discovered by the Netlab 360 team has turned affected routers into a malicious proxy network, using the SOCKS4 protocol over a very non-standard TCP port (4153). "Very interestingly, the Socks4 proxy config only allows access from one single net-block, 95.154.216.128/25," Ye wrote. Almost all of the traffic is going to 95.154.216.167, an address associated with a hosting service in the United Kingdom.

The attack includes the addition of a scheduled task to report the router's IP address back to the attacker to help maintain the persistence of the SOCKS proxy if the router is rebooted. It's not clear what the proxies are being collected for, but they're currently being used to continuously scan for other vulnerable routers.

The eavesdropping attack leverages MikroTik's built-in packet-sniffing capabilities. The sniffer, which uses the TZSP protocol, can send a stream of packets to a remote system using Wireshark or other packet capture tools. The Netlab 360 team found that more than 7,500 routers that had been compromised were streaming network traffic—largely FTP and email focused traffic, as well as some traffic associated with network management—to a small number of addresses. The vast majority of the streams (5,164 of them) were being sent to an address associated with an ISP in Belize.
https://arstechnica.com/information...sed-to-build-vast-proxy-army-spy-on-networks/
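The post above names three observable behaviours of the compromised MikroTik routers: a SOCKS4 listener on TCP 4153 reachable only from 95.154.216.128/25, TZSP packet streams sent to a handful of external hosts, and continuous scanning for further routers. As an added example (not Netlab 360's or MikroTik's code), the following flags those behaviours in constructed flow records; it assumes TZSP's default target port is UDP 37008 and that Winbox listens on TCP 8291, and the sample log is made up.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Indicators quoted from the Netlab 360 findings in the post above.
SOCKS4_PORT = 4153
SOCKS4_CLIENT_BLOCK = ipaddress.ip_network("95.154.216.128/25")
# Assumption: MikroTik's default TZSP streaming target port is UDP 37008.
TZSP_PORT = 37008
# Assumption: Winbox listens on TCP 8291; many distinct targets on it look like scanning.
WINBOX_PORT = 8291
SCAN_FANOUT = 20
# Address space considered "inside"; a TZSP stream to anything else is suspicious.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log (format "proto src:sport > dst:dport"); 203.0.113.10 is the
# compromised router, 203.0.113.11 a clean one.
CONSTRUCTED_LOG = "\n".join([
    "tcp 95.154.216.167:51234 > 203.0.113.10:4153",   # SOCKS4 use from the attacker block
    "tcp 203.0.113.77:40000 > 203.0.113.10:4153",     # same port, other client: not flagged
    "udp 203.0.113.10:41000 > 198.51.100.5:37008",    # TZSP stream leaving the network
    "udp 203.0.113.11:41001 > 192.168.88.2:37008",    # TZSP to an internal collector: fine
] + [f"tcp 203.0.113.10:5{i:04d} > 198.51.100.{i}:8291" for i in range(1, 26)])  # scan


def parse_log(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        proto, src, _, dst = line.split()[:4]
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        flows.append(Flow(proto, s_ip, int(s_port), d_ip, int(d_port)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_flows(flows: List[Flow], routers: Set[str]) -> Dict[str, List[str]]:
    """Map each finding to the sorted list of router addresses showing it."""
    findings = defaultdict(set)
    winbox_targets = defaultdict(set)
    for f in flows:
        if f.dst in routers and f.proto == "tcp" and f.dport == SOCKS4_PORT \
                and ipaddress.ip_address(f.src) in SOCKS4_CLIENT_BLOCK:
            findings["socks4_from_attacker_block"].add(f.dst)
        if f.src in routers and f.proto == "udp" and f.dport == TZSP_PORT \
                and not is_internal(f.dst):
            findings["tzsp_stream_to_external"].add(f.src)
        if f.src in routers and f.proto == "tcp" and f.dport == WINBOX_PORT:
            winbox_targets[f.src].add(f.dst)
    for router, targets in winbox_targets.items():
        if len(targets) >= SCAN_FANOUT:
            findings["winbox_scan_fanout"].add(router)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    print(flag_flows(parse_log(CONSTRUCTED_LOG), {"203.0.113.10", "203.0.113.11"}))
```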
 

ctg

Commander-in-Chief
The man who federal prosecutors say operated the Kelihos botnet has now pleaded guilty.

During a hearing in federal court in Hartford, Connecticut on Wednesday, Peter Yuryevich Levashov admitted guilt in one count of causing intentional damage to a protected computer, one count of conspiracy, one count of wire fraud, and one count of aggravated identity theft.

The 38-year-old Russian’s botnet, which dated back to 2010, spanned more than 10,000 machines, and was primarily used to send out spam, steal logins, distribute ransomware, and more. Federal authorities shut it down in 2017.

"For over two decades, Peter Levashov operated botnets which enabled him to harvest personal information from infected computers, disseminate spam, and distribute malware used to facilitate multiple scams," Assistant Attorney General Brian Benczkowski said in a statement.

The Department of Justice said that Levashov "controlled and operated multiple botnets, including the Storm, Waledac and Kelihos botnets, to harvest personal information and means of identification (including email addresses, usernames and logins, and passwords) from infected computers."

In 2009, he was formally charged in the District of Columbia with operating the "Storm" botnet. As Ars has previously reported, Levashov has long been on a list of the World's Ten Worst Spammers, maintained by antispam volunteer organization Spamhaus.

Levashov was arrested in Barcelona, Spain in April 2017 and was extradited to the United States in February 2018, where he has remained in custody. His sentencing has been scheduled for September 6, 2019.
https://arstechnica.com/tech-policy...uilty-admits-he-ran-notorious-kelihos-botnet/
 

ctg

Commander-in-Chief

If you can steal someone's laptop, leave it switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, restart it, and boot into a custom program... you can swipe crypto keys and other secrets from the system.

When computers are restarted, the motherboard firmware can wipe the RAM clean to remove any lingering data. It is possible to, while a stolen machine is still in sleep mode, reprogram the firmware's settings to disable this memory zeroing, and then reboot it into a custom operating system on a USB stick or similar that then scans the RAM for any sensitive information. This information can be used to decrypt encrypted hard drives, and so on.

Whether or not it's easier than smacking the laptop owner with a two-by-four until they give up their login password is, well, an exercise left to our more sociopathic readers.

F-Secure's Olle Segerdahl and Pasi Saarinen this week detailed their memory-slurping technique, effectively bringing cold boot attacks out of the deep freeze from 2008 and putting them back into play. The pair reckon the approach will work against nearly all modern laptops, including Apple Macs.

The hack is tricky, though once mastered, it can be replicated on any purloined machine.
https://www.theregister.co.uk/2018/09/14/cold_boot_attack_reloaded/

A handy attack that can be taught to field personnel, if there is a critical need to get into a machine without physically seizing it.
 

ctg

Commander-in-Chief
It has never been easier to conduct a cyber attack. There now exists a range of off-the-shelf tools and services that do all the heavy lifting – you just need to pick an approach and tool you like best.

There's ransomware-as-a-service with its "here's one I made earlier" code, search engines that show connected interfaces with known vulnerabilities, and downloadable and easy-to-use scanning tools for the discerning script kiddie.

Heck, why bother with tools that need time and effort to find vulnerable systems? Why not just steal credentials and log in via the front door?
https://www.theregister.co.uk/2018/09/17/compromised_credentials/

A good overview of today's reality. If you lift the tinfoil a little, you can easily see that things are the same as they were at the turn of the millennium, and although technology, devices and software have moved forward, people have stayed the same. The cold reality is that nothing is burglar-proof, but things can be made difficult for those who try.
 

ctg

Commander-in-Chief
Researchers have uncovered two flaws that leave more than 100,000 NUUO-branded internet-connected surveillance cameras open to remote takeover.

Tenable Research on Monday laid claim to discovering two bugs in the NUUO Network Video Recorder software that can be exploited to covertly access a camera's video feed or simply take over the device with malware.

The bugs, named "Peekaboo" for marketing purposes, were both spotted in the NVRMini2, a network-attached device that both stores video recordings and acts as a control gateway for admins and remote viewers.

The first of the two flaws (CVE-2018-1149) is a remote code execution vulnerability that can be exploited by overflowing a buffer. An attacker exploits the bug by connecting to a network- or internet-facing device, and submitting a malformed cookie to its web-based control panel that triggers the flaw in the cgi_system binary.

Once the bug has been exploited, the attacker would be able to inject and execute commands with root privileges. From there, the attacker would be able to do anything from seize control of the camera and access all of its video footage to loading up the device with botnet clients to use for other attacks.

The second flaw, meanwhile, would allow an attacker to covertly access a network- or internet-connected camera's controls without needing to trigger a buffer overflow or other programming cockup. Rather, CVE-2018-1150 is a leftover bit of debug code that allows the attacker to pull up all user accounts and change passwords. The attacker would also be able to control the camera and view recordings.
https://www.theregister.co.uk/2018/09/17/nuuo_cameras_rce/
 

ctg

Commander-in-Chief
The infamous Pegasus spyware, which targets iPhones and Android devices, has allegedly infiltrated 45 different countries across the globe — and six of those countries have used surveillance malware in the past to abuse human rights, a group of researchers claimed Tuesday.

Researchers from The Citizen Lab scanned the internet in a massive project that took place between 2016 and 2018, sniffing out servers associated with the Pegasus mobile spyware, attributed to Israel-based company NSO Group as an offering for state-level actors around the world.

“The number of Pegasus servers we detected in our scans ballooned from about 200 in 2016 to almost 600 in 2018. This may be an indication that NSO Group is scaling up their operations,” Bill Marczak, senior research fellow at The Citizens Lab and one of the researchers on the team, told Threatpost.

The malware has been active since August 2016 when it was discovered that the NSO Group was selling the mobile spyware to governments and third-parties who wanted its surveillance capabilities in order to read texts, track calls, collect passwords, trace phone locations and gather data from apps of victims.

Pegasus is generally spread through a specially crafted exploit link (via phishing techniques) which when clicked delivers a chain of zero-day exploits to penetrate security features on the phone. The Citizen Lab’s latest report shows that Pegasus has grown more widespread – and alleges that it’s being used by certain countries to target human rights.

That includes the expansion of Pegasus usage in Gulf Cooperation Council countries in the Middle East – particularly to track dissidents, such as UAE activist Ahmed Mansoor, who was targeted by the spyware in 2016; and an Amnesty International staffer and Saudi activist in June 2018.

“Our findings paint a bleak picture of the human-rights risks of NSO’s global proliferation,” researchers said in a Tuesday post. “At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates.”
https://threatpost.com/dangerous-pegasus-spyware-has-spread-to-45-countries/137506/