Monthly Archives: July 2017

Crooks Reused Passwords on Hansa and Dream, so Dutch Police Hijacked Their Accounts after running Hansa for a month

Posted on by
Reply

Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors.
Police gain access to Dream accounts via password reuse

In the first, Dutch investigators have taken the passwords of vendors who have the same usernames on both the old Hansa Market and the Dream Market — today’s top Dark Web marketplace after the seizure of the Hansa and AlphaBay marketplaces.

If vendors reused passwords and they didn’t activate 2FA for their Dream Market accounts, authorities take over the profiles, change passwords, and lock the vendors out of their shops.
[…]
The second method of operation spotted by the Dark Web community involves so-called “locktime” files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20.

Under normal circumstances a locktime file is a simple log of a vendor’s market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa’s signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale’s conclusion, or if the market was down due to technical reasons.

According to people familiar with Hansa’s inner workings who shared their knowledge with Bleeping Computer, Hansa locktime files were usually just a simple text file.

Source: Crooks Reused Passwords on the Dark Web, so Dutch Police Hijacked Their Accounts

It took DEF CON hackers minutes to pwn these US voting machines

Posted on by
Reply

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.

In less than 90 minutes, the first cracks in the systems’ defenses started appearing, revealing an embarrassing low level of security. Then one was hacked wirelessly.
[…]
The machines – from Diebolds to Sequoia and Winvote equipment – were bought on eBay or from government auctions, and an analysis of them at the DEF CON Voting Village revealed a sorry state of affairs. Some were running very outdated and exploitable software – such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes.

Source: It took DEF CON hackers minutes to pwn these US voting machines

In Car Head up Displays

Posted on by
Reply

Life has changed since 2007 and 2012 so it’s time for a rundown of modern systems!

For around $400,- you get Navdy, which takes some time to set up but offers the best solution for sale at the moment. It has map navigation, notifications, direct sunlight, hand gestures and control button on the steering wheel. You can answer calls, set up your music, etc. It’s well thought out and works best with you smartphone connected. It’s clearly visible in sunlight. It has it’s own screen through which you look.

homepage

amazon product page

Garmin has one which is way more basic, but also way cheaper at $150,-. It works with Garmin Streetpilot or Navigon apps for navigation. Also clearly visible in sunlight and has a reflector lens or can project onto a sticker on your windshield.

Garmin site + buy it

For around EUR 45,- you can buy an A8 system. It’s a bit more limited in it’s display (no navigation) and projects onto your windshield, which means you need to place a sticker in order to see it properly in daylight. For the price though, you can’t complain!

Megagadgets

Amazon

The we have the category: put your smartphone in it and project onto our little screen. Hudway Glass is an example of this. At $50,- they are clearly overpriced (and you can buy them cheaper om Amazon!) and you also need HUD software for it (if you have an iphone look at Atoll Ordenadores with ASmartHud+ and many others).

Hudway Glass

There are two promising pre-orders out there:

Exploride can be pre-ordered for $300 and will be produced for $500. This is a complete unit with its’ own screen and connects to you smartphone for lots of functionality

Carloudy which is an e-ink wireless HUD that connects to your smartphone. It has a voice command interface. It looks like it reflects onto a windshield sticker You can sign into the public beta in the US now for $260,-

Finally the Continental HUD as used in Mercedes, Audi and BMW. The information is very basic but the visibility is great from all angles.

EVE Online’s Real Life Planet-Discovery Minigame Is Live Now

Posted on by
Reply
Project Discovery, a collaborative project between CCP Games, Massively Multiplayer Online Science (MMOS), and the University of Geneva, aims to use EVE’s playerbase to locate, identify and catalog real life planets outside the bounds of our own solar system. By quantifying scientific data provided by the Keplar Satellite telescope, EVE players can save university scholars hundreds of thousands of hours of work, and potentially advance their research by several years.

Source: EVE Online’s Real Life Planet-Discovery Minigame Is Live Now

Netherlands turns into total surveillance state: unsupervised mass internet tapping, storage and sharing with whoever they feel like

Posted on by
Reply

AMSTERDAM (Reuters) – The Dutch Senate passed a law early on Wednesday giving intelligence agencies broad new surveillance and other powers, including the ability to gather data from large groups of people at once.

The Senate’s approval was the last hurdle for the “tapping law,” which was moulded into its current form after years of debate and criticism from both the country’s constitutional courts and online privacy advocates.

The law, which was passed with broad support, will go into effect this month after it is signed by the country’s monarch and circulated in the official legislative newspaper.

Online rights group Bits of Freedom warned the Netherlands’ military and civil intelligence agencies will now have the opportunity to tap large quantities of internet data traffic, without needing to give clear reasons and with limited oversight.

They also object to a three-year term for storage of data that agencies deem relevant, and the possibility for them to exchange information they cull with foreign counterparts.

Source: Dutch pass ‘tapping’ law, intelligence agencies may gather data en masse

Bloke takes over every .io domain by snapping up crucial name servers

Posted on by
Reply

Want to control over 270,000 websites? That’ll be $96 and a handover cockup, please

Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register.

Out of interest, he tried to buy them and was amazed to find the registration went through – leaving him potentially in control of hundreds of thousands of websites.

These crucial name servers – specifically, a0.nic.io, b0.nic.io, c0.nic.io, ns-a1.io, ns-a2.io, ns-a3.io, and ns-a4.io – are like the telephone directories of the .io space. If your web browser wants to connect to, say, github.io, it may have to go out to one of these authoritative name servers to convert github.io into a public IP address to connect to.

Those nic.io and ns-aX.io addresses should be owned and maintained by .io’s operators. But Bryant was able to purchase and register ns-a1.io, ns-a2.io, ns-a3.io, and ns-a4.io, and point them at his own DNS servers, allowing him to, if he wanted, potentially redirect connections to any .io domain to a server of his choosing.

Source: Bloke takes over every .io domain by snapping up crucial name servers

.io registry is sticking it’s head in the sand. oops.

CIA Vault 7 tools steal active SSH sessions on Linux and Windows

Posted on by
Reply

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

Web inventor Sir Tim and W3C decide to close up the web: world has 2 weeks to appeal

Posted on by
Reply

Traditionally, web technology has been open. HTML markup, CSS, and JavaScript code can be viewed (though not necessarily easily understood, thanks to minification), remixed, and reused. The web’s openness allowed it to flourish.

But those selling costly content – software and media companies – prefer open wallets to anything goes. So they have employed copy deterrence schemes based on proprietary technologies like Adobe Flash and Wildvine to make high-value content viewable but not easily copyable in web browsers. However, this approach leaves much to be desired in terms of user experience and ongoing compatibility.

The Encrypted Media Extensions API – supported by companies like Apple, Google, Microsoft and Netflix and opposed by the free software community, academic researchers, and foes of anti-piracy mechanisms – provides a standards-based mechanism to display DRM-protected content in compliant web browsers.

Source: Web inventor Sir Tim sizes up handcuffs for his creation – and world has 2 weeks to appeal

The argument Tim Berners-Lee gives why he agreed to this (“If W3C did not recommend EME, then the browser vendors would just make it outside W3C,” he wrote. “…It is better for users for the DRM to be done through EME than other ways.”) is inane! If he doesn’t agree, then the vendors would all go around implementing different standards (as they historically and to the great annoyance of web designers everywhere have done) and DRM would only work on one type of browser. I thought by now we realised that DRM doesn’t work, is expensive in terms of money and resources and gets broken pretty much the day it leaves the factory.

Create a user called ‘0day’, get bonus root privs – thanks, Systemd!

Posted on by
Reply

To obtain root privileges on a Linux distribution that utilizes systemd for initialization, start with an invalid user name in the systemd.unit file.

Linux usernames are not supposed to begin with numbers, to avoid ambiguity between numeric UIDs and alphanumeric user names. Nevertheless, some modern Linux distributions, like RHEL7 and CentOS, allow this.

The systemd software will not allow unit files to be created with an invalid user name. But other tools can create such files.

Curiously, if systemd encounters an invalid name in a unit file, like “0day,” it will ignore the parameter and create the requested service. As the documentation states, “If systemd encounters an unknown option, it will write a warning log message but continue loading the unit.”

But it will run the unit with root privileges instead of rejecting it or adopting more restrictive permissions.

Source: Create a user called ‘0day’, get bonus root privs – thanks, Systemd!

Systemd claims it’s not a bug!

At 18, He Strapped a Rocket Engine to His Bike. Now He’s Taking on SpaceX: Rocket Lab, led by someone who knows what he’s  doing!

Posted on by
Reply

After decades of tinkering, Peter Beck and Rocket Lab are poised to bring low-cost launches to the world.

Source: At 18, He Strapped a Rocket Engine to His Bike. Now He’s Taking on SpaceX

As opposed to running a company on insane working hours and crazy project changes, this guy is launching rockets at $5m per pop, doing 500lbs. He has a launch site that allows for a huge amount of launches into many different areas. His engines are simple and actually work. It’s a great story of a space startup that looks like it actually will work.