Sunday Reuters reported that “a sophisticated hacking group” backed by “a foreign government” has stolen information from America’s Treasury Department, and also from “a U.S. agency responsible for deciding policy around the internet and telecommunications.”

The Washington Post has since attributed the breach to “Russian government hackers,” and discovered it’s “part of a global espionage campaign that stretches back months, according to people familiar with the matter.” Officials were scrambling over the weekend to assess the extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said. The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service and breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration… [The Washington Post has also reported this is the group responsible for the FireEye breach. -Ed]

All of the organizations were breached through the update server of a network management system called SolarWinds, according to four people familiar with the matter. The company said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized with in a “highly-sophisticated, targeted…attack by a nation state.” The scale of the Russian espionage operation is potentially vast and appears to be large, said several individuals familiar with the matter. “This is looking very, very bad,” said one person. SolarWinds products are used by more than 300,000 organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website. SolarWinds is also used by the top 10 U.S. telecommunications companies…

APT29 compromised the SolarWinds server that sends updates so that any time a customer checks in to request an update, the Russians could hitch a ride on that update to get into a victim’s system, according to a person familiar with the matter. “Monday may be a bad day for lots of security teams,” tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.
Reuters described the breach as “so serious it led to a National Security Council meeting at the White House.”

Source: Russia Breached Update Server Used by 300,000 Organizations, Including the NSA – Slashdot

The European Medicines Agency (EMA), the EU regulatory body in charge of approving COVID-19 vaccines, said today it was the victim of a cyber-attack.

In a short two-paragraph statement posted on its website today, the agency discloses the security breach but said it couldn’t disclose any details about the intrusion due to an ongoing investigation.

EMA is currently in the process of reviewing applications for two COVID-19 vaccines, one from US pharma giant Moderna, and a second developed in a collaboration between BioNTech and Pfizer.

[…]

in a follow-up statement released on its own website, BioNTech said that “some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed” during the attack, confirming that COVID-19 research was most likely the target of the attack.

Over the past months, numerous companies working on COVID-19 research and vaccines have been the targets of hackers, and especially of state-sponsored hacking groups.

Companies like Johnson & Johnson, Novavax, Genexine, Shin Poong Pharmaceutical, Celltrion, AstraZeneca, Moderna, and Gilead have been targeted by hackers, according to reports from Reuters and the Wall Street Journal.

In November, OS maker and cyber-security giant Microsoft said it detected three nation-state hacking groups (known as APTs) targeting seven companies working on COVID-19 vaccines, singling out Russia’s Strontium (Fancy Bear) and North Korea’s Zinc (Lazarus Group) and Cerium for the attacks.

[…]

Source: EU agency in charge of COVID-19 vaccine approval says it was hacked | ZDNet

Since the start of the coronavirus pandemic, we’ve seen hackers target efforts to develop a COVID-19 vaccine, but it now seems they’re shifting their attention to the supply chain that will distribute those vaccines to people across the world.

IBM says it recently uncovered a highly coordinated global phishing campaign focused on the companies and organizations involved with the upcoming “cold chain” distribution of COVID-19 vaccines. That’s the part of the supply network that ensures those vaccines stay cold enough so that they don’t go bad. It’s a critically important aspect of the two leading vaccine candidates from Pfizer and Moderna, as they need to be kept at minus 94 degrees Fahrenheit and minus 4 degrees Fahrenheit, respectively.

The hackers impersonated an executive with Haier Biomedical, a Chinese company that styles itself as “the world’s only complete cold chain provider.” They sent meticulously researched phishing emails that included an HTML attachment asking the recipient to input their credentials. They could have used that information later to gain access to sensitive networks.

The campaign, which IBM says has “the potential hallmarks” of a state-sponsored effort, cast a wide net. The company only named one target explicitly — the European Commission’s Directorate-General for Taxation and Customs Union — but said the campaign targeted at least 10 different organizations, including a dev shop that makes websites for pharmaceutical and biotech companies. The company doesn’t know if any of the attacks were ultimately successful in their goal.

[…]

Source: Hackers are trying to disrupt the COVID-19 vaccine supply chain | Engadget

On Nov. 16, 2020, Virginia-based cybersecurity firm Shift5, Inc. announced that it had received a $2.6 million contract from the Army’s Rapid Capabilities and Critical Technologies Office (RCCTO) to “provide unified cybersecurity prototype kits designed to help protect the operational technology of the Army’s Stryker combat vehicle platform.” The company says it first pitched its plan for these kits at RCCTO’s first-ever Innovation Day event in September 2019.

[…]

“Adversaries demonstrated the ability to degrade select capabilities of the ICV-D when operating in a contested cyber environment,” according to an annual report from the Pentagon’s Office of the Director of Operational Test and Evaluation, or DOT&E, covering activities during the 2018 Fiscal Year. “In most cases, the exploited vulnerabilities pre-date the integration of the lethality upgrades.”

The “lethality upgrades” referred to here center on the integration of a turret armed with a 30mm automatic cannon onto the Infantry Carrier Vehicle (ICV) variant of the Stryker, resulting in the Dragoon version. The indication here is that the cyber vulnerabilities were present in systems also found on unmodified ICVs, suggesting that the issues are, or at least were, impacted other Stryker variants, as well.

Source: Army Hires Company To Develop Cyber Defenses For Its Strykers After They Were Hacked

The Information Commissioner’s Office has fined Ticketmaster £1.25m after the site’s operators failed to spot a Magecart card skimmer infection until after 9 million customers’ details had been slurped by criminals.

The breach began in February 2018 and was not detected until April, when banks realised their customers’ cards were being abused by criminals immediately after they were used for legitimate purchases on Ticketmaster’s website.

Key to the criminals’ success was Ticketmaster’s decision to deploy a Javascript-powered chatbot on its website payment pages, giving criminals an easy way in by compromising the third party’s JS – something the ICO held against Ticketmaster in its decision to award the fine.

Ticketmaster ‘fessed up to world+dog in June that year, and the final damage has now been revealed by the Information Commissioner’s Office (ICO): 9.4m people’s data was “potentially affected” of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced; and Ticketmaster itself doesn’t know how many people were affected between 25 May and 23 June 2018.

Today’s fine only applies to that May-June period, which happens to be after the Data Protection Act 2018 – the UK implementation of the EU’s GDPR – came into force. This allowed the ICO to impose a higher penalty than it could have done under the pre-GDPR legal regime.

[…]

Ticketmaster remains in denial about its culpability for the breach, telling The Register in a statement: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today’s announcement.”

Inbenta Technologies supplied a custom Javascript-powered chatbot to Ticketmaster which was compromised by the Magecart operators.

Crucially, for whatever reason, Ticketmaster deployed the chatbot on its payment pages, giving the criminals a way in.

As we reported in 2018, Inbenta told us of Ticketmaster’s deployment of the Javascript in question: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

[…]

“It took Ticketmaster approximately nine weeks from the date of Monzo’s notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon,” said an incredulous ICO, which noted that it took a random Twitter user explaining why JS on a payments page is a bad thing for the business to wake up and do something about it.

Barclaycard and American Express also noticed suspicious goings-on in April 2018, but Ticketmaster steadfastly denied anything was wrong until May, eventually realising the game was up in June.

[…]

Source: Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal • The Register

The Campari Group recently experienced a ransomware attack that allegedly shut down the company’s servers. The malware, created by the RagnarLocker gang, essentially locked corporate servers and allowed the hackers to exfiltrate “2 terabytes” of data, according to the hackers.

On Nov. 6, the company wrote, “at this stage, we cannot completely exclude that some personal and business data has been taken.”

Clearly, it has.

While the booze company admitted to the attack, it’s clear that they haven’t get paid the ransom, as the hackers reportedly took out Facebook ads that targeted Campari Group employees on Facebook.

To post the ads, the hackers broke into a business-focused account owned by another victim, Chris Hodson, and used his credit card to pay for $500 worth of ads. Hodson, a Chicago-based DJ, told security researcher Brian Krebs he had set up two-factor authentication but that the hackers were still able to crack his Hodson Event Entertainment account.

“Hodson said a review of his account shows the unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks, with a cost-per-result of 21 cents,” wrote Krebs. “Of course, it didn’t cost the ransomware group anything. Hodson said Facebook billed him $35 for the first part of the campaign, but apparently detected the ads as fraudulent sometime this morning before his account could be billed another $159 for the campaign.”

[…]

Facebook isn’t the only method the Ragnar group is using to reach out to victims. Security experts believe the hacking group is also now hiring outgoing call center operators in India to help victims remember who, ultimately, is in charge of their data.

Source: Campari Ransomware Hackers Take Out Facebook Ads to Get Paid

Hackers are currently selling a trove of 3 million credit card numbers and customer records apparently stolen from Dickey’s Barbecue Pit, one of the biggest barbecue chains in the United States.

The company made a statement today about the hack, suggesting that charges made to the stolen cards will be reversed.

[…]

Security firm Gemini Advisory found the data on a hacker site called The Joker’s Stash under the name “BLAZINGSUN.” The data appears to have come from magstripe data on customer cards.

“This represents a broader challenge for the industry, and Dickey’s may become the latest cautionary tale of facing lawsuits in addition to financial damage from cybersecurity attacks,” wrote Gemini researchers.

Dickey’s experienced a ransomware attack in 2015 and recently claimed to have locked down their servers. This recent attack, however, suggests that hackers have breached a central payments service and could have even more data available for sale.

The hackers are selling the card numbers on Joker’s Stash for $17 each. Because each Dickey’s location is able to run its own point-of-sale system, it seems that this breach affected a central payments processor, allowing hackers to gain access to data from 156 of the company’s 469 locations. The hackers claim the data is “high valid,” meaning 90 to 100 percent of the cards are active and usable.

Source: Dickey’s Barbecue Pit Hackers May Have 3M Stolen Credit Cards

The scale of these data breaches now is incredible. And considering BA has been fined $26m for allowing 400,000 customer records to be stolen, I’m pretty sure Dickey’s can be glad they are not in the EU!

Barnes and Noble tonight confirmed it was hacked, and that its customers’ personal information may have been accessed by the intruders. The cyber-break-in forced the bookseller to take its systems offline this week to clean up the mess. See our update at the end of this piece. Our original report follows.

Bookseller Barnes and Noble’s computer network fell over this week, and its IT staff are having to restore servers from backups.

The effects of the collapse were first felt on Sunday, with owners of B&N’s Nook tablets discovering they were unable to download their purchased e-books to their gadgets nor buy new ones. That is to say, if they had bought an e-book and hadn’t downloaded it to their device before B&N’s cloud imploded, they would be unable to open and read the digital tome. The bookseller’s Android and Windows 10 apps were similarly affected.

It soon became clear the problem was quite serious when some cash registers in Barnes and Noble’s physical stores also briefly stopped working.

[…]

Shortly after this article was published, Barnes & Noble confirmed in an email to customers that it was hacked. The biz said it found out over the weekend, on October 10, that miscreants had broken into its computer systems, adding that customers’ personal information stored on file may have been accessed or taken by the intruders. This info includes names, addresses, telephone numbers, and purchase histories.

Source: Confirmed: Barnes & Noble hacked, systems taken offline for days, miscreants may have swiped personal info • The Register

German authorities said Thursday that what appears to have been a misdirected hacker attack caused the failure of IT systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment.

The Duesseldorf University Clinic’s systems have been disrupted since last Thursday. The hospital said investigators have found that the source of the problem was a hacker attack on a weak spot in “widely used commercial add-on software,” which it didn’t identify.

As a consequence, systems gradually crashed and the hospital wasn’t able to access data; emergency patients were taken elsewhere and operations postponed.

The hospital said that that “there was no concrete ransom demand.” It added that there are no indications that data is irretrievably lost and that its IT systems are being gradually restarted.

A report from North Rhine-Westphalia state’s justice minister said that 30 servers at the hospital were encrypted last week and an extortion note left on one of the servers, news agency dpa reported. The note — which called on the addressees to get in touch, but didn’t name any sum — was addressed to the Heinrich Heine University, to which the Duesseldorf hospital is affiliated, and not to the hospital itself.

Duesseldorf police then established contact and told the perpetrators that the hospital, and not the university, had been affected, endangering patients. The perpetrators then withdrew the extortion attempt and provided a digital key to decrypt the data. The perpetrators are no longer reachable, according to the justice minister’s report.

Prosecutors launched an investigation against the unknown perpetrators on suspicion of negligent manslaughter because a patient in a life-threatening condition who was supposed to be taken to the hospital last Friday night was sent instead to a hospital in Wuppertal, a roughly 32-kilometer (20-mile) drive. Doctors weren’t able to start treating her for an hour and she died.

Source: German Hospital Hacked, Patient Taken to Another City Dies | SecurityWeek.Com

EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages. We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim’s Visa contactless card for high-value purchases, without knowledge of the card’s PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties. The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.

Source: [2006.08249] The EMV Standard: Break, Fix, Verify

[…]

Flight Radar spokesman Ian Petchenik told The Register: “At this time we understand this to be a very strong DDoS attack [orchestrated] from a single source. While it is not known why we’re being targeted, multiple flight tracking services have suffered attacks over the past two days.”

It was not immediately obvious which other sites had suffered attacks, though some had used their Twitter accounts to inform followers of planned server upgrades and updates to end-user apps.

Open source researchers claim to have picked up the live flight tracks of drones over Armenia and Azerbaijan, following armed skirmishes between the two nations over the long-disputed Nagorno-Karabakh region. The conflict gained a more international dimension earlier today when a Turkish F-16 fighter jet reportedly shot down an elderly Armenian Su-25 Frogfoot ground attack aircraft.

Another day, another #drone.

Turkish drone carrying out surveillance flights over Iraqi Kurdistan in areas with PKK activities. pic.twitter.com/AOMLXXqjVl

— Wim Zwijnenburg (@wammezz) September 25, 2020

The use of DDoSes against general-interest websites has fallen out of favour in recent years as the script kiddies behind those types of attacks in days of yore a) grew up and b) realised that ransomware is far more lucrative than crayoning over someone else’s website.

With that said, such attacks are still in use: in August someone malicious forced the New Zealand stock exchange offline, while encrypted email biz Tutanota suffered a spate of similar attacks earlier this month.

Whatever the cause of the Flight Radar 24 attacks – one knowledgeable source suggested to El Reg that the Nagorno-Karabakh conflict may have triggered a government determined to control what the wider world can see – they serve as a reminder that even one of the oldest online attack methods can still cause chaos today.

Source: Plane-tracking site Flight Radar 24 DDoSed… just as drones spotted buzzing over Azerbaijan and Armenia • The Register

Would you believe more than 1% of computers worldwide are still using Windows XP? Incredibly, there are still millions of people using 19-year-old operating system. And a recent development — if it bears out — is another reason  people need to make the switch to something newer.

On Thursday, users on 4chan posted what they claimed was the source code of Windows XP.

Posting an image of a screenshot allegedly of the source code in front of Window’s XP iconic Bliss background, one user wrote ‘sooooo Windows XP Source code leaked’. Another Redditor helpfully has uploaded the code as a torrent, assisting in its spread.

While there is no confirmation that this code is definitely Windows XP, independent researchers have begun to pick through the source code and believe it stands up to scrutiny.

[…]

 

Source: Looks Like the Windows XP Source Code Just Leaked on 4chan

Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyberespionage operation equipped with surveillance tools that can outsmart encrypted messaging systems — a capability Iran was not previously known to possess, according to two digital security reports released Friday.

The operation not only targets domestic dissidents, religious and ethnic minorities and antigovernment activists abroad, but can also be used to spy on the general public inside Iran, said the reports by Check Point Software Technologies, a cybersecurity technology firm, and the Miaan Group, a human rights organization that focuses on digital security in the Middle East.

The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said.

[…]

According to the report by Check Point’s intelligence unit, the cyberespionage operation was set up in 2014, and its full range of capabilities went undetected for six years.

[…]

The hackers appeared to have a clear goal: stealing information about Iranian opposition groups in Europe and the United States and spying on Iranians who often use mobile applications to plan protests, according to the Miaan report.

Among the most prominent victims of the attacks, the reports said, are the Mujahedeen Khalq, or M.E.K., an insurgent group that the Iranian authorities regard as a terrorist organization; a group known as the Association of Families of Camp Ashraf and Liberty Residents; the Azerbaijan National Resistance organization; citizens of Iran’s restive Sistan and Balochistan Province; and Hrana, an Iranian human rights news agency. Human rights lawyers and journalists working for Voice of America have also been targeted, Miaan said.

According to Check Point, the hackers use a variety of infiltration techniques, including phishing, but the most widespread method is sending what appear to be tempting documents and applications to carefully selected targets.

[…]

These documents contained malware code that activated a number of spyware commands from an external server when the recipients opened them on their desktops or phones. According to the Check Point report, almost all of the targets have been organizations and opponents of the government who have left Iran and are now based in Europe. Miaan documented targets in the United States, Canada and Turkey as well as the European Union.

The spyware enabled the attackers to gain access to almost any file, log clipboard data, take screenshots and steal information. According to Miaan, one application empowered hackers to download data stored on WhatsApp.

In addition, the attackers discovered a weakness in the installation protocols of several encrypted applications including Telegram, which had always been deemed relatively secure, enabling them to steal the apps’ installation files.

These files, in turn, allow the attackers to make full use of the victims’ Telegram accounts. Although the attackers cannot decipher the encrypted communications of Telegram, their strategy makes it unnecessary. Rather, they use the stolen installation files to create Telegram logins to activate the app in the victims’ names on another device. This enables the attackers to secretly monitor all Telegram activity of the victims.

“This cutting-edge surveillance operation succeeded in going under the radar for at least six years,” said Lotem Finkelstein, head of threat intelligence at Check Point. “The group maintained a multi-platform, targeted attack, with both mobile, desktop and web attack vectors, that left no evasion path for victims on the target list.”

[…]

Source: Iranian Hackers Can Beat Encrypted Apps like Telegram, Researchers Say – The New York Times

The malware that French law enforcement deployed en masse onto Encrochat devices, a large encrypted phone network using Android phones, had the capability to harvest “all data stored within the device,” and was expected to include chat messages, geolocation data, usernames, passwords, and more, according to a document obtained by Motherboard.

The document adds more specifics around the law enforcement hack and subsequent takedown of Encrochat earlier this year. Organized crime groups across Europe and the rest of the world heavily used the network before its seizure, in many cases to facilitate large scale drug trafficking. The operation is one of, if not the, largest law enforcement mass hacking operation to date, with investigators obtaining more than a hundred million encrypted messages.

“The NCA has been collaborating with the Gendarmerie on Encrochat for over 18 months, as the servers are hosted in France. The ultimate objective of this collaboration has been to identify and exploit any vulnerability in the service to obtain content,” the document reads, referring to both the UK’s National Crime Agency and one of the national police forces of France.

As well as the geolocation, chat messages, and passwords, the law enforcement malware also told infected Encrochat devices to provide a list of WiFi access points near the device, the document reads.

[…]

Encrochat was a company that offered custom-built phones that sent end-to-end encrypted messages to one another. Encrochat took a base Android device, installed its own software, and physically removed the GPS, microphone, and camera functionality to lock down the devices further. These modifications may have impacted what sort of data the malware was actually able to obtain once deployed. Encrochat phones had a panic wipe feature, where if a user entered a particular PIN it would erase data stored on the device. The devices also ran two operating systems that sat side by side; one that appeared to be innocuous, and another that contained the users’ more sensitive communications.

In a previous email to Motherboard a representative of Encrochat said the firm is a legitimate company with clients in 140 countries, and that it sets out “to find the best technology on the market to provide a reliable and secure service for any organization or individual that want[s] to secure their information.” The firm had tens of thousands of users worldwide, and decided to shut itself down after discovering the hack against its network.

Encrochat’s customers included a British hitman who assassinated a crime leader and an armed robber, and various violent gangs around Europe including those who used so-called “torture chambers.” Some of the users may have been legitimate, however.

Since the shutdown, police across Europe have arrested hundreds of alleged criminals who used the service. Motherboard previously obtained chat logs that prosecutors have presented as evidence against one drug dealer.

Running an encrypted phone company is not typically illegal in-and-of-itself. The U.S. Department of Justice charged Vince Ramos, the CEO of another firm called Phantom Secure with racketeering conspiracy and other charges after an undercover investigation caught him saying the phones were made for drug trafficking. Phantom Secure started as a legitimate firm before catering more to the criminal market. Ramos was sentenced to nine years in prison in May 2019.

Source: European Police Malware Could Harvest GPS, Messages, Passwords, More

How they harvested GPS from devices with the functionality physically removed is a mystery to me, although wifi networks definitely provide a pretty good form of geolocation

More than a dozen internet service providers (ISPs) across Europe have reported DDoS attacks that targeted their DNS infrastructure.

The list of ISPs that suffered attacks over the past week includes Belgium’s EDP, France’s Bouygues Télécom, FDN, K-net, SFR, and the Netherlands’ Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl.

Attacks lasted no longer than a day and were all eventually mitigated, but ISP services were down while the DDoS was active.

NBIP, a non-profit founded by Dutch ISPs to collectively fight DDoS attacks and government wiretapping attempts, provided ZDNet with additional insights into the past week’s incidents.

“Multiple attacks were aimed towards routers and DNS infrastructure of Benelux based ISPs,” a spokesperson said. “Most of [the attacks] were DNS amplification and LDAP-type of attacks.”

“Some of the attacks took longer than 4 hours and hit close to 300Gbit/s in volume,” NBIB said.

[…]

Source: European ISPs report mysterious wave of DDoS attacks | ZDNet

In July 2017, Tesla CEO Elon Musk got on stage at the National Governors Association in Rhode Island and confirmed that a “fleet-wide hack” is one of Tesla’s biggest concerns as the automaker moves to autonomous vehicles.

He even presented a strange scenario that could happen in an autonomous future:

“In principle, if someone was able to say hack all the autonomous Teslas, they could say – I mean just as a prank – they could say ‘send them all to Rhode Island’ [laugh] – across the United States… and that would be the end of Tesla and there would be a lot of angry people in Rhode Island.”

What Musk knew that the public didn’t was that Tesla got a taste of that actually happening just a few months prior to his talk.

The Big Tesla Hack

Back in 2017, Jason Hughes was already well known in the Tesla community under his WK057 alias on the forums.

He was an early member of the Tesla “root access” community, a group of Tesla owners who would hack their own cars to get more control over them and even unlock unreleased features.

[…]

After Tesla started to give customers access to more data about Supercharger stations, mainly the ability to see how many chargers were currently available at a specific charging station through its navigation app, Hughes decided to poke around and see if he could expose the data.

He told Electrek:

“I found a hole in the server-side of that mechanism that allowed me to basically get data for every Supercharger worldwide about once every few minutes.”

The hacker shared the data on the Tesla Motors Club forum, and the automaker seemingly wasn’t happy about it.

Someone who appeared to be working at Tesla posted anonymously about how they didn’t want the data out there.

Hughes responded that he would be happy to discuss it with them.

20 minutes later, he was on a conference call with the head of the Supercharger network and the head of software security at Tesla.

They kindly explained to him that they would prefer for him not to share the data, which was technically accessible through the vehicles. Hughes then agreed to stop scraping and sharing the Supercharger data.

After reporting his server exploit through Tesla’s bug reporting service, he received a $5,000 reward for exposing the vulnerability.

With now having more experience with Tesla’s servers and knowing that their network wasn’t the most secure, to say the least, he decided to go hunting for more bug bounties.

After some poking around, he managed to find a bunch of small vulnerabilities.

The hacker told Electrek:

“I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was ‘Mothership’.”

Mothership is the name of Tesla’s home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through “Mothership.”

After downloading and dissecting the data found in the repository, Hughes started using his car’s VPN connection to poke at Mothership. He eventually landed on a developer network connection.

That’s when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla’s fleet.

All he needed was a vehicle’s VIN number, and he had access to all of those through Tesla’s “tesladex” database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.

At the time, I gave Hughes the VIN number of my own Tesla Model S, and he was able to give me its exact location and any other information about my own vehicle.

[…]

Hughes couldn’t really send Tesla cars driving around everywhere like Tesla’s CEO described in a strange scenario few months later, but he could “Summon” them.

In 2016, Tesla released its Summon feature, which enables Tesla owners to remotely move their cars forward or backward a few dozen feet without anyone in them.

[…]

the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit:

Source: The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy – Electrek

Uber’s chief security officer, Joe Sullivan broke the law by hushing up the theft of millions of people’s details from the app maker’s databases by hackers, prosecutors say.

Sullivan, 52, formerly of eBay, Facebook, and PayPal, was today charged with obstruction of justice and misprision – concealing knowledge of a crime from law enforcement – by the US District Attorney for Northern California, an office he briefly worked for back in the day. These come with potentially five and three-year prison sentences, respectively, and a fine of up to $250,000 apiece.

According to the government, the charges [PDF] stem from Sullivan’s efforts to cover up the 2016 security breach at Uber in which miscreants siphoned from internal databases the personal information of 57 million passengers and 600,000 drivers, including their driving license details.

The hack was significant enough that Sullivan was “visibly shaken” by the break-in, particularly after Uber had been dealing with the fallout from a 2014 cyber-intrusion, according to FBI special agent Mario Scussel.

“A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out,” Scussel claimed in court filings this week.

We’re told that, rather than informing the Feds and publicly disclosing the security lapse, Sullivan instead sought to hush up the hack by buying the silence of the intruders with $100,000 in Bitcoins, making them sign confidentiality agreements to keep the details under wraps, and playing the whole thing off as a reward for finding a bug in Uber’s systems rather than characterizing it more accurately as a data leak.

Source: Ex-Uber chief security officer charged, accused of covering up theft of personal info from databases by hackers • The Register

Researchers have demonstrated that they can make a working 3D-printed copy of a key just by listening to how the key sounds when inserted into a lock. And you don’t need a fancy mic — a smartphone or smart doorbell will do nicely if you can get it close enough to the lock.

The next time you unlock your front door, it might be worth trying to insert your key as quietly as possible; researchers have discovered that the sound of your key being inserted into the lock gives attackers all they need to make a working copy of your front door key.

It sounds unlikely, but security researchers say they have proven that the series of audible, metallic clicks made as a key penetrates a lock can now be deciphered by signal processing software to reveal the precise shape of the sequence of ridges on the key’s shaft. Knowing this (the actual cut of your key), a working copy of it can then be three-dimensionally (3D) printed.

How Soundarya Ramesh and her team accomplished this is a fascinating read.

Once they have a key-insertion audio file, SpiKey’s inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock’s pins [and you can hear those filtered clicks online here]. These clicks are vital to the inference analysis: the time between them allows the SpiKey software to compute the key’s inter-ridge distances and what locksmiths call the “bitting depth” of those ridges: basically, how deeply they cut into the key shaft, or where they plateau out. If a key is inserted at a nonconstant speed, the analysis can be ruined, but the software can compensate for small speed variations.

The result of all this is that SpiKey software outputs the three most likely key designs that will fit the lock used in the audio file, reducing the potential search space from 330,000 keys to just three. “Given that the profile of the key is publicly available for commonly used [pin-tumbler lock] keys, we can 3D-print the keys for the inferred bitting codes, one of which will unlock the door,” says Ramesh.

Source: Researchers Can Duplicate Keys from the Sounds They Make in Locks

Zoombombers today disrupted a court hearing involving the Florida teen accused of masterminding a takeover of high-profile Twitter accounts, forcing the judge to stop the hearing. “During the hearing, the judge and attorneys were interrupted several times with people shouting racial slurs, playing music, and showing pornographic images,” ABC Action News in Tampa Bay wrote. A Pornhub video forced the judge to temporarily shut down the hearing.

The Zoombombing occurred today when the Thirteenth Judicial Circuit Court of Florida in Tampa held a bail hearing for Graham Clark, who previously pleaded not guilty and is reportedly being held on $725,000 bail. Clark faces 30 felony charges related to the July 15 Twitter attack in which accounts of famous people like Elon Musk, Bill Gates, Jeff Bezos, and Joe Biden were hijacked and used to push cryptocurrency scams. Hackers also accessed direct messages for 36 high-profile account holders.

Today, Judge Christopher Nash ruled against a request to lower Clark’s bail amount. But before that, the judge “shut down the hearing for a short time” when arguments were interrupted by “pornography… foul language and rap music,” Fox 13 reporter Gloria Gomez wrote on Twitter.

“I’m removing people as quickly as I can whenever a disruption happens,” Nash said after one Zoombomber interrupted a lawyer. A not-safe-for-work portion of the hearing was posted by a Twitter user here. The first 47 seconds are safe to watch and include Nash’s comment about removing Zoombombers, but the rest of the video includes the Pornhub clip that caused Nash to shut down the hearing.

There were still problems after the hearing resumed, the Tampa Bay Times wrote:

Hoping a brief pause would filter out the interrupters, Nash reopened the meeting. But users who disguised their names as CNN and BBC News resumed their interruptions.

Nash was ultimately able to rule, declining to lower the bail amount. He did, however, remove a requirement that Clark prove the legitimacy of his assets. Lawyers have said he has $3 million in Bitcoin under his control.

“Predictably, the Zoom hearing for the 17-year-old alleged Twitter hacker in Fla. was bombed multiple times, with the final bombing of a pornhub clip ending the zoom portion of the proceedings,” security reporter Brian Krebs wrote on Twitter. “How the judge in charge of the proceeding didn’t think to enable settings that would prevent people from taking over the screen is beyond me. My guess is he didn’t know he could.”

Nash said that he’ll require a password next time, according to WFLA reporter Ryan Hughes.

Source: Zoombomber crashes court hearing on Twitter hack with Pornhub video | Ars Technica

In December 2019 I wrote about The Growing Problem of Malicious Relays on the Tor Network with the motivation to rise awareness and to improve the situation over time. Unfortunately instead of improving, things have become even worse, specifically when it comes to malicious Tor exit relay activity.

Tor exit relays are the last hop in the chain of 3 relays and the only type of relay that gets to see the connection to the actual destination chosen by the Tor Browser user. The used protocol (i.e. http vs. https) by the user decides whether a malicious exit relay can actually see and manipulate the transferred content or not.

[…]

One key question of malicious relay analysis always is: What hosting companies did they use? So here is a break down by used internet service provider. It is mostly OVH (one of the — generally speaking — largest ISPs used for Tor relays). Frantech, ServerAstra and Trabia Network are also known providers for relays. “Nice IT Services Group” looks interesting, since I’ve never seen relays on this obscure network before the attacker added some of his relays there on 2020–04–16.

[…]

The full extend of their operations is unknown, but one motivation appears to be plain and simple: profit.
They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays. They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings. It is hard to detect for Tor Browser users that do not specifically look for the “https://” in the URL bar.

[…]

There are established countermeasures, namely HSTS Preloading and HTTPS Everywhere, but in practice many website operators do not implement them and leave their users vulnerable to this kind of attack. This kind of attack is not specific to Tor Browser. Malicious relays are just used to gain access to user traffic. To make detection harder, the malicious entity did not attack all websites equally. It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.

[…]

Summary

• Since the disclosure of large scale attacks on the Tor network (malicious operator did run >10% of Tor’s guard capacity) in December 2019, no improvements with regards to malicious Tor relays have been implemented.
• The malicious Tor relay operator discussed in this blog post controlled over 23% of the entire Tor network exit capacity (as of 2020–05–22)
• The malicious operator demonstrated to recover their capacity after initial removal attempts by Tor directory authorities.
• There are multiple indicators that suggest that the attacker still runs >10% of the Tor network exit capacity (as of 2020–08–08)
• The reoccurring events of large scale malicious Tor relay operations make it clear that current checks and approaches for bad-relays detection are insufficient to prevent such events from reoccurring and that the threat landscape for Tor users has changed.
• Multiple specific countermeasures have been proposed to tackle the ongoing issue of malicious relay capacity.
• It is up to the Tor Project and the Tor directory authorities to act to prevent further harm to Tor users.
• […]

Source: How Malicious Tor Relays are Exploiting Users in 2020 (Part I) | by nusenu | Aug, 2020 | Medium

A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers.

ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.

According to a review, the list includes:

• IP addresses of Pulse Secure VPN servers
• Pulse Secure VPN server firmware version
• SSH keys for each server
• A list of all local users and their password hashes
• Admin account details
• Last VPN logins (including usernames and cleartext passwords)
• VPN session cookies

Bank Security, a threat intelligence analyst specialized in financial crime and the one who spotted the list earlier today and shared it with ZDNet, made an interesting observation about the list and its content.

The security researcher noted that all the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to the CVE-2019-11510 vulnerability.

Bank Security believes that the hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain access to systems, dump server details (including usernames and passwords), and then collected all the information in one central repository.

Based on timestamps in the list (a collection of folders), the dates of the scans, or the date the list was compiled, appear to between June 24 and July 8, 2020.

Source: Hacker leaks passwords for 900+ enterprise VPN servers | ZDNet

A massive hack has hit Reddit today after tens of Reddit channels have been hacked and defaced to show messages in support of Donald Trump’s reelection campaign.

The hacks are still ongoing at the time of writing, but we were told Reddit’s security team is aware of the issue and has already begun restoring defaced channels.

A partial list of impacted channels (subreddits) is available below. This includes Reddit channels for the NFL, many TV shows, The Pirate Bay, Disneyland, Disney’s Avengers, several city channels, and more. Combined, the channels have tens of millions of subscribers.

• r/NFL
• r/CFB (US College Football)
• r/TPB (The Pirate Bay’s Reddit channel)
• r/BlackMirror (TV show)
• /r/Buffy (TV show)
• r/Avengers (Movie franchise)
• r/Vancouver (city)
• r/Dallas (city)
• r/Plano (city)
• r/Japan
• r/Gorillaz (music band)
• r/Podcasts
• /r/Disneyland
• r/49ers (NFL team)
• /r/BostonCeltics (NBA team)
• r/Leafs (Toronto Mapple Leafs)
• /r/EDM (electronic dance music channel)
• /r/Food
• r/Beer
• r/Renting
• r/Lockpicking
• r/Subaru (car maker)
• r/freefolk (Game of Thrones fan channel)
• r/Space
• r/ISS
• r/DestinyTheGame (video game)
• r/LawSchool
• r/StartledCats
• r/TheDailyZeitgeist
• r/Supernatural
• /r/Naruto
• /r/RupaulsDragRace
• r/GRE
• r/GMAT
• r/greatbritishbakeoff
• r/11foot8
• r/truecrimepodcasts
• r/comedyheaven
• r/weddingplanning
• r/Chadsriseup
• r/BertStrips
• r/KingkillerChronicle (book series)
• r/PoliticalDiscussion
• r/MadLads
• r/DNDMemes
• r/woodpaneled
• r/telescopes
• r/WeAreTheMusicMakers
• r/DeTrashed
• r/Samurai8
• r/3amjokes
• r/ANGEL
• r/PhotoshopBattles
• r/Animemes
• r/comedyheaven/
• r/awwducational
• r/gamemusic
• r/hentaimemes
• r/ShitAmericansSay
• r/ShitPostCrusaders
• r/SweatyPalms
• r/Locklot
• r/BadHistory
• r/CrewsCrew/
• r/ListenToThis
• r/PokemonGOBattleLeague
• r/FacingTheirParenting
• r/TwoSentenceHorror
• r/BookSuggestions
• r/FreezingFuckingCold/
• r/woof_irl
• r/BurningAsFuck
• r/ImagineThisView
• r/AnotherClosetAtheist
• r/CasualTodayILearned
• r/ShowerBeer
• r/TookTooMuch
• r/DallasProtests/
• r/BannedFromClubPenguin
• r/creepyPMs
• r/RedditDayOf
• r/AquaticAsFuck
• r/HeavyFuckingWind/
• r/BlackPeopleTwitter
• r/HuskersRisk
• r/Fireteams/
• r/LuxuryLifeHabits
• r/IRLEasterEggs
• r/nononono
• r/nonononoyes
• r/ThatsInsane

The Reddit security team said the hack took place after the intruder(s) took over subreddit moderator accounts. Several moderators have also come forward to admit that their accounts have been hacked and that they did not use two-factor authentication. Channel owners who are having problems have been asked to report problems in this Reddit ModSupport thread.

An account on Twitter took credit for the hack. However, the account’s owners did not respond to a request for comment so ZDNet can verify its claims. The account is now suspended.

The Reddit hack also comes after Reddit banned r/The_Donald, a channel for Donald Trump supporters, in late June. Reddit said it took the decision to ban the channel for breaking its community rules after reports of harassment, bullying, and threats of violence.

Today’s stunt is reminiscent to a similar one that took place at the end of June and the start of July, when more than 1,800 Roblox accounts were hacked and defaced with a similar pro-Trump reelection message.

Source: Hackers are defacing Reddit with pro-Trump messages | ZDNet