Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal

The Information Commissioner’s Office has fined Ticketmaster £1.25m after the site’s operators failed to spot a Magecart card skimmer infection until after 9 million customers’ details had been slurped by criminals.

The breach began in February 2018 and was not detected until April, when banks realised their customers’ cards were being abused by criminals immediately after they were used for legitimate purchases on Ticketmaster’s website.

Key to the criminals’ success was Ticketmaster’s decision to deploy a Javascript-powered chatbot on its website payment pages, giving criminals an easy way in by compromising the third party’s JS – something the ICO held against Ticketmaster in its decision to award the fine.

Ticketmaster ‘fessed up to world+dog in June that year, and the final damage has now been revealed by the Information Commissioner’s Office (ICO): 9.4m people’s data was “potentially affected” of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced; and Ticketmaster itself doesn’t know how many people were affected between 25 May and 23 June 2018.

Today’s fine only applies to that May-June period, which happens to be after the Data Protection Act 2018 – the UK implementation of the EU’s GDPR – came into force. This allowed the ICO to impose a higher penalty than it could have done under the pre-GDPR legal regime.

[…]

Ticketmaster remains in denial about its culpability for the breach, telling The Register in a statement: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today’s announcement.”

Inbenta Technologies supplied a custom Javascript-powered chatbot to Ticketmaster which was compromised by the Magecart operators.

Crucially, for whatever reason, Ticketmaster deployed the chatbot on its payment pages, giving the criminals a way in.

As we reported in 2018, Inbenta told us of Ticketmaster’s deployment of the Javascript in question: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

[…]

“It took Ticketmaster approximately nine weeks from the date of Monzo’s notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon,” said an incredulous ICO, which noted that it took a random Twitter user explaining why JS on a payments page is a bad thing for the business to wake up and do something about it.

Barclaycard and American Express also noticed suspicious goings-on in April 2018, but Ticketmaster steadfastly denied anything was wrong until May, eventually realising the game was up in June.

[…]

Source: Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal • The Register
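An added example, not from the article, the ICO or Ticketmaster: a defender-side audit that lists every third-party script a payment page loads and flags those from hosts outside an allowlist, those without a Subresource Integrity hash, and those whose served bytes no longer match the pinned hash. All hostnames, page markup and script bodies are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SRI_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
             "sha512": hashlib.sha512}


class _ScriptCollector(HTMLParser):
    """Collects the attributes of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append(attrs)


def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Build an integrity attribute value ("sha384-<base64 digest>")."""
    digest = SRI_ALGOS[algo](body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(integrity: str, body: bytes) -> bool:
    """Check body against the strongest hash algorithm listed, as browsers do."""
    by_algo = {}
    for token in integrity.split():
        token = token.split("?", 1)[0]          # drop optional SRI options
        algo = token.split("-", 1)[0]
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, []).append(token)
    for algo in ("sha512", "sha384", "sha256"):
        if algo in by_algo:
            return sri_value(body, algo) in by_algo[algo]
    return False


def audit_payment_page(page_url, html, allowed_hosts, fetched=None):
    """Return one finding per third-party script on the page.

    fetched optionally maps a script URL to the bytes currently served,
    so a pinned hash can be compared with what the supplier delivers now.
    """
    fetched = fetched or {}
    page_host = urlsplit(page_url).hostname
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        url = urljoin(page_url, attrs["src"])
        host = urlsplit(url).hostname
        if host == page_host:
            continue                             # first-party script
        issues = []
        if host not in allowed_hosts:
            issues.append("host-not-allowlisted")
        integrity = attrs.get("integrity") or ""
        if not integrity:
            issues.append("no-sri")
        elif url in fetched and not sri_matches(integrity, fetched[url]):
            issues.append("sri-mismatch")
        findings.append({"url": url, "issues": issues})
    return findings


# Constructed sample data: a checkout page with one first-party script,
# one unpinned chat widget and one pinned library whose content has changed.
ORIGINAL = b"function helper(){ /* library as reviewed */ }"
TAMPERED = ORIGINAL + b"\n/* bytes added after the supplier was compromised */"
PAGE_URL = "https://shop.example/checkout/payment"
PAGE_HTML = f"""<html><body>
<form action="/pay" method="post"><input name="card-number"></form>
<script src="/static/checkout.js"></script>
<script src="https://chat-vendor.example/widget.js"></script>
<script src="https://cdn.example/lib.js" integrity="{sri_value(ORIGINAL)}"
        crossorigin="anonymous"></script>
</body></html>"""


def demo():
    return audit_payment_page(
        PAGE_URL, PAGE_HTML,
        allowed_hosts={"cdn.example"},
        fetched={"https://cdn.example/lib.js": TAMPERED},
    )


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A pinned hash only helps for scripts the supplier serves as a fixed file; a script that changes per customer or per release cannot be pinned this way and is better kept off the payment page.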

Campari Ransomware Hackers Take Out Facebook Ads to Get Paid

The Campari Group recently experienced a ransomware attack that allegedly shut down the company’s servers. The malware, created by the RagnarLocker gang, essentially locked corporate servers and allowed the hackers to exfiltrate “2 terabytes” of data, according to the hackers.

On Nov. 6, the company wrote, “at this stage, we cannot completely exclude that some personal and business data has been taken.”

Clearly, it has.

While the booze company admitted to the attack, it’s clear that they haven’t yet paid the ransom, as the hackers reportedly took out Facebook ads that targeted Campari Group employees on Facebook.

To post the ads, the hackers broke into a business-focused account owned by another victim, Chris Hodson, and used his credit card to pay for $500 worth of ads. Hodson, a Chicago-based DJ, told security researcher Brian Krebs he had set up two-factor authentication but that the hackers were still able to crack his Hodson Event Entertainment account.

“Hodson said a review of his account shows the unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks, with a cost-per-result of 21 cents,” wrote Krebs. “Of course, it didn’t cost the ransomware group anything. Hodson said Facebook billed him $35 for the first part of the campaign, but apparently detected the ads as fraudulent sometime this morning before his account could be billed another $159 for the campaign.”

[…]

Facebook isn’t the only method the Ragnar group is using to reach out to victims. Security experts believe the hacking group is also now hiring outgoing call center operators in India to help victims remember who, ultimately, is in charge of their data.

Source: Campari Ransomware Hackers Take Out Facebook Ads to Get Paid

Dickey’s Barbecue Pit Hackers May Have 3M Stolen Credit Cards

Hackers are currently selling a trove of 3 million credit card numbers and customer records apparently stolen from Dickey’s Barbecue Pit, one of the biggest barbecue chains in the United States.

The company made a statement today about the hack, suggesting that charges made to the stolen cards will be reversed.

[…]

Security firm Gemini Advisory found the data on a hacker site called The Joker’s Stash under the name “BLAZINGSUN.” The data appears to have come from magstripe data on customer cards.

“This represents a broader challenge for the industry, and Dickey’s may become the latest cautionary tale of facing lawsuits in addition to financial damage from cybersecurity attacks,” wrote Gemini researchers.

[Image: Hacked locations are marked red. Screenshot: Gemini Advisory]

Dickey’s experienced a ransomware attack in 2015 and recently claimed to have locked down their servers. This recent attack, however, suggests that hackers have breached a central payments service and could have even more data available for sale.

The hackers are selling the card numbers on Joker’s Stash for $17 each. Because each Dickey’s location is able to run its own point-of-sale system, it seems that this breach affected a central payments processor, allowing hackers to gain access to data from 156 of the company’s 469 locations. The hackers claim the data is “high valid,” meaning 90 to 100 percent of the cards are active and usable.

Source: Dickey’s Barbecue Pit Hackers May Have 3M Stolen Credit Cards

The scale of these data breaches now is incredible. And considering BA has been fined $26m for allowing 400,000 customer records to be stolen, I’m pretty sure Dickey’s can be glad they are not in the EU!

Confirmed: Barnes & Noble hacked, systems taken offline for days, miscreants may have swiped personal info

Barnes and Noble tonight confirmed it was hacked, and that its customers’ personal information may have been accessed by the intruders. The cyber-break-in forced the bookseller to take its systems offline this week to clean up the mess. See our update at the end of this piece. Our original report follows.

Bookseller Barnes and Noble’s computer network fell over this week, and its IT staff are having to restore servers from backups.

The effects of the collapse were first felt on Sunday, with owners of B&N’s Nook tablets discovering they were unable to download their purchased e-books to their gadgets nor buy new ones. That is to say, if they had bought an e-book and hadn’t downloaded it to their device before B&N’s cloud imploded, they would be unable to open and read the digital tome. The bookseller’s Android and Windows 10 apps were similarly affected.

It soon became clear the problem was quite serious when some cash registers in Barnes and Noble’s physical stores also briefly stopped working.

[…]

Shortly after this article was published, Barnes & Noble confirmed in an email to customers that it was hacked. The biz said it found out over the weekend, on October 10, that miscreants had broken into its computer systems, adding that customers’ personal information stored on file may have been accessed or taken by the intruders. This info includes names, addresses, telephone numbers, and purchase histories.

Source: Confirmed: Barnes & Noble hacked, systems taken offline for days, miscreants may have swiped personal info • The Register

German Hospital Hacked, Patient Taken to Another City Dies – First documented cyberattack fatality?

German authorities said Thursday that what appears to have been a misdirected hacker attack caused the failure of IT systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment.

The Duesseldorf University Clinic’s systems have been disrupted since last Thursday. The hospital said investigators have found that the source of the problem was a hacker attack on a weak spot in “widely used commercial add-on software,” which it didn’t identify.

As a consequence, systems gradually crashed and the hospital wasn’t able to access data; emergency patients were taken elsewhere and operations postponed.

The hospital said that “there was no concrete ransom demand.” It added that there are no indications that data is irretrievably lost and that its IT systems are being gradually restarted.

A report from North Rhine-Westphalia state’s justice minister said that 30 servers at the hospital were encrypted last week and an extortion note left on one of the servers, news agency dpa reported. The note — which called on the addressees to get in touch, but didn’t name any sum — was addressed to the Heinrich Heine University, to which the Duesseldorf hospital is affiliated, and not to the hospital itself.

Duesseldorf police then established contact and told the perpetrators that the hospital, and not the university, had been affected, endangering patients. The perpetrators then withdrew the extortion attempt and provided a digital key to decrypt the data. The perpetrators are no longer reachable, according to the justice minister’s report.

Prosecutors launched an investigation against the unknown perpetrators on suspicion of negligent manslaughter because a patient in a life-threatening condition who was supposed to be taken to the hospital last Friday night was sent instead to a hospital in Wuppertal, a roughly 32-kilometer (20-mile) drive. Doctors weren’t able to start treating her for an hour and she died.

Source: German Hospital Hacked, Patient Taken to Another City Dies | SecurityWeek.Com

Attack on The EMV Smartcard Standard: man in the middle exploit with 2 smartphones

EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages. We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim’s Visa contactless card for high-value purchases, without knowledge of the card’s PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties. The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.

Source: [2006.08249] The EMV Standard: Break, Fix, Verify

Plane-tracking site Flight Radar 24 DDoSed… just as drones spotted buzzing over Azerbaijan and Armenia

[…]

Flight Radar spokesman Ian Petchenik told The Register: “At this time we understand this to be a very strong DDoS attack [orchestrated] from a single source. While it is not known why we’re being targeted, multiple flight tracking services have suffered attacks over the past two days.”

It was not immediately obvious which other sites had suffered attacks, though some had used their Twitter accounts to inform followers of planned server upgrades and updates to end-user apps.

Open source researchers claim to have picked up the live flight tracks of drones over Armenia and Azerbaijan, following armed skirmishes between the two nations over the long-disputed Nagorno-Karabakh region. The conflict gained a more international dimension earlier today when a Turkish F-16 fighter jet reportedly shot down an elderly Armenian Su-25 Frogfoot ground attack aircraft.

The use of DDoSes against general-interest websites has fallen out of favour in recent years as the script kiddies behind those types of attacks in days of yore a) grew up and b) realised that ransomware is far more lucrative than crayoning over someone else’s website.

With that said, such attacks are still in use: in August someone malicious forced the New Zealand stock exchange offline, while encrypted email biz Tutanota suffered a spate of similar attacks earlier this month.

Whatever the cause of the Flight Radar 24 attacks – one knowledgeable source suggested to El Reg that the Nagorno-Karabakh conflict may have triggered a government determined to control what the wider world can see – they serve as a reminder that even one of the oldest online attack methods can still cause chaos today.

Source: Plane-tracking site Flight Radar 24 DDoSed… just as drones spotted buzzing over Azerbaijan and Armenia • The Register

Looks Like the Windows XP Source Code Just Leaked on 4chan

Would you believe more than 1% of computers worldwide are still using Windows XP? Incredibly, there are still millions of people using a 19-year-old operating system. And a recent development — if it bears out — is another reason people need to make the switch to something newer.

On Thursday, users on 4chan posted what they claimed was the source code of Windows XP.

Posting an image of a screenshot allegedly of the source code in front of Windows XP’s iconic Bliss background, one user wrote ‘sooooo Windows XP Source code leaked’. Another Redditor helpfully has uploaded the code as a torrent, assisting in its spread.

While there is no confirmation that this code is definitely Windows XP, independent researchers have begun to pick through the source code and believe it stands up to scrutiny.

[…]

Source: Looks Like the Windows XP Source Code Just Leaked on 4chan

Iranian Hackers Beat Encrypted Apps like Telegram, WhatsApp – since 2014

Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyberespionage operation equipped with surveillance tools that can outsmart encrypted messaging systems — a capability Iran was not previously known to possess, according to two digital security reports released Friday.

The operation not only targets domestic dissidents, religious and ethnic minorities and antigovernment activists abroad, but can also be used to spy on the general public inside Iran, said the reports by Check Point Software Technologies, a cybersecurity technology firm, and the Miaan Group, a human rights organization that focuses on digital security in the Middle East.

The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said.

[…]

According to the report by Check Point’s intelligence unit, the cyberespionage operation was set up in 2014, and its full range of capabilities went undetected for six years.

[…]

The hackers appeared to have a clear goal: stealing information about Iranian opposition groups in Europe and the United States and spying on Iranians who often use mobile applications to plan protests, according to the Miaan report.

Among the most prominent victims of the attacks, the reports said, are the Mujahedeen Khalq, or M.E.K., an insurgent group that the Iranian authorities regard as a terrorist organization; a group known as the Association of Families of Camp Ashraf and Liberty Residents; the Azerbaijan National Resistance organization; citizens of Iran’s restive Sistan and Balochistan Province; and Hrana, an Iranian human rights news agency. Human rights lawyers and journalists working for Voice of America have also been targeted, Miaan said.

According to Check Point, the hackers use a variety of infiltration techniques, including phishing, but the most widespread method is sending what appear to be tempting documents and applications to carefully selected targets.

[…]

These documents contained malware code that activated a number of spyware commands from an external server when the recipients opened them on their desktops or phones. According to the Check Point report, almost all of the targets have been organizations and opponents of the government who have left Iran and are now based in Europe. Miaan documented targets in the United States, Canada and Turkey as well as the European Union.

The spyware enabled the attackers to gain access to almost any file, log clipboard data, take screenshots and steal information. According to Miaan, one application empowered hackers to download data stored on WhatsApp.

In addition, the attackers discovered a weakness in the installation protocols of several encrypted applications including Telegram, which had always been deemed relatively secure, enabling them to steal the apps’ installation files.

These files, in turn, allow the attackers to make full use of the victims’ Telegram accounts. Although the attackers cannot decipher the encrypted communications of Telegram, their strategy makes it unnecessary. Rather, they use the stolen installation files to create Telegram logins to activate the app in the victims’ names on another device. This enables the attackers to secretly monitor all Telegram activity of the victims.

“This cutting-edge surveillance operation succeeded in going under the radar for at least six years,” said Lotem Finkelstein, head of threat intelligence at Check Point. “The group maintained a multi-platform, targeted attack, with both mobile, desktop and web attack vectors, that left no evasion path for victims on the target list.”

[…]

Source: Iranian Hackers Can Beat Encrypted Apps like Telegram, Researchers Say – The New York Times

European Police Malware Could Harvest GPS, Messages, Passwords, More from Encrochat devices

The malware that French law enforcement deployed en masse onto Encrochat devices, a large encrypted phone network using Android phones, had the capability to harvest “all data stored within the device,” and was expected to include chat messages, geolocation data, usernames, passwords, and more, according to a document obtained by Motherboard.

The document adds more specifics around the law enforcement hack and subsequent takedown of Encrochat earlier this year. Organized crime groups across Europe and the rest of the world heavily used the network before its seizure, in many cases to facilitate large scale drug trafficking. The operation is one of, if not the, largest law enforcement mass hacking operation to date, with investigators obtaining more than a hundred million encrypted messages.

“The NCA has been collaborating with the Gendarmerie on Encrochat for over 18 months, as the servers are hosted in France. The ultimate objective of this collaboration has been to identify and exploit any vulnerability in the service to obtain content,” the document reads, referring to both the UK’s National Crime Agency and one of the national police forces of France.

As well as the geolocation, chat messages, and passwords, the law enforcement malware also told infected Encrochat devices to provide a list of WiFi access points near the device, the document reads.

[…]

Encrochat was a company that offered custom-built phones that sent end-to-end encrypted messages to one another. Encrochat took a base Android device, installed its own software, and physically removed the GPS, microphone, and camera functionality to lock down the devices further. These modifications may have impacted what sort of data the malware was actually able to obtain once deployed. Encrochat phones had a panic wipe feature, where if a user entered a particular PIN it would erase data stored on the device. The devices also ran two operating systems that sat side by side; one that appeared to be innocuous, and another that contained the users’ more sensitive communications.

In a previous email to Motherboard a representative of Encrochat said the firm is a legitimate company with clients in 140 countries, and that it sets out “to find the best technology on the market to provide a reliable and secure service for any organization or individual that want[s] to secure their information.” The firm had tens of thousands of users worldwide, and decided to shut itself down after discovering the hack against its network.

Encrochat’s customers included a British hitman who assassinated a crime leader and an armed robber, and various violent gangs around Europe including those who used so-called “torture chambers.” Some of the users may have been legitimate, however.

Since the shutdown, police across Europe have arrested hundreds of alleged criminals who used the service. Motherboard previously obtained chat logs that prosecutors have presented as evidence against one drug dealer.

Running an encrypted phone company is not typically illegal in-and-of-itself. The U.S. Department of Justice charged Vince Ramos, the CEO of another firm called Phantom Secure with racketeering conspiracy and other charges after an undercover investigation caught him saying the phones were made for drug trafficking. Phantom Secure started as a legitimate firm before catering more to the criminal market. Ramos was sentenced to nine years in prison in May 2019.

Source: European Police Malware Could Harvest GPS, Messages, Passwords, More

How they harvested GPS from devices with the functionality physically removed is a mystery to me, although wifi networks definitely provide a pretty good form of geolocation

Eterbase cryptocurrency exchange hacked and $5.4 million stolen

Cryptocurrency exchange Eterbase last week admitted hackers broke into its computers and made off with other people’s coins, said to be worth $5.4m.

The plug was pulled on the digital dosh exchange as a result, though it may return at some point: it claims to have enough capital to surmount the cyber-heist. Investigations by staff and law enforcement are ongoing.

“We want to inform our users that we have enough capital to meet all our obligations,” the site’s operators said in a statement.

“We want to reassure everyone that this event won’t stop our journey. After the security audit of renowned global companies, our operations will continue. We will announce the date of the reopening of the ETERBASE Exchange platform as soon as possible.”

Source: Another month, another cryptocurrency exchange hacked and ‘millions of dollars’ stolen by miscreants • The Register

European ISPs report mysterious wave of DDoS attacks

More than a dozen internet service providers (ISPs) across Europe have reported DDoS attacks that targeted their DNS infrastructure.

The list of ISPs that suffered attacks over the past week includes Belgium’s EDP, France’s Bouygues Télécom, FDN, K-net, SFR, and the Netherlands’ Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl.

Attacks lasted no longer than a day and were all eventually mitigated, but ISP services were down while the DDoS was active.

NBIP, a non-profit founded by Dutch ISPs to collectively fight DDoS attacks and government wiretapping attempts, provided ZDNet with additional insights into the past week’s incidents.

“Multiple attacks were aimed towards routers and DNS infrastructure of Benelux based ISPs,” a spokesperson said. “Most of [the attacks] were DNS amplification and LDAP-type of attacks.”

“Some of the attacks took longer than 4 hours and hit close to 300Gbit/s in volume,” NBIP said.

[…]

Source: European ISPs report mysterious wave of DDoS attacks | ZDNet

The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy

In July 2017, Tesla CEO Elon Musk got on stage at the National Governors Association in Rhode Island and confirmed that a “fleet-wide hack” is one of Tesla’s biggest concerns as the automaker moves to autonomous vehicles.

He even presented a strange scenario that could happen in an autonomous future:

“In principle, if someone was able to say hack all the autonomous Teslas, they could say – I mean just as a prank – they could say ‘send them all to Rhode Island’ [laugh] – across the United States… and that would be the end of Tesla and there would be a lot of angry people in Rhode Island.”

What Musk knew that the public didn’t was that Tesla got a taste of that actually happening just a few months prior to his talk.

The Big Tesla Hack

Back in 2017, Jason Hughes was already well known in the Tesla community under his WK057 alias on the forums.

He was an early member of the Tesla “root access” community, a group of Tesla owners who would hack their own cars to get more control over them and even unlock unreleased features.

[…]

After Tesla started to give customers access to more data about Supercharger stations, mainly the ability to see how many chargers were currently available at a specific charging station through its navigation app, Hughes decided to poke around and see if he could expose the data.

He told Electrek:

“I found a hole in the server-side of that mechanism that allowed me to basically get data for every Supercharger worldwide about once every few minutes.”

The hacker shared the data on the Tesla Motors Club forum, and the automaker seemingly wasn’t happy about it.

Someone who appeared to be working at Tesla posted anonymously about how they didn’t want the data out there.

Hughes responded that he would be happy to discuss it with them.

20 minutes later, he was on a conference call with the head of the Supercharger network and the head of software security at Tesla.

They kindly explained to him that they would prefer for him not to share the data, which was technically accessible through the vehicles. Hughes then agreed to stop scraping and sharing the Supercharger data.

After reporting his server exploit through Tesla’s bug reporting service, he received a $5,000 reward for exposing the vulnerability.

Now having more experience with Tesla’s servers and knowing that their network wasn’t the most secure, to say the least, he decided to go hunting for more bug bounties.

After some poking around, he managed to find a bunch of small vulnerabilities.

The hacker told Electrek:

“I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was ‘Mothership’.”

Mothership is the name of Tesla’s home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through “Mothership.”

After downloading and dissecting the data found in the repository, Hughes started using his car’s VPN connection to poke at Mothership. He eventually landed on a developer network connection.

That’s when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla’s fleet.

All he needed was a vehicle’s VIN number, and he had access to all of those through Tesla’s “tesladex” database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.

At the time, I gave Hughes the VIN number of my own Tesla Model S, and he was able to give me its exact location and any other information about my own vehicle.

[…]

Hughes couldn’t really send Tesla cars driving around everywhere like Tesla’s CEO described in a strange scenario a few months later, but he could “Summon” them.

In 2016, Tesla released its Summon feature, which enables Tesla owners to remotely move their cars forward or backward a few dozen feet without anyone in them.

[…]

the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit:

Source: The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy – Electrek

Ex-Uber chief security officer charged, accused of covering up theft of personal info from databases by hackers

Uber’s chief security officer, Joe Sullivan, broke the law by hushing up the theft of millions of people’s details from the app maker’s databases by hackers, prosecutors say.

Sullivan, 52, formerly of eBay, Facebook, and PayPal, was today charged with obstruction of justice and misprision – concealing knowledge of a crime from law enforcement – by the US District Attorney for Northern California, an office he briefly worked for back in the day. These come with potentially five and three-year prison sentences, respectively, and a fine of up to $250,000 apiece.

According to the government, the charges [PDF] stem from Sullivan’s efforts to cover up the 2016 security breach at Uber in which miscreants siphoned from internal databases the personal information of 57 million passengers and 600,000 drivers, including their driving license details.

The hack was significant enough that Sullivan was “visibly shaken” by the break-in, particularly after Uber had been dealing with the fallout from a 2014 cyber-intrusion, according to FBI special agent Mario Scussel.

“A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out,” Scussel claimed in court filings this week.

We’re told that, rather than informing the Feds and publicly disclosing the security lapse, Sullivan instead sought to hush up the hack by buying the silence of the intruders with $100,000 in Bitcoins, making them sign confidentiality agreements to keep the details under wraps, and playing the whole thing off as a reward for finding a bug in Uber’s systems rather than characterizing it more accurately as a data leak.

Source: Ex-Uber chief security officer charged, accused of covering up theft of personal info from databases by hackers • The Register

Researchers Can Duplicate Keys from the Sounds They Make in Locks

Researchers have demonstrated that they can make a working 3D-printed copy of a key just by listening to how the key sounds when inserted into a lock. And you don’t need a fancy mic — a smartphone or smart doorbell will do nicely if you can get it close enough to the lock.

Key Audio Lockpicking

The next time you unlock your front door, it might be worth trying to insert your key as quietly as possible; researchers have discovered that the sound of your key being inserted into the lock gives attackers all they need to make a working copy of your front door key.

It sounds unlikely, but security researchers say they have proven that the series of audible, metallic clicks made as a key penetrates a lock can now be deciphered by signal processing software to reveal the precise shape of the sequence of ridges on the key’s shaft. Knowing this (the actual cut of your key), a working copy of it can then be three-dimensionally (3D) printed.

How Soundarya Ramesh and her team accomplished this is a fascinating read.

Once they have a key-insertion audio file, SpiKey’s inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock’s pins [and you can hear those filtered clicks online here]. These clicks are vital to the inference analysis: the time between them allows the SpiKey software to compute the key’s inter-ridge distances and what locksmiths call the “bitting depth” of those ridges: basically, how deeply they cut into the key shaft, or where they plateau out. If a key is inserted at a nonconstant speed, the analysis can be ruined, but the software can compensate for small speed variations.

The result of all this is that SpiKey software outputs the three most likely key designs that will fit the lock used in the audio file, reducing the potential search space from 330,000 keys to just three. “Given that the profile of the key is publicly available for commonly used [pin-tumbler lock] keys, we can 3D-print the keys for the inferred bitting codes, one of which will unlock the door,” says Ramesh.

Source: Researchers Can Duplicate Keys from the Sounds They Make in Locks

Zoombomber crashes court hearing on Twitter hack with Pornhub video, Judge obviously not qualified for this case

Zoombombers today disrupted a court hearing involving the Florida teen accused of masterminding a takeover of high-profile Twitter accounts, forcing the judge to stop the hearing. “During the hearing, the judge and attorneys were interrupted several times with people shouting racial slurs, playing music, and showing pornographic images,” ABC Action News in Tampa Bay wrote. A Pornhub video forced the judge to temporarily shut down the hearing.

The Zoombombing occurred today when the Thirteenth Judicial Circuit Court of Florida in Tampa held a bail hearing for Graham Clark, who previously pleaded not guilty and is reportedly being held on $725,000 bail. Clark faces 30 felony charges related to the July 15 Twitter attack in which accounts of famous people like Elon Musk, Bill Gates, Jeff Bezos, and Joe Biden were hijacked and used to push cryptocurrency scams. Hackers also accessed direct messages for 36 high-profile account holders.

Today, Judge Christopher Nash ruled against a request to lower Clark’s bail amount. But before that, the judge “shut down the hearing for a short time” when arguments were interrupted by “pornography… foul language and rap music,” Fox 13 reporter Gloria Gomez wrote on Twitter.

“I’m removing people as quickly as I can whenever a disruption happens,” Nash said after one Zoombomber interrupted a lawyer. A not-safe-for-work portion of the hearing was posted by a Twitter user here. The first 47 seconds are safe to watch and include Nash’s comment about removing Zoombombers, but the rest of the video includes the Pornhub clip that caused Nash to shut down the hearing.

There were still problems after the hearing resumed, the Tampa Bay Times wrote:

Hoping a brief pause would filter out the interrupters, Nash reopened the meeting. But users who disguised their names as CNN and BBC News resumed their interruptions.

Nash was ultimately able to rule, declining to lower the bail amount. He did, however, remove a requirement that Clark prove the legitimacy of his assets. Lawyers have said he has $3 million in Bitcoin under his control.

“Predictably, the Zoom hearing for the 17-year-old alleged Twitter hacker in Fla. was bombed multiple times, with the final bombing of a pornhub clip ending the zoom portion of the proceedings,” security reporter Brian Krebs wrote on Twitter. “How the judge in charge of the proceeding didn’t think to enable settings that would prevent people from taking over the screen is beyond me. My guess is he didn’t know he could.”

Nash said that he’ll require a password next time, according to WFLA reporter Ryan Hughes.

Source: Zoombomber crashes court hearing on Twitter hack with Pornhub video | Ars Technica

How > 23% of Tor Relays are Maliciously Exploiting Users and stealing BTC in 2020 seemingly run by 1 actor

[…]

One key question of malicious relay analysis always is: What hosting companies did they use? So here is a breakdown by used internet service provider. It is mostly OVH (one of the — generally speaking — largest ISPs used for Tor relays). Frantech, ServerAstra and Trabia Network are also known providers for relays. “Nice IT Services Group” looks interesting, since I’ve never seen relays on this obscure network before the attacker added some of his relays there on 2020-04-16.

[…]

The full extent of their operations is unknown, but one motivation appears to be plain and simple: profit.
They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays. They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings. It is hard to detect for Tor Browser users that do not specifically look for the “https://” in the URL bar.

[…]

There are established countermeasures, namely HSTS Preloading and HTTPS Everywhere, but in practice many website operators do not implement them and leave their users vulnerable to this kind of attack. This kind of attack is not specific to Tor Browser. Malicious relays are just used to gain access to user traffic. To make detection harder, the malicious entity did not attack all websites equally. It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.

[…]

Summary

Source: How Malicious Tor Relays are Exploiting Users in 2020 (Part I) | by nusenu | Aug, 2020 | Medium
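The HSTS preloading countermeasure named in the excerpt above can be checked from a site's response header. The following is an added example, not part of nusenu's article: it parses a `Strict-Transport-Security` value per RFC 6797 and reports what is missing against the preload list's header requirements (max-age of at least one year, includeSubDomains, preload). The host names and header values are constructed.

```python
"""Assess Strict-Transport-Security headers against HSTS preload requirements."""
from __future__ import annotations

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list asks for


def parse_hsts(header: str) -> dict | None:
    """Parse per RFC 6797 section 6.1; return None if browsers must ignore it."""
    directives: dict[str, str | None] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted by the grammar
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip().strip('"') if sep else None  # quoted-string allowed
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = value
    max_age = directives.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess(header: str | None) -> list[str]:
    """Return the gaps that leave http:// visits open to redirect stripping."""
    if header is None:
        return ["no HSTS header: every visit that starts on http:// can be downgraded"]
    policy = parse_hsts(header)
    if policy is None:
        return ["malformed header: browsers ignore it, so no HSTS policy is set"]
    problems = []
    if policy["max_age"] == 0:
        problems.append("max-age=0 deletes any stored policy")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year: not eligible for preloading")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing: subdomains stay downgradeable")
    if not policy["preload"]:
        problems.append("preload missing: the first visit is still unprotected")
    return problems


# Constructed sample responses (None means the header was absent).
SAMPLES = {
    "mixer.example.test": None,
    "shop.example.test": "max-age=300",
    "wallet.example.test": 'MAX-AGE="31536000"; includeSubDomains',
    "broken.example.test": "max-age=31536000; max-age=0",
    "bank.example.test": "max-age=63072000; includeSubDomains; preload",
}


def audit(samples: dict) -> dict:
    """Map each host to its list of problems (empty list means preload-ready)."""
    return {host: assess(header) for host, header in samples.items()}


if __name__ == "__main__":
    for host, problems in audit(SAMPLES).items():
        print(f"{host}: {'preload-ready' if not problems else '; '.join(problems)}")
```

The check covers the header only; a browser also ignores the header entirely when it arrives over plain HTTP, which is why a policy without preloading does not protect a first visit through a stripping relay.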

Hacker leaks passwords for 900+ enterprise Pulse VPN servers

A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers.

ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.

According to a review, the list includes:

  • IP addresses of Pulse Secure VPN servers
  • Pulse Secure VPN server firmware version
  • SSH keys for each server
  • A list of all local users and their password hashes
  • Admin account details
  • Last VPN logins (including usernames and cleartext passwords)
  • VPN session cookies

Bank Security, a threat intelligence analyst specialized in financial crime and the one who spotted the list earlier today and shared it with ZDNet, made an interesting observation about the list and its content.

The security researcher noted that all the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to the CVE-2019-11510 vulnerability.

Bank Security believes that the hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain access to systems, dump server details (including usernames and passwords), and then collected all the information in one central repository.

Based on timestamps in the list (a collection of folders), the dates of the scans, or the date the list was compiled, appear to be between June 24 and July 8, 2020.

Source: Hacker leaks passwords for 900+ enterprise VPN servers | ZDNet

Hackers are defacing loads of high profile Reddit channels with pro-Trump messages

A massive hack has hit Reddit today after tens of Reddit channels have been hacked and defaced to show messages in support of Donald Trump’s reelection campaign.

The hacks are still ongoing at the time of writing, but we were told Reddit’s security team is aware of the issue and has already begun restoring defaced channels.

A partial list of impacted channels (subreddits) is available below. This includes Reddit channels for the NFL, many TV shows, The Pirate Bay, Disneyland, Disney’s Avengers, several city channels, and more. Combined, the channels have tens of millions of subscribers.

The Reddit security team said the hack took place after the intruder(s) took over subreddit moderator accounts. Several moderators have also come forward to admit that their accounts have been hacked and that they did not use two-factor authentication. Channel owners who are having problems have been asked to report problems in this Reddit ModSupport thread.

An account on Twitter took credit for the hack. However, the account’s owners did not respond to a request for comment so ZDNet can verify its claims. The account is now suspended.


The Reddit hack also comes after Reddit banned r/The_Donald, a channel for Donald Trump supporters, in late June. Reddit said it took the decision to ban the channel for breaking its community rules after reports of harassment, bullying, and threats of violence.

Today’s stunt is reminiscent of a similar one that took place at the end of June and the start of July, when more than 1,800 Roblox accounts were hacked and defaced with a similar pro-Trump reelection message.

Source: Hackers are defacing Reddit with pro-Trump messages | ZDNet

Hackers Broke Into Real News Sites to Plant Fake Stories

On Wednesday, security firm FireEye released a report on a disinformation-focused group it’s calling Ghostwriter. The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they’ve posted fake content on everything from social media to pro-Russian news websites. In some cases, FireEye says, Ghostwriter has deployed a bolder tactic: hacking the content management systems of news websites to post their own stories. They then disseminate their literal fake news with spoofed emails, social media, and even op-eds the propagandists write on other sites that accept user-generated content.

That hacking campaign, targeting media sites from Poland to Lithuania, has spread false stories about US military aggression, NATO soldiers spreading coronavirus, NATO planning a full-on invasion of Belarus, and more. “They’re spreading these stories that NATO is a danger, that they resent the locals, that they’re infected, that they’re car thieves,” says John Hultquist, director of intelligence at FireEye. “And they’re pushing these stories out with a variety of means, the most interesting of which is hacking local media websites and planting them. These fictional stories are suddenly bona fide by the sites that they’re on, and then they go in and spread the link to the story.”

[…]

the company’s analysts have found that the news site compromises and the online accounts used to spread links to those fabricated stories, as well as the more traditional creation of fake news on social media, blogs, and websites with an anti-US and anti-NATO bent, all tie back to a distinct set of personas, indicating one unified disinformation effort. FireEye’s Hultquist points out that the campaign doesn’t seem financially motivated, indicating a political or state backer, and notes that the focus on driving a wedge between NATO and citizens of Eastern Europe hints at possible Russian involvement.

Nor would it be the first time that Russian hackers planted fake news stories; in 2017, US intelligence agencies concluded that Russian hackers breached Qatar’s state news agency and planted a fake news story designed to embarrass the country’s leader and cause a rift with the US, though US intelligence never confirmed the Kremlin’s involvement.

“We can’t concretely tie it to Russia at this time, but it’s certainly in line with their interests,” Hultquist says of the Ghostwriter campaign. “It wouldn’t be a surprise to me if this is where the evidence leads us.”

Source: Hackers Broke Into Real News Sites to Plant Fake Stories | WIRED

US govt says Chinese duo hacked, stole blueprints from just about everyone and then extorted cash.

On Tuesday, the US Department of Justice charged two Chinese nationals with allegedly hacking hundreds of organizations and individuals in America and elsewhere to steal confidential corporate secrets on behalf of Beijing for more than a decade.

The pilfered files are said to be worth hundreds of millions of dollars, and in some cases, it is claimed, the pair tried to extort money out of their victims: pay up, or the trade secrets leak.

The targeted organizations are said to include a British AI and cancer research biz, an Australian defense contractor, a South Korean shipbuilder and engineering giant, German software makers, American pharmaceutical, software, and defense corporations, and the US Dept of Energy’s Hanford site.

Assistant Attorney General John Demers and other US officials held a press conference on Tuesday to unseal the 11-count indictment [PDF], returned by a grand jury on July 7, against Li Xiaoyu, 34, and Dong Jiazhi, 33.

“The campaign targeted intellectual property and confidential business information held by the private sector, including COVID-19-related treatment, testing, and vaccines,” said Demers in prepared remarks.

“The hackers also targeted the online accounts of non-governmental organizations and individual dissidents, clergy, and democratic and human rights activists in the United States, China, Hong Kong, and abroad.”

According to the indictment, Li and Dong, former classmates at an electrical engineering college in Chengdu, China, have been hacking into high tech manufacturing, civil, industrial, and medical engineering firms, software companies of all sorts, solar companies, and pharmaceuticals, among others, since 2009.

The US claims that the two accused worked both for themselves and with the backing of the Chinese government’s Ministry of State Security. This assistance included being supplied with zero-day vulnerability exploits to facilitate their intrusion.

But often their hacking sprees, it’s alleged, involved the exploitation of publicly known vulnerabilities. The accused hackers are said to have used a program called China Chopper to install web shells to execute commands on victims’ networks and exfiltrate documents. The duo also uploaded password-stealing malware, it is claimed.

The pilfered data, it’s claimed, was often packed up in RAR archive files that were concealed through the use of innocuous file names and common file extensions like .jpg. The hackers are said to have frequently used the recycle bin on Windows machines to store and move files because administrators are less likely to look there.

Adding insult to injury

“The defendants stole hundreds of millions of dollars’ worth of trade secrets, intellectual property, and other valuable business information,” the indictment says.

“At least once, they returned to a victim from which they had stolen valuable source code to attempt an extortion – threatening to publish on the internet, and thereby destroy the value of, the victim’s intellectual property unless a ransom was paid.”

The indictment also accuses the pair of providing Chinese authorities with the passwords of email accounts belonging to Chinese dissidents and to academics in the US and other countries.

Recently, Li and Dong are said to have been researching vulnerabilities in the networks of biotech firms involved in COVID-19 vaccine research. It’s claimed they have gone after organizations and individuals in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.

“China’s anti-competitive behavior and flagrant disregard for their promises not to engage in cyber-enabled intellectual property theft is not just a domestic issue; it is a global issue,” said Demers.

The defendants have each been charged with one count of conspiracy to commit computer fraud, theft of trade secrets, wire fraud, and unauthorized access of a computer, and with seven counts of aggravated identity theft.

China has no extradition treaty with the US, and relations between the two countries are not particularly cordial at the moment, which makes it highly unlikely either of the two defendants will ever appear in a US courtroom unless they get really stupid crossing borders. That seems unlikely now.

Source: Bad: US govt says Chinese duo hacked, stole blueprints from just about everyone. Also bad: They extorted cash • The Register
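For defenders, the staging technique described in the excerpt above (RAR archives given innocuous names and extensions such as .jpg, sometimes parked in the recycle bin) can be hunted by comparing a file's leading bytes with its extension. This is an added example, not taken from the indictment or the article; the sample files are constructed, and `$Recycle.Bin` is the per-volume recycle bin folder on current Windows versions.

```python
"""Find RAR archives hiding behind non-archive file names."""
import os
import re
import tempfile
from pathlib import Path

# Shared prefix of the RAR4 signature (...07 00) and the RAR5 signature (...07 01 00).
RAR_MAGIC = b"Rar!\x1a\x07"
# Names under which a RAR archive is expected: .rar and old-style volumes .r00, .r01, ...
EXPECTED_NAME = re.compile(r"\.(rar|r\d\d)$")


def is_rar(path: Path) -> bool:
    """True if the file starts with a RAR signature, whatever its name says."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(RAR_MAGIC)) == RAR_MAGIC
    except OSError:
        return False  # unreadable or locked file: skip it rather than abort the sweep


def scan(root) -> list:
    """Walk root and report RAR content stored under a non-RAR file name."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if EXPECTED_NAME.search(name.lower()) or not is_rar(path):
                continue
            findings.append({
                "path": str(path.relative_to(root)),
                "claimed": path.suffix.lower() or "(none)",
                # Staging inside the recycle bin is worth a higher triage priority.
                "in_recycle_bin": any(p.lower() == "$recycle.bin" for p in path.parts),
                "size": path.stat().st_size,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root: Path) -> None:
    """Constructed test data: one real JPEG header, two disguised RARs, one honest .rar."""
    (root / "photos").mkdir()
    (root / "$Recycle.Bin").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "photos" / "logo.jpg").write_bytes(RAR_MAGIC + b"\x00" + b"A" * 64)
    (root / "$Recycle.Bin" / "thumbs.db").write_bytes(RAR_MAGIC + b"\x01\x00" + b"B" * 64)
    (root / "backup.rar").write_bytes(RAR_MAGIC + b"\x01\x00" + b"C" * 16)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for hit in scan(tmp):
            where = " [recycle bin]" if hit["in_recycle_bin"] else ""
            print(f"{hit['path']}: RAR content, named {hit['claimed']}, "
                  f"{hit['size']} bytes{where}")
```

A signature match only shows that the name and the content disagree; archives that are renamed and also wrapped or encrypted in another container will not be found this way.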

Twitter hack latest: Up to 36 compromised accounts had their private messages read – including a Dutch politician’s

Twitter has admitted that the naughty folk who hijacked verified accounts last week read a portion of hacked users’ direct messages.

Among the 36 Twitter users whose direct messages (DMs), email addresses and phone numbers were definitely accessed by account hijackers last week was one Dutch politician, the microblogging platform said overnight.

“We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed,” Twitter said in an updated post.

The hack happened after an individual or persons unknown gained access to Twitter’s administrative tools, allegedly after bribing a company insider.

As we reported last week, a number of Twitter accounts belonging to high-profile individuals were compromised. Those accounts all have blue ticks, indicating that they really do belong to whomever’s name and mugshot they bear.

Source: Twitter hack latest: Up to 36 compromised accounts had their private messages read – including a Dutch politician’s • The Register

BadPower Attack Can Trick Power Bricks into Starting a Fire

In a study published by Xuanwu Labs (which is owned by Chinese tech giant Tencent), researchers detailed the BadPower hack which works by manipulating the firmware inside fast charge power adapters.

Normally, when a phone is connected to a power brick with support for fast charging, the phone and the power adapter communicate with each other to determine the proper amount of electricity that can be sent to the phone without damaging the device—the more juice the power adapter can send, the faster it can charge the phone.

However, by hacking the fast charging firmware built into a power adapter, Xuanwu Labs demonstrated that bad actors could potentially manipulate the power brick into sending more electricity than a phone can handle, thereby overheating the phone, melting internal components, or as Xuanwu Labs discovered, setting the device on fire.

Here’s a photo captured by researchers at Xuanwu showing what a charging brick infected with BadPower can do to a connected device.
Photo: Xuanwu Labs (Other)

After confirming the results of the research, Xuanwu labs decided to test BadPower by loading it onto 35 different power bricks (out of 234 available models currently on sale) and discovered that 18 of those chargers (made by eight different vendors) were susceptible to the attack.

To make matters worse, if BadPower is used to hack a power brick, there would be no external signs or easy ways of detecting that the device had been tampered with. Fortunately, for now, it will require the bad actor to have physical access to the power adapter. The researchers at Xuanwu claimed hacking a power adapter was as simple as connecting it to a portable, custom-designed rig that can upload malicious code to the power brick in just a few seconds. And in some cases, the researchers were able to upload BadPower just by connecting a power adapter to an infected phone or laptop.

Source: BadPower Attack Can Trick Power Bricks into Starting a Fire

FYI Russia is totally hacking the West’s labs in search of COVID-19 vaccine files, say UK, US, Canada cyber-spies. So is China and Iran.

Russian hackers at the state’s FSB spy agency have been caught breaking into Western institutions working on potential vaccines for the COVID-19 coronavirus in hope of stealing said research. That’s according to the British National Cyber Security Centre and America’s NSA today.

The Kremlin-backed APT29 crew, also known by a variety of other names such as Cozy Bear, Iron Hemlock, or The Dukes, depending on which threat intel company you’re talking to that week, is believed by most reputable analysts to be a wholly owned subsidiary of the FSB, modern-day successor to the infamous Soviet KGB.

NCSC ops director Paul Chichester said in a statement: “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic.”

Foreign Secretary Dominic Raab added: “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health.”

NCSC and its international chums say they are 95 per cent confident that the attacks they investigated came from Russia. By abusing publicly known vulnerabilities, including those in Citrix and popular VPN products, the Russians were able to gain access to targeted networks. Once inside they deploy a custom malware named WellMess or WellMail, it’s claimed.

“WellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files. The malware supports HTTP, TLS and DNS communications methods,” said NCSC in its advisory [PDF complete with IOCs and detection rules].

WellMail uses SMTP port 25 to communicate, runs commands or scripts, and uploads its findings to a hard-coded command and control server using TLS encryption. Both pieces of malware are written in Go, the open source language devised by Google. The report neatly summarizes the situation:

Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.

Intriguingly, NCSC – along with the US CISA and Canada’s Communications Security Establishment – also said APT29 was deploying a custom malware it named SoreFang against products from Chinese enterprise networking biz Sangfor. However, it cautioned that Sangfor was already a target for other malicious folk before APT29 got wind of it and so not all attacks against Sangfor kit were necessarily proof of state-level espionage.

Today’s attribution follows on from warnings back in May that nameless-but-nefarious bods were targeting those same coronavirus research institutions. In light of today’s news, it could be argued that that public shot across the FSB’s bows didn’t do much to stop the digital attacks.

“This also demonstrates that Iron Hemlock (aka APT29, Cozy Bear) is a very capable threat actor that conducts low visibility operations over an extended period, since at least 2018 in this case, while attracting minimal publicity,” Rafe Pilling, a researcher at infosec biz Secureworks, told The Register.

“Every time we see this group emerge in public they are using novel malware and tradecraft. A strong focus on operational security prompts constant change, a stark contrast to some of their comrades in other parts of government and the military.”

He added that it’s not just Russia doing the hacking, although Vladimir Putin’s nation is at the forefront of today’s report: “The NCSC report emphasises that the global interest in COVID-19 is driving an intelligence collection agenda for Russia, as well as nations like Iran, that has previously been identified targeting COVID-19 related research,” he opined.

“The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research.”

Meanwhile, Mandiant Threat Intelligence’s John Hultquist said in a statement that APT29 tended to stay below the radar and steal data, making today’s attribution all the more eye-catching for espionage watchers.

“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,” he explained. “Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”

Back in 2015 FireEye observed APT29 deploying a Twitter-dependent malware strain it called Hammertoss, while last year Eset spotted the same hackers quietly targeting EU nations’ foreign offices and embassies. It seems the state-backed threat is never all that far away.

Source: FYI Russia is totally hacking the West’s labs in search of COVID-19 vaccine files, say UK, US, Canada cyber-spies • The Register

Secret Trump order gives CIA more powers to launch cyberattacks with less oversight

The Central Intelligence Agency has conducted a series of covert cyber operations against Iran and other targets since winning a secret victory in 2018 when President Trump signed what amounts to a sweeping authorization for such activities, according to former U.S. officials with direct knowledge of the matter.

The secret authorization, known as a presidential finding, gives the spy agency more freedom in both the kinds of operations it conducts and who it targets, undoing many restrictions that had been in place under prior administrations. The finding allows the CIA to more easily authorize its own covert cyber operations, rather than requiring the agency to get approval from the White House.

Unlike previous presidential findings that have focused on a specific foreign policy objective or outcome — such as preventing Iran from becoming a nuclear power — this directive, driven by the National Security Council and crafted by the CIA, focuses more broadly on a capability: covert action in cyberspace.

The “very aggressive” finding “gave the agency very specific authorities to really take the fight offensively to a handful of adversarial countries,” said a former U.S. government official. These countries include Russia, China, Iran and North Korea — which are mentioned directly in the document — but the finding potentially applies to others as well, according to another former official. “The White House wanted a vehicle to strike back,” said the second former official. “And this was the way to do it.”

President Trump and the CIA. (Photo illustration: Yahoo News; photos: AP(3), Getty Images)

The CIA’s new powers are not about hacking to collect intelligence. Instead, they open the way for the agency to launch offensive cyber operations with the aim of producing disruption — like cutting off electricity or compromising an intelligence operation by dumping documents online — as well as destruction, similar to the U.S.-Israeli 2009 Stuxnet attack, which destroyed centrifuges that Iran used to enrich uranium gas for its nuclear program.

The finding has made it easier for the CIA to damage adversaries’ critical infrastructure, such as petrochemical plants, and to engage in the kind of hack-and-dump operations that Russian hackers and WikiLeaks popularized, in which tranches of stolen documents or data are leaked to journalists or posted on the internet. It has also freed the agency to conduct disruptive operations against organizations that were largely off limits previously, such as banks and other financial institutions.

Another key change with the finding is it lessened the evidentiary requirements that limited the CIA’s ability to conduct covert cyber operations against entities like media organizations, charities, religious institutions or businesses believed to be working on behalf of adversaries’ foreign intelligence services, as well as individuals affiliated with these organizations, according to former officials.

“Before, you would need years of signals and dozens of pages of intelligence to show that this thing is a de facto arm of the government,” a former official told Yahoo News. Now, “as long as you can show that it vaguely looks like the charity is working on behalf of that government, then you’re good.”

The CIA has wasted no time in exercising the new freedoms won under Trump. Since the finding was signed two years ago, the agency has carried out at least a dozen operations that were on its wish list, according to this former official. “This has been a combination of destructive things — stuff is on fire and exploding — and also public dissemination of data: leaking or things that look like leaking.”

Some CIA officials greeted the new finding as a needed reform that allows the agency to act more nimbly. “People were doing backflips in the hallways [when it was signed],” said another former U.S. official.

But critics, including some former U.S. officials, see a potentially dangerous attenuation of intelligence oversight, which could have unintended consequences and even put people’s lives at risk, according to former officials.

The involvement of U.S. intelligence agencies in hack-and-dump activities also raises uncomfortable comparisons for some former officials. “Our government is basically turning into f****ing WikiLeaks, [using] secure communications on the dark web with dissidents, hacking and dumping,” said one such former official.

The CIA declined to comment or respond to an extensive list of questions from Yahoo News. The National Security Council did not respond to multiple written requests for comment.

[…]

Source: Secret Trump order gives CIA more powers to launch cyberattacks