The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet’s cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet. Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group it’s calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organtaizations.

In the process, they went so far as to compromise multiple country-code top-level domains — the suffixes like .co.uk, or .ru, that end a foreign web address — putting all the traffic of every domain in multiple countries at risk. The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet’s directory system, hackers were able to silently use “man-in-the-middle” attacks to intercept all internet data from email to web traffic sent to those victim organizations.

[…] Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cypress, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco’s Craig Williams confirmed that Armenia’s .am top-level domain was one ‘of the “handful” that were compromised, but wouldn’t say which of the other countries’ top-level domains were similarly hijacked.

https://m.slashdot.org/story/354704

A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA. The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.

The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data.

The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses. The FBINAA could not be reached for comment outside of business hours. If we hear back, we’ll update.

TechCrunch spoke to one of the hackers, who didn’t identify his or her name, through an encrypted chat late Friday.

“We hacked more than 1,000 sites,” said the hacker. “Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites.” We asked if the hacker was worried that the files they put up for download would put federal agents and law enforcement at risk. “Probably, yes,” the hacker said.

The hacker claimed to have “over a million data” [sic] on employees across several U.S. federal agencies and public service organizations.

It’s not uncommon for data to be stolen and sold in hacker forums and in marketplaces on the dark web, but the hackers said they would offer the data for free to show that they had something “interesting.”

[…]

The hacker — one of more than ten, they said — used public exploits, indicating that many of the websites they hit weren’t up-to-date and had outdated plugins.

[…]

Their end goal: “Experience and money,” the hacker said.

Source: Hackers publish personal data on thousands of US police officers and federal agents | TechCrunch

Facebook has been prompting some users registering for the first time to hand over the passwords to their email accounts, the Daily Beast reported on Tuesday—a practice that blares right past questionable and into “beyond sketchy” territory, security consultant Jake Williams told the Beast.

A Twitter account using the handle @originalesushi first posted an image of the screen several days ago, in which new users are told they can confirm their third-party email addresses “automatically” by giving Facebook their login credentials. The Beast wrote that the prompt appeared to trigger under circumstances where Facebook might think a sign-up attempt is “suspicious,” and confirmed it on their end by “using a disposable webmail address and connecting through a VPN in Romania.”

It is never, ever advisable for a user to give out their email password to anyone, except possibly to a 100 percent verified account administrator when no other option exists (which there should be). Email accounts tend to be primary gateways into the rest of the web, because a valid one is usually necessary to register accounts on everything from banks and financial institutions to social media accounts and porn sites. They obviously also contain copies of every un-deleted message ever sent to or from that address, as well as additional information like contact lists. It is for this reason that email password requests are one of the most obvious hallmarks of a phishing scam.

“That’s beyond sketchy,” Williams told the Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”

“This is basically indistinguishable to a phishing attack,” Electronic Frontier Foundation security researcher Bennett Cyphers told Business Insider. “This is bad on so many levels. It’s an absurd overreach by Facebook and a sleazy attempt to trick people to upload data about their contacts to Facebook as the price of signing up… No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does.”

A Facebook spokesperson confirmed in a statement to Gizmodo that this screen appears for some users signing up for the first time, though the company wrote, “These passwords are not stored by Facebook.” It additionally characterized the number of users it asks for email passwords as “very small.” Those presented with the screen were signing up on desktop while using email addresses that did not support OAuth—an open standard for allowing third parties authenticated access to assets (such as for the purpose of verifying identities) without sharing login credentials. OAuth is typically a standard feature of major email providers.

Facebook noted in the statement that those users presented with this screen could opt out of sharing passwords and use another verification method such as email or phone. The company also said it would be ending the practice of asking for email passwords.

Source: Facebook Is Just Casually Asking Some New Users for Their Email Passwords

This beggars belief!

In January, the National Enquirer published a special edition that revealed an intimate relationship Bezos was having. He asked me to learn who provided his private texts to the Enquirer, and why. My office quickly identified the person whom the Enquirer had paid as a source: a man named Michael Sanchez, the now-estranged brother of Lauren Sanchez, whom Bezos was dating. What was unusual, very unusual, was how hard AMI people worked to publicly reveal their source’s identity. First through strong hints they gave to me, and later through direct statements, AMI practically pinned a “kick me” sign on Michael Sanchez.

“It was not the White House, it was not Saudi Arabia,” a company lawyer said on national television, before telling us more: “It was a person that was known to both Bezos and Ms. Sanchez.” In case even more was needed, he added, “Any investigator that was going to investigate this knew who the source was,” a very helpful hint since the name of who was being investigated had been made public 10 days earlier in a Daily Beast report.

Much was made about a recent front-page story in the Wall Street Journal, fingering Michael Sanchez as the Enquirer’s source—but that information was first published almost seven weeks ago by The Daily Beast, after “multiple sources inside AMI” told The Daily Beast the exact same thing. The actual news in the Journal article was that its reporters were able to confirm a claim Michael Sanchez had been making: It was the Enquirer who first contacted Michael Sanchez about the affair, not the other way around.

AMI has repeatedly insisted they had only one source on their Bezos story, but the Journal reports that when the Enquirer began conversations with Michael Sanchez, they had “already been investigating whether Mr. Bezos and Ms. Sanchez were having an affair.” Michael Sanchez has since confirmed to Page Six that when the Enquirer contacted him back in July, they had already “seen text exchanges” between the couple. If accurate, the WSJ and Page Six stories would mean, clearly and obviously, that the initial information came from other channels—another source or method.

[On Sunday, AMI issued a statement insisting that “it was Michael Sanchez who tipped the National Enquirer off to the affair on Sept. 10, 2018, and over the course of four months provided all of the materials for our investigation.” Read the full statement here. — ed.]

“Bezos directed me to ‘spend whatever is needed’ to learn who may have been complicit in the scheme, and why they did it. That investigation is now complete.”

Reality is complicated, and can’t always be boiled down to a simple narrative like “the brother did it,” even when that brother is a person who certainly supplied some information to a supermarket tabloid, and even when that brother is an associate of Roger Stone and Carter Page. Though interesting, it turns out those truths are also too simple.

Why did AMI’s people work so hard to identify a source, and insist to the New York Times and others that he was their sole source for everything?

My best answer is contained in what happened next: AMI threatened to publish embarrassing photos of Jeff Bezos unless certain conditions were met. (These were photos that, for some reason, they had held back and not published in their first story on the Bezos affair, or any subsequent story.) While a brief summary of those terms has been made public before, others that I’m sharing are new—and they reveal a great deal about what was motivating AMI.

An eight-page contract AMI sent for me and Bezos to sign would have required that I make a public statement, composed by them and then widely disseminated, saying that my investigation had concluded they hadn’t relied upon “any form of electronic eavesdropping or hacking in their news-gathering process.”

Note here that I’d never publicly said anything about electronic eavesdropping or hacking—and they wanted to be sure I couldn’t.

They also wanted me to say our investigation had concluded that their Bezos story was not “instigated, dictated or influenced in any manner by external forces, political or otherwise.” External forces? Such a strange phrase. AMI knew these statements did not reflect my conclusions, because I told AMI’s Chief Content Officer Dylan Howard (in a 90-minute recorded phone call) that what they were asking me to say about external forces and hacking “is not my truth,” and would be “just echoing what you are looking for.”

(Indeed, an earlier set of their proposed terms included AMI making a statement “affirming that it undertook no electronic eavesdropping in connection with its reporting and has no knowledge of such conduct”—but now they wanted me to say that for them.)

The contract further held that if Bezos or I were ever in our lives to “state, suggest or allude to” anything contrary to what AMI wanted said about electronic eavesdropping and hacking, then they could publish the embarrassing photos.

Todd Williamson/Getty

I’m writing this today because it’s exactly what the Enquirer scheme was intended to prevent me from doing. Their contract also contained terms that would have inhibited both me and Bezos from initiating a report to law enforcement.

Things didn’t work out as they hoped.

When the terms for avoiding publication of personal photos were presented to Jeff Bezos, he responded immediately: “No thank you.” Within hours, he wrote an essay describing his reasons for rejecting AMI’s threatening proposal. Then he posted it all on Medium, including AMI’s actual emails and their salacious descriptions of private photos. (After the Medium post, AMI put out a limp statement saying it “believed fervently that it acted lawfully in the reporting of the story of Mr. Bezos.”)

The issues Bezos raised in his Medium post have nothing whatsoever to do with Michael Sanchez, any more than revealing the name of a low-level Watergate burglar sheds light on the architects of the Watergate cover-up. Bezos was not expressing concerns about the Enquirer’s original story; he was focused on what he called “extortion and blackmail.”

Next, Bezos directed me to “spend whatever is needed” to learn who may have been complicit in the scheme, and why they did it.

That investigation is now complete. As has been reported elsewhere, my results have been turned over to federal officials. Since it is now out of my hands, I intend today’s writing to be my last public statement on the matter. Further, to respect officials pursuing this case, I won’t disclose details from our investigation. I am, however, comfortable confirming one key fact:

Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information. As of today, it is unclear to what degree, if any, AMI was aware of the details.

Source: Bezos’ Investigator Gavin de Becker Finds the Saudis Obtained the Amazon Chief’s Private Data

Reuters is a bit shorter on the matter:

WASHINGTON (Reuters) – The security chief for Amazon chief executive Jeff Bezos said on Saturday that the Saudi government had access to Bezos’ phone and gained private information from it.

Gavin De Becker, a longtime security consultant, said he had concluded his investigation into the publication in January of leaked text messages between Bezos and Lauren Sanchez, a former television anchor who the National Enquirer tabloid newspaper said Bezos was dating.

Last month, Bezos accused the newspaper’s owner of trying to blackmail him with the threat of publishing “intimate photos” he allegedly sent to Sanchez unless he said in public that the tabloid’s reporting on him was not politically motivated.

In an article for The Daily Beast website, De Becker said the parent company of the National Enquirer, American Media Inc., had privately demanded that De Becker deny finding any evidence of “electronic eavesdropping or hacking in their newsgathering process.”

“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information,” De Becker wrote. “As of today, it is unclear to what degree, if any, AMI was aware of the details.”

https://www.reuters.com/article/us-people-bezos-saudi/saudis-gained-access-to-amazon-ceo-bezos-phone-bezos-security-chief-idUSKCN1RB0RS

NSO and a competitor, the Emirati firm DarkMatter, exemplify the proliferation of privatized spying. A monthslong examination by The New York Times, based on interviews with current and former hackers for governments and private companies and others as well as a review of documents, uncovered secret skirmishes in this burgeoning world of digital combat.

A former top adviser to the Saudi crown prince, Mohammed bin Salman, spoke of using NSO’s products abroad as part of extensive surveillance efforts.CreditGiuseppe Cacace/Agence France-Presse — Getty Images

Image

The firms have enabled governments not only to hack criminal elements like terrorist groups and drug cartels but also in some cases to act on darker impulses, targeting activists and journalists. Hackers trained by United States spy agencies caught American businesspeople and human rights workers in their net. Cybermercenaries working for DarkMatter turned a prosaic household item, a baby monitor, into a spy device.

The F.B.I. is investigating current and former American employees of DarkMatter for possible cybercrimes, according to four people familiar with the investigation. The inquiry intensified after a former N.S.A. hacker working for the company grew concerned about its activities and contacted the F.B.I., Reuters reported.

NSO and DarkMatter also compete fiercely with each other, paying handsomely to lure top hacking talent from Israel, the United States and other countries, and sometimes pilfering recruits from each other, The Times found.

The Middle East is the epicenter of this new era of privatized spying. Besides DarkMatter and NSO, there is Black Cube, a private company run by former Mossad and Israeli military intelligence operatives that gained notoriety after Harvey Weinstein, the disgraced Hollywood mogul, hired it to dig up dirt on his accusers. Psy-Group, an Israeli company specializing in social media manipulation, worked for Russian oligarchs and in 2016 pitched the Trump campaign on a plan to build an online army of bots and avatars to swing Republican delegate votes.

Last year, a wealthy American businessman, Elliott Broidy, sued the government of Qatar and a New York firm run by a former C.I.A. officer, Global Risk Advisors, for what he said was a sophisticated breach of his company that led to thousands of his emails spilling into public. Mr. Broidy said that the operation was motivated by hard-nosed geopolitics: At the beginning of the Trump administration, he had pushed the White House to adopt anti-Qatar policies at the same time his firm was poised to receive hundreds of millions of dollars in contracts from the United Arab Emirates, the archrival to Qatar.

A judge dismissed Mr. Broidy’s lawsuit, but suspicions have grown that Qatar had a hand in other operations, including the hacking and leaking of the emails of Yousef al-Otaiba, the influential Emirati ambassador in Washington.

The rapid expansion of this global high-tech battleground, where armies of cybermercenaries clash, has prompted warnings of a dangerous and chaotic future.

Source: A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments – The New York Times

The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries, as detailed in a breach notification issued by the car maker today.

As detailed in a press release published on Toyota’a global newsroom, unauthorized access was detected on the computing systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.

“It turned out that up to 3.1 million items of customer information may have been leaked outside the company. The information that may have been leaked this time does not include information on credit cards,” says the data breach notification.

[…]

Security experts consider the attacks targeting Toyota’s subsidiaries and dealers to be part of a large scale coordinated operation attributed to the Vietnamese-backed APT32 hacking group, also known as OceanLotus and Cobalt Kitty, says ZDNet.

FireEye says that APT32 is targeting “foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors.”

APT32 also targeted research institutes from around the world, media organizations, various human rights organizations, and even Chinese maritime construction firms in the past. [1, 2, 3, 4, 5, 6, 7]

Source: Toyota Security Breach Exposes Personal Info of 3.1 Million Clients

No mention of what data exactly was stolen, which is worrying.

A Lithuanian man admitted he helped trick Facebook Inc. and Alphabet Inc.’s Google into sending more than $100 million through a phishing scheme.

Evaldas Rimasauskas, 50, pleaded guilty to one count of wire fraud before U.S. District Judge George Daniels on Wednesday under an agreement with prosecutors and will forfeit $49.7 million. Rimasauskas was extradited to New York in August 2017. He faces as many as 30 years in prison when he is sentenced July 24.

Prosecutors alleged that Rimasauskas, along with some unidentified co-conspirators, helped orchestrate a scheme in which fake emails were sent to employees and agents of the two tech giants. The thieves pretended to represent Taiwanese hardware maker Quanta Computer. They told Facebook and Google workers that the companies owed Quanta money, and then directed payments be sent to bank accounts controlled by the scammers.

[…]

Daniels asked Rimasauskas why the victims wired the money and whether they were promised anything in return.

“I’m not sure 100 percent because I was asked to open bank accounts,” Rimasauskas said. “After that I did not do anything with these accounts.”

Assistant U.S. Attorney Eun Young Choi told the judge that prosecutors don’t allege that Rimasauskas was the one who directly induced the companies to send the money.

“He created the infrastructure to further the fraudulent transfers,” Choi said.

The scheme netted about $23 million from Google in 2013 and about $98 million from Facebook in 2015, according to a person familiar with the case, who asked not to be named because the companies haven’t been publicly identified by prosecutors as the victims.

Source: Man Pleads Guilty in $100 Million Scam of Facebook and Google – Bloomberg

• 30 m radius (wifi)
• 4MB RAM for 4 million characters
• QWERTY keyboards
• hidden network (wifi)
• remote key injection
• open source software

Source: KEYVILBOARD | Dé hardware keylogger voor jouw arsenaal

Citrix today warned its customers that foreign hackers romped through its internal company network and stole corporate secrets.

The enterprise software giant – which services businesses, the American military, and various US government agencies – said it was told by the FBI on Wednesday that miscreants had accessed Citrix’s IT systems and exfiltrated a significant amount of data.

According to infosec firm Resecurity, which had earlier alerted the Feds and Citrix to the cyber-intrusion, at least six terabytes of sensitive internal files were swiped from the US corporation by the Iranian-backed IRIDIUM hacker gang. The spies hit in December, and Monday this week, we’re told, lifting emails, blueprints, and other documents, after bypassing multi-factor login systems and slipping into Citrix’s VPNs.

Source: Iranian hackers ransack Citrix, make off with 6TB+ of emails, biz docs, internal secrets • The Register

If you open a PDF document and your viewer displays a panel (like you see below) indicating that

1. the document is signed by invoicing@amazon.de and
2. the document has not been modified since the signature was applied You assume that the displayed content is precisely what invoicing@amazon.de has created.

During recent research, we found out that this is not the case for almost all PDF Desktop Viewers and most Online Validation Services.

So what is the problem?

With our attacks, we can use an existing signed document (e.g., amazon.de invoice) and change the content of the document arbitrarily without invalidating the signatures. Thus, we can forge a document signed by invoicing@amazon.de to refund us one trillion dollars.

To detect the attack, you would need to be able to read and understand the PDF format in depth. Most people are probably not capable of such thing (PDF file example).

To recap this, you can use any signed PDF document and create a document which contains arbitrary content in the name of the signing user, company, ministry or state.

Source: PDF Signature Spoofing

In new research they plan to present at the USENIX Security conference on Thursday, a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer. While that attack is far from practical for any real spy or criminal, it’s one the researchers argue could become more likely over time, as DNA sequencing becomes more commonplace, powerful, and performed by third-party services on sensitive computer systems. And, perhaps more to the point for the cybersecurity community, it also represents an impressive, sci-fi feat of sheer hacker ingenuity.

Source: Biohackers Encoded Malware in a Strand of DNA

Last August, Zac Plansky woke to find that the rifle scopes he was selling on Amazon had received 16 five-star reviews overnight. Usually, that would be a good thing, but the reviews were strange. The scope would normally get a single review a day, and many of these referred to a different scope, as if they’d been cut and pasted from elsewhere. “I didn’t know what was going on, whether it was a glitch or whether somebody was trying to mess with us,” Plansky says.

As a precaution, he reported the reviews to Amazon. Most of them vanished days later — problem solved — and Plansky reimmersed himself in the work of running a six-employee, multimillion-dollar weapons accessory business on Amazon. Then, two weeks later, the trap sprang. “You have manipulated product reviews on our site,” an email from Amazon read. “This is against our policies. As a result, you may no longer sell on Amazon.com, and your listings have been removed from our site.”

A rival had framed Plansky for buying five-star reviews, a high crime in the world of Amazon. The funds in his account were immediately frozen, and his listings were shut down. Getting his store back would take him on a surreal weeks-long journey through Amazon’s bureaucracy, one that began with the click of a button at the bottom of his suspension message that read “appeal decision.”

[…]

For sellers, Amazon is a quasi-state. They rely on its infrastructure — its warehouses, shipping network, financial systems, and portal to millions of customers — and pay taxes in the form of fees. They also live in terror of its rules, which often change and are harshly enforced. A cryptic email like the one Plansky received can send a seller’s business into bankruptcy, with few avenues for appeal.

Sellers are more worried about a case being opened on Amazon than in actual court, says Dave Bryant, an Amazon seller and blogger. Amazon’s judgment is swifter and less predictable, and now that the company controls nearly half of the online retail market in the US, its rulings can instantly determine the success or failure of your business, he says. “Amazon is the judge, the jury, and the executioner.”

Amazon is far from the only tech company that, having annexed a vast sphere of human activity, finds itself in the position of having to govern it. But Amazon is the only platform that has a $175 billion prize pool tempting people to game it, and the company must constantly implement new rules and penalties, which in turn, become tools for new abuses, which require yet more rules to police. The evolution of its moderation system has been hyper-charged. While Mark Zuckerberg mused recently that Facebook might need an analog to the Supreme Court to adjudicate disputes and hear appeals, Amazon already has something like a judicial system — one that is secretive, volatile, and often terrifying.

Amazon’s judgments are so severe that its own rules have become the ultimate weapon in the constant warfare of Marketplace. Sellers devise all manner of intricate schemes to frame their rivals, as Plansky experienced. They impersonate, copy, deceive, threaten, sabotage, and even bribe Amazon employees for information on their competitors.

[…]

Scammers have effectively weaponized Amazon’s anti-counterfeiting program. Attacks have become so widespread that they’ve even pulled in the US Patent and Trademark Office, which recently posted a warning that people were making unauthorized changes through its electronic filing system, likely “part of a scheme to register the marks of others on third-party ‘brand registries.’” Scammers had begun swapping out the email addresses on their rival’s trademark files, which can be done without a password, and using the new email to register their competitor’s brand with Amazon, gaining control of their listings. As Harris encountered, Amazon appears not to check whether a listing belongs to a brand already enrolled in brand registry. Stine has a client who had trademarked their party supply brand and registered it with Amazon, only to have a rival change their trademark file, register with Amazon, and hijack their listing for socks, which had things like “If you can read this, bring coffee” written on the soles.

[…]

There are more subtle methods of sabotage as well. Sellers will sometimes buy Google ads for their competitors for unrelated products — say, a dog food ad linking to a shampoo listing — so that Amazon’s algorithm sees the rate of clicks converting to sales drop and automatically demotes their product. They will go on the black market and purchase or rent seller accounts with special editing privileges and use them to change the color or description of their rival’s products so they get suspended for too many customers complaining about the item being “not as described.” They will exile their competitor’s listings to an unrelated category — say, move a product with a “Best Seller” badge in the office category to lawn care, taking the badge for themselves.

“They took a kids toy made for six to 12 year olds and they changed it to a sex toy,” one outraged seller told me. This is a common move, as Amazon hides products in that category unless the customer clicks a button saying they’re over 18. Another seller who had been battling counterfeiters of his childproof locks and outlet covers received a threat in Chinese saying that, while it is hard to build a listing like his, it would be easy to destroy. “Be cautious,” the message warned. Later, he too was banished to sex toys. “It’s suppressed from search results unless you literally search for a “sexual child proof door lock,” he says. (He had no sales.)

Source: Dirty dealing in the $175 billion Amazon Marketplace

An incredible story, very worth reading in its’ entirety

Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

“This is the biggest collection of breaches we’ve ever seen,” says Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, who pulled Collections #1–5 in recent days from torrented files. He says the collection has already circulated widely among the hacker underground: He could see that the tracker file he downloaded was being “seeded” by more than 130 people who possessed the data dump, and that it had already been downloaded more than 1,000 times. “It’s an unprecedented amount of information and credentials that will eventually get out into the public domain,” Rouland says.

Source: Hackers Are Passing Around a Megaleak of 2.2 Billion Records | WIRED

Airbus has admitted that a “cyber incident” resulted in unidentified people getting their hands on “professional contact and IT identification details” of some Europe-based employees.

The company said in a brief statement published late last night that the breach is “being thoroughly investigated by Airbus’ experts”. The company has its own infosec business unit, Stormguard.

“Investigations are ongoing to understand if any specific data was targeted,” it continued, adding that it is in contact with the “relevant regulatory authorities”, which for Airbus is France’s CNIL data protection watchdog. We understand no customer data was accessed, while Airbus insists for the moment that there has been no impact on its commercial operations.

Airbus said the target was its Commercial Aircraft business unit, which employs around 10,000 people in the UK alone, split between two sites. The company said that only people in “Europe” were affected.

Source: Personal data slurped in Airbus hack – but firm’s industrial smarts could be what crooks are after • The Register

Sonoff B1, lights and shades

12 Replies

Six months ago I was reviewing the AiThinker AiLight, a great looking light bulb with an embedded ESP8266EX microcontroller, driven by a MY9291 LED driver. Just before summer IteadStudio released it’s Sonoff B1 [Itead.cc] light bulb, heavily inspired (probably same manufacturer) by the AiLight, at least on the design.

Now that IteadStudio has become popular between the home automation community you can also find the Sonoff B1 on global marketplaces like Ebay or Aliexpress for around 13€.

A closer look at the B1 uncovers some important differences. But before going deeper into the details let me first say that this post will probably look more like a review, at least more than I use to write. And second, yes: ESPurna supports the Sonoff B1

An unboxing?

Not quite so. I leave that to other people with better skills on the video editing world. Let me just tell you than the “box” is somewhat different from what I expected. You might recall the AiLight box: a simple beige drawer-like box with a “WiFi Light” text and a simple icon. No colors, pictures, specifications,… nothing.

Instead, the Sonoff B1 I received from IteadStudio comes in a colorful box, with the usual pictures and data you can find in retail products.

Inside the box the light bulb is comfy housed in a polyethylene foam, along with a quality control certification and a small “getting started” manual in English and Chinese.

A heat sink?

Don’t think so. The first thing I noticed when I opened the box was that the bulb was very similar to the AiLight, the second the only visual difference. It certainly looks like a big heat sink. I almost fear touching it while connected. But how much heat can you generate if the light is rated 6W? The bulb body houses a basic AC/DC power supply (90-250VAC to 12VDC) and is accessible unscrewing the metal frame (the heat-sink part from the smooth part with the “sonoff” logo).

The AiLight is also 6W and you can safely touch it, even when it has been at full power for a lot of time. The Sonoff B1 shouldn’t be different. So I’m lean towards thinking it’s an aesthetic decision. Unless there are some beefy power LEDs inside.

Power LEDs?

Not all of them. Anyway I think this is the aspect where the B1 clearly differentiates from the AiLight. The later has 8 cold white power LEDs, as well as 6 red, 4 green and 4 blue power LEDs. The Sonoff B1 also has 8 cold white ones. But then it features 8 warm white power LEDs and 3 5050 RGB LEDs!

I don’t have a luximeter but the difference when fully white between the two is hard to spot. But the warm white color really makes the difference in favor of the Sonoff bulb. On the other hand, the 3 5050 SMD LEDs are clearly not enough. Even more: since the RGB LEDs are closer to the center of the round PCB, just around the WiFi antenna, the shadow of the antenna is very noticeable if you are using a colored light.

Hard to tell which one is brighter for the naked eye…

The pic does not justice the difference. The right on is the AiLight with the white power LEDs at full duty. The left on is the Sonoff B1 using the warm white power LEDs (you can see the yellowish color in the wall). The cold white LEDs are brighter but, depending on the room, the warm white LEDs could be more suitable.

Both bulbs again, now with the red channel at full duty. No need for words.

3 5050 RGB LEDs, 3 shadows of the antenna

A view without the cap, red LEDs are at 100% duty cycle, white LEDs are only at 10%…

I think the Sonoff B1 could be a better choice when used to illuminate with a warm white light your living room or your bedroom than the AiLight. If you need a colorful illumination, discotheque moods or a nice cold white for your kitchen, use the AiLight. Another possible (and interesting) use for Sonoff B1 would be as a notification light using traffic light color code, for instance. Clearly visible but not disturbing colors.

The controller?

Not the same. It is actually an ESP8285. In practice, you can talk to it like if it was an ESP2866 with a 1Mb embedded flash using DOUT flash mode. So that’s my recommended configuration.

The ESP8285 and required components with the 5050 RGB LEDs

As you can see in the pictures, the PCB is actually 2 PCB, one for the power LEDs and the other one for the microcontroller, some components and the 5050 on the front, a buck converter (12VDC to 3.3VDC for the ESP8285) and the LED driver on the back. The two PCBs are soldered together and glued to the underneath support.

In the AiLight the LED driver is a MY9291 [datasheet, PDF] by My-Semi. The Sonoff B1 uses another My-Semi driver, the MY9231 [datasheet, PDF]. The MY9291 is a 4 channels LED driver but the MY9231 is just 3 channels… so how is it possible to do RGB plus white and warm? Well actually these ICs are daisy chainable, so there are two MY9231 controllers in the Sonoff B1, the first one controlling the white power LEDs and the second the 5050 RGB LEDs.

I did not want to remove the glue under the PCB. But you can glimpse one My-Semi controller through the bottom hole.

ESPurna?

The ESPurna firmware is released as free open software and can be checked out at my Espurna repository on GitHub.

Sure! You can flash the Sonoff B1 following the same procedure of the AiLight. There are 6 pads on the PCB labelled 3V3, RX, TX, GND, GPIO0 and SDA. You will need to wire the first 5 (tin you cable, apply a small drop on the pad and then heat them together). Connect RX to TX, TX to RX, GND to GND, GPIO0 to GND and finally 3V3 to the 3V3 power source of your programmer. It will then enter into flash mode (GPIO0 is grounded). You can either flash the bin file from the ESPurna downloads section or build your own image (check the ESPurna wiki for docs).

Wired flashing of the Sonoff B1

Since ESPurna version 1.9.0 you define and control any number of dimming channels, you can also define the first three to be RGB channels. If you do, the web UI will show you a colorpicker to select the color.

You can also control it via MQTT. It supports CSS notation, comma separated or color temperature, as well as brightness and status, of course.

1 2 3 4 5 6 7 8 9 10 11

// 100% red mosquitto_pub -t /home/study/light/color/set -m "#FF0000"; // 100% warm white mosquitto_pub -t /home/study/light/color/set -m "0,0,0,0,255"; // 300 mired color temperature mosquitto_pub -t /home/study/light/color/set -m "M300"; // 4000 kelvin color temperature mosquitto_pub -t /home/study/light/color/set -m "K4000";

Of course you can also use Home Assistant MQTT Light component. The configuration would look like this:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

light:   - platform: mqtt     name: 'AI Light TEST'     state_topic: '/home/study/light/relay/0'     command_topic: '/home/study/light/relay/0/set'     payload_on: 1     payload_off: 0     rgb_state_topic: '/home/study/light/color'     rgb_command_topic: '/home/study/light/color/set'     rgb: true     optimistic: false     color_temp: true     color_temp_command_topic: '/home/study/light/mired/set'     brightness: true     brightness_command_topic: '/home/study/light/brightness/set'     brightness_state_topic: '/home/study/light/brightness'     white_value: true     white_value_command_topic: '/home/study/light/channel/3/set'     white_value_state_topic: '/home/study/light/channel/3'

Either way, flashing custom firmware like ESPurna on a 13€ Sonoff B1 [Ebay] device allows you to first fully control your device (no connections outside your home network if you don’t want to) and second, make it interoperate with other services like Home Assistant, Domoticz, Node-RED or any other MQTT o REST capable services.

After all, I’m talking about Technological Sovereignty.

Source: Sonoff B1, lights and shades – Tinkerman

WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages.

According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn’t need to advertise itself with a free version on the official WordPress.org plugins repository.

But on Saturday, ET timezone, the plugin faced its first major security incident since its launch in 2007.

The attacker, which the WPML team claims is a former employee, sent out a mass email to all the plugin’s customers. In the email, the attacker claimed he was a security researcher who reported several vulnerabilities to the WPML team, which were ignored. The email[1, 2, 3, 4, 5] urged customers to check their sites for possible compromises.

But the WPML team vehemently disputed these claims. Both on Twitter[1, 2] and in a follow-up mass email, the WPML team said the hacker is a former employee who left a backdoor on its official website and used it to gain access to its server and its customer database.

WPML claims the hacker used the email addresses and customer names he took from the website’s database to send the mass email, but he also used the backdoor to deface its website, leaving the email’s text as a blog post on its site [archived version here].

Developers said the former employee didn’t get access to financial information, as they don’t store this kind of details, but they didn’t rule that he could now log into customers’ WPML.org accounts as a result of compromising the site’s database.

The company says it’s now rebuilding its server from scratch to remove the backdoor and resetting all customer account passwords as a precaution.

The WPML team also said the hacker didn’t gain access to the source code of its official plugin and did not push a malicious version to customers’ sites.

The company and its management weren’t available for additional questions regarding the incident. It is unclear if they reported the employee to authorities at the time of writing. If the company’s claim is true, there is little chance of the former employee escaping jail time.

Source: Popular WordPress plugin hacked by angry former employee | ZDNet

Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission’s EDGAR corporate filing system.

The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were “test filings,” which corporations upload to the SEC’s website.

The charges were announced Tuesday by Craig Carpenito, U.S. Attorney for the District of New Jersey, alongside the SEC, the Federal Bureau of Investigation and the U.S. Secret Service, which investigates financial crimes.

watch now

VIDEO00:30

SEC sues traders for hacking Edgar system in 2016

The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services.

Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. “After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public,” he said.

Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies’ stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito.

watch now

VIDEO02:08

Risk factor

The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said. The EDGAR service operates in New Jersey, which is why the Justice Department office in Newark was involved in the case.

Stephanie Avakian, co-head of the SEC’s Division of Enforcement, said the same criminals also stole advance press releases sent to three newswire services, though she didn’t name the newswires. The hackers used multiple broker accounts to collect the illicit gains, she said.

Two Ukrainians were charged by the Justice Department with hacking the database — Oleksandr Ieremenko and Artem Radchenko. Seven further individuals and entities were also named in a civil suit by the SEC for trading on the illicit information: Sungjin Cho, David Kwon, Igor Sabodakha, Victoria Vorochek, Ivan Olefir, Andrey Sarafanov, Capyield Systems, Ltd. (owned by Olefir) and Spirit Trade Ltd.

Consolidated Audit Trail fears

Also at the time, the incident sparked fears over the SEC’s Consolidated Audit Trail database, known as CAT. The CAT was meant to record every trade and order — either stock or option — made in the U.S., with the goal of providing enough data to analyze for detecting market manipulations and other malicious behavior.

Full implementation of the CAT has been plagued by delays, with equities reporting now scheduled to begin in November. The New York Stock Exchange has asked the SEC to consider limiting the amount of data collected by the CAT, which would include data on around 58 billion daily trades, as well as the personal details of individuals making the trades, including their Social Security numbers and dates of birth.

In September 2017, SEC chairman Jay Clayton announced the EDGAR database had been hacked in a lengthy statement. The commission said the database was penetrated in 2016 but the incident wasn’t detected until August 2017.

“Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic,” Clayton said at the time. “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

Source: International stock trading scheme hacked into SEC database

The one thing no one expects on a job interview is North Korean hackers picking up on the other line. But that’s apparently exactly what happened to a hapless employee at Redbanc, the company that handles Chile’s ATM network.

The bizarre story was reported in trendTIC, a Chilean tech site. A Redbanc employee found a job opening on LinkedIn for a developer position. After setting up a Skype interview, the employee was then asked to install a program called ApplicationPDF.exe on their computer, trendTIC reports. The program was reportedly explained to be part of the recruitment process and generated a standard application form. But it was not an application form, it was malware.

Because the malware was then installed on a company computer, the hackers reportedly received important info about the employee’s work computer, including username, hardware and OS, and proxy settings. With all that info, the hackers would then be able to later deliver a second-stage payload to the infected computer.

As for the link to North Korea, an analysis by security firm Flashpoint indicates the malware utilized PowerRatankba, a malicious toolkit associated with Lazarus Group, a hacking organization with ties to Pyongyang. If you haven’t heard of these guys, you’ve definitely heard of the stuff they’ve been up to. Also known as Hidden Cobra, the Lazarus Group is linked with the Sony hack in 2014 and the WannaCry 2.0 virus, which infected 230,000 computers in 150 countries in 2017. They’re also known for targeting major banking and financial institutions and have reportedly absconded with $571 million in cryptocurrency since January 2017.

The hack reportedly took place at the end of December, but it was only made public after Chilean Senator Felipe Harboe took to Twitter last week to blast Redbanc for keeping the breach secret. Redbanc later acknowledged the breach occurred in a statement, but the company failed to mention any details.

That said, there were some serious security 101 no-no’s committed by the Redbanc employee that we can all learn from. Mainly, it doesn’t matter how much you hate your current gig, you should be suspicious if a prospective employer asks you to download any program that asks for personal information. Also, for multiple common-sense reasons, maybe don’t do job interviews on your dedicated work computer. And while it’s hard these days not to take work home, for security reasons, you should definitely be more discerning about the programs you download onto a work-issued device. Sounds simple enough, but then again, it happened to this poor fellow.

[ZDNet]

Source: North Korean Hackers Gain Access to Chilean ATMs Through Skype

The South Korea Ministry of National Defense says 10 of its internal PCs have been compromised by North Korea unknown hackers .

Korea’s Dong-A Ilbo reports that the targeted machines belonged to the ministry’s Defense Acquisition Program Administration, the office in charge of military procurement.

The report notes that the breached machines would have held information on purchases for things such as “next-generation fighter jets,” though the Administration noted that no confidential information was accessed by North Korea the yet-to-be identified infiltrators.

North Korea The mystery hackers got into the machines on October 4 of last year. Initially trying to break into 30 machines, the intruders only managed to compromise 10 of their targets.

After traversing the networks for more than three weeks the intrusion was spotted on October 26 by the National Intelligence Service, who noticed unusual activity on the procurement agency’s intellectual property servers.

An investigation eventually unearthed the breach, and concluded that North Korea the mystery hackers did get into a number of machines but didn’t steal anything that would be of use to North Korea a hostile government .

The incident was disclosed earlier this week in a report from a South Korean politician.

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Dong-A Ilbo quotes Lthe politico as saying.

“Further investigation to find out if the source of attacks is North Korea or any other party.”

The report notes that the attack on the Defense Acquisition Program Administration appears to be part of a larger effort by North Korea an unknown group to infiltrate networks throughout the South Korean government in order to steal data.

The government says it is working on “extra countermeasures” to prevent future attacks by North Korea mystery foreign groups.

Source: South Korea says mystery hackers cracked advanced weapons servers • The Register

On December 28th, Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, analyzed the data stream of BinaryEdge search engine and identified an open and unprotected MongoDB instance:

The same IP also appeared in Shodan search results:

Upon closer inspection, an 854 GB sized MongoDB database was left unattended, with no password/login authentication needed to view and access the details of what appeared to be more than 200 million very detailed resumes of Chinese job seekers.

Each of the 202,730,434 records contained the details not only on the candidates’ skills and work experience but also on their personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more.

 

See more details in the PDF factsheet

 

The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository (page is no longer available but it is still saved in Google cache)  which contained a web app source code with identical structural patterns as those used in the exposed resumes:

 

 

 

The tool named “data-import” (created 3 years ago) seems to have been created to scrape data (resumes) from different Chinese classifieds, like bj.58.com and others.

 

 

It is unknown, whether it was an official application or illegal one used to collect all the applicants’ details, even those labeled as ‘private’.

Upon additional request, the security team of BJ.58.com did not confirm that the data originated from their source:

We have searched all over the database of us and investigated all the other storage, turned out that the sample data is not leaked from us.

It seems that the data is leaked from a third party who scrape data from many CV websites.

Shortly after my notification on Twitter, the database had been secured. It’s worth noting that MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline.

Source: No more privacy: 202 Million private resumes exposed – HackenProof Blog

A newly disclosed vulnerability in Skype for Android could be exploited by miscreants to bypass an Android phone’s passcode screen to view photos, contacts, and even launch browser windows.

Bug-hunter Florian Kunushevci today told The Register the security flaw, which has been reported to Microsoft, allows the person in possession of someone’s phone to receive a Skype call, answer it without unlocking the handset, and then view photos, look up contacts, send a message, and open the browser by tapping links in a sent message, all without ever unlocking the phone. This is handy for thieves, pranksters, prying partners, and so on. Here’s a video demonstrating the bypass…

Kunushevci, a 19-year-old bug researcher from Kosovo, said he was an everyday user of the Skype for Android app when he noticed that something appeared to be amiss with the way the VoIP app accessed files on the handset. Curious, he decided to put his white hat on, and take a closer look.

Source: Can’t unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass • The Register

Uploaded to Github on Thursday, a tool called Crashcast enables the almost instantaneous takeover all of Chromecast streaming devices left accessible online by mistake. This same misconfiguration issue was taken advantage of by the hacker duo Hacker Giraffe and j3ws3r earlier this week to broadcast a message in support of the YouTube star Felix Kjellberg, more widely known as PewDiePie, to thousands of Chromecast owners.

The prank was intended to draw attention, the hacker said, to the fact that thousands of Chromecast devices globally have been left exposed unnecessarily.

Hacker Giraffe, who not too long ago pulled a similar prank using internet-connected printers, said on Thursday that the backlash caused by the Chromecast high jinks led them to give up hacking. The fear of getting caught and prosecuted, the hacker wrote on Pastebin, was causing “all kinds of fears and panic attacks.”

“I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions,” they added.

But now a tool which accomplishes the same feat is accessible to virtually anyone, thanks to Amir Khashayar Mohammadi, a security and freelance researcher. Mohammadi tells Gizmodo, however, that the tool he’s released is merely a proof-of-concept uploaded to further research into the problem, and is not intended for people to use maliciously.

Luckily, the problem is a fairly benign one. The tool doesn’t allow for remote code execution, so forcing the device to play random YouTube videos is about all that can be accomplished. “You’re not necessarily hacking anything here,” says Mohammadi, who blogs and publishes papers on the website Spuz.me. “All you’re doing is issuing a cURL command which in this case tells the Chromecast to view a video.”

“There is no authentication or bypass, you’re actually doing what the Chromecast is intended to do, except the reason this works is because they’re all being exposed to the internet,” he continued, adding: “I mean honestly, why would anyone leave their Chromecast on the internet? It makes no sense. You’re literally asking for it.”

Source: Researcher Distributes Tool That Enables Mass-Hijacking of Google Chromecast Devices

A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.

The 96-page report (PDF) from the Committee of Oversight and Government Reform found that the 2017 network breach could have easily been prevented had the company taken basic security precautions.

“Equifax, however, failed to implement an adequate security program to protect this sensitive data,” the report reads.

“As a result, Equifax allowed one of the largest data breaches in US history. Such a breach was entirely preventable.”

The report noted some of the previously-disclosed details of the hack, including the expired SSL certificate that had disabled its intrusion detection system for 19 months and the Apache Struts patch that went uninstalled for two months because of that bad cert.

The report states that Equifax’s IT team did scan for unpatched Apache Struts code on its network. But it only checked the root directory, not the subdirectory that was home to the unpatched software

Both issues were blamed for allowing an attacker to compromise the Equifax Automated Consumer Interview System and then spend weeks moving throughout the network to harvest personal records from other databases. It was only when the certificate was renewed that Equifax saw the massive amounts of data being copied from its servers and realized something was very wrong.

While those two specific issues were pinpointed as the source of the attack, the report finds that the intrusion was allowed to happen because the IT operation at Equifax had grown far too large far too fast, without a clear management structure or coherent policies across various departments.

Lousy IT security by design

“In 2005, former Equifax CEO Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, IT systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks,” the committee found.

“In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing ‘almost 1,200 times’ the amount of data held in the Library of Congress every day.”

What’s more, the report notes that Equifax had been aware of these shortcomings for years, with internal audits that found problems in their software patching process back in 2015, and in both 2016 and 2017 a report from MSCI Inc. rated Equifax network security as a “zero out of ten.”

A 2015 audit found that ACIS, a Solaris environment that dated back to the 1970s, was not properly walled off from other databases, a fault that allowed the attackers to access dozens of systems they would not have otherwise been able to get to.

“Although the ACIS application required access to only three databases within the Equifax environment to perform its business function, the ACIS application was not segmented off from other, unrelated databases,” the report noted.

“As a result, the attackers used the application credentials to gain access to 48 unrelated databases outside of the ACIS environment.”

After the pwning of its servers was revealed Equifax blamed its woes on an IT staffer who hadn’t installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax’s failings than this one scapegoat.

To help prevent similar attacks from occurring, the report recommends a number of additional requirements for credit reporting agencies to tell people what information is being gathered, how it is stored, and who it is shared with. The report also suggests moving away from social security numbers as personal identifiers and recommends that companies in the finance and credit sectors be pushed to modernize their IT structure. ®

Source: Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory • The Register