Ukraine energy utilities attacked again with open source Trojan backdoor

Battered Ukrainian electricity utilities are being targeted with backdoors in attacks possibly linked to those fingered for recent blackouts.

The phishing attacks are attempting to get backdoors installed on utility company computers using techniques similar to those seen in the BlackEnergy attacks.

BlackEnergy ripped through Ukrainian utilities in what is largely considered the cause of mass power outages on 23 December in the Prykarpattya Oblenergo and Kyivoblenergo utilities.

Power was cut to some 80,000 customers for six hours, and Ukraine’s national security service has pointed the finger at the Kremlin.

Now the utilities are being served malicious Microsoft XLS files, which attempt to execute the open source GCat backdoor, a technique that has been used in many other attacks.

ESET threat man Robert Lipovsky says users are urged to execute macros and will be served with a Trojan downloaded from a remote server. “This backdoor is able to download executables and execute shell-commands,” Lipovsky says.

“Other GCat backdoor functionality, such as making screenshots, keylogging, or uploading files, was removed from the source code.

“The backdoor is controlled by attackers using a Gmail account, which makes it difficult to detect such traffic in the network.”

Source: Ukraine energy utilities attacked again with open source Trojan backdoor

US spy chief’s personal accounts hacked

US spy chief James Clapper’s personal online accounts have been hacked, his office confirmed Tuesday, a few months after CIA director John Brennan suffered a similar attack.

Clapper’s Office of the Director of National Intelligence confirmed the hack but refused to provide details.

“We are aware of the matter and we reported it to the appropriate authorities,” spokesman Brian Hale told AFP.

A teen hacker who goes by “Cracka” claimed to have hacked Clapper’s home telephone and Internet accounts, his personal email, and his wife’s Yahoo email, online magazine Motherboard reported.

Source: US spy chief’s personal accounts hacked

How an IRS Employee Allegedly Stole $1 Million from Taxpayers

Few, if any, companies or government agencies store more sensitive personal information than the IRS, and consumers have virtually no insight into how that data is used and secured. But, as the results of a recent Justice Department investigation show, when you start poking around in those dark corners, you sometimes find very ugly things.

Beginning in 2008, a small group of people–including an IRS employee who worked in the Taxpayer Advocate Service section–worked a simple and effective scam that involved fake tax returns, phony refunds, dozens of pre-loaded debit cards, and a web of lies. The scheme relied upon one key ingredient for its success: access to taxpayers’ personal information. And it brought the alleged perpetrators more than $1 million.

The scam’s particulars are not unique. There have been a variety of similar operations that have come to light over the last few years, with IRS employees improperly accessing taxpayer records as part of a financial fraud or out of curiosity over what an athlete or actor makes. What sets this case apart is that the accused IRS employee, Nakeisha Hall, was tasked specifically with helping people who had been affected by some kind of tax-related identity theft or fraud.

From that position, Hall allegedly tapped in to the personal files of an untold number of taxpayers and used the data she found there to file false tax returns in those victims’ names. The returns would be set up in such a way that the “taxpayers” would be due refunds. Hall typically would request that refunds be put on debit cards issued by Bancorp Bank or another bank, according to an indictment issued by the Department of Justice in December. The debit cards would be mailed to addresses that Hall had access to, and then Hall’s alleged co-conspirators Jimmie Goodman and Abdullah Coleman would pick up the cards.

Source: How an IRS Employee Allegedly Stole $1 Million from Taxpayers | On the Wire

HTTPS Bicycle Attack – Obtaining Password lengths From TLS Encrypted Browser Requests

The HTTPS Bicycle attack can result in the length of personal and secret data being exposed from a packet capture of a user’s HTTPS traffic. For example, the length of passwords and other data (such as GPS co-ordinates) can be determined simply by analysing the lengths of the encrypted traffic. Some of the key observations of this attack are as below:

- Requires a packet capture containing HTTPS (TLS) traffic from a browser to a website
- The TLS traffic must use a stream-based cipher
- Can reveal the lengths of unknown data as long as the length of the rest of the data is known – this includes passwords, GPS data and IP addresses
- Packet captures from several years ago could be vulnerable to this attack, with no mitigation possible
- The real world impact is unknown, as there are several prerequisites that may be hard to fulfill

This leads us into interesting discussions on the resilience of passwords as a form of authentication method.

Source: HTTPS Bicycle Attack – Obtaining Passwords From TLS Encrypted Browser Requests | Websense
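The core of the Bicycle observation is arithmetic: a stream-style cipher preserves plaintext length, so once every field of a login request except the password is known, the record length gives the password length for free. The following added example (mine, not code from the Websense write-up) models that with a constructed login template and a constant per-record overhead, then shows why padding records to a fixed size (the mitigation later adopted in TLS 1.3) removes the leak. The template, username, password and 16-byte overhead are all constructed values for illustration.

```python
"""Model of the HTTPS Bicycle length leak and its padding mitigation.

Added example, not taken from the Websense article. The cipher is modelled
as length-preserving: ciphertext length = plaintext length + fixed overhead.
"""

# Constructed request body the observer is assumed to know from the public
# login form; only the password value is unknown to them.
LOGIN_TEMPLATE = "username={user}&password={password}&remember=on"

# Constructed per-record overhead (MAC / AEAD tag), in bytes.
RECORD_OVERHEAD = 16


def record_length(plaintext: bytes, overhead: int = RECORD_OVERHEAD) -> int:
    """Length of one TLS record under a length-preserving (stream) cipher."""
    return len(plaintext) + overhead


def encrypted_login_length(user: str, password: str) -> int:
    """What a passive observer sees on the wire for one login POST body."""
    body = LOGIN_TEMPLATE.format(user=user, password=password).encode()
    return record_length(body)


def infer_password_length(observed_len: int, user: str,
                          overhead: int = RECORD_OVERHEAD) -> int:
    """Subtract everything that is known; the remainder is the password length."""
    known = LOGIN_TEMPLATE.format(user=user, password="").encode()
    return observed_len - overhead - len(known)


def padded_record_length(plaintext: bytes, block: int = 256,
                         overhead: int = RECORD_OVERHEAD) -> int:
    """Mitigation: pad the plaintext up to a multiple of `block` bytes before
    encryption, so every short request produces the same record length."""
    padded = -(-len(plaintext) // block) * block  # ceiling division
    return padded + overhead


def padded_login_length(user: str, password: str) -> int:
    body = LOGIN_TEMPLATE.format(user=user, password=password).encode()
    return padded_record_length(body)


if __name__ == "__main__":
    seen = encrypted_login_length("alice", "hunter2")
    print("observed record length:", seen)
    print("inferred password length:", infer_password_length(seen, "alice"))
    print("padded length, short password:", padded_login_length("alice", "hunter2"))
    print("padded length, long password:",
          padded_login_length("alice", "correcthorsebatterystaple"))
```

The two padded lengths come out identical, which is exactly the property the unpadded stream cipher lacks; note that padding only hides lengths within one block, so a very long secret still leaks which block it falls into.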

Silent Circle Blackphone Icera Modem Security Patch

SentinelOne director of mobile research Tim Strazzere said he found an open socket accessible on the phone that the agps_daemon, a system-level shell, is able to communicate with:

    shell@blackphone:/dev/socket $ ls -l at_pal
    srw-rw-rw- radio system 2015-07-31 17:51 at_pal

The vulnerability, CVE-2015-6841, is specific to the modem used by the Blackphone, the Icera modem developed by nVidia. The manufacturer announced in May it was discontinuing its Icera softmodem business.

Strazzere said that an attacker could use a malicious app, or chain together a Stagefright-type exploit with this vulnerability, to send commands to the phone’s radio.

The result poses a number of privacy and security woes for victims; an attacker could enable call forwarding, mute the phone, or send and read SMS messages all without leaving a trace on the device.

Source: Silent Circle Blackphone Icera Modem Security Patch | Threatpost | The first stop for security news

Time Warner Cable says up to 320,000 customers’ data may have been stolen

Time Warner Cable Inc said on Wednesday up to 320,000 customers may have had their email passwords stolen.

The company said email and password details were likely gathered either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored Time Warner Cable’s customer information, including email addresses.

Source: Time Warner Cable says up to 320,000 customers’ data may have been stolen

Checkpoint chap’s hack whacks air-gaps flat

The Israel-based duo pried apart and compromised KVM (keyboard video mouse) units such that they could download malware and compromise attached computers.

The attack, demonstrated at the Chaos Communications Congress in Hamburg last month, is notable because KVMs are used to control multiple machines. A compromised unit would not be immediately suspicious to most admins and could compromise all computers that attach to it, using those with internet links to stay updated and exfiltrate data.

The KVM would download malware from an internet-connected machine and pass it into the unit’s memory.

Source: Checkpoint chap’s hack whacks air-gaps flat

Microsoft failed to warn victims of Chinese email hack

Microsoft Corp (MSFT.O) experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular – but it decided not to tell the victims, allowing the hackers to continue their campaign, according to former employees of the company.

Source: Microsoft failed to warn victims of Chinese email hack: former employees

This poor policy is what you get when there is no legal framework requiring disclosure.

Feds widen probe into lottery IT boss who rooted game for profit

37 US states could have been scammed by rogue security guy

In July, Eddie Tipton, 52, was found guilty of installing a rootkit in the MSLA’s random-number generating computer that allowed him to predict the digits for future winning tickets. He also tampered with security cameras to cover up his time at the keyboard, the court heard.

Tipton was sentenced to ten years in prison after CCTV caught him buying a $16.5m winning ticket in the Iowa state lottery. He is free on bail while appealing his conviction.

Meanwhile, investigators claim that three other state lotteries in Colorado, Wisconsin, and Oklahoma also report paying out prizes worth $8m to people associated with Tipton.

Source: Feds widen probe into lottery IT boss who rooted game for profit

RayZone InterApp: The Gadget That Can Spy on Any Smartphone

InterApp can allow its operators to break into nearby smartphones that have their WiFi connection open, and then, employing a diverse arsenal of security vulnerabilities, gain root permission on devices and exfiltrate information to a tactical server.

According to Rayzone, InterApp can steal a user’s email address password and content, passwords for social networking apps, Dropbox passwords and files, the user’s phone contact list, and his photo gallery.

Additionally, the gadget can also acquire the phone’s previous geographical locations and plot them on a map, IMEI details, MSISDN data, MAC address, device model, OS info, and personal information on the target, such as gender, age, address, education, and more.

Source: InterApp: The Gadget That Can Spy on Any Smartphone

Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion.

The flaws allow attackers who log into any account (including a universal demonstration account) to log into any of the 360,000 units ThinkRace claims it sold, without need of a password.

Source: Hundreds of thousands of engine immobilisers hackable over the net

Basically he increments the cookie.

AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products

The security bug relates to the fact that the AVG antivirus creates a memory space with full RWX (read-write-execute) privileges where it normally runs. For that particular version of the AVG antivirus, this memory space was not randomized and was often shared with other applications, like, for example, Acrobat Reader or the enSilo product that collided with the antivirus.

If an attacker knew about the antivirus’ predictable behavior and where this address space was, they could force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level).

Source: AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products
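The defect described above is a general class (a writable-and-executable region at a predictable, shared address), and it is cheap to check a system for regions that are both writable and executable. The following added example is mine, not code from enSilo or any of the vendors named; it parses Linux `/proc/<pid>/maps`-style lines as the closest portable analogue of the Windows memory layout the article discusses, and flags every RWX mapping, treating shared (`s`) RWX mappings as the most serious because, as in the AVG case, they are reachable from other processes. The sample mapping lines are constructed, not output from any real product.

```python
"""Flag writable+executable (RWX) memory mappings from /proc/<pid>/maps text.

Added example; the Linux maps format stands in for the Windows case in the
article. Sample lines below are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: two ordinary mappings, one private RWX region and one
# shared RWX region backed by a shared-memory file.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a21000 r-xp 00000000 08:01 1234 /usr/bin/example
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
00400000-00500000 rwxp 00000000 00:00 0
7f3a12000000-7f3a12010000 rwxs 00000000 00:05 98765 /dev/shm/shared_region
"""

# address range, perms, offset, dev, inode, optional path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


def parse_maps(text: str) -> List[Dict]:
    """Turn maps text into dicts with integer addresses and a perms string."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # skip anything that is not a mapping line
        start, end, perms, _offset, _dev, _inode, path = m.groups()
        mappings.append({
            "start": int(start, 16),
            "end": int(end, 16),
            "perms": perms,
            "shared": perms[3] == "s",
            "path": path or "[anonymous]",
        })
    return mappings


def find_rwx(mappings: List[Dict]) -> List[Dict]:
    """Every mapping that is readable, writable and executable at once."""
    return [m for m in mappings if m["perms"].startswith("rwx")]


def find_shared_rwx(mappings: List[Dict]) -> List[Dict]:
    """RWX regions that are also shared, i.e. writable from another process."""
    return [m for m in find_rwx(mappings) if m["shared"]]


def report(text: str) -> List[str]:
    """Human-readable findings, one line per RWX mapping."""
    lines = []
    for m in find_rwx(parse_maps(text)):
        severity = "HIGH (shared)" if m["shared"] else "MEDIUM (private)"
        lines.append(f"{severity}: {m['start']:#x}-{m['end']:#x} "
                     f"{m['perms']} {m['path']}")
    return lines


if __name__ == "__main__":
    # To inspect a live process, read /proc/<pid>/maps instead of SAMPLE_MAPS.
    for finding in report(SAMPLE_MAPS):
        print(finding)
```

Whether a flagged region is also at a fixed address is a question of comparing its start across several process launches; the scan above only tells you where to look.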

77000 Valve accounts get hacked per month

We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.

Source: News – Security and Trading

Hilton hotels hit by cyber attack

US hotel chain Hilton revealed Tuesday that hackers infected some of its point-of-sale computer systems with malware crafted to steal credit card information.

Hilton would not disclose whether data was taken, but advised anyone who used payment cards at Hilton Worldwide hotels between November 18 and December 5 of last year or April 21 and July 27 of this year to watch for irregular activity on credit or debit card accounts.

Malicious code that infected registers at hotels had the potential to take cardholders’ names along with card numbers, security codes and expiration dates, Hilton said in an online post.

Source: Hilton hotels hit by cyber attack

samyk/magspoof · GitHub

- Allows you to store all of your credit cards and magstripes in one device
- Works on traditional magstripe readers wirelessly (no NFC/RFID required)
- Can disable Chip-and-PIN (code not included)
- Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
- Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
- Easy to build using Arduino or other common parts

MagSpoof is a device that can spoof/emulate any

Source: samyk/magspoof · GitHub

U.S. charges three for JPMorgan and other hacks, 10s of millions of customer records stolen, 100s of millions profit

U.S. prosecutors on Tuesday unveiled criminal charges against three men accused of running a sprawling computer hacking and fraud scheme that included a huge attack against JPMorgan Chase & Co and generated hundreds of millions of dollars of illegal profit.

Source: U.S. charges three in huge cyberfraud targeting JPMorgan, others

Mimic, the Evil Script That Will Drive Programmers To Insanity

Mimic implements a devilishly sick idea floated on Twitter by Peter Ritchie: “Replace a semicolon (;) with a Greek question mark (;) in your friend’s C# code and watch them pull their hair out over the syntax error.” There are quite a few characters in the Unicode character set that look, to some extent or another, like others – homoglyphs. Mimic substitutes common ASCII characters for obscure homoglyphs. Caution: using this script may get you fired and/or beaten to a pulp.

Source: Mimic, the Evil Script That Will Drive Programmers To Insanity – Slashdot
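The sensible response to Mimic is a pre-commit or CI check that refuses source files containing non-ASCII characters whose compatibility form is an ASCII character, which is exactly how the Greek question mark (U+037E) relates to the semicolon. The following added example is mine, not part of the Mimic project; it scans a constructed C#-like snippet, names every suspicious character with its Unicode name and code point, and offers a normaliser that restores the ASCII form where one exists and reports the rest for manual review.

```python
"""Detect and undo ASCII-lookalike (homoglyph) substitutions in source text.

Added example, independent of the Mimic script. The source snippet below is
constructed; its second line ends in U+037E GREEK QUESTION MARK, not ';'.
"""
import unicodedata
from typing import Dict, List, Tuple

SOURCE_WITH_HOMOGLYPH = "int x = 1;\nint y = 2\u037e\n"


def find_confusables(text: str) -> List[Dict]:
    """List every non-ASCII character with position, name and NFKC form.

    NFKC maps compatibility characters (e.g. U+037E) onto their ASCII
    counterparts; a character whose NFKC form is still non-ASCII (such as
    Cyrillic 'а') is reported with nfkc_ascii=False so a human can judge it.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) < 128:
                continue
            nfkc = unicodedata.normalize("NFKC", ch)
            findings.append({
                "line": lineno,
                "col": col,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "UNKNOWN"),
                "nfkc": nfkc,
                "nfkc_ascii": nfkc.isascii(),
            })
    return findings


def normalize_source(text: str) -> Tuple[str, List[str]]:
    """Replace characters with an ASCII compatibility form; return the cleaned
    text plus the code points that could not be resolved automatically."""
    out = []
    unresolved = []
    for ch in text:
        if ord(ch) < 128:
            out.append(ch)
            continue
        nfkc = unicodedata.normalize("NFKC", ch)
        if nfkc.isascii():
            out.append(nfkc)
        else:
            out.append(ch)
            unresolved.append(f"U+{ord(ch):04X}")
    return "".join(out), unresolved


if __name__ == "__main__":
    for f in find_confusables(SOURCE_WITH_HOMOGLYPH):
        print(f"line {f['line']} col {f['col']}: {f['codepoint']} {f['name']}"
              f" -> {f['nfkc']!r}")
    cleaned, leftovers = normalize_source(SOURCE_WITH_HOMOGLYPH)
    print(cleaned, "unresolved:", leftovers)
```

A linter built on this should fail the build rather than silently rewrite, since the presence of such a character in code is itself the signal worth investigating.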

Tattling Kettles Help Researchers Crack WiFi Networks In London

Security researchers at Pen Test Partners have found a security vulnerability in the iKettle Wi-Fi Electric Kettle that allows attackers to crack the password of the WiFi network to which the kettle is connected. Researchers say that using this simple trick and information about iKettles, they drove around London, cracked home WiFi networks, and created a map of insecure WiFi networks across the city. The same researchers cracked a Samsung smart-fridge this summer to disclose Gmail passwords. If you have 6 minutes, there’s a YouTube video you can watch.

Source: Tattling Kettles Help Researchers Crack WiFi Networks In London – Slashdot