Category Archives: cyberattacks

It’s official: North Korea is behind WannaCry

Thomas P. Bossert, Trump’s Homeland Security Advisor, writes: Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.

The attack spread indiscriminately across the world in May. It encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes. While victims received ransom demands, paying did not unlock their computers. It was cowardly, costly and careless. The attack was widespread and cost billions, and North Korea is directly responsible.

We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government. [Continue reading…]

Last May, Quinn Norton wrote: The story of WannaCry (also called Wcry and WannaCrypt) begins somewhere before 2013, in the hallways of the National Security Agency, but we can only be sure of a few details from that era. The NSA found or purchased the knowledge of a flaw of Microsoft’s SMB V.1 code, an old bit of network software that lets people share files and resources, like printers. While SMB V.1 has long been superseded by better and safer software, it is still widely used by organizations that can’t, or simply don’t, install the newer software.

The flaw, or bug, is what people call a vulnerability, but on its own it’s not particularly interesting. Based on this vulnerability, though, the NSA wrote another program—called an exploit—which let them take advantage of the flaw anywhere it existed. The program the NSA wrote was called ETERNALBLUE, and what they used it to do was remarkable.

The NSA gave themselves secret and powerful access to a European banking transaction system called SWIFT, and, in particular, SWIFT’s Middle Eastern transactions, as a subsequent data-dump by a mysterious hacker group demonstrated. Most people know SWIFT as a payment system, part of how they use credit cards and move money. But its anatomy, the guts of the thing, is a series of old Windows computers quietly humming along in offices around the world, constantly talking to each other across the internet in the languages computers only speak to computers.

The NSA used ETERNALBLUE to take over these machines. Security analysts, such as Matthieu Suiche, the founder of Comae Technologies, believe the NSA could see, and as far as we know, even change, the financial data that flowed through much of the Middle East—for years. Many people have speculated on why the NSA did this, speculation that has never been confirmed or denied. A spokesperson for the agency did not immediately reply to The Atlantic’s request for an interview.

But the knowledge of a flaw is simply knowledge. The NSA could not know if anyone else had found this vulnerability, or bought it. They couldn’t know if anyone else was using it, unless that someone else was caught using it. This is the nature of all computer flaws.

In 2013 a group the world would know later as The Shadow Brokers somehow obtained not only ETERNALBLUE, but a large collection of NSA programs and documents. The NSA and the United States government hasn’t indicated whether they know how this happened, or if they know who The Shadow Brokers are. The Shadow Brokers communicate publicly using a form of broken English so unlikely that many people assume they are native English speakers attempting to masquerade themselves as non-native—but that remains speculative. Wherever they are from, the trove they stole and eventually posted for all the world to see on the net contained powerful tools, and the knowledge of many flaws in software used around the world. WannaCry is the first known global crisis to come from these NSA tools. Almost without a doubt, it will not be the last.

A few months ago, someone told Microsoft about the vulnerabilities in the NSA tools before The Shadow Brokers released their documents. There is much speculation about who did this, but, as with so many parts of this story, it is still only that—speculation. Microsoft may or may not even know for sure who told them. Regardless, Microsoft got the chance to release a program that fixed the flaw in SMB V.1 before the flaw became public knowledge. But they couldn’t make anyone use their fix, because using any fix—better known as patching or updating—is always at the discretion of the user. They also didn’t release it for very old versions of Windows. Those old versions are so flawed that Microsoft has every reason to hope people stop using them—and not just because it allows the company to profit from new software purchases.

There is another wrinkle in this already convoluted landscape: Microsoft knew SMB V.1, which was decades old, wasn’t very good software. They’d been trying to abandon it for 10 years, and had replaced it with a stronger and more efficient version. But they couldn’t throw out SMB V.1 completely because so many people were using it. After WannaCry had started its run around the world, the head of SMB for Microsoft tweeted this as part of a long and frustrated thread:


The more new and outdated systems connect, the more chance there is to break everything with a single small change.

We live in an interconnected world, and in a strange twist of irony, that interconnectedness can make it difficult to change anything at all. This is why so many systems remain insecure for years: global banking systems, and Spanish telecoms, and German trains, and the National Health Service of the United Kingdom. [Continue reading…]


Uber concealed cyberattack that exposed 57 million people’s data

Bloomberg reports: Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing company ousted Joe Sullivan, chief security officer, and one of his deputies for their roles in keeping the hack under wraps.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card details, trip location info or other data were taken, Uber said.

At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. “We are changing the way we do business.” [Continue reading…]


British cybersecurity chief warns of Russian hacking

The New York Times reports: Russian hackers over the past 12 months have tried to attack the British energy, telecommunications and media industries, the government’s top cybersecurity official said Tuesday in a summary of a speech to be delivered on Wednesday.

The warning, by Ciaran Martin, chief of the National Cyber Security Center, is the strongest indication yet that Russian cyberattacks on Western governments and industries may be far more persistent than United States or British officials have previously acknowledged. [Continue reading…]


The world once laughed at North Korean cyberpower. No more

The New York Times reports: When North Korean hackers tried to steal $1 billion from the New York Federal Reserve last year, only a spelling error stopped them. They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled “foundation” as “fandation.”

Even so, Kim Jong-un’s minions still got away with $81 million in that heist.

Then only sheer luck enabled a 22-year-old British hacker to defuse the biggest North Korean cyberattack to date, a ransomware attack last May that failed to generate much cash but brought down hundreds of thousands of computers across dozens of countries — and briefly crippled Britain’s National Health Service.

Their track record is mixed, but North Korea’s army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to American and British security officials who have traced these attacks and others back to the North.

Amid all the attention on Pyongyang’s progress in developing a nuclear weapon capable of striking the continental United States, the North Koreans have also quietly developed a cyberprogram that is stealing hundreds of millions of dollars and proving capable of unleashing global havoc.

Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is already using its hacking capabilities for actual attacks against its adversaries in the West.

And just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyberpotential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose. [Continue reading…]


Ukraine cyberattack was meant to paralyze, not profit, evidence shows

The New York Times reports: The day started like most for Roman N. Klimenko, an accountant in Kiev who had just settled in at his desk, typing at a computer keyboard and drinking coffee. He was unaware that concealed within his tax preparation software lurked a ticking bomb.

That bomb soon exploded, destroying his financial data and quickly spreading through computer systems vital to Ukraine’s government — and beyond. The cyberattack, on Tuesday, was caused by a virus similar to one that wreaked global havoc less than two months ago.

Both had the appearance of hacker blackmail assaults known as ransomware attacks: screens of infected computers warn users their data will be destroyed unless ransoms are paid.

But in Ukraine’s case, a more sinister motive — paralysis of the country’s vital computer systems — may have been at work, cybersecurity experts said on Wednesday. And many Ukrainians cast their suspicions on Russia.

Cybersecurity experts based their reasoning partly on having identified the group of Ukrainian users who were initially and improbably targeted: tax accountants. [Continue reading…]


Cyber-attack on UK parliament: Russia is suspected culprit

The Guardian reports: The Russian government is suspected of being behind a cyber-attack on parliament that breached dozens of email accounts belonging to MPs and peers.

Although the investigation is at an early stage and the identity of those responsible may prove impossible to establish with absolute certainty, Moscow is deemed the most likely culprit.

The disclosure follows the release of the first details of the “sustained” cyber-attack that began on Friday. Fewer than 90 email accounts belonging to parliamentarians are believed to have been hacked, a parliamentary spokesman said.

Amid fears that the breach could lead to blackmail attempts, officials were forced to lock MPs out of their own email accounts as they scrambled to minimise the damage from the incident. [Continue reading…]


How NSA secrets helped cybercriminals mount a worldwide attack

The Washington Post reports: Computers around the world are suffering an attack from malicious software. The compromised computers have been hit by “ransomware” — software that encrypts the computer’s hard drive so that all the information on it is unavailable, and refuses to release it until a ransom is paid in Bitcoin, an online currency that is difficult to trace. Among the victims are FedEx, Britain’s National Health Service and computers belonging to Russia’s Ministry for the Interior.

Ransomware attacks have happened before. What is unusual is how quickly this attack is compromising large numbers of critical computers. It has been so successful because it has made use of a so-called “zero-day exploit” — a previously unknown flaw in Windows software that makes it easy to take control of vulnerable systems. This zero-day exploit became publicly known last month, when it was released as part of a treasure trove of NSA data by the “Shadow Brokers,” a shadowy group of hackers who many believe are associated with Russian intelligence. Criminal hackers appear to have combined this exploit with ransomware tools to mount a worldwide campaign. Here’s what you need to know to understand what happened. [Continue reading…]

The Guardian reports: An “accidental hero” has halted the global spread of the WannaCry ransomware, reportedly by spending a few dollars on registering a domain name hidden in the malware.

The ransomware has wreaked havoc on organizations including FedEx and Telefonica, as well as the UK’s National Health Service (NHS), where operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work.

However, a UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and activated a “kill switch” in the malicious software.

The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

“I saw it wasn’t registered and thought, ‘I think I’ll have that’,” he is reported as saying. The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second.

“They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember. [Continue reading…]


Here’s how easy it is to get Trump officials to click on a fake link in email

Gizmodo reports: Even technology experts can be insecure on the internet, as last week’s “Google Docs” phishing attack demonstrated. An array of Gmail users, including BuzzFeed tech reporter Joe Bernstein, readily handed over access to their email to a bogus app. Politicians should be especially wary of suspicious emails given recent events, yet a security test run by the Special Projects Desk found that a selection of key Trump Administration members and associates would click on a link from a fake address.

The Trump camp has talked a lot about cybersecurity—or “the cyber”—particularly to criticize Hillary Clinton for the risks posed by her private email server and to savor the damage done by hacks against the Democratic National Committee and Clinton campaign chairman John Podesta. Its own record, however, is less than sterling—in January, notably, after Trump named Rudolph Giuliani as a cybersecurity advisor, experts promptly discovered that the Giuliani Security corporate website was riddled with known vulnerabilities.

So, three weeks ago, Gizmodo Media Group’s Special Projects Desk launched a security preparedness test directed at Giuliani and 14 other people associated with the Trump Administration. We sent them an email that mimicked an invitation to view a spreadsheet in Google Docs. The emails came from the address security.test@gizmodomedia.com, but the sender name each one displayed was that of someone who might plausibly email the recipient, such as a colleague, friend, or family member.

The link in the document would take them to what looked like a Google sign-in page, asking them to submit their Google credentials. The URL of the page included the word “test.” The page was not set up to actually record or retain the text of their passwords, just to register who had attempted to submit login information.

Some of the Trump Administration people completely ignored our email, the right move. But it appears that more than half the recipients clicked the link: Eight different unique devices visited the site, one of them multiple times. There’s no way to tell for sure if the recipients themselves did all the clicking (as opposed to, say, an IT specialist they’d forwarded it to), but seven of the connections occurred within 10 minutes of the emails being sent.

At least the recipients didn’t go farther. Our testing setup—which included disclaimers for careful readers at each step—did not induce anyone to go all the way and try to hand over their credentials.

Two of the people we reached—informal presidential advisor Newt Gingrich and FBI director James Comey—replied to the emails they’d gotten, apparently taking the sender’s identity at face value. Comey, apparently believing that he was writing to his friend, Lawfareblog.com editor-in-chief Ben Wittes, wrote: “Don’t want to open without care. What is it?” And Gingrich, apparently under the impression he was responding to an email from his wife, Callista, wrote: “What is this?”

In both cases, we didn’t respond. In an actual phishing attack, the replies could have given the sender a chance to more aggressively put their targets at ease and lure them in. [Continue reading…]


Reports: Arrested Russian intel officer allegedly spied for U.S.

USA Today reports: A senior Russian intelligence officer and cybersecurity investigator arrested last month on treason charges allegedly was passing information to U.S. intelligence services, according to Russian media outlets.

Sergei Mikhailov, who worked for the FSB, the successor to the KGB, was arrested in December, along with Ruslan Stoyanov, a top manager for Russia’s largest cybersecurity firm, according to the economic newspaper Kommersant. Stoyanov was also charged with suspicion of treason.

In addition, two other people, including Major Dmitry Dokuchaev, also an FSB officer, were arrested in connection with the case, according to Russia’s REN-TV. The fourth person was not identified.

Stoyanov allegedly developed a program introduced into a prominent bank’s computer system to gather privileged information on customers, REN-TV reports. That information, it reports, was then sold to the West.

In another twist, Russian media says the FSB believes Mikhailov tipped U.S. intelligence about Vladimir Fomenko and his server rental company “King Servers.” The U.S. cybersecurity company Threat Connect identified King Servers last year as an “information nexus” used by hackers suspected of working for Russian intelligence in cyberattacks on electoral systems in Arizona and Illinois.

The Russian newspaper Novaya Gazeta says Mikhailov was arrested during an FSB meeting in early December when officers came into the room, put a bag over his head and took him away.

The cause of the arrests was not clear. The newspaper said only that the FSB discovered Mikhailov’s alleged involvement in the purported plot after the U.S. accused King Servers of the cyberattacks on the U.S. [Continue reading…]


Days before election, U.S. used secret hotline to ask Russia to halt cyber interventions

David Ignatius writes: The White House sent a secret “hotline”-style message to Russia on Oct. 31 to warn against any further cyber-meddling in the U.S. election process. Russia didn’t escalate its tactics as Election Day approached, but U.S. officials aren’t ready to say deterrence worked.

The previously undisclosed message was part of the high-stakes game of cyber-brinkmanship that has been going on this year between Moscow and Washington. How to stabilize this relationship without appearing to capitulate to Russian pressure tactics is among the biggest challenges facing President-elect Donald Trump.

The message was sent on a special channel created in 2013 as part of the Nuclear Risk Reduction Center, using a template designed for crisis communication. “It was a very clear statement to the Russians and asked them to stop their activity,” a senior administration official said, adding: “The fact that we used this channel was part of the messaging.”

According to several other high-level sources, President Obama also personally contacted Russian President Vladimir Putin last month to caution him about the disruptive cyberattacks. The senior administration official wouldn’t comment on these reports.

The private warnings followed a public statement Oct. 7 by Director of National Intelligence James Clapper and Secretary of Homeland Security Jeh Johnson charging that “Russia’s senior-most officials” had authorized cyberattacks that were “intended to interfere with the U.S. election process.” [Continue reading…]


How massive DDoS attacks are undermining the Internet

NBC News reports: Andrew Komarov of InfoArmor told NBC News he didn’t see any sign of Russian involvement at all, whether state or private [in the “denial of service,” or DDoS, attacks that caused massive internet outages across the U.S. on Friday]. He noted that the botnet used in the attack, “Mirai,” was developed by an English speaker and that he had found no link between “Mirai” and the Russians, who have their own much more sophisticated methods.

He said the attacks seemed more consistent with the methods used by the hacking group known as Lizard Squad, two of whose members, both teens, were arrested earlier this month in the U.S. and the Netherlands and charged in connection with DDoS attacks.

Said Komarov, “We have some context, that because of similar victims, using Dyn, and also tactics, tools and procedures by threat actors, it may be a revenge for the past arrests of DDoS’ers in the underground, happened several weeks ago.”

Dmitri Alperovitch of Crowdstrike also expressed doubt about a link to the Russian government, and speculated the attacks might have to do with a recent interview that cybersecurity expert Brian Krebs did with Dyn mentioning Russian organized crime. Alperovitch said use of a botnet bears the hallmark of a criminal rather than state attack, and the target may simply have been Dyn, not the U.S.

Flashpoint, a private cybersecurity and intelligence firm, noted that the Krebs site was attacked in September by a Mirai botnet, and the Krebs site was among those attacked Friday. The hacker who attacked Krebs in September released the source code on the web earlier this month, and hackers have copied the code to create their own botnets.

Flashpoint said it had concluded that the Friday attacks were not mounted by hacktivists, a political group or a state actor. [Continue reading…]

TechCrunch reports: In the past few weeks, hackers have upped the DDoS stakes in a big way. Starting with the attack on KrebsonSecurity.com and increasing in severity from there, hundreds of thousands of devices have been used to perpetrate these actions, a number that dwarfs previous attacks by orders of magnitude.

While it isn’t yet confirmed, evidence points to the attack that we saw on Friday morning following this same playbook, but being perpetrated on a much larger scale, relying on Internet of Things (IoT) devices rather than computers and servers to carry out an attack.

In fact, in all likelihood an army of surveillance cameras attacked Dyn. Why surveillance cameras? Because many of the security cameras used in homes and businesses around the world typically run the same or similar firmware produced by just a few companies.

This firmware is now known to contain a vulnerability that can easily be exploited, allowing the devices to have their sights trained on targets like Dyn. What’s more, many still operate with default credentials — making them a simple, but powerful target for hackers.

Why is this significant? The ability to enslave these video cameras has made it easier and far cheaper to create botnets at a scale that the world has never seen before. If someone wants to launch a DDoS attack, they no longer have to purchase a botnet—they can create their own using a program that was dumped on the internet just a few weeks ago. [Continue reading…]

The New York Times reports: Dale Drew, chief security officer at Level 3, an internet service provider, found evidence that roughly 10 percent of all devices co-opted by Mirai were being used to attack Dyn’s servers. Just one week ago, Level 3 found that 493,000 devices had been infected with Mirai malware, nearly double the number infected last month.

Mr. Allen added that Dyn was collaborating with law enforcement and other internet service providers to deal with the attacks.

In a recent report, Verisign, a registrar for many internet sites that has a unique perspective into this type of attack activity, reported a 75 percent increase in such attacks from April through June of this year, compared with the same period last year.

The attacks were not only more frequent, they were bigger and more sophisticated. The typical attack more than doubled in size. What is more, the attackers were simultaneously using different methods to attack the company’s servers, making them harder to stop.

The most frequent targets were businesses that provide internet infrastructure services like Dyn. [Continue reading…]

Brian Krebs reports: The attack on DYN comes just hours after DYN researcher Doug Madory presented a talk on DDoS attacks in Dallas, Texas at a meeting of the North American Network Operators Group (NANOG). Madory’s talk — available here on Youtube.com — delved deeper into research that he and I teamed up on to produce the data behind the story DDoS Mitigation Firm Has History of Hijacks.

That story (as well as one published earlier this week, Spreading the DDoS Disease and Selling the Cure) examined the sometimes blurry lines between certain DDoS mitigation firms and the cybercriminals apparently involved in launching some of the largest DDoS attacks the Internet has ever seen. Indeed, the record 620 Gbps DDoS against KrebsOnSecurity.com came just hours after I published the story on which Madory and I collaborated.

The record-sized attack that hit my site last month was quickly superseded by a DDoS against OVH, a French hosting firm that reported being targeted by a DDoS that was roughly twice the size of the assault on KrebsOnSecurity. As I noted in The Democratization of Censorship — the first story published after bringing my site back up under the protection of Google’s Project Shield — DDoS mitigation firms simply did not count on the size of these attacks increasing so quickly overnight, and are now scrambling to secure far greater capacity to handle much larger attacks concurrently. [Continue reading…]


CIA prepping for possible cyber attack against Russia

NBC News reports: The Obama administration is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election, U.S. intelligence officials told NBC News.

Current and former officials with direct knowledge of the situation say the CIA has been asked to deliver options to the White House for a wide-ranging “clandestine” cyber operation designed to harass and “embarrass” the Kremlin leadership.

The sources did not elaborate on the exact measures the CIA was considering, but said the agency had already begun opening cyber doors, selecting targets and making other preparations for an operation. Former intelligence officers told NBC News that the agency had gathered reams of documents that could expose unsavory tactics by Russian President Vladimir Putin.

Vice President Joe Biden told “Meet the Press” moderator Chuck Todd on Friday that “we’re sending a message” to Putin and that “it will be at the time of our choosing, and under the circumstances that will have the greatest impact.”

When asked if the American public will know a message was sent, the vice president replied, “Hope not.”

Retired Admiral James Stavridis told NBC News’ Cynthia McFadden that the U.S. should attack Russia’s ability to censor its internal internet traffic and expose the financial dealings of Putin and his associates. [Continue reading…]

And what better way to expose such information than by providing it to Wikileaks. Julian Assange can then demonstrate that he’s not a puppet of Putin’s — or risk being outed if it turns out his organization chooses not to release such material.

Wouldn’t that turn Wikileaks into a puppet of the U.S. government? Kind of — except Assange’s position is that it’s not his job to pass judgment on the motives of his sources. His commitment is to protect his sources and publish secrets.


Why the internet of things is the new magic ingredient for cyber criminals

John Naughton writes: Brian Krebs is one of the unsung heroes of tech journalism. He’s a former reporter for the Washington Post who decided to focus on cybercrime after his home network was hijacked by Chinese hackers in 2001. Since then, he has become one of the world’s foremost investigators of online crime. In the process, he has become an expert on the activities of the cybercrime groups that operate in eastern Europe and which have stolen millions of dollars from small- to medium-size businesses through online banking fraud. His reporting has identified the crooks behind specific scams and even led to the arrest of some of them.

Krebs runs a blog – Krebs on Security – which is a must-read for anyone interested in these matters. Sometimes, one fears for his safety, because he must have accumulated so many enemies in the dark underbelly of the net. And last Tuesday one of them struck back.

The attack began at 8pm US eastern time, when his site was suddenly hit by a distributed denial of service (DDoS) attack. This is a digital assault in which a computer server is swamped by trivial requests that make it impossible to serve legitimate ones. The attack is called a distributed one because the noxious pings come not from one location, but from computers located all over the world that have earlier been hacked and organised into a “botnet”, which can then direct thousands or millions of requests at a targeted server in order to bring it down. Think of it as a gigantic swarm of electronic hornets overwhelming a wildebeest.

DDoS attacks are a routine weapon in the cybercriminal’s armoury. They are regularly used, for example, to blackmail companies, which then pay a ransom to have the hornets called off. They’re a useful tool because it’s very difficult to pinpoint the individuals or groups that have assembled a particular botnet army. And in the past Krebs has had to deal with DDoS attacks that were probably launched by people who were not amused by the accuracy of his investigative reporting.

Last Tuesday’s attack was different, however – in two respects. The first was its sheer scale. It got so bad that even Akamai, the huge content delivery network that handles 15-30% of all web traffic, had to tell Krebs that it couldn’t continue to carry his blog because the attack was beginning to affect all its other customers. So he asked them to redirect all traffic heading for krebsonsecurity.com to the internet’s equivalent of a black hole. This meant that his site effectively disappeared from the web: a courageous and independent voice had been silenced. [Continue reading…]


David Vincenzetti: How the Italian mogul built a hacking empire

David Kushner reports: The Blackwater of surveillance, the Hacking Team is among the world’s few dozen private contractors feeding a clandestine, multibillion-dollar industry that arms the world’s law enforcement and intelligence agencies with spyware. Comprised of around 40 engineers and salespeople who peddle its goods to more than 40 nations, the Hacking Team epitomizes what Reporters Without Borders, the international anti-censorship group, dubs the “era of digital mercenaries.”

The Italian company’s tools — “the hacking suite for governmental interception,” its website claims — are marketed for fighting criminals and terrorists. But there, on Marquis-Boire’s computer screen, was chilling proof that the Hacking Team’s software was also being used against dissidents. It was just the latest example of what Marquis-Boire saw as a worrying trend: corrupt regimes using surveillance companies’ wares for anti-democratic purposes.

When Citizen Lab published its findings in the October 2012 report “Backdoors are Forever: Hacking Team and the Targeting of Dissent?” the group also documented traces of the company’s spyware in a document sent to Ahmed Mansoor, a pro-democracy activist in the United Arab Emirates. Privacy advocates and human rights organizations were alarmed. “By fueling and legitimizing this global trade, we are creating a Pandora’s box,” Christopher Soghoian, the principal technologist with the American Civil Liberties Union’s Speech, Privacy, and Technology Project, told Bloomberg.

The Hacking Team, however, showed no signs of standing down. “Frankly, the evidence that the Citizen Lab report presents in this case doesn’t suggest anything inappropriately done by us,” company spokesman Eric Rabe told the Globe and Mail.

As media and activists speculated about which countries the Italian firm served, the founder and CEO of the Hacking Team, David Vincenzetti — from his sleek, white office inside an unsuspecting residential building in Milan — took the bad press in stride. He joked with his colleagues in a private email that he was responsible for the “evilest technology” in the world.

A tall, lean 48-year-old Italian with a taste for expensive steak and designer suits, Vincenzetti has transformed himself over the past decade from an underground hacker working out of a windowless basement into a mogul worth millions. He is nothing if not militant about what he defines as justice: Julian Assange, the embattled founder of WikiLeaks, is “a criminal who by all means should be arrested, expatriated to the United States, and judged there”; whistleblower Chelsea Manning is “another lunatic”; Edward Snowden “should go to jail, absolutely.”

“Privacy is very important,” Vincenzetti says on a recent February morning in Milan, pausing to sip his espresso. “But national security is much more important.”

Vincenzetti’s position has come at a high cost. Disturbing incidents have been left in his wake: a spy’s suicide, dissidents’ arrests, and countless human rights abuses. “If I had known how crazy and dangerous he is,” Guido Landi, a former employee, says, “I would never have joined the Hacking Team.” [Continue reading…]


U.S. ratchets up cyber attacks on ISIS

The Daily Beast reports: President Obama confirmed for the first time last week that the U.S. is conducting “cyber operations” against ISIS, in order to disrupt the group’s “command-and-control and communications.”

But the American military’s campaign of cyber attacks against ISIS is far more serious than what the president laid out in his bland description. Three U.S. officials told The Daily Beast that those operations have moved beyond mere disruption and are entering a new, more aggressive phase that is targeted at individuals and is gleaning intelligence that could help capture and kill more ISIS fighters.

As the U.S. ratchets up its online offensive against the terror group, U.S. military hackers are now breaking into the computers of individual ISIS fighters. Once inside the machines, these hackers are implanting viruses and malicious software that allow them to mine their devices for intelligence, such as names of members and their contacts, as well as insights into the group’s plans, the officials said, speaking on condition of anonymity to describe sensitive operations.

One U.S. official told The Daily Beast that intelligence gleaned from hacking ISIS members was an important source for identifying key figures in the organization. In remarks at CIA headquarters in Langley, Virginia this week, Obama confirmed that cyber operations were underway and noted that recently the U.S. has either captured or killed several key ISIS figures, including Sulayman Dawud al-Bakkar, a leader of its chemical weapons program, and “Haji Iman,” the man purported to be ISIS’s second in command. [Continue reading…]


Google search technique aided N.Y. dam hacker in Iran

The Wall Street Journal reports: An Iranian charged with hacking the computer system that controlled a New York dam used a readily available Google search process to identify the vulnerable system, according to people familiar with the federal investigation.

The process, known as “Google dorking,” isn’t as simple as an ordinary online search. Yet anyone with a computer and Internet access can perform it with a few special techniques. Federal authorities say it is increasingly used by hackers to identify computer vulnerabilities throughout the U.S.

Hamid Firoozi, who was charged Thursday by federal prosecutors, stumbled onto the Bowman Avenue Dam in Rye Brook, N.Y., in 2013 by using the technique to identify an unprotected computer that controlled the dam’s sluice gates and other functions, said people briefed on the investigation. Once he identified the dam, he allegedly hacked his way in using other methods.

“He was just trolling around, and Google-dorked his way onto the dam,” one person familiar with the investigation said.

The search technique has been around for about 10 years, said cybersecurity experts, and is neither illegal nor always malicious. It is primarily used by “white hat hackers,” computer specialists who test an organization’s computer system for vulnerabilities, said Michael Bazzell, a former computer crime investigator for the Federal Bureau of Investigation. [Continue reading…]


FBI adds two Syrian hackers to its most-wanted list for cybercriminals

The Atlantic reports: In late April 2013, a tweet from the Associated Press claimed that a pair of explosions at the White House had injured President Barack Obama. Markets reacted nearly instantly, sending stocks plunging. But when, a short time later, Press Secretary Jay Carney told reporters there was no explosion, the market quickly righted itself.

The news organization’s Twitter account was hacked, it turned out. A group calling itself the Syrian Electronic Army claimed credit. In only a few minutes, their rogue tweet demonstrated the market-moving power of 140 characters sent from a credible source.

The Syrian Electronic Army has also defaced websites belonging to the U.S. Marines, Harvard University, and Human Rights Watch, as well as websites and Twitter feeds of other major news organizations like the BBC, CNN, and The Washington Post. The group’s members remained anonymous, going by pseudonyms like “The Shadow” and “The Pro.”

But on Tuesday, the Justice Department revealed the identity of three members of the group, charging them with computer hacking and placing two of them on the FBI’s “Cyber’s Most Wanted” list. The FBI is offering a $100,000 bounty for information leading to their arrest. [Continue reading…]


The cyberattack on Ukraine’s power grid is a warning of what’s to come

By Nilufer Tuptuk, UCL and Stephen Hailes, UCL

When more than 100,000 people in and around the Ukrainian city of Ivano-Frankivsk were left without power for six hours, the Ukrainian energy ministry accused Russia of launching a cyberattack on the country’s national energy grid.

Now reports released by security researchers from the SANS Industrial Control Systems team and the Industrial Control Systems Cyber Emergency Response Team confirm their belief that a cyberattack was responsible for the power cut, making the incident one of the first significant, publicly reported cyberattacks on civil infrastructure.

This is a rare event, of which the most famous example is the Stuxnet malware used to destroy equipment in the Iranian nuclear programme. Many consider Stuxnet so sophisticated that national governments must have been involved. But as is frequently the case, attributing responsibility for Stuxnet has proved difficult, and it’s likely that, despite circumstantial evidence, it will be the same in this case. While the Ukrainian Security Service (SBU) and the international press were quick to blame Russian state-backed hackers, Moscow has remained silent.

Continue reading
