Tag: hacker

Heartbleed hacker arrested

The first cracker to use the untraceable Heartbleed bug to steal data from the Canadian taxman has had his collar fingered by the Mounties.

Inspector Knacker of the London Yard arrested a 19-year-old man and charged him in connection with the attack.

The Canada Revenue Agency (CRA) said this week that about 900 social insurance numbers and possibly other data had been compromised because of an attack on its site.

Stephen Solis-Reyes faces criminal charges of unauthorized use of computer and mischief in relation to data.

Inspector Knacker confirmed in a statement that Solis-Reyes, allegedly, was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug.

They have seized Solis-Reyes's computer equipment and scheduled his first court appearance for July 17, 2014.

Security experts have warned that more attacks will follow until companies update their software.

Solis-Reyes, a student at Western University, is the son of Roberto Solis-Oba who teaches computer science at Western.

According to his lawyer he is an A student and a very, very bright young man. Apparently the kid is too emotional to speak about the charges against him and police haven’t told him anything, either. So far no-one has seen the evidence.

Contrary to earlier reports, Solis-Reyes voluntarily turned himself in to police on Tuesday after officers threatened to arrest him in the middle of one of his classes. Days earlier, Mounties had served a warrant at Solis-Reyes's house at 1AM but left without advising him of any charge.

The CRA temporarily shut down some access to its website late on April 8 in response to security concerns about the Heartbleed bug. This security flaw in its website encryption left it vulnerable to hackers. 

Google pushes sites to encrypt

Google might tweak its search algorithm in favour of encrypted sites in a bid to encourage better security across the web.

Matt Cutts, an engineer in charge of liaising with website designers and minimizing spam in search, said that if everyone adopted encryption it would make it harder for third parties to spy on Internet users. Speaking at the SMX West conference in California, he said that encouraging encryption was important, because once sites had been hacked “We don’t have the time to maybe hold your hand and walk you through and show you exactly where it happened.”

It appears that Google’s discussions on changing the algorithm are at an early stage and Cutts is a major evangelist for the idea. Officially, Google said it has nothing to announce.

Google uses its search algorithm to encourage and discourage practices among web developers.

For example, sites known to have malicious software are penalised in rankings as are those that load very slowly. In total, the company has over 200 “signals” that help it determine search rankings, most of which it does not discuss.

If Google adds encryption to the list, it would give websites a big incentive to adopt it more widely.

However, the first sites to adopt it will be those dodgy sites which are designed to game Google, rather than those which provide good content.

Google has been encrypting more of its services in recent years, including Gmail and Google Search. It encrypted traffic between its data centres after revelations that the NSA was exploiting vulnerabilities in Google’s infrastructure.

Of course, all this depends on the encryption working. This week it was revealed that a popular encryption library, known as OpenSSL, contained a bug that could allow hackers to attack a network and take personal information without leaving a trace.

Windows XP is finally a Norwegian Blue

Software giant Microsoft has finally pulled the plug on its most successful product and said that it will not support Windows XP any more.

The end of support for Windows XP means millions of machines worldwide are at risk from security threats. The writing has been on the wall for XP for years. However, Microsoft has been unsuccessfully trying to wean its users off their addiction to the OS. The latest figures show that nearly a quarter of the world's PCs still run XP.

It has been a pretty long run. The operating system was released to manufacturing on August 24, 2001 and development was started in the late 1990s.

Prototype code was codenamed "Neptune" and was an operating system built on the Windows NT kernel which was intended for consumers. An updated version of Windows 2000 was also originally planned for the business market. In January 2000, both projects were shelved in favour of a single OS codenamed "Whistler". This meant that the OS could be used in both business and consumer environments.

It introduced a significantly redesigned graphical user interface and was the first version of Windows to use product activation in an effort to reduce software piracy. Given it was pirated to oblivion, you see how that worked out.

Windows XP also proved to be popular among users; by January 2006, over 400 million copies of Windows XP were in use, and it remained the most widely used operating system until August 2012, when Windows 7 overtook it.

The much-extended deadline falls on the same day as Patch Tuesday, giving Vole a chance to release updates for the platform. However, after that there will be no more updates for those without custom support.

One of those with a custom support agreement is the UK government, which has paid Vole £5.5 million to keep public sector organisations covered. The Dutch government also signed a similar deal.

For the rest of the world it will be a great time to target XP systems because there will be no protection short of virus checkers. 

Cyber criminals capture 25,000 Unix servers

Security boffins at ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing as well as other agencies, have found a cybercriminal campaign that has taken control of over 25,000 Unix servers worldwide.

Dubbed "Operation Windigo", it has resulted in infected servers sending out millions of spam emails which are designed to hijack servers, infect the computers that visit them, and steal information.

cPanel and kernel.org have already been identified as victims.

ESET’s security research team published a detailed technical paper, presenting the findings of the team’s investigations and malware analysis. The paper also provides guidance on how to find out if your systems are affected and instructions for removing the malicious code.

The sheer size and complexity of the operation has remained largely unrealised by the security community which has been too busy trying to work out how to keep the US NSA out.

Windigo has been building for over two and a half years, and currently has 10,000 servers under its control.

ESET security researcher Marc-Étienne Léveillé said that the botnet sends out more than 35 million spam messages every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk.

“Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.”

Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are typically served adverts for dating sites. iPhone owners are redirected to online porn.

It could be more serious. More than 60 percent of the world’s websites are running on Linux servers, and many more might not be aware that they have been hacked. 

US indicts three hackers

Three men accused of being members of an international cybercrime ring that tried to steal at least $15 million by hacking into U.S. customer accounts at 14 financial institutions and the Department of Defence’s payroll service, have been indicted.

Oleksiy Sharapka, 33, and Leonid Yanovitsky, 39, both of Kiev, Ukraine; and Richard Gundersen, 47, of Brooklyn, New York, were each indicted on charges of conspiracy to commit wire fraud, conspiracy to commit access device fraud and identity theft, and aggravated identity theft.

The trio were among eight charged.

According to US Attorney Paul Fishman, the gang hacked into accounts belonging to customers of Aon Hewitt, Automatic Data Processing, Citibank NA, PayPal, Electronic Payments, E*Trade, Fundtech Holdings, iPayment, JPMorgan Chase Bank, Nordstrom Bank, TD Ameritrade, TIAA-CREF, USAA, Veracity Payment Solutions, and the Defense Department's finance and accounting service.

The court will hear how the men gained unauthorised access to networks, diverting customer funds to bank accounts and pre-paid debit cards, employing “cashers” to make ATM withdrawals and fraudulent purchases in Georgia, Illinois, Massachusetts, New York and elsewhere.

They then used stolen identities to file false tax returns seeking refunds with the Internal Revenue Service.

The caper ran from March 2012, after Sharapka had been deported having served nearly 7-1/2 years in prison in Massachusetts, until around June 2013.

Prosecutors said Sharapka ran the conspiracy with help from Yanovitsky, and Gundersen helped move fraud proceeds. Each faces up to 20 years in prison on the wire fraud conspiracy count.

The Ukrainian defendants have not been captured yet. Gundersen was expected to answer the charge in court later.

Charges against one of the other defendants, Ilya Ostapyuk of Brooklyn, were dismissed in September, court records show. The other four defendants either pleaded guilty or still face charges, a spokesman for Fishman said. 

Brit arrested for breaking into Federal Reserve

A British bloke with the unfortunate name of Lauri Love has been charged with hacking into computer servers belonging to the US Federal Reserve, and then widely disclosing personal information of people who use them.

Love was cuffed in Blighty four months ago and accused by US and British authorities of hacking into various U.S. government computer systems, including those run by the military.

The Suffolk resident, who is in his late 20s, worked with other hackers from October 2012 to February 2013 to infiltrate the Federal Reserve's system.

Love used a SQL injection to access names, email addresses and phone numbers, and then posted the stolen information to a website he had taken control of in an earlier hack.

Love boasted about his activity in a chatroom under names such as “peace” and “Smedley Butler,” once saying he planned to “drop another little federal reserve bomb,” meaning he would disclose confidential information.

US Attorney Preet Bharara philosophically defined Love as a sophisticated hacker; however, it is not clear how much data was actually nicked.

Love is charged with one count each of computer hacking and aggravated identity theft. If he is extradited to the US he could face a decade in prison on the hacking charge and another two years on the identity theft charge.

Love has entered no plea, which sounds like it should be an internet meme on Facebook. 

Hackers go for speech recognition in Chrome

Hackers have worked out a way to use the speech recognition in Chrome to spy on you.

Apparently, the method involves switching on your microphone using bugs in the Chrome browser.

The exploit was discovered by developer Tal Ater who found it while working on annyang, a popular JavaScript Speech Recognition library.

This allowed him to find multiple bugs in Chrome, and to come up with an exploit which combines all of them.

He reported the exploit to Google's security team in private on September 13. By September 19, their engineers had identified the bugs and suggested fixes. On September 24, a patch which fixes the exploit was ready, and three days later his find was nominated for Chromium's Reward Panel.

But time passed, and the fix didn't make it to users' desktops. A month and a half later, Ater asked the team why the fix had not been released. Their answer was that there was an ongoing discussion within the Standards group to agree on the correct behaviour: "Nothing is decided yet."

Four months later Google is still waiting for the Standards group to agree on the best course of action, and your browser is still vulnerable.

As it stands, all it takes is for a user to visit a site that uses speech recognition to offer some cool new functionality.


The Demonoid is nearly back from the dead

The Demonoid tracker came back online today after a year of being offline.

The tracker is linked to nearly 400,000 torrent files and more than a million peers, which makes it one of the largest working BitTorrent trackers on the Internet.

It is still not completely ready for prime time but the people behind it say they are working to revive one of the most famous file-sharing communities.

Demonoid was one of the single largest semi-private BitTorrent trackers that ever existed, with millions of file sharers. It was killed off in August 2012 because of technical difficulties.

Two months ago, the site owners put up a notice suggesting that they were planning to restore Demonoid to its former glory.

Today the site's tracker was revived, and at the time of writing the tracker is coordinating the communications of 1.3 million people scattered across 388,321 torrent files.

Overnight Demonoid has instantly settled itself among the five largest BitTorrent trackers on the Internet.

Demonoid has traded in its Ukrainian provider for one in Sweden.

It is not clear if Demonoid users can still use their old accounts, as the database may have been hacked.

According to Torrent Freak, the tracker that was revived today uses Demonoid's original .com domain.

Aussie teen hacker arrested for helping government

An Aussie teen hacker is regretting helping a government website fix a security hole after the company in charge of the site reported him to the fuzz.

Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who bought stuff through the Metlink web site run by the Transport Department.

The site was important because it is the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site.

According to The Age newspaper Rogers contacted the site after Christmas to report the vulnerability but never got a response. He decided to call The Age and when a hack rang the Transportation Department for comment, it reported Rogers to the police.

The paper did not say how Rogers accessed the database, but says it was a doddle. It was probably a SQL injection vulnerability, as this is the tool of choice to breach web sites and gain access to backend databases.

The Aussie police have a history of slapping the cuffs on people who reveal security vulnerabilities. In 2011, Patrick Webster suffered a similar consequence after reporting a website vulnerability to First State Super, an Australian investment firm that managed his pension fund.

Webster was arrested after he wrote a script to download about 500 account statements to prove to First State that its account holders were at risk. First State responded by reporting him to police and demanding access to his computer to make sure he’d deleted all of the statements he had downloaded.

Rogers said that the police have not contacted him and that he only learned he had been reported to the police from the journalist who wrote the story for The Age.

Still he is probably regretting doing the decent thing and reporting the flaw. 

Huawei products do have backdoors

Der Spiegel hack and hacker Jacob Appelbaum has found proof that products made by the Chinese outfit Huawei do have backdoors to allow access for spying.

This was the central reason why US Senators banned Huawei from taking US government projects claiming that the company was a tool of the Chinese military.

The only problem was that the backdoors being placed in the Huawei gear were put there because US spooks wanted to spy on everyone and the Chinese outfit was just doing what it was told.

A bit on the nose really to do what you are told by US spooks and then lose your contracts because you are following their security instructions.

Appelbaum found that if any company tried to use traditional and reliable US companies, because they feared Chinese intrusion, they would find the same backdoor installed.

Talking to the 30th Chaos Computer Club conference in Hamburg, Germany, Appelbaum presented a snapshot of dozens of zero-day exploits used to spy on both US citizens and foreigners.

It looks like the NSA can use zero-day exploits to spy on communications passing through the switches and routers of all the world's largest networking vendors: Dell, Cisco, Juniper Networks and Huawei.

Dell and HP servers have a backdoor, as do smartphones from Apple and Samsung.

Appelbaum dubbed the companies collaborators with the spooks who had left their customers vulnerable.

“Fuck them for collaborating, and for leaving us vulnerable,” he said. He hoped that by naming and shaming them they would close the backdoors on the spooks.

Apparently the backdoor is in the server hardware systems at the BIOS level.

The NSA’s documents boast that these exploits work across servers running the Microsoft Windows, Linux, FreeBSD and even Sun Solaris operating systems.

This gives away the spooks' cunning plan. After all, how many people in Al Qaida are using Solaris? Appelbaum asked the crowd.

Dell's best-selling PowerEdge servers (1850, 2850, 1950, 2950) all feature a vulnerability that allows the NSA to put spyware into the BIOS using either remote access or by inserting a USB drive.

A related NSA exploit, dubbed GODSURGE, uses a JTAG debugging interface in the Dell PowerEdge 1950 and 2950. A JTAG debugging interface is usually used to test the BIOS/firmware for bugs, but it can also be used to reflash the BIOS from scratch.

HP's Proliant 380DL G5 server can be opened using IRONCHEF, which extracts data from the server using two-way RF communication.

The NSA has also developed an exploit for tapping Apple's iPhone called DROPOUTJEEP and another for Vole's Windows Phone called TOTEGHOSTLY, Appelbaum said.