12/03/2014

#sonyhack : more internal documents published

"In the documents viewed by Salted Hash, the sales items were for airing rights to various shows such as Dr. Oz, Judge Hatchett, Outer Limits, and Stargate, SG-1. The documents also disclose details related to syndication rights for sitcoms such as King of Queens, Seinfeld, and Rules of Engagement.

While internal sales data is bad enough, the data dump has the ability to make Sony's situation worse.

It includes an internal phone list and organizational chart, complete with names, titles, departments, phone extensions (with outside line dialing information) and cellular phone numbers. The phone list was created in 2009, but it covers the company sales teams in Los Angeles, Atlanta, Chicago, and New York. http://www.csoonline.com/article/2852982/data-breach/sale...

The full first package is only 25 GB ..... out of the 11 terabyte that was claimed first 

now they claim to have more than 100 terrabyte and they say they will continue to publish information 

but the files are old - which means that they probably have gotten an hold on backupservers (also) which is interesting because those are not always (very rarely in fact) encrypted and the access is not always controlled that strictly. It also explains why so much information could have left the company because it could be that a big filetransfer is totally normal in the backup process 

* hey jan what is this enormous surge in data traffic

* oh, it is the backup processes

* do we do a backup now ? 

* don't know have to ask the backup people, they change all the time when they do backups 

* okay, let's go on to the next incident, attack, malware 

Permalink | |  Print |  Facebook | | | | Pin it! |

#sonyhack : how northkoreans deny the hack with newsspeak that they have done it

"Reacting to the news that North Korea is behind the attacks, a person claiming to represent GOP told Salted Hash:

"We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state.

"Our aim is not at the film The Interview as Sony Pictures suggests. But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money.

"The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures."

http://www.csoonline.com/article/2853893/disaster-recover...

if you read it you will see that this is typical propaganda newsspeak tactics 

The action is not against the Film because the film is against North Korea but because it harms the regional peace because the dictator in North Korea is so mad about the film that he is capable of doing anything (saying that more attacks and even military incidents can be expected) and so the film harms regional peace and for this reason this film shouldn't have been made because is angers the great dictator. Sony should only have made films that the great dictator likes personally so he isn't so mad that he wants to turn his anger into a destructive attack - cyberwise or military 

so we can expect more such attacks, military incidents and threats from the Great Dictator in the coming weeks 

the only question is how the Chinese will respond or if they will try to calm it down

at the other side, don't be surprised if the film gets a limited distribution and only in specialised festivals and so on and if paychannels won't program it in their library 

with the same reasoning we shouldn't have made any film about Hitler and the Nazis because we would be afraid of his reaction and the same about Ukraine (even if we are holding the same discourse to the Ukraine people all the time, that they shouldn't anger Putin and should try to negotiate something with him instead of resisting)

Permalink | |  Print |  Facebook | | | | Pin it! |

#sonyhack: it came by the mail (and why don't we sandbox emailattachments ?)

"Once installed on the victim's system, by way of a malicious email attachment in most cases, the malware – called a wiper in some circles – will initiate a beacon and phone home.

The malware described by the FBI relies on hardcoded IP addresses (C&C servers) in Italy, Thailand, or Poland, and connect them on either port 8080 or 8000. The malware will attempt to make connections every 10 minutes to each of the IPs. If that fails, a two-hour sleep command is issued, after which the computer is shutdown and rebooted.

The memo warns that once the beacons start, the process of wiping the files has begun http://www.csoonline.com/article/2853893/disaster-recover...

this is like most of the APT attacks that are described are very 'professional attacks and code only available to ...blablablabla' 

but if you follow the same logical examination as any forensic investigation and you ask how the file came on the PC (even before asking yourself how it is possible that those workstations have so many administrative rights and so little protection .... behind that socalled firewall and other securitywalls) 

than the answer is in most cases always the same 

"it came as an attachment from the mail" or as a "download from a link in the mail" 

but why do we accept that these attachments in the mail are downloaded and placed on the computers or our internal networks ? Why don't we place them on a sandboxed server (with no connection to the internet or even the intranet) where people can open them, read them and eventually sanitize them before placing them on a server in the network (that you can secure much harder than the rest of your servers (for example no networkconnections for files). 

Ideally you should be able to let those files be analyzed every so many days by a number of antivirus, antimalware etc products and block all those where there are suspicions 

this would be the cheapiest solution that would in fact be very easy to set up and add to your mailserver and network. 

Permalink | |  Print |  Facebook | | | | Pin it! |

#sony attack : the destructive wiperware and more information coming out (links)

it is impossible to say who protects against the file because virustotal doesn't give any answer, nor on the MD5 nor on the filename

maybe this is done at the demand of the FBI to make it impossible for the attacker to discover which networks can be attacked easily because their antivirus isn't uptodate yet - even if in the other cases it doesn't mean that all the antiviruses on all the machines in the networks have updated libraries and protections 

it is also clear that this virus is generic, it isn't build for a specific machine or model or version, it just attacks all the boot processes so it makes it much harder to protect against and much more dangerous to protect against once it is inside your environment (because if it had been written specifically for a specific machine you could calculate how many more of such machines you had and where they were located and what was the risk of each machine and concentrate immediately on those that are of most value to the organisation, business or network) 

File: igfxtrayex.exe
Size: 249856 bytes (244.0 KB)
MD5: 760c35a80d758f032d02cf4db12d3e55
PE Compile Time: 2014-11-24 04:11:08
Language pack of resource section: Korean
http://it.slashdot.org/story/14/12/02/188233/fbi-wiper-ma...

normally the name of the software would have let it pass through process controls 

igfxtray.exe is a process which allows you to access the Intel Graphics configuration and diagnostic application for the Intel 810 series graphics chipset.This program is a non-essential system process, and is installed for ease of use via the desktop tray. http://www.processlibrary.com/en/directory/files/igfxtray...

the virusfile was uploaded yesterday to this sandbox (with connections to Tokio)

https://malwr.com/analysis/MWZkZjU4Mjc1ZTNlNDQzN2FkOWFhNW...

This file was already called malware in 2011 by this site (and it was attributed to the TRUECRYPT organisation but it isn't digitaly signed (well as long as such software can be placed into the boot or root of a pc without any digital signing we are just riding in the dark without lights - and if they were signed they have to be checked)

http://www.isthisfilesafe.com/md5/77EA9586C6D588386EE9C98...

virustotal has for this file an analysis  but some antiviruses didn't protect against it 

this was an 32bits version - one that shouldn't have worked in an 64bits environment 

2011 seems to be a very difficult year for the rootkit-bootkit developers as they have to migrate to 64bits :)

Permalink | |  Print |  Facebook | | | | Pin it! |

12/02/2014

meanwhile in Kobane (one pic that says enough)

Permalink | |  Print |  Facebook | | | | Pin it! |

Did North Korea send a digital atombomb at Sony and what is this destructware

The reason for the attack is political

"Yet the technology news site Re/code reported that Sony was investigating to determine whether hackers working on behalf of North Korea were responsible for the attack as retribution for the company's backing of the film "The Interview."

The movie, which is due to be released in the United States and Canada on Dec. 25, is a comedy about two journalists recruited by the CIA to assassinate North Korean leader Kim Jong Un. The Pyongyang government denounced the film as "undisguised sponsoring of terrorism, as well as an act of war" in a letter to U.N. Secretary-General Ban Ki-moon in June.

The technical section of the FBI report said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.
http://news.yahoo.com/exclusive-fbi-warns-destructive-mal...

Permalink | |  Print |  Facebook | | | | Pin it! |

destructionware.... bootkits have become digital atomic bombs at Sonyhack

"The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up.  The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the report said.

Security experts said that repairing the computers requires technicians to manually either replace the hard drives on each computer, or re-image them, a time-consuming and expensive process. http://news.yahoo.com/exclusive-fbi-warns-destructive-malware-wake-sony-attack-002204335--finance.html

we have seen the hundreds of pages with all the sites and information that has been downloaded and now seems destroyed. It are whole intranets with intranetsites (and their code) and databases and internal applications and passwords and files and personal mailboxes and so it goes on for hundreds of pages

now it is clear that all the harddisks on which this data was found were virutally destroyed and I hope they have good external backups and that these were isolated from the network so that the hackers couldn't delete those at well (which was done in several hacking incidents)

by using destructive bootkits you also make i very hard to do some very professional forensic analysis because it will be very hard to find that evidence in the destroyed hard disks - eventually you will have to destroy it yourself to be able to recuperate some other data (instead of the eventlogs and other proof)

we already had viruses that blocked your data with an encryption key but this is a whole new ballgame..... they are just out to copy and publish your internal network and to destroy it totally afterwards with the only intent of making you pay by creating chaos

but the big question naturally is why Sony wasn't better prepared for this after its attacks and leaks in 2011

Permalink | |  Print |  Facebook | | | | Pin it! |

12/01/2014

fanning : some kids lost their digital virginity online and some online firms should protect them better

yep this is one screenshot ..... and the most innocent part of the fanning collections that were downloaded from icloud because they had forgotten to active the most active defense against passwordguessing being prohibiting bruteforce attacks in which thousands of passwords could be tested without any alert

but you have to see the files to understand the real disaster is that these are youngsters who will find some of these files on all kinds of fileservers and pornservers (there is pornographic stuff in it although not that much even if I didn't look at or downloaded each of the thousands of files)

maybe we should demand from online organisations that they protect the files of our kids higher than our own. if we make a stupid sextape than it is our own fault, we are adults - but we can't control them every minute of the day or control every contact or movie they make - so it is up for the online organisations to give them a safer and more secure online environment

and really this is innocent stuff

once digital, it can travel anywhere anytime and once it is out there or with someone else it is gone - out of control - out of your control

Permalink | |  Print |  Facebook | | | | Pin it! |

no we don't need military in our streets for now, we need them at our nuclear installations

The minister of Security (as he calls himself) proposed to the minister of Defense of the same party (NVA) to let military patrol the streets in Belgium.

They have done already that once but than we had at the same time the attacks from the Bende van Nijvel and from the CCC which was creating the strategy of tension in Belgium voluntary or not as not all information about that will be declassified before I die

He refers to France but France started with military patrols at certain historic and strategic places after some real big terroristic attacks and because from time to time they arrest terroristic cells before they can attack. This is not necessarily a good strategy (in Great Britain it are just heavily armed policemen - but still policemen)

If the minister wants to put the military to any good use, he should place them at and around our nuclear installations where we have already lost one due to internal strategic sabotage and have lost another for two days because of a fire in an external electrical installation that is not protected by any wall or defensive installation 

if we lose any of the other nuclear installations we will be in a real blackout and the only thing you have to do is to blow up some electrical installations outside the installations which are totally unprotected

oh, no not only I am saying this, it was on the journal of RTBF (http://www.rtbf.be/video/detail_jt-19h30?id=1975146  from  minute 16) and in France there are also calls to militarise the protection and security of our nuclear installations (shortly after 9/11 there were military and missiles around our nuclear installations)

Permalink | |  Print |  Facebook | | | | Pin it! |

#ferguson milk in your face to keep the tears away

Clouds of tear gas filled the streets of Ferguson, forcing demonstrators to run for cover. Standing among broken bottles and shop windows, one woman doused herself in Milk of Magnesia to relieve the symptoms.
http://widerimage.reuters.com/story/tears-and-tear-gas-in...

Permalink | |  Print |  Facebook | | | | Pin it! |

#hongkong police use pepperspray and puts swimming goggles on

and all those commentators who thought that the protests were over and dying are wrong again

each time they think that the Chinese have won, everything changes again and we are back to square one

there is another thing that is important

just as with the Euromaidan protests the majority of the protestors came after work to the camp

this was also the case in Ukraine and kept it alive because most people need an income and expect if you can win in a few days than they can't just stay away from work day after day, week after week, month after month

look at that (and you didn't see that in the news, you only saw some scuffles but not the mass of people behind them)

 

Embedded image permalink

Permalink | |  Print |  Facebook | | | | Pin it! |

all kinds of vendormachines now under attack from general malware to attack them

the first malware that targeted POS point of Sale systems was built for specific software and hardware and wanted only the credticard information

now from a specific malware it has grown into a platform to attack any vendor system for any reason

"Some recent POS investigations have revealed organized crime groups distributing malicious code and compromising networking environments of merchants and credit card devices, including ticket vending machines and electronic kiosks installed in public places and mass transport systems. One of the compromised devices was found in Sardinia in August 2014, giving the bad actors unauthorized access to it through VNC.
https://www.intelcrawler.com/news-24

but the infections are only starting (one in Holland, one in France but none in Belgium for the moment)

it also means that the period of security by obscurity is over for these systems and that anti-cocal hackers will give us free coke (or none at all) or free busrides or just want to get pincodes on any access system (to have some physical penetration afterwards ?)

Permalink | |  Print |  Facebook | | | | Pin it! |

since the forget me ruling Google (and yahoo and bing now) are no internet index anymore

they are only part of the internet and they are becoming more and more irrelevant

we will work on that in the coming weeks by preparing more specific searches to bypass this censorship

(how do I know it is censorship because when I search for the names of spies that are in my books about the latest espionage scandals of the last years (to understand Snowden) it is clear that information has been deleted because it is mentioned under the first page with the search results)

for the moment some say that you can find the urls's that are being abolished in Europe in other versions of the Google search machine

but meanwhile the effect is enormous (and it is bigger than the millions of urls's to pirated content because this is about legal content but that some people for some reason don't want you to see anymore in Google)

"Google was the first company to publish a form to make such requests, and has so far received more than 174,000 requests covering more than 600,000 URLs, removing 41.5% of them from its search results. Now it has been joined by Bing and Yahoo.
http://www.theguardian.com/technology/2014/dec/01/microso...

for those who have known the internet before Google

we are going back to local searches and linkindexes and keeping information you have found online because you never know how long it will stay online

Permalink | |  Print |  Facebook | | | | Pin it! |

dexia in Israel a target for Anonymous for subsidizing new israeli projects in Palestine

Permalink | |  Print |  Facebook | | | | Pin it! |

reading the mails from CEO's before investing on the stockmarket

"The cybersecurity company FireEye has unearthed a team of email intruders that snoop through the correspondence of company executives who may possess market-moving information.

FireEye said the team has carried out attacks against nearly 100 publicly traded companies or their advisory firms in possible attempts to play the stock market. Most of the targets are health care or pharmaceutical companies. It noted that the shares of those firms can move dramatically after the announcement of clinical trial results, regulatory decisions or other significant developments.

FireEye has labeled the group FIN4 and says it focuses on capturing usernames and passwords to email accounts, which gives the group access to private email correspondence. The group does not use malware, which helps it evade detection.
http://www.ctvnews.ca/business/fireeye-details-cybersecur...

they send emails from friends or contacts that ask you to fill in a form with your email credentials

than they use those email credentials to read over your shoulders your email

and this you can only end when your company emailservice does the same location control as Google and Yahoo - except when they do it from the same location or through a hacked site or a local proxy that gives the same protection

information is much more important than showing off that you have hacked or defaced something

the best solution is double authentification

Permalink | |  Print |  Facebook | | | | Pin it! |

sony has again gone down the abyss of total compromise

"The security break at Sony Pictures marks the second time that Sony Corporation had been targeted by hackers. In 2011, the online network for Sony's PlayStation game console was broken into, exposing names and credit card numbers for millions of customers. By the time damages from more than 50 class-action lawsuits had been paid, it's estimated that Sony spent more than $2 billion as a result of the breach.

"Further disturbing is that thus far the studio's IT experts have been unable to reverse the attack and get the computer system back to normal. “The IT department has absolutely no idea what hit them or if they can recover any of their files or operating systems, or even turn on their computers Monday,” said the insider. http://www.thewrap.com/sony-execs-working-on-chalkboards-while-hackers-claim-stolen-data-includes-stars-ids-budget-and-contract-figures/

and here you will find a good overview of what is lost (private keys, code, ID's, contracts,.....) and all other information you may need  inside the discussion https://www.reddit.com/r/hacking/comments/2n9zhv/i_used_t...

Permalink | |  Print |  Facebook | | | | Pin it! |

sony hacking already a digital disaster because of massive downloads

the numbers speak for themselves

Fury is in the States in the theatres while annie still had to be released worldwide

“Fury,” a war film that stars Brad Pitt and Shia LaBeouf, has reportedly been downloaded by over 1.2 million unique IP addresses, while “Annie” has been downloaded by an estimated 206,000 unique IP’s, according to the piracy-tracking firm Excipio.  http://conservativeblogscentral.com/archives/7389

this is a disaster

and proof that if you don't use anonimizing software your torrent traffic will be kept somewhere for some time

Permalink | |  Print |  Facebook | | | | Pin it! |

how to find anything online if you take your time and you know how

there are 5 ways to find anything online

first is Google  

  and than you have to make first a Google account so you can use the advanced search options

  if the data or some of the data has disappeared from Google you should use BING

  there are some operators "term"  you use to find any data in which there is only that term

   "mymailadres"  will give you everything with your emailadres in it

   than there is the period  (last week, last 24hours, last month) but you always will have to use it without time indicator because that indicator doesn't work that well - it is only interesting to find links that have a good time indicator

   you can also limit to a certain domain or site  site:.....

   another interesting is  filetype:txt for example of .cvs   or .pdf  or .whatever

secondly there are torrents

   here you will have to search at torrent search sites because many links aren't in the searchengines anymore

   you will have to use several because there isn't a google for the torrents

thirdly there are the online forums; IRC and usenet

    several of those forums are blocked off from Google and other search engines

    you have to be member to  be able to see the postings and in some cases you have to upload information that others like to have access to data yourself

    for this you probably will need another identity

    for USenet there are few interesting services that are free and for IRC you have really to be careful for viruses, for snoopers and that you have gone through several proxies because on pastebin you will find a whole lot of IRC logs with the full networkname of your identity.

fourth there is twitter with links to download dumps

   so with the download file servers you will find thousands of files online on these servers

   and they are not necessary on Google or they make no sense (who knows that xhx.avi is the latest film for example)

   they are sometimes only on twitter links to such files so you will have to find the necessary twitter links

Fifth there is TOR where you need to download the client and than to follow our guide to find or search for the files - many services are invite only

Permalink | |  Print |  Facebook | | | | Pin it! |

update : this blog is FORBIDDEN TO PUBLISH ANY information about online MENSURA DATA

due to a complaint from the lawyers of Mensura we are not allowed to post specific links to the data

we didn't even publish any direct links just how to find it and even than it was just a posting about using Google to find that data

things anybody with a little bit of intelligence and internetknowledge can do

well you have to learn it yourselfs because I am forbidden to write anything about how to find any particular set of data

so people will continue to think that their data is not online anymore

IT is still online

I know how to find it but I can't write about it

or this whole blog will disappear

which is just what mensura wants

to 'make believe' that the data is not online anymore

and that I am not allowed to publish anything anymore

nothing even not a hint

but believe me that data is ONLINE

Permalink | |  Print |  Facebook | | | | Pin it! |

Sony lost 11 terra of data to hackers (11.000 GB) of which unreleased films

"According to an approximation, 11,000 GB data was ripped off by the hackers and have warned if their demands are not met all this data would be released in the wild.

A thread on Reddit provided information on what hackers could have stolen from the Sony pictures system. According to the thread, the data might contain passport and visa information for cast and crew working on Sony movies, Outlook inboxes, documents detailing the company’s IT systems plus accounting and research information- but all this is just a small part of this gigantic breach.
http://hackread.com/hackers-leak-sony-movies-after-hack-a...

and this is not a joke

http://thehackernews.com/2014/11/sony-pictures-movies-leaked.html

and these are the five unreleased films that you will find on torrents

how do you do that ?

Get 11.000 GB of information past a firewall and security and logs and monitors and people who are supposed to look at those screens without anything or anybody seeing anything

do you understand how MUCH information that is ?

even with a normal trafficvolumemonitor (how much a connection, server or accounts transports normally) you would have seen that something is not right and an alert would have gone off (this is very efficient to leave videostreaming open but blocking downloads of movies)

so we will have  new Sony movies and mailboxes of filmstars and pics of them and so on very soon.... except if they pay up (and they hardly have any choice don't they)

  • "Still Alice" starring Julianne Moore, Alec Baldwin – US release date: Jan 16, 2015

  • "Mr Turner" starring Timothy Spall. – US release date: Dec 19, 2014
  • "Annie" starring Jamie Foxx and Cameron Diaz. – US release date: Dec 19, 2014
  • "Fury" starring Brad Pitt – US release date: Oct 17, 2014
  • "To Write Love on Her Arms" – US release date: March 2015
http://thehackernews.com/2014/11/sony-pictures-movies-lea...

it is also astonishing that after the massive lulzsec breaches they weren't capable over the last 2 years to upgrade their security to an acceptable level which means that they didn't make any new big investments, didn't install new monitor rooms and didn't extend their staff and procedures

it also means that they don't have any system of Data leakage prevention

even stranger that it came from North Korea - how the hell do you accept an 11 terrabyte download to North Korea ?

follow the information about this hack

https://twitter.com/search?q=%23gop%20sony&src=typd

Permalink | |  Print |  Facebook | | | | Pin it! |

Previous 1 2 3 4 5 6 7 8