privacy - Page 12

  • #finfisher this Belgian contacted the helpdesk as probable user

    so why did he install and use this commercial hacking and spying software?

    http://pastebin.com/qnHuftbY

  • there is an app for everything, even for turning your sex life into a workout

    source http://www.ibtimes.co.uk/sexfit-helps-measure-increase-mens-performance-bed-1460190

    imagine losing that data, or losing the phone on which the app can be read, or your partner publishing that data on the web or mailing it to friends after your breakup

  • Important UPDATE : the Belgian IP addresses that are victims of the #finfisher spytool

    we will start analyzing them shortly, this weekend

    update : we got this through a secondary source who first said these were IP addresses of clients but now thinks they could also be the IP addresses of victims - we have to sort that out

    the full files have not yet been received; that will take some time for more analysis

    if more information is found out about these addresses, or more Belgian information is found out, please keep me updated, thanks

    by the way, if anybody has a way to decrypt the encrypted files, the internet is interested

    109.130.46.244  
    109.130.133.249 
    109.130.166.22
    109.130.40.252
    109.130.124.145
    109.130.176.55
    109.130.113.16
    109.130.181.137
    109.130.28.126
    109.130.170.111
    109.130.137.248
    109.130.15.192
    109.130.93.61
    109.130.81.64
    109.130.82.244
    109.130.71.210
    109.130.71.235
    109.130.31.30
    109.130.119.198
    109.130.161.178
    109.130.63.148
    109.130.53.138
    109.130.181.221
    109.130.186.110
    109.130.175.219
    109.130.149.131
    109.130.55.42
    109.130.186.43
    109.130.141.108
    109.130.111.139
    109.130.25.33
    109.130.193.147
    109.130.193.247
    109.130.145.207
    109.130.10.187
    109.130.45.103
    109.130.36.154
    109.130.30.82

    94.108.165.96
    94.108.183.115
    94.108.224.116
    94.108.211.67
    94.108.150.99
    94.108.208.193
    94.108.210.237
    94.226.122.120
    94.108.176.207
    94.108.227.216
    91.183.82.202
    94.226.121.211
    94.108.247.128
    94.226.121.161
    94.108.199.219
    94.226.121.121

    84.198.177.168
    84.198.179.208
    84.198.182.174
    84.198.182.5
    84.198.177.122
    84.198.183.237
    84.198.186.73
    84.198.186.144
    84.198.177.153
    84.198.185.168
    84.198.176.203
    84.198.183.202

    81.82.35.95
    81.82.35.113

    http://pastebin.com/bMrGcqpc

  • #ukraine why anybody should stay away from Russian websites and servers

    source http://euromaidanpress.com/2014/08/01/sbu-encourages-ukrainians-to-leave-russian-social-networks/

    this is from a warning by the Ukrainian authorities, but in fact it applies to all confidential business and other information, because in the present atmosphere everything is possible in Russia

  • the #finfisher spytool was also used in Belgium

    we are waiting for more info

    if you have more info about the use of finfisher in Belgium, feel free to make it available to me

  • in 2010 most clients of #finfisher weren't put in the category 'all the rest' (France, Luxembourg,...)

    http://www.zdnet.com/top-govt-spyware-company-hacked-gammas-finfisher-leaked-7000032399/

  • how to find finfisher with NMAP on your networks

    source http://pastebin.com/6cGN2VAK

    Considering the network pattern described on http://pastebin.com/emK1Vt5g it is possible to enable nmap to detect Finfisher C&C machines:
     
    vim /usr/share/nmap/nmap-service-probes
     
    It basically amounts to adding these ports to the HTTP probe:
    - 22
    - 53
    - 4111
     
    And adding this signature (one line):
    match http m|^HTTP/1.1 200 OK.*Hallo Steffi$|s p/FinFisher Governmental Monitoring Trojan C&C Server/
     
    The result is as follows:
    Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-27 11:29 MSK
    Interesting ports on static.ip.77.69.140.194.batelco.com.bh (77.69.140.194):
    PORT     STATE SERVICE VERSION
    4111/tcp open  http    FinFisher Governmental Monitoring Trojan C&C Server
     
    The nmap-service-probes format is at http://nmap.org/book/vscan-fileformat.html
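    To show what that signature actually does, here is an added example (not part of the pastebin, of nmap, or of this blog) that parses the `match` line above with a small subset of the nmap-service-probes grammar and applies it to two constructed HTTP responses. Python stands in for nmap so the matching can be checked offline; the regex flag `s` is translated to Python's DOTALL, which is what lets `.*` span the header lines. All function and constant names are this example's own.

```python
import re

# Signature quoted on the page, joined onto one line as nmap-service-probes expects it.
FINFISHER_MATCH_LINE = (
    "match http m|^HTTP/1.1 200 OK.*Hallo Steffi$|s "
    "p/FinFisher Governmental Monitoring Trojan C&C Server/"
)

# Subset of the nmap-service-probes grammar handled here:
#   match <service> m<delim><regex><delim>[flags] p/<product>/
# The delimiter after "m" is arbitrary; the Perl-style flags "s" and "i" map onto re flags.
MATCH_LINE_RE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([a-z]*)\s+p/([^/]*)/")
PERL_FLAGS = {"s": re.DOTALL, "i": re.IGNORECASE}


def parse_match_line(line):
    """Return (service, compiled regex, product string) for one 'match' line."""
    m = MATCH_LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("unsupported match line: %r" % line)
    service, _delim, pattern, flags, product = m.groups()
    re_flags = 0
    for flag in flags:
        re_flags |= PERL_FLAGS.get(flag, 0)
    return service, re.compile(pattern, re_flags), product


def classify_banner(banner, match_lines=(FINFISHER_MATCH_LINE,)):
    """Return the product string of the first signature that matches the banner, else None."""
    for line in match_lines:
        _service, regex, product = parse_match_line(line)
        if regex.search(banner):
            return product
    return None


# Constructed sample responses (not real captures): a C&C-style reply and an ordinary web server.
SAMPLE_FINFISHER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nHallo Steffi"
SAMPLE_ORDINARY = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html><body>hi</body></html>"

if __name__ == "__main__":
    for name, banner in (("finfisher-style", SAMPLE_FINFISHER), ("ordinary", SAMPLE_ORDINARY)):
        print(name, "->", classify_banner(banner))
```

    Without the `s` flag the `.*` would stop at the first line break and the signature would never reach the "Hallo Steffi" body, which is why the flag matters in the original line as well.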

  • check your Linux servers: are you infected with the #finfisher spytool?

    source http://pastebin.com/jkndLHQf

    The FinFisher dropper 'wgetTest' found in the leaked ~36GB torrent for Linux creates a random directory in /home/$USER selecting from the following list:
     
    .data:0804D0E0 common_directories_to_infect dd offset a_cache
    .data:0804D0E0                                         ; DATA XREF: count_infection_element_paths_and_names+10o
    .data:0804D0E0                                         ; get_and_create_infection_dir_and_filename+68r ...
    .data:0804D0E0                                         ; ".cache"
    .data:0804D0E4 off_804D0E4     dd offset a_dbus        ; DATA XREF: FFB8F40Co
    .data:0804D0E4                                         ; ".dbus"
    .data:0804D0E8                 dd offset a_fontconfig  ; ".fontconfig"
    .data:0804D0EC                 dd offset a_gconf       ; ".gconf"
    .data:0804D0F0                 dd offset a_gnome       ; ".gnome"
    .data:0804D0F4                 dd offset a_gnome2      ; ".gnome2"
    .data:0804D0F8                 dd offset a_kde         ; ".kde"
    .data:0804D0FC                 dd offset a_local       ; ".local"
    .data:0804D100                 dd offset a_qt          ; ".qt"
    .data:0804D104                 dd offset a_ssh         ; ".ssh"
     
    So, an example could be /home/joxean/.cache/. Then, a sub-directory inside this directory is selected from the following list:
     
    .data:0804D140 ; char **possible_files_to_detect_infection[6]
    .data:0804D140 possible_files_to_detect_infection dd offset a_config
    .data:0804D140                                         ; DATA XREF: count_infection_element_paths_and_names+42o
    .data:0804D140                                         ; get_and_create_infection_dir_and_filename+104r ...
    .data:0804D140                                         ; ".config"
    .data:0804D144                 dd offset a_bin         ; ".bin"
    .data:0804D148 off_804D148     dd offset a_sbin        ; DATA XREF: FFB8F408o
    .data:0804D148                                         ; ".sbin"
    .data:0804D14C off_804D14C     dd offset a_etc         ; ".etc"
    .data:0804D150                 dd offset a_cfg         ; ".cfg"
    .data:0804D154                 dd offset a_apps        ; ".apps"
     
    So, an example could be /home/asier/.cache/.sbin. Then, the dropper patches itself and copies itself (patched) into the selected directory with one of the following names:
     
    .data:0804D1A0 ; char *g_likely_executable_names[8]
    .data:0804D1A0 g_likely_executable_names dd offset aCpuset
    .data:0804D1A0                                         ; DATA XREF: count_infection_element_paths_and_names+74o
    .data:0804D1A0                                         ; check_already_infected+396o ...
    .data:0804D1A0                                         ; "cpuset"
    .data:0804D1A4                 dd offset aKthreadd     ; "kthreadd"
    .data:0804D1A8                 dd offset aKsnapd       ; "ksnapd"
    .data:0804D1AC                 dd offset aUdevd        ; "udevd"
    .data:0804D1B0                 dd offset aDbusDaemon   ; "dbus-daemon"
    .data:0804D1B4                 dd offset aAtd          ; "atd"
    .data:0804D1B8                 dd offset aCrond        ; "crond"
    .data:0804D1BC                 dd offset aHald         ; "hald"
     
    So, again, an example process could be /home/joe/.cache/.sbin/atd.
     
    When the file is dropped and patched then the main dropper forks and the child executes the dropped process with a line similar to the following one:
     
    (...)
          chdir(infection_path);
          execl(infection_command, infection_command, "80.so", "RunDll", 0);
    (...)
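    Putting the three lists together, here is an added example (not from the pastebin, from the dropper, or from any FinFisher analysis tool) that enumerates the 480 locations the dropper can choose under one home directory, checks which of them exist, and flags running processes whose executable sits under /home with one of those daemon-like names or whose argv carries the `80.so RunDll` pair from the execl() call above. The function and variable names are this example's own; the `exists` parameter is injectable so the logic can be tested without planting files.

```python
import itertools
import os

# Candidate name lists as recovered from the dropper's .data section (quoted above).
TOP_DIRS = [".cache", ".dbus", ".fontconfig", ".gconf", ".gnome", ".gnome2",
            ".kde", ".local", ".qt", ".ssh"]
SUB_DIRS = [".config", ".bin", ".sbin", ".etc", ".cfg", ".apps"]
EXE_NAMES = ["cpuset", "kthreadd", "ksnapd", "udevd", "dbus-daemon", "atd", "crond", "hald"]
# Arguments the dropper passes to its copy (from the execl() call quoted above).
DROPPER_ARGS = ["80.so", "RunDll"]


def candidate_paths(home):
    """All 10 x 6 x 8 = 480 file locations the dropper can pick under one home directory."""
    return [os.path.join(home, top, sub, name)
            for top, sub, name in itertools.product(TOP_DIRS, SUB_DIRS, EXE_NAMES)]


def find_dropped_files(home, exists=os.path.isfile):
    """Candidate paths that actually exist; `exists` is injectable so the logic is testable."""
    return [path for path in candidate_paths(home) if exists(path)]


def scan_home_root(root="/home"):
    """Run the file check over every user directory below `root`."""
    hits = []
    if not os.path.isdir(root):
        return hits
    for user in sorted(os.listdir(root)):
        hits.extend(find_dropped_files(os.path.join(root, user)))
    return hits


def argv_matches(cmdline):
    """True if a /proc/<pid>/cmdline blob carries the dropper's '80.so RunDll' arguments."""
    argv = [a.decode("utf-8", "replace") for a in cmdline.split(b"\0") if a]
    return len(argv) >= 3 and argv[1:3] == DROPPER_ARGS


def suspicious_processes(proc_root="/proc"):
    """Processes whose executable lives under /home but carries a daemon-like name, or
    whose argv matches the dropper's call. Real atd/crond/udevd run from /sbin or
    /usr/sbin, and the real kthreadd is a kernel thread without an exe link at all."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                cmdline = fh.read()
        except OSError:
            continue  # kernel thread, exited process, or not ours (permission denied)
        exe_in_home = exe.startswith("/home/") and os.path.basename(exe) in EXE_NAMES
        if exe_in_home or argv_matches(cmdline):
            hits.append((int(pid), exe))
    return hits


if __name__ == "__main__":
    for path in scan_home_root():
        print("dropped file:", path)
    for pid, exe in suspicious_processes():
        print("suspicious process:", pid, exe)
```

    Run it as root so that /proc/<pid>/exe of other users' processes is readable; note that the sub-directories are dot-prefixed, so a plain `ls` of ~/.cache will not show them.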

  • download the leaked source code of the commercial spyware FinFly Web from finfisher

    Source code of FinFly Web

    Another trophy is the source code of FinFly Web, which found its way to the code hosting platform GitHub. A company brochure that was published by WikiLeaks as part of the SpyFiles three years ago describes it like this:

    FinFly Web is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks.

    FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules.

    Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software.

    A video advertises its features, and other documents provide more details.
    https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-documents-and-source-code-of-government-malware-published/

  • commercial spy firm #finfisher (for police and firms) hacked, with 40GB of data available (download links)

    "

    Basically it's a European company that sells computer hacking and spying software to governments and police agencies. Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents. Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to 'good' governments, and those authoritarian regimes must have stolen a copy.

    And that's the end of the story until a couple days ago when I hacked in and made off with 40GB of data from Gamma's networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB

    Here's a torrent of all the data. Please download and seed. Here's a twitter feed where I'm posting some of the interesting stuff I find in there, starting off slow to build up rather than just publish all the worst shit at once.

    I assumed the hacking would be the hard part and once I got the data it would just kinda go viral on its own or something. But it turns out without any media access or idea how that shit works, getting people to notice or care is actually kind of hard. Please share and seed the torrent!


    We've taken down our website at finsupport.finfisher.com while we investigate rumours that it may have been hacked.—
    Phineas Fisher (@GammaGroupPR) August 04, 2014

    and here is more info

    Unfortunately, the Dropbox account with the original torrent file is “temporarily disabled”, but we are happy to provide a mirror. (Magnet-Link)

    Portable Document Format (PDF):

    Microsoft Excel:

    FinSploit Sales

    There is a zip archive “FinSploit Sales” with a text file and three videos.
    https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-documents-and-source-code-of-government-malware-published/

  • Sony has to pay 15 million dollars for the LulzSec data leak of 2011

    "Sony has agreed to a preliminary settlement of $15 million (USD) in a class action law suit over cyber-attacks on its networks in 2011.  The settlement, which follows a £250,000 penalty imposed by UK authorities against the tech giant in 2013, serves as a salient reminder that companies may be exposed to significant liability if they fail to protect their users' personal information. 

    In May 2011, an unknown assailant executed attacks against Sony’s data centre in San Diego, infiltrating its PlayStation Network and Qriocity and Sony Online Entertainment services.  The attack compromised the data of 77 million users, including names, addresses, passwords and potentially credit card and other payment information.  Services were offline for weeks as Sony worked with the FBI and other law enforcement authorities to determine the nature and origin of the attack. 
    http://tmtblog.minterellison.com/blog.aspx?entry=572

    so if you compare this to the arguments about the proposed fines in Europe, you just ask yourself what the fuss is about

    in the UK they were fined some 200.000 pounds, or 350.000 dollars

    next time Sony will place its headquarters and liabilities in Europe.

  • while we are complaining about the NSA, the FBI has since 2012 been infecting Tor servers (Tormail for example) with trojan malware

    The existence of Tor has not only troubled the Russians or the NSA but also those who actually have to prosecute child porn, drug trafficking and counterfeiting. Some of these businesses have set up shop on Tor, and the community has made no effort at all to close them down (through community rules, for example).

    So when the FBI busted several hidden services last year - Tormail among them (infected with their malware) - many people wondered how they did it.

    documents have now come to light that the FBI received permission from a secret court to infect US IP addresses with malware if it could prove that they were using services like Tor to hide their activities. It has led to some successful arrests, but at the same time it is unclear how many other users have been infected and why there is no self-destruct on the malware if it becomes clear that the IP address was not part of the investigation.

    this is how the FBI people did it:

    "On August 1, 2013, some savvy Tor users began noticing that the Freedom Hosting sites were serving a hidden “iframe”—a kind of website within a website. The iframe contained Javascript code that used a Firefox vulnerability to execute instructions on the victim’s computer. The code specifically targeted the version of Firefox used in the Tor Browser Bundle—the easiest way to use Tor.

    This was the first Tor browser exploit found in the wild, and it was an alarming development to the Tor community. When security researchers analyzed the code, they found a tiny Windows program hidden in a variable named “Magneto.” The code gathered the target’s MAC address and the Windows hostname, and then sent it to a server in Virginia in a way that exposed the user’s real IP address. In short, the program nullified the anonymity that the Tor browser was designed to enable.
    http://www.wired.com/2014/08/operation_torpedo/

    so whether you put up your own hidden service or use an existing hidden service that has the vulnerability, the result will be the same - which means that you have to go through a proxy on top of Tor (and you will have to pay if you want a good fast proxy, and even these are not always anonymous to the police services)

    https://www.documentcloud.org/documents/1261620-torpedo-affidavit.html (the official judicial documents that leaked the news)
  • the New York Times confirms that the database with 1.2 billion logins is real and the sites are still vulnerable

    "Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."

    but throughout the article it is repeated that (my comment)

    “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

    and to top it off, Mr Holden even had contact with these thieves and knows more or less who they are (my comment)

    "Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time."

    but these gangsters have broken the one golden rule that Russian hackers have to abide by if they don't want to be prosecuted in Russia: stay out of Russian websites. (my comment)

    "Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers."
    http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html

    So let's make this even clearer

    * the data have been audited by independent security people (unless they were fooled, because it would be difficult for them to check whether the data really came from the hacked websites, or whether the websites were still vulnerable, without breaking US law)

    * Mr Holden did a publicity stunt just before Black Hat to be the talk of the town; he thought first of all of himself and had no interest in the public repercussions of his act and of the data that he is holding (and doesn't seem to have any intention of being responsible in any way)

    * Mr Holden has been in contact with these particular hackers for some time and hasn't informed the intelligence community about that - even if they were preparing attacks against major US corporations or had broken into them

    it is time to set an example for all to see: if you get your hands on such information that is not yet public, then you run enormous risks if you don't go to the police or the authorities to set up a campaign to inform and protect the victims and the vulnerable infrastructure

  • mailbox of ex-premier of Peru Cornejo hacked by Anonymous (with links)

    source

    here are the files

    http://up.ht/1p87gHA
    http://up.ht/UZ3UdQ
    http://up.ht/1p891oj
    http://up.ht/UZbBk2
     
    Mirror 2 :
     
    https://mega.co.nz/#!111jgbjb!3C6tErjIMzCqzJBc_WNPegk_nhqAN-SNIn_BU4BWZhY
    https://mega.co.nz/#!F99EVJ5S!ZcOfYI4GJzmIf2O7IeWPfHjUojypC_OXgFClV3x8u-w
    https://mega.co.nz/#!0l0ABZKJ!wMsb8dZCyLApnbpsbOrjo2fhdopkWd_VjVI0fU8gyyQ
    https://mega.co.nz/#!A58hCQSB!4lAubgalE291mEKgoJCQfYYcTCe2RKKRcawaTnHuTr0

    source https://pastecry.pt/MeqBxR#lulzsecperu

  • Chinese government slams Apple for collecting too much personal information

    funny in fact (and unjust, because all apps and smartphones do that)

    source http://money.cnn.com/2014/07/11/technology/security/china-iphone-privacy/index.html

  • 420.000 websites still have fatal SQL injection flaws, which calls for internationally coordinated action

    sometimes you wonder what you are doing and why you are publishing all that stuff if nothing changes and nobody seems to give a damn, thinking that nothing enormously dangerous can be done with it

    but think of this

    there are 420.000 websites on the web which have lost all the personal data in their database because of a SQL injection, and that data was not sufficiently encrypted to make it unusable

    you may be sure that there will be websites that you use or have used at one time

    you may be sure that there will be websites that are in fact critical

    you may be sure that the logins were used on other systems

    so it is time - high time - to set up an international coordination committee to fix this and treat it as a virus outbreak

  • 'Hold Security' has taken our 1.2 billion personal data hostage for commercial gain and should be taken to court

    ** update: they will try to sell you a digital information protection service for 120 $ or 100 euros A MONTH (so with 1.2 billion persons, if they find 1% stupid suckers they are rich enough to go to the stock market)

    suppose I find your wallet on the street with all your information in it

    am I now the owner of it?

    No, I have to return it to you, and in fact I have to bring it to the police station so they can give it back to you after they have verified your identity

    but what is Hold Security doing

    they are saying that they have found

    * 4.5 billion personal data of which 1.2 billion logins and half a billion emailaddresses

    * 420.000 websites that could be broken into

    Do they now go to ICANN or the CERTs or the FBI with that data to coordinate on a worldwide scale

    * the selection of all the logins which for obvious reasons have to be blocked immediately - even if they could be older - because they contain .int, .mil or .gov, or because it is clear that they belong to a bank, financial service or shop, or because it is clear from the login that the person is an administrator

    * the selection of the websites that need to be closed down or secured immediately because they belong to governments, banks or systems with an enormous amount of personal information

    who do they think they are ?

    Do they have worldwide local knowledge about the importance of each local website? Do they have the resources to handle and check every request for information from millions of enterprises and billions of people (if ever)?

    Do they have the machine power to process all that?

    Are they secure enough to handle so much information and protect it, given that they have said they have billions of records on their systems and billions of new records coming in through web forms and mails (the biggest honeypot in the world in fact)?

    NO, they act as pirates and thieves and as if they are not bound by rules and laws and can do with the data as they please - which is not the case

    so if I were the EFF, FTC, FBI or any other organisation I would take them to court

    (and by the way the NSA can ask for a copy so they can stop spying for a while :). No, but it would be the first productive way to use all that enormous computer power that has been assembled in the desert: to double-check all that information, prioritize it and take the necessary actions (under the guidance of an international commission)

    and you know after all that - everybody in the world will be happy that the NSA had all that supercomputerpower for the best of all of us and that it could be used in the best way possible

    source http://www.holdsecurity.com/news/cybervor-breach/

  • Russian pharma spammers have collected 1.2 billion logins from 420.000 websites

    source http://money.cnn.com/2014/08/05/technology/security/russian-hackers-theft/index.html?hpt=hp_t2

    and from the site itself

    it was a three step operation

    step 1 : buy a set of logins on the black market and use it to have access to systems and emailaddresses

    step 2 : use the information gathered by botnets about infected systems

    step 3 : scan the web for vulnerable MYSQL systems (injection) and pump the data from these databases

         by the way, it is very easy to check whether your MySQL site has injection problems, there are tools for that, even before you publish it on the web, and if you have a MySQL website you should check this (this mistake has been known since the year 2000 and should be common knowledge among everybody who pretends to work on the web or to know what he is doing)

    so it is amazing that 450.000 websites actually on the web, with logins and other operations, still have SQL injection problems that lead to data leakage
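    As an illustration of the mistake this post and the '420.000 websites' post above are about, here is an added example (not from this blog, from Hold Security or from CNN) that shows the vulnerable string-spliced query beside the parameterised fix, plus the kind of self-check you can run before publishing: a login that nobody has must return nothing, and if a quote character in it changes the result set, input is being spliced into the SQL text. sqlite3 stands in for MySQL here (an assumption made for an offline example; the mechanism and the fix are the same on both), and the table, the rows and all function names are constructed for this example.

```python
import sqlite3

# sqlite3 is used in place of MySQL so the example runs offline (assumption noted above).


def make_db():
    """Constructed sample table: two users, nothing real."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (login, email) VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, login):
    """The mistake: the caller's string is spliced into the SQL text, so quoting inside the
    input changes the structure of the query instead of staying a value."""
    sql = "SELECT login, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, login):
    """The fix: the value travels separately from the SQL text as a bound parameter, so
    the database never parses it as SQL."""
    return conn.execute("SELECT login, email FROM users WHERE login = ?", (login,)).fetchall()


def has_injection_flaw(conn, lookup):
    """Pre-publication self-check in the spirit of the advice above: a login that no user
    has must return nothing; if a quote in that login changes the result set, the lookup
    is splicing input into SQL. Returns True when the flaw is present."""
    baseline = lookup(conn, "nobody")
    probe = "nobody' OR '1'='1"
    try:
        probed = lookup(conn, probe)
    except sqlite3.Error:
        return True  # a syntax error caused by a quote is itself a sign of splicing
    return probed != baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup flawed?   ", has_injection_flaw(db, find_user_vulnerable))
    print("parameterized lookup flawed?", has_injection_flaw(db, find_user_parameterized))
```

    The same differential check belongs in a test suite that runs on every deploy, which is the "check every so many weeks or months" the post asks for, done automatically.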

    this means in fact that

    * privacy commissions and other controlling agencies will need to oblige online operations that hold personal or financial information to be certified by certified controllers that they have no such mistakes, and oblige them to repeat this check every so many weeks or months

    * cyberinsurers will also need that kind of certification

    * hosters and ISPs will need to install application firewalls that stop all known SQL injection discovery scanning and execution

    * website owners will need to think twice about whether they want to receive and secure the information themselves or use a third-party service like Google or Facebook for simple logins, or third-party payment operators for transactions

    they can use that information to

    * send spam mails from email accounts without being discovered (so you should look at what mails are going OUT of your mailbox); they also have in their possession half a million email addresses they can connect to the logins (if your login for your email address is not unique, as it should be)

    * they also robbed login data from FTP sites

    * place pages on websites for which they have the administrative accounts

    * place comments on forums with logins from others

    the worst thing to do would be

    * sell it to anyone offering a few million to really steal money or information

    conclusion

    passwords are NOT security, only two-factor authentication is

    not publishing the hacked websites which are insecure is security by obscurity and is the worst thing that could happen, because those websites will continue as if nothing has happened and nobody will care

  • if you use a Google service for your website you need a privacy policy

    "When you use any of the Google services, most of their terms require it. For example, under section 7 of Google Analytics Terms of Service, it states that all websites using this service must have a comprehensive privacy policy. It states that you must disclose that you are using cookies to collect the data and state that you are using Google’s services, such as Google Analytics.

    There are numerous Google services that include the privacy policy requirement in their terms of use, including AdSense, AdWords, Maps/Google Earth. In other words, if you include a map of your business location on your website, according to Google’s terms, you are using one of Google’s services that require you to have a privacy policy.
    http://www.startupsmart.com.au/leadership/legal-matters/no-privacy-policy-google-says-you-need-one/2014052912404.html

  • what to do if a country starts blocking TOR (example Iran now)

    "A number of Iranian Tor users have reported that Tor no longer works out of the box in Iran, and the Tor Metrics portal shows a corresponding drop in the number of directly-connecting users there. Collin Anderson investigated the situation and reported that the Telecommunication Company of Iran had begun blocking the Tor network by blacklisting connections to Tor’s directory authorities. Tor users can circumvent this block by getting bridges from BridgeDB and entering the bridge addresses they receive into their Tor Browser." from TOR

    source https://bridges.torproject.org/
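    What "entering the bridge addresses" amounts to in the torrc file, as an added example that is not from the Tor Project's documentation or from this blog: the two Bridge lines are placeholders (192.0.2.0/24 is a documentation address range and the fingerprints are made up) and must be replaced by the lines BridgeDB hands out.

```text
# torrc fragment (added example). Replace the placeholder Bridge lines with the
# ones received from BridgeDB; keep one "Bridge" line per bridge.
UseBridges 1
Bridge 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567
Bridge 192.0.2.11:9001 89ABCDEF0123456789ABCDEF0123456789ABCDEF
```

    With UseBridges set, Tor bootstraps through the listed bridges instead of contacting the public directory authorities, which is exactly the part that was blacklisted. The traffic to the bridge itself still looks like Tor, so a censor that fingerprints the protocol rather than the addresses will also need a pluggable transport, which is configured separately.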