so why did he install and use this commercial hacking and spying software ?
imagine if you lose that data or a phone on which you can read that app or that your partner publishes that data on the web or mails it to friends after your breakup
we will start analyzing shortly this weekend
update : we got this through a secondary source who said first that they were IP addresses of clients but now thinks they could also be the IP addresses of victims - we have to sort that out
the full files have not yet been received; that will take some time for further analysis
if more information is found out about these addresses or more Belgian information is found out, please keep me updated, thanks
by the way if anybody has a way to decrypt the encrypted files, the internet is interested
this is from a warning of the Ukrainian authorities but in fact applies to all confidential business and other information because in the present atmosphere everything is possible in Russia
we are waiting on more info
if you have more info about the use of FinFisher in Belgium feel free to make it available to me
Another trophy is the source code of FinFly Web, which found its way onto the code hosting platform GitHub. A company brochure that was published by WikiLeaks as part of the SpyFiles three years ago describes it like this:
FinFly Web is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks.
FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules.
Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software.
A video advertises its features, and other documents provide more details.
Basically it's a European company that sells computer hacking and spying software to governments and police agencies. Two years ago their software was found being widely used by governments in the Middle East, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents. Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to 'good' governments, and those authoritarian regimes must have stolen a copy.
And that's the end of the story until a couple days ago when I hacked in and made off with 40GB of data from Gamma's networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB
Here's a torrent of all the data. Please download and seed. Here's a twitter feed where I'm posting some of the interesting stuff I find in there, starting off slow to build up rather than just publish all the worst shit at once.
I assumed the hacking would be the hard part and once I got the data it would just kinda go viral on its own or something. But it turns out without any media access or idea how that shit works, getting people to notice or care is actually kind of hard. Please share and seed the torrent!
and here is more info
Portable Document Format (PDF):
- Cyber solutions for the fight against crime (17 pages)
- FinSpy 3.00 – User Manual – 2011-06-05, by Stephan Oelkers (127 pages)
- FinSpyPC 4.51 (HotFix for 4.50) Release Notes – 2014-04-14 (14 pages)
- FinSpyMobile 4.51 Release Notes – 2014-04-14 (15 pages)
- FinFisher Price list 2014 – 2013-12-16 (updated: 2014-01-24)
- FinFisher Products Extended Antivirus Test (Anti-Virus Results FinSpy PC 4.51) – 2014-04-04
- Device Tests FinSpyMobile 4.51 – 2006-09-16 (updated: 2014-04-15)
There is a zip archive “FinSploit Sales” with a text file and three videos.
"Sony has agreed to a preliminary settlement of $15 million (USD) in a class action law suit over cyber-attacks on its networks in 2011. The settlement, which follows a £250,000 penalty imposed by UK authorities against the tech giant in 2013, serves as a salient reminder that companies may be exposed to significant liability if they fail to protect their users' personal information.
In May 2011, an unknown assailant executed attacks against Sony’s data centre in San Diego, infiltrating its PlayStation Network and Qriocity and Sony Online Entertainment services. The attack compromised the data of 77 million users, including names, addresses, passwords and potentially credit card and other payment information. Services were offline for weeks as Sony worked with the FBI and other law enforcement authorities to determine the nature and origin of the attack.
so if you compare this to the arguments about the proposed fines in Europe you just ask yourself what the fuss is about
in the UK they were fined some 200.000 pounds or 350.000 dollars
next time Sony will place its headquarters and liabilities in Europe.
The existence of TOR has not only troubled the Russians or the NSA but also those who actually have to prosecute child porn, drug trafficking and counterfeiting, since some of these businesses have set up shop on TOR and the community has made no effort at all to close them down (through community rules, for example).
So when the FBI busted several hidden services last year - among them Tormail (infected with their malware) - many people wondered how they did it.
documents have now come to light that the FBI received permission from a secret court to infect US IP addresses with malware if it could prove that they were using services like TOR to hide their activities. It has led to some successful arrests but at the same time it is unclear how many other users have been infected and why there is no self-destruct on the malware if it becomes clear that the IP address was not part of the investigation.
this is how the FBI people did it
This was the first Tor browser exploit found in the wild, and it was an alarming development to the Tor community. When security researchers analyzed the code, they found a tiny Windows program hidden in a variable named “Magneto.” The code gathered the target’s MAC address and the Windows hostname, and then sent it to a server in Virginia in a way that exposed the user’s real IP address. In short, the program nullified the anonymity that the Tor browser was designed to enable.
so even if you put up your own hidden service or use the vulnerability on an existing hidden service the result will be the same - which means that you have to go through a proxy as well as TOR (and you will have to pay if you want a good fast proxy, and even these are not always anonymous for the police services)
https://www.documentcloud.org/documents/1261620-torpedo-affidavit.html (the official judicial documents that leaked the news)
"Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."
but throughout the article it is repeated that (my comment)
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”
and to top it off, Mr Holden has even been in contact with these thieves and knows more or less who they are (my comment)
"Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time."
but these gangsters have broken the one golden rule that Russian hackers have to abide by if they don't want to be prosecuted in Russia: stay out of Russian websites. (my comment)
"Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers."
So let me make this even clearer
* the data have been audited by independent security people (unless they were smokescreened, because it would be difficult for them to check whether the data really came from the hacked websites or whether the websites were still vulnerable without breaking US law)
* Mr Holden did a publicity stunt just before Black Hat to be the talk of the town and thought in the first place only of himself and had no interest in the public repercussions of his act and the data that he is holding (and doesn't seem to have the intention to be responsible in any way)
* Mr Holden has been in contact with these particular hackers for some time and hasn't informed the intelligence community about that - even if they were preparing attacks against major US corporations or had broken into them
it is time to set an example for all to see that if you get your hands on such information that is not yet public then you run enormous risks if you don't go to the police or the authorities to set up a campaign to inform and protect the victims and the vulnerable infrastructure
here are the files
Mirror 2 :
funny in fact (and unjust because all apps and smartphones do that)
sometimes you wonder what you are doing and why you are publishing all that stuff if nothing changes and nobody seems to give a damn, thinking that it is not possible to do something enormously dangerous with it
but think of this
there are 420.000 websites on the web which have lost all the personal data in their database because of an SQL injection and that data was not sufficiently encrypted to make it unusable
you may be sure that there will be websites that you use or have used at one time
you may be sure that there will be websites that are in fact critical
you may be sure that the logins were used on other systems
so it is time - high time - to set up an international coordination committee to fix this and treat it as a virus outbreak
** update they will try to sell you a digital information protection service of 120 $ or 100 euros A MONTH (so on 1.2 billion persons if they find 1% stupid suckers they are rich enough to go to the stock market)
suppose I find your wallet on the street with all your information in it
am I now the owner of it ?
No, I have to return it to you and in fact I have to bring it to the police station so they can give it back to you after they have verified your identity
but what is Hold Security doing
they are saying that they have found
* 4.5 billion personal data records, of which 1.2 billion logins and half a billion email addresses
* 420.000 websites that could be broken into
Do they now go to ICANN or the CERTs or the FBI with that data to coordinate on a worldwide scale
* the selection of all the logins which for obvious reasons have to be blocked immediately - even if they could be older - because they have .int, .mil, .gov in them or because it is clear that they are from a bank or financial service or shop or because it is clear from the login that the person is an administrator
* the selection of the websites that need to be closed down or secured immediately because they are from government, banks or systems with an enormous amount of personal information
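As an added illustration (not code from the blog), the triage rules above applied to a constructed sample of leaked "login,site" records: government, military and administrator logins go to the block-now bucket, bank or shop logins and logins leaked from several sites go to review, the rest only get a reset notice. The keyword lists and the sample data are hypothetical.

```python
"""Triage of a leaked-credential dump (added illustration, not the blog's code).
Rules follow the blog: block .gov/.mil/.int and administrator logins first, review
bank or shop logins and logins leaked from several sites, notify the rest."""
from collections import Counter, defaultdict

# Constructed sample, "login,site_it_was_taken_from" per line. Not real data.
SAMPLE_DUMP = """\
john.doe@example-agency.gov,forum.example
admin@shop.example,shop.example
alice@example.org,blog.example
alice@example.org,photos.example
root@mail.example.mil,mail.example.mil
bob@bank.example,bank.example
webmaster@tiny.example,tiny.example
carol@example.com,photos.example
"""
SENSITIVE_TLDS = (".gov", ".mil", ".int")
FINANCE_WORDS = ("bank", "pay", "shop", "finance")  # hypothetical keyword list
ADMIN_NAMES = ("admin", "administrator", "root", "webmaster", "sysadmin")

def parse_dump(dump: str) -> list:
    """Return (login, site) pairs, skipping blank or malformed lines."""
    pairs = []
    for line in dump.splitlines():
        login, sep, site = line.strip().partition(",")
        if sep and login and site:
            pairs.append((login.lower(), site.lower()))
    return pairs

def classify(login: str, site: str, reuse_count: int) -> str:
    """Return 'block_now', 'review' or 'notify' for one leaked record."""
    local, _, domain = login.rpartition("@")
    if domain.endswith(SENSITIVE_TLDS) or site.endswith(SENSITIVE_TLDS):
        return "block_now"  # government, military, intergovernmental
    if local in ADMIN_NAMES:
        return "block_now"  # administrator account, whatever the site
    if any(w in domain or w in site for w in FINANCE_WORDS):
        return "review"  # bank, shop, payment: verify with the owner
    if reuse_count > 1:
        return "review"  # same login leaked from several sites: likely reused
    return "notify"  # everyone else still gets a password-reset notice

def triage(dump: str) -> dict:
    """Bucket unique logins by urgency; the most urgent rule wins."""
    pairs = parse_dump(dump)
    reuse = Counter(login for login, _ in pairs)
    buckets = defaultdict(set)
    for login, site in pairs:
        buckets[classify(login, site, reuse[login])].add(login)
    return {k: sorted(v) for k, v in buckets.items()}
```

Running `triage(SAMPLE_DUMP)` puts four logins in `block_now`, two in `review` (one because it appears on two sites) and one in `notify`.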
who do they think they are ?
Do they have worldwide local knowledge about the importance of each local website ? Do they have the resources to treat and check every question for information from millions of enterprises and billions of people (if they ever)
Do they have the machine power to treat all that ?
Are they secure enough to treat so much information and protect it, even though they have said that they have somewhere billions of data records on their systems and billions of new records coming in through web forms and mails (the biggest honeypot of the world in fact)
NO they act as pirates and thieves and as if they are not bound by rules and laws and can do with the data as they please - which is not the case
so if I was the EFF, FTC, FBI or any other organisation I would take them to court
(and by the way the NSA can ask for a copy so they can stop spying for a while :). No but it would be the first productive way to use all that enormous computer power that has been assembled in the desert to double-check all that information and prioritize it and take the necessary actions (under the guidance of an international commission)
and you know after all that - everybody in the world will be happy that the NSA had all that supercomputer power for the best of all of us and that it could be used in the best way possible
and from the site itself
it was a three step operation
step 1 : buy a set of logins on the black market and use it to get access to systems and email addresses
step 2 : use the information gathered by botnets about infected systems
step 3 : scan the web for vulnerable MySQL systems (injection) and pump the data from these databases
by the way it is very easy to check whether your MySQL site has injection problems, there are tools for that, even before you publish it on the web, and if you have a MySQL website you should check this (this mistake has been known since the beginning of the year 2000 and should be common knowledge among everybody who pretends to work on the web or to know what he is doing)
so it is amazing that 450.000 websites actually on the web and with logins and other operations still have SQL injection problems that lead to data leakage
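The check described above, as an added example that is not code from the blog: a deliberately string-built lookup next to its parameterized form, both run against a constructed in-memory SQLite table, plus a small self-test of the kind a pre-publication tool performs (a value that matches nobody must return nothing, even when it carries an always-true SQL tail). Table layout and rows are constructed.

```python
"""SQL injection check on a lookup function (added illustration, not the blog's code).
Builds an in-memory SQLite table with constructed rows and shows why string-built
SQL leaks every row while a parameterized query treats the same input as data."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed user table; the hashes are placeholders, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (email, pw_hash) VALUES (?, ?)",
                     [("alice@example.org", "hash-a"), ("bob@example.org", "hash-b")])
    return conn

def lookup_unsafe(conn, email: str) -> list:
    """Deliberately vulnerable: the input is spliced into the SQL text."""
    query = f"SELECT email FROM users WHERE email = '{email}' ORDER BY email"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, email: str) -> list:
    """Hardened: the driver binds the input as a value, never as SQL."""
    query = "SELECT email FROM users WHERE email = ? ORDER BY email"
    return [row[0] for row in conn.execute(query, (email,))]

def is_injectable(lookup, conn) -> bool:
    """Pre-publication self-test in the spirit of the tools the text mentions:
    a value that matches nobody must return nothing, even when it carries an
    always-true SQL tail. Extra rows mean the input reached the SQL parser."""
    nobody = "nobody@example.invalid"
    probe = nobody + "' OR '1'='1"        # classic tautology, used only as a test
    try:
        return lookup(conn, probe) != lookup(conn, nobody)
    except sqlite3.Error:
        return True                       # a SQL syntax error also means injection

def demo() -> tuple:
    """Run both lookups against the same probe: (unsafe rows, safe rows)."""
    conn = make_db()
    probe = "x' OR '1'='1"
    return lookup_unsafe(conn, probe), lookup_safe(conn, probe)
```

`demo()` returns every row from the unsafe lookup and an empty list from the parameterized one; `is_injectable` reports `True` only for the unsafe version.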
this means in fact that
* privacy commissions and other controlling agencies will need to oblige online operations that hold personal or financial information to be certified by certified controllers that they have no such mistakes and oblige them to repeat this check every so many weeks or months
* cyber insurers will also need that kind of certification
* hosters and ISPs will need to install application firewalls that stop all known SQL injection discovery scanning and execution
* website owners will need to think twice about whether they want to receive and secure the information themselves or use third-party services like Google or Facebook for simple logins or third-party payment operators for transactions
they can use that information to
* send spam mails from email accounts without being discovered (so you should look at what mails are going OUT of your mailbox); they also have in their possession half a million email addresses they can connect to the logins (if your login for your email address is not unique, as it should be)
* they also robbed login data from FTP sites
* place pages on websites for which they have the administrative accounts
* place comments on forums with logins from others
the worst thing to do would be
* sell it to anyone offering a few million to really steal money or information
passwords are NOT security, only two-factor authentication is
not publishing the hacked websites which are insecure is security by obscurity and is the worst thing that could happen, because those websites will continue as if nothing happened and nobody will care
"A number of Iranian Tor users have reported that Tor no longer works out of the box in Iran, and the Tor Metrics portal shows a corresponding drop in the number of directly-connecting users there. Collin Anderson investigated the situation and reported that the Telecommunication Company of Iran had begun blocking the Tor network by blacklisting connections to Tor’s directory authorities. Tor users can circumvent this block by getting bridges from BridgeDB and entering the bridge addresses they receive into their Tor Browser." from TOR