the same that was used earlier by North Koreans against South Korea
it means that all certificates from Sony will have to be changed - what we said earlier
"According to the security firm, the flaws can be exploited by attackers to achieve a complete Java VM security sandbox escape, as well as to execute an arbitrary code. The researchers estimate that the number of issues is "30+ in total."
it is a bit cloudy with heavy storms expected in some programming and security departments, while it will be icy in the management departments of Google App Engine
sunshine is expected later this week when the security researchers and Google exchange their results and start working on solutions
I never liked Java because I think it is too open and too insecure, and maybe I will like it one day when they change course the way Microsoft did and become more closed, better monitored, with a huge security infrastructure, a set of clear procedures and frequent updates
"Prins, the researcher whose company was hired to investigate the Belgacom hack, has no doubts. Based on Snowden documents leaked last year and the analysis that his company has done of the Regin malware, Prins said he is fully convinced that the NSA and the GCHQ are behind Regin.
Both UNITEDRAKE and STRAIGHTBIZARRE are part of the Regin framework. You can find them in the ANT catalog. https://t.co/TFsdlI8JOW
— Ronald Prins (@cryptoron) November 24, 2014
UNITEDRAKE and STRAIGHTBIZARRE are codenames of NSA programs, according to leaked documents. While those codenames are not mentioned in the malware, Prins explained that their description in the Snowden documents matches with "the functionality of parts of the Regin framework."
Kaspersky researchers, however, did find codenames of a somewhat similar style inside parts of the Regin malware.
#Regin internal module codenames: LEGSPINv2.6, WILLISCHECKv2.0, HOPSCOTCH.
— Costin Raiu (@craiu) November 24, 2014
except if this is done to fool everybody and it is the Russians installing it to follow the mobile phones of NSA agents in the Middle East
it seems logical, but in the spy world the fact that something seems logical does not make it the right answer - it is the normal and fast answer, but not necessarily the only possible answer
except that in this case the infections at Belgacom coincide with the Snowden files that come from the intranet of the NSA - so there are two independent sources
"This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from Symantec, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which described Regin and its U.S. connections the following day. Both Kaspersky and F-Secure soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009.
So why did these companies all keep Regin a secret for so long? And why did they leave us vulnerable for all this time? To get an answer, we have to disentangle two things. Near as we can tell, all the companies had added signatures for Regin to their detection database long before last month. The VirusTotal website has a signature for Regin as of 2011. Both Microsoft security and F-Secure started detecting and removing it that year as well. Symantec has protected its users against Regin since 2013, although it certainly added the VirusTotal signature in 2011.
Entirely separately and seemingly independently, all of these companies decided not to publicly discuss Regin’s existence until after Symantec and the Intercept did so. Reasons given vary. Mikko Hypponen of F-Secure said that specific customers asked him not to discuss the malware that had been found on their networks. Fox IT, which was hired to remove Regin from the Belgian phone company Belgacom’s website, didn’t say anything about what it discovered because it “didn’t want to interfere with NSA/GCHQ operations.”
My guess is that none of the companies wanted to go public with an incomplete picture. Unlike criminal malware, government-grade malware can be hard to figure out. It’s much more elusive and complicated. It is constantly updated. Regin is made up of multiple modules—Fox IT called it “a full framework of a lot of species of malware”—making it even harder to figure out what’s going on. Regin has also been used sparingly, against only a select few targets, making it hard to get samples. When you make a press splash by identifying a piece of malware, you want to have the whole story. Apparently, no one felt they had that with Regin."
we have information that there are newer versions of Regin and that there would also be a Regin version for Linux and Unix machines - but as you should have understood from the article above, our sources are not allowed to talk, nor to give us such versions
but Fox-IT also said so because it describes Regin as something made up of modules, a platform, of which nobody has all the different parts
this is why a Regin working group would have to be formed between the biggest security companies
the sensationalistic stories from the AV companies that have come out with some information pose more questions than they answer, and are supposed to make us feel safe because they have discovered some files, some destinations or some functions of the virus
at the same time some antivirus products seem to have become much stricter about the processes of normal software, and in a complicated network with an enormous list of old and diverse software they cause big problems because they start blocking processes and files they didn't even look at before
this means that whitelisting and program management functionality is a necessary part of any security package that you would install nowadays in your business-critical environment
first they used open and vulnerable networks of universities and hotels to attack, extract and publish
"An Internet Protocol address the malware used to communicate with the hackers was also located at a university in Thailand, this person said. Hackers often take advantage of open university networks in initiating attacks. Katie Roberts, a spokeswoman for Starwood Hotels & Resorts Worldwide Inc. (HOT), which owns the St. Regis Bangkok, didn’t respond to emails seeking comment.
If the hackers were indeed at the St. Regis Hotel in Bangkok, they were essentially hiding in plain sight by using a busy wireless network available to hundreds of guests."
this also says something about the security of the networks they are offering their clients, if hackers can get in and out and abuse them at will
secondly, after they had penetrated the network and extracted the information (just look at the dates of the different packages they are leaking), they decided to destroy as much as possible, and they launched that attack very fast
"Kurt Baumgartner, principal security researcher at Kaspersky Lab in Denver, Colorado, also found similarities. As in South Korea, the destructive programs were compiled less than 48 hours before the attack, he said. In both instances, the hackers also defaced websites with skeleton images and vaguely political messages."
this means that your incident response team should have the resources, the instruments and the authority to intervene immediately across the whole network if such a 'wiper attack' is happening, and should not have to wait for other people to begin to understand what is happening while they hold on to their authority and the whole network disappears at an ever increasing rate
get a Snort in your network
" After the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.we...), I've made the next update of the software. On the 23rd of October DAVOSET v.1.2.1 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I Also yesterday I opened a repository for DAVOSET: https://github.com/MustLive/DAVOSET Download DAVOSET v.1.2.1: http://websecurity.com.ua/uploads/2014/DAVOSET_v.1.2.1.rar In the new version support was added for attacks via WordPress, based on the XML support present since v.1.1.2 (released on 31.07.2013). After the vulnerability in the XML-RPC PingBack API in WordPress was found last year, I added support for XML in DAVOSET (to use with XXE vulnerabilities, but it can also be used with this vulnerability). After that people asked me many times to add this support, but nobody wanted to do it themselves, so I added it. Also new services were added to both lists of zombies and non-working services were removed from the lists of zombies. In total there are 175 zombie-services in the list. I added 3 and removed 18 zombie-services. I removed a lot of vulnerable sites from the lists, because admins started fixing holes on their web sites in summer - after a significant increase in the use of my tool."
which means that if your site or web service is vulnerable it can now not only be hacked but also abused to attack other sites with a DDoS, eating up your traffic allowance (if you don't have an unlimited account) or getting your blog or site taken off the web because it is being abused in such an attack
this only makes sense if somebody who knows Russian makes sense of it all and translates it into English
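The pingback abuse described above has a recognisable footprint on the site being attacked: the zombie WordPress installations fetch the victim URL to "verify" the pingback, each announcing itself with WordPress's outbound user agent ("WordPress/version; site-url"). The following detector, written for this post as an added example (it is not part of DAVOSET or of the original text; the log lines and thresholds are constructed), parses combined-format access logs and flags any path fetched by several distinct WordPress sites inside a short window, which is the signature of amplification rather than of one blog legitimately linking to you.

```python
"""Detect a WordPress pingback amplification flood in a web server access log.

Added example, not code from the original post or from DAVOSET.
The sample log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# User agent WordPress uses for its own outbound HTTP requests (pingback verification included).
PINGBACK_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<site>https?://\S+)')

SAMPLE_LOG = """\
203.0.113.10 - - [23/Oct/2014:10:00:01 +0000] "GET /big-report.pdf HTTP/1.1" 200 5120000 "-" "WordPress/4.0; http://zombie-a.example"
203.0.113.11 - - [23/Oct/2014:10:00:02 +0000] "GET /big-report.pdf HTTP/1.1" 200 5120000 "-" "WordPress/3.9.2; http://zombie-b.example"
198.51.100.7 - - [23/Oct/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.12 - - [23/Oct/2014:10:00:04 +0000] "GET /big-report.pdf HTTP/1.1" 200 5120000 "-" "WordPress/4.0; http://zombie-c.example"
203.0.113.13 - - [23/Oct/2014:10:00:05 +0000] "GET /big-report.pdf HTTP/1.1" 200 5120000 "-" "WordPress/4.0; http://zombie-d.example"
203.0.113.50 - - [23/Oct/2014:11:30:00 +0000] "GET /blog/post-1 HTTP/1.1" 200 8000 "-" "WordPress/4.0; http://friendly-blog.example"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line; 'zombie' is the announcing WordPress site or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ua = PINGBACK_UA_RE.match(rec["ua"])
    rec["zombie"] = ua.group("site") if ua else None
    return rec


def detect_pingback_flood(lines, window=timedelta(seconds=60), min_zombies=3):
    """Return {path: (hits_in_busiest_window, sorted zombie sites)} for every path
    fetched by at least `min_zombies` distinct WordPress sites within `window`.
    Counting distinct *sites* rather than IPs is the point: a legitimate pingback
    comes from the one blog that linked to you, amplification comes from many."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["zombie"]:
            by_path[rec["path"]].append((rec["time"], rec["zombie"]))
    found = {}
    for path, events in by_path.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so that events[start..end] all fall inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            sites = {site for _, site in events[start:end + 1]}
            hits = end - start + 1
            if len(sites) >= min_zombies and (path not in found or hits > found[path][0]):
                found[path] = (hits, sorted(sites))
    return found


if __name__ == "__main__":
    for path, (hits, sites) in detect_pingback_flood(SAMPLE_LOG).items():
        print(f"{path}: {hits} pingback fetches from {len(sites)} sites: {', '.join(sites)}")
```

On the other side of the attack, a WordPress site that is being used as a zombie can stop offering the method at all by removing `pingback.ping` from the list returned through the `xmlrpc_methods` filter; the detector above is for the site on the receiving end.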
just like anybody else in the intelligence business, I think
more can be found here https://www.youtube.com/channel/UCAXdfFRi-lhKqlKV1JLSCsQ
"Earlier this month a new paper by Naomi Benger, Joop van de Pol, Nigel Smart, and Yuval Yarom hit the news. The paper explains how to recover secret keys from OpenSSL's implementation of ECDSA-secp256k1 using timing information from "as little as 200 signatures"; ECDSA-secp256k1 is the signature system used by Bitcoin. The timing information is collected by an attack process running on the same machine, but the process doesn't need any privileges; I don't see any obstacle to running the attack process in a separate virtual machine. Earlier papers by Yarom and Katrina Falkner and Yarom and Benger had explained how to carry out similarly efficient attacks against various implementations of RSA and binary-field ECDSA.
These attacks are what I call "cache-timing attacks": they exploit data flow
- from secrets to load/store addresses and
- from load/store addresses to attacker-visible differences in timing between different addresses.
For comparison, conventional timing attacks exploit data flow
- from secrets to the program counter (i.e., the instruction address as a function of time) and
- from the program counter to attacker-visible differences in timing between different instruction addresses.
In both cases the second part of the data flow is built into chips, but the first part is built into the software.
Did the software designers have to allow data flow from secrets to addresses? "Obviously not!" say the theoreticians. "Everybody knows that any computation using branches and random access to data can be efficiently simulated by a computation that accesses only a predefined public sequence of instructions and a predefined public sequence of memory locations. Didn't you take a course in computational complexity theory? If the software designers had done a better job then this attack would never have worked."
I have a different view. I blame this attack on the ECDSA designers. Every natural implementation of ECDSA makes heavy use of secret branches and secret array indices. Eliminating these secrets makes the code much more complicated and much slower. (The theoreticians are blind to these problems: their notion of "efficient" uses an oversimplified cost metric.) The ECDSA designers are practically begging the implementors to create variable-time software, so it's not a surprise that the implementors oblige."
if the design is insecure, everything that follows and uses it will be insecure, and you only have to wait until it is discovered, manipulated and made so easy that it can be automated
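The data-flow argument in the quoted post (secret to load/store address, address to attacker-visible timing) can be made concrete without any cache: record which indices a lookup touches and treat that trace as what the attacker sees. The example below is added here and is not code from the quoted post or from OpenSSL; `TracedTable` is a constructed stand-in for "attacker-visible addresses". A direct table index leaks the secret in its trace, while a select that reads every entry in a fixed order and keeps the wanted one by masking has the same trace for every secret; the same masking trick gives a branch-free conditional swap, the building block that lets a scalar-multiplication ladder avoid secret branches. Python is used only to show the transformation; in a real implementation it is done in C or assembly and checked on the generated machine code, since an interpreter gives no timing guarantees of its own.

```python
"""Secret-dependent memory addresses versus a fixed access pattern.

Added example, not code from the quoted post or from OpenSSL. TracedTable is
a constructed stand-in for the attacker's view of which addresses were touched.
"""


class TracedTable:
    """A list that records every index it is asked for (the 'address trace')."""

    def __init__(self, values):
        self._values = list(values)
        self.trace = []

    def __len__(self):
        return len(self._values)

    def __getitem__(self, i):
        self.trace.append(i)
        return self._values[i]


def naive_lookup(table, secret_index):
    """Variable-address lookup: the address touched *is* the secret."""
    return table[secret_index]


def ct_eq_mask(a, b, bits=32):
    """All-ones mask (-1) when a == b, 0 otherwise, computed without branching on a or b."""
    x = (a ^ b) & ((1 << bits) - 1)
    borrow = ((x - 1) >> bits) & 1   # 1 exactly when x == 0 (x - 1 underflows)
    return -borrow                   # -1 selects everything under &, 0 selects nothing


def ct_select(table, secret_index, bits=32):
    """Read every entry in the same order regardless of the secret; keep the wanted one by masking."""
    result = 0
    for i in range(len(table)):
        result |= ct_eq_mask(i, secret_index, bits) & table[i]
    return result


def ct_cswap(a, b, swap):
    """Swap a and b if swap == 1, leave them if swap == 0, with no branch on swap."""
    m = -(swap & 1)          # 0 or -1
    t = m & (a ^ b)
    return a ^ t, b ^ t


def access_trace(values, secret_index, lookup):
    """Run `lookup` over a traced copy of `values` and return the indices it touched."""
    t = TracedTable(values)
    lookup(t, secret_index)
    return tuple(t.trace)


# Constructed 8-entry table (first bytes of the AES S-box, used only as sample data).
SBOX = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5]

if __name__ == "__main__":
    for secret in (2, 5):
        print("secret", secret,
              "naive trace:", access_trace(SBOX, secret, naive_lookup),
              "ct trace:", access_trace(SBOX, secret, ct_select))
```

The cost the quoted post talks about is visible here as well: `ct_select` reads all eight entries for every lookup, and a real S-box or precomputed-point table is far larger than eight entries.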
the pedophile service has come into the news after an article in the British press which says that it links pedophiles and families that want to give their children to pedophiles.
First the site was free, but in 2013 it became - like so many pedophile services, because this is (big) business - based upon payment (follow the money I would say, this is the simplest method of investigation and in 2013 there was no bitcoin)
Secondly read this post (from the Google search site:familiy4.com)
All IP addresses are recorded for security reasons, and will be given to the correct authorized if requested. All photos uploaded should be owned to yourself and"
so here you may find a full list of the IP addresses, you don't have to ask the hoster or ISP for it
thirdly there is much of it in the Google cache because they are not upgrading the server - if it ever comes back up again
now if you insert, for example, France or the name of another country you may find the discussions between members from that country (in the cache of the link)
so happy hunting, because it seems that there are some children that will need to be rescued from couples and swaps that were made through this site - in or between countries
Fourth, I would also have a look at this information (referrals for one). Oh, and the web server is in the US, so it won't be that difficult to get hold of the server and everything that is on it. The server also hosts a mail server which you would have to get your hands on too.
and I would surely have an even better look at this site, which seems like a kind of index of incest and pedophile site services online
"“The FBI is providing the following information with HIGH confidence,” the note reads, according to one person who received it and described it to WIRED. “Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”
The FBI memo lists the names of the malware’s payload files—usbdrv3_32bit.sys and usbdrv3_64bit.sys.
It’s unclear if these files were found on Sony systems. So far there have been no news reports indicating that data on the Sony machines was destroyed or that master boot records were overwritten. A Sony spokeswoman only indicated to Reuters that the company has “restored a number of important services.”" http://www.wired.com/2014/12/sony-hack-what-we-know/
it is also intriguing to see the name usbdrv - maybe that is an indication that they are using USB drivers or exploits to attack the system
the fact that they have been rewritten for 64-bit shows that it is necessary nowadays for 32-bit viruses to have a 64-bit version to make an impact
the fact that they are .sys files shows that they were infecting the program files, the system files and probably the kernel and core of the system - they took the name of something used by other software in order to hide, and as these files are not signed and not checked it is easy to do this
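The memo quoted above describes malware that overwrites the master boot record. The first triage step on a suspect host's disk image is to read sector 0 and test the invariants a real MBR satisfies: the 0x55AA boot signature, a partition table whose in-use entries have sane boot flags and non-zero start/length, and boot code that is not just a repeated fill byte. The checker below is an added example written for this post (not from the FBI memo, Wired, or any named tool); the "good" and "wiped" sectors are constructed inline so it runs offline, and `read_sector0` is the only part that touches a real image.

```python
"""Check whether a disk's first sector still looks like a valid MBR.

Added example, not from the FBI memo or the Wired article quoted above.
The two sample sectors are constructed for this example.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
ENTRY_OFF = 446          # four 16-byte partition entries start here
BOOT_CODE_LEN = 440      # boot code precedes the 4-byte disk signature + 2 reserved bytes


def parse_partitions(sector):
    """Return the four primary partition entries as dicts."""
    parts = []
    for n in range(4):
        boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, ENTRY_OFF + 16 * n)
        parts.append({"boot": boot, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def mbr_check(sector):
    """Return (ok, reasons): ok is True only when every invariant holds."""
    if len(sector) != SECTOR:
        return False, ["sector is not 512 bytes"]
    reasons = []
    if sector[510:512] != BOOT_SIG:
        reasons.append("boot signature 0x55AA missing")
    parts = parse_partitions(sector)
    if not any(p["type"] != 0 for p in parts):
        reasons.append("no partition entries in use")
    for i, p in enumerate(parts):
        if p["boot"] not in (0x00, 0x80):
            reasons.append(f"entry {i}: invalid boot flag 0x{p['boot']:02x}")
        if p["type"] != 0 and (p["lba_start"] == 0 or p["sectors"] == 0):
            reasons.append(f"entry {i}: in use but zero start/length")
    boot_code = sector[:BOOT_CODE_LEN]
    if all(b == boot_code[0] for b in boot_code):
        reasons.append("boot code area is a single repeated byte (wiped?)")
    return not reasons, reasons


def read_sector0(path):
    """Read sector 0 from a raw image or block device (e.g. an E01 export or /dev/sdX)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr():
    """Constructed, minimal but well-formed MBR with one bootable NTFS partition."""
    boot_code = bytes(i & 0xFF for i in range(BOOT_CODE_LEN))   # stand-in for real boot code
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48                                # three unused entries
    return boot_code + disk_sig + table + BOOT_SIG


WIPED_SECTOR = b"\x00" * SECTOR   # what an overwritten sector 0 typically looks like

if __name__ == "__main__":
    for label, sec in (("sample", build_sample_mbr()), ("wiped", WIPED_SECTOR)):
        ok, reasons = mbr_check(sec)
        print(label, "OK" if ok else "SUSPECT: " + "; ".join(reasons))
```

A failing check is a reason to image the disk before anything else: once the MBR is gone the partition boundaries have to be recovered by carving, which is the "difficult and costly" recovery the memo refers to.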
the operation itself was probably done the same way the #Belgacomhack was done, and that is through the accounts of the network operators (again). Only here it was not to get certain specific information from certain specific installations but to destroy and leak everything, or as much as possible, over a 6 month period (six months is what the operational scenarios for total network compromise give as a standard period to take over, or 'own', a whole network).
Intelligence operations have goals. If you want to understand them you should understand the goals of the intelligence operations otherwise you won't know what will happen next and you have no idea how to secure what data they were after.
Also, these are operations, which means that they have been prepared some time in advance, executed in different phases, followed up and evaluated or adjusted to make sure they had the maximum effect with the least possibility of discovery. Extraction and destruction of evidence is as important in such an operation as getting the information.
The Belgacom hack was probably a US intelligence operation to get information from some mobile phone installations on the BICS network because at that time - just a supposition - the US administration was going after Bin Laden and they had only ONE lead, and that was the couriers between Bin Laden and the rest of the organisation. Those people used their mobile phones from time to time but under strict rules of operational security (for example only a few hundred meters after they had left the building, and when they were not phoning they also removed the battery). Those couriers sometimes also took calls from other countries. Not sure there is a link, but I can imagine (it is maybe just imagination) that somebody said: whatever the effort, you have to get that data, and if it is too risky for discovery to go through the courts or the local operators, just go through the operators but get that data. I won't ask how you got it. And some people went out to try to get it. But as I said, that is just speculation (they may also have needed some information about other networks or cells or important people on the wanted list).
The Foreign Affairs hack was probably a Russian intelligence operation looking for information about how the European Commission and NATO were reacting to the continuing infiltration of Russian soldiers and tanks into Ukraine. In this high-level power game Putin wanted, just as Stalin during and after the Second World War, to have some spies or an intelligence operation so he could know what the mindset of his friends and opponents was at that moment, how they would react and what they were saying behind closed doors but not to him when they were sitting at the negotiating table. He had to know the real red lines beforehand. And where can you find the information about the European Commission and NATO in one place? In the country where both have their headquarters. And which administration is responsible for handling all these documents between the host country and the international organisations it is a member of? The Administration of Foreign Affairs. There are also people who think they were after another database.
The Sony hack was probably a North Korean intelligence operation as a response to a film they didn't like about the great dictator, who prefers to see himself as a father for his country. Well, he got mad as hell, and between the different options (dropping an atom bomb on Hollywood, protesting diplomatically, ...) destroying the company with a digital nuclear time bomb seemed like the best option. This is exactly what is happening. This operation probably started in June or somewhat before and ended with the publication of the first dataset and the timed destruction of the internal computers and servers. Now every company in the world knows that if it angers the North Korean dictator he will destroy it digitally, so you had better be prepared. If this was the goal, the message is received and understood.
So if these presumptions are right, then every intelligence service in the world worthy of its name is setting up intelligence operations in the digital world with political and intelligence goals, while respecting all the normal operational security rules of an intelligence operation (which makes them hard to attribute).
This is also the reason I think that for critical environments the security officer should not only have his medals from all his so-called exams and certificates but also a healthy dose of paranoia, and be able to play mind games or to think through how an intelligence operation against his network would be set up, what the weakest links would be, and at which moments they could still be discovered or might not have cleaned up their tracks.
It is only when you start reading books about information operations and intelligence that you start to really understand the Snowden files. For malware and IT analysts these are just processes, files, connections and incidents. For an intelligence operative these are phases in an intelligence operation that leads to a specific goal and has been prepared a long time before. (By the way, some of the scanning traffic against our infrastructure is also done by other intelligence agencies to put in their database, so when they want to set up an operation they already have all the practically important information.)
yep they have lost it all
and this is only a very small part of the leaked password files today
and this data package was made in ... October
they are all in the wild and will be used and abused in viruses and spam and phishing
and there are also a few more folders with certificates
it also shows that they had access to the network administrator servers and to the root of the servers - unless these were organised centrally and only that central server was compromised
Another question is what the browsers and the others will do now. If they are consistent with previous actions, they will declare all the Sony certificates invalid, which means Sony will in fact have to close down all its encrypted, certificate-protected logins and services until it has replaced all the certificates with new ones - if it can prove to the certificate provider that it has full control over its servers and the network
if the hackers really want to create havoc they will steal the new certificates too, just to prove that they are masters of the Sony network, which even with the best cyber defenses couldn't stop them from stealing that information without getting caught - unless it is a honeypot or trap, of course
this is an example of the PC's that were taken over
this is part of the 1600 Linux, Unix and sometimes VMware servers of all kinds
we said all the time that probably some backup servers were also impacted
well here it is
and this is from the list of Windows servers that were found on the network (of the 800)
you will see that there are even Windows 2000 machines still on the network and a lot of 2003 servers - this is really OLD
you also see an SMTP server
and what is also interesting is that the Excel file for the computers is dated JULY 2014 while those of the servers seem to have been made just yesterday.
well, this can mean that the operation started in July or earlier and that between those dates the operation was set up one step at a time, patiently working through each server, each file stack and each connection, preparing the next step and hiding your tracks
so this could mean that this wipe attack was just the explosion of thousands of time bombs that were placed to go off now - coinciding with the film, which supports the possibility that it was the North Koreans, as they mostly want their cyber attacks or hacks (becoming public) on certain specific dates or linked to certain events
you have to look through my other open intelligence sources to find the links, sorry guys, I have the lawyers from Mensura on my neck seeking revenge
it also means that there is no more secret information about the internal network of Sony, and it also shows that their internal network was enormously outdated, which makes them somewhat responsible for what has happened. If you don't have bunkers to isolate and protect your valuable data inside your network, you might as well place it online for everybody to download if your network itself is not secured or is penetrated (or your staff is infiltrated).
it means that they do have the keys to the castle and for the moment they can just walk in and out at free will
that is because you have no two-factor authentication but only passwords
passwords are not security
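What a second factor adds to a password is a per-user secret that never travels in the password file and a code that changes every 30 seconds. The implementation below, added here as an example (it is not code from the original post and uses only the Python standard library), is the standard HOTP/TOTP construction from RFC 4226 and RFC 6238: HMAC over a counter, dynamic truncation to a few digits, and a verifier that tolerates one step of clock drift and compares in constant time so the check itself is not a timing oracle. The test secret and the expected codes are the ones published in those RFCs.

```python
"""HOTP/TOTP second factor with a constant-time verifier (RFC 4226 / RFC 6238).

Added example, not part of the original post. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret, at_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP over the number of `step`-second intervals since the Unix epoch."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // step, digits, digestmod)


def verify_totp(secret, code, at_time=None, step=30, digits=6, skew=1):
    """Accept the current interval and `skew` intervals either side (clock drift).

    Every candidate is compared with hmac.compare_digest, so the time the check
    takes does not depend on which digits matched."""
    t = int(time.time() if at_time is None else at_time)
    counter = t // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), str(code)):
            return True
    return False


def secret_from_base32(s):
    """Authenticator apps are provisioned with a base32 secret (padding often omitted)."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890") and its base32 form.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("current code:", totp(RFC_SECRET))
    print("RFC 6238 vector T=59 ->", totp(RFC_SECRET, 59, digits=8))
```

Server-side, the per-user secret is stored encrypted and separately from the password hash, and a code is accepted at most once per interval; otherwise the leaked password files discussed above would be enough again.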
if you take 11 terabytes of files from one of the biggest companies, and you probably have a copy of not only the intranet and some mailboxes but also of a backup server, then this is the kind of thing that will happen
expect attacks in the future to go more often after these backup servers (if it is from a backup server - but even if it isn't, it is there that you can find the biggest collection of unencrypted files without much protection)