No trust without independent control - Page 7

  • #sony hack: two new facts that are important for security people to consider

    first, they used open and vulnerable networks of universities and hotels to attack, extract and publish

    "An Internet Protocol address the malware used to communicate with the hackers was also located at a university in Thailand, this person said. Hackers often take advantage of open university networks in initiating attacks. Katie Roberts, a spokeswoman for Starwood Hotels & Resorts Worldwide Inc. (HOT), which owns the St. Regis Bangkok, didn’t respond to emails seeking comment.


    If the hackers were indeed at the St. Regis Hotel in Bangkok, they were essentially hiding in plain sight by using a busy wireless network available to hundreds of guests.
    http://www.bloomberg.com/news/2014-12-07/sony-s-darkseoul-breach-stretched-from-thai-hotel-to-hollywood.html

    this also says something about the security of the networks they offer their clients, if hackers can get in and out and abuse them at will

    secondly, after they had penetrated the network and extracted the information (just look at the dates of the different packages they are leaking), they decided to destroy as much as possible, and they launched that attack very fast

    "Kurt Baumgartner, principal security researcher at Kaspersky Lab in Denver, Colorado, also found similarities. As in South Korea, the destructive programs were compiled less than 48 hours before the attack, he said. In both instances, the hackers also defaced websites with skeleton images and vaguely political messages
    http://www.bloomberg.com/news/2014-12-07/sony-s-darkseoul-breach-stretched-from-thai-hotel-to-hollywood.html

    this means that your incident response team should have the resources, the instruments and the authority to intervene immediately across the whole network if such a 'wiper attack' is happening, and should not have to wait for other people to begin to understand what is happening while they hold on to their authority and the whole network is disappearing at an ever increasing rate

    get Snort in your network

  • #ukraine : the fall of the Ruble in one pic

    source http://www.bloomberg.com/news/2014-12-07/ruble-s-rout-is-tale-of-failed-threats-missteps-and-blown-cash.html

    let's hope that this will force Putin to come back to his senses

  • tool that abuses vulnerabilities in other sites to DDoS sites off the web

    "After the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I have made the next update of the software. On the 23rd of October DAVOSET v.1.2.1 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I Also, yesterday I opened a repository for DAVOSET: https://github.com/MustLive/DAVOSET Download DAVOSET v.1.2.1: http://websecurity.com.ua/uploads/2014/DAVOSET_v.1.2.1.rar In the new version, support was added for attacks via WordPress, based on the XML support present since v.1.1.2 (released on 31.07.2013). After the vulnerability in the XML-RPC PingBack API in WordPress was found last year, I added XML support to DAVOSET (to use with XXE vulnerabilities, but it can also be used with this vulnerability). After that, people asked me many times to add this support, but nobody wanted to do it themselves, so I added it. Also, new services were added to both lists of zombies and non-working services were removed from the lists of zombies. In total there are 175 zombie-services in the list. I added 3 and removed 18 zombie-services. I removed a lot of vulnerable sites from the lists, because admins started fixing the holes on their web sites in the summer - after a significant increase in the use of my tool.
    http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-October/009057.html

    which means that if your site or web service is vulnerable, it can now not only be hacked but also be abused to attack other sites with a DDoS, eating up your traffic (if you don't have an unlimited account) or getting your blog or site taken off the web because it is being abused in such an attack
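    A detection-side illustration of the abuse described above, added here as an example (it is not code from this page or from the DAVOSET project). It parses constructed Apache-style access-log lines and flags, from the zombie's side, bursts of POST /xmlrpc.php from one source and, from the target's side, page fetches announced by many distinct WordPress user-agents (the fetch a pingback makes on the zombie's behalf). Every address, host name, timestamp and threshold is made up for the example; the "WordPress/<version>; <site URL>" user-agent shape is what WordPress's HTTP client sends and is assumed here to be unchanged.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (all
# addresses, host names and timestamps are made up for this example).
# Lines 1-4: a WordPress site being driven as a pingback zombie
# (repeated POST /xmlrpc.php from one source).
# Lines 5-7: a target being fetched by several distinct WordPress installs.
# Line 8: ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Dec/2014:09:00:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2014:09:00:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2014:09:00:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2014:09:00:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Dec/2014:09:00:03 +0100] "GET /?12345 HTTP/1.0" 200 51200 "-" "WordPress/4.0; http://blog-a.example"
203.0.113.11 - - [10/Dec/2014:09:00:03 +0100] "GET /?12346 HTTP/1.0" 200 51200 "-" "WordPress/3.9; http://blog-b.example"
203.0.113.12 - - [10/Dec/2014:09:00:04 +0100] "GET /?12347 HTTP/1.0" 200 51200 "-" "WordPress/4.0; http://blog-c.example"
192.0.2.5 - - [10/Dec/2014:09:00:05 +0100] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_zombie_use(lines, window=timedelta(seconds=10), threshold=3):
    """Your own WordPress site is being used as a zombie: count POSTs to
    /xmlrpc.php per source address inside a sliding time window and return
    {ip: peak count} for every address that reaches the threshold."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def detect_target_of_pingback_flood(lines, min_distinct_sources=3):
    """Your site is the target: count GETs whose user-agent announces a
    WordPress install and return {user_agent: hits} once they come from at
    least min_distinct_sources different origin sites, else {}."""
    origins = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["ua"].startswith("WordPress/"):
            origins[rec["ua"]] += 1
    return dict(origins) if len(origins) >= min_distinct_sources else {}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("zombie use:", detect_zombie_use(lines))
    print("pingback flood sources:", detect_target_of_pingback_flood(lines))
```

    The two checks answer the two questions the post raises: whether your own site is being driven by the tool (the first) and whether it is the site being hit (the second). Thresholds this low only fit the tiny sample; on a real site tune them against normal xmlrpc.php traffic first.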

  • Ukrainian cyber-forces hacked the Russian Ministry of the Interior and leaked documents

    source https://www.youtube.com/watch?v=wyBZp4UXvCI

    this only makes sense if somebody who knows Russian makes sense of it all and translates it into English

  • Ukrainian cyber-forces hack security cameras for real-time espionage online

    just like anybody else in the intelligence business, I think

    more can be found here https://www.youtube.com/channel/UCAXdfFRi-lhKqlKV1JLSCsQ

  • researchers break the OpenSSL implementation used by Bitcoin with timing data from only 200 signatures

    "Earlier this month a new paper by Naomi Benger, Joop van de Pol, Nigel Smart, and Yuval Yarom hit the news. The paper explains how to recover secret keys from OpenSSL's implementation of ECDSA-secp256k1 using timing information from "as little as 200 signatures"; ECDSA-secp256k1 is the signature system used by Bitcoin. The timing information is collected by an attack process running on the same machine, but the process doesn't need any privileges; I don't see any obstacle to running the attack process in a separate virtual machine. Earlier papers by Yarom and Katrina Falkner and Yarom and Benger had explained how to carry out similarly efficient attacks against various implementations of RSA and binary-field ECDSA.


    These attacks are what I call "cache-timing attacks": they exploit data flow


    1. from secrets to load/store addresses and
    2. from load/store addresses to attacker-visible differences in timing between different addresses.


    For comparison, conventional timing attacks exploit data flow


    1. from secrets to the program counter (i.e., the instruction address as a function of time) and
    2. from the program counter to attacker-visible differences in timing between different instruction addresses.


    In both cases the second part of the data flow is built into chips, but the first part is built into the software.


    Did the software designers have to allow data flow from secrets to addresses? "Obviously not!" say the theoreticians. "Everybody knows that any computation using branches and random access to data can be efficiently simulated by a computation that accesses only a predefined public sequence of instructions and a predefined public sequence of memory locations. Didn't you take a course in computational complexity theory? If the software designers had done a better job then this attack would never have worked."


    I have a different view. I blame this attack on the ECDSA designers. Every natural implementation of ECDSA makes heavy use of secret branches and secret array indices. Eliminating these secrets makes the code much more complicated and much slower. (The theoreticians are blind to these problems: their notion of "efficient" uses an oversimplified cost metric.) The ECDSA designers are practically begging the implementors to create variable-time software, so it's not a surprise that the implementors oblige
    http://blog.cr.yp.to/20140323-ecdsa.html

    if the design is insecure, everything that follows and uses it will be insecure, and you only have to wait until it is discovered, manipulated and made so easy that it can be automated
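    To make the two data flows in the quoted post concrete, here is an added illustration (my own example, not code from the post or from OpenSSL). Toy modular exponentiation stands in for ECDSA scalar multiplication, since both are double-and-add loops over the bits of a secret: the naive version branches on every secret bit, so the sequence of executed operations (a stand-in for the program counter and the cache lines touched) depends on the key, while a Montgomery ladder with an arithmetic conditional swap executes the same operation sequence for every key. The modulus, generator and keys are constructed values, and because Python integers are not constant-time at the machine level this shows the structure of the data flow, not a real hardening.

```python
# Added illustration (not code from the quoted post or from OpenSSL) of the
# two data flows described above. Toy modular exponentiation stands in for
# ECDSA scalar multiplication: both are double-and-add loops over the bits
# of a secret. Python integers are not constant-time at the machine level,
# so this shows the structure of the data flow, not a real hardening.

P = 2 ** 127 - 1   # constructed toy modulus (a Mersenne prime)
G = 3              # constructed toy generator


def naive_pow(base, exp, p, trace):
    """Square-and-multiply with a branch on every secret bit.

    `trace` collects the sequence of executed operations, a stand-in for
    the program counter / instruction cache lines an attacker can observe.
    """
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % p
        trace.append("S")
        if bit == "1":                  # secret -> control flow -> timing
            result = result * base % p
            trace.append("M")
    return result


def ct_swap(swap, a, b):
    """Branch-free conditional swap; `swap` must be exactly 0 or 1."""
    mask = -swap                        # 0 -> 0, 1 -> all ones
    t = mask & (a ^ b)
    return a ^ t, b ^ t


def ladder_pow(base, exp, p, trace, nbits):
    """Montgomery ladder: the same two operations in the same order on
    every iteration, for a fixed number of iterations; the secret bit
    only chooses operands through ct_swap, never a branch or an index."""
    r0, r1 = 1, base                    # invariant: r1 == r0 * base
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = ct_swap(bit, r0, r1)
        r1 = r0 * r1 % p
        trace.append("M")
        r0 = r0 * r0 % p
        trace.append("S")
        r0, r1 = ct_swap(bit, r0, r1)
    return r0


def compare(k1, k2, nbits):
    """Return (naive traces differ, ladder traces differ, all results agree)."""
    tn1, tn2, tl1, tl2 = [], [], [], []
    n1, n2 = naive_pow(G, k1, P, tn1), naive_pow(G, k2, P, tn2)
    l1, l2 = ladder_pow(G, k1, P, tl1, nbits), ladder_pow(G, k2, P, tl2, nbits)
    agree = n1 == l1 == pow(G, k1, P) and n2 == l2 == pow(G, k2, P)
    return tn1 != tn2, tl1 != tl2, agree


if __name__ == "__main__":
    # two constructed 64-bit "secrets": the naive traces differ, the ladder
    # traces are identical, and all four results agree
    print(compare(0x9E3779B97F4A7C15, 0xC2B2AE3D27D4EB4F, 64))   # (True, False, True)
```

    The ladder is the "predefined public sequence of instructions" the theoreticians in the quote have in mind; the cost the post complains about is visible too, since the ladder always does one multiply and one square per bit where the naive loop skips the multiply on zero bits.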

  • eurobellen.nl hacked and leaked

    user ID, password and email address

  • the pedo service family4love.com has some interesting features for law enforcement

    the pedo service came into the news after an article in the British press which says that it links pedophiles and families that want to give their children to pedophiles.

    First, the site was free, but in 2013 it became paid - like so many pedo services, because this is (big) business (follow the money, I would say; this is the simplest method of investigation, and in 2013 there was no bitcoin)

    Secondly, read this post (from the Google search site:familiy4.com):

    F4L - Terms of Service

    family4love.com/help/terms

    All IP addresses are recorded for security reasons, and will be given to the correct authorized if requested. All photos uploaded should be owned to yourself and"

    so here you may find a full list of the IP addresses; you don't have to ask the hoster or ISP for it

    thirdly, much of it is in the Google cache because they are not upgrading the server - if it ever comes back up again

    https://www.google.be/search?q=site%3AFamily4Love.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:nl:official&client=firefox-a&channel=sb&gfe_rd=cr&ei=9HuEVKeSA4fFVIuGgJAE

    now if you add, for example, France or the name of another country, you may find the discussions between members from that country (in the cached copy of the link)

    so happy hunting, because it seems that there are some children who will need to be rescued from couples and swaps that were made through this site - within or between countries

    Fourth, I would also have a look at this information (referrals, for one). Oh, and the web server is in the US, so it won't be that difficult to get hold of the server and everything on it. The server also runs a mail server, which you would have to get your hands on as well.

    and I would surely have an even closer look at this site, which seems to be a kind of index of incest and pedo site services online

  • #sonyhack: the filenames of the malware are known to the FBI but are not found online or on VirusTotal

    "“The FBI is providing the following information with HIGH confidence,” the note reads, according to one person who received it and described it to WIRED. “Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”

    The FBI memo lists the names of the malware’s payload files—usbdrv3_32bit.sys and usbdrv3_64bit.sys.

    It’s unclear if these files were found on Sony systems. So far there have been no news reports indicating that data on the Sony machines was destroyed or that master boot records were overwritten. A Sony spokeswoman only indicated to Reuters that the company has “restored a number of important services.” http://www.wired.com/2014/12/sony-hack-what-we-know/

    it is also intriguing to see the name usbdrv - maybe that is an indication that they are using USB drivers or USB exploits to attack the system

    the fact that they have been rewritten for 64 bits shows that nowadays 32-bit viruses need a 64-bit version to make an impact

    the fact that they are .sys files shows that they were infecting the program files, the system files and probably the kernel and core of the system - they took the name of something used by other software in order to hide, and as these files are not signed and not checked, it is easy to do this

    the operation itself was probably done the same way the #Belgacomhack was done, and that is through the accounts of the network operators (again). Only here it was not to get certain specific information from certain specific installations, but to destroy and leak everything, or as much as possible, over a 6 month period (which is seen in the operational scenarios for total network compromise as a standard period to take over (own) a whole network).

  • #sonyhack #belgacomhack #foreignaffairshack are probably intelligence operations

    Intelligence operations have goals. If you want to understand them, you should understand the goals of the intelligence operation; otherwise you won't know what will happen next and you have no idea how to secure the data they were after.

    Also, they are operations; this means that they were prepared some time in advance, executed in different phases, and followed up and evaluated or adjusted to make sure that they had the maximum effect with the least possibility of discovery. Extraction and destruction of evidence is as important in such an operation as getting the information.

    The Belgacomhack was probably a US intelligence operation to get information from some mobile phone installations on the Bics network, because at that time - just a supposition - the US administration was going after Bin Laden and they had only ONE lead, and that was the couriers between Bin Laden and the rest of the organisation. Those people used their mobile phones from time to time, but under strict rules of operational security (for example only a few hundred meters after they had left the building, and when they were not phoning they also removed the battery). Those couriers sometimes also took calls from other countries. Not sure there is a link, but I can imagine (it is just imagination, maybe) that somebody said: whatever the effort, you have to get that data, and if it is too risky for discovery to go through the courts or the local operators, just go through the operators, but get that data; I won't ask how you got it. And some people went out to try to get it. But as I said, that is just speculation (they may also have needed some information about other networks or cells or important people on the wanted list)

    The Foreignaffairshack was probably a Russian intelligence operation looking for information about how the European Commission and NATO were reacting to the continuing infiltration of Russian soldiers and tanks into Ukraine. In this high-level power game Putin wanted, just as Stalin during and after the Second World War, to have some spies or an intelligence operation so he could know what the mindset of his friends and opponents was at the moment, how they would react, and what they were saying behind closed doors but not to him when they were sitting at the negotiating table. He had to know the real red lines beforehand. And where can you find the information about the European Commission and NATO in one place? In the country where both have their headquarters. And which administration is responsible for handling all these documents between the host country and the international organisations it is a member of? The Administration of Foreign Affairs. There are also people who think they were after another database.

    The Sonyhack was probably a North Korean intelligence operation in response to a film they didn't like about the great dictator, who prefers to see himself as a father to his country. Well, he got mad as hell, and among the different options (dropping an atom bomb on Hollywood, protesting diplomatically, ....) destroying the company with a digital nuclear time bomb seemed like the best option. This is exactly what is happening. This operation probably started in June or somewhat before and ended with the publication of the first dataset and the timed destruction of the internal computers and servers. Now every company in the world knows that if it angers the North Korean dictator he will destroy them digitally, so you had better be prepared. If this was the goal, the message is received and understood.

    So if these presumptions are right, then every intelligence service in the world worthy of its name is setting up intelligence operations in the digital world with political and intelligence goals, while respecting all the normal operational security rules of an intelligence operation (which makes them hard to attribute).

    This is also the reason I think that for critical environments the security officer should not only have the medals of all his so-called exams and certificates, but also a healthy dose of paranoia, and should be able to play mind games or to think through how an intelligence operation against his network would be set up, what the weakest links would be, and at which moments they could still be discovered or might not have cleaned up their tracks.

    It is only when you start reading books about information operations and intelligence that you start to really understand the Snowden files. For malware and IT analysts these are just processes, files, connections and incidents. For an intelligence operative these are phases in an intelligence operation that will lead to a specific goal and that have been prepared a long time before. (By the way, some of the scanning traffic on our infrastructure is also done by other intelligence agencies to put in their database, so when they want to set up an operation they already have all the practically important information.)

  • #sonyhack: Sony has in fact lost all of its passwords for everything

    yep, they have lost it all

    and this is only a very small part of the password files leaked today

    and this data package was made in ... October

  • #sonyhack: Sony will have to change all its certificates

    they are all in the wild and will be used and abused in viruses, spam and phishing

    and there are a few more folders with certificates

    it also shows that they had access to the network administrator servers and to the root of the servers - unless these were organised centrally and only that server was compromised

    Another question is what the browsers and the others will do now. If they are consistent with previous actions, they will now declare all the Sony certificates invalid, and so Sony will in fact have to close down all its encrypted, protected logins and services until it has replaced all the certificates with new ones - if it can prove to the certificate provider that it has full control over its servers and the network

    if the hackers really want to create havoc, they will steal the new certificates too, just to prove that they are masters of the Sony network, which even with the best cyber defenses couldn't stop them from stealing that information without getting caught - unless it is a honeypot or trap, of course

  • #sonyhack: this was a digital Waterloo for network defense; these files show everything was taken

    this is an example of the PCs that were taken over

    this is part of the 1600 Linux, Unix and sometimes VMware servers of all kinds

    we said all the time that probably some backup servers were also impacted

    well here it is

    and this is from the list of Windows servers that were found on the network (of the 800)

    you will see that there are even Windows 2000 machines still on the network and a lot of 2003 servers - this is really OLD

    you also see an SMTP server

    and what is also interesting is that the Excel file for the computers is dated JULY 2014 while those of the servers seem to have been made just yesterday.

    well, this can mean that the operation started somewhere in July or earlier, and that between those dates the operation was set up one step at a time, patiently working through each server, each file stack and each connection, preparing the next step and hiding your tracks

    so this could mean that this wipe attack was just the explosion of thousands of time bombs that were placed to go off now - coinciding with the film, which confirms the possibility that it was the North Koreans, as they mostly want their cyberattacks or hacks (becoming public) on certain specific dates or linked to certain events

    you have to look through my other open intelligence sources to find the links; sorry guys, I have the lawyers from Mensura on my neck seeking revenge

    it also means that there is no secret information left about the internal network of Sony, and it also shows that their internal network was enormously outdated, which makes them somewhat responsible for what has happened. If you don't have bunkers inside your network to isolate and protect your valuable data, you might as well put it online for everybody to download if your network itself is not secured or is penetrated (or your staff is infiltrated).

  • NATO defense expenditures for 2013 and what will surely change soon

    some countries bordering Russia or not that far from Russia will have to increase their budgets, and some are already announcing these new investments, new military strategies and cooperation agreements

    if you look at the table you will also better understand some of Putin's diplomatic efforts, from the beginning and lately

    the biggest question is whether NATO will stay united throughout this difficult period, because any time a coalition of countries has been faced with a persistent and overwhelming adversary who doesn't have to agree with anyone and doesn't have to comply with anything, there have been different strategies, defended rightly or wrongly by different groups, which gives the dictator on the opposite side the opportunity to win time and at first to achieve his goals without a real war - just by small wars and destabilisation with the right dose of diplomacy

  • #sonyhack: hackers use Sony PlayStation servers to distribute 27 GB of leaks

    http://www.theregister.co.uk/2014/12/03/strange_things_afoot_with_great_sony_pictures_torrent_data_leak/

    it means that they do have the keys to the castle and for the moment they can just walk in and out at will

    that is because you have no two-factor authentication but only passwords

    passwords are not security