Monday, 12 December 2016

Hackers attack San Francisco’s transit system, resulting in free rides

Hackers apparently breached San Francisco’s mass transit system over the holiday weekend, forcing the agency to shut down its light-rail ticketing machines and point-of-payment systems and allowing passengers to ride for free.

A message reading “You hacked. ALL data encrypted” appeared on ticket machines Saturday morning, along with a contact email address — suggesting a ransomware attack, in which attackers encrypt a system’s data and lock its owners out until a ransom is paid. The San Francisco Municipal Transportation Agency, known as Muni, quickly shut down the payment system, opening its gates to passengers.
The system was restored by Sunday morning, according to Muni. The agency did not say how the situation was resolved.
The attack left Muni scrambling to discover the extent of damage, and whether any employee or passenger data had been breached. “At this point there are not any indications of any impacts to customers,” Muni spokesman Paul Rose told the San Francisco Chronicle on Sunday. “We’re doing a full investigation to find out exactly what we are dealing with.”
Among the chief concerns is whether the Clipper smart-card system was also breached. Muni is among 20 Bay Area transit agencies using Clipper cards for transit payments. The cards are used for about 800,000 fare payments a day, according to the Bay Area Metropolitan Transportation Commission, and many cardholders have their credit-card data on file.
The hack also raises disturbing questions about the digital security of America’s infrastructure and public safety; Muni trains are controlled by computers when they’re running in underground tunnels, although this weekend’s attack apparently did not access that system.
“I think it is terrifying,” one rider told KPIX 5 News on Saturday. “I really do I think if they can start doing this you know here, we’re not safe anywhere.”
Earlier this year, a Southern California hospital’s computer system was held hostage by ransomware for more than a week, before the hospital paid about $17,000 in bitcoin to the hackers.

German spy agency finds "striking increase" in Russian hacks

The BfV spy agency claims Russian hackers are trying to interfere with upcoming election


Germany's spy agency has seen a "striking increase" in the number of Russian-backed cyber attacks against the state and political parties, in what is considered a campaign to spread propaganda and misinformation ahead of next year's election.
The BfV spy organisation has identified a range of Russian tactics, including propaganda campaigns "using enormous funds to channel and spread disinformation", targeting Russian-speaking communities, political parties and leading decision makers.
"We see aggressive and increased cyber spying and cyber operations that could potentially endanger German government officials, members of parliament and employees of democratic parties," said Hans-Georg Maassen, head of the BfV spy agency.
Following claims of Russian interference during German elections last month, the agency now expects attacks to increase in an attempt to spread uncertainty and political distrust among the voting population as the country prepares for the 2017 federal election.
The attacks are believed to be an attempt to strengthen extremist groups, while "weakening or destabilising the Federal Republic of Germany", according to a BfV press statement.
Over recent months the agency has identified a significant increase in the number of 'spear-phishing' attacks against political parties within the German Parliament, perpetrated by the Russian-backed hacker group 'APT 28', also known as 'Fancy Bear'.
The group has also been responsible for a string of 'false-flag' attacks, in which "state authorities commit cyber attacks under the guise of pretend hacktivists", according to the BfV.
Last month Angela Merkel warned that Russian hacking groups were likely to try to interfere with the election process, after the group was blamed for an attack on the US Democratic National Committee, for meddling with the US presidential election, and for an attack on the German Parliament in 2015.
Estonian Foreign Minister Sven Mikser expressed similar concerns on Thursday, regarding attacks against political institutions as an act of 'psychological warfare'.
"It's a pretty safe bet that they will try to do it again," said Mikser, speaking to Reuters. "They will try to surprise us. That's something that we should be very careful to look at and try to protect ourselves from."
Estonia has bulked up its cybersecurity after government websites were knocked offline in 2007, incidents which were blamed on Russian state-sponsored hackers.
Russia continues to deny accusations of state-sponsored hacking and any attempts to weaken the European Union, which has imposed strict economic sanctions against the country.

Wednesday, 20 July 2016

WikiLeaks Servers attacked after the announcement of Turkey coup documents release

According to WikiLeaks, these documents were leaked from AKP (Turkish: Adalet ve Kalkınma Partisi / English: Justice and Development Party), which is President Recep Tayyip Erdogan's party, currently Turkey's biggest political force.

WikiLeaks announced the data dump just three days after a small faction of the Turkish military tried to take over the country's leadership via a military coup that failed hours after. 208 people were killed, and more than 2,000 wounded in the coup's aftermath.
Thousands of police officers and military personnel were arrested across the country over the weekend after the coup had failed. Human rights organizations have complained about Turkey beating prisoners and not bringing forward clear evidence. Some of them, including WikiLeaks, have gone on record and called it a purge of any political dissidents who might oppose Erdogan's rule.
A few hours after WikiLeaks announced the leak, the organization tweeted, "our infrastructure is under sustained attack."
Below are the relevant tweets. At the time of writing, although it is Tuesday, the day of the leaks, WikiLeaks has failed to deliver on its promised data dump, probably delayed because of the attack.

Monday, 18 July 2016

Hacker group threatens to take Pokémon Go offline on August 1

Hackers who claimed responsibility for popular game Pokémon Go being offline over the weekend have threatened a bigger attack in a fortnight's time.
The group, known on Twitter as PoodleCorp, claimed to have brought the game's servers down on Saturday using a Distributed Denial-of-Service (DDoS) attack reminiscent of that against Sony's PlayStation Network and Xbox Live on Christmas Day in 2014.

"Just was a lil [sic] test, we will do something on a larger scale soon," said Twitter user XO, who claims to be the leader of PoodleCorp.
A little over a day later the PoodleCorp account said: "August 1st #PoodleCorp #PokémonGo".
Pokémon Go's servers have suffered from high volumes of traffic since the game first launched in Australia, New Zealand and the US a fortnight ago. Niantic Labs, the Google startup behind the game that spun out in 2015, paused its international release until it was confident that its servers could cope with the traffic.
It said the outage on Saturday was caused by the number of downloads. "Due to the incredible number of Pokémon Go downloads, some Trainers are experiencing server connectivity issues," said a message on Niantic's website over the weekend. "Don't worry, our team is on it." 

But PoodleCorp, which claims affiliation with Lizard Squad and other hacking groups, insists it was behind the attack.
The collective, which formed recently as "a combined group of Lizard Squad and other members that weren't in groups to combine a super group for this summer", has previously claimed to have attacked League of Legends and prominent YouTube video makers, including Leafy and h3h3 Productions.
XO, the alleged PoodleCorp leader, told YouTube news channel Drama Alert: "Chaos is entertainment and we like making people angry."

"We will be taking down all of the servers of Pokémon Go all day long for 24 hours on August 1," he said.
PoodleCorp took the servers down by overwhelming them with traffic from a "very big botnet", a network of malware-infected computers that can be remotely controlled en masse by cyber criminals, according to XO. "We have various devices, pretty much all of the internet."
The group said that its attacks can be verified through the timestamps of its Twitter posts, which it claims come before the servers went down, indicating that the outage was malicious rather than a technical error.
For avid players of the game, XO had a cold warning for the beginning of next month: "Find something else to do because if that's all you have to do you need a life".
Pokémon Go became a viral success within days of its release. The augmented reality game swiftly outstripped the number of users on the dating app Tinder, and soon had greater user engagement than Twitter and Facebook. 
A collaboration between Niantic, Nintendo and the separate Pokémon company, the game has sent Nintendo's shares rocketing by 90 per cent. That means the game makers, who own 32 per cent of Pokémon Go, have gained $17 billion (£12.85 bn) in market value in just a fortnight.

40M iCloud accounts may have been hacked

Since February, a number of Apple users have reported locked devices displaying ransom demands written in Russian.
Earlier this week, a security professional posted a message to a private email group requesting information related to a possible compromise of at least 40 million iCloud accounts.
Salted Hash started digging around on this story after the email came to our attention. In it, a list member questioned the others about a rumor concerning "rumblings of a massive (40 million) data breach at Apple."

The message goes on to state that the alleged breach was conducted by a Russian actor, and that the vector "seems to be via iCloud to the 'locate device' feature, and is then locking the device and asking for money."

Salted Hash reached out to Apple for comment; we'll update this article if they respond.
Update: Sources familiar with these types of attacks, speaking on background with Salted Hash, have said the victim count of 40 million is likely way overblown. Their reasoning is sound, too: even if only a small percentage of the list were being attacked, a few hundred thousand victims within a few months would stand out like a beacon. In short, there would be no way to keep such attacks under the radar.
For now, let's assume there hasn't been a massive iCloud data breach. If that's the case, then how are these users being compromised?

How the attack works:

In 2014, someone (or perhaps more than one person) using the name "Oleg Pliss" held an unknown number of Australian Apple devices for ransom, demanding a payment of $100.

The Russian Interior Ministry announced in June of 2014 that two people were arrested for blocking Apple devices to extort funds. With those arrests, it was assumed the scams were finished.
But since at least February of this year, the scams have returned. The most recent cases are targeting users in Europe and the United States, and the methods used by the attackers are the same ones that were popular two years ago.
It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim's device into Lost Mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.
In the cases reported publicly, the ransom demanded is usually $30 to $50. If a victim contacts the referenced email address, in addition to payment instructions, they're told they have 12 hours to comply or their data will be deleted.

China hacked the FDIC

The House of Representatives' Science, Space and Technology Committee released its investigative report on Wednesday.

It presents the FDIC's bank regulators as technologically inept -- and deceitful.
According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the incredibly sensitive personal computers of the agency's top officials: the FDIC chairman, his chief of staff, and the general counsel.
When congressional investigators tried to review the FDIC's cybersecurity policy, the agency hid the hack, according to the report.
Investigators cited several insiders who knew about how the agency responded. For example, one of the FDIC's top lawyers told employees not to discuss the hacks via email -- so the emails wouldn't become official government records.
FDIC Chairman Martin Gruenberg is being summoned before the Congressional committee on Thursday to explain what happened.
The FDIC refused to comment. However, in a recent internal review, the agency admits that it "did not accurately portray the extent of risk" to Congress and recordkeeping "needs improvement." The FDIC claims it's now updating its policies.
Given the FDIC's role as a national banking regulator, the revelation of this hack poses serious concern.
The FDIC's role is to monitor any bank that isn't reviewed by the Federal Reserve system. It has access to extremely sensitive, internal information at 4,500 banks and savings institutions.
The FDIC also insures deposits at banks nationwide, giving it access to huge loads of information on Americans.
"Obviously it's indicative of the Chinese effort to database as much information as possible about Americans. FDIC information is right in line with the deep personal information they've gone for in the past," said computer security researcher Ryan Duff. He's a former member of U.S. Cyber Command, the American military's hacking unit.
"Intentionally avoiding audits sounds unethical if not illegal," he added.
Congressional investigators discovered the hacks after finding a 2013 memo from the FDIC's own inspector general to the agency's chairman, which detailed the hack and criticized the agency for "violating its own policies and for failing to alert appropriate authorities."
The report also says this culture of secrecy led the FDIC's chief information officer, Russ Pittman, to mislead auditors. One whistleblower, whose identity is not revealed in the report, claimed that Pittman "instructed employees not to discuss... this foreign government penetration of the FDIC's network" to avoid ruining Gruenberg's confirmation by the U.S. Senate in March 2012.
David Kennedy, a computer security expert and former analyst at the NSA spy agency, worries that federal agencies are repeatedly hiding hacks "under the blanket of national security."
"With such a high profile breach and hitting the top levels of the FDIC, it's crazy to me to think that this type of information wasn't publicly released. We need to be deeply concerned around the disclosure process around our federal government," said Kennedy, who now runs the cybersecurity firm TrustedSec.
This same committee, led by Republican Congressman Lamar Smith of Texas, has previously criticized the FDIC for minimizing data breaches.
Several cybersecurity experts -- who have extensive experience guarding government computers -- expressed dismay at the alleged coverup.
"It's incumbent upon our policymakers to know about these data breaches so we can properly evaluate our defenses. Trying to hide successful intrusions only makes it easier for the next hacker to get in," said Dan Guido, who runs the cybersecurity firm Trail of Bits.

Thursday, 14 July 2016

Russian hackers attack

Russian hackers are probing Western defences and have already attacked one power company, security researchers have warned.
A team from SentinelOne said “state sponsored hackers” have targeted a European firm using sophisticated digital warfare techniques.
The attacks came from Eastern Europe and are likely to be Russian in origin, although SentinelOne stopped short of blaming Moscow outright.

Any attack on the power grid could be devastating, because it would effectively cripple an advanced country’s economy.
In 2003, a blackout in the north east of America is thought to have cost $6 billion. The world is even more reliant on technology now, meaning the cost could be much higher if hackers managed to bring down the power and turn the lights off in a major city like London or New York.
Tech experts Joseph Landry and Udi Shamir wrote: “The Labs team at SentinelOne recently discovered a sophisticated malware campaign specifically targeting at least one European energy company.
“Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe.”
The malware used by the hackers is highly advanced; in SentinelOne's assessment, only a state-sponsored team could have designed it.
SentinelOne told Ars Technica the digital weapon may have been designed by Russian teams, but declined to be more specific.
Security firms are famously wary of “attributing” attacks, because of the risk of blaming the wrong person.

Russian hackers are often suspected of scheming against Western governments and businesses.
Here are some recent articles relevant to the topic.

They attacked:

- Central Bank of Cyprus
- Merkel's CDU party
- a major Finnish media group
- LinkedIn accounts
- DNC, Clinton and Trump (part 1)
- DNC hack (part 2)
- NATO sites (possibly)

Russian hackers also cooperated with China to control the world wide web (allegedly).

And finally, here's some speculation about Russian cyber operations and activities.