Tag: Hacking

As Zathras Would Say, “At Least There is Symmetry.”

There was a court hearing today for the Florida teen who allegedly hacked dozens of celebrity Twitter accounts, and someone posted porn clips to the Zoom meeting.

Needless to say, this is now in my list as a perfect moment in the history of hacking:


Clearly, Mr. Clark has no F%$#s left to give

Perhaps fittingly, a Web-streamed court hearing for the 17-year-old alleged mastermind of the July 15 mass hack against Twitter was cut short this morning after mischief makers injected a pornographic video clip into the proceeding.

The incident occurred at a bond hearing held via the videoconferencing service Zoom by the Hillsborough County, Fla. criminal court in the case of Graham Clark. The 17-year-old from Tampa was arrested earlier this month on suspicion of social engineering his way into Twitter’s internal computer systems and tweeting out a bitcoin scam through the accounts of high-profile Twitter users.

………

Notice of the hearing was available via public records filed with the Florida state attorney’s office. The notice specified the Zoom meeting time and ID number, essentially allowing anyone to participate in the proceeding.


All worth it for Florida DA Andrew Warren’s reaction

Even before the hearing officially began it was clear that the event would likely be “zoom bombed.” That’s because while participants were muted by default, they were free to unmute their microphones and transmit their own video streams to the channel.

………

What transpired a minute later was almost inevitable given the permissive settings of this particular Zoom conference call: Someone streamed a graphic video clip from Pornhub for approximately 15 seconds before Judge Nash abruptly terminated the broadcast.

I am very amused by this.

So say we all.

Donald Trump Must Have Lost His Mind


Clearly, Nigerian princes were involved

A number of Twitter’s verified accounts were compromised, and in response Twitter blocked all verified (blue checkmark) accounts from tweeting for about an hour.

This means that Donald Trump could not Tweet during this time.

I rather imagine that his head was exploding over this.

Twitter suffered a major security breach on Wednesday that saw hackers take control of the accounts of major public figures and corporations, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple.

The company confirmed the breach Wednesday evening, more than six hours after the hack began, and attributed it to a “coordinated social engineering attack” on its own employees that enabled the hackers to access “internal systems and tools”. Twitter said it was “looking into what other malicious activity they may have conducted or information they may have accessed” in addition to using the compromised accounts to send tweets.

………

The company subsequently warned that some users would be unable to tweet or change their passwords as it worked to address the issue. Verified users, whose accounts feature a blue checkmark to denote that Twitter has confirmed their identities, were blocked from tweeting for about an hour.

Oh the humanity.

Well, This is a Relief

The US District Court for the District of Columbia has ruled that violating a site’s terms of service is not criminal hacking.

This was a pre-enforcement challenge to the CFAA by researchers who were looking into racial discrimination by websites, but were concerned that these sites would manage to convince a prosecutor to charge them with a felony in response to their discovering embarrassing information.

Given that the general vagueness of the CFAA is a petri dish for prosecutorial abuse, this is a good thing:

A federal court in Washington, DC, has ruled that violating a website’s terms of service isn’t a crime under the Computer Fraud and Abuse Act, America’s primary anti-hacking law. The lawsuit was initiated by a group of academics and journalists with the support of the American Civil Liberties Union.

The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have terms of service prohibiting users from supplying fake information, and the researchers worried that their research could expose them to criminal liability under the CFAA, which makes it a crime to “access a computer without authorization or exceed authorized access.”

So in 2016 they sued the federal government, seeking a declaration that this part of the CFAA violated the First Amendment.

But rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs’ proposed research wouldn’t violate the CFAA’s criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn’t become a hacker simply by doing something prohibited by a website’s terms of service, the judge concluded.

“Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature,” Bates wrote.

This May be the Stupidest Thing Ever

Seriously, posting your personal details on 4chan boards is not smart.

If you want to do a story on 4chan, or 8chan, take the following precautions:

  • Don’t piss them off.
  • Get a burner phone, a dumb one, bought with cash and tied to none of your financial information.
  • Get a burner email account, and read it only at the library.
  • Use an assumed name or code name.
  • Don’t piss them off.

You might also want to don CBW protective gear.

Finally, and I mean this with sincere respect, and no small amount of fear, do NOT f%$# with the chan.

Posting personal details on chan boards was a bad idea BEFORE everyone on them turned into literal Nazis. It is an even worse idea now.

— Sara Luterman (@slooterman) February 6, 2020

What’s the Problem with an Encryption Back Door?

After successfully creating a health care app for doctors to view medical records, Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police officer friend: Go into the surveillance business because law enforcement desperately needs technological help.

In 2014, he founded a company that creates surveillance technology, including powerful spyware for police and intelligence agencies, at a time when easy-to-use encrypted chat apps such as WhatsApp and Signal were making it possible for criminal suspects to protect phone calls and data from government scrutiny.

The concept behind the company’s product was simple: With the help of Italy’s telecom companies, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their phone. The app would also allow Fasano’s company, eSurv, to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages.

………

“I started to go to all the Italian prosecutors’ offices to sell it,” explained Fasano, a 46-year-old with short, dark-brown hair and graying stubble. “The software was good. And within three years, it was used across Italy. In Rome, Naples, Milan.”

Even the country’s foreign intelligence agency, L’Agenzia Informazioni e Sicurezza Esterna, came calling for Exodus’s services, Fasano said.

But Fasano’s success was short lived, done in by a technical glitch that alerted investigators that something could be amiss. They followed a digital trail between Italy and the U.S. before unearthing a stunning discovery.

Authorities found that eSurv employees allegedly used the company’s spyware to illegally hack the phones of hundreds of innocent Italians—playing back phone conversations of secretly recorded calls aloud in the office, according to legal documents. The company also struck a deal with a company with alleged links to the Mafia, authorities said.

The discovery prompted a criminal inquiry involving four Italian prosecutor’s offices. Fasano and another eSurv executive, Salvatore Ansani, were charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing.

………

The demand for such technology has been driven in part by the rise in popularity of encrypted mobile phone apps and the reality that it is getting harder for law enforcement to glean evidence without the assistance of Silicon Valley giants such as Apple Inc., which is currently at loggerheads with the FBI over access to an iPhone used by an accused terrorist.

………

What makes the allegations against eSurv so astounding is that, if true, the company became involved in the spying itself—and did so right in the heart of Europe.

………

“I think that no prosecutors in Western countries have ever worked on a case like this,” Melillo said in a recent interview at his Naples office. This story is based on interviews with Italian authorities and a review of 170 pages of documents outlining the evidence collected, much of it never before reported.

In the city of Benevento, about 40 miles northeast of Naples, technicians working for the prosecutor’s office in 2018 were using Exodus to hack the phones of suspects in an investigation. That October, one of the technicians noticed that the network connection to Exodus was frequently dropping out, according to Italian authorities.

The technician did some troubleshooting and found a glaring problem. The Exodus system was supposed to operate from a secure internal server accessible only to the Benevento prosecutor’s office. Instead, it was connecting to a server accessible to anyone on the internet, protected only by a username and password, the authorities said.

The implications were enormous: hackers could potentially gain access to the platform and view all of the data that Italian prosecutors were covertly harvesting from suspects’ phones in some of Italy’s most sensitive law enforcement investigations. (Authorities don’t know if the server was in fact ever hacked.)

………

The investigation was eventually handed off to the prosecutor’s office in nearby Naples, which is responsible for handling major computer crimes in the region. The Naples prosecutor began a more in-depth probe—and found that eSurv had been storing a vast amount of sensitive data, unencrypted, on an Amazon Web Services server in Oregon.

The data included thousands of photos, recordings of conversations, private messages and emails, videos, and other files gathered from hacked phones and computers. In total, there were about 80 terabytes of data on the server—the equivalent of roughly 40,000 hours of HD video.

“A large part of the data is secret data,” said Melillo. “It’s related to the investigation of Mafia cases, terrorist cases, corruption cases.”

………

When Fasano began thinking about creating a police surveillance tool, he recruited a small team to explore the possibilities. They eventually developed a spyware tool that would allow police to hack Android phones by luring suspects into downloading what looked like an ordinary app from the Google Play store.

………

The app didn’t contain spy software, allowing it to bypass Google’s automated virus scans. But once a person downloaded it, the app served as a gateway through which eSurv could place spyware onto a person’s phone. The spyware would then covertly take total control: recording audio, taking photos and giving police access to encrypted messages and files, Fasano said.

………

In all, the Black Team spied on more than 230 people who weren’t authorized surveillance targets, according to police documents. Some of the surveillance victims were listed in eSurv’s internal files as “The Volunteers,” suggesting they were unwitting guinea pigs.

………

After reviewing evidence about the Black Team in May, a judge concluded that Exodus appeared to have been “designed and intended from the outset to operate with functions that are very distant from the canons of legality.” The judge approved a warrant to place Ansani and Fasano under house arrest; the investigation is continuing and additional charges could be filed, according to Italian authorities.

………

“It’s like a gun,” said Vincenzo Ioppoli, Fasano’s lawyer. “Once you have sold it, you don’t know how it will be used.”

This is why you can never trust law enforcement, or their contractors, not to abuse the power that you give them.

Little Bobby Droptables Lives!

It looks like someone has been reading xkcd, the “webcomic of romance, sarcasm, math, and language,” and has developed an SQL injection attack to wipe traffic camera records.

I am not sure it would actually work, but I am profoundly impressed by how life mirrors one of the most popular web comics on the web:

Typical speed camera traps have built-in OCR software that is used to recognize license plates. A clever hacker decided to see if he could defeat the system by using SQL Injection…

The basic premise of this hack is that the hacker has created a simple SQL statement which will hopefully cause the database to delete any record of his license plate. Or so he (she?) hopes. Talk about getting off scot-free!

I do not know if it will work, but I am profoundly amused.

Link to XKCD cartoon:
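As an added illustration of the mechanism described above (this is example code written for this page, not anything from the quoted article or the xkcd strip), here is a toy version of a camera back end that stores each OCR’d plate in a hypothetical `violations` table, once by string concatenation and once with a parameterised query. The table name, the column names and both plate strings are constructed for the example; the crafted plate closes the string literal, finishes the INSERT, appends a DROP TABLE and comments out whatever the camera software would have put after it.

```python
import sqlite3

# Constructed sample plates (not taken from the page): one ordinary plate and
# one crafted so that, when pasted into a concatenated INSERT, it closes the
# literal, ends the statement, adds a DROP TABLE and comments out the rest.
PLATE_NORMAL = "AB 1234"
PLATE_INJECT = "ZU 0666', 0); DROP TABLE violations; --"


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database with a hypothetical violations table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE violations (id INTEGER PRIMARY KEY, plate TEXT, speed_kmh INTEGER)"
    )
    return conn


def record_vulnerable(conn: sqlite3.Connection, plate: str, speed_kmh: int) -> None:
    """Builds the SQL by string concatenation and hands the whole string to the
    engine. executescript() runs every statement in the string, like a driver
    with multi-statement queries enabled, so a crafted plate can smuggle in
    statements of its own."""
    sql = (
        "INSERT INTO violations (plate, speed_kmh) VALUES ('"
        + plate + "', " + str(speed_kmh) + ");"
    )
    conn.executescript(sql)
    conn.commit()


def record_safe(conn: sqlite3.Connection, plate: str, speed_kmh: int) -> None:
    """Parameterised insert: the plate travels as a bound value, never as SQL."""
    conn.execute(
        "INSERT INTO violations (plate, speed_kmh) VALUES (?, ?)",
        (plate, speed_kmh),
    )
    conn.commit()


def table_exists(conn: sqlite3.Connection) -> bool:
    """True if the violations table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'violations'"
    ).fetchone()
    return row is not None


def stored_plates(conn: sqlite3.Connection) -> list:
    """Plates in insertion order, as the database actually stored them."""
    return [r[0] for r in conn.execute("SELECT plate FROM violations ORDER BY id")]


def demo() -> dict:
    """Runs both code paths against the same plates and reports what survived."""
    vuln = new_db()
    record_vulnerable(vuln, PLATE_NORMAL, 87)
    record_vulnerable(vuln, PLATE_INJECT, 87)   # the crafted plate drops the table

    safe = new_db()
    record_safe(safe, PLATE_NORMAL, 87)
    record_safe(safe, PLATE_INJECT, 87)         # stored as an ordinary string

    return {
        "vulnerable_table_survives": table_exists(vuln),
        "safe_table_survives": table_exists(safe),
        "safe_plates": stored_plates(safe),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenating version only loses the table because `executescript()` executes every statement in the string, the same way a database driver with multi-statement queries enabled would; a driver that refuses stacked statements would reject the crafted plate with a syntax error instead, which is one reason the scepticism above is warranted. The parameterised version stores the whole crafted string as a plate value and the table survives. The trick also needs the OCR stage to pass quotes, semicolons and dashes through unchanged; a recogniser that restricts its output to the plate alphabet never produces the payload in the first place.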

In the Old Days, It Was Phone Jamming

For two days in a row, the Labour Party in the UK has been hit with DDoS attacks, and while no data is thought to have been lost, they HAVE interfered with access to its site and its electoral tools:

The Labour party has faced a second cyber-attack, a day after experiencing what it called a “sophisticated and large-scale” attempt to disrupt its digital systems.

It is understood the party was the subject of a second distributed denial of service (DDoS) attack on Tuesday afternoon. Such attacks use “botnets” – networks of compromised computers – to flood a server with requests that overwhelm it.

………

Labour has not said who it suspects is behind the attacks, but said it was confident its security systems ensured there was no data breach.

………

Labour has not said which digital platforms were targeted, but it is understood some of them were election and campaigning tools, which would contain details about voters. The party has sent a message to campaigners to say what happened and to explain why the systems were working slowly on Monday.

This raises the obvious questions of who did this, and why did they do it now?

There is actually a fairly simple answer: a deadline is coming up for “Freepost” leaflets (in the US, they would be called “Business Reply Mail”), and currently the system to submit and gain approval for these mailers is offline.

Someone is monkey wrenching Labour voter organizing efforts.

Does anyone know about Labour candidates having big problems with party’s leaflet-creating website? One local campaign chief says: “it hasn’t been working properly & has now completely failed. Candidates can’t get their leaflets off it & approved. It appears to have been hacked.”

— Michael Crick (@MichaelLCrick) November 11, 2019

I’m told that some Labour candidates fear that unless the party can resolve the problem very soon, then they could miss the deadline for getting their Freepost leaflets written, designed and approved

— Michael Crick (@MichaelLCrick) November 11, 2019

I Want This Phone Charger

An artist and programmer has come up with a charger that generates a flood of false information to thwart the attempts of the various internet giants to track you:

Martin Nadal, an artist and coder based in Linz, Austria, has created FANGo, a “defense weapon against surveillance capitalism” that is disguised as a mobile phone charger.

On his page introducing the device, Nadal explains that the inside of the charger hides a micro controller that takes control of an Android smartphone by accessing the operating system’s Debug Mode. The device then makes queries and interacts with pages on Google, Amazon, YouTube, and other sites “in order to deceive data brokers in their data capture process.” It works similar to a fake Apple lightning cable, now mass-produced, that hijacks your device once connected.

Tools to frustrate tracking attempts by advertisers or data brokers are not new—AdNauseam is a plugin that clicks on all ads, while TrackmeNot does random searches on different search engines. Such projects, however, exclusively focus on desktops and web browsers. “Today we interact with the internet from the mobile mostly,” Nadal told Motherboard in an email. “We also use applications, where there is no possibility of using these plugins that hinder the monitoring making the user helpless.”

The device’s name is an acronym for Facebook, Amazon, Netflix, and Google, who represent some of the most profitable companies in the world. Nadal, however, sees them as the engines of surveillance capitalism, a theorization of contemporary capitalism by Shoshana Zuboff, a Harvard Business School professor emeritus.

………

Nadal is working on adding new features that might take such poisoning even further, using techniques such as geolocation spoofing. “[W]hile my phone is quietly charging at home, the data brokers think that I am walking or dining in another part of the city or world,” he said.

I love it.

But What if it Gets Used for Evil ……… Oh ………Wait ……… It Already Has

Computer boffins in the land of Hobbits are using AI-based chatbots to screw with scammers.

It’s nice to see someone turning chatbots against the scammers:

Thousands of online scammers around the globe are being fooled by artificial intelligence bots posing as New Zealanders and created by the country’s internet watchdog to protect it from “phishing” scams.

Chatbots that use distinct New Zealand slang such as “aye” have been deployed by Netsafe in a bid to engage scammers in protracted email exchanges that waste their time, gather intelligence and lure them away from actual victims.

Cyber crime costs New Zealanders around NZ$250m annually. Computer programmers at Netsafe spent more than a year designing the bots as part of their Re:scam initiative, which went live on Wednesday.

Within 24 hours 6,000 scam emails had been sent to the Re:scam email address and there were 1000 active conversations taking place between scammers and chatbots.

So far, the longest exchange between a scammer and a chatbot pretending to be a New Zealander was 20 emails long.

The bots use humour, grammatical errors and local slang to make their “personas” believable, said Netsafe CEO Martin Cocker. As the programme engages in more fake conversations with scammers overseas, its vocabulary, intelligence and personality traits will grow.

Here’s hoping that the AIs will spend their time battling each other, and leave the rest of us alone.

This is Kind of Tempting

The websites of US telly giant CBS’s Showtime contained JavaScript that secretly commandeered viewers’ web browsers over the weekend to mine cryptocurrency.

The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.

The scripts were written by Code [Coin] Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Code-Hive-hosted scripts adds up and is transferred from Coin Hive to the site’s administrators. One Monero coin, 1 XMR, is worth about $92 right now.

Let me start by saying that I won’t be putting code like this on my site.

I am considering placing an additional button on my tip jar (aka Matthew Saroff’s Beer Fund), but it would take the form of another donation button, since the revenue from Google™ Adsense™ is so pathetic.

If I do this, it will be voluntary, another button to click on the page, and I might occasionally nag my reader(s) to click the button.

As always, note that this post should in no way be construed as an inducement or a request for my reader(s) to click on any ad that they would not otherwise be inclined to investigate further. This would be a violation of the terms of service for Google™ Adsense™.

Once Again, the NSA Makes Us All Less Safe

A new ransomware attack similar to last month’s self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.

PetyaWrap, as some researchers are calling the ransomware, uses a cocktail of potent techniques to break into a network and from there spread from computer to computer. Like the WCry worm that paralyzed hospitals, shipping companies, and train stations around the globe in May, Tuesday’s attack made use of EternalBlue, the code name for an advanced exploit that was developed and used by, and later stolen from, the National Security Agency.

According to a blog post published by antivirus provider Kaspersky Lab, Tuesday’s attack also repurposed a separate NSA exploit dubbed EternalRomance. Microsoft patched the underlying vulnerabilities for both of those exploits in March, precisely four weeks before a still-unknown group calling itself the Shadow Brokers published the advanced NSA hacking tools. The leak gave people with only moderate technical skills a powerful vehicle for delivering virtually any kind of digital warhead to systems that had yet to install the updates.

Besides use of EternalRomance, Tuesday’s attack showed several other impressive improvements over WCry. One, according to Kaspersky, was the use of the Mimikatz hacking tool to extract passwords from other computers on a network. With those network credentials in hand, infected computers would then use PSExec, a legitimate Windows component known as the Windows Management Instrumentation, and possibly other command-line utilities to infect other machines, even when they weren’t vulnerable to the EternalBlue and EternalRomance exploits. For added effectiveness, at least some of the attacks also exploited the update mechanism of a third-party Ukrainian software product called MeDoc, Kaspersky Lab said. A researcher who posts under the handle MalwareTech, speculated here that MeDoc was itself compromised by malware that took control of the mechanism that sends updates to end users.
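As an added example (my own code, not part of the quoted article or of the original post), here is a small detector for the spreading behaviour described above. PsExec-style remote execution shows up on the target as a service installation (System log event ID 7045) for the PSEXESVC service, typically right after a network logon (Security event ID 4624, logon type 3) with the harvested credentials, and remote WMI execution shows up as a process whose parent is the WMI provider host, WmiPrvSE.exe (Sysmon-style process creation, event ID 1). The log records below are constructed for the example in a simplified JSON-like form, not real exports; host names, account names, addresses and the payload path are invented.

```python
from dataclasses import dataclass

# Indicators used by the rules. PSEXESVC is the service name PsExec installs
# on the remote host; WmiPrvSE.exe is the WMI provider host that launches
# processes created through remote WMI calls.
PSEXEC_SERVICE = "PSEXESVC"
WMI_PROVIDER_HOST = "wmiprvse.exe"

# Constructed sample records in time order (not real log exports): hosts,
# accounts, addresses and the payload path are invented for this example.
# event_id 4624/7045 follow the Windows event IDs; event_id 1 is Sysmon's
# process-creation event, which carries the parent image.
SAMPLE_EVENTS = [
    {"host": "ws12", "event_id": 4624, "logon_type": 2,
     "user": "CORP\\alice", "src_ip": "-"},
    {"host": "fs01", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.12"},
    {"host": "fs01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "fs01", "event_id": 7045, "service_name": "BackupAgent",
     "image_path": "C:\\Program Files\\BackupAgent\\agent.exe"},
    {"host": "ws17", "event_id": 1, "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "command_line": "rundll32.exe C:\\Windows\\Temp\\payload.dll,#1"},
    {"host": "ws17", "event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe"},
]


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_lateral_movement(events: list) -> list:
    """Scan ordered events and return one Alert per suspicious record.

    Remembers the most recent network logon (4624, type 3) per host so a
    PsExec service install can be tied to the account and source address
    that preceded it, i.e. which stolen credential was used from where.
    """
    alerts = []
    last_network_logon = {}
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 4624 and ev.get("logon_type") == 3:
            last_network_logon[host] = ev
        elif eid == 7045:
            name = ev.get("service_name", "")
            path = ev.get("image_path", "")
            if PSEXEC_SERVICE.lower() in (name + " " + path).lower():
                logon = last_network_logon.get(host)
                origin = (f"after network logon by {logon['user']} from {logon['src_ip']}"
                          if logon else "no preceding network logon seen")
                alerts.append(Alert(host, "psexec_service_install",
                                    f"service {name} ({path}); {origin}"))
        elif eid == 1 and basename(ev.get("parent_image", "")) == WMI_PROVIDER_HOST:
            alerts.append(Alert(host, "wmi_remote_process",
                                f"{ev.get('image', '')} launched by WmiPrvSE.exe: "
                                f"{ev.get('command_line', '')}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

On the constructed records this flags the PSEXESVC install on fs01, tied to the svc_backup network logon from 10.0.0.12 that preceded it, and the rundll32 process that WmiPrvSE.exe launched on ws17, while the ordinary service install and the notepad process pass. Both PsExec and WMI are legitimate administration tools, so in production these rules need an allowlist of management hosts and accounts before they are worth paging anyone on; they are a backstop for machines that were still missing the March patch for the flaws EternalBlue and EternalRomance exploit, not a substitute for it.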

The fact that the NSA does not do a good job on cybersecurity should surprise no one. Its job is not to keep our computers safe, but to break into as many systems as it can and hoover up data.

The ACLU has accurately described the problem:

Last month, a massive ransomware attack hit computers around the globe, and the government is partly to blame.

The malicious software, known as “WannaCry,” encrypted files on users’ machines, effectively locking them out of their information, and demanded a payment to unlock them. This attack spread rapidly through a vulnerability in a widely deployed component of Microsoft’s Windows operating system, and placed hospitals, local governments, banks, small businesses, and more in harm’s way.

This happened in no small part because of U.S. government decisions that prioritized offensive capabilities — the ability to execute cyberattacks for intelligence purposes — over the security of the world’s computer systems. The decision to make offensive capabilities the priority is a mistake. And at a minimum, this decision is one that should be reached openly and democratically. A bill has been proposed to try to improve oversight on these offensive capabilities, but oversight alone may not address the risks and perverse incentives created by the way they work. It’s worth unpacking the details of how these dangerous weapons come to be.

………

When researchers discover a previously unknown bug in a piece of software (often called a “zero day”), they have several options:

  1. They can report the problem to the supplier of the software (Microsoft, in this case).
  2. They can write a simple program to demonstrate the bug (a “proof of concept”) to try to get the software supplier to take the bug report seriously.
  3. If the flawed program is free or open source software, they can develop a fix for the problem and supply it alongside the bug report.
  4. They can announce the problem publicly to bring attention to it, with the goal of increasing pressure to get a fix deployed (or getting people to stop using the vulnerable software at all).
  5. They can try to sell exclusive access to information about the vulnerability on the global market, where governments and other organizations buy this information for offensive use.
  6. They can write a program to aggressively take advantage of the bug (an “exploit”) in the hopes of using it later to attack an adversary who is still using the vulnerable code.

Note that these last two actions (selling information or building exploits) are at odds with the first four. If the flaw gets fixed, exploits aren’t as useful and knowledge about the vulnerability isn’t as valuable.

………

The NSA knew about a disastrous flaw in a widely used piece of software – as well as code to exploit it — for over five years without trying to get it fixed. In the meantime, others may have discovered the same vulnerability and built their own exploits.

The people handling our offensive cyber capabilities cannot be trusted to protect us, because it is not their job.

Their job is to hack into other people’s systems, and any consequences are seen as irrelevant.

It’s blind men and an elephant, and it’s the rest of us who suffer as a result.