Tuesday, 20 January 2015

Cops arrest another man after Christmas PlayStation/Xbox DDoS

UK police have arrested an 18-year-old man in Southport in connection with the Lizard Squad's Grinch-like, Christmas-time Distributed Denial of Service (DDoS) blockage of PlayStation and Xbox systems.
Besides suspicion of unauthorised access to computer material, he was also arrested in connection with threats to kill and with swatting.
The South East Regional Organised Crime Unit (SEROCU) tweeted the arrest and gave a few more details in a release, saying that UK law enforcement worked closely with the FBI in the ongoing investigation.
SEROCU tweet
Our Cyber Crime Unit has arrested an 18-year-old in connection with the #DDOS attach [sic] on #Xbox & #Playstation this morning working with @FBI
In further tweets, SEROCU said that the suspect was arrested under the Computer Misuse Act 1990 in an operation that focused not just on the gaming DDoS, but also on swatting: the practice of making bogus emergency calls, as pranks or acts of revenge against someone, that result in the dispatch of emergency services that can wind up with law enforcement surrounding innocent people's homes with guns drawn.
Arrest. Image courtesy of Shutterstock.Craig Jones, Head of the Cyber Crime Unit at SEROCU, said that the swatting took place in the US, with hoax emergency calls coming in via Skype and resulting in a "major incident" in which SWAT (Special Weapons and Tactics) teams were dispatched.
We don't yet know whether in fact this teenager was associated with Lizard Squad - just that police are investigating his involvement with the gaming attack.
What is Lizard Squad? It's often referred to as a 'hacking group', though as Naked Security's Mark Stockley has pointed out, the attack on millions of adults' and children's Christmas-day gaming fun doesn't qualify as a "hack" in the sense that it required no skills at penetrating Microsoft's or Sony's networks whatsoever.
In the final Chet Chat podcast of 2014, Mark explains [10'00"] that all the cyber vandals did was to cyberishly squat in front of the games so that few could get in to play:
This isn't a hack in the sense that we normally use the word hack to refer to some sort of breach or unauthorised entry. Lizard Squad didn't gain entry to any Microsoft data or Sony data. They didn't breach any Microsoft systems or Sony systems. They weren't picking the lock; they were barricading the door from the outside.
This is the second arrest connected with the attack, following which the Lizard Squad has been blowing raspberries at authorities and shilling its takedown-for-hire DDoS service.
The first arrest was of Vinnie Omari, a 22-year-old who was bailed out on 30 December.
Two arrests? Pah. We haven't seen anything yet, Jones assures us:
We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with the FBI to identify those to who commit offences and hold them to account.
SEROCU, supported by the National Cyber Crime Unit (NCCU) and working closely with the FBI, arrested the teenager this morning in Southport.
Agents also seized a number of electronic and digital devices.

Verizon rushes fix for email account open season security flaw

A security researcher has discovered a vulnerability in the API used by Verizon's My FiOS mobile application which allowed any user access to any Verizon email account -- and a fix has been rapidly pushed out. As reported by ThreatPost, Verizon pushed a fix out for the flaw last week after security researcher Randy Westergren Jr disclosed the vulnerability. The flaw was severe enough that the telecommunications giant patched the problem within 48 hours.
The security researcher, who is a Verizon FiOS customer, disclosed details of the vulnerability once a fix was issued for customers. Westergren said he discovered a vulnerability in the API which allowed a user to access any Verizon email account, scan their inbox, read individual emails and send messages on their behalf. Naturally, this is a severe problem as so many of us connect other accounts to our email addresses -- ranging from social media accounts to e-commerce and banking -- and Verizon is a large provider of Web and email services in the United States.
While proxying requests from his device, Westergren noticed an interesting call to fetch when pulling emails in. There were two references to his username, one being:
The response to call was a JSON object containing header information for the emails in his inbox. However, Westergren then stumbled upon something interesting.
"Altering the uid parameter and specifying another username shouldn't have an effect, since I'm logged in and my session is maintained through my cookies," the researcher noted. "Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox. This was enough of an issue, but I immediately questioned whether the other API methods were affected."
Once the security researcher prepared a proof-of-concept exploit, Westergren realized that playing with different parameters also allowed him to send and delete email from another user's email inbox.
Westergren tested his exploit against the API, confirming the system was vulnerable. He also believes all the API methods for the software's widget within the app were vulnerable, and so if the API has been re-used by Verizon, other apps released by the US carrier were not secure.

The security researcher recognized how serious this flaw could be, and reached out to Verizon's corporate security after failing to get a worthwhile response on Twitter. Within two days, a fix had been prepared, confirmed by the researcher and released to the public.
"Verizon's security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said. "They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude."

Video nasty: Two big bugs in VLC media player's core library

A Turkish hacker has revealed two zero-day vulnerabilities in library code used by the popular VLC media player and others.
The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post.
"VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitised when handling a specially crafted FLV" or M2V file, Hatas said.
"This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code."
He said both were high severity holes.
VLC's developers, Videolan Software, were informed of the flaws on Boxing Day and had not issued fixes for the latest stable version, 2.1.5, by the time of disclosure 9 January. Version 2.2.0-rc2, available to testers, is not vulnerable, according to the VLC project's bug tracker.
The developers have been contacted for comment. Judging by entries in the VLC bug tracker, here and here, the flaws lie within libavcodec, a core component of the video player. This library is also used by MPlayer and other open-source software.
Videolan Software claims to have clocked up millions of downloads for Windows and Mac operating systems alone across various versions and more than 1.5 billion downloads in total.

Possible Lizard Squad members claims hack of Oz travel insurer

SQLi kid pops Aussie Travel Cover, dumps 800k records

Nearly 900,000 client records including names, addresses, and phone numbers have been stolen from travel insurer Aussie Travel Cover by a suspected member of the Lizard Squad hacking crew.
The hacker released databases including those detailing customer policies and travel dates along with a list of partial credit card information.
The company discovered the hack December 18 and informed agents five days later, but did not inform policy holders or customers.
The company told the ABC it was working with police but made no comment on the hack.
Hacker @abdilo_ took credit for the breach.
The supposed Queenslander has goaded police by claiming on their Twitter feed to have hacked various websites using SQL injection.
Cybercrime reporter Brian Krebs thought Adbillo was affiliated with Xbox One and Playstation hacking group Lizard Squad and its DDOS-as-a-service offering.
The hacker has issued a series of invective and antisec-flavoured tweets claiming to have popped agencies, businesses and hospitals using mainly SQL injection. In one illustrated tweet he appeared to state his lack of concern for his possible arrest.
The failure to inform customers of the breach has prompted scorn from the technology community which largely follows that hacked entities should notify those affected as soon as possible.


The NSA quietly commandeered a botnet targeting US Defence agencies to attack other victims including Chinese and Vietnamese dissidents, Snowden documents reveal.
The allegation is among the latest in a cache of revelations dropped by Der Spiegel that revealed more about the spy agency.
The "Boxingrumble" botnet was detected targeting the Defence Department's Nonsecure Internet Protocol Router Network prompting NSA bods to redirect the attack to a server operated by the Tailored Access Operations unit.
A DNS spoofing attack tricked the botnet into treating the spies as trusted command and control agents. The NSA then used the bot's hooks into other victims to foist its own custom malware.
Much of the bot-hijacking attacks dubbed "Quantumbot" by the NSA was conducted under its operation DEFIANT WARRIOR which utilised XKeyscore and infrastructure of Five Eyes allies including Australia, New Zealand, the UK and Canada to identify foreign bots ripe for attack.
The work granted broader network exploitation, attack and vantage points, NSA Power Point slides revealed (pdf).
It was part of what appeared to be the NSA's dream of having "a botnet upon which the sun never sets", a goal noted under the slide title "if wishes were ponies".
Bots found in the US would be referred to the FBI for cleansing, but infected victims in other countries were considered collateral.
The documents also revealed the NSA's Tutelage program (pdf), a sister to Turmoil and part of the Turbulence family of surveillance and exploitation kit, was used to block distributed denial of service (DoS) attacks by the Anonymous collective.
Tutelage was successful in identifying and blocking internet protocol addresses linked to the Low Orbit Ion Cannon DDoS software when US Defence agencies were attacked.
The documents also revealed NSA spies at Remote Operations Centres exfiltrated data through compromised machines owned by innocent victims that the agency dubbed 'Scapegoat Targets'.
The theme continued under its mobile phone infection efforts designed to plunder data from businesses. Staffers with NSA-infected handsets were referred to as "unwitting data mules", a nod to drug-dealer slang.

Microsoft Outlook PENETRATED by Chinese 'man-in-the-middle'

Great Wall of China

Microsoft suffered a "man-in-the-middle" attack on its Outlook email service in China over the weekend, according to Greatfire.org.
The assault on its mail systems apparently lasted around 24 hours before returning to normal. It came after Google's Gmail was blocked in the People's Republic late last year.
Greatfire.org said that it had tested IMAP and SMTP for Outlook on Saturday and found that both protocols were under a MitM attack in the country.
The China censorship watcher said:
"This attack comes within a month of the complete blocking of Gmail (which is still entirely inaccessible). Because of the similarity between this attack and previous, recent MitM attacks in China (on Google, Yahoo and Apple), we once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack or have willingly allowed the attack to happen.
"If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor