Friday, 6 March 2015

Cyber Criminals Leak First Episode of “CSI: Cyber”

The first episode of the new drama series CSI: Cyber has leaked online. The show, which documents the hunt for cyber-criminals, has apparently fallen victim to its main subject. Is CBS being put in its place by 'hackers' or could the leak be some kind of promotional stunt?
CSI: Cyber is the fourth series in the popular CSI franchise.
The police drama, starring Emmy Award winner Patricia Arquette, revolves around the FBI’s Cyber Crime Division which investigates illegal activities on the Internet, including piracy.
The new show is set to premiere tomorrow night but cyber criminals have spoiled the exclusive for CBS.
Ironically, or perhaps fittingly, leaked copies of the first episode surfaced on various pirate sites during the past day. The leaked footage comes from a high quality copy and doesn’t have any visible watermarks.
The leak appears to come from the P2P group “PMP” and is titled “CSI-Cyber-S01E01-HDTV-x264-PMP.”
Interestingly, however, the episode isn’t spreading through the usual torrent sites. Instead, it appeared on various streaming services and cyberlockers first, which is quite unusual.
Nothing in the copy points to its source. It may have come from a promotional screener, or perhaps the leak itself is the promotion; if so, it would not be the first time a TV series has been leaked on purpose to gain traction.
Judging by early viewers' comments, the pilot is getting mixed reviews. Some love the concept of a cyber CSI, but others are more critical of the technical details.
“Wow. Not a good first effort at all. Did they hire any real hackers or anyone with any real working knowledge of hacking,” one cyber ‘criminal’ commented.
Whether CBS plans to alert the FBI’s real “CSI:Cyber” to hunt down the leakers is unknown, but for now they remain on the loose.

UK Arrests 56 People For Data Theft, Hacking Attacks On Yahoo, DoD, PlayStation Networks


U.K.’s National Crime Agency (NCA) conducted 56 arrests in an effort to nab hackers during a “strike week” in the country. Officials conducted 25 different operations and those arrested were suspected of cybercrimes like data theft, fraud and virus writing, the BBC reported.

The raids were coordinated by the NCA's National Cyber Crime Unit (NCCU), officers from regional organised crime squads and the Metropolitan Police. In the largest operation of the week, 25 people suspected of using the Internet to steal money, launder cash and commit other fraud were arrested in London and Essex. Among those arrested was a man alleged to be part of the hacking group D33Ds, which attacked Yahoo in 2012 and published more than 400,000 usernames and passwords online.

“Criminals need to realize that committing crime online will not render them anonymous to law enforcement," Andy Archibald, deputy director of the NCCU, said, according to the BBC, adding: "It's imperative that we continue to work with partners to pursue and disrupt the major crime groups targeting the UK."

A 23-year-old man suspected of hacking into the U.S. Department of Defense in 2014 was also among those arrested. By targeting a satellite communications system, the attacker had been able to access “non-confidential contact information” for 800 users, including names, titles, email addresses and phone numbers, and had also obtained data on 34,400 devices, including IMEI numbers, Forbes reported.

“This arrest underscores DCIS [Defense Criminal Investigative Service] commitment and the joint ongoing efforts among international law enforcement to stop cyber criminals in their tracks. DCIS Special Agents will use every tool at their disposal to pursue and bring to justice those that attack the Department of Defense,” Jeffrey Thorpe, a special agent for the U.S. Department of Defense Criminal Investigative Service, said, according to Forbes.

Another man, arrested in Leeds during the week, is suspected of belonging to the infamous Lizard Squad, the group that claimed responsibility for recent attacks on the Xbox Live and PlayStation networks and on Lenovo.

Microsoft: All Windows versions Vulnerable to FREAK Vulnerability

The recently disclosed “FREAK” vulnerability, which apparently went unnoticed for more than a decade, also affects every supported version of Microsoft Windows, which makes the flaw worse than first thought.
FREAK is an SSL/TLS flaw disclosed on Monday that lets a man-in-the-middle force vulnerable clients, including those built on OpenSSL, to accept a weak, export-grade RSA key that can be factored with modest computing resources. Once the key is factored, the attacker can decrypt or tamper with HTTPS traffic between affected users and millions of websites.
Microsoft published an advisory on Thursday warning Windows users that Secure Channel (Schannel), the Windows implementation of SSL/TLS, is vulnerable to the FREAK encryption-downgrade attack, though it said it had received no reports of attacks in the wild.
When the flaw was first disclosed on Monday, Windows was believed to be immune. It is not: an attacker on the same network as a Windows machine can force software that uses the Schannel component, such as Internet Explorer, into weak encryption for its web connections.

“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” the company said in a security advisory. “The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems.”
FREAK, short for Factoring attack on RSA-EXPORT Keys, lets an attacker who can intercept a connection decrypt it, exposing login passwords, session cookies and even banking details.
The attack only works when the website or service at the other end still supports 1990s-era “export-grade” cryptography, meaning 512-bit RSA keys, the strongest the U.S. government then allowed to be shipped overseas. It had been assumed that almost no servers still accepted such keys, but millions of websites and services on the Internet still do.
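FREAK is easiest to recognise on the wire. The Python below is an added example, not code from Microsoft's advisory or from the FREAK researchers: it parses TLS 1.x handshake records and reports the two observable signs of exposure, a ClientHello that still offers export-grade cipher suites, and a ServerKeyExchange carrying an RSA modulus shorter than 1024 bits, which is the message a FREAK attacker injects and a vulnerable client wrongly accepts. The sample messages are constructed inside the block (not captured traffic); the cipher suite code points are the ones registered for the RFC 2246 export suites.

```python
"""Added example: spot FREAK exposure in raw TLS handshake bytes.

Two checks a defender can run over captured handshake records:
  1. does a ClientHello still offer any EXPORT cipher suite?
  2. does a ServerKeyExchange carry an RSA key shorter than 1024 bits?
All sample messages at the bottom are constructed for this example.
"""
import struct

# IANA code points for the export-grade suites defined in RFC 2246 (TLS 1.0).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE = 22                       # TLS record content type
CLIENT_HELLO, SERVER_KEY_EXCHANGE = 1, 12


def parse_record(data):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record")
    return ctype, version, fragment


def parse_handshake(fragment):
    """Return (msg_type, body) of the first handshake message in a fragment."""
    if len(fragment) < 4:
        raise ValueError("short handshake header")
    length = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    return fragment[0], body


def client_hello_suites(body):
    """Return the cipher suites a ClientHello offers, in preference order."""
    pos = 2 + 32                      # client_version, random
    pos += 1 + body[pos]              # session_id<0..32>
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = body[pos:pos + cs_len]
    if cs_len % 2 or len(suites) != cs_len:
        raise ValueError("bad cipher_suites vector")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]


def server_rsa_params(body):
    """Parse ServerRSAParams at the start of an RSA_EXPORT ServerKeyExchange.

    Returns (modulus_bits, exponent). The signature that follows is not parsed.
    """
    (n_len,) = struct.unpack("!H", body[:2])
    n = body[2:2 + n_len]
    (e_len,) = struct.unpack("!H", body[2 + n_len:4 + n_len])
    e = body[4 + n_len:4 + n_len + e_len]
    if len(n) != n_len or len(e) != e_len:
        raise ValueError("truncated ServerRSAParams")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def assess(record):
    """Return a list of FREAK-relevant findings for one handshake record."""
    ctype, _, fragment = parse_record(record)
    if ctype != HANDSHAKE:
        return []
    msg_type, body = parse_handshake(fragment)
    findings = []
    if msg_type == CLIENT_HELLO:
        for suite in client_hello_suites(body):
            if suite in EXPORT_SUITES:
                findings.append("client offers " + EXPORT_SUITES[suite])
    elif msg_type == SERVER_KEY_EXCHANGE:
        bits, _ = server_rsa_params(body)
        if bits < 1024:
            findings.append("server sent %d-bit ephemeral RSA key" % bits)
    return findings


# --- constructed sample messages (not captured traffic) ---------------------

def build_client_hello(suites):
    body = b"\x03\x01" + bytes(32) + b"\x00"             # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # compression_methods: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def build_rsa_export_ske(modulus_bits):
    n = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big")  # dummy modulus
    e = b"\x01\x00\x01"                                   # 65537
    params = struct.pack("!H", len(n)) + n + struct.pack("!H", len(e)) + e
    params += struct.pack("!H", 0)                        # zero-length signature placeholder
    hs = bytes([SERVER_KEY_EXCHANGE]) + len(params).to_bytes(3, "big") + params
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


LEGACY_HELLO = build_client_hello([0x002F, 0x0003, 0x0008])  # AES128-SHA plus two export suites
MODERN_HELLO = build_client_hello([0xC02F, 0x002F])          # no export suites offered
WEAK_SKE = build_rsa_export_ske(512)                         # the key a FREAK attacker injects

if __name__ == "__main__":
    for name, rec in [("legacy hello", LEGACY_HELLO), ("modern hello", MODERN_HELLO), ("ske", WEAK_SKE)]:
        print(name, assess(rec) or ["no finding"])
```

In a plain RSA key exchange the server sends no ServerKeyExchange at all, so a ServerRSAParams message with a 512-bit modulus arriving after a non-export suite was negotiated is the downgrade itself, not just a weak configuration. Run assess() over each handshake record in a capture: the client-side finding means the client is still advertising export suites, the server-side finding means the server is either export-capable or the connection is being attacked.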
The FREAK vulnerability in Windows Secure Channel (CVE-2015-1637) greatly expands the population of users known to be exposed. Affected versions of Windows include:

    Windows Server 2003
    Windows Vista
    Windows Server 2008
    Windows 7
    Windows 8 and 8.1
    Windows Server 2012
    Windows RT

Microsoft said it is “actively working” with its Microsoft Active Protections Program partners to protect users from FREAK and that, once its investigation is complete, it would “take the appropriate action to help protect customers.”
So, Windows users can either expect an out-of-band patch or a security bulletin released on a regular Patch Tuesday.
In recent weeks, security researchers scanned more than 14 million websites that support SSL/TLS and found that more than 36 percent of them still accepted RSA export cipher suites, leaving their users open to the attack.
Yesterday, Google released an updated version of Chrome for Mac that can no longer be forced to accept a 512-bit RSA key, closing the FREAK hole in that browser. Apple's Safari on OS X and iOS, by contrast, was still listed as vulnerable, with Apple saying a fix would ship the following week.
At the time of writing, the list of affected web browsers included Internet Explorer, Chrome on Android, the stock Android browser, the BlackBerry browser, Opera on Mac OS X and Opera on Linux. The researchers also published a test page that tells visitors whether their own browser is exposed.

Sheriff's Office website hacked

Officials say there was no specific motive in the hack that took over the Sheriff's website sometime overnight Monday.

Larimer County Sheriff's Office leaders woke up Tuesday morning to an anti-government message on the agency's website.

A Larimer County Sheriff's Office spokesman said the site had been hacked overnight Monday and was taken down early Tuesday as the webmaster worked with the Larimer County Information Technology Department to determine the cause of the security breach and to prevent future hacks on the website.
The message that appeared briefly was addressed to all governments, stating the agencies had failed their citizens. The message gave credit for the hack to a group it called "AnonGhost."
"It's my understanding that the team's notoriety is hacking into government-related websites and shutting them down," spokesman David Moore said. "I can't think of any specific reason we were targeted. A lot of times they do it just because they can."
The Sheriff's Office posted information about the hack Tuesday morning on Facebook.
Moore said there was no sensitive information on the website — rather, officials were more concerned about getting the website back up so residents could access public information.
AnonGhost's Facebook page was started in 2011 and has almost 12,000 likes. Its latest post as of Tuesday reads "hacked" with a link to the Sheriff's Office website.
Officials were able to get the website up and functioning normally Tuesday afternoon.

Adobe launches cashless bug bounty

If you had as many bugs as Adobe, would you offer cash?

Adobe has launched a bug bounty program that hands out high-fives, not cash.
The web application vulnerability disclosure program, announced today after a quiet launch last month, runs on HackerOne, the platform also used by Twitter, Yahoo! and CloudFlare, some of which pay cash or other rewards to those who report security holes.
Adobe's program seeks out common flaws in its online services, including cross-site scripting; privileged cross-site request forgery; server-side code execution; authentication or authorisation flaws; injection vulnerabilities; directory traversal; information disclosure, and significant security misconfiguration.
"In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform," wrote Adobe security program manager Pieter Ockers.
"Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score."
Hackers will need to be the first in for reporting a flaw and offer Adobe "reasonable" time to fix the flaws prior to public disclosure, Ockers says.
Smaller vulnerabilities such as the following are excluded:
  • Logout and other instances of low-severity cross-site request forgery
  • Perceived issues with password reset links
  • Missing HTTP security headers
  • Missing cookie flags on non-sensitive cookies
  • Clickjacking on static pages
The announcement comes in the same week that Airbnb launched its own bug bounty on HackerOne.
Bug bounties work best when they offer cash, according to Bugcrowd engineer Drew Sing. In vulnerability program guidelines published in July, he argued that money is the best incentive for researchers to test products and services more regularly and more intensely.
"A high priority security issue handled improperly could damage the reputation of the organisation ... the development, IT and communications team are all critical components to a successful program," Sing says.
The managed bug-bounty firm recommends that programs be published in an obvious location on the website, preferably at a /security page, and list a dedicated security contact who is well briefed in handling disclosures.
So why has Adobe decided street cred, not cash, is the way to go? Wags might wonder whether the company's infamously porous products have so many bugs that a cash bounty would dent the bottom line.

US Senators hope to crack down on the trade of private information

Four US senators are introducing legislation aimed at turning the screws on businesses that gather up and sell citizens' personal information.
Senators Edward Markey (D-MA), Richard Blumenthal (D-CT), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) have teamed up to introduce the Data-broker Accountability and Transparency Act (DATA), which would let Americans correct and remove their private details from brokers' databases.
If the bill makes it into law, so-called data brokers can be forced to stop selling a person's information, and they would be forbidden from using deceptive practices to gather data on people. Additionally, brokers would be required to give users access to their information, and allow them to update or correct sensitive records.
The bill covers information from ages and marital statuses to hobbies, jobs, ailments, and much more: details that companies can legally collect and sell to others. Publicly available information, such as names and addresses, can only be updated if the original source corrects the data.
A data broker is defined as:
A commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third-party access to the information.
So picture marketing giants that are fed information by shops and websites, and then use that to target specific adverts to people.
"The era of data keepers has given way to an era of data reapers. We need to shed light on this ‘shadow’ industry of surreptitious data collection that has amassed covert dossiers on hundreds of millions of Americans," Markey said in announcing the bill.
"This legislation ensures that data brokers cannot take advantage of the most valuable possessions that consumers have: their personal information."
Additionally, the bill would allow US watchdog the FTC to enforce the provisions of the (proposed) law and create a central website where users can look up the information collected on them by data brokers.
The last part is something that will be welcome news to the FTC. Last summer, the commission asked Congress to crack down on data brokers with stricter laws on the collection and selling of personal information.
The bill, S. 668, has been referred to the Senate Committee on Commerce, Science, and Transportation for further approval.

France fingered as source of Syria-spying Babar malware

Crack team of malware boffins think DGSE coded reconware

France's spy agency has been fingered as the likely author of complex reconnaissance malware, researchers say.
The Casper malware is one of a handful with links to the Babar spy program, which leaked intelligence documents from the Snowden cache, published earlier this year, revealed to be the handiwork of France's Direction Générale de la Sécurité Extérieure (General Directorate for External Security, or DGSE).
Babar emerged in 2009 and has since been used to log keystrokes, capture clipboard contents and listen in on Skype conversations, among other feats of interception.
ESET malware analyst Joan Calvet says in a report on Casper that it was used in April 2014 against Syrian targets.
"To attack their targets, Casper’s operators used zero-day exploits in Adobe Flash, and these exploits were – surprisingly – hosted on a Syrian governmental website," Calvet says.
"Casper is a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines."
"These targets may have been the visitors of the website — Syrian citizens who want to file a complaint. In this case they could have been redirected to the exploits from a legitimate page of this website."
The Syrian website may have been used as a means to store Casper's binaries and command and control componentry while concealing and misdirecting the identity of attackers.
Casper, analysed in a joint effort by malware researchers Marion Marschalek of Cyphort and Paul Rascagnères of G Data together with the Computer Incident Response Center Luxembourg, could not be definitively pinned on France on technical evidence alone.
But Calvet was able to obtain Casper samples through ESET's telemetry and found they were delivered by the same Flash exploits that Kaspersky researcher Vyacheslav Zakorzhevsky reported seeing on the Syrian site last April.
Casper is notable for identifying and evading specific versions of four anti-virus products, including Bitdefender, PC Tools and Avast, which it fingerprints on a target's Windows machine through Windows Management Instrumentation.
Calvet says this suggests the authors have "in-depth knowledge" of how those products work.
Depending on which product it finds, the malware either leaves the machine alone or changes tactics, for instance by injecting its code into a newly created process; it then took instructions, including orders to deploy additional plugins, from a command-and-control server that is now offline.
The research team found Casper's payloads closely resemble those of the DGSE-linked operation researchers have dubbed Animal Farm, under which Babar, Bunny and NBOT were developed.
"None of these signs alone is enough to establish a strong link but all the shared features together make us assess with high confidence that Bunny, Babar, NBOT and Casper were all developed by the same organisation," Calvet says.
Kaspersky malware boffin Costin Raiu, who independently analysed Casper, told Motherboard the Animal Farm operation was likely the work of a nation state given the absence of any financial motive.
“When you have such a large-scale operation going on for several years using multiple zero-days without any kind of financial outcome,” Raiu says.
"It’s obvious that it’s nation-state sponsored — it has to be.”

Mandarin Oriental coughs to credit card breach

Swanky hotel chain left with Michelin-starred egg on face

Upmarket hotel chain Mandarin Oriental has admitted to a credit card breach.
Investigative journalist Brian Krebs uncovered evidence of a breach before extracting an admission of the problem from the hotel group.
The root cause of the security spill – as well as the number of credit cards exposed – remain unclear, pending the results of a Mandarin Oriental investigation.
Krebs got wind of potential problems at the hotel chain as the result of a tip-off from a source in the financial services industry, who reported an emerging pattern of fraudulent charges on customer cards used to pay for stays at the hotels.
In a statement, Mandarin Oriental blamed malware for the breach:
Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorisation and in violation of both civil and criminal law.
The Group has identified and removed the malware and is co-ordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio.
We take the protection of customer information very seriously. Unfortunately incidents of this nature are increasingly becoming an industry-wide concern and we have therefore also alerted our technology peers in the hospitality industry.
The hotel chain, which operates upmarket hotels in 27 countries, said it had already added unspecified extra security measures in the wake of the breach, which remains under investigation.
Mandarin Oriental asserted that the malware involved went undetected by all anti-virus products.
The compromise probably dates back to just before Christmas 2014 and involves stays at US hotels, according to Krebs. The investigative journalist raised the possibility that compromised payment terminals at restaurants and other businesses located inside of these hotels, rather than payment data extracted from hotel front desk systems, may be behind the breach.
There are precedents for this particular type of problem. For example, last year White Lodging Services Corp disclosed a breach limited to restaurants and gift shops hosted within its hotels.
Whether that is what happened at Mandarin Oriental is pure speculation at this stage, but it is a credible theory that illustrates the tactics of card fraudsters.
Third-party security experts advised Mandarin to focus on keeping on top of the breach notification process in order to keep its wealthy clients on side.
"Mandarin Oriental will need to limit the fall-out of this breach as quickly and efficiently as it can," said Mark James, security specialist at anti-virus firm ESET. "Information is key here and getting that out to the affected users as quickly and concisely as possible will help towards keeping its reputation and its customers."
He added: "A lot of people these days accept the fact that their data online is not safe and will be subjected to theft at some point. It’s how companies affected by data breaches react and recover that sets them apart from the others. Free credit monitoring for all affected parties is a must, along with information on how, when and what they are doing to stop it from happening again.”