Thursday, 25 July 2019

Joburg City Power hit by virus, affecting electricity purchases

A computer virus which has hit City Power has resulted in a blackout to its internet technology system, leaving scores of Johannesburg residents unable to purchase electricity, as their kilowatts approach 0.00.
The power utility’s spokesperson Isaac Mangena said the virus had attacked its database and other software, impacting on most of its applications and networks.
The virus has also prevented those who had already bought their electricity from uploading it to their meter boxes.
The City Power website is also affected by the virus.
"It may also affect our response to some outages, as the system to order and dispatch material is affected. City Power IT team has been working since early morning 01:00 to fix this problem," Mangena said.
He said they hoped to have the glitch fixed by midday on Thursday.
On Wednesday, the utility announced that it was experiencing capacity constraints due to the cold weather in Johannesburg.
Mangena said cold weather conditions could result in unplanned outages, as the electrical system experienced overloading when demand increased.
He said plans were in place to deal with unplanned outages. The key focus of the plan was to attend to those areas that experienced repeated unplanned outages on the same day or week, he said.
"We have also increased the number of technicians in areas that are prone to repeated unplanned power outages.
"More teams have been put on standby so that they can be dispatched to attend to outages and respond to emergency calls," he said.
Residents have been urged to use electricity sparingly during this time.

Sunday, 21 July 2019

iNSYNQ Cloud Hosting Provider Hit by Ransomware Attack

Cloud computing provider iNSYNQ experienced a ransomware attack which forced the company to shut down some of its servers to contain the malware infection from spreading and affecting more customer data.
iNSYNQ is an authorized Microsoft, Intuit, and Sage host which provides customers with cloud-based virtual desktops designed to host business applications such as QuickBooks, Sage, Act & Office.
"iNSYNQ experienced a ransomware attack on 7/16/19 perpetrated by unknown malicious attackers. The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible," says a status update published on the company's support website.
"As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment. This effort was made to protect our clients data and backups.
iNSYNQ status
The cloud hosting firm also says that it has hired cybersecurity experts to help restore access to affected customer data and to all clients' virtual desktops, with "major traction" to be made "by early next week" according to a letter sent to customers by iNSYNQ's CEO.
As iNSYNQ's CEO Elliot Luchansky also added in his letter, "Understandably, there have been many requests for backups I want to be very clear that we are not withholding data or backups, we simply cannot safely access them at this time.
"We'll still doing everything in our power to ensure that the backups are available to you once we have addressed the underlying problem. Our entire team is working diligently to protect and restore access to your impacted data [..]"
Luchansky also answered some of the questions asked by iNSYNQ's customers following the downtime caused by the ransomware attack stating that:
Unfortunately, these kinds of things are inevitable. No system is 100% impervious to malware, and we collectively were victims of an attack perpetrated by unknown malicious actors. We wish we had a quick-fix or a way to fully eliminate these risks. If we did, then obviously this kind of event would never happen.
He also said that a timeline for when the customers' environments will be back up is not yet available but the iNSYNQ team is accelerating the process of restoring the clients' data and getting all systems online.
Letter from iNSYNQ's CEO
Letter from iNSYNQ's CEO (h/t TC)
"We turned off servers as soon as we identified that we were being attacked, and are currently working very closely with industry-leading experts that specialize in working through events like this, so that we are able to restore the access as quickly as we possibly can," added Luchansky.
"We contained the situation as soon as we became aware of it. There is no evidence to suggest that any of your files have been copied from the iNSYNQ environment. The issue at hand centers on being able to access your files that have been encrypted; it is not a matter of your data being stolen or copied," iNSYNQ's CEO also said.
While the letter sent by the CEO to the company's customers after the security incident provides some extra info on what happened, there is no mention of the ransomware attack that hit iNSYNQ on Luchansky's Twitter account or on the iNSYNQ account that is no longer accessible — a Google-cached version of the account's contents can be found here).
A customer who got in touch with the iNSYNQ team says that the clients' data backups were stored on a separate server but on the same network affected by the cyber-attack. 
The company also believes that all the customer data will be recovered and restored but it will take some time until all the backups will be checked to make sure that the malware did not affect them in any way.

Saturday, 20 July 2019

Russian FSB Intel Agency Contractor Hacked, Secret Projects Exposed

A contractor for the Russian Federal Security Service (FSB) has been hacked and secret projects that were being developed for the intelligence agency were leaked to Russian Media. These projects detail Russia's attempt to de-anonymize users on the Tor network, collect data from social networks, and how to isolate the Russian portion of the Internet from the rest of the world.
On July 13th, 2019, a contactor for the Russia FSB named "Sytech" was claimed to be hacked by a hacking group named 0v1ru$. As part of this hack, the group defaced the contactor's site to show an image of "Yoba-face", which they posted an image of on their Twitter feed.
Yoba-face on Sytech's site
Yoba-face on Sytech's site
In addition, BBC Russia reports that the hackers stole 7.5TB of data from the contractor's network. This data includes information about numerous non-public projects that were being developed by Sytech on behalf of the Russian government and its intelligence agency.
To prove they gained access to Sytech's servers, 0v1ru$ posted images of internal pages of Sytech's web site and of server drives and users in their Windows domain controller.
This stolen data was then passed on to another hacking group named DigitalRevolution, who shared the data with Russian media.  Digital Revolution claimed to have hacked the Russian research institute "Kvant" in 2018.
Tweet from DigitalRevoluion
The stolen data seen by BBC Russia outlines a variety of projects being developed by Sytech. These projects include:
Mentor was allegedly being developed for the Russian military unit No. 71330, which is reportedly the radio-electronic intelligence of the FSB of Russia. This project would monitor selected email accounts at specified intervals in order to collect information related to certain phrases.
Nadezhda, or Hope in English, is a project designed to visualize how Russia is connected to the rest of the Internet. This research is part of Russia's attempts to create a "sovereign Internet" where Russia can isolate itself from the rest of the Internet.
Nautilus is a project developed between 2009 and 2010 to collect information about users on social networks such as Facebook, LinkedIn, and MySpace.
Nautilus-S is research into de-anonymizing users on the Tor network by creating exit nodes that were controlled by the Russian government. This project was allegedly started at the request of the Russian Research Institute "Kvant".
Reward was being designed to penetrate and perform covert operations on peer-to-peer networks. This includes BitTorrent, Jabber, OpenFT, and ED2K
Tax-3 is the most recent project and was commissioned by "Chief Scientific Innovation Innovation Center JSC, reporting to the Federal Tax Service.".  This project would provide the ability to manually remove information from the Federal Tax Service about people under state protection.
The site for Sytech (www.sytech.ru) has since been shut down and have not responded to inquiries by the BBC.
While this data breach is not nearly as concerning as the Vault 7 WikiLeaks leak of NSA exploits, the BBC has stated that this is the largest data leak in the history of Russian special services.

ever, warn police Microsoft opens Dynamics 365 bug bounty with $20k top prize

Microsoft has launched one more bug bounty to its security rewards lineup. Now researchers will for the first time be able to hunt for bugs in Dynamics 365 ERP and CRM software and get rewards of up to $20,000. 
The Dynamics 365 Bounty program opened two , inviting researchers to find and report vulnerabilities in Microsoft's Dynamics 365 applications with incentive rewards of between $500 and $20,000 for valid bugs. 
There are dozens of online and on-premise Dynamics 365 applications: online apps include Dynamics 365 for sales, customer service, field service, talent, finance and operations, retail and more. The latest releases of on-premise Dynamics 365 apps are also in scope, including Dynamics AX, CRM, GP, NAV, and SL.
Microsoft has also updated its main Microsoft Bug Bounty Program with simplified high-level requirements for them and extra links and resources. 
And it's reorganized its bug bounties into three main categories: Cloud Programs; Platform Programs; and Defense Programs. 
Dynamics 365 is the newest under the Cloud Programs section, which also includes Microsoft Identity services, such as Azure Active Directory. Also in this group are Azure DevOps Services, .NET Core and ASP.NET Core, andthe Microsoft Cloud Bounty. 
The Platform Programs cover Microsoft Hyper-V, the Windows Insider Preview, Windows Defender Application Guard, the Edge on Windows Insider Preview, and Office Insider. 


The Defense Programs currently only includes the 'Mitigation Bypass and Bounty for Defense', which offers the highest rewards of up to $100,000.
The extra resources include links to frequently asked questions, examples of low and high quality reportsthe Windows security servicing criteria, a directory of Azure ServicesMicrosoft product documentation, and a link to the Microsoft Security Research & Defense blog.    


The Dynamics 365 top payout is in line with the top reward for the Microsoft Cloud Bounty, which recently got bumped up to $20,000 from $15,000
Earlier this year Microsoft handed off payment-processing responsibilities to third-party bug bounty platform HackerOne and has since added Bugcrowd to its payment roster. Microsoft continues to handle triage of bug reports and deciding on the value of rewards, but moved to HackerOne and Bugcrowd in order to speed up payments to researchers offer different payment options, including in cryptocurrency. 

Sunday, 14 July 2019

 MUST READ: ZDNet is giving away $1,000 in Amazon gift cards Hacker discloses Magyar Telekom vulnerabilities, faces jail term


An ethical hacker who reported serious vulnerabilities in Magyar Telekom has been arrested and faces years behind bars for "disturbing a public utility."
Magyar Telekom, a Hungarian telecommunications company, filed a complaint against the hacker who is now being defended by the Hungarian Civil Liberties Union (HCLU/TASZ).
According to local media, the man discovered a severe vulnerability in the telecom provider's systems in April 2018. These findings were reported to the company and both parties met.
The idea of working together was floated but never came into fruition, and in the meantime, the researcher continued probing Magyar Telekom's networks.
In May, the hacker found another vulnerability which the publication says, if exploited, could have been used to "access all public and retail mobile and data traffic, and monitor servers."
According to Index.hu, the first vulnerability allowed the hacker to obtain an administrator password through a public-facing service. The second bug allowed him to "create a test user with administrative privileges."


On the same day, the company noticed strange activity on their network and reported a cyberintrusion to the police, leading to the man's arrest.
The trial has already begun. Hungary's prosecution service is requesting a prison term, while the HCLU has fought back, claiming that the indictment is "incomplete" as "it is not clear what exactly he has done."


Magyar Telekom told Napi.hu:
"The hacker, beyond the limits of ethical hacking, launched new attacks after the first attack, and began to crack additional systems with the data he had acquired so far."
A plea deal was on the table. If the man admitted his 'guilt,' he would be given a two-year suspended sentence. However, this was refused and now the researcher is being charged with an upgraded crime --  the "disrupting the operation of a public utility" -- and could end up behind bars for up to eight years.
Ethical hacking is often considered outside of criminal law as intrusions can benefit companies and society as a whole, a "good faith" concept which is argued as part of HCLU's defense strategy.
However, there are still rules which should be observed, such as making sure no private data is taken and day-to-day operations are not disrupted due to testing and probes.
This encapsulates the prosecutor's case. Law enforcement claim that the hacker crossed an ethical line and his actions may have posed a "danger to society," and therefore he can be charged under the country's criminal laws.
However, there is no evidence that the man in question disregarded these rules, and in a separate statement, the company said itself that the customer data was "safe and secure."
"If someone finds a mistake on a system of Magyar Telekom Group and reports it to Telekom immediately, it does not use it in any way (eg does not modify, delete, save information, etc.), cooperates with Telekom's own investigation and does not publish (this endangers the system), Telekom will not file a complaint against it," Magyar Telekom added.
The case is ongoing

Engineer flees to China after stealing source code of US train firm

Insider threats are a common problem for companies now increasingly reliant on computers and electronic systems, with the risk of intellectual property theft a constant worry. 
For one locomotive manufacturer in Chicago, a software engineer handed the keys to the kingdom became the ultimate example of how much data can be stolen by a single individual -- and where it may end up. 
According to newly unsealed federal indictment charges revealed by the US Department of Justice (DoJ) on Thursday, Xudong "William" Yao is currently in hiding after allegedly stealing a vast array of information belonging to his former employer. 
The unnamed locomotive manufacturer hired Yao in 2014. US prosecutors say that within two weeks of starting his new job, Yao downloaded over 3,000 electronic files containing "proprietary and trade secret information relating to the system that operates the manufacturer's locomotives."
This was not the end of the matter. Over the course of the next six months, the software engineer allegedly continued to download and steal more files containing corporate and intellectual property.
Notably, this included nine complete copies of the company's control system source code and the technical blueprints which described how the source code worked in depth.
While Yao pilfered the US company's trade secrets, the engineer also reportedly accepted a job with a business in China that specializes in automotive telematics. 
In February 2015, Yao was fired for reasons which were not related to theft by the US locomotive firm. In July 2015, following his dismissal, Yao made copies of the stolen data, traveled to China, and began working for his new employer. The engineer then traveled to Chicago with the stolen intellectual property in his possession before once again returning to China. 
Since his last known movements, the engineer has not been traced, but US law enforcement believes Yao is on the run in the country. A federal warrant was issued in 2017 but the engineer is yet to be apprehended. 
Yao is charged with nine counts of theft of trade secrets. If found and convicted, the software engineer faces up to 10 years in prison. 
Earlier this month, a 64-year-old electrical engineer was found guilty of conspiring to smuggle military-grade semiconductor chips to China. The engineer and co-conspirators posed as customers to gain access to custom processors, and the physical products were then shipped to a Chinese company. The processors are used by clients including the US Air Force and DARPA.

UK Home Secretary doubles down on cops' deeply flawed facial recognition trials

As if further indication was needed of Britain's slide into a surveillance state, Home Secretary Sajid Javid has backed highly flawed police trials of facial recognition cameras.
Speaking at the launch of tools to be used to combat online child abuse, he said it was right for forces to "be on top of the latest technology".

"I back the police in looking at technology and trialling it," he told the BBC. Javid added that "different types of facial recognition technology is being trialled especially by the Met at the moment and I think it's right they look at that,"
"If they want to take it further it's also right that they come to government, we look at it carefully and we set out through Parliament how that can work."
However, a report by researchers at the University of Essex into the Met's facial recognition trials last week found that just eight correct matches were made out of 42 suggested.
The researchers were granted unprecedented access to the final six tests and concluded that not only is the technology highly inaccurate but its deployment is likely to be found "unlawful" if challenged in court.
An individual in Cardiff has already mounted a legal challenge to the use of facial recognition tech in public areas by South Wales Police - this was the first such case to be launched in the UK.
Javid's comments come hot on the heels of remarks by the head of London's Metropolitan Police union that the authoritarian Chinese government's use of facial recognition was "spot on".
Speaking on the BBC Essex Breakfast Show, Ken Marsh said: "Although China is a very intrusive country and I don't agree with a lot of what they do, they've got it absolutely correct. They're recognising individuals per second and they've got it spot on."
The Information Commissioner, the UK's data watchdog, has also raised concerns about the technology, saying forces have to demonstrate that it is effective and less intrusive alternatives are not available.
Javid was speaking at the launch of new tools costing £1.7m designed to counter online child abuse.

They include a fast-forensic tool to analyse seized devices and find images already known to law enforcement; an image categorisation algorithm to assist officers to identify and categorise the severity of illegal imagery; and a capability to detect images with matching scenes to help identify children in indecent images in order to safeguard victims.
Javid said: “This game-changing tech will help us do this and will be vital in the fight against online child abusers.” 

TrickBot returns with new attack that compromised 250 million email addresses

The TrickBot malware, which earlier this year worked in tandem with the Ryuk ransomware to siphon millions of dollars for hackers, is back with a new attack that may have compromised as many as 250 million email accounts.


In a report by Deep Instinct, the cybersecurity company revealed a new variant of TrickBot that teams it up with a malicious, email-based infection and distribution module dubbed TrickBooster.

The new attack starts the same as in previous methods, with TrickBot infiltrating a victim’s computer. The malware then forces the machine to download TrickBooster, which reports back to a dedicated command and control server with lists of email addresses and log-in credentials harvested from the victim’s inbox, outbox, and address book. Afterwards, the TrickBooster server instructs the infected machine to send out malicious infection and spam emails, with the emails deleted from the outbox and trash folder to remain hidden from the victim.

In Deep Instinct’s investigation of TrickBooster and its associated network infrastructure, the cybersecurity firm discovered a database containing 250 million email accounts that were harvested by TrickBot operators. The addresses were likely also targeted with the malicious emails.

The recovered email dump includes about 26 million addresses on Gmail, 19 million on Yahoo, 11 million on Hotmail, 7 million on AOL, 3.5 million on MSN, and 2 million on Yahoo U.K. The compromised accounts also involved many government departments and agencies in the United States, including but not limited to the Department of Justice, the Department of Homeland Security, the Department of State, the Social Security Administration, the Internal Revenue Service, the Federal Aviation Administration, and the National Aeronautics and Space Administration. Others affected include government organizations and universities in the United Kingdom and Canada.