Sunday, 14 July 2019

 MUST READ: ZDNet is giving away $1,000 in Amazon gift cards Hacker discloses Magyar Telekom vulnerabilities, faces jail term


An ethical hacker who reported serious vulnerabilities in Magyar Telekom has been arrested and faces years behind bars for "disturbing a public utility."
Magyar Telekom, a Hungarian telecommunications company, filed a complaint against the hacker who is now being defended by the Hungarian Civil Liberties Union (HCLU/TASZ).
According to local media, the man discovered a severe vulnerability in the telecom provider's systems in April 2018. These findings were reported to the company and both parties met.
The idea of working together was floated but never came into fruition, and in the meantime, the researcher continued probing Magyar Telekom's networks.
In May, the hacker found another vulnerability which the publication says, if exploited, could have been used to "access all public and retail mobile and data traffic, and monitor servers."
According to Index.hu, the first vulnerability allowed the hacker to obtain an administrator password through a public-facing service. The second bug allowed him to "create a test user with administrative privileges."


On the same day, the company noticed strange activity on their network and reported a cyberintrusion to the police, leading to the man's arrest.
The trial has already begun. Hungary's prosecution service is requesting a prison term, while the HCLU has fought back, claiming that the indictment is "incomplete" as "it is not clear what exactly he has done."


Magyar Telekom told Napi.hu:
"The hacker, beyond the limits of ethical hacking, launched new attacks after the first attack, and began to crack additional systems with the data he had acquired so far."
A plea deal was on the table. If the man admitted his 'guilt,' he would be given a two-year suspended sentence. However, this was refused and now the researcher is being charged with an upgraded crime --  the "disrupting the operation of a public utility" -- and could end up behind bars for up to eight years.
Ethical hacking is often considered outside of criminal law as intrusions can benefit companies and society as a whole, a "good faith" concept which is argued as part of HCLU's defense strategy.
However, there are still rules which should be observed, such as making sure no private data is taken and day-to-day operations are not disrupted due to testing and probes.
This encapsulates the prosecutor's case. Law enforcement claim that the hacker crossed an ethical line and his actions may have posed a "danger to society," and therefore he can be charged under the country's criminal laws.
However, there is no evidence that the man in question disregarded these rules, and in a separate statement, the company said itself that the customer data was "safe and secure."
"If someone finds a mistake on a system of Magyar Telekom Group and reports it to Telekom immediately, it does not use it in any way (eg does not modify, delete, save information, etc.), cooperates with Telekom's own investigation and does not publish (this endangers the system), Telekom will not file a complaint against it," Magyar Telekom added.
The case is ongoing

Engineer flees to China after stealing source code of US train firm

Insider threats are a common problem for companies now increasingly reliant on computers and electronic systems, with the risk of intellectual property theft a constant worry. 
For one locomotive manufacturer in Chicago, a software engineer handed the keys to the kingdom became the ultimate example of how much data can be stolen by a single individual -- and where it may end up. 
According to newly unsealed federal indictment charges revealed by the US Department of Justice (DoJ) on Thursday, Xudong "William" Yao is currently in hiding after allegedly stealing a vast array of information belonging to his former employer. 
The unnamed locomotive manufacturer hired Yao in 2014. US prosecutors say that within two weeks of starting his new job, Yao downloaded over 3,000 electronic files containing "proprietary and trade secret information relating to the system that operates the manufacturer's locomotives."
This was not the end of the matter. Over the course of the next six months, the software engineer allegedly continued to download and steal more files containing corporate and intellectual property.
Notably, this included nine complete copies of the company's control system source code and the technical blueprints which described how the source code worked in depth.
While Yao pilfered the US company's trade secrets, the engineer also reportedly accepted a job with a business in China that specializes in automotive telematics. 
In February 2015, Yao was fired for reasons which were not related to theft by the US locomotive firm. In July 2015, following his dismissal, Yao made copies of the stolen data, traveled to China, and began working for his new employer. The engineer then traveled to Chicago with the stolen intellectual property in his possession before once again returning to China. 
Since his last known movements, the engineer has not been traced, but US law enforcement believes Yao is on the run in the country. A federal warrant was issued in 2017 but the engineer is yet to be apprehended. 
Yao is charged with nine counts of theft of trade secrets. If found and convicted, the software engineer faces up to 10 years in prison. 
Earlier this month, a 64-year-old electrical engineer was found guilty of conspiring to smuggle military-grade semiconductor chips to China. The engineer and co-conspirators posed as customers to gain access to custom processors, and the physical products were then shipped to a Chinese company. The processors are used by clients including the US Air Force and DARPA.

UK Home Secretary doubles down on cops' deeply flawed facial recognition trials

As if further indication was needed of Britain's slide into a surveillance state, Home Secretary Sajid Javid has backed highly flawed police trials of facial recognition cameras.
Speaking at the launch of tools to be used to combat online child abuse, he said it was right for forces to "be on top of the latest technology".

"I back the police in looking at technology and trialling it," he told the BBC. Javid added that "different types of facial recognition technology is being trialled especially by the Met at the moment and I think it's right they look at that,"
"If they want to take it further it's also right that they come to government, we look at it carefully and we set out through Parliament how that can work."
However, a report by researchers at the University of Essex into the Met's facial recognition trials last week found that just eight correct matches were made out of 42 suggested.
The researchers were granted unprecedented access to the final six tests and concluded that not only is the technology highly inaccurate but its deployment is likely to be found "unlawful" if challenged in court.
An individual in Cardiff has already mounted a legal challenge to the use of facial recognition tech in public areas by South Wales Police - this was the first such case to be launched in the UK.
Javid's comments come hot on the heels of remarks by the head of London's Metropolitan Police union that the authoritarian Chinese government's use of facial recognition was "spot on".
Speaking on the BBC Essex Breakfast Show, Ken Marsh said: "Although China is a very intrusive country and I don't agree with a lot of what they do, they've got it absolutely correct. They're recognising individuals per second and they've got it spot on."
The Information Commissioner, the UK's data watchdog, has also raised concerns about the technology, saying forces have to demonstrate that it is effective and less intrusive alternatives are not available.
Javid was speaking at the launch of new tools costing £1.7m designed to counter online child abuse.

They include a fast-forensic tool to analyse seized devices and find images already known to law enforcement; an image categorisation algorithm to assist officers to identify and categorise the severity of illegal imagery; and a capability to detect images with matching scenes to help identify children in indecent images in order to safeguard victims.
Javid said: “This game-changing tech will help us do this and will be vital in the fight against online child abusers.” 

TrickBot returns with new attack that compromised 250 million email addresses

The TrickBot malware, which earlier this year worked in tandem with the Ryuk ransomware to siphon millions of dollars for hackers, is back with a new attack that may have compromised as many as 250 million email accounts.


In a report by Deep Instinct, the cybersecurity company revealed a new variant of TrickBot that teams it up with a malicious, email-based infection and distribution module dubbed TrickBooster.

The new attack starts the same as in previous methods, with TrickBot infiltrating a victim’s computer. The malware then forces the machine to download TrickBooster, which reports back to a dedicated command and control server with lists of email addresses and log-in credentials harvested from the victim’s inbox, outbox, and address book. Afterwards, the TrickBooster server instructs the infected machine to send out malicious infection and spam emails, with the emails deleted from the outbox and trash folder to remain hidden from the victim.

In Deep Instinct’s investigation of TrickBooster and its associated network infrastructure, the cybersecurity firm discovered a database containing 250 million email accounts that were harvested by TrickBot operators. The addresses were likely also targeted with the malicious emails.

The recovered email dump includes about 26 million addresses on Gmail, 19 million on Yahoo, 11 million on Hotmail, 7 million on AOL, 3.5 million on MSN, and 2 million on Yahoo U.K. The compromised accounts also involved many government departments and agencies in the United States, including but not limited to the Department of Justice, the Department of Homeland Security, the Department of State, the Social Security Administration, the Internal Revenue Service, the Federal Aviation Administration, and the National Aeronautics and Space Administration. Others affected include government organizations and universities in the United Kingdom and Canada.