Archive for hack

The SolarWinds Hack: Here’s A Run Down

Posted in Commentary with tags on December 18, 2020 by itnerd

You’ve likely heard a lot about the SolarWinds hack, an epic compromise of numerous US government departments by presumably Russian actors. It’s kind of confusing to keep track of, so I’ve decided to write up a quick summary of what is known so far.

This incident began last week when security firm FireEye said that a state-sponsored hacking group, likely Russian, had accessed its internal network, stolen its pen-testing tools and tried to access documents on its government contracts. That was bad. But it got worse when, while investigating the intrusion, FireEye traced its source to a malware-laced version of SolarWinds Orion, a network monitoring tool used inside large enterprise networks. SolarWinds was notified and admitted to the compromise last week. But by that point, US government departments had been hacked on a huge scale. On top of that, SolarWinds admitted that everything from its internal networks to its Office 365 accounts had been compromised, and that 18,000 or so of its customers may have installed the malicious update.

On Wednesday, Microsoft took steps to protect users by taking over the web domain that the first-stage malware used to report to the attackers. Together with GoDaddy and FireEye, Microsoft turned the domain into a kill switch to stop the malware from beaconing back to its operators and downloading second-stage payloads. By that point, though, the damage had been done. I’m sure there was some self-interest there too, as one of the victims of this attack was Microsoft itself.

As for the Russians who are allegedly behind this, The Washington Post claimed that Russia’s APT29 hacking group is behind the SolarWinds hack, but no government or security firm has backed up the paper’s claim. That said, this group has been behind other epic hacks and is linked to the Russian government, so the claim seems plausible.

Chris Hickman, chief security officer at digital identity security vendor Keyfactor (www.keyfactor.com), had this to say about the hack and how the bad actors were able to pull it off:

“Code signing is one component of the SolarWinds breach, but not because of a stolen certificate. Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates allowing them to fabricate fake tokens for network access, traversing that to cloud access and subsequently manage network access and user permissions.”

Lovely. And it is likely we have not heard the last of this story. Stay tuned for updates as this story evolves.
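Hickman’s point above about injection into the build process is the part of this story a defender can actually test for. As an added example of mine, not code from the original post, SolarWinds or Keyfactor, the Python below hashes every file in two build output trees and reports anything added, removed or altered between them. It assumes you have a trusted reference build (one produced from reviewed source on a machine the attacker does not control) to compare against; the file names and contents in the sample trees are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_manifests(reference, candidate):
    """Compare a trusted reference manifest with the manifest of a build under review.

    Any entry in 'added' or 'modified' is an artifact the reference build never produced;
    a valid code signature on it proves nothing, because signing happens after the build.
    """
    ref_paths, cand_paths = set(reference), set(candidate)
    return {
        "added": sorted(cand_paths - ref_paths),
        "removed": sorted(ref_paths - cand_paths),
        "modified": sorted(p for p in ref_paths & cand_paths if reference[p] != candidate[p]),
    }


def build_is_clean(reference, candidate):
    """True only when the candidate reproduces the reference byte for byte."""
    return not any(diff_manifests(reference, candidate).values())


def _write_tree(root, files):
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Constructed sample: a clean rebuild versus an output tree tampered with on the build host.

    The file names and bytes below are made up for the demo; they are not SolarWinds artifacts.
    """
    clean = {
        "bin/Monitor.Core.dll": b"MZ\x90\x00core-v1",
        "bin/Monitor.Web.dll": b"MZ\x90\x00web-v1",
        "config/app.xml": b"<app version='1'/>",
    }
    tampered = dict(clean)
    tampered["bin/Monitor.Core.dll"] += b"\x00injected-backdoor-class"  # extra code compiled in
    tampered["bin/Loader.dll"] = b"MZ\x90\x00dropper"                   # artifact the source never produced
    with tempfile.TemporaryDirectory() as ref_dir, tempfile.TemporaryDirectory() as cand_dir:
        _write_tree(ref_dir, clean)
        _write_tree(cand_dir, tampered)
        return diff_manifests(manifest(ref_dir), manifest(cand_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run as a script it reports the extra loader as added and the core library as modified. Two caveats matter in practice. The check only works when the build is reproducible: timestamps, embedded build IDs and signature blobs have to be stripped or normalised first, or every file shows up as modified. And the comparison is only as good as the reference: if the reference is the compromised build server’s own earlier output, an attacker who has been there since the start looks clean, which is exactly why the second build has to come from somewhere the attacker cannot reach.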

Russian Hacker Group Accused Of Targeting COVID-19 Vaccine Research In Canada, U.S. and U.K

Posted in Commentary with tags , , on July 16, 2020 by itnerd

Given the times we live in, a vaccine is the top thing the planet needs in order to get out of the COVID-19 pandemic. So it doesn’t exactly come as a shock that vaccine research is a target for nation-state hackers. Case in point: the news that Russian hackers have targeted COVID-19 research:

A hacker group “almost certainly” backed by Russia has tried to steal COVID-19-related vaccine research in Canada, the U.K. and the U.S., according to intelligence agencies in all three countries.

The Communications Security Establishment (CSE), responsible for Canada’s foreign signals intelligence, said APT29 — also known as Cozy Bear and the Dukes — is behind the malicious activity.

The group was accused of hacking the Democratic National Committee before the 2016 U.S. election.

The group “almost certainly operates as part of Russian intelligence services,” the CSE said in a statement released Thursday morning in co-ordination with its international counterparts — an allegation the Kremlin immediately denied.

No shock that the Kremlin denies this, as I am sure that nation states don’t want to be associated with the activities of the hacker groups they covertly sponsor; the distance gives them plausible deniability. This matters because Russia has a history of stealing intellectual property. David Masson, Director of Enterprise Security at Darktrace, goes into more detail about that:

The Soviet Union, and now its successor Russia, has a long and established history of stealing other countries’ intellectual property in order to satisfy national interests. In this instance, we are being warned about an APT (APT 29) linked to the Russian Intelligence Services using cyber-attacks to obtain information on COVID-19 research from medical organizations around the world. Given the recent warning from the US/UK and Canada combined, we can consider that these three countries have been victims of such attacks.

Russia is also facing the effects of this global pandemic and will be seeking “help” in order to deal with it now and in the future. Trying to gain an advantage in the fight against COVID-19 could well lead to theft of research from around the world in order to avoid otherwise necessary investment in time, money and effort (which may not be available). In the modern era, cyber-attacks have proven to be a very cost-effective way of obtaining information that may well be very difficult to get ahold of by other means. Currently the crown jewels in the COVID-19 fight will be a vaccine, so information and research on this subject are extremely valuable.

Medical research organisations, especially those working in academia often operate in a climate of trust and collaboration and will be seen as easy targets by groups such as APT29 who will exploit this. We can expect further attacks and further warnings as the pandemic wears on.

More Details On The Jeff Bezos Phone Hack Emerge…. Starting With The Fact That It Was An iPhone X That Was Hacked

Posted in Commentary with tags , on January 23, 2020 by itnerd

Yesterday, I wrote about the fact that Jeff Bezos had his phone hacked by the Saudis, though they deny being responsible, and that massive amounts of data were downloaded from it. Today more details have come out regarding this hack.

  • Yesterday it wasn’t clear what phone he was using. We now know via the New York Times that it was an iPhone X.
  • This hack apparently led to a blackmail attempt of sorts from American Media, Inc., which also owns the National Enquirer, as what was taken was apparently “embarrassing” texts and photos. That in turn led to the famous “No thank you, Mr. Pecker” Medium post.

Now when I started writing this story, I thought all of this sounded familiar. And I was right, once I started to look back through the blog. The attack vector and the type of attack are very similar to an attack on a human rights activist back in 2016. The source of that attack was malware provided by a shadowy company called NSO Group, which is known to sell its malware to governments that don’t exactly have the best human rights records. At the time Apple released an emergency patch to iOS 9 to close the holes that were used in that incident. Fast forward to today, where the UN report that led to me writing yesterday’s story also points to NSO:

The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group’s Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials. This would be consistent with other information. For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.

And to add to this, Facebook, which owns WhatsApp, fixed a flaw that fits this attack vector almost a year ago. The thinking at the time was that NSO Group was behind that attack as well.

Now the question is how did we get to where we are now? Well, if you accept that the Saudis are behind this, the theory that is floating around is as follows:

  • Just before the hack, The Washington Post, which Jeff Bezos owns, was investigating American Media, Inc. and its role in helping President Donald Trump silence women he had affairs with.
  • Jamal Khashoggi also wrote for The Washington Post. He was a vocal critic of the Saudi government and was murdered because of that, and a lot of the negative things he had to say about the Saudi government ended up in the Washington Post.
  • The Saudis were likely not happy about the Washington Post’s reporting, and they have a bit of a reputation for going after people they perceive as threats in a variety of ways. Thus they hatched a scheme to use the NSO malware to get something on Bezos, and hit the jackpot with whatever “embarrassing texts and photos” they got off the phone. Whatever “embarrassing” items they got were then turned over to American Media, Inc. to punish Bezos for the coverage they didn’t like. American Media in turn tried to use this “embarrassing” info to shut down the investigation into its help for President Trump. Except that it backfired on them when Bezos went public on Medium.

Interesting theory. But what is needed now is facts. Only a broader investigation can separate fact from fiction, follow the facts to nail down the parties responsible and hold them accountable in any and every way possible. Clearly this was a very targeted and sophisticated attack, and because of that it is one that cannot go unpunished.

The Chinese Are Named As The Source Of The Marriott Hack….. Hmmmmm……

Posted in Commentary with tags on December 12, 2018 by itnerd

In a plot twist that I wasn’t expecting, the Chinese are being named by the US Government as the people behind the Marriott hack. That’s the hack where 500 million people were affected. The New York Times has details on this and what the US Government is likely to do about it:

The hackers, they said, are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency. The discovery comes as the Trump administration is planning actions targeting China’s trade, cyber and economic policies, perhaps within days.

Those moves include indictments against Chinese hackers working for the intelligence services and the military, according to four government officials who spoke on the condition of anonymity. The Trump administration also plans to declassify intelligence reports to reveal Chinese efforts dating to at least 2014 to build a database containing names of executives and American government officials with security clearances.

Other options include an executive order intended to make it harder for Chinese companies to obtain critical components for telecommunications equipment, a senior American official with knowledge of the plans said.

Well, seeing as Canada is currently holding the CFO of Huawei at the request of the US because she has been named as someone who orchestrated violations of sanctions against Iran, you have to see this as an escalation of tensions between the US and China. Assuming that the Chinese are behind this hack, of course. I suspect that the story behind this hack is about to get very interesting very quickly.

Experts Weigh In On Marriott Hack

Posted in Commentary with tags on December 3, 2018 by itnerd

It’s now been a few days since the epic Marriott hack that put 500 million people at risk of having their personal data used for who knows what nefarious purpose. Experts have started to weigh in and the consensus is that this was avoidable. World famous hacker Kevin Mitnick was the first to weigh in:

But since then others have added their thoughts. Dan Dearing, senior director of product marketing at Pulse Secure, a San Jose-based provider of secure network and mobile access solutions to 80% of the Fortune 500 companies, had this to say:

“Early reports stated that security experts working with Marriott determined that there had been unauthorized access of the Starwood network since 2014.

“This type of “lying in wait” threat is driving many IT organizations to rethink how they secure their network to combat hackers who are sophisticated and patient enough to wait for the big payoff. The new security buzzword that describes how companies can defeat this type of threat is “zero-trust.” Essentially, IT cannot trust anything or anyone inside or outside of their network. Instead, they must deploy security tools that help enable them to always verify who the user is, whether the user is authorized to access the desired application or data, and finally if the user’s laptop or mobile device meets the security standards of the company. Only if all three conditions are met is the user allowed on the network.”
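Dearing’s three checks map onto a single policy decision that fails closed. As an added example of mine, not code from the original post or from Pulse Secure, the Python below evaluates a request against identity, authorization and device posture and denies unless all three pass. The application entitlements, the request attributes and the freshness thresholds are assumptions made for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool            # identity: did a strong factor back this session?
    groups: Tuple[str, ...]       # authorization: what the identity provider says about the user
    app: str
    device_managed: bool          # posture: reported by the endpoint agent
    disk_encrypted: bool
    os_patch_age_days: int
    posture_checked_at: Optional[datetime]  # None means no attestation was presented


# Constructed entitlements (an assumption for the demo): which groups may reach which app.
APP_ENTITLEMENTS = {
    "guest-reservations-db": {"reservations-dba", "fraud-analysts"},
    "hr-portal": {"hr-staff"},
}


def evaluate(req, now, max_posture_age=timedelta(minutes=15), max_patch_age_days=30):
    """Return (allowed, reasons). Every check must pass; anything missing or stale is a denial."""
    reasons = []

    # 1. Who is the user? An unverified session is treated the same as an anonymous one.
    if not req.user or not req.mfa_verified:
        reasons.append("identity: session not backed by MFA")

    # 2. Is this user entitled to this application? Unknown apps are denied, not defaulted open.
    allowed_groups = APP_ENTITLEMENTS.get(req.app)
    if allowed_groups is None:
        reasons.append(f"authz: no policy for app {req.app!r}")
    elif not allowed_groups.intersection(req.groups):
        reasons.append(f"authz: {req.user} is not entitled to {req.app}")

    # 3. Does the device meet the bar right now? A missing or stale attestation counts as failing.
    if req.posture_checked_at is None or now - req.posture_checked_at > max_posture_age:
        reasons.append("posture: no fresh device attestation")
    else:
        if not req.device_managed:
            reasons.append("posture: device is not managed")
        if not req.disk_encrypted:
            reasons.append("posture: disk is not encrypted")
        if req.os_patch_age_days > max_patch_age_days:
            reasons.append(f"posture: OS patches are {req.os_patch_age_days} days old")

    return (not reasons, reasons)


def demo():
    """Three constructed requests: one that passes and two that each fail a single check."""
    now = datetime(2018, 12, 3, 9, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(hours=6)
    base = dict(mfa_verified=True, groups=("reservations-dba",), app="guest-reservations-db",
                device_managed=True, disk_encrypted=True, os_patch_age_days=3,
                posture_checked_at=fresh)
    requests = {
        "dba_on_healthy_laptop": AccessRequest(user="dba1", **base),
        "dba_with_stale_posture": AccessRequest(user="dba1", **{**base, "posture_checked_at": stale}),
        "hr_user_wrong_app": AccessRequest(user="hr1", **{**base, "groups": ("hr-staff",)}),
    }
    return {name: evaluate(req, now) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

The point of the structure is that the three checks are conjunctive and the default is deny: a request with no posture attestation at all, or one for an application nobody has written policy for, is refused with a reason rather than let through. In a real deployment the inputs come from the identity provider, an endpoint agent and the application inventory, and the decision is re-evaluated per request or per short-lived session rather than once at login, which is what stops a four-year “lying in wait” intruder from riding a single old authentication.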

From a legal standpoint there is Cathryn Culverhouse, a solicitor at the city law firm DMH Stallard and an expert on data protection and the GDPR. She had this to say:

“Marriott have today announced that they have suffered a major data breach following the hack of its database. The breach is thought to include the personal data of up to 500 million customers, including (but not limited to) names, addresses, passport numbers and account details. This is clearly sensitive personal information from which individuals can easily be identified. Such information getting into the hands of fraudsters could have severe consequences, especially in respect of identity or bank fraud.

“Marriott are likely to be investigated by the ICO and could receive a hefty fine (up to 4% of their annual global turnover) given the large scale breach of sensitive information. This is likely to have a damaging impact on the hotel’s reputation.

“If a customer of Marriott has been affected by the breach they should be notified by Marriott without delay – although delay is not defined within GDPR and such a timeline will depend on the circumstances.

“Customers who may have been affected should visit the website set up by Marriott (https://answers.kroll.com/) to obtain more information, including details of the year-long subscription to a fraud-detecting service in the US, UK and Canada that Marriott are providing to their customers free of charge.

“These customers also have a potential claim against Marriott for compensation in respect of any losses.”   

Finally, there’s Nick Wyatt, Head of Tourism at GlobalData, a leading data and analytics company, who offers his view on how the company can turn the disaster into a positive:

“Marriott cannot afford for this to happen again and so must now invest very heavily in improved detection and response-based technologies such as deception-based solutions, endpoint detection and response, software defined segmentation, and behavior analytics.

“GlobalData forecasts that by 2021, global cybersecurity products and services revenues are expected to reach US$140bn, up from US$114bn in 2017 and breaches like this present a great opportunity for cybersecurity consultants like Accenture, IBM, KPMG, PwC, FireEye, Herjavec Group, and Root9B. Other hotel companies cannot afford to ignore this issue and these companies can profit greatly as a result.

“In the more immediate term, Marriott must show that it is employing post-breach consultants to help take all actions possible to protect critical digital assets. Such firms will also look to identify the characteristics of the hackers in a bid to pre-empt further attacks. If Marriott can demonstrate that it is using such services, its claims of reducing future data security risks will have far more credibility.

“Marriott has a chance to repair the reputational damage inflicted by shaping the future for the better and being seen as the catalyst for improved industry standard systems would be a great fillip. It must seize this opportunity to turn a great negative into a positive.”

This hack has the potential to be the biggest hack in history….. until the next one. Thus I hope that companies large and small are looking at this hack and taking the advice of experts such as these so that they don’t become the next victim and put their customers’ data at risk.

Another Man Pleads Guilty To iCloud Celebrity Hack

Posted in Commentary with tags , on July 4, 2016 by itnerd

You might recall that several celebrities had their iCloud accounts hacked and their nude pictures posted for all to see. You may also recall that one person has already pleaded guilty to doing this. Well, a second man is going to join that first individual in the grey bar hotel, according to the US Department of Justice website. Edward Majerczyk has pleaded guilty to a felony violation of the Computer Fraud and Abuse Act, namely unauthorized access to a protected computer to obtain information. He faces a maximum sentence of five years in prison. The feds couldn’t prove that he leaked the photographs, which implies that this may not yet be over. Thus you may want to stay tuned for more arrests.

Hacking Team Malware For Android Deconstructed…. Found To Be Very Scary

Posted in Commentary with tags , on July 22, 2015 by itnerd

The more that I hear about the Hacking Team hack, the scarier the news gets. This latest piece of news comes from Trend Micro who looked at RCSAndroid (Remote Control System Android) from the Hacking Team. Their assessment was this:

The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed. The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations.

Why is that? I’ll tell you:

Based on the leaked code, the RCSAndroid app can do the following intrusive routines to spy on targets:

  • Capture screenshots using the “screencap” command and framebuffer direct reading
  • Monitor clipboard content
  • Collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn
  • Record using the microphone
  • Collect SMS, MMS, and Gmail messages
  • Record location
  • Gather device information
  • Capture photos using the front and back cameras
  • Collect contacts and decode messages from IM accounts, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.
  • Capture real-time voice calls in any network or app by hooking into the “mediaserver” system service

The really scary part is that this code has been in the wild since 2012. Now the Trend Micro article does describe how to protect yourself from this. But if you are infected, you’re pretty much screwed because it can only be removed with the help of the company that made your Android device. Lovely.

What’s also scary is that we’re not done yet with this as there will likely be more from this hack that will keep people like me awake at night.

Hackers Demonstrate How Easy It Is To Hack Into A Car From Miles Away

Posted in Commentary with tags , on July 22, 2015 by itnerd

Last week, I suggested that car manufacturers needed a “Patch Tuesday” to ensure that the driving public is safe(er), because of some high profile recalls due to safety-related software bugs. I didn’t address security, and given this video from Wired Magazine, I perhaps should have. In short, a couple of security researchers have shown how easy it is to hack into a car from miles away, in this case a Jeep Cherokee via the car’s Uconnect system. What they managed to do should scare you. But I won’t spoil the surprise. Watch this video to see what they did:

As you can see, they were able to control the steering, brakes and engine, among other things.

Here’s why it should scare you:

  1. Software companies for the most part are used to responding to people finding security holes in their software. But this is a new concept to car companies.
  2. Car companies are also not used to hunting for these sorts of bugs. Thus it is likely all sorts of vulnerabilities like this exist. Which means that it is likely that in the era of the connected car that any car can be pwned.
  3. Let’s pretend for a second that car companies are able to respond to issues like these. How do they get patches to end users? Tesla does over the air updates. But no other car company comes close.

Now the people who found these holes in Uconnect reported them to Chrysler and gave them time to fix the issues via a software update, which you can likely find here (have your VIN handy). But the only people who will know to upgrade their Uconnect systems are those who are aware of this issue. That’s why the “Patch Tuesday” article that I wrote is so timely. The car industry needs to get something like this out to drivers quickly given the scope of the issue. There’s also one other issue: someone with less honorable intentions could cause a lot of mayhem via exploits like this. Thus one wonders what the car industry is doing to protect drivers. That’s something that I really would like to know, and the car industry needs to articulate it sooner rather than later.

Walmart Canada Looking Into Credit Card Hack

Posted in Commentary with tags , , on July 11, 2015 by itnerd

It appears that a website run on behalf of Walmart Canada by PNI Digital Media, a company owned by Staples, might have been hacked and credit card data might have been stolen:

“We were recently informed of a potential compromise of customer credit card data involving Walmart Canada’s Photocentre website, www.walmartcanadaphotocentre.ca, which is operated by a third-party,” said Alex Roberton, director of corporate affairs and social media at Walmart Canada. “We recommend Walmart Canada’s Online Photocentre customers monitor their card transactions closely and immediately alert their financial institution about any unauthorized charges.”

Mr. Roberton said the company has disabled the website and its mobile applications and notified the Office of the Privacy Commissioner of Canada.

Walmart said it has “no reason to believe” its Walmart.ca and Walmart.com destinations or its in-store transactions have been affected.

Still, 60,000 people might have been affected by this. That’s not good. This is one story that is sure to develop as the scope of this hack is revealed. Stay tuned.

FBI Nabs Chicago Man’s Computers In Relation To Epic iCloud Hack

Posted in Commentary with tags , on June 11, 2015 by itnerd

Remember that iCloud hack that resulted in the nudie pix of various celebrities being leaked to the world? Well, the FBI apparently has hit the home of a Chicago man and taken all his computers as part of the investigation. Here’s what Gawker had to say:

A recently unsealed federal search warrant and related affidavit pertaining to the FBI’s investigation into the iCloud hacker ring shows the investigation moving offline. On October 15th, 2014, federal agents entered the neat, modest brick home of Emilio Herrera on the South Side of Chicago. According to a sworn affidavit by Special Agent Josh Sedowsky of the FBI’s Cybercrimes Unit, someone in this house had been on an iCloud hacking spree.

“Based on victim account records obtained from Apple,” Sedowsky wrote, “one or more computers used at [Herrera’s house] access or attempted to access without authorization multiple celebrities’ e-mail and iCloud accounts over the course of several months.

Now, here’s the part that has me floored:

Herrera’s alleged iCloud cracking went way beyond that narrow list of celebs: between May 31, 2013, and August 31, 2014, his IP address “was used to access approximately 572 unique iCloud accounts,” and “in total, the unique iCloud accounts were accessed 3,263 times.”

Really? He didn’t hide his own IP address? Folks, he isn’t some sort of hacking mastermind. He’s a low grade script kiddie. Of course that assumes that he’s the responsible party as he hasn’t been charged with anything. Yet. Stay tuned to this space to see if he does get charged.
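The detail that floors me is also the detail a defender would key on: one source address touching hundreds of distinct accounts is the signature of account spraying or credential stuffing, and it is visible in plain authentication logs. As an added example of mine, not code from Gawker, Apple or the FBI, the Python below scans a constructed log of login events and flags any source IP that reaches more than a set number of distinct accounts inside a sliding time window. The log format, addresses and account names are made up for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of authentication events, not real iCloud or Apple logs.
# Fields: ISO-8601 timestamp, source IP, target account, outcome.
SAMPLE_LOG = """\
2014-06-01T02:13:05Z 198.51.100.23 alice@example.com success
2014-06-01T02:13:41Z 198.51.100.23 bob@example.com failure
2014-06-01T02:14:02Z 198.51.100.23 carol@example.com failure
2014-06-01T02:15:19Z 198.51.100.23 dave@example.com success
2014-06-01T02:16:33Z 198.51.100.23 erin@example.com failure
2014-06-01T02:17:08Z 198.51.100.23 frank@example.com success
2014-06-01T02:17:55Z 198.51.100.23 alice@example.com success
2014-06-01T09:00:00Z 203.0.113.9 grace@example.com success
2014-06-01T09:05:00Z 203.0.113.9 grace@example.com success
2014-06-02T09:00:00Z 203.0.113.9 grace@example.com success
2014-06-10T11:00:00Z 192.0.2.44 heidi@example.com success
2014-07-20T11:00:00Z 192.0.2.44 ivan@example.com success
2014-08-30T11:00:00Z 192.0.2.44 judy@example.com success
"""


def parse_log(text):
    """Parse the sample format into (timestamp, ip, account, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ip, account, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, account.lower(), outcome))
    events.sort(key=lambda e: e[0])
    return events


def flag_account_spraying(events, max_accounts=5, window=timedelta(hours=24)):
    """Return {ip: (peak_distinct_accounts, total_attempts)} for every source IP that
    touched more than max_accounts distinct accounts within any span of length `window`.

    A legitimate user may log into a handful of accounts; one address walking through
    dozens of unrelated accounts, succeeding or not, is the spraying signature.
    """
    recent = defaultdict(deque)   # ip -> events still inside the window, oldest first
    peak = defaultdict(int)
    attempts = defaultdict(int)
    for when, ip, account, _outcome in events:
        attempts[ip] += 1
        q = recent[ip]
        q.append((when, account))
        while q and when - q[0][0] > window:
            q.popleft()
        distinct = len({acct for _, acct in q})
        peak[ip] = max(peak[ip], distinct)
    return {ip: (peak[ip], attempts[ip]) for ip in peak if peak[ip] > max_accounts}


def demo():
    """Run the detector over the sample with a daily threshold and a long, low-and-slow one."""
    events = parse_log(SAMPLE_LOG)
    return {
        "daily": flag_account_spraying(events),
        "long_term": flag_account_spraying(events, max_accounts=2, window=timedelta(days=90)),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

With the defaults (more than five accounts in 24 hours) only the first address is flagged; widening the window to 90 days and lowering the bar also catches the slow address that hit three accounts weeks apart, which is the low-and-slow pattern a per-day threshold alone misses and the one that fits 572 accounts over fifteen months. The trade-off is false positives from shared egress (corporate NAT, carrier-grade NAT), so in practice the threshold is tuned per source type and successful logins against many accounts weigh far more than failures.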