Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs many interesting services and supports enthusiasts in interesting projects.

Categories

Inside the CCleaner Backdoor Attack

Threatpost - 5 October, 2017 - 11:18
Two members of Avast's threat intelligence team shared new information about the CCleaner backdoor attack.
Category: Hacking & Security

Security experts sound the alarm. Attacks on bank accounts are on the rise

Novinky.cz - security - 5 October, 2017 - 10:40
The motivation of computer pirates in recent weeks is clear: money. Cybercriminals are increasingly targeting their victims' bank accounts. This follows from an analysis by the security company Check Point of the biggest cyber threats for the month of August.
Category: Hacking & Security

Spanish Court Agrees to Extradite Russian Spam King to the United States

The Hacker News - 5 October, 2017 - 10:38
Spain's National Court ruled on Tuesday to extradite a 36-year-old Russian computer programmer, accused by American authorities of malicious hacking offences, to the United States, according to a court document. Peter Yuryevich Levashov, also known as Peter Severa, was arrested in April this year when he was travelling with his family to Barcelona, Spain from his home in Russia—a country
Category: Hacking & Security

Attackers Redefining Objectives, Approaches

Threatpost - 5 October, 2017 - 08:57
The nature of cyberattacks is changing and increasingly leveraging social networks as they take aim at new targets.
Category: Hacking & Security

Patient Privacy in Healthcare: A Security Practitioner’s Approach

InfoSec Institute Resources - 4 October, 2017 - 23:54

Data privacy, after years in the desert of “meh,” is becoming headline news. Data breaches, such as the recent one affecting up to 143 million Equifax customers, bring home how important it is to ensure that our personal data is protected. But personal data isn’t just our name, address, and social security number. Our personal […]

Category: Hacking & Security

Chips in iPhone 7s, Androids, smart TVs vulnerable to rogue Wi-Fi

Sophos Naked Security - 4 October, 2017 - 21:00
Broadcom chips in iPhone 7s phones, some Android devices and smart TVs running tvOS are vulnerable

Experts Have Sobering Message on Human Rights, Privacy for Security Pros

Threatpost - 4 October, 2017 - 19:26
Speakers at Virus Bulletin painted grim pictures of the threats to physical safety and civil liberties posed by commercial spyware and high-end surveillance software often sold to governments.
Category: Hacking & Security

Costin Raiu and Juan Andres Guerrero-Saade on APT Fourth-Party Collection

Threatpost - 4 October, 2017 - 17:00
Costin Raiu and Juan Andres Guerrero-Saade talk to Mike Mimoso live from Virus Bulletin in Madrid about APTs leveraging one another's attacks and compromised machines as their own.
Category: Hacking & Security

DNSSEC master key change delayed after ISPs struggle

Sophos Naked Security - 4 October, 2017 - 16:21
ICANN isn't going to risk breaking the internet

Hackers obtained data on all 3 billion users from Yahoo. The company originally admitted a third

Zive.cz - security - 4 October, 2017 - 15:58
Last December it came to light that the largest data leak so far took place in 2013: attackers obtained data on a billion users from Yahoo's database. At least, that was the original statement of the company, which is now owned by Oath, part of Verizon. And it was precisely that company which yesterday ... the scope of the attack ...
Category: Hacking & Security

IoT: Hacking a Smart Bulb with Bluetooth – Introduction

InfoSec Institute Resources - 4 October, 2017 - 15:00

We will be learning how to hack a smart bulb using Bluetooth. Since the topic is vast and lengthy, I have decided to split it into two parts. In the first part, we will learn the basics and theory on Bluetooth, and in the second part, we will see the actual exploitation. Let’s start. Our […]

Category: Hacking & Security

Cloudflare CTO Goes Inside the Cloudbleed Bug

Threatpost - 4 October, 2017 - 13:50
Cloudflare’s chief technology officer was frank and apologetic about February’s Cloudbleed bug during today's Virus Bulletin 2017 keynote.
Category: Hacking & Security

Email fraudsters foiled by a smiley

Sophos Naked Security - 4 October, 2017 - 13:23
Kiss that $90K goodbye, untalented imposters!

The Festive Complexities of SIGINT-Capable Threat Actors

Kaspersky Securelist - 4 October, 2017 - 12:00

To read the full paper and learn more about this, refer to “Walking in Your Enemy’s Shadow: When Fourth-Party Collection Becomes Attribution Hell”

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt manipulation have proven enough for many researchers to shy away from the attribution space. And yet, we haven’t even discussed the worst-case scenarios. What happens to our research methods when threat actors start hacking each other? What happens when threat actors leverage another’s seemingly closed-source toolkit? Or better yet, what if they open-source an entire suite to generate so much noise that they’ll never be heard?

Thankfully, the 2017 VirusBulletin conference is upon us and, as in previous years, we’re taking the opportunity to dive into an exciting subject, guided by our experience from doing hands-on APT research.

During the past years, we discussed the evolution of anti-malware research into intelligence brokerage, the inherent problems with doing attribution based solely on fifth-domain indicators, and an attempt to have a balanced discussion between defensive cats and the sly mice that elude them. Continuing in this direction, this year we decided to put our heads together to understand the implications that the esoteric SIGINT practice of fourth-party collection could have on threat intelligence research.

A few types of SIGINT Collection

The means by which information is generated and collected is the most important part of an analyst’s work. One must be well aware of the means and source of the information analyzed in order to either compensate or exploit its provenance. For that reason, collection can be categorized by its means of generation in relation to the position of the parties involved, as discussed below. These definitions will serve as functional categories for our understanding as outsiders looking into the more complex spheres of collection dynamics.

To showcase the types of data collection, let’s imagine a competent entity named ‘Agency-A’ as a stand-in for a ‘God on the wire’-style SIGINT agency interested in fourth-party collection.

There are multiple types of collection categories available to this entity. The more obvious being information collected by Agency-A directly (first-party) or shared with Agency-A by partner services (second-party). Third-party collection, or information collected via access to strategic organizations, whether they realize it or not, has gotten a lot of attention over the past few years. This would include ISPs, ad networks, or social media platforms that aggregate great troves of valuable data.

Similarly, for the sake of explanation, we will use a further entity, Agency-B, as a second, semi-competent SIGINT agency upon which Agency-A can be recurringly predatory. When necessary, an even less competent Agency-C will serve as prey.

Yet, things get most interesting when we start talking about:

Fourth-party collection – “…involves interception of a foreign intelligence service’s ‘computer network exploitation’ (CNE) activity in a variety of possible configurations. Given the nature of Agency-A as a cyber-capable SIGINT entity, two modes of fourth-party collection are available to it: passive and active. The former will take advantage of its existing visibility into data in transit either between hop points in the adversary’s infrastructure or perhaps in transit from the victim to the command-and-control servers themselves (whichever opportunity permits). On the other hand, active means involve the leveraging of diverse CNE capabilities to collect, replace, or disrupt the adversary’s campaign. Both present challenges we will explore in extensive detail further below.”

In less technical terms, fourth-party collection is the practice of spying on a spy spying on someone else. Or with age-old cryptographic interlocutors: Bob is obsessed with Alice. Alice is being spied on by her overzealous neighbour Eve. In order for Bob to be a creeper without arousing suspicion, he decides to spy on Eve with the purpose of getting to know Alice through Eve’s original privacy violation.

As you might expect there are different ways to do this and many of them enjoy the benefit of being near impossible to detect. Where possible, we have added examples of what to us looks like possible active attempts to collect on another’s collection. Otherwise, we have added thought experiments to help us wrap our heads around this shadowy practice. Two examples worth bringing to your attention (reproduced faithfully from our paper):

‘We heard you like popping boxes, so we popped your box so we can watch while you watch’

Attempting to highlight examples of fourth-party collection is a difficult exercise in the interpretation of shadows and vague remnants. While passive collection is beyond our ability to observe, active collection involves the risk of leaving a footprint in the form of artefacts. In the course of APT investigations, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has encountered strange artefacts that defy immediate understanding in the context of the investigation itself. While we cannot be certain of the intent or provenance of these artefacts, they nonetheless fit a conceptual framework of active fourth-party collection. Here are a few examples:

Crouching Yeti’s Pixelated Servers

In July 2014, we published our research on Crouching Yeti, also known as ‘Energetic Bear’, an APT actor active since at least 2010. Between 2010 and 2014, Crouching Yeti was involved in intrusions against a variety of sectors, including:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology

Most of the victims we identified fell into the industrial and machine manufacturing sector, indicating a vertical of special interest for this attacker.

To manage their victims, Crouching Yeti relied on a network of hacked websites which acted as command-and-control servers. For this, the attackers would install a PHP-based backend that could be used to collect data from or deliver commands to the victims. To manage the backend, the attackers used a control panel (also written in PHP) that, upon checking login credentials, would allow them to manage the information stolen from the victims.

In March 2014, while investigating one of the hacked sites used by Energetic Bear, we observed that for a brief period of time, the page for the control panel was modified to include an <img src> tag that pointed to a remote IP address in China. This remote 1×1-pixel image was likely intended to fingerprint the attackers as they logged into their control panel. The fingerprinting could have been used to collect attributory indicators. The usage of an IP address in China, which appeared to point to yet another hacked server, was most likely an attempt at a rudimentary false flag should this injection be discovered.
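The injected tracking pixel described above is the kind of artefact a site owner or incident responder can look for in their own pages. The following is an added example (not Kaspersky's code or anything from the paper): a small Python scanner that parses `<img>` tags out of an HTML or PHP page and flags those whose `src` points at a bare IP address, at a host outside an allowlist, or that are sized 1×1. The sample page and the 203.0.113.7 address (a documentation range) are constructed for the example and are not indicators from the investigation.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample of a login page with an injected tracking pixel appended.
# 203.0.113.7 is a documentation-range placeholder, not a real indicator.
SAMPLE_PAGE = """
<html><body>
<form method="post" action="login.php">
  <input name="user"><input name="pass" type="password">
</form>
<img src="/static/logo.png" width="120" height="40">
<img src="http://203.0.113.7/p.gif" width="1" height="1">
</body></html>
"""

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
# key=value pairs inside a tag; quotes are optional, values stop at whitespace or '>'
ATTR = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')


def parse_img_tags(html):
    """Return one dict of lower-cased attributes per <img> tag in the page."""
    tags = []
    for m in IMG_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(0))}
        tags.append(attrs)
    return tags


def is_external_ip(src):
    """True if src names its host as a bare IP literal (v4 or v6)."""
    host = urlparse(src).hostname
    if host is None:
        return False  # relative path: served by the site itself
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return True


def find_beacons(html, allowed_hosts=()):
    """Flag <img> tags that look like injected fingerprinting beacons.

    A tag is reported when its src points to a bare IP address (always
    suspicious for an admin page), to a host not in allowed_hosts, or when
    it is a 1x1 image. Returns a list of (src, [reasons]) tuples.
    """
    findings = []
    for attrs in parse_img_tags(html):
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if is_external_ip(src):
            reasons.append("src points to a bare IP address")
        elif host and host not in allowed_hosts:
            reasons.append("src points to host outside allowlist")
        if attrs.get("width") == "1" and attrs.get("height") == "1":
            reasons.append("1x1 pixel image")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_beacons(SAMPLE_PAGE):
        print(f"suspicious <img>: {src} ({'; '.join(reasons)})")
```

Run against a web root, the scanner is best pointed at pages that should never load third-party content (login forms, admin panels); a hit there is worth diffing against the last known-good copy of the file, since a legitimate CDN image and an injected beacon look the same to a regex. The allowlist is deliberately a plain tuple of hostnames so it can be filled from the site's own configuration.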

NetTraveler’s Most Leet Backdoor

While investigating the Nettraveler attacks, we obtained a disk image of a mothership server used by the threat actor. The mothership, a combination staging and relay server, contained a large number of scripts used by the attackers to interact with their malware, as well as VPN software and other IP masking solutions used to tunnel into their own hacking infrastructure.

Beyond the fortuitous boon of seizing such a content-rich server, GReAT researchers made a further unexpected discovery: the presence of a backdoor apparently placed by another entity.

We believe the backdoor was installed by an entity intent on maintaining prolonged access to the Nettraveler infrastructure or their stolen data. Considering that the NetTraveler operators had direct access to their mothership server and didn’t need a backdoor to operate it, we consider other possible interpretations less likely.

The artefact encountered is the following:

Name: svchost.exe
MD5: 58a4d93d386736cb9843a267c7c3c10b
Size: 37,888

Interestingly, the backdoor is written in assembly and was injected into an empty Visual C executable that served as a template. This unusual implementation was likely chosen in order to confuse analysis or prevent detection by simple antivirus programs.

The backdoor is primitive and does nothing but listen to port 31337 (The most ‘LEET!’ port) and wait for a payload to be sent. The acceptable payload format is depicted here:

The assembly code is then executed and can perform any action chosen by the predatory attackers. The backdoor requires no authentication. Combining this sort of backdoor with Metasploit or other similar frameworks could have easily been used to control the system.

During the last years, we have seen a number of other peculiar incidents and cases which could constitute fourth party collection.”


No one was safe. The cyberattack on Yahoo affected all users

Novinky.cz - security - 4 October, 2017 - 09:21
The American internet company Yahoo announced that the hacker attack it fell victim to in 2013 affected all user accounts, three billion in total. Last year it spoke of one billion. The company added that it would contact by e-mail those affected people who had not yet been informed about the attack. It assured that the hackers had not stolen passwords or banking details.
Category: Hacking & Security

2013 Yahoo Breach Affected All 3 Billion Accounts

Threatpost - 4 October, 2017 - 08:57
Yahoo on Tuesday released an update to its 2013 breach, notifying users that all 3 billion accounts in existence at the time were compromised.
Category: Hacking & Security

It's 3 Billion! Yes, Every Single Yahoo Account Was Hacked In 2013 Data Breach

The Hacker News - 4 October, 2017 - 08:01
The largest known hack of user data in history just got tripled in size. Yahoo, the internet company acquired by Verizon this year, now believes the total number of accounts compromised in the August 2013 data breach, which was disclosed in December last year, was not 1 billion—it's 3 billion. Yes, the record-breaking Yahoo data breach affected every user on its service at the
Category: Hacking & Security

3 billion Yahoo accounts affected by 2013 breach

Sophos Naked Security - 4 October, 2017 - 02:31
The 2013 breach is three times worse than we thought

Five Critical Android Bugs Get Patched in October Update

Threatpost - 3 October, 2017 - 22:42
Android receives three remote code execution patches for vulnerabilities rated critical as Google launches a new Pixel/Nexus Security Bulletin.
Category: Hacking & Security