Hacking & Security

600TB MongoDB Database 'accidentally' exposed on the Internet

The Hacker News - 23 July 2015 - 08:55
System administrators have reportedly exposed almost 600 Terabytes (TB) of MongoDB database due to running outdated and unpatched versions of the NoSQL MongoDB database. The open source MongoDB is the most popular NoSQL database used by companies of all sizes, from eBay and Sourceforge to The New York Times and LinkedIn. According to Shodan's representative John Matherly, nearly 30,000
Category: Hacking & Security

Digital Substation Takeover: Contest Overview

Positive Research Center - 23 July 2015 - 08:11

Digital Substation Takeover, presented by iGRIDS, was held at PHDays V. The contest's participants tried their hand at hacking a real electrical substation designed according to IEC 61850. The general task was to perform a successful attack against the electrical equipment control system.

What it's all about

A special high-voltage (500 kV) substation model had been developed for the contest. It included switches, time servers, and protective relays of the kind used in modern high-voltage electrical networks to provide protection in emergencies and incidents (a short circuit, faults in a power transmission line, etc.).

Several scenarios were offered, each of them corresponding to unauthorized operation of a switch: opening a circuit breaker, or closing an earthing switch despite operation blocking. The contest's organizers suggested that the most difficult task—that is, to cause an emergency on the site—would be rewarded with fireworks of burning wires from the model overhead power line set up nearby.

This year's format combined various competitions with capture the flag contests. CTF teams along with the rest of the forum's participants were able to take part in them (see our article on our blog). About 50 PHDays attendees and several CTF teams took part in Digital Substation Takeover.

Technical details

The model used the following equipment:

  • Siemens SICAM PAS v. 7.0,
  • common protective relays and switches,
  • GPS and GLONASS time servers,
  • industrial switches.

The course of the contest

Since the contest was held for the first time at PHDays and because of its specialized nature, participants spent the first day studying power-system protection, switches, and operation blocking. They had to analyze large amounts of information found on specialist forums, vendors' sites, etc.

The contest comprised several tasks of different difficulty levels:

  • temporary disruption of the substation's information infrastructure (performed six times);
  • time server reprogramming (performed once);
  • unauthorized disconnection of consumers (performed twice);
  • detecting an unknown vulnerability (performed once).

The most difficult task was to take control over primary devices and issue a command bypassing blocking. No one managed to solve this task (though one team got quite close).

Sergey Sidorov took first place, Alexander Kalinin came second. RDot and ReallyNonamesFor gained some points for hacking the substation.

Not quite at ease

During the contest, representatives of power supply companies, such as the Federal Grid Company of Unified Energy System (FGC UES), were watching the process closely.

"To tell the truth, when I saw those people lounging in beanbags and hacking industrial control and protection systems for some virtual profit, I felt uncomfortable," said Mikhail Seleznev in an interview [ru] with Digital Substation, an online magazine. Mikhail is the head of the ICS and metrology division of the relay protection department at FGC UES. "No one can guarantee that a group of such creative individuals won't gather together and use the knowledge they obtained during this contest to crack real infrastructure—just for the fun of it. Are they aware of the weight of possible consequences of such actions?"

However, Mikhail doubts that it's IEC 61850 that should undergo any changes: "The standard should continue to develop for the benefit of the purposes it was designed for. Information security should be the subject of other standards. There has been much talk about ICS protection recently. In fact, it is important to engage representatives of power supply companies in such discussions—and in putting new methods into practice."

iGRIDS, the organizers of the contest, recorded everything that happened on the test stand. By the middle of the contest, it had become obvious that the range of threats was broader than they had expected. The developers say they will take the new attack variations into account when developing subsequent versions of their protection systems. And they've already got an invitation to take part in PHDays VI!

A small punishment for a young hacker, a big warning for Spamhaus

Novinky.cz - security - 23 July 2015 - 08:06
A British teenager received only 240 hours of community service for one of the largest computer attacks in history. The judge warned, however, that such a low sentence could be handed down only because of exceptional circumstances.
Category: Hacking & Security

Hacking Team: We're Victim of a Criminal Cyber Attack

The Hacker News - 22 July 2015 - 21:47
Hacking Team, the Italy-based spyware company that sells spying software to law enforcement agencies worldwide, says the company has always operated within the law and regulation in an ethical manner. According to the company, there was only one violation of law in this entire event, and that is "the massive cyber attack on the Hacking Team." The recent hack on Hacking Team exposed
Category: Hacking & Security

Hacking Team may not have had a backdoor, but it could kill client installs

Ars Technica - 22 July 2015 - 21:11

In a rare press release issued Wednesday morning, Hacking Team, the embattled Italian surveillance software vendor, reiterated that it did not and does not have a "backdoor" into its clients’ installations of the Remote Control System, or RCS. But new analysis of its leaked source code seems to directly contradict this claim.

Hacking Team said:

There have been reports that our software contained some sort of "backdoor" that permitted Hacking Team insight into the operations of our clients or the ability to disable their software. This is not true. No such backdoors were ever present, and clients have been permitted to examine the source code to reassure themselves of this fact.

According to new research by Joseph Greenwood, a UK-based researcher with 4Armed who has been examining the leaked RCS source code in detail, this is a distinction without a difference.

Category: Hacking & Security

Bartalex Variants Spotted Dropping Pony, Dyre Malware

Threatpost - 22 July 2015 - 20:54
Some strains of Bartalex malware, a macro-based malware that first surfaced earlier this year, are dropping Pony malware and the Dyre banking Trojan.
Category: Hacking & Security

Bug in latest version of OS X gives attackers unfettered root privileges

Ars Technica - 22 July 2015 - 20:34

A bug in the latest version of Apple's OS X gives attackers the ability to obtain unfettered root user privileges, a feat that makes it easier to surreptitiously infect Macs with rootkits and other types of persistent malware.

The privilege-escalation bug, which was reported in a blog post published Tuesday by security researcher Stefan Esser, is the type of security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications. Hacking Team, the Italian malware-as-a-service provider that catered to governments around the world, recently exploited similar elevation-of-privileges bugs in Microsoft Windows. When combined with a zero-day exploit targeting Adobe's Flash media player, Hacking Team was able to pierce security protections built into Google Chrome, widely regarded as the Internet's most secure browser by default.

According to Esser, the OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Developers didn't use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that allows attackers to open or create files with root privileges that can reside anywhere in the OS X file system.

Category: Hacking & Security

EFF Hopeful Car Hacking Demo Could Help Yield DMCA Exemption

Threatpost - 22 July 2015 - 20:03
The latest car hacking research from Charlie Miller and Chris Valasek has elicited a broad spectrum of reactions: admiration for the skill; outrage at the danger the demo may have put drivers in; and even a patch from an automaker. And the EFF is hoping it might also help produce a new exemption to the Digital Millennium […]
Category: Hacking & Security

LifeLock's woes continue as FTC claims violation of 2010 settlement

Sophos Naked Security - 22 July 2015 - 18:52
LifeLock hasn't abided by the 2010 settlement requiring the company to stop making misleading claims that "guaranteed" customers would be protected against identity theft, according to the FTC.

Spike in ATM Skimming in Mexico?

Krebs on Security - 22 July 2015 - 16:57

Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent increase hopefully will be fodder for another story. In this post, we’ll take a closer look at a pair of ATM skimming devices that were found this month attached to a cash machine in Puerto Vallarta — a popular tourist destination on Mexico’s Pacific coast.

On Saturday, July 18, 2015, municipal police in Puerto Vallarta arrested a man who had just replaced the battery in a pair of skimming devices he or an associate had installed at an ATM in a busy spot of the town. This skimming kit targeted certain models of cash machines made by Korean ATM manufacturer Hyosung, and included a card skimming device as well as a hidden camera to record the victim's ATM card PIN.

Here’s a look at the hidden camera installed over the compromised card reader. Would you have noticed anything amiss here?

The tiny pinhole camera was hidden in a molded plastic fascia designed to fit over top of the area directly above the PIN pad. The only clue that something is wrong here is a gap of about one millimeter between the PIN capture device and the actual ATM. Check out the backside of the false front:

The backside of the false fascia shows the location of the hidden camera.

The left side of the false fascia (as seen from the front, installed) contains the battery units that power the video camera:

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

The device used to record data from the magnetic stripe as the customer inserts his ATM card into the machine is nothing special, but it does blend in pretty well as we can see here:

The card skimming device, as attached to a compromised ATM in Puerto Vallarta.

Have a gander at the electronics that power this bad boy:

According to a local news clipping about the skimming incident, the fraudster caught red-handed was found in possession of a Carte Vitale card, a health insurance card of the national health care system in France.

The French health care card found on the man apprehended by Mexican police. Image: Noticiaspv.com

The man gave his name as Dominique Mardokh, the same name on the insurance card. Also, the picture on the insurance card matched his appearance in real life; here’s a picture of Mardokh in the back of a police car.

According to the news site Noticiaspv.com, the suspect was apprehended by police as he fled the scene in a vehicle with license plates from Quintana Roo, a state nearly 2,500 km away on the Atlantic side of Mexico that is the home of another very popular tourist destination: Cancún.

Ironically, the healthcare card that identified this skimmer scammer is far more secure than the bank cards he was allegedly stealing with the help of the skimming devices. That’s because the healthcare card stores data about its owner on a small computer chip which makes the card difficult for thieves to duplicate.

Virtually all European banks and most non-US financial institutions issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), but unfortunately chip cards have been slow to catch on in the United States. Most US-based cards still store account data in plain text on a magnetic stripe, which can be easily copied by skimming devices and encoded onto new cards.

For reasons of backward compatibility with ATMs that aren't yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdraw cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.

The skimmers found in Mexico (where most credit cards also are identified by microchip) abuse that same dynamic: Undoubtedly, the thieves in this scheme compromised ATMs at popular tourist destinations because they knew these places were overrun with American tourists.

In October 2015, U.S. merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. Most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers (and many U.S. banks are only now thinking about issuing chip-based cards to customers). Unfortunately, that liability shift doesn't apply to ATMs in the U.S. until October 2017.

Whether or not your card has a chip in it, one way to defeat skimmers that rely on hidden cameras (and that's most of them) is to simply cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You'd be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren't making their own skimmers).

Are you as fascinated by ATM skimmers as I am? Check out my series on this topic, All About Skimmers.

Update, July 28, 8:54 a.m. ET: ATM maker NCR has just released an advisory also warning about a spike in ATM skimming tied to Mexico. See the alert here (PDF).

Category: Hacking & Security

Hacking Team Claims It Always Sold ‘Strictly Within the Law’

Threatpost - 22 July 2015 - 16:39
Hacking Team officials are disputing reports that the company sold its surveillance and intrusion software to oppressive regimes in countries that were under sanction. The company said it sold its products “strictly within the law and regulation as it applied at the time any sale was made.” The new statement from Hacking Team comes after two […]
Category: Hacking & Security

Obama administration decides not to blame China publicly for OPM hack

Ars Technica - 22 July 2015 - 15:38

US government officials are nearly certain that the Chinese government was involved in the theft of sensitive personal information about millions of government employees, members of the US military, and employees of government contractors requiring background checks or security clearances from the systems of the Office of Personnel Management. But according to a report by the Washington Post, the Obama administration has decided to not publicly and officially call out China for the attack—in part because it might require the administration to reveal some of the US' hacking of China to make the case, and expose other information intelligence and warfare capabilities of the National Security Agency, Department of Homeland Security, and FBI.

Ellen Nakashima, the Post's national security reporter, cited anonymous conversations with officials involved in the White House's decision-making process surrounding the OPM hack, and reported that the administration "has not ruled out economic sanctions or other punitive measures" for the theft of data from OPM. But US officials, including Director of National Intelligence James Clapper, have "even expressed grudging admiration for the OPM hack, saying US spy agencies would do the same against other governments," she reported.

Part of the calculus that went into the decision, one official told Nakashima, was that “we don’t see enough benefit in doing the attribution at this point to outweigh whatever loss we might [experience] in terms of intelligence-collection capabilities.” Another official said that the White House might opt to simply put sanctions in place under other justifications, and then privately communicate to the Chinese government that the sanctions were in fact in retaliation for the OPM hack.

Category: Hacking & Security

Google Patches 43 Bugs in Chrome

Threatpost - 22 July 2015 - 15:23
A new version of Google Chrome is available, and it contains patches for 43 security vulnerabilities, many of them in the high-risk category. Two of the more serious vulnerabilities fixed in Chrome 44 are a pair of universal cross-site scripting bugs. One of the flaws is in Blink, the Web layout engine in Chrome. The […]
Category: Hacking & Security

Facebook can't say 'No' to New York, says New York

Sophos Naked Security - 22 July 2015 - 14:55
Facebook can't "plead the Fourth Amendment" on your behalf, says a New York appeals court - you have to do it yourself.

Interview: Chris Camejo, Director of Assessment Services for NTT Com Security

InfoSec Institute Resources - 22 July 2015 - 14:10

Chris Camejo, Director of Assessment Services for NTT Com Security (formerly Integralis), comes from a technical assessment background, having personally coordinated and conducted numerous large-scale, multi-discipline penetration tests spanning multiple countries for global clients. As part of NTT Com Security's threat intelligence capabilities, he follows the latest tactics and techniques of attackers and has conducted […]

Category: Hacking & Security

Fraudulent e-mails, GE Money Bank

CSIRT.cz - 22 July 2015 - 14:05

Following last week's phishing wave, which targeted Komerční banka's online banking, today we observed an almost identical e-mail aimed at GE Money Bank clients. The fraudulent e-mail instructs users to update their certificates, supposedly because of a newly discovered vulnerability. After clicking the link in the e-mail, the user is redirected to a fake GE Money Bank page that asks for their online banking login credentials.

Sample phishing message:

Category: Hacking & Security

NodeJS Security for Beginners

InfoSec Institute Resources - 22 July 2015 - 14:00

Introduction: NodeJS is an extremely powerful and lightweight technology, which is being widely adopted. As with any other technology, developers sometimes make mistakes during the development process, which may lead to serious vulnerabilities. In this series of articles, we discuss various NodeJS-specific and traditional vulnerabilities that we may come across when dealing with NodeJS […]

Category: Hacking & Security

Google, Yahoo, Facebook Collaborate to Blacklist Bad Bots

The Hacker News - 22 July 2015 - 13:44
The major tech companies, including Google, Facebook, and Yahoo!, have joined hands to launch a new program meant to block fake web traffic by blacklisting flagged IP addresses. Today, the majority of data center traffic is non-human or illegitimate, so to fight this issue the Trustworthy Accountability Group (TAG) has announced a program that will tap into Google's internal
Category: Hacking & Security

FBI again thwarts Tor to unmask visitors to a Dark Web child sex abuse site

Sophos Naked Security - 22 July 2015 - 13:30
Did the FBI plant a drive-by installation of some kind of malware on hundreds of thousands of computers so it could track down paedophiles?

A login flaw endangers hundreds of millions of users

Novinky.cz - security - 22 July 2015 - 12:00
Sponsored article - Up to 600 million users of applications, and the profiles linked to them, may be at risk because many applications do not limit the number of password entry attempts.
Category: Hacking & Security