Igor Delovski Board

[delovski]

Is the Botnet Battle Already Lost?

"Now, there is a general feeling of hopelessness among security
professionals involved in finding and disabling botnets. It remains to be
seen how this despair affects security products and the attitudes of the
technology executives who rely on them."

[delovski]

The SpamHuntress Wiki Page and accompanying Blog

"Ann Elisabeth Nordbø works as a security specialist at Nittedalsnettet,
a local ISP in Norway that's wholly owned by Hafslund. She's the mailserver
administrator, and likes tuning her servers to reject as much spam as
possible.

One website (spamhuntress.com) was perhaps the first blog to take
webspam seriously, and quickly shot to the top in that field."

[Ike]

Digg: The world's most sophisticated Trojan uncovered

"Botnet software installs its own anti-virus engine. Security experts have
discovered new spambot software that installs its own anti-virus scanner
to eliminate competition, alongside a number of other sophisticated features."

[Ike]

JoS: Exposing Blog thief?

"What would YOU do if you discovered somebody was directly ripping off
(republishing without permission) one of your blog postings on his
AdSense-riddled blog? And not only that, but the whole blog seems to be
composed of rip-offs from lots of people such as Guy Kawasaki."

[delovski]

Slashdot: Joanna Rutkowska Discusses VM Rootkits

"There's an interesting interview on eWeek with Joanna Rutkowska,
the stealth malware researcher who created 'Blue Pill' VM rootkit and planted
an unsigned driver on Windows Vista, bypassing the new device driver
signing policy. She roundly dismisses the quality of existing anti-virus &
anti-rootkit products and makes the argument that the world is not ready
for VM technology. From the article: 'Hardware virtualization, as recently
introduced by Intel and AMD, is very powerful technology. It's my personal
opinion that this technology has been introduced a little bit too early,
before the major operating system vendors were able to redesign their
systems so that they could make a conscious use of this technology,
hopefully preventing its abuse.' "

[XNote]

Reddit: Paypal Building Rocked by Explosions

"An explosion at eBay's PayPal division Tuesday night shattered a window
and forced the evacuation of 26 employees, as crews combed the company's
North First Street complex for incendiary devices."

[Ike]

Digg: New phishing statistics

"Phishtank, a service run by the good folks at OpenDNS, have
published their first set of phishing statistics. Interesting stuff, showing
that Paypal and eBay continue to be the most targeted organizations in
phishing attacks, but some German banks are climbing up the scales."

[delovski]

Slashdot: How to Prevent Form Spam Without Captchas

"Spam submitted to web contact forms and forums continues to be a huge
problem. The standard way out is the use of captchas. However, captchas
can be hard to read even for humans. And if implemented wrong, they will
be read by the bots. The SANS Internet Storm Center covers a nice set of
alternatives to captchas. For example, the use of style sheets to hide certain
form fields from humans, but make them 'attractive' to bots. The idea of
these methods is to increase the work a spammer has to do to spam the
form without inconveniencing regular users."

[delovski]

Slashdot: Cybercrime — an Epidemic?

"'Cybercrime is pervasive, nondiscriminatory, and dramatically on the
increase.' So states TEAM CYMRU, an altruistic group of researchers
focused on making the Internet more secure. This article is a look into the
root causes of Cybercrime, its participants, and their motivations, as well
as suggestions on what we can do to stop this epidemic."

"Many victims do not seem to draw the correlation between their losses
and cybercrime; worse, they often view it as a crime that is impossible to
investigate and prosecute. For cybercrime to be acknowledged as an
important issue, the victims must report such incidents to a receptive law
enforcement community with a well-informed judiciary. Attempts such as
the president's National Strategy to Secure Cyberspace represent a
significant first step in the right direction. To have the desired impact,
however, the detailed provisions delineated as action/recommendations
must be implemented."

[delovski]

Slashdot: Best Method For Foiling Email Harvesters?

"One of the common ways that spammers generate email mailing lists is
by harvesting email addressess from websites. But in many cases you also
need to make it easy for your customers to reach you. I have found three
common solutions to this problem: 1.) Use an image to replace your email
address. 2.) Use ascii encodings for some/all of the characters. 3.) Use
javascript to concatenate and/or obfuscate your email address. Which of
these methods are most effective? Are email harvesters able to interpret
javascript? What do you use?"

[Ike]

World’s Worst Spammers Named and Shamed

"What this reveals, rather alarmingly, is that around 80% of spam that
targets Internet users in North America and Europe is actually generated
by a small hardcore group of no more than 200 professional spam gangs."

[delovski]

Slashdot: Spammers Learn to Outsource Their Captcha Needs

"Guardian Unlimited reporter Charles Arthur speaks with a spammer,
discussing the possibility that his colleagues may be paying people in
developing countries to fill in captchas. In his report, Arthur discusses
Nicholas Negroponte's gift of hand-powered laptops to developing nations
and the wide array of troubles that could arise as the world's exploitable
poor go online."

From the article: "I've no doubt it will radically alter the life of many in
the developing world for the better. I also expect that once a few have
got into the hands of people aching to make a dollar, with time on their
hands and an internet connection provided one way or another, we'll see
a significant rise in captcha-solved spam. But, as my spammer contact
pointed out, it's nothing personal. You have to understand: it's just business."

[delovski]

Reddit needs a Captcha. A new user just dropped 265 spam-comments in 5 minutes.

"Maybe there just needs to be a comment throttle. Just store a timestamp
in the users profile and only let them post once per minute or something. I
mean, how often do you find yourself posting faster than once per minute?
If it is very often, maybe you need to think things out more!

In any case, that would have reduced this to "6 spam comments in 5
minutes" which wouldn't be nearly as annoying."

[delovski]

Slashdot: RFID Personal Firewall

"Prof. Andrew Tanenbaum and his student Melanie Rieback (who published
the RFID virus paper in March) and 3 coauthors have now published a paper
on a personal RFID firewall called the RFID Guardian. This device protects
its owner from hostile RFID tags and scans in his or her vicinity, while letting
friendly ones through. Their work has won the Best Paper award at the
USENIX LISA Conference."

[delovski]

JoS: Virus won't let me install AV

"Although I had Free AVG installed, a virus closed it down, and won't
let me either restart it, uninstall and reinstall it, or install another AV
like ClamWin."

[delovski]

NY Times: Attack of the Zombie Computers Is Growing Threat

"With growing sophistication, they are taking advantage of programs that
secretly install themselves on thousands or even millions of personal computers,
band these computers together into an unwitting army of zombies, and use
the collective power of the dragooned network to commit Internet crimes.

These systems, called botnets, are being blamed for the huge spike in spam
that bedeviled the Internet in recent months, as well as fraud and data theft."

[Ike]

Slashdot: Six Rootkit Detectors To Protect Your PC

"InformationWeek has a review of 6 rootkit detectors.This issue became
big last year when Sony released some music CDs which came with a rootkit
that silently burrowed into PCs. This review looks at how you can block
rootkits and protect your machine using F-Secure Backlight, IceSword,
RKDetector, RootkitBuster, RootkitRevealer, and Rookit Unhooker."

Later in the comments: "Hey, thanks for the mention in the article but that
is a really old version you've used to test! The last version I've released
publicly is AFX Windows Rootkit 2005, it's open source and can be found
on http://www.rootkit.com/ [rootkit.com] the other more recent versions
I've sold privately.

Now on the subject of rootkit detection. Most of these use the method
based on Microsoft's Strider: GhostBuster. Which uses a low-level method
to gather seemingly clean system information then gathers the same
information using a high-level method. The idea is that rootkits will have
only hooked the high-level methods so there should be a difference in
results. Whatever is listed in the low-level results and not listed in the
high-level results is displayed as "hidden information". Effectively they
are using the rootkit's own hiding functions against itself to detect it. If
the rootkit doesn't hide itself to avoid detection it's still made itself visible.

The problem is that you put yourself in an arms race with who can hook
system information at the lowest level. Luckily since we (the sysadmin)
have access to the hardware and presumably the attacker does not, a
hardware method of gathering system information would be the best. You
can bet money that we are going to be seeing hardware level rootkit
detectors sooner or later.

...

Basically you're just hooking accept() Winsock API in all processes and
then any listening service is a potential backdoor. This is a simple user-mode
method. Someone could write a more specific version for a particular
service such as IIS that hooks deeper into the code that receives network
data."

[Ike]

Mafia 2.0: Is The Mob Married To Your Computer?

"How the mob could be using your PC to run rackets on the internet and
what you can do about it."

[delovski]

Slashdot: "Free Wi-Fi" Scam In the Wild

"DeadlyBattleRobot writes in with a story from Computerworld about a
rather simple scam that has been observed in the wild in several US airports.

Bad guys set up a computer-to-computer (ad hoc) network and name it
"Free Wi-Fi." You join it and, if you have file sharing enabled, your computer
becomes a zombie. The perp has set up Internet sharing so you actually
get the connectivity you expected, and you are none the wiser. Of course
no one reading this would fall for such an elementary con. The article gives
detailed instructions on how to make sure your computer doesn't connect
automatically to any offered network, and how to tell if an access point is
really an ad hoc network (it's harder on Vista)."

[Ike]

Slashdot: Trojan Analysis Leads To Russian Data Hoard

"An attack by a single Trojan variant compromises thousands, circumvents
SSL, and uploads the results to a Russian dropzone server. A unique blow-
by-blow analysis reveals evidence of cooperation between groups of malware
specialists acting as service providers and points to the future of malware's
growing underground economy."

[Ike]

Slashdot: PayPal Asks E-mail Services to Block Messages

"PayPal, the Internet-based money transfer system owned by eBay, is trying
to persuade e-mail providers to block messages that lack digital signatures,
which are aimed at cutting down on phishing scams, a company attorney
said Tuesday.So far, no agreements have been reached,..." "...PayPal is using
several technologies to digitally sign its e-mails now, including DomainKeys,
Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables
verification of the sender and integrity of the message that's sent." "...An
agreement with, for example, Google for its Gmail service could potentially
stop spam messages that look legitimate and bypass spam filters."

[delovski]

Spamhaus: 200 Known Spam Operations responsible for 80% of your spam

"The Register of Known Spam Operations (ROKSO) database collates information
and evidence on known professional spam operations that have been terminated
by a minimum of 3 Internet Service Providers for spam offenses."

[delovski]

Join the fight against phishing: PhishTank

"PhishTank is a collaborative clearing house for data and information
about phishing on the Internet. Also, PhishTank provides an open API for
developers and researchers to integrate anti-phishing data into their
applications at no charge."

[Ike]

nytimes: Digital Fears Emerge After Data Siege in Estonia

"The Russian government has denied any involvement in the attacks, which
came close to shutting down the country’s digital infrastructure, clogging the
Web sites of the president, the prime minister, Parliament and other government
agencies, staggering Estonia’s biggest bank and overwhelming the sites of
several daily newspapers.

Computer security experts from NATO, the European Union, the United States
and Israel have since converged on Tallinn to offer help and to learn what
they can about cyberwar in the digital age."

On Digg: The First Cyberwar? Groundzero: Estonia

"We are talking about hacking here or hyping a story? This (if memory
serves) would be the largest DDoS attack ever.

But seriously guys.... Did you see who wrote this article??? John Markoff
.... name ring a bell? (http://en.wikipedia.org/wiki/John_Markoff). You may
remember him as the author of the (in)famous Kevin Mitnick article."

[Maja]

Email Obfuscation Helps Spammers

"Google returns 27 million results for "* at * dot com". That's 27 million
email addresses waiting to be spammed. Google doesn’t allow you to
search for the "@" sign, so that’s 27 million email addresses that wouldn’t
be available on Google if they were not obfuscated."

[XNote]

Jeff Atwood: How to Clean Up a Windows Spyware Infestation

"But the unpatched browser spyware infestation from visiting GCW-- just
from visiting the web pages, even if you don't download a single thing-- is
nearly immediate and completely devastating.
...

Our first order of business is to stop any spyware that's currently running.
You'll need something a bit more heavy-duty than mere Task Manager--
get Sysinternals' Process Explorer.
....

Stopping the running spyware is only half the battle. Now we need to stop
the spyware from restarting the next time we boot the system. Msconfig
is a partial solution, but again we need something more powerful than what
is provided out of the box. Namely, SysInternals' AutoRuns utility."

[delovski]

Slashdot: Former Spammer Reveals Secrets in New Book

"A retired spammer is looking to make money from a tell-all book rather
than fleecing people dependent on pharmaceuticals and people with
gambling problems. In this Computerworld article 'Ed', a retired spammer,
predicts the spam problem will only get worse, aided by consumers with
dependencies and faster broadband speeds.

From the article: 'He sent spam to recovering gambling addicts enticing
them to gambling Web sites. He used e-mail addresses of people known to
have bought antianxiety medication or antidepressants and targeted them
with pharmaceutical spam. Response rates to spam tend to be a fraction of
1 percent. But Ed said he once got a 30 percent response rate for a campaign.

The product? A niche type of adult entertainment: photos of fully clothed
women popping balloons ... "Yes, I know I'm going to hell," said Ed."

[delovski]

Gathering 'Storm' Superworm Poses Grave Threat to PC Nets

"Although it's most commonly called a worm, Storm is really more: a worm,
a Trojan horse and a bot all rolled into one. It's also the most successful
example we have of a new breed of worm, and I've seen estimates that
between 1 million and 50 million computers have been infected worldwide."

[Ike]

ars technica - Storm worm going out with a bang, mounts DDoS
attacks against researchers

"... the worm now attacks those who publish new information on the inner
workings of the worm. Researchers are allegedly "running scared" from the
worm, which seemingly has a sentient ability to detect and attack whoever
threatens it."

[delovski]

reddit - Russian bloggers expose Gravikol 21 pharmaceutical scam targeting pensioners

"This third group wrecked most havoc on the Farmit operations, possibly
halting them at some point. By placing orders to non-existing locations or by
canceling the orders after the couriers have arrived, the callers managed to
distract Farmit from fulfilling the genuine orders."

[delovski]

Slashdot: Digital Picture Frames Infected by Trojan Viruses

"The San Francisco Chronicle is running a story on viruses loaded into
digital picture frames, similar to the ones we discussed at the end of last
year. The difference is in the virus used: 'The authors of the new Trojan
Horse are well-funded professionals whose malware has 'specific designs
to capture something and not leave traces ...

This would be a nuclear bomb of malware.' Apparently, a number of regular
folks have hooked them up to their home computer and loaded the virus.
And if you think you're too smart to be fooled, apparently the Anti-Virus
software makers have not caught up to the threat quite yet."

[Ike]

Mac is the first to fall in Pwn2Own hack contest

"A brand-new MacBook Air running a fully patched version of Leopard was
the first to fall in a contest that pitted the security of machines running OS
X, Vista and Linux. The exploit took less than two minutes to pull off."

[delovski]

Malware authors take aim at growing number of Macs

"With Apple's market share now around 8.5 percent -- and growing quickly,
with sales of almost 2.5 million Macs in the last quarter -- these Mac newbies
are a tempting target for profit-minded cybercriminals."

[delovski]

linuxjournal.com - With Linux, Even Rootkits Are Open Source

"... as a commercial "penetration testing" firm released what may be the
most difficult to detect Linux rootkit to date — under an open source license.

Whatever is said, the one thing that can't be changed is the reality that
easy, pre-packaged Linux malware is now in the hands of every hacker
from here to Helsinki and back."

[delovski]

Slashdot: World Bank Under Cybersiege In "Unprecedented Crisis"

"The World Bank Group's computer network — one of the largest repositori-
es of sensitive data about the economies of every nation — has been raided
repeatedly by outsiders for more than a year, FOX News has learned. It is
still not known how much information was stolen. But sources inside the bank
confirm that servers in the institution's highly-restricted treasury unit were
deeply penetrated with spy software last April.

Invaders also had full access to the rest of the bank's network for nearly a
month in June and July. In total, at least six major intrusions — two of them
using the same group of IP addresses originating from China — have been
detected at the World Bank since the summer of 2007, with the most recent
breach occurring just last month. In a frantic midnight e-mail to colleagues,
the bank's senior technology manager referred to the situation as an
'unprecedented crisis.'

In fact, it may be the worst security breach ever at a global financial ins-
titution. And it has left bank officials scrambling to try to understand the
nature of the year-long cyber-assault, while also trying to keep the news
from leaking to the public."

[delovski]

washington.edu - Adeona - private, reliable, open source

"Adeona is the first Open Source system for tracking the location of your
lost or stolen laptop that does not rely on a proprietary, central service
which is a project of University of Washington. What it does is that it sits
in the background of your computer and continually monitors the current
location of the laptop, gathering information (such as IP addresses and
local network topology) that can be used to identify its current location.

The Mac OS X version also has an option to capture pictures of the laptop
user or thief using the built-in iSight camera."

[delovski]

reddit - 0WN3D on Mac OS

"I am a longtime Mac OS user and defender of Mac OS security. Under a dif-
ferent username, two weeks ago I was doing battle with people suggesting
that Mac OS and Safari were anything less than secure. Last week, I disco-
vered that my desktop has been part of an IRC botnet for months."

[Ike]

darkreading.com - Botmaster: It's All About Infecting, Selling Big
Batches of Bots

"The botmaster also shed light on the dog-eat-dog world of cybercrime. He
said he once used a stolen account and impersonated a law enforcement of-
ficial in order to chase another botmaster away from his 6,000 node botnet.

And there are different levels of expertise in the bot world, too: only 20 per-
cent of botmasters actually understand the bot code they get via online foru-
ms, and about three- to five percent write their own botnet code, he said."

[Ike]

Slashdot - Coder of Swiss Wiretapping Trojan Speaks Out

"Ruben Unteregger has worked for a long time as a software-engineer for
the Swiss company ERA IT Solutions. His job there was to code malware that
would invade PCs of private users, and allow the wiretapping of VoIP calls —
in particular, calls made through Skype. In the German-spoken areas, the
trojans were called 'Bundestrojaner' because the Swiss government was in-
volved with their development and use. Unfortunately, Unteregger has to re-
main silent about the customers of the company. Last night, he published the
source code of his Skype-trojan under the GPL."

[delovski]

/. - First iPhone Worm Discovered, Rickrolls Jailbroken Phones

"Users of jailbroken iPhones in Australia are reporting that their wallpa-
pers have been changed by a worm to an image of '80s pop icon Rick
Astley. This is the first time a worm has been reported in the wild for the
Apple iPhone. According to a report by Sophos, the worm, which exploits
users who have installed SSH and not changed the default password, hu-
nts for other vulnerable iPhones and infects them. Users are advised to
properly secure their jailbroken iPhones with a non-default password, ..."

[Ike]

ars - Researchers' well-aimed stone takes down Goliath botnet

"Botnets can be taken down by a relatively small team if the efforts are co-
ordinated and all the right steps are taken at the right time. That's what ha-
ppened in the case of the Mega-D botnet—though the spam hiatus is likely
to be temporary."

[delovski]

Slashdot: AT&T Breach May Be Worse Than Initially Thought

"I'm somewhat of an authority on GSM security, having given presentati-
ons on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about
GSM at this year's Defcon). This is my take on the iPad ICCID disclosure
— the short version is that (thanks to a bad decision by the US cell com-
panies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the
disclosure of IMSIs leads to some very severe consequences, such as na-
me and phone number disclosure, global tower-level tracking, and making
live interception a whole lot easier. My recommendation? AT&T has 114
thousand SIM cards to replace and some nasty architectural problems to
fix."

[Ike]

digg - How even the dumbest Russian spies can outwit the NSA

"arstechnica.com - The recently-busted Russian spy ring appears to con-
sist entirely of complete incompetents. But as amateur as they were, they
had a trick for passing messages over the Internet that the NSA's expen-
sive Internet snooping and data-mining programs could never detect: ste-
ganography."

[Ike]

reddit - OS X malware - link in post, follow at own risk

"I've seen a number of people asking for a link to the MacDefender malware
for whatever reason, and I made it very clear what it is. Here's a screenshot
of the page it leads to."

[delovski]

Slashdot - Rogue SSL Certs Issued For CIA, MI6, Mossad

"The number of rogue SSL certificates issued by Dutch CA DigiNotar has
balooned from one to a couple dozen to over 250 to 531 in just a few days.

As Jacob Appelbaum of the Tor project shared the full list of the rogue cer-
tificates, it became clear that fraudulent certificates for domains of a number
of intelligence agencies from around the world were also issued during the
CA's compromise — including the CIA, MI6 and Mossad. Additional targeted
domains include Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, Wordpress
and many others."

[delovski]

Nick Mathewson - Tor and the BEAST SSL attack

"Today, Juliano Rizzo and Thai Duong presented a new attack on TLS <= 1.0
at the Ekoparty security conference in Buenos Aires. Let's talk about how it
works, and how it relates to the Tor protocol.

Short version: Don't panic. The Tor software itself is just fine, and the free-
software browser vendors look like they're responding well and quickly. I'll
be talking about why Tor is fine; I'll bet that the TBB folks will have more to
say about browsers sometime soon."

[delovski]

reddit - Adobe source code breach; it’s bad, real bad

"If the perpetrators are truly evil-doers, their theft of Adobe source code
could mean bad things for the company and its customers, security experts
said."

[delovski]

ars - Meet “badBIOS,” the mysterious Mac and PC malware that
jumps airgaps

"The malware, Ruiu believes, is transmitted though USB drives to infect
the lowest levels of computer hardware. With the ability to target a com-
puter's Basic Input/Output System (BIOS), Unified Extensible Firmware
Interface (UEFI), and possibly other firmware standards, the malware can
attack a wide variety of platforms, escape common forms of detection,
and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posi-
ted another theory that sounds like something from the screenplay of a
post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the
ability to use high-frequency transmissions passed between computer spe-
akers and microphones to bridge airgaps."

[Ike]

Stuxnet's Secret Twin

http://www.foreignpolicy.com/articles/2013/11/19/stuxnets_secret_twin_iran_nukes_cyber_attack?page=0%2C0

I've spent the last three years conducting that analysis -- not just of the computer code, but of the physical characteristics of the plant environment that was attacked and of the process that this nuclear plant operates. What I've found is that the full picture, which includes the first and lesser-known Stuxnet variant, invites a re-evaluation of the attack. It turns out that it was far more dangerous than the cyberweapon that is now lodged in the public's imagination.

[Ike]

http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/

Wired: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

Earlier this year, researchers say, someone mysteriously hijacked internet traffic headed to government agencies, corporate offices and other recipients in the U.S. and elsewhere and redirected it to Belarus and Iceland, before sending it on its way to its legitimate destinations. They did so repeatedly over several months. But luckily someone did notice.

[Ike]

';--have i been pwned?

"Check if you have an account that has been compromised in a data breach"

[Ike]

r - The Naked Celebrity Photo Leak

"All The Different Ways That 'iCloud' Naked Celebrity Photo Leak Might Have
Happened - One of the strangest theories surrounding the hack is that a
group of celebrities who attended the recent Emmy Awards were somehow
hacked using the venue's Wi-Fi connection."

[Ike]

New OS X backdoor malware roping Macs into botnet

http://www.net-security.org/malware_news.php?id=2875


The Mac.BackDoor.iWorm threat in detail

http://news.drweb.com/show/?i=5977&c=5&lng=en&p=0

[delovski]

lawfareblog - Someone Is Learning How to Take Down the Internet

"Over the past year or two, someone has been probing the defenses of
the companies that run critical pieces of the Internet. These probes take
the form of precisely calibrated attacks designed to determine exactly
how well these companies can defend themselves, and what would be
required to take them down. We don't know who is doing this, but it feels
like a large a large nation state. China and Russia would be my first
guesses."

[delovski]

robinlinus.github.io - Your Social Media Fingerprint

"Without your consent most major web platforms leak whether you are
logged in. This allows any website to detect on which platforms you're
signed up. Since there are lots of platforms with specific demographics
an attacker could reason about your personality, too."

[Ike]

http://www.disinfosec.com/2016/10/12/hacking-mac/

Hacking Mac With EmPyre

So, lets have some fun and look at how to hack into Mac OSX hosts using Social Engineering and Malicious Office Documents.

[Ike]

mjg59 - Fixing the IoT isn't going to be easy

"We can't easily fix the already broken devices, we can't easily stop more
broken devices from being shipped and we can't easily guarantee that we
can fix future devices that end up broken. The only solution I see working
at all is to require ISPs to cut people off, and that's going to involve a great
deal of pain. The harsh reality is that this is almost certainly just the tip of
the iceberg, and things are going to get much worse before they get any
better."

[delovski]

nomoreransom.org - No more ransom!

"Nevertheless, it is sometimes possible to help infected users to regain access
to their encrypted files or locked systems, without having to pay. We have
created a repository of keys and applications that can decrypt data locked by
different types of ransomware."

[delovski]

hn - Friday's Massive DDoS Attack Came from Just 100,000 Hacked IoT Devices

"Dyn disclosed on Wednesday that a botnet of an estimated 100,000 internet-
connected devices was hijacked to flood its systems with unwanted requests
and close down the Internet for millions of users."

1. Change Default Passwords of your connected devices
2. Disable Universal Plug-and-Play (UPnP)
3. Disable Remote Management through Telnet
4. Check for Software Updates and Patches

[delovski]

dailydot - Bruce Schneier: 'The internet era of fun and games is over'

"The more we connect things to each other, the more vulnerabilities in one
thing affect other things. We're talking about vulnerabilities in digital video
recorders and webcams that allowed hackers to take websites. ... There was
one story of a vulnerability in an Amazon account [that] allowed hackers to
get to an Apple account, which allowed them to get to a Gmail account, which
allowed them to get to a Twitter account. Target corporation, remember that
attack? That was a vulnerability in their HVAC contractor that allowed the
attackers to get into Target. And vulnerabilities like this are hard to fix. No
one system might be at fault. There might be two secure systems that come
together to create insecurity."

[delovski]

vf - How a Grad Student Found Spyware That Could Control Anybody's
iPhone from Anywhere in the World

"Ever since Snowden, and even before, experts in cyber-security have watched
warily as a handful of obscure companies launched efforts to replicate and sell
weaponized 'government-grade' spyware to the highest bidders. The ultimate
prize, security experts knew, was the ability to hack remotely into the digital
brains of the world's most popular hardware - the desktops, laptops, tablets,
and especially the mobile phones made by Apple. And not just break into Apple
devices but actually take control of them. It was a hacker's dream: the ability
to monitor a user's communications in real time and also to turn on his mic
and record his conversations.

...

'Ohhhh, that's an exploit,' Marczak murmured. He had seen enough spyware
to realize the sudden opening and closing of Safari almost certainly meant a
hostile program was using an undiscovered exploit to hack into the phone."

[delovski]

sans.org - Mac OS X Malware Analysis

"As Apple's market share raises so will the Malware! Will incident responders
be ready to address this rising threat? Leveraging the knowledge and
experience from the mature windows based malware analysis environment,
a roadmap will be built that will equip those already familiar with malware
analysis to make the transition to the Mac OS X platform. Topics covered will
include analysis of filesystem events, network traffic capture & analysis, live
response tools, and examination of OS X constructs such as..."

[delovski]

welivesecurity - The rise of TeleBots: Analyzing disruptive KillDisk attacks

"As with campaigns attributed to BlackEnergy group the attackers used
spearphishing emails with Microsoft Excel documents attached that contain
malicious macros as an initial infection vector. This time malicious documents
don't have any content with social engineering directing potential victims to
click an Enable Content button. It seems that the attackers are depending on
the victims to decide entirely on their own whether to click it or not."

[delovski]

y - Ransomware spiked 6,000% in 2016 and most victims paid the hackers, IBM finds

"The problem is, the business model works: 70 percent of business victims
paid the hackers to get their data back, the study found. Of those who paid,
50 percent paid more than $10,000 and 20 percent paid more than $40,000."

[Ike]

http://money.cnn.com/2016/12/20/technology/ad-fraud-online-methbot/index.html?iid=hp-stack-dom

http://money.cnn.com/2016/12/20/technology/ad-fraud-online-methbot/index.html?iid=hp-stack-dom

Russian 'methbot' fraud steals $180 million in online ads

Hackers fooled ad fraud blockers because they figured out how to build software that mimicked a real person who only surfed during the daytime -- using the Google Chrome web browser on a Macbook laptop.
"The Methbot is a beautiful simulacrum of a real browser. It's gotten better over time. And by better, I mean, a more perfect life-like copy," said White Ops CEO Michael Tiffany.

[delovski]

HN - Don't Fall For This Dangerously Convincing Ongoing Phishing Attack

"The hackers first look for an attachment that victims have previously sent
to their contacts and a relevant subject from an actual sent email. Then the
criminals will start gathering up contact email addresses, who become the
new targets of the attackers."

[delovski]

discover - Researchers Uncover Twitter Bot Army That's 350,000 Strong

"They seem drawn to political conversations, but are often used to artificially
inflate the number of followers a profile has, send spam and manipulate online
sentiment. Herded by shadowy 'botmasters,' these accounts can be financially
lucrative, especially after they've been around for a few years."

[delovski]

ars - A rash of invisible, fileless malware is infecting banks around
the globe

"What's interesting here is that these attacks are ongoing globally against
banks themselves, Kaspersky Lab expert Kurt Baumgartner told Ars. The
banks have not been adequately prepared in many cases to deal with this.
He went on to say that people behind the attacks are "pushing money out
of the banks from within the banks, by targeting computers that run auto-
matic teller machines."

[Ike]

r - Cloudflare have been leaking customer HTTPS sessions for months.
Uber, 1Password, FitBit, OKCupid, etc.

"The examples we're finding are so bad, I cancelled some weekend plans
to go into the office on Sunday to help build some tools to cleanup. I've
informed cloudflare what I'm working on. I'm finding private messages
from major dating sites, full messages from a well-known chat service,
online password manager data, frames from adult video sites, hotel bo-
okings. We're talking full https requests, client IP addresses, full respon-
ses, cookies, passwords, keys, data, everything."

[Ike]

r - Vault 7: CIA Hacking Tools Revealed

"CIA has more hacking capabilities than the NSA, including hundreds of zero-
day exploits to gain access to 99% of devices on the planet without revealing
these exploits to manufacturers as the US government has agreed to."

[delovski]

r - CIA planned to hack cars and trucks to carry out undetectable
assassinations claims WikiLeaks

"The important thing in the near term is that if you're hacking a true self
driving car, your plans might involve kidnapping or lawful arrest. But if the
car you're hacking is NOT a true self driving type, the only reason you'd
hack it is for assassination or annoyance.

And the CIA isn't known for being harmlessly annoying."

[Ike]

http://thehackernews.com/2017/03/cia-wikileaks-hacking.html

7 Things That Happened After WikiLeaks Dumped The CIA Hacking Files

[delovski]

r - TIL in 2008 Russian hackers managed to infiltrate a computer network that wasn't even connected to the internet

"TIL in 2008 Russian hackers managed to infiltrate a computer network that
wasn't even connected to the internet. Bugged USB drives were planted in a
kiosk outside NATO headquarters in the hope that a NATO employee would
happen to buy one and use it on their classified network, which they did."

[delovski]

r - I'm Eugene Kaspersky, cybersecurity guy and CEO of Kaspersky Lab! Ask me Anything!

"The US Senate Intel committee is currently interviewing the heads of the
intelligence community. They were just asked whether they would be
comfortable running Kaspersky software on their computers. The answer
was unanimous: No. Thoughts?"

[XNote]

http://www.jutarnji.hr/vijesti/svijet/cure-podaci-o-stvarnim-razmjerima-najveceg-globalnog-hakerskog-udara-u-povijesti-evo-tko-je-sve-medu-zrtvama-velikog-napada/6056599/

[Ike]

https://it.slashdot.org/story/17/05/20/1959240/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two

IOCs are available in a GitHub repo.

Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."

[XNote]

https://www.reddit.com/r/IAmA/comments/6cmmdf/iama_the_accidental_hero_who_helped_stop_the/

[delovski]

wired - How An Entire Nation Became Russia's Test Lab for Cyberwar

"A hacker army has systematically undermined practically every sector
of Ukraine: media, finance, transportation, military, politics, energy. Wave
after wave of intrusions have deleted data, destroyed computers, and in
some cases paralyzed organizations' most basic functions. 'You can't really
find a space in Ukraine where there hasn't been an attack,' says Kenneth
Geers, a NATO ambassador who focuses on cybersecurity."

[Ike]

https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html

A Cyberattack the World Isn't Ready For

[delovski]

THN - A Nearly-Undetectable Malware Targeting Mac Computers

"Although there is no evidence at this point linking this malware to a specific
group, the fact that it has been seen specifically at biomedical research
institutions certainly seems like it could be the result of exactly that kind of
espionage."

[delovski]

WP - SEC reveals it was hacked

"The Securities and Exchange Commission, the country's top Wall Street
regulator, announced Wednesday that hackers breached its system for
storing documents filed by publicly traded companies last year, potentially
accessing data that allowed the intruders to make an illegal profit."

[delovski]

wp - Israel hacked Kaspersky, then tipped the NSA that its tools had been breached

"In 2015, Israeli government hackers saw something suspicious in the com-
puters of a Moscow-based cybersecurity firm: hacking tools that could only
have come from the National Security Agency.

Israel notified the NSA, where alarmed officials immediately began a hunt
for the breach, according to people familiar with the matter, who said an
investigation by the agency revealed that the tools were in the possession
of the Russian government."

r - reddit duscussion of the article

""I guess Kaspersky is rumoured to be to the Russian government what
Apple / Google / Microsoft / Facebook are proven to be to the US government.

As a European I asked myself what other options there are besides
US/UK/RU Anti-virus suites. Turns out, there are quite a lot of them!"

[Ike]

https://motherboard.vice.com/en_us/article/j5j4y4/internal-kaspersky-investigation-says-nsa-workers-computer-was-infested-with-malware

It was after the NSA worker installed the pirated Office software and re-
enabled the Kaspersky scanner that Kaspersky detected the backdoor on
his computer - along with other malicious files including Java exploit code,
various viruses, adware, and run-of-the-mill hacking tools, such as a pas-
sword dumping tool, the company says.

The Kaspersky software detected that the backdoor was trying to
communicate with a URL - http://xvidmovies.in to be a malicious
command-and-control server.

[Ike]

https://www.reddit.com/r/business/comments/7elolq/uber_concealed_cyberattack_that_exposed_57/

Uber Concealed Cyberattack That Exposed 57 Million People's Data

[delovski]

r - China is spying through 42 apps, delete them: Indian Intelligence Bureau to soldiers

"The IAF, for instance, had earlier asked all its officers and airmen as well as
their families to avoid using Chinese Xiaomi smartphones and notebooks on the
ground that they could transfer user data to remote servers located in China."

[delovski]

bi - Thieves stole potentially millions of dollars in bitcoin in a hacking attack on a cryptocurrency company

"The contents of a digital wallet belonging to cryptocurrency company
NiceHash, which included potentially millions of dollars worth of customers'
bitcoin, was stolen in a major security breach early Wednesday."

[Ike]

https://arstechnica.com/information-technology/2017/12/suspicious-event-routes-traffic-for-big-name-sites-through-russia/

Suspicious event routes traffic for big-name sites through Russia

Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider Wednesday under circumstances researchers said was suspicious and intentional.

[Ike]

coindesk - Bitcoin Exchange Youbit to Declare Bankruptcy After Hack

"The exchange was previously targeted in April in an attack which South
Korean officials believe was conducted with the support of neighboring
North Korea. Recent reports indicate that intelligence services in South
Korea suspect that North Korea is behind additional attacks against
domestic cryptocurrency exchanges, including market-leader Bithumb."

[Ike]

wp - The intelligence coup of the century

"But what none of its customers ever knew was that Crypto AG was secretly
owned by the CIA in a highly classified partnership with West German
intelligence. These spy agencies rigged the company's devices so they could
easily break the codes that countries used to send encrypted messages."

[Ike]

r - I Was the Homeland Security Adviser to Trump. We're Being Hacked.

"It was reported several years ago that Russia has access to the U.S. power grid.

The GOP just attempted a coup, openly, after denying assistance to and
ensuring a shaky existence for much of the U.S. populace for a year during
a pandemic. If you thought that was callous, just wait until those major GOP
donors who would profit from evictions and property sales reap a windfall.

Things may get really weird."

[Ike]

windows10forums.com - Windows Defender false threat on Windows 10

"Windows Defender - It claims in its "Threat Blocked" report that the file has
'Trojan:Script/Wacatac.B!ml'. Most amazingly when I run a custom scan on this
file it says "0 threats found", but it will still remove the file periodically when I
try to use it even if this removal does not happen each time I use it.

Windows Security > Virus & threat protection > Manage settings > Add
or remove exclusions"

[Ike]

git - Mobile Verification Toolkit

"Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and
automate the process of gathering forensic traces helpful to identify a potential
compromise of Android and iOS devices."

[Ike]

Objective-See - The Art of Mac Malware

"Mac Malware Resources:

All about Mac antivirus"
The Safe Mac Malware Catalog
OS X Incident Response: Scripting and Analysis
OS Internals

I'm writing a (free) book: The Art of Mac Malware ...have a read, it's free"

Plus: https://github.com/objective-see

[Ike]

r - iMazing 2.14 now detects traces left by known spyware such as the recent Pegasus surveillance tool - even in the free version

"In this context, Amnesty International published MVT, an open-source
command-line tool designed to help investigators and technologists detect
signs of infection in mobile devices.

We have implemented MVT's detection methodology as an easy to use and
entirely free feature in iMazing."

[Ike]

Y! - 10 Days Inside Putin's Invisible War With Ukraine

"Whether on the front lines or not, Ukrainians live with the constant knowledge
that their systems and technology and borders are under siege, that at the
moment of a military action against their country, the internet will likely go
dark, their connection to the world severed."

[Ike]

Y! - Hackers have found a sneaky new way to spy on iPhone users -- here's how

"The malicious keyboard is then able to record everything a victim types and
all of this information is sent back to a command and control (C&C) server
operated by the hackers behind this campaign."