
Friday, September 23, 2016

Ardit Ferizi, aka Th3Dir3ctorY, 20, a citizen of Kosovo, will spend 20 years in a US prison for providing material support to ISIS hackers by handing over data for 1,351 US government employees.

Ferizi obtained the data by hacking into a US retail company on June 13, 2015. He then filtered the stolen information, setting aside the records related to government officials, which he later handed over to Junaid Hussain, at that time the leader of the Islamic State Hacking Division (ISHD).

Ferizi provided data for one of the ISIS kill lists
Hussain then uploaded this information online, asking fellow ISIS members to seek out these individuals and execute lone wolf attacks. Some of Hussain's statements included:

“ We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands! ”

Because of this leak, the US Army targeted and killed Hussain in a drone strike in Syria in August 2015.

The US also tracked down Ferizi and issued an arrest warrant in his name. He was arrested on October 6, 2015, at the international airport in Kuala Lumpur, Malaysia, while trying to catch a flight back to Kosovo. Ferizi was in Kuala Lumpur studying computer science.

Ferizi was very well-known in hacker circles
Before helping ISIS, Ferizi had a prodigious hacking career as the leader of the Kosova Hacker's Security (KHS) hacking crew.

As a member of KHS, Ferizi's previous targets included government websites belonging to the Presidency of Macedonia, the Greek Decentralized Administration of Macedonia and Thrace (DAMT), and the Greek Ministry of Education, Lifelong Learning and Religion. Besides defacements, KHS also stole data from IBM and Greek mobile telecoms firm OTE.

The hacker pleaded guilty to all charges on June 15, 2016. He faced a sentence of up to 35 years in prison, which was reduced to a maximum of 25 years after he agreed to plead guilty.

Monday, March 21, 2016

A group of independent security researchers and major Silicon Valley tech giants submitted a proposal for a new email protocol extension called SMTP STS (Strict Transport Security) last Friday, March 18, 2016.

SMTP has never been a secure protocol, mainly because at the time it was invented, in 1982, online surveillance wasn't much of a concern among the few thousand Internet-connected computers in existence.

As the Web developed, and as cyber-criminals and nation-state hackers started to rear their ugly heads, tech companies came up with the STARTTLS extension to the SMTP protocol, as a method of using encrypted channels to send email messages.

Unfortunately, STARTTLS was never as secure as originally intended, mainly due to a design flaw: because the upgrade to encryption is negotiated opportunistically, an attacker positioned between the two servers can strip the STARTTLS offer from the conversation and tell the sender that its counterpart doesn't support encryption, so the sender falls back to delivering the message in plaintext, as usual.

It's exactly this hole security researchers are currently trying to plug with this new extension to the SMTP protocol named STS, or Strict Transport Security.

SMTP STS is to SMTP what HSTS is to HTTPS
In principle, the new extension mirrors HSTS (HTTP Strict Transport Security). Just as HSTS works alongside HTTPS to prevent SSL/TLS downgrades and MitM attacks, SMTP STS adds message confidentiality and server authenticity to the process of setting up an encrypted email channel.

SMTP STS will allow the two servers engaged in an email exchange to cryptographically validate each other and to decide, in a manner that an outside party cannot tamper with, whether encryption is supported, whether it must be used, and what to do if it is not available.
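The downgrade described above and the effect of a cached strict-transport policy, as an added toy model that is not code from the article or from any IETF draft; the EHLO banners, the policy fields and the certificate-name check are constructed for the example (real policy publication and fetching are specified differently):

```python
"""Toy model (added here, not code from the article or from any IETF draft) of
the STARTTLS downgrade and how a cached strict-transport policy for a domain
closes it.  The policy fields and the EHLO banners are constructed for the
example; real MTA-STS policies are published and fetched differently."""
import re
from dataclasses import dataclass

# Constructed EHLO responses as a sending MTA would read them from the peer.
EHLO_WITH_STARTTLS = (
    "250-mail.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
# The same banner with the STARTTLS line stripped, which is what an active
# attacker between the two servers would forward to force plaintext delivery.
EHLO_STRIPPED = "250-mail.example.net\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"


def offers_starttls(ehlo_response: str) -> bool:
    """True if the EHLO response advertises the STARTTLS extension (RFC 3207)."""
    return any(
        re.fullmatch(r"250[- ]STARTTLS", line.strip(), re.IGNORECASE)
        for line in ehlo_response.splitlines()
    )


@dataclass(frozen=True)
class StrictPolicy:
    """Hypothetical cached policy: 'this domain always offers TLS and its MX
    presents a certificate for one of these names, until expires_at'."""
    domain: str
    require_tls: bool
    mx_patterns: tuple   # e.g. ("*.example.net",)
    expires_at: int      # unix time; a stale policy must not be enforced


def hostname_matches(name: str, pattern: str) -> bool:
    """Single-label wildcard match: '*.example.net' matches 'mx1.example.net'
    but not 'example.net' or 'a.b.example.net'."""
    name, pattern = name.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return name == pattern
    return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")


def decide_transport(domain, ehlo_response, cert_name, policy, now):
    """Return 'tls', 'plaintext' or 'refuse' for one delivery attempt.

    policy is the cached StrictPolicy for `domain` or None; cert_name is the
    subject name on the certificate the peer presented (None if no TLS)."""
    starttls = offers_starttls(ehlo_response)
    enforce = (policy is not None and policy.domain == domain
               and policy.require_tls and now < policy.expires_at)
    if not enforce:
        # Legacy opportunistic STARTTLS: a stripped banner silently downgrades.
        return "tls" if starttls else "plaintext"
    if not starttls:
        # Policy says TLS is always available, so its absence is an attack or an
        # outage; either way the message is queued rather than sent in clear.
        return "refuse"
    if cert_name is None or not any(hostname_matches(cert_name, p)
                                    for p in policy.mx_patterns):
        # TLS to an unvalidated peer still allows a MitM, so refuse as well.
        return "refuse"
    return "tls"
```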

The biggest names on the contributors list include Microsoft, Google, Yahoo, LinkedIn, and Comcast. Currently, the proposal is only a draft specification at the IETF (Internet Engineering Task Force), but given that so many big companies have put their names behind the submission, the chances are that we'll see it become an official specification fairly soon.

Last year, Oracle also submitted a similar proposal called DEEP (Deployable Enhanced Email Privacy).


Sunday, March 20, 2016

Carbanak, the cybercriminal group that robbed more than $1 billion from 100 banks across 30 countries in 2013 and 2014, has been seen once again, and this time, security researchers say they've caught the group in their early attack stages.

In February 2015, the world was shocked to find that cybercriminals managed to steal over $1 billion from so many banks for almost two years without being detected.

Leveraging advanced infiltration and exfiltration techniques, Carbanak operated in the shadows, using the Anunak and Carberp malware to infect and then steal money from banks across the world, with the majority located in Russia.

The group took a break after security researchers ousted them in February 2015, but last autumn, and later in February this year, the group returned with new attacks, but this time around against financial institutions and the financial departments of multinational companies.

Carbanak now targets banks in the US, Australia and Middle East
Now, security firm Proofpoint says that it detected a new wave of spear-phishing campaigns that are pushing some of Carbanak's malware, along with a new threat.

These spear-phishing campaigns are directed at high-level executives in banks located in 18 countries, with most attacks hitting the US, Oman, Australia, Kuwait, and the United Arab Emirates.

"The group also expanded its targeting from financial institutions to seemingly unrelated targets in fire, safety, and HVAC," Proofpoint experts noted. "However, as we learned from the Target data breach, among others, vendors and suppliers can give attackers a point of entry into their real target."

Carbanak developed new malware called Spy.Sekur
The spear-phishing emails come boobytrapped with Word documents that when opened will leverage the CVE-2015-2545 Microsoft Office vulnerability to infect the target's PC with malware.

As Proofpoint explains, the group has developed new malware. This new threat is identified as Spy.Sekur, a Remote Access Trojan (RAT), used to open backdoors on infected workstations.

Besides Spy.Sekur, security researchers also say Carbanak deployed other, more well-known RATs, such as DarkComet, jRAT, and MorphineRAT.

Because spear-phishing campaigns are usually the first stage of any cyber-crime campaign, it appears that Proofpoint caught Carbanak red-handed, right in the middle of a new wave of attacks.


In 2015, security researchers from Secunia detected 16,081 vulnerabilities in 2,484 software applications from 263 different vendors.

This represents a 2% increase compared to 2014, and a 39% rise compared to 2010. The real numbers are bound to be higher if all currently available software is taken into account, since Secunia admits the research covered far fewer vendors than in previous years and also scanned fewer applications.

What Secunia's staff discovered was that during the past year, most of the detected bugs were categorized as less critical (45.6%), moderately critical bugs accounted for 25.5%, highly critical bugs for 13.3%, and only 0.5% of detected bugs were extremely critical.

More than half of security bugs can be exploited via the Internet
What's dangerous though is that 57% of these bugs could be exploited from a remote network, 35% from the local network, while only a small percentage (8%) required the attacker to launch his exploits from the victim's computer.

Most vulnerabilities were found in Google Chrome (516), followed by Adobe Flash (457), Adobe Air (306), Mozilla Firefox (254), Microsoft Internet Explorer (197), Microsoft Windows 7 (144), Adobe Reader (133), Apple iTunes (130), Oracle Java JRE (81), and Microsoft Excel (52).

As for zero-day vulnerabilities, despite the smaller number of scanned applications and vendors mentioned above, Secunia still found 23 zero-day bugs, three more than in 2014.

Browsers patch vulnerabilities in less than a month
More troubling is the fact that Secunia discovered 1,114 vulnerabilities in the five most popular browsers in 2015. With most of today's technology revolving around the Internet, browser bugs are becoming as dangerous as OS-level issues.

But Secunia also noticed a good thing about browser vulnerabilities, and that is the fact that browser vendors are among the quickest to issue patches when a security flaw is discovered.

In the past two years, Secunia has seen browser vendors take less than 30 days from the moment a vulnerability is detected to the moment an update is available for download.


Saturday, March 19, 2016

An Android trojan specialized in showing unwanted ads has managed to infect the firmware of 40 low-end Android smartphones, and even a few popular applications, some of them created by cyber-security vendors.

The trojan, named Android.Gmobi.1, or just Gmobi, was discovered this month by Dr.Web security researchers, who traced its origin to a software development kit (SDK) that the developers of the affected firmware images and Android apps used to automate some features inside their products.

Dr.Web didn't provide the name of the SDK but said it helped developers automate the task of showing notifications on an Android smartphone.

Gmobi is specialized in showing ads
The way the trojan operates is simple. Once the device is connected to the Internet or wakes up after being asleep for more than a minute, it will start collecting information on the device and send it to a C&C server.

This includes details such as the user's emails, roaming availability, GPS coordinates, mobile network data, device technical details, and if the user has Google Play installed on his device.

Once these details reach the server, it replies with commands to update the local ads database, add shortcuts for various advertisements on the home screen, display an ad via a notification box, show a notification that when tapped starts an app, or install another app covertly, if the app/firmware through which the trojan operates has the necessary privileges.

Gmobi can show ads in the status bar, via dialogs, interactive dialogs, on top of other apps, on top of the screen (if no app is running), or launch a local browser or Google Play to a specified page.

Removing the trojan is impossible in some cases
Unfortunately, because the trojan is directly embedded in the firmware, removing this threat via an antivirus or by uninstalling the firmware might alter normal OS behavior. For these cases, users have to wait for OEMs to issue new versions of their firmware.

As for the apps where the SDK was used, Dr.Web says that they've informed the developers, and most of them have patched or are in the process of updating their code. The researchers did give out the name of one of the smartphones where Gmobi was detected, which is Micromax AQ5001.

Affected apps included two Trend Micro apps, Dr. Safety and Dr. Booster, and the ASUS WebStorage apps. Dr.Web says that Trend Micro has already patched their applications.


Tuesday, March 15, 2016

Yahoo! has patched an email spoofing issue that allowed attackers to send malicious emails in the name of any person they wished.

Yahoo! Mail received a more polished, "modern" update a few years back, after Marissa Mayer took over the company. Since not all users liked the new email UI, the company still allowed the old interface to exist alongside the new one for a while and then created a "Basic" view for their newer UI, with far less JavaScript, so there would be a lower chance of things going astray.

Security researcher Lawrence Amer of Vulnerability Lab has come across an issue in Yahoo! Mail's Basic interface, often called Classic Mode, which gave attackers an easy avenue to spoof the sender address of their emails.

Researcher managed to spoof an email just by tweaking a URL

The researcher says that he was able to easily capture HTTP requests sent to the server whenever he was sending emails from this Basic interface.

In the request's URL, he found the parameter responsible for altering the "from address" belonging to each newly created email, alongside the sender's name.

By tweaking these two, the researcher was capable of sending emails that looked like they were coming from other persons, without Yahoo! detecting the issue and flagging them as spam or scams.

Ever since he discovered the issue back in October 2015, the researcher has been working with Yahoo! to address the bug, which received its final patch a week ago, on March 7, 2016.

Issue was rated as medium severity but has a potential for harm

The bug was a serious issue since it allowed people to spoof email addresses and send legitimate-looking emails. A bug like this would have been worth thousands of dollars on the hacking black market since it would have provided the perfect avenue for sending effective phishing emails.

A simple scenario would be to send an email made to look like it was coming from Yahoo's security team, asking users to reset their passwords or validate accounts, but in reality, sending victims to a malicious URL where their login and account details would be recorded.

A video depicting the vulnerability and how it could be exploited is presented below, courtesy of Mr. Amer.


Sunday, February 14, 2016

Muhammad Sohail Qasmani, 47, from Pakistan, pleaded guilty to charges of conspiracy to commit wire fraud, as part of an international crime gang that hacked telephone servers and defrauded companies of well over $19.6 million / €17.4 million.

PBX (Private Branch Exchange) systems are private telephone networks used within a company that connect to external telephony providers. Just like routers manage IP addresses inside a LAN, PBX systems manage telephone numbers inside a closed enterprise phone network.

Hackers hijacked unused telephone numbers
Starting in 2008, a criminal group operating from Pakistan hacked PBX systems belonging to various companies across the globe. The hackers illegally accessed the devices and scanned them for unused numbers.

They would then hijack these unused telephone extensions and initiate calls to premium numbers for services such as adult entertainment, private chat lines, and psychic hotlines.

All of these premium numbers were registered to and under the control of Noor Aziz, 53, of Karachi, Pakistan, who collected the revenue generated by the hijacked phone calls. The companies whose phone numbers were hijacked would eventually have to foot the bill for all the illegal calls.

Aziz worked with Qasmani, who set up a company in Bangkok through which Aziz laundered money and paid the people that hacked the PBX systems, and the ones that constantly dialed each number (called dialers) to call the fake premium services.
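A detection routine for the hijacked-extension pattern described above, as an added example that is not code from the article or from the FBI investigation; the call-detail-record format, the premium-rate prefix list and the extension inventory are constructed for the example:

```python
"""Added detection example (not from the article or the FBI case): scores PBX
call-detail records for the toll-fraud pattern described above, i.e. unassigned
extensions dialling premium-rate numbers, typically overnight.  The CDR format,
the prefix list and the extension inventory are constructed for the example."""
from collections import defaultdict
from datetime import datetime

# Constructed CDR lines: timestamp,extension,dialled_number,duration_seconds
CDR_LINES = """\
2016-02-10 09:12:03,1041,+14155550199,84
2016-02-10 14:30:55,1041,+14155550123,311
2016-02-11 02:14:11,1307,+19005550142,1781
2016-02-11 02:45:09,1307,+19005550142,1790
2016-02-11 10:05:00,1022,+14155550177,60
2016-02-11 23:58:30,1307,+19005550142,1800
"""

# Extensions the PBX inventory says are assigned to a person (constructed).
ASSIGNED_EXTENSIONS = {"1041", "1022"}
# Premium-rate prefixes to watch; +1-900 is the US premium-rate range.  A real
# deployment would load the carrier's premium and high-cost destination lists.
PREMIUM_PREFIXES = ("+1900",)
OFF_HOURS_START, OFF_HOURS_END = 22, 6   # local business-hours assumption


def parse_cdr(text: str) -> list:
    """Parse the constructed CDR format into dicts with a datetime per call."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, number, duration = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ext": ext, "number": number, "duration": int(duration),
        })
    return records


def is_premium(number: str) -> bool:
    return number.startswith(PREMIUM_PREFIXES)


def is_off_hours(t: datetime) -> bool:
    return t.hour >= OFF_HOURS_START or t.hour < OFF_HOURS_END


def find_toll_fraud(records: list, assigned: set, airtime_threshold: int = 3600) -> list:
    """Return one alert per extension that placed premium-rate calls, listing
    the reasons it matches the hijacked-extension pattern."""
    by_ext = defaultdict(list)
    for r in records:
        by_ext[r["ext"]].append(r)
    alerts = []
    for ext, calls in sorted(by_ext.items()):
        premium = [c for c in calls if is_premium(c["number"])]
        if not premium:
            continue
        reasons = []
        if ext not in assigned:
            reasons.append("unassigned extension placing premium-rate calls")
        off_hours = sum(1 for c in premium if is_off_hours(c["time"]))
        if off_hours:
            reasons.append(f"{off_hours} premium-rate calls outside business hours")
        airtime = sum(c["duration"] for c in premium)
        if airtime >= airtime_threshold:
            reasons.append(f"{airtime}s of premium-rate airtime in the window")
        alerts.append({"ext": ext, "reasons": reasons, "airtime": airtime,
                       "destinations": sorted({c["number"] for c in premium})})
    return alerts
```

Feeding the constructed records through `find_toll_fraud(parse_cdr(CDR_LINES), ASSIGNED_EXTENSIONS)` flags only extension 1307, with all three reasons, while the assigned extensions making ordinary daytime calls produce no alert.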

Criminal group had more than 650 members
FBI agents investigating the case discovered that between 2008 and 2012, Aziz transferred over $19.6 million / €17.4 million to Qasmani's company. In turn, Qasmani rerouted these funds to 650 different people in ten countries: the Philippines, India, Pakistan, Malaysia, China, the United Arab Emirates, Saudi Arabia, Indonesia, Thailand, and Italy.

US authorities arrested Aziz in June 2012, indicted him, and later set him free on bail. Shortly after, Aziz fled and still remains a fugitive to this day. The FBI suspects Aziz may be hiding in Saudi Arabia.

More recently, US authorities arrested Qasmani on December 22, 2014, at the Los Angeles airport after he arrived via a flight from Bangkok, Thailand. After admitting his role in this scheme, Qasmani now faces up to 20 years in jail and a $250,000 fine. A judge will decide on his sentence on May 17, 2016.


A team of researchers from MIT (Massachusetts Institute of Technology) and TI (Texas Instruments) has created a new RFID (Radio-Frequency IDentification) chip which they claim cannot be hacked.

The two teams said they took special care to protect against two types of attacks that plague modern-day RFID chips deployed in chip-and-PIN credit cards.

These attacks are known under the names of side-channel attacks and power glitch attacks.

Protection against side-channel attacks
Side-channel attacks occur when nearby attackers can watch, record, or analyze data from cryptographic operations performed by the chip. They can watch for fluctuations in power usage during these tasks, and by collecting enormous amounts of information, they can later extract the cryptographic key used to run the chip's secure transactions.

MIT and TI researchers say their new chip will regularly change the cryptographic key based on a random-number generator, which will also run on the bank's server. The two will work in tandem and would generate unique cryptographic keys for each card transaction.

The solution researchers chose makes side-channel attacks "almost" impossible to carry out because they won't have enough data to analyze and extract the cryptographic key. But...

Protection against power glitch attacks
Researchers did reveal that despite adding side-channel attack protection, the chip could still be hacked by power glitch attacks.

This type of attack works when attackers cut the chip's electrical power supply, right before the chip wants to generate a new cryptographic key. When power returns, the chip would use the old cryptographic key, and forget about generating a new one.

By doing this repeatedly, attackers could force the chip to work with the same encryption key until they amassed enough information to carry out a side-channel attack.

The MIT and TI teams resolved this issue by adding a 3.3-volt capacitor made of ferroelectric crystal that stores enough extra energy to let the chip finish as many operations as it can after the power supply is abruptly removed, and then save its data to 571 different 1.5-volt storage cells.

When power returns to the chip, it would first recharge the 3.3-volt capacitor, and then retrieve its previous data from the 1.5-volt cells, continuing from where it was interrupted.
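The glitch-and-rollback problem and the effect of committing the rotation state before the key is used, as an added simulation that is not the MIT/TI design; the per-transaction key schedule (an HMAC over a counter) and the single non-volatile counter are simplifying assumptions standing in for the capacitor-backed state save the article describes:

```python
"""Toy simulation (added here; not the MIT/TI design) of why a power glitch
before key rotation makes an RFID chip reuse a key, and how committing the
rotation state to non-volatile storage first prevents it.  The per-transaction
key schedule (HMAC of a counter) is an assumption for the example."""
import hashlib
import hmac

MASTER = b"constructed-master-secret-for-example"


def transaction_key(master: bytes, counter: int) -> bytes:
    """Key for transaction `counter`; the bank server derives the same value."""
    return hmac.new(master, counter.to_bytes(4, "big"), hashlib.sha256).digest()


class Chip:
    """Models the counter that drives key rotation.

    checkpoint=False: the counter advances in volatile memory and is only
    written back after the transaction completes, so a power cut after the key
    is used but before the write-back rolls it back (the attack in the article).
    checkpoint=True: the new counter is committed to non-volatile cells before
    the key is used, standing in for the capacitor-backed state save."""

    def __init__(self, master: bytes, checkpoint: bool):
        self.master = master
        self.checkpoint = checkpoint
        self.nv_counter = 0          # survives power loss
        self.power_on()

    def power_on(self):
        self.ram_counter = self.nv_counter   # volatile copy reloaded at boot

    def transaction(self, glitch: bool) -> bytes:
        """Run one transaction; `glitch` cuts power right after the key is used."""
        n = self.ram_counter
        if self.checkpoint:
            self.nv_counter = n + 1          # commit rotation before using the key
        key = transaction_key(self.master, n)
        # ... the key is used here, and its power trace leaks to the side channel ...
        if glitch:
            self.power_on()                  # RAM state lost; reload from NV
            return key
        self.ram_counter = n + 1
        self.nv_counter = n + 1              # normal write-back at end of transaction
        return key


def keys_used(checkpoint: bool, glitch_pattern) -> list:
    """Return the hex keys a fresh chip used, one per entry in glitch_pattern."""
    chip = Chip(MASTER, checkpoint)
    return [chip.transaction(g).hex() for g in glitch_pattern]
```

Repeatedly glitching the non-checkpointing chip yields the same key on every transaction, which is exactly the condition that lets a side-channel attacker accumulate traces; the checkpointing chip produces a fresh key each time regardless of glitches.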

After going through a testing phase, MIT and TI researchers said the chips performed as designed. Their work is only at a prototype stage right now, and will not be ready for production for many years. Researchers presented their work at this year's International Solid-State Circuits Conference, held in San Francisco.


Tuesday, February 2, 2016

Windows 10 adoption continues to grow on Valve’s Steam gaming platform, and figures for the month of January show that the new operating system is very close to overtaking Windows 7.

Right now, Windows remains the preferred operating system on Steam by a wide margin, so Linux is clearly not yet an alternative despite the growing number of games available on the platform. Windows powers 95.39 percent of computers running Steam, while Mac OS X is the runner-up with 3.55 percent. Linux is third with 0.95 percent, down 0.01 percent.

Windows 7 64-bit is obviously the top choice with 34.31 percent, but it’s down 0.50 percent for the month of January while Windows 10 64-bit is not only the runner-up, but it’s also up 1.52 percent.

Switch of places expected in the coming months

If the same trend is maintained, Windows 10 could overtake Windows 7 in approximately a couple of months, thus becoming the number one platform on Steam, mostly thanks to the improvements that it comes with, including DirectX 12.

The third platform in the charts is Windows 8.1 64-bit, but it’s far behind with just 14.03 percent while Windows 7 32-bit is next with 7.77 percent. What’s surprising, however, is that Windows XP 32-bit also improved last month by 0.14 percent to eventually reach 2.31 percent.

Certainly, there’s no better gaming platform than Windows on the desktop right now, and Windows 10 is quickly becoming the preferred choice for the majority of users, so these figures can only be good news for Microsoft and developers investing in this particular platform.

Worldwide, Windows 10 is currently the second most-used desktop operating system with a share of approximately 13 percent, while Windows 7 continues to be the leader with more than 45 percent. The gap is bigger when no gaming is involved, but that could change soon as well if enterprises complete their migration plans.

Sunday, January 31, 2016

The hacker known as Hanom1960 has breached, stolen, and leaked information from Colombia's Ministry of Information Technologies and Communications and Ministry of National Education.

Hanom, who claims he's part of the newer generation of LulzSec members, made his debut on the hacking scene last week, after hacking and dumping data from Costa Rica's Ministry of Foreign Affairs.

Government data dumped online

The hacker's most recent shenanigans left him in possession of a new batch of data, which he recently uploaded online and which contains troves of personal information about Colombian government employees.

The database belonging to the Ministry of Education contains usernames, for both site users and administrators, hashed passwords, real names, emails, telephone numbers, birth dates, employee roles, area of expertise, and employee codes. The data dump includes details for over 2,800 users.

The database belonging to the Ministry of Information Technologies and Communications included data on some of the Ministry's digital and physical assets, as well as personal details for persons holding administrative accounts on various pieces of the Ministry's equipment and network nodes.

Over 1,300 such entries were included, with data like employee names, email addresses, passwords, and equipment addresses.

Data dump wants to bring attention to the country's corrupt political class

In a private Twitter conversation, Hanom1960 pointed Softpedia to an El Tiempo article which shows some of the rampant corruption affecting Colombia's political class.

The article in question talks about an official investigation into various cases where local Colombian authorities diverted state funds for unnecessary and frivolous expenses like the purchase of vehicles, smartphones, floral arrangements, and personal meals.

Hanom1960 also revealed to Softpedia that he plans to release another data dump in the following days, containing information acquired after breaching Chile's government websites. Just as before, he justified the attack as a way to highlight corruption in that country as well.

If these are his true reasons, then Hanom is going to be a busy man this year, since most governments around the world face similar corruption cases and allegations every day.


Sunday, January 24, 2016

A hacker that goes by the name of Lorde Bashtien has released the personal details of 80 police officers from the Miami Police Department, the Miami-Dade Police Department, and the Miami Beach Police Department.

According to Vice, who spoke with the hacker before his Twitter account was suspended, the data was taken from FBI servers, not local Miami police servers.

Hacker has connections to CWA

The hacker seems to have connections to the now-defunct CWA hacking group. CWA has previously hacked CIA Director John Brennan, FBI Deputy Director Mark Giuliano, US National Intelligence Director James Clapper, and President Barack Obama's Senior Advisor on science and technology John Holdren.

The group also hacked JABS (Joint Automated Booking System), an application used to record and manage arrested US citizens, and also boasted of having access to a secret FBI portal.

In November, CWA released the personal details of 2,400 US government officials. Vice reporters have verified the hacker's claims and say that the data is authentic.

Lorde Bashtien announces more upcoming data leaks

The dox, a hacker term for the release of someone's personal details, includes full names, work phones, emails, and work titles. The data is in the same format as the data from November, so it is plausible that it comes from the same source.

Lorde Bashtien explained his actions as a personal grudge against Miami PD after police officers targeted some of his friends last year, during a raid at a house they rented, which ended with gunfire. This revelation might have given away his location, suggesting that he is a Miami resident.

Despite such high-profile hacks, with a deep impact on government employee safety, the FBI has so far failed to catch the hackers.

After creating a new Twitter account, Lorde Bashtien tweeted "more leaks soon, stay tuned," hinting at other data he may release in the future.


Security researchers from Palo Alto Networks are reporting on increased activity from the Chinese-linked cyber-espionage group that previously hacked Forbes.com and later Samsung Pay.

The group, known as C0d0s0, or simpler as Codoso, does not seem to have a clear direction and purpose for this most recent campaign and appears to be harvesting information on random Internet users, probably building a database of possible pawns for future attacks.

Just as before, the group is using some of the most sophisticated attack methods seen around, deploying malware through compromised but legitimate websites, via watering hole techniques.

There were also cases where spear-phishing emails were used against targets in the telecommunications, high tech, education, manufacturing, and legal services industries.

In all cases, the malware chosen for Codoso's attacks is a new variant of the Derusbi family, also utilized by other Chinese cyber-espionage groups.

This malware works by using DLL side-loading techniques to get its malicious code loaded by legitimate applications. This allows it to evade some security tools and to alter registry keys to gain boot persistence.

Group seems to be interested in collecting data on random Internet users

Once in action, the malware will collect data about targets and send it to a remote C&C server. Palo Alto detected three servers used in the most recent wave of Codoso attacks, all with connections between them and registered in Hong Kong.

The group is collecting data about users like their IP address, their MAC address, username, hostname, CPU details, and Internet Explorer user agent string.

Palo Alto researchers suspect this may be the incipient stage of a more dangerous attack to come.

"The tactics, techniques, and procedures (TTPs) used by C0d0so0 appear to be more sophisticated than many other adversary groups with multiple layers of obfuscation in use, as well as specific victim targeting in what appears to be an attempt at creating a staging area for additional attack," Palo Alto researchers Josh Grunzweig and Bryan Lee said about the group. We'll now have to wait and see what the group is really after this time around.
