Source: http://securitywatch.pcmag.com/security/319544-what-it-s-like-when-the-fbi-asks-you-to-backdoor-your-software
At a recent RSA Security Conference, Nico Sell was on stage announcing that her company—Wickr—was making drastic changes to ensure its users' security. She said that the company would switch from RSA encryption to elliptic curve encryption, and that the service wouldn't have a backdoor for anyone.
As she left the stage, before she'd even had a chance to take her microphone off, a man approached her and introduced himself as an agent with the Federal Bureau of Investigation. He then proceeded to "casually" ask if she'd be willing to install a backdoor into Wickr that would allow the FBI to retrieve information.
A Common Practice
This encounter, and the agent's casual demeanor, is apparently business
as usual as intelligence and law enforcement agencies seek to gain
greater access into protected communication systems. Since her encounter
with the agent at RSA, Sell says it's a story she's heard again and
again. "It sounds like that's how they do it now," she told
SecurityWatch. "Always casual, testing, because most people would say
yes."
The FBI's goal is to see into encrypted, secure systems like Wickr and others. Under the Communications Assistance for Law Enforcement Act (CALEA), law enforcement can tap any phone in the US, but it can't read encrypted communications. We've also seen how law enforcement has followed the lead of the NSA and gathered data en masse from cellphone towers. With the NSA reportedly installing backdoors onto hardware sitting in UPS facilities and allegedly working to undermine cryptographic standards, it's not surprising that the FBI would be operating along similar lines.
The Difference
It was clear that the FBI agent didn't know who he was dealing with,
because Sell did not back down. Instead, she lectured him on topics
ranging from the First and Fourth Amendments to the Constitution, to
George Washington's creation of a Post Office in the US. "My ancestor
was a drummer boy under Washington," Sell explained. "Washington thought
it was very important to have freedom of information and private
correspondence without government surveillance."
Her lecture concluded, she proceeded to grill the agent. "I asked if he had official paperwork for me, if this was an official request, who his boss was," said Sell. "He backed down very quickly."
Though she didn't budge for the agent, Sell makes it clear that surveillance and security is a complicated issue. "Ten years ago, I'd have said yes," said Sell. "Because if law enforcement asks you to catch bad guys, who wouldn't want to help?"
The difference now, she explained, was her experiences at BlackHat. Among those, Sell pointed to a BlackHat event where Thomas Cross demonstrated
how to break into lawful intercept machines—or wiretaps. "It was very
clear that a backdoor for the good guys is always a backdoor for the
bad guys."
How To Be A Good Guy
"I'm not against helping law enforcement, but the most important thing to me is protecting my friends and family the best way I know how," said Sell.
She suggested that the NSA and other agencies go back to a model where
individuals are targeted, instead of monitoring all communications and
sorting it out later. "There are plenty of ways to track people without
trampling human rights," she said.
As an example of how to do
security right, Sell unsurprisingly pointed to Wickr. She said that her
company does not hold the encryption keys to decrypt users' messages, or
see their identities. That way, should Wickr be compelled to hand over
data from a court order, investigators will only find junk. And in
addition to employing who Sell calls the "best crypto people," Sell said
that individual messages are bound to their intended device. "Even in
20 years or 100 years, if the NSA miraculously breaks these [encryption]
equations, they still wouldn't be able to read these messages."
It's clear that for Sell, this is about more than good security. "I'm doing the right thing here, and it's the right thing for them, too," she said. "I'm not afraid of them."
Tuesday, January 19, 2016
Huawei Telecoms Equipment Targeted by NSA Spies
Source: http://www.cellular-news.com/story/63996.php
Analysis of NSA documents released by the whistleblower Edward Snowden has shown that the US spy agency directly targeted equipment manufactured by China's Huawei.
The documents show that at least two, possibly three projects that were given individual codenames targeted Huawei routers, firewalls and network equipment known to have been sold to at least three major mobile network operators.
As a telecoms equipment vendor, Huawei would have been just one of many telecoms manufacturers targeted by the US spies.
Although Huawei has always denied it, there are these persistent allegations that the company was some sort of backdoor for Chinese spies, and yet it finds itself in the curious position of having been targeted to act as a backdoor for US spies instead.
The documents raise some uncomfortable questions, particularly for politicians who have accused the company of being a front for the Chinese military.
In October 2012, the USA's House Intelligence Committee carried out an investigation and concluded by recommending that US firms avoid doing business with the Chinese supplier, although much of the report's allegations appeared to be based more on dissatisfaction with the company's shareholding structure and openness than on any proven security threat.
However, that report did include a classified annex, which was not published, but was said to support the Committee's findings.
In an unrelated interview last year, Michael Hayden, the former head of another US spy agency, the CIA, said that Huawei represented an "unambiguous national security threat to the USA and Australia."
Michael Hayden was head of both the CIA and the NSA for nearly a decade up to 2008. It is likely though, that while at the CIA he would have been unaware of the actions of the rival agency.
To date, none of the allegations against Huawei have ever cited a specific example of software code that acts as a backdoor for the Chinese military. However, if classified investigations passed to US politicians or the CIA have shown evidence of such exploits, the question now has to be asked: who put the exploits there?
Ultimately, all major telecoms vendors have been targeted by the NSA as a routine procedure by the spies, and Huawei would not expect to be exempted from that, but the security of its equipment has come under far closer scrutiny than any other telecoms equipment vendor.
It would therefore be embarrassing for the USA if allegations against Huawei in a number of countries are later found to have been based on security flaws inserted by the Americans, not the Chinese.
--
The two projects known to have targeted Huawei equipment are as follows:
HALLUXWATER
(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.
Once installed, the software communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.
The software provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls and also survives OS upgrades and automatic bootROM upgrades.
The router is reputedly used by O2, Vodafone and Deutsche Telekom, at the very least.
HEADWATER
HEADWATER is a Persistent Backdoor (PBD) software implant for selected Huawei routers. The implant will enable covert functions to be remotely executed within the router via an Internet connection.
The software implant can be transferred remotely over the Internet to the selected target router by Remote Operations Center (ROC) personnel. After the transfer process is complete, the backdoor will be installed in the router's boot ROM via an upgrade command. The backdoor will then be activated after a system reboot. Once activated, the NSA operators will be able to use DNT's HAMMERMILL Insertion Tool (HIT) to control the backdoor as it captures and examines all IP packets passing through the host router.
HEADWATER is claimed to be the cover term for the backdoor for Huawei routers and has been adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment.
According to the leaked documents, this exploit is ready for deployment. Whether it has been is unknown at this stage.
TURBOPANDA
Little is known about this project. At best, it is understood to be an Insertion Tool that allows read/write access to memory and execution of an address or packet; it is a joint NSA/CIA project on Huawei network equipment.
It could however be an overall name for all attacks on Huawei equipment as it is referenced by other attacks as being part of the TURBOPANDA project.
As such there are no specific products being targeted, other than those mentioned above.
Routers TCP 32764 Backdoor Vulnerability
Source: http://thehackernews.com/2014/04/router-manufacturers-secretly-added-tcp.html
At the beginning of this year, we reported about the secret backdoor ‘TCP 32764’ discovered in several routers, including Linksys, Netgear, Cisco and Diamond, that allowed an attacker to send commands to the vulnerable routers on TCP port 32764 from a command-line shell without being authenticated as the administrator.
The French reverse-engineer Eloi Vanderbeken, who discovered this backdoor, has found that although the flaw has been patched in the latest firmware release, SerComm has added the same backdoor again in another way.
To verify the released patch, he recently downloaded the patched firmware version 1.1.0.55 of the Netgear DGN1000 and unpacked it using the binwalk tool. He found that the file ‘scfgmgr’ which contains the backdoor is still present, with a new option “-l” that limits it to a local socket for interprocess communication (a Unix domain socket), i.e. only to processes running on the same device.
On further investigation, reverse engineering the binaries, he found another mysterious tool called ‘ft_tool’ with an “-f” option that can re-activate the TCP backdoor.
In his illustrated report (shown below), he explained that ‘ft_tool’ actually opens a raw socket that listens for incoming packets, and attackers on the local network can reactivate the backdoor on TCP port 32764 by sending packets matching the following conditions:
- The EtherType parameter should be equal to ‘0x8888’.
- The payload should contain the MD5 hash of the value DGN1000 (45d1bb339b07a6618b2114dbc0d7783e).
- The packet type should be 0x201.
So an attacker can reactivate the TCP 32764 backdoor in order to execute shell commands on vulnerable SerComm routers even after installing the patched version.
Now the question arises: why are router manufacturers adding intentional backdoors again and again? Maybe the reason is to be a helping hand for the U.S. intelligence agency, the NSA.
Currently there is no patch available for the newly discovered backdoor. If you want to check your wireless router for this backdoor, you can download the Proof-of-Concept (PoC) exploit released by the researcher from here, or follow the steps below manually:
- Use 'binwalk -e' to extract the file system.
- Search for 'ft_tool', or run grep -r 'scfgmgr -f'.
- Use IDA to confirm.
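As an added defensive example (not from the article and not the researcher's PoC), the following Python parses raw Ethernet frames and flags any that match the trigger shape described above: EtherType 0x8888 with the DGN1000 MD5 marker in the payload. The frame layout beyond the EtherType is not given on the page, so the check looks for the marker anywhere in the payload (raw or ASCII hex), and all sample frames are constructed.

```python
"""Flag Ethernet frames that look like the SerComm ft_tool reactivation trigger."""

# Values taken from the write-up above: EtherType 0x8888 and the MD5 of "DGN1000".
TRIGGER_ETHERTYPE = 0x8888
TRIGGER_MD5_HEX = "45d1bb339b07a6618b2114dbc0d7783e"
TRIGGER_MD5_RAW = bytes.fromhex(TRIGGER_MD5_HEX)

VLAN_TAG = 0x8100  # 802.1Q tagged frames carry the real EtherType 4 bytes later


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw Ethernet II frame into addresses, EtherType and payload.
    Understands one 802.1Q VLAN tag. Raises ValueError on truncated frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = int.from_bytes(frame[12:14], "big")
    offset, vlan = 14, None
    if ethertype == VLAN_TAG:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        vlan = int.from_bytes(frame[14:16], "big") & 0x0FFF
        ethertype = int.from_bytes(frame[16:18], "big")
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify_frame(frame: bytes) -> str:
    """Return "clean", "suspicious" (bare 0x8888 frame, an EtherType that has no
    business on a home LAN) or "trigger" (0x8888 frame whose payload carries the
    DGN1000 marker as raw bytes or as ASCII hex)."""
    hdr = parse_ethernet(frame)
    if hdr["ethertype"] != TRIGGER_ETHERTYPE:
        return "clean"
    payload = hdr["payload"]
    if TRIGGER_MD5_RAW in payload or TRIGGER_MD5_HEX.encode() in payload.lower():
        return "trigger"
    return "suspicious"


def scan_frames(frames) -> list:
    """Run classify_frame over an iterable of frames.
    Returns (index, verdict, source MAC) for every non-clean frame."""
    hits = []
    for i, frame in enumerate(frames):
        try:
            verdict = classify_frame(frame)
        except ValueError:
            continue  # too short to parse; a capture tool would log this separately
        if verdict != "clean":
            hits.append((i, verdict, parse_ethernet(frame)["src"]))
    return hits


def _frame(dst: str, src: str, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Build a constructed sample frame (hex MAC strings, optional VLAN id)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += VLAN_TAG.to_bytes(2, "big") + vlan.to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + payload


# Constructed sample traffic for the self-check; nothing here was captured from a device.
SAMPLE_FRAMES = [
    _frame("ffffffffffff", "00112233aabb", 0x0800, b"\x45\x00" + b"\x00" * 40),   # ordinary IPv4
    _frame("ffffffffffff", "00112233aabb", 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24),  # ARP
    _frame("ffffffffffff", "deadbeef0001", TRIGGER_ETHERTYPE, b"\x00\x00" + TRIGGER_MD5_RAW),  # marker, raw
    _frame("ffffffffffff", "deadbeef0002", TRIGGER_ETHERTYPE, TRIGGER_MD5_HEX.encode(), vlan=10),  # marker, hex, tagged
    _frame("ffffffffffff", "deadbeef0003", TRIGGER_ETHERTYPE, b"hello"),  # odd EtherType, no marker
    b"\x00" * 5,  # truncated junk
]

if __name__ == "__main__":
    for idx, verdict, src in scan_frames(SAMPLE_FRAMES):
        print(f"frame {idx}: {verdict} from {src}")
```

In practice the frames would come from a raw socket or a pcap reader on a monitoring host on the same LAN segment, since the trigger is a link-layer frame and never crosses a router.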
Generating Random Numbers Using Quantum Phenomena in a Digital Camera
Recently, researchers have used the quantum phenomenon of light to generate random numbers. What is interesting is that the device used here is quite simple: the digital camera of a Nokia N9 mobile phone.
At a glance, the working principle is simple:
An LED produces light, and this light is received by the light sensor in the camera. From the image captured by the sensor, random numbers are then computed. OK, maybe it is not that simple, so if you want to understand it better, read the article Quantum Random Number Generator Created Using A Smartphone Camera or, better still, the paper on arXiv: Quantum random number generation on a mobile phone
In general, random numbers can be generated using hardware or software. There are true random numbers and there are pseudo random numbers. True random numbers are generated from physical phenomena that produce a random signal, whereas pseudo random numbers are generated by software that produces a sequence of numbers that only appears random.
Random numbers are widely used in cryptography, so research on random number generation is very important.
References
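As an added illustration (not the paper's code or method), the following Python simulates photon shot noise on a camera sensor as Poisson-distributed pixel counts, measures the empirical min-entropy of the raw samples, and shows two ways of turning them into usable random bits: an LSB plus von Neumann whitening route, and a hash-based extraction that refuses to produce output when the frame does not carry enough entropy. The Poisson model, the 64x64 frame, the mean of 20 photons and the SHA-256 conditioner are all assumptions made here; the paper's extractor is different.

```python
"""Toy quantum-RNG post-processing: from simulated camera shot noise to random bytes."""
import hashlib
import math
import random
from collections import Counter


def poisson_sample(rng: random.Random, mean: float) -> int:
    """Draw one Poisson(mean) count using Knuth's multiplication method.
    Stands in for photon shot noise: a pixel under steady LED light registers
    a Poisson-distributed number of photons per exposure."""
    limit = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_frame(width: int, height: int, mean_photons: float, seed: int) -> list:
    """Constructed stand-in for a camera frame: one Poisson count per pixel.
    Assumption: pixels are independent and identically lit."""
    rng = random.Random(seed)
    return [poisson_sample(rng, mean_photons) for _ in range(width * height)]


def min_entropy_per_sample(samples: list) -> float:
    """Empirical min-entropy, H_min = -log2(p_max), in bits per sample."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def lsb_bits(samples: list, k: int = 1) -> list:
    """Keep the k least-significant bits of each sample (most significant of the k first)."""
    bits = []
    for s in samples:
        for i in range(k - 1, -1, -1):
            bits.append((s >> i) & 1)
    return bits


def von_neumann(bits: list) -> list:
    """Debias a bit stream: pair 01 -> 0, pair 10 -> 1, pairs 00 and 11 are dropped."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def pack_bits(bits: list) -> bytes:
    """Pack a 0/1 list into bytes, MSB first; a partial trailing byte is zero-padded."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        value = 0
        for b in chunk + [0] * (8 - len(chunk)):
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def whiten_lsb(samples: list) -> bytes:
    """Simple route: take each pixel's LSB, von Neumann debias, pack into bytes."""
    return pack_bits(von_neumann(lsb_bits(samples, k=1)))


def extract_random_bytes(samples: list, out_bytes: int = 32, margin: float = 2.0) -> bytes:
    """Hash route: refuse unless the raw frame carries at least margin * 8 * out_bytes bits
    of empirical min-entropy, then compress with SHA-256. SHA-256 is only a convenient
    conditioner here, not a proven extractor; the paper's construction differs."""
    if not 0 < out_bytes <= 32:
        raise ValueError("out_bytes must be in 1..32 for a single SHA-256 digest")
    total = min_entropy_per_sample(samples) * len(samples)
    needed = margin * 8 * out_bytes
    if total < needed:
        raise ValueError(f"insufficient entropy: {total:.0f} < {needed:.0f} bits")
    raw = b"".join(s.to_bytes(2, "big") for s in samples)
    return hashlib.sha256(raw).digest()[:out_bytes]


if __name__ == "__main__":
    frame = simulate_frame(64, 64, mean_photons=20.0, seed=1)
    print(f"H_min per pixel: {min_entropy_per_sample(frame):.2f} bits")
    print("whitened LSB bytes:", len(whiten_lsb(frame)))
    print("extracted key:", extract_random_bytes(frame).hex())
```

The entropy check is the part worth keeping in a real design: a sensor with the lens cap on or the LED off still produces pixel values, and without the check the extractor would happily hash a near-constant frame into a key that looks random but is not.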
- Quantum Random Number Generator Created Using A Smartphone Camera
- https://en.wikipedia.org/wiki/Pseudorandom_number_generator
- https://en.wikipedia.org/wiki/Hardware_random_number_generator
TrueCrypt retired or hacked?
The TrueCrypt website today advises TrueCrypt users to move to BitLocker on Windows. Somewhat strange. This has become a lively discussion on Hacker News.
Screenshot:
References:
- http://truecrypt.sourceforge.net/
- http://i.imgur.com/rmuogzH.jpg
REVEALED: GCHQ's BEYOND TOP SECRET Middle Eastern INTERNET SPY BASE
Exclusive: Above-top-secret details of Britain’s covert surveillance programme - including the location of a clandestine British base tapping undersea cables in the Middle East - have so far remained secret, despite being leaked by fugitive NSA sysadmin Edward Snowden. Government pressure has meant that some media organisations, despite being in possession of these facts, have declined to reveal them. Today, however, the Register publishes them in full.
The secret British spy base is part of a programme codenamed “CIRCUIT” and also referred to as Overseas Processing Centre 1 (OPC-1). It is located at Seeb, on the northern coast of Oman, where it taps in to various undersea cables passing through the Strait of Hormuz into the Persian/Arabian Gulf. Seeb is one of a three site GCHQ network in Oman, at locations codenamed “TIMPANI”, “GUITAR” and “CLARINET”. TIMPANI, near the Strait of Hormuz, can monitor Iraqi communications. CLARINET, in the south of Oman, is strategically close to Yemen.
British national telco BT, referred to within GCHQ and the American NSA under the ultra-classified codename “REMEDY”, and Vodafone Cable (which owns the former Cable & Wireless company, aka “GERONTIC”) are the two top earners of secret GCHQ payments running into tens of millions of pounds annually.
The actual locations of such codenamed “access points” into the worldwide cable backbone are classified 3 levels above Top Secret and labelled “Strap 3”. The true identities of the companies hidden behind codenames such as “REMEDY”, “GERONTIC”, “STREETCAR” or “PINNAGE” are classified one level below this, at “Strap 2”.
After these details were withheld, the government opted not to move against the Guardian newspaper last year for publishing above-top-secret information at the lower level designated “Strap 1”. This included details of the billion-pound interception storage system, Project TEMPORA, which were revealed in 2013 and which have triggered Parliamentary enquiries in Britain and Europe, and cases at the European Court of Human Rights. The Guardian was forced to destroy hard drives of leaked information to prevent political embarrassment over extensive commercial arrangements with these and other telecommunications companies who have secretly agreed to tap their own and their customers’ or partners’ overseas cables for the intelligence agency GCHQ. Intelligence chiefs also wished to conceal the identities of countries helping GCHQ and its US partner the NSA by sharing information or providing facilities.
According to documents revealed by Edward Snowden to journalists including Glenn Greenwald among others, the intelligence agency annually pays selected companies tens of millions of pounds to run secret teams which install hidden connections which copy customers' data and messages to the spooks’ processing centres. The GCHQ-contracted companies also install optical fibre taps or “probes” into equipment belonging to other companies without their knowledge or consent. Within GCHQ, each company has a special section called a “Sensitive Relationship Team” or SRT.
BT and Vodafone/C&W also operate extensive long distance optical fibre communications networks throughout the UK, installed and paid for by GCHQ, NSA, or by a third and little known UK intelligence support organization called the National Technical Assistance Centre (NTAC).
Snowden’s leaks reveal that every time GCHQ wanted to tap a new international optical fibre cable, engineers from “REMEDY” (BT) would usually be called in to plan where the taps or “probe” would physically be connected to incoming optical fibre cables, and to agree how much BT should be paid. The spooks' secret UK access network feeds Internet data from more than 18 submarine cables coming into different parts of Britain either direct to GCHQ in Cheltenham or to its remote processing station at Bude in Cornwall.
Among the cables specifically identified in one document as currently being intercepted or “on cover” are an Irish connection, Hibernia Atlantic, landing in Southport, and three European connections landing at Yarmouth, Dover, and Brighton.
Although GCHQ interception of overseas communications can be authorised by a general “external” tapping warrant, the wording of the law does not permit storage of every communication for examination, as GCHQ wished to do. In 2009, the spooks persuaded then Foreign Secretary David Miliband to sign a new warrant legalising what they wished to do. The terms of such warrants have never been published.
The special “external” warrants, issued under the Regulation of Investigatory Powers Act (RIPA), authorise the interception of all communications on specified international links. Miliband’s first 2009 warrant for TEMPORA authorised GCHQ to collect information about the “political intentions of foreign powers”, terrorism, proliferation, mercenaries and private military companies, and serious financial fraud.
Certificates attached to external interception warrants are re-issued every six months, and can be changed by ministers at will. GCHQ officials are then free to target anyone who is overseas or communicating from overseas without further checks or controls, if they think they fall within the terms of a current certificate.
The secret overseas internet monitoring centre, codenamed CIRCUIT, is at Seeb in the state of Oman. It is the latest of a series of secret collaborations with the autocratic Middle Eastern state, which has been ruled for 44 years by Sultan Qaboos bin Said, installed as head of state in a British-led and SAS-supported coup against his father. The Seeb centre was originally built in collaboration with the Omani government to monitor civil communications satellites orbiting above the Middle East. It has six large satellite dishes, forming part of the well-known and long running “ECHELON” intercept system run by the “Five Eyes” English-speaking (US/UK/Australia/Canada/New Zealand) intelligence agencies.
When GCHQ obtained government approval in 2009 to go ahead with its “Mastering the Internet” project, the Seeb base became the first of its global network of Internet tapping locations. Another centre, OPC-2, has been planned, according to documents leaked by Snowden.
The CIRCUIT installation at Seeb is regarded as particularly valuable by the British and Americans because it has direct access to nine submarine cables passing through the Gulf and entering the Red Sea. All of the messages and data passed back and forth on the cables is copied into giant computer storage “buffers”, and then sifted for data of special interest.
Information about Project TEMPORA and the Seeb facility was contained in 58,000 GCHQ documents which Snowden downloaded during 2012. Many of them came from an internal Wikipedia style information site called GC-Wiki. GCHQ feared the political consequences of revelations about its spying partners other than the United States and English speaking nations, according to knowledgeable sources.
Although information about the monitoring station at Seeb in its older ECHELON role has been available on the public Internet for several years, Cabinet Secretary Sir Jeremy Heywood was determined to prevent its new importance and cost becoming known.
It was this which lay behind the British government’s successful-until-today efforts to silence the Guardian and the rest of the media on the ultra-classified, beyond Top Secret specifics of Project TEMPORA - the places and names behind the codewords CIRCUIT, TIMPANI, CLARINET, REMEDY and GERONTIC.
Source: http://www.theregister.co.uk/2014/06/03/revealed_beyond_top_secret_british_intelligence_middleeast_internet_spy_base/
Sending anything via a cable that lands in Britain? Or a country where the current ruler was put in by the SAS, maybe?
The majority of large cables come ashore in Cornwall, and have been connected directly to Bude. These include major connections such as FLAG (Fibre optic Link Around the Globe), two of whose cables have been intercepted. Because the FLAG interceptions had to be kept secret from the cables’ owners, one report states, the tapping connections were installed in an undisclosed UK location and “backhauled” to Bude, in the technical language of the communications industry.
Report: Chinese phone comes preloaded with spyware
BERLIN (AP) — A cheap brand of Chinese-made smartphones carried by major online retailers comes preinstalled with espionage software, a German security firm said Tuesday.
G Data Software said it found malicious code hidden deep in the proprietary software of the Star N9500 when it ordered the handset from a website late last month. The find is the latest in a series of incidents in which smartphones have appeared preloaded with malicious software.
G Data spokesman Thorsten Urbanski said his firm bought the phone after getting complaints about it from several customers. He said his team spent more than a week trying to trace the handset's maker without success.
"The manufacturer is not mentioned," he said. "Not in the phone, not in the documentation, nothing else."
The Associated Press found the phone for sale on several major retail websites, offered by an array of companies listed in Shenzhen, in southern China. It could not immediately find a reference to the phone's manufacturer.
G Data said the spyware it found on the N9500 could allow a hacker to steal personal data, place rogue calls, or turn on the phone's camera and microphone. G Data said the stolen information was sent to a server in China.
Bjoern Rupp, chief executive of the Berlin-based mobile security consultancy firm GSMK, said such cases are more common than people think. Last fall, German cellphone service provider E-Plus found malicious software on some handsets delivered to customers of its Base brand.
"We have to assume that such incidents will increasingly occur, for different commercial and other reasons," said Rupp.
Source: http://finance.yahoo.com/news/report-chinese-phone-comes-preloaded-spyware-153543708--finance.html
BMC Vulnerability Exposes Admin Password of 32,000 Servers in Plaintext on the Internet
The vulnerability actually resides in the Baseboard Management Controller (BMC) in the WPCM450 line of chips incorporated into the motherboards.
A security researcher at the CARInet Security Incident Response Team discovered that the Baseboard Management Controller (BMC) of Supermicro motherboards contains a binary file that stores remote login passwords in clear text, and that the file is available for download simply by connecting to a specific port, 49152.
The Baseboard Management Controller (BMC) is the central part of the microcontroller that resides on a server motherboard or in the chassis of a blade server or telecom platform. The BMC links to the main processor and other onboard elements via a simple serial bus.
Baseboard management controllers are part of the Intelligent Platform Management Interface (IPMI) protocol, which defines the communication protocols; a server administrator can access the BMC by using an IPMI-compliant management application loaded on a computer or via a web interface on port 49152.
In order to compromise vulnerable servers, an attacker can scan the Internet on port 49152 to identify exploitable servers and download the remote login passwords, which are stored in clear text in a binary file at the location “GET /PSBlock” on the motherboard.
When an Internet scan was recently performed on Shodan, a specialized search engine for finding embedded systems, approximately 31,964 machines were found still vulnerable, a count that doesn't include the vulnerable systems installed in virtual environments used by shared hosting services.
"This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market," wrote Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team.
An analysis of the passwords available for download also indicates that thousands of the passwords are easily guessable or are the default ones.
"It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination. Since I'm not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was 'password.'"
He also found that a lot of systems are running older versions of the Linux kernel. According to the Shodan search, approximately 23,380 of the total hosts are running the 2.4.31.x kernel, another 112,883 are running the 2.4.30.x kernel, and 710,046 systems are running the 2.4.19.x kernel.
The 84 vulnerable firmware versions are listed in the original report, and server administrators are advised to apply the available patches from vendors. To apply a patch, you need to flash the device with the new firmware update. As a quick, temporary fix, administrators can disable all Universal Plug and Play processes and their child processes over a secure shell connection to the vulnerable device.
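A defender's counterpart to the scan described above, as an added example that is not part of the original report or of CARInet's work: a small Python checker that runs over HTTP sensor or proxy log lines and flags two things, any successful request for /PSBlock on port 49152 that did not come from the management subnet, and any BMC that untrusted addresses reached on that port at all (a BMC web interface reachable from outside the management network should not have been Internet-facing in the first place). The log format, the sample lines and the 10.20.0.0/24 management subnet are constructed for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simple "timestamp src dst:port method path status"
# format from a hypothetical perimeter HTTP sensor; not real traffic.
SAMPLE_LOG = """\
2014-06-20T10:01:02Z 10.20.0.15 10.20.1.7:49152 GET / 200
2014-06-20T10:01:05Z 198.51.100.23 10.20.1.7:49152 GET /PSBlock 200
2014-06-20T10:01:06Z 198.51.100.23 10.20.1.8:49152 GET /PSBlock 200
2014-06-20T10:02:40Z 203.0.113.9 10.20.1.9:443 GET /login 200
2014-06-20T10:03:11Z 10.20.0.15 10.20.1.8:49152 GET /PSBlock 200
"""

MGMT_NET = ip_network("10.20.0.0/24")   # assumed trusted admin subnet (constructed)
BMC_PORT = 49152                        # BMC web interface port from the report
LEAK_PATH = "/PSBlock"                  # path of the clear-text password blob

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one sensor line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def find_psblock_probes(log_text, mgmt_net=MGMT_NET):
    """Return (alerts, exposed).

    alerts:  list of (timestamp, src, dst) for successful /PSBlock fetches
             from outside the management subnet (credential leak in progress).
    exposed: dict dst -> sorted list of untrusted sources that reached the
             BMC port at all (the BMC is reachable from where it should not be).
    """
    alerts = []
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != BMC_PORT:
            continue
        trusted = ip_address(rec["src"]) in mgmt_net
        if not trusted:
            exposed[rec["dst"]].add(rec["src"])
        if rec["path"] == LEAK_PATH and rec["status"] == 200 and not trusted:
            alerts.append((rec["ts"], rec["src"], rec["dst"]))
    return alerts, {dst: sorted(srcs) for dst, srcs in exposed.items()}


if __name__ == "__main__":
    alerts, exposed = find_psblock_probes(SAMPLE_LOG)
    for ts, src, dst in alerts:
        print(f"ALERT {ts}: {src} fetched {LEAK_PATH} from BMC {dst}")
    for dst, srcs in exposed.items():
        print(f"EXPOSED BMC {dst} reached on {BMC_PORT} by {', '.join(srcs)}")
```

Any host in the `exposed` dict is a candidate for the firmware flash or the temporary UPnP workaround described above, regardless of whether a /PSBlock fetch has been seen yet; the `alerts` list is the list of BMCs whose credentials should be treated as already compromised and rotated.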
Dragonfly: Western Energy Companies Under Sabotage Threat
http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat
An ongoing cyberespionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.
Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors. Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.
This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems. While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required.
In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations. The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers.
Prior to publication, Symantec notified affected victims and relevant national authorities, such as Computer Emergency Response Centers (CERTs) that handle and respond to Internet security incidents.
Background
The Dragonfly group, which is also known by other vendors as Energetic Bear, appears to have been in operation since at least 2011 and may have been active even longer than that. Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.
The campaign against the European and American energy sector quickly expanded in scope. The group initially began sending malware in phishing emails to personnel in target firms. Later, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in energy in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.
Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.
Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.
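The timestamp analysis described in the paragraph above can be reproduced on your own samples. The following Python block is an added example, not Symantec's code or data: given a list of PE compilation timestamps in UTC (the list here is constructed so that most of it falls into a 9-to-6 weekday pattern at UTC+4), it counts how many samples land in a Monday-to-Friday 09:00-18:00 window for each candidate UTC offset and reports the best-fitting offset. One caveat an analyst keeps in mind: compile timestamps are attacker-controlled and can be zeroed or forged, so the result is corroborating evidence, not proof of location.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18   # the nine-hour 09:00-18:00 local window from the text

# Constructed sample of PE compilation timestamps (UTC); not real Dragonfly data.
# Twelve fall on weekdays between 09:00 and 18:00 at UTC+4; two deliberately do not.
SAMPLE_TIMESTAMPS = [
    "2013-03-04 05:12:00", "2013-03-04 07:45:00", "2013-03-05 06:30:00",
    "2013-03-06 09:05:00", "2013-03-06 12:40:00", "2013-03-07 05:58:00",
    "2013-03-08 10:15:00", "2013-03-11 08:20:00", "2013-03-12 11:02:00",
    "2013-03-13 13:50:00", "2013-03-14 06:44:00", "2013-03-15 07:10:00",
    "2013-03-09 10:00:00",  # Saturday: outside the working pattern in any zone
    "2013-03-19 22:30:00",  # late night UTC: 02:30 Wednesday at UTC+4
]


def parse_utc(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def in_working_hours(ts_utc, offset_hours):
    """True if the sample falls on Mon-Fri between WORK_START and WORK_END
    after shifting into the zone UTC+offset_hours."""
    local = ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hour_fit(timestamps, offsets=range(-12, 15)):
    """For each candidate UTC offset, count how many samples land in the
    working-hours window. Returns {offset: count}."""
    stamps = [parse_utc(s) for s in timestamps]
    return {off: sum(in_working_hours(t, off) for t in stamps) for off in offsets}


def best_offset(timestamps):
    """Offset whose window captures the most samples (ties go to the offset
    closest to UTC)."""
    fit = working_hour_fit(timestamps)
    return max(fit, key=lambda off: (fit[off], -abs(off)))


def weekday_hour_histogram(timestamps, offset_hours):
    """Counter of (weekday, hour) in the chosen zone, Monday == 0, for eyeballing
    the activity pattern the way the text describes."""
    tz = timezone(timedelta(hours=offset_hours))
    locals_ = [parse_utc(s).astimezone(tz) for s in timestamps]
    return Counter((t.weekday(), t.hour) for t in locals_)


if __name__ == "__main__":
    off = best_offset(SAMPLE_TIMESTAMPS)
    fit = working_hour_fit(SAMPLE_TIMESTAMPS)
    print(f"best-fitting zone: UTC{off:+d} ({fit[off]}/{len(SAMPLE_TIMESTAMPS)} in window)")
    for (wd, hr), n in sorted(weekday_hour_histogram(SAMPLE_TIMESTAMPS, off).items()):
        print(f"  weekday {wd} hour {hr:02d}: {'#' * n}")
```

With real data the fit curve is usually flat-topped over two or three adjacent offsets, because a nine-hour window is wide relative to the one-hour steps; the text's UTC+4 conclusion is the kind of peak this search surfaces, and daylight-saving shifts within the sample period are one reason to inspect the histogram rather than trust the single best offset.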
Figure. Top 10 countries by active infections (where attackers stole information from infected computers)
Tools employed
Dragonfly uses two main pieces of malware in its attacks. Both are remote access tool (RAT) type malware which provide the attackers with access and control of compromised computers. Dragonfly’s favored malware tool is Backdoor.Oldrea, which is also known as Havex or the Energetic Bear RAT. Oldrea acts as a back door for the attackers onto the victim’s computer, allowing them to extract data and install further malware.
Oldrea appears to be custom malware, either written by the group itself or created for it. This provides some indication of the capabilities and resources behind the Dragonfly group.
Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, installed programs, and the roots of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers.
The majority of C&C servers appear to be hosted on compromised servers running content management systems, indicating that the attackers may have used the same exploit to gain control of each server. Oldrea has a basic control panel which allows an authenticated user to download a compressed version of the stolen data for each particular victim.
The second main tool used by Dragonfly is Trojan.Karagany. Unlike Oldrea, Karagany was available on the underground market. The source code for version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code and modified it for its own use. This version is detected by Symantec as Trojan.Karagany!gen1.
Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloging documents on infected computers.
Symantec found that the majority of computers compromised by the attackers were infected with Oldrea. Karagany was only used in around 5 percent of infections. The two pieces of malware are similar in functionality and what prompts the attackers to choose one tool over another remains unknown.
Multiple attack vectors
The Dragonfly group has used at least three infection tactics against targets in the energy sector. The earliest method was an email campaign, which saw selected executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one of two subject lines: “The account” or “Settlement of delivery problem”. All of the emails were from a single Gmail address.
The spam campaign began in February 2013 and continued into June 2013. Symantec identified seven different organizations targeted in this campaign. The number of emails sent to each organization ranged from one to 84.
The attackers then shifted their focus to watering hole attacks, compromising a number of energy-related websites and injecting an iframe into each which redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. Lightsout exploits either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities.
In September 2013, Dragonfly began using a new version of this exploit kit, known as the Hello exploit kit. The landing page for this kit contains JavaScript which fingerprints the system, identifying installed browser plugins. The victim is then redirected to a URL which in turn determines the best exploit to use based on the information collected.
Trojanized software
The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.
The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.
The second company to be compromised was a European manufacturer of specialist PLC type devices. In this instance, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July 2013.
The third firm attacked was a European company which develops systems to manage wind turbines, biogas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.
The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies.
Protection
Symantec has the following detections in place that will protect customers running up to date versions of our products from the malware used in these attacks:
Antivirus detections
Intrusion Prevention Signatures
For further technical details on the Dragonfly attacks, please read our whitepaper.
Free eBook: Stopping Zero Day Exploits for Dummies
Zero-day malware attacks and advanced persistent threats (APTs) are growing, serious threats to organizations. Cybercriminal organizations seem to be more motivated (and more skilled) every day. Malware’s advanced evasion techniques are making detection solutions ineffective for preventing infections. Advanced information-stealing malware utilizes ever-advancing techniques for exploiting application vulnerabilities, infecting targeted endpoints, and stealing information.
Most security experts today agree that threat detection is no longer the answer. Traditional detection systems are declining in effectiveness. Anti-malware programs block only a minority of malware. Despite improvements in endpoint deployment tools and patch management processes, most organizations still take weeks or longer to deploy critical security patches. And cybercriminals continually develop new methods for bypassing detection rules.
This book discusses zero-day exploits and additional threats that are used to compromise enterprise endpoints and enable APTs and targeted attacks. It describes a promising new technology called Stateful Application Control, which provides effective yet transparent protection to enterprise endpoints.
Source: http://securityintelligence.com/media/free-download-stop-zero-day-exploits-for-dummies/
Cyber Attacks By Mikko Hypponen
https://www.bbvaopenmind.com/en/article/cyber-attacks/?fullscreen=true
In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders.
Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers. Most of them are written by professional criminals who are making millions with their attacks. These criminals want access to your computer, your PayPal passwords, and your credit card numbers.
I spend a big part of my life on the road, and I’ve visited many of the locations that are considered to be hotspots of online criminal activity. I’ve been to Moscow, São Paulo, Tartu, Vilnius, St. Petersburg, Beijing, and Bucharest.
I’ve met the underground and I’ve met the cops. And I’ve learned that things are never as simple as they seem from the surface. One would think that the epicenter for banking attacks, for example, would prioritize fighting them, right?
Right, but dig deeper and complications emerge. A good example is a discussion I had with a cybercrime investigator in Brazil. We spoke about the problems in Brazil and how São Paulo has become one of the largest sources of banking trojans in the world.
The investigator looked at me and said, “Yes. I understand that. But what you need to understand is that São Paulo is also one of the murder capitals of the world. People are regularly gunned down on the streets. So where exactly should we put our resources? To fight cybercrime? Or to fight crimes where people die?”
It’s all a matter of balancing. When you balance the damage done by cybercrime and compare it to a loss of life, it’s pretty obvious what’s more important.
National police forces and legal systems are finding it extremely difficult to keep up with the rapid growth of online crime. They have limited resources and expertise to investigate online criminal activity. The victims, police, prosecutors, and judges rarely uncover the full scope of the crimes that often take place across international boundaries. Action against the criminals is too slow, the arrests are few and far between, and too often the penalties are very light, especially compared with those attached to real-world crimes.
Because of the low prioritization for prosecuting cybercriminals and the delays in launching effective cybercrime penalties, we are thereby sending the wrong message to the criminals and that’s why online crime is growing so fast. Right now would-be online criminals can see that the likelihood of their getting caught and punished is vanishingly small, yet the profits are great.
The reality for those in positions like the São Paulo investigator is that they must balance both fiscal constraints and resource limitations. They simply cannot, organizationally, respond to every type of threat. If we are to keep up with the cybercriminals, the key is cooperation. The good news is that the computer security industry is quite unique in the way direct competitors help each other.
No wonder, then, that worms and viruses were rampant in 2003. In fact, we saw some of the worst outbreaks in history in 2003: Slammer, Sasser, Blaster, Mydoom, Sobig, and so on. They went on to do some spectacular damage. Slammer infected a nuclear power plant in Ohio and shut down Bank of America’s ATM systems. Blaster stopped trains in their tracks outside Washington, D.C., and shut down Air Canada check-in systems at Canadian airports. Sasser thoroughly infected several hospitals in Europe.
The problems with Windows security were so bad that Microsoft had to do something. And they did. In hindsight, they did a spectacular turnaround in their security processes. They started Trustworthy Computing. They stopped all new development for a while to go back and find and fix old vulnerabilities. Today, the difference in the default security level of 64-bit Windows 8 is so much ahead of Windows XP you can’t even compare them.
We’ve seen other companies do similar turnarounds. When the Microsoft ship started to become tighter and harder to attack, the attackers started looking for easier targets. One favorite was Adobe Reader and Adobe Flash. For several years, one vulnerability after another was found in Adobe products, and most users were running badly outdated products as updating wasn’t straightforward. Eventually Adobe got their act together. Today, the security level of, say, Adobe Reader, is so much ahead of older readers you can’t even compare them.
The battle at hand right now is with Java and Oracle. It seems that Oracle hasn’t gotten its act together yet. And maybe it doesn’t even have to: users are voting with their feet and Java is already disappearing from the web.
The overall security level of end-user systems is now better than ever before. The last decade has brought us great improvements. Unfortunately, the last decade has also completely changed who we’re fighting.
In 2003, all the malware was still being written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also hacktivists and governments. Criminals and especially governments can afford to invest in their attacks. As an end result, we’re still not safe with our computers, even with all the great improvements.
But at least we don’t see flights grounded and trains stopped by malware every other week, like we did in 2003.
Since Bitcoin is not linked to any existing currency, its value is purely based on the value people believe it’s worth. And since it can be used to do instant transactions globally, it does have value. Sending Bitcoins around is very much like sending e-mail. If I have your address, I can send you money. I can send it to you instantly, anywhere, bypassing exchanges, banks, and the tax man. In fact, crypto currencies make banks unnecessary for moving money around—which is why banks hate the whole idea.
The beauty of the algorithm behind Bitcoin is that it solves two main problems of crypto currencies by joining them together: how do you confirm transactions, and how do you inject new units of currency into the system without causing inflation? Since there is no central bank in the system, the transactions need to be confirmed somehow—otherwise one could fabricate fake money. In Bitcoin, the confirmations are done by other members of the peer-to-peer network. At least six members of the peer-to-peer network have to confirm the transactions before they go through. But why would anybody confirm transactions for others? Because they get rewarded for it: the algorithm issues new Bitcoins as a reward to users who have been participating in confirmations. This is called mining.
When Bitcoin was young, mining was easy and you could easily make dozens of Bitcoins on a home computer. However, as Bitcoin’s value grew, mining became harder since more people were interested in doing it. Even though the dollar-to-BTC exchange rate has fluctuated, the fact remains that at the beginning of 2013 the exchange rate was $8 for one Bitcoin, and by the fall it was $130. So Bitcoins now have very real, real-world value.
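The confirmation-and-reward mechanism described above, as an added example in Python (not Bitcoin’s own code and not the author’s): a toy proof-of-work chain in which mining is a search for a nonce whose header hash falls below a target, a transaction’s confirmations are the blocks mined on top of it, and the difficulty is retargeted upward when blocks start arriving too fast because more miners have joined. The block reward, the sample transactions and the header layout are constructed simplifications.

```python
# Toy proof-of-work chain: mining, confirmation depth and difficulty retargeting.
# Added illustration, not Bitcoin's real code; header layout, reward and txs are simplified.
import hashlib
import json
from math import log2

GENESIS_PREV = "00" * 32   # previous-hash field of the first block
BLOCK_REWARD = 50          # new coins issued to the miner (constructed value)

def sha256d(data: bytes) -> str:
    """Bitcoin-style double SHA-256, as a hex string."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def txid(tx: dict) -> str:
    """Transaction id: hash of the canonical JSON encoding."""
    return sha256d(json.dumps(tx, sort_keys=True).encode())

def merkle_root(txs: list) -> str:
    """Merkle root over transaction ids; an odd leaf is paired with itself."""
    layer = [txid(tx) for tx in txs]
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [sha256d(bytes.fromhex(a + b)) for a, b in zip(layer[0::2], layer[1::2])]
    return layer[0]

def header_hash(prev_hash: str, root: str, bits: int, nonce: int) -> str:
    return sha256d(f"{prev_hash}|{root}|{bits}|{nonce}".encode())

def meets_target(block_hash: str, bits: int) -> bool:
    """Proof of work: hash below 2^(256-bits), i.e. `bits` leading zero bits.
    Every extra bit doubles the expected number of attempts."""
    return int(block_hash, 16) < (1 << (256 - bits))

def mine(prev_hash: str, txs: list, bits: int, max_nonce: int = 1 << 32):
    """Search nonces until the header hash meets the target; returns (block, attempts)."""
    root = merkle_root(txs)
    for nonce in range(max_nonce):
        h = header_hash(prev_hash, root, bits, nonce)
        if meets_target(h, bits):
            return {"prev": prev_hash, "root": root, "bits": bits,
                    "nonce": nonce, "hash": h, "txs": txs}, nonce + 1
    raise RuntimeError("nonce space exhausted; lower bits or raise max_nonce")

def build_chain(n_blocks: int, bits: int, miner: str = "miner", extra_txs: dict = None) -> list:
    """Mine n_blocks in sequence; each carries a coinbase (reward) tx plus any
    extra_txs[height] that users have submitted."""
    chain, prev = [], GENESIS_PREV
    for height in range(n_blocks):
        txs = [{"type": "coinbase", "to": miner, "amount": BLOCK_REWARD, "height": height}]
        txs.extend((extra_txs or {}).get(height, []))
        block, _ = mine(prev, txs, bits)
        chain.append(block)
        prev = block["hash"]
    return chain

def verify_chain(chain: list) -> bool:
    """Re-check every link and proof. Tampering with a tx changes the merkle
    root, so the block (and every block after it) would have to be re-mined."""
    prev = GENESIS_PREV
    for block in chain:
        root = merkle_root(block["txs"])
        h = header_hash(block["prev"], root, block["bits"], block["nonce"])
        if block["prev"] != prev or root != block["root"] or h != block["hash"]:
            return False
        if not meets_target(h, block["bits"]):
            return False
        prev = h
    return True

def confirmations(chain: list, wanted: str) -> int:
    """Blocks from the one holding the tx up to the tip, inclusive; 0 if absent.
    Six is the customary depth at which a payment is treated as final."""
    for height, block in enumerate(chain):
        if any(txid(tx) == wanted for tx in block["txs"]):
            return len(chain) - height
    return 0

def retarget(bits: int, actual_seconds: float, target_seconds: float, max_step: int = 4) -> int:
    """Difficulty adjustment: more miners make blocks arrive faster than the
    target interval, so raise the bits (and vice versa), clamped per adjustment."""
    step = int(round(log2(target_seconds / actual_seconds)))
    return max(1, bits + max(-max_step, min(max_step, step)))

if __name__ == "__main__":
    payment = {"type": "pay", "from": "alice", "to": "bob", "amount": 3}
    chain = build_chain(7, bits=12, extra_txs={0: [payment]})
    print("valid:", verify_chain(chain), "confirmations:", confirmations(chain, txid(payment)))
    print("retarget when blocks arrive 4x too fast:", retarget(12, 150, 600))
```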
When Bitcoins became valuable, people were more and more interested in Satoshi Nakamoto. He gave a few e-mail interviews, but eventually stopped correspondence altogether. Then he disappeared. When people went looking for him, they realized Satoshi Nakamoto didn’t exist. Even today, nobody knows who invented Bitcoin. Indeed, Bitcoin fans have been spotted wearing T-shirts saying “Satoshi Nakamoto Died for Our Sins.”
Today, there are massive networks of computers mining Bitcoins and other competing crypto currencies (such as Litecoin). The basic idea behind mining is easy enough: if you have powerful computers, you can make money. Unfortunately, those computers don’t have to be your own computers. Some of the largest botnets run by online criminals today are monetized by mining. So, you’d have an infected home computer of a grandmother in, say, Barcelona, running Windows XP at 100 percent utilization around the clock as it is mining coins worth tens of thousands of dollars a day for a Russian cybercrime gang. It’s easy to see that such mining botnets will become very popular for online criminals in the future.
Even more importantly, such an attack does not require a user at the computer in order to make money. Most traditional botnet monetization mechanisms required a user’s presence. For example, credit card keyloggers needed a user at the keyboard to type in his payment details, or ransom trojans needed a user to pay a ransom in order to regain access to his computer or his data. Mining botnets just need processing power and a network connection.
Some of the upcoming crypto currencies do not need high-end GPUs to do the mining: a regular CPU will do. When you combine that with the fact that home automation and embedded devices are becoming more and more common, we can make an interesting forecast: there will be botnets built out of embedded devices that make money by mining. Think botnets of infected printers or set-top boxes or microwave ovens. Or toasters.
Whether it makes sense or not, toasters with embedded computers and Internet connectivity will be reality one day. Before crypto currencies existed, it would have been hard to come up with a sensible reason for why anybody would want to write malware to infect toasters. However, mining botnets of thousands of infected toasters could actually make enough money to justify such an operation. Sooner or later, this will happen.
Who spends money on spying? Companies and countries do. When companies do it, it’s called industrial espionage. When countries do it, it’s just espionage.
In the most typical case, the attack is made through e-mail to a few carefully selected people or even a single person in the organization. The target receives what seems like an ordinary e-mail with an attached document, often from a familiar person. In reality, the whole message is a forgery. The e-mail sender’s details are forged and the seemingly harmless attached document contains the attack code. If the recipient does not realize the e-mail is a forgery, the whole case will probably go unnoticed, forever.
Program files like Windows EXE files do not get through firewalls and filters, so the attackers commonly use PDF, DOC, XLS, and PPT document files as the attachment. These are also more likely to be viewed as safe documents by the recipient. In their standard form these file types do not contain executable code, so the attackers use vulnerabilities in applications like Adobe Reader and Microsoft Word to infect the computer when the booby-trapped documents are opened.
The structure of these attack files has been deliberately broken so that it crashes the office application in use when opened, while simultaneously executing the binary code inside the document. This code usually creates two new files on the hard disk and executes them. The first is a clean document that opens up on the user’s monitor and distracts the user from the crash.
The second new file is a backdoor program that starts immediately and hides itself in the system, often using rootkit techniques. It establishes a connection from the infected computer to a specific network address, anywhere in the world. With the help of the backdoor the attacker gains access to all the information on the target computer, as well as the information in the local network that the targeted person has access to.
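A defender’s view of the attack just described, as an added Python example (not code from the author or from any product): a mail-gateway triage that checks the forged-sender pattern (envelope sender and Reply-To against the From domain) and looks inside document attachments for the kind of active content booby-trapped files rely on to run code when opened. The domains, file names and the two sample messages are constructed.

```python
# Mail-gateway triage for the spear-phishing pattern described above:
# forged sender details plus a document attachment carrying active content.
# Added illustration, not a product's code; domains, names and the sample
# messages below are constructed.
import re
from email.message import EmailMessage
from email.utils import parseaddr

DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx", ".rtf"}
# PDF name objects that let a document act on open or run script.
RISKY_PDF_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container

def _domain(addr) -> str:
    """Lower-cased domain of a header value such as 'Name <user@host>'."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def normalize_pdf_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript) so a
    trivially obfuscated name still matches."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inspect_attachment(filename, data: bytes) -> list:
    """Return human-readable findings for one attachment."""
    findings = []
    name = (filename or "").lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext not in DOCUMENT_EXTS:
        # Executables (and double extensions like report.pdf.exe) are stopped here.
        findings.append(f"{name or '<unnamed>'}: not an allowed document type")
        return findings
    if ext == ".pdf":
        if not data.startswith(b"%PDF-"):
            findings.append(f"{name}: .pdf extension but no PDF header")
        text = normalize_pdf_names(data)
        hits = [n.decode() for n in RISKY_PDF_NAMES
                if re.search(re.escape(n) + rb"(?![A-Za-z])", text)]
        if hits:
            findings.append(f"{name}: active PDF content " + ", ".join(hits))
    elif ext in {".doc", ".xls", ".ppt"} and data.startswith(OLE_MAGIC):
        findings.append(f"{name}: legacy OLE2 Office binary (common exploit carrier)")
    return findings

def assess(msg: EmailMessage) -> dict:
    """Score one message: sender consistency plus attachment content."""
    findings = []
    from_dom = _domain(msg["From"])
    env_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for part in msg.iter_attachments():
        findings.extend(inspect_attachment(part.get_filename(),
                                           part.get_payload(decode=True) or b""))
    # One finding alone is worth a look; two independent ones hold the message.
    verdict = "quarantine" if len(findings) >= 2 else "flag" if findings else "deliver"
    return {"verdict": verdict, "findings": findings}

def build_sample(lure: bool) -> EmailMessage:
    """Constructed test messages: a lure with a forged envelope and an
    auto-executing PDF, or a clean message from the same apparent sender."""
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@partner.example>"
    msg["To"] = "bob@target.example"
    msg["Subject"] = "Conference agenda"
    msg.set_content("Please see the attached agenda.")
    if lure:
        msg["Return-Path"] = "<mailer@bulk-relay.example>"
        pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
               b"2 0 obj << /S /J#61vaScript /JS (noop) >> endobj\n%%EOF\n")
    else:
        msg["Return-Path"] = "<alice@partner.example>"
        pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="agenda.pdf")
    return msg

if __name__ == "__main__":
    for lure in (True, False):
        print(assess(build_sample(lure)))
```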
The attacks often use backdoor programs like Gh0st RAT or Poison Ivy to remotely monitor their targets. With such tools, they can do anything they want on the target machine. This includes logging the keyboard to collect passwords and a remote file manager to search documents with interesting content. Sometimes the attackers can eavesdrop on their target by remotely controlling the microphone of the infected computer.
I’ve been tracking targeted spying attacks since they were first observed in 2005. Targets have included large companies, governments, ministries, embassies, and nonprofit organizations like those who campaign for the freedom of Tibet, support minorities in China, or represent the Falun Gong religion. It would be easy to point the finger at the government of China. But we don’t have the smoking gun. Nobody can conclusively prove the origin of these attacks. In fact, we know with a high degree of certainty that several governments are engaging in similar attacks.
It’s also clear that what we’ve seen so far is just the beginning. Online espionage and spying can only become a more important tool for intelligence purposes in the future. Protecting against such attacks can prove to be very difficult.
The most effective method to protect data against cyber spying is to process confidential information on dedicated computers that are not connected to the Internet. Critical infrastructure should be isolated from public networks.
And isolation does not mean a firewall: it means being disconnected. And being disconnected is painful, complicated, and expensive. But it’s also safer.
Without a vulnerability, there is no exploit. And ultimately, vulnerabilities are just bugs: programming errors. And we have bugs because programs are written by human beings and human beings make errors. Software bugs have been a problem as long as we’ve had programmable computers, and they aren’t going to disappear.
Before the Internet became widespread, bugs weren’t very critical. You would be working on a word processor and would open a corrupted document file and your word processor would crash. While annoying, such a crash wasn’t too big of a deal. You might lose any unsaved work in open documents, but that’s it. But as soon as the Internet entered the picture, things changed. Suddenly, bugs that used to be just a nuisance could be used to take over your computer.
We have different classes of vulnerabilities and their severity ranges from a nuisance to critical.
First, we have local and remote vulnerabilities. Local vulnerabilities can only be exploited by a local user who already has access to the system. But remote vulnerabilities are much more severe as they can be exploited from anywhere over a network connection.
Vulnerability types can then be divided by their actions on the target system: denial-of-service, privilege escalation, or code execution. Denial-of-service vulnerabilities allow the attacker to slow down or shut down the system. Privilege escalations can be used to gain additional rights on a system, and code execution allows running commands.
The most serious vulnerabilities are remote code execution vulnerabilities. And these are what the attackers need.
But even the most valuable vulnerabilities are worthless if the vulnerability gets patched. So the most valuable exploits are targeting vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole. If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, users had five days to react. If there is no patch available, users had no time at all to secure themselves: literally zero days. This is where the term zero-day vulnerability comes from: users are vulnerable even if they have applied all available patches.
The knowledge of the vulnerabilities needed to create these exploits is gathered from several sources. Experienced professionals search for vulnerabilities systematically by using techniques like fuzzing or by reviewing the source code of open-source applications, looking for bugs. Specialist tools have been created to locate vulnerable code in compiled binaries. Less experienced attackers can find known vulnerabilities by reading security-themed mailing lists or by reverse engineering security patches as they are made available by the affected vendors. Exploits are valuable even if a patch is available, as there are targets that don’t patch as quickly as they should.
Originally, only hobbyist malware writers were using exploits to do offensive attacks. Worms like Code Red, Sasser, and Blaster would spread around the world in minutes as they could remotely infect their target with exploits.
Things changed as organized criminal gangs started making serious money with keyloggers, banking trojans, and ransom trojans. As money entered the picture, the need for fresh exploits created an underground marketplace. Things changed even more as governments entered the picture. When the infamous Stuxnet malware was discovered in July 2010, security companies were amazed to notice this unique piece of malware was using a total of four different zero-day exploits—which remains a record in its own field. Stuxnet was eventually linked to an operation launched by the governments of the United States and Israel against various targets in the Middle East, and especially to slow down the nuclear program of the Islamic Republic of Iran.
Other governments learned of Stuxnet and saw the three main takeaways of it: attacks like these are effective, they are cheap, and they are deniable. All of these qualities are highly sought after in espionage and military attacks. In effect, this started a cyber arms race that today is a reality in most of the technically advanced nations. These nations weren’t just interested in running cyber defense programs to protect themselves against cyber attacks. They wanted to gain access to offensive capability and to be capable of launching offensive attacks themselves.
To have a credible offensive cyber program, a country will need a steady supply of new exploits. Exploits don’t last forever. They get found out and patched. New versions of the vulnerable software might require new exploits, and these exploits have to be weaponized and reliable.
As finding the vulnerabilities and creating the weaponized exploits is hard, most governments would need to outsource this job to experts. Where can they find such expertise? Security companies and antivirus experts are not providing attack code: they specialize in defense, not attacks. Intelligence agencies and militaries have always turned to defense contractors when they need technology they can’t produce by themselves. This applies to exploits as well.
Simply by browsing the websites of the largest defense contractors in the world, you can easily find out that most of them advertise offensive capability to their customers. Northrop Grumman even runs radio ads claiming that they “provide governmental customers with both offensive and defensive solutions.”
However, even the defense contractors might have a hard time building the specialized expertise to locate unknown vulnerabilities and to create attacks against them. Many of them seem to end up buying their exploits from one of the several boutique companies specializing in finding zero-day vulnerabilities. Such companies have popped up in various countries. These companies go out of their way to find bugs that can be exploited and turned into security holes. Once found, the exploits are weaponized. In this way, they can be abused effectively and reliably. These attackers also try to make sure that the company behind the targeted product will never learn about the vulnerability—because if they did, they would fix the bug. Consequently, the customers and the public at large would not be vulnerable any more. This would make the exploit code worthless to the company selling it.
Companies specializing in selling exploits operate around the world. Some of the known companies reside in the United States, the United Kingdom, Germany, Italy, and France. Others operate from Asia. Many of them like to portray themselves as being part of the computer security industry. However, we must not mistake them for security companies, as these companies do not want to improve computer security. Quite the opposite, these companies go to great lengths to make sure the vulnerabilities they find do not get closed, making all of us more vulnerable.
In some cases, exploits can be used for good. For example, sanctioned penetration tests done with tools like Metasploit can improve the security of an organization. But that’s not what we’re discussing here. We’re talking about creating zero-day vulnerabilities just to be used for secret offensive attacks.
The total size of the exploit export industry is hard to estimate. However, looking at public recruitment ads of the known actors as well as various defense contractors, it’s easy to see there is much more recruitment happening right now for offensive positions than for defensive roles. As an example, some U.S.-based defense contractors have more than a hundred open positions for people with Top Secret/SCI clearance to create exploits. Some of these positions specifically mention the need to create offensive exploits targeting iPhones, iPads, and Android devices.
If we look for offensive cyber attacks that have been linked back to a known government, the best known examples link back to the governments of the United States and Israel. When the New York Times ran the story linking the U.S. Government and the Obama administration to Stuxnet, the White House started an investigation on who had leaked the information. Note that they never denied the story. They just wanted to know who leaked it.
As the U.S. is engaging in offensive cyber attacks on other countries, certainly other countries feel that they are free to do the same. This cyber arms race has created an increasing demand for exploits.
But eventually politicians and leaders realized just how important the Internet is. And they realized how useful the Internet was for other purposes—especially for the purposes of doing surveillance on citizens.
The two arguably most important inventions of our generation, the Internet and mobile phones, changed the world. However, they both turned out to be perfect tools for the surveillance state. And in a surveillance state, everybody is assumed guilty.
Internet surveillance really became front-page material when Edward Snowden started leaking information on PRISM, XKeyscore, and other NSA programs in the summer of 2013.
But don’t get me wrong. I do understand the need for doing both monitoring and surveillance. If somebody is suspected of running a drug ring, or planning a school shooting, or participating in a terror organization, he should be monitored, with a relevant court order.
However, that’s not what PRISM is about. PRISM is not about monitoring suspicious people. PRISM is about monitoring everyone. It’s about monitoring people that are known to be innocent. And it’s about building dossiers on everyone, eventually going back decades. Such dossiers, based on our Internet activity, will build a thorough picture of us. And if the powers-that-be ever need to find a way to twist your arm, they would certainly find something suspicious or embarrassing on everyone, if they have enough of their Internet history recorded.
United States intelligence agencies have a full legal right to monitor foreigners. Which doesn’t sound too bad—until you realize that most of us are foreigners to the Americans. In fact, 96 percent of the people on the planet turn out to be such foreigners. And when these people use U.S.-based services, they are legally under surveillance.
When the PRISM leaks started, U.S. intelligence tried to calm the rest of the world by explaining how there’s no need to worry, and about how these programs were just about fighting terrorists. But then further leaks proved the U.S. was using their tools to monitor the European Commission and the United Nations as well. It’s difficult for them to argue that they were trying to find terrorists at the European Union headquarters.
Another argument we’ve heard from the U.S. intelligence apparatus is that everyone else is doing Internet surveillance too. And indeed, most countries do have intelligence agencies, and most of them do monitor what other countries are doing. However, the U.S. has an unfair advantage. Almost all of the common Internet services, search engines, webmails, web browsers, and mobile operating systems come from the U.S. To put it another way: How many Spanish politicians and decision makers use American services? Answer: all of them. And how many American politicians and decision makers use Spanish services? Answer: none of them.
All this should make it obvious that we foreigners should not use U.S.-based services. They’ve proven to us that they are not trustworthy. Why would we voluntarily hand our data to a foreign intelligence agency?
But in practice, it’s very hard to avoid using services like Google, Facebook, LinkedIn, Dropbox, Amazon, Skydrive, iCloud, Android, Windows, iOS, and so on. This is a clear example of the failure of Europe, Asia, and Africa to compete with the U.S. on Internet services. And when the rest of the world does produce a global hit—like Skype or Nokia—it typically ends up acquired by an American company, bringing it under U.S. control.
But if you’re not doing anything wrong, why worry about this? Or, if you are worrying about this, what do you have to hide? My answer to this question is that I have nothing to hide… but I have nothing in particular that I’d want to share with an intelligence agency either. In particular, I have nothing to share with a foreign intelligence agency. If we really need a big brother, I’d much rather have a domestic big brother than a foreign big brother.
People have asked me if they really should worry about PRISM. I’ve told them that they should not be worried—they should be outraged instead. We should not just accept such blanket and wholesale surveillance from one country on the rest of the world.
Advancements in computing power and data storage have made wholesale surveillance possible. But they’ve also made leaking possible. That’s how Edward Snowden could steal three laptops which contained so much information that, printed out, it would be a long row of trucks full of paper.
Leaking has become so easy that it will keep organizations worrying about getting caught over any wrongdoing. We might hope that this would force organizations to avoid unethical practices.
While governments are watching over us, they know we are watching over them.
All this is happening right now, during our generation. We were the first generation that got online. We should do what we can to secure the net and keep it free so that it will be there for future generations to enjoy.
Preface
The real world isn’t like the online world. In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders.
Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers. Most of them are written by professional criminals who are making millions with their attacks. These criminals want access to your computer, your PayPal passwords, and your credit card numbers.
I spend a big part of my life on the road, and I’ve visited many of the locations that are considered to be hotspots of online criminal activity. I’ve been to Moscow, São Paulo, Tartu, Vilnius, St. Petersburg, Beijing, and Bucharest.
I’ve met the underground and I’ve met the cops. And I’ve learned that things are never as simple as they seem from the surface. One would think that the epicenter for banking attacks, for example, would prioritize fighting them, right?
Right, but dig deeper and complications emerge. A good example is a discussion I had with a cybercrime investigator in Brazil. We spoke about the problems in Brazil and how São Paulo has become one of the largest sources of banking trojans in the world.
The investigator looked at me and said, “Yes. I understand that. But what you need to understand is that São Paulo is also one of the murder capitals of the world. People are regularly gunned down on the streets. So where exactly should we put our resources? To fight cybercrime? Or to fight crimes where people die?”
It’s all a matter of balancing. When you balance the damage done by cybercrime and compare it to a loss of life, it’s pretty obvious what’s more important.
National police forces and legal systems are finding it extremely difficult to keep up with the rapid growth of online crime. They have limited resources and expertise to investigate online criminal activity. The victims, police, prosecutors, and judges rarely uncover the full scope of the crimes that often take place across international boundaries. Action against the criminals is too slow, the arrests are few and far between, and too often the penalties are very light, especially compared with those attached to real-world crimes.
Because of the low priority given to prosecuting cybercriminals and the delays in establishing effective penalties for cybercrime, we are sending the wrong message to the criminals, and that’s why online crime is growing so fast. Right now would-be online criminals can see that the likelihood of their getting caught and punished is vanishingly small, yet the profits are great.
The reality for those in positions like the São Paulo investigator is that they must balance both fiscal constraints and resource limitations. They simply cannot, organizationally, respond to every type of threat. If we are to keep up with the cybercriminals, the key is cooperation. The good news is that the computer security industry is quite unique in the way direct competitors help each other.
The Turning Point
If you were running Windows on your computer 10 years ago, you were running Windows XP. In fact, you were most likely running Windows XP SP1 (Service Pack 1). This is important, as Windows XP SP1 did not have a firewall enabled by default and did not feature automatic updates. So, if you were running Windows, you weren’t running a firewall and you had to patch your system manually—by downloading the patches with Internet Explorer 6, which itself was ridden with security vulnerabilities.
Crypto Currencies
In 2008, a mathematician called Satoshi Nakamoto submitted a technical paper for a cryptography conference. The paper described a peer-to-peer network where participating systems would do complicated mathematical calculations on something called a blockchain. This system was designed to create a completely new currency: a crypto currency. In short, a currency that is based on math. The paper was titled “Bitcoin: A Peer-to-Peer Electronic Cash System.”
Espionage
Spying is about collecting information. When information was still written on pieces of paper, a spy had to physically go and steal it. These days information is data on computers and networks, so modern spying is often carried out with the help of malware. The cyber spies use trojans and backdoors to infect their targets’ computers, giving them access to the data even from the other side of the world. Who spends money on spying? Companies and countries do. When companies do it, it’s called industrial espionage. When countries do it, it’s just espionage.
In the most typical case, the attack is made through e-mail to a few carefully selected people or even a single person in the organization. The target receives what seems like an ordinary e-mail with an attached document, often from a familiar person. In reality, the whole message is a forgery. The e-mail sender’s details are forged and the seemingly harmless attached document contains the attack code. If the recipient does not realize the e-mail is a forgery, the whole case will probably go unnoticed, forever.
Program files like Windows EXE files do not get through firewalls and filters, so the attackers commonly use PDF, DOC, XLS, and PPT document files as the attachment. These are also more likely to be viewed as safe documents by the recipient. In their standard form these file types do not contain executable code, so the attackers use vulnerabilities in applications like Adobe Reader and Microsoft Word to infect the computer when the booby-trapped documents are opened.
The structure of these attack files has been deliberately broken so that it crashes the office application in use when opened, while simultaneously executing the binary code inside the document. This code usually creates two new files on the hard disk and executes them. The first is a clean document that opens up on the user’s monitor and distracts the user from the crash.
The second new file is a backdoor program that starts immediately and hides itself in the system, often using rootkit techniques. It establishes a connection from the infected computer to a specific network address, anywhere in the world. With the help of the backdoor the attacker gains access to all the information on the target computer, as well as the information in the local network that the targeted person has access to.
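A check for the dropper pattern just described, added here as an example (it is not from the original text): it flags a document attachment that carries an embedded PE image, which a PDF or Office file in its standard form never contains. The sample inputs are constructed.

```python
"""Scan a document attachment for embedded Windows executables.

Added example, not from the original text. A document such as a PDF or DOC
contains no executable code in its standard form, so a PE image found inside
one is a strong hint that it is a dropper of the kind described above.
"""
import struct

# Magic numbers of the document formats the text names.
DOCUMENT_MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls/ppt)",
    b"PK\x03\x04": "ooxml (docx/xlsx/pptx) or zip",
}

PE_SIGNATURE = b"PE\x00\x00"


def document_type(data: bytes) -> str:
    """Name the declared document type from its leading bytes."""
    for magic, name in DOCUMENT_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of every plausible PE image inside data.

    A PE image starts with an MZ header whose e_lfanew field (at offset
    0x3c) points to the 'PE\\0\\0' signature. Requiring both removes most
    false hits from random 'MZ' byte pairs.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig_at = pos + e_lfanew
            # Real headers keep e_lfanew small; huge values are noise.
            if 0x40 <= e_lfanew <= 0x1000 and data[sig_at:sig_at + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def assess(data: bytes) -> dict:
    """Summarise what a mail filter would want to know about an attachment."""
    hits = find_embedded_pe(data)
    return {
        "declared_type": document_type(data),
        "embedded_pe_offsets": hits,
        "suspicious": len(hits) > 0,
    }


def build_fake_pe() -> bytes:
    """Constructed minimal PE-looking blob for the demo (not a real program)."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + PE_SIGNATURE + b"\x4c\x01" + b"\x00" * 30


# Constructed sample inputs: a clean PDF and a PDF carrying an embedded PE.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
BOOBY_TRAPPED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Length 999 >> stream\n"
    + build_fake_pe()
    + b"\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("booby-trapped", BOOBY_TRAPPED_PDF)):
        print(name, assess(blob))
```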
The attacks often use backdoor programs like Gh0st RAT or Poison Ivy to remotely monitor their targets. With such tools, they can do anything they want on the target machine. This includes logging the keyboard to collect passwords and a remote file manager to search documents with interesting content. Sometimes the attackers can eavesdrop on their target by remotely controlling the microphone of the infected computer.
I’ve been tracking targeted spying attacks since they were first observed in 2005. Targets have included large companies, governments, ministries, embassies, and nonprofit organizations like those who campaign for the freedom of Tibet, support minorities in China, or represent the Falun Gong religion. It would be easy to point the finger at the government of China. But we don’t have the smoking gun. Nobody can conclusively prove the origin of these attacks. In fact, we know with a high degree of certainty that several governments are engaging in similar attacks.
It’s also clear that what we’ve seen so far is just the beginning. Online espionage and spying can only become a more important tool for intelligence purposes in the future. Protecting against such attacks can prove to be very difficult.
The most effective method to protect data against cyber spying is to process confidential information on dedicated computers that are not connected to the Internet. Critical infrastructure should be isolated from public networks.
And isolation does not mean a firewall: it means being disconnected. And being disconnected is painful, complicated, and expensive. But it’s also safer.
Exploits
A very big part of criminal or governmental cyber attacks use exploits to infect the target computer. Without a vulnerability, there is no exploit. And ultimately, vulnerabilities are just bugs: programming errors. And we have bugs because programs are written by human beings and human beings make errors. Software bugs have been a problem as long as we’ve had programmable computers, and they aren’t going to disappear.
Before the Internet became widespread, bugs weren’t very critical. You would be working on a word processor and would open a corrupted document file and your word processor would crash. While annoying, such a crash wasn’t too big of a deal. You might lose any unsaved work in open documents, but that’s it. But as soon as the Internet entered the picture, things changed. Suddenly bugs that used to be just a nuisance could suddenly be used to take over your computer.
We have different classes of vulnerabilities and their severity ranges from a nuisance to critical.
First, we have local and remote vulnerabilities. Local vulnerabilities can only be exploited by a local user who already has access to the system. But remote vulnerabilities are much more severe as they can be exploited from anywhere over a network connection.
Vulnerability types can then be divided by their actions on the target system: denial-of-service, privilege escalation, or code execution. Denial-of-service vulnerabilities allow the attacker to slow down or shut down the system. Privilege escalations can be used to gain additional rights on a system, and code execution allows running commands.
The most serious vulnerabilities are remote code execution vulnerabilities. And these are what the attackers need.
But even the most valuable vulnerabilities are worthless if the vulnerability gets patched. So the most valuable exploits are targeting vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole. If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, users had five days to react. If there is no patch available, users had no time at all to secure themselves: literally zero days. This is where the term zero-day vulnerability comes from: users are vulnerable, even if they had applied all possible patches.
The knowledge of the vulnerabilities needed to create these exploits is gathered from several sources. Experienced professionals search for vulnerabilities systematically by using techniques like fuzzing or by reviewing the source code of open-source applications, looking for bugs. Specialist tools have been created to locate vulnerable code in compiled binaries. Less experienced attackers can find known vulnerabilities by reading security-themed mailing lists or by reverse engineering security patches as they are made available by the affected vendors. Exploits are valuable even if a patch is available, as there are targets that don’t patch as quickly as they should.
Originally, only hobbyist malware writers were using exploits to do offensive attacks. Worms like Code Red, Sasser, and Blaster would spread around the world in minutes as they could remotely infect their target with exploits.
Things changed as organized criminal gangs started making serious money with keyloggers, banking trojans, and ransom trojans. As money entered the picture, the need for fresh exploits created an underground marketplace. Things changed even more as governments entered the picture. As the infamous Stuxnet malware was discovered in July 2010, security companies were amazed to notice this unique piece of malware was using a total of four different zero-day exploits—which remains a record in its own field. Stuxnet was eventually linked to an operation launched by the governments of the United States and Israel to target various objects in the Middle East and to especially slow down the nuclear program of the Islamic Republic of Iran.
Other governments learned of Stuxnet and saw the three main takeaways of it: attacks like these are effective, they are cheap, and they are deniable. All of these qualities are highly sought after in espionage and military attacks. In effect, this started a cyber arms race that today is a reality in most of the technically advanced nations. These nations weren’t just interested in running cyber defense programs to protect themselves against cyber attacks. They wanted to gain access to offensive capability and to be capable of launching offensive attacks themselves.
To have a credible offensive cyber program, a country will need a steady supply of new exploits. Exploits don’t last forever. They get found out and patched. New versions of the vulnerable software might require new exploits, and these exploits have to be weaponized and reliable. To have a credible offensive cyber program, a country needs a steady supply of fresh exploits.
As finding the vulnerabilities and creating the weaponized exploits is hard, most governments would need to outsource this job to experts. Where can they find such expertise from? Security companies and antivirus experts are not providing attack code: they specialize in defense, not attacks. Intelligence agencies and militaries have always turned to defense contractors when they need technology they can’t produce by themselves. This applies to exploits as well.
Simply by browsing the websites of the largest defense contractors in the world, you can easily find out that most of them advertise offensive capability to their customers. Northrop Grumman even runs radio ads claiming that they “provide governmental customers with both offensive and defensive solutions.”
However, even the defense contractors might have a hard time building the specialized expertise to locate unknown vulnerabilities and to create attacks against them. Many of them seem to end up buying their exploits from one of the several boutique companies specializing in finding zero-day vulnerabilities. Such companies have popped up in various countries. These companies go out of their way to find bugs that can be exploited and turned into security holes. Once found, the exploits are weaponized. In this way, they can be abused effectively and reliably. These attackers also try to make sure that the company behind the targeted product will never learn about the vulnerability—because if they did, they would fix the bug. Consequently, the customers and the public at large would not be vulnerable any more. This would make the exploit code worthless to the vendor.
Companies specializing in selling exploits operate around the world. Some of the known companies reside in the United States, the United Kingdom, Germany, Italy, and France. Others operate from Asia. Many of them like to portray themselves as being part of the computer security industry. However, we must not mistake them for security companies, as these companies do not want to improve computer security. Quite the opposite, these companies go to great lengths to make sure the vulnerabilities they find do not get closed, making all of us more vulnerable.
In some cases, exploits can be used for good. For example, sanctioned penetration tests done with tools like Metasploit can improve the security of an organization. But that’s not what we’re discussing here. We’re talking about creating zero-day vulnerabilities just to be used for secret offensive attacks.
The total size of the exploit export industry is hard to estimate. However, looking at public recruitment ads of the known actors as well as various defense contractors, it’s easy to see there is much more recruitment happening right now for offensive positions than for defensive roles. As an example, some U.S.-based defense contractors have more than a hundred open positions for people with Top Secret/SCI clearance to create exploits. Some of these positions specifically mention the need to create offensive exploits targeting iPhones, iPads, and Android devices.
If we look for offensive cyber attacks that have been linked back to a known government, the best known examples link back to the governments of the United States and Israel. When the New York Times ran the story linking the U.S. Government and the Obama administration to Stuxnet, the White House started an investigation on who had leaked the information. Note that they never denied the story. They just wanted to know who leaked it.
As the U.S. is engaging in offensive cyber attacks on other countries, certainly other countries feel that they are free to do the same. This cyber arms race has created an increasing demand for exploits.
Government Surveillance
When the Internet became commonplace in the mid-1990s, the decision makers ignored it. They didn’t see it as important or in any way relevant to them. As a direct result, global freedom flourished in the unrestricted online world. Suddenly people all over the world had in their reach something truly and really global. And suddenly, people weren’t just consuming content; they were creating content for others to see. But eventually politicians and leaders realized just how important the Internet is. And they realized how useful the Internet was for other purposes—especially for the purposes of doing surveillance on citizens.
The two arguably most important inventions of our generation, the Internet and mobile phones, changed the world. However, they both turned out to be perfect tools for the surveillance state. And in a surveillance state, everybody is assumed guilty.
Internet surveillance really became front-page material when Edward Snowden started leaking information on PRISM, XKeyscore, and other NSA programs in the summer of 2013.
But don’t get me wrong. I do understand the need for doing both monitoring and surveillance. If somebody is suspected of running a drug ring, or planning a school shooting, or participating in a terror organization, he should be monitored, with a relevant court order.
However, that’s not what PRISM is about. PRISM is not about monitoring suspicious people. PRISM is about monitoring everyone. It’s about monitoring people that are known to be innocent. And it’s about building dossiers on everyone, eventually going back decades. Such dossiers, based on our Internet activity, will build a thorough picture of us. And if the powers-that-be ever need to find a way to twist your hand, they would certainly find something suspicious or embarrassing on everyone, if they have enough of their Internet history recorded.
United States intelligence agencies have a full legal right to monitor foreigners. Which doesn’t sound too bad—until you realize that most of us are foreigners to the Americans. In fact, 96 percent of the people on the planet turn out to be such foreigners. And when these people use U.S.-based services, they are legally under surveillance.
When the PRISM leaks started, U.S. intelligence tried to calm the rest of the world by explaining how there’s no need to worry, and about how these programs were just about fighting terrorists. But then further leaks proved the U.S. was using their tools to monitor the European Commission and the United Nations as well. It’s difficult for them to argue that they were trying to find terrorists at the European Union headquarters.
Another argument we’ve heard from the U.S. intelligence apparatus is that everyone else is doing Internet surveillance too. And indeed, most countries do have intelligence agencies, and most of them do monitor what other countries are doing. However, the U.S. has an unfair advantage. Almost all of the common Internet services, search engines, webmails, web browsers, and mobile operating systems come from the U.S. To put it another way: How many Spanish politicians and decision makers use American services? Answer: all of them. And how many American politicians and decision makers use Spanish services? Answer: none of them.
All this should make it obvious that we foreigners should not use U.S.-based services. They’ve proven to us that they are not trustworthy. Why would we voluntarily hand our data to a foreign intelligence agency?
But in practice, it’s very hard to avoid using services like Google, Facebook, LinkedIn, Dropbox, Amazon, Skydrive, iCloud, Android, Windows, iOS, and so on. This is a clear example of the failure of Europe, Asia, and Africa to compete with the U.S. on Internet services. And when the rest of the world does produce a global hit—like Skype or Nokia—it typically ends up acquired by an American company, bringing it under U.S. control.
But if you’re not doing anything wrong, why worry about this? Or, if you are worrying about this, what do you have to hide? My answer to this question is that I have nothing to hide… but I have nothing in particular that I’d want to share with an intelligence agency either. In particular, I have nothing to share with a foreign intelligence agency. If we really need a big brother, I’d much rather have a domestic big brother than a foreign big brother.
People have asked me if they really should worry about PRISM. I’ve told them that they should not be worried—they should be outraged instead. We should not just accept such blanket and wholesale surveillance from one country on the rest of the world.
Advancements in computing power and data storage have made wholesale surveillance possible. But they’ve also made leaking possible. That’s how Edward Snowden could steal three laptops which contained so much information that, printed out, it would be a long row of trucks full of paper.
Leaking has become so easy that it will keep organizations worrying about getting caught over any wrongdoing. We might hope that this would force organizations to avoid unethical practices.
While governments are watching over us, they know we are watching over them.
Summary
We’ve seen massive shifts in cyber attacks over the last two decades: from simple viruses written by teenagers to multimillion-dollar cyber attacks launched by nation-states. All this is happening right now, during our generation. We were the first generation that got online. We should do what we can to secure the net and keep it free so that it will be there for future generations to enjoy.
New malware: Mayhem
http://www.itnews.com.au/News/390053,new-mayhem-malware-targets-linux-unix-servers.aspx
A new malware that runs on UNIX-like servers even with restricted privileges has already infected machines in Australia and is actively hunting for more targets, a new research paper has shown.
Three researchers from Russian web provider Yandex - Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov - said in the technical analysis of the malware, published on security and anti-virus specialist publication Virus Bulletin, that Mayhem functions like a traditional Windows bot.
Mayhem was discovered in April this year and does not require a privilege escalation vulnerability - it does not have to run as the root super user - to work on Linux-based systems, or on FreeBSD servers.
Servers are infected through the execution of a hypertext preprocessor (PHP) script that establishes Mayhem on the victim computer and sets up a communications channel with a command and control server.
The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server.
Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information.
According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013.
At the time, Fort Disco had created a botnet with six command and control sites and over 25,000 infected Windows computers, according to Arbor Networks security analysts.
A total of 1400 infections have been recorded around the world for Mayhem so far, with most of these in the United States, Russia, Germany and Canada, the researchers said.
Sidorov told iTnews that recently discovered data from the largest Mayhem command and control server showed that there were 14 infected machines in Australia, and two in New Zealand.
Commenting on the research, Virus Bulletin editor Martijn Grooten said the threat Mayhem poses was relatively small compared to existing botnets.
But he warned that Mayhem should be taken seriously nevertheless, as it had the ability to compromise powerful Linux servers and was actively looking for other sites and machines to infect.
"It is another reminder to those running web servers that these have become prime targets for malware authors," Grooten said.
The researchers warned that despite increasingly being targeted by malware authors, many webmasters who run UNIX-like operating systems don't have the opportunity to update their infrastructure automatically, and that serious maintenance is expensive and therefore often not undertaken.
This, combined with lack of anti-virus technologies, active defences and process memory checking modules in the UNIX world, meant "it is easy for hackers to find vulnerable web servers and to use such servers in their botnets," the researchers stated.
Ransomware attacks NAS
Someone with too much time on their hands has written ransomware that attacks a particular brand of NAS.
Source: https://twitter.com/MikeEvangelist/status/495970097497128960
How to bypass Zeus trojan self protection mechanism
http://int0xcc.svbtle.com/how-to-bypass-zeus-trojans-self-protection-mechanism
Hacking spammers for Dummies, or: How to bypass Zeus Trojan’s self protection mechanism
Spammers are good when it comes to intimidating users into opening the attachment. One of the recent pathetic and cruel ones was:
Hi
A Person from your office was found dead outside. Please open the picture to see if you know him.
Regards

The attachment is basically a Zip file consisting of an exe file named “image.scr” with a nice mspaint icon.
Quickly opening it up in IDA gives us a hint that it is basically a VB packer. VB packers usually create a hollow suspended process, overwrite its memory and resume it.
After successfully unpacking and fixing the dump we get the following output:
The OEP of the unpacked binary is enough to tell us that it is a Zeus banking trojan. Well, this one is a different version of Zeus with self-protection, which means unpacked copies won’t run. This is usually done to “force” the bot masters to buy a cryptor service.
If you double-click the binary it will not run; it will simply exit. Now let’s see where things are going wrong and how to bypass the protection.
For that purpose we will generate a graph of the API calls made by the unpacked binary to see the exit point of the program.
From this we get the idea that it is reading the file buffer and performing some operations on it; now let’s see what operations it is performing.
If we dig deeper we find out that the file buffer is read and some cryptographic operations are performed on it.
And if we go inside the CheckSelfProtection() function we will observe that it runs RC4 over the whole binary buffer with a static encryption key and then searches for the placeholder “DAVE”.
In my case the RC4 key was:
Packer integrity
We can copy that 0x200-byte data from the packer into the overlay of our unpacked file.
And if it is found, it goes further, verifying the integrity of that data structure and decoding another payload using a 4-byte XOR key taken from that structure.
The total size of the data structure is 0x200 bytes, and on the basis of its size either the installer or the injector is decrypted. Let’s now understand the layout of that 0x200-byte data structure.
During the installation phase, iSizeOfPacket bytes are copied from the data chunk into the heap and later used to decode the installer subroutine using an XOR cipher.
    struct Zeus_packer_overlay {
        DWORD SIGNATURE;            SetBackColor( cRed );
        DWORD Crc32HASH;            SetBackColor( cBlue );
        WORD iSizeOfPacket;
        unsigned int SizeOfDecodedData;
        unsigned int Unknown1;      SetBackColor( cRed );
        unsigned int XorKey;
    } Zeus_Packer_OverLay;
Before decoding the installer routine, the CRC32 hash is checked and SizeOfDecodedData bytes are copied to a heap location in this function. The installer and the injector are differentiated by the iSizeOfPacket field: if the size is 0x0c it is still in the installation phase; if it is 0x1e6 the structure has been replaced by the installation routine with a new packer data structure.
The installation subroutine is then decoded using XorKey over a data buffer of size SizeOfDecodedData, using this simple XOR function:
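A parser for the packer overlay header laid out in the template above, added here as an analysis example (not the post’s own code). It assumes little-endian unpadded fields, that Crc32HASH covers the SizeOfDecodedData bytes following the header, and that the XOR function applies XorKey as a repeating 4-byte key; none of these details are stated on the page. The signature value and the sample payload are constructed.

```python
"""Parse and decode a Zeus packer overlay header laid out as in the template above.

Added analysis example, not code from the original post. Assumptions not
stated on the page: fields are little-endian and unpadded, Crc32HASH covers
the SizeOfDecodedData bytes that follow the header, and the "simple XOR
function" applies XorKey as a repeating 4-byte key.
"""
import struct
import zlib

# SIGNATURE, Crc32HASH, iSizeOfPacket, SizeOfDecodedData, Unknown1, XorKey
HEADER_FMT = "<IIHIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 22 bytes
OVERLAY_SIZE = 0x200
SIZE_INSTALLING = 0x0C   # iSizeOfPacket while still in the installation phase
SIZE_INSTALLED = 0x1E6   # iSizeOfPacket once the installer rewrote the structure


def parse_header(blob: bytes) -> dict:
    """Unpack the fixed header at the start of the overlay into named fields."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("overlay shorter than header")
    sig, crc, packet_size, decoded_size, unknown1, xor_key = struct.unpack_from(
        HEADER_FMT, blob, 0)
    return {
        "signature": sig,
        "crc32": crc,
        "size_of_packet": packet_size,
        "size_of_decoded_data": decoded_size,
        "unknown1": unknown1,
        "xor_key": xor_key,
    }


def phase(header: dict) -> str:
    """Tell installer from injector by iSizeOfPacket, as the post explains."""
    size = header["size_of_packet"]
    if size == SIZE_INSTALLING:
        return "installing"
    if size == SIZE_INSTALLED:
        return "installed"
    return "unknown (0x%x)" % size


def xor4(data: bytes, key: int) -> bytes:
    """Repeating 4-byte XOR; symmetric, so it both encodes and decodes."""
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def decode_payload(blob: bytes):
    """Check the CRC32 and return the XOR-decoded payload, or None if it fails."""
    header = parse_header(blob)
    start, end = HEADER_SIZE, HEADER_SIZE + header["size_of_decoded_data"]
    payload = blob[start:end]
    if len(payload) != header["size_of_decoded_data"]:
        return None  # truncated overlay
    if zlib.crc32(payload) & 0xFFFFFFFF != header["crc32"]:
        return None  # corrupt, or the CRC layout assumption does not hold
    return xor4(payload, header["xor_key"])


def build_overlay(payload: bytes, xor_key: int, signature: int = 0x0BADF00D) -> bytes:
    """Construct a sample overlay for the demo; the signature is a placeholder."""
    encoded = xor4(payload, xor_key)
    header = struct.pack(HEADER_FMT, signature, zlib.crc32(encoded) & 0xFFFFFFFF,
                         SIZE_INSTALLING, len(encoded), 0, xor_key)
    body = header + encoded
    return body + b"\x00" * (OVERLAY_SIZE - len(body))


if __name__ == "__main__":
    sample = build_overlay(b"constructed installer stub", 0xDEADBEEF)
    print(phase(parse_header(sample)), decode_payload(sample))
```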
During the installation phase the packer data structure is rewritten and encrypted using RC4, resulting in data of length 0x1e6 which mainly consists of installation data like:
1 : Registry keys
2 : Random numbers generated for seeding
3 : Local path name
4 : Computer name and version
Replacing this packer overlay data with the old one will let you skip the installation phase, and the binary won’t be relaunched again using CreateProcessA from %appdata%. Yet we will have to patch a jump after it compares the path stored in the overlay data with the current path.
Owning a Zeus C2C panel / Spammer
There exists a publicly known RCE vulnerability in some versions of Zeus (as well as Zeus Lite, KINS and ICE-IX), as described in detail here (http://xs-sniper.com/blog/2010/09/27/turning-the-tables/). Our good friend Xylitol has already provided a ready-to-use tool to exploit this vulnerability: http://cybercrime-tracker.net/tools.php
All we need for that is the C2C web address and the RC4 communication key. Both of them you can get from the base config decoding subroutine, which is again based on a simple XOR cipher.
After getting the C2C address and the RC4 key, they can be submitted here to get a shell on that C2C web panel.
Once you get the shell you can then edit cp.php (the login file for the Zeus panel) and boost up your Metasploit exploit after the bot master has logged in.
And if you know how to proceed further, you can get a meterpreter shell on the spammer’s machine. webcam_snap is one beautiful Meterpreter command which I personally like (http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics#webcam_snap).
It takes a webcam capture from the victim’s computer and saves it on the target machine.
And if you enter that, you might get back something like this on your computer :)