
Tuesday, 3 December 2013

Posted by Unknown 05:25

UK man accused of hacking US government computers


A British man has been arrested and charged with hacking into computer systems of the US army, Nasa, the Environmental Protection Agency and other agencies at a cost of millions of dollars to the federal government. 

Lauri Love, 28, of Stradishall, England, and his partners stole information about government employees, including military service members, since at least October 2012 by hacking into government networks and leaving behind "back doors" through which they could return to get data, a grand jury in Newark said in an indictment. 

British authorities said on Monday that Love was also charged under a UK law that allows people to be arrested for starting attacks from the UK on computers anywhere in the world. He has been released on bail until February. Attempts to reach Love for comment on Monday weren't immediately successful. 

The US government said the purpose of the attacks was "to disrupt the operations and infrastructure" of the federal government. The New Jersey indictment does not accuse Love of selling information or doing anything else with it for financial gain. 

Love was arrested on Friday at his home about 70 miles (112 kilometers) north of London. 

He's accused of working with two co-conspirators in Australia and one in Sweden, none of whom have been charged. Their names were not disclosed in the court filing that was made public on Monday. 

The indictment includes pieces of instant message conversations that Love allegedly had with his partners. 

In one, he seems to brag about infiltrating Nasa networks: "ahaha, we owning lots of nasa sites," he said, according to the government. In another exchange, he marvels at the information the group has accessed, writing "this ... stuff is really sensitive," according to prosecutors. 

Love was charged in New Jersey because he allegedly used a server in the township of Parsippany. He also faces federal charges in Virginia for other alleged intrusions.


Backdoor in D-Link routers allows attackers full access


D-Link has patched a backdoor, publicized almost two months ago, in a number of its routers. The flaw lets a remote attacker reach the administrative web interface without credentials, run code and change any setting on the device.
The Thanksgiving-week firmware releases addressed the issue in a number of affected routers, most of them older models that are still in circulation and, particularly in consumers' homes, rarely updated.
Customer premises equipment such as wireless routers, modems and set-top boxes poses a real security problem because a fix requires a firmware update, and firmware updates are often ignored. There is also plenty of research into the risks posed not only by buggy routers but by other home and small business networking equipment.
Using freely available tools and online search engines such as Shodan, attackers can easily find vulnerable Internet-facing equipment and target those boxes with any number of exploits or scripts that try weak or default credentials, gaining remote access to the gear.
The D-Link issue is more serious still because of the access it affords a remote attacker. Researcher Craig Heffner reported the vulnerability in October: a request whose HTTP User-Agent header is set to the string “xmlset_roodkcableoj28840ybtide” reaches the web interface of a number of D-Link routers without any credentials.
D-Link routers DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240, along with Planex routers BRL-04R, BRL-04UR and BRL-04CW, use the same firmware, Heffner said. The firmware revisions issued last Thursday are for the DI-524, DI-524UP, DIR-100 and DIR-120 routers, D-Link said in its advisory.
“Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string,” the company’s original advisory said. “This backdoor allows an attacker to bypass password authentication and access the router’s administrative web interface.”
Backdoors in networking gear generally exist for remote administration purposes. Researcher Travis Goodspeed told Heffner that this one is used by a particular binary in the firmware, which presents the string to the web server so that it can reconfigure the device’s settings automatically.
“My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner wrote. “The only problem was that the web server required a username and password, which the end user could change.”
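The bypass Heffner describes is an authorization decision keyed off a header the client controls. The Python below is an added example, not D-Link firmware or Heffner's code: it models the flawed check beside a corrected one and scans web-server access logs for the magic User-Agent so an operator can tell whether a router was ever touched this way. The request, log lines, hosts and paths are constructed for the example; only the User-Agent string comes from the advisory. Read backwards, that string spells editby04882joelbackdoor_teslmx, which the block checks.

```python
"""Model of the D-Link User-Agent authentication bypass and a log scanner.

Added example, not the router firmware or the researcher's code. The HTTP
request, log lines, addresses and paths below are constructed for the example.
"""
import re

# The User-Agent string reported by Craig Heffner (from the advisory).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.x request into method, path and a lowercase header map."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def vulnerable_authorize(req: dict, session_authenticated: bool) -> bool:
    """Flawed check: a request carrying the magic User-Agent is treated as
    authenticated, so the configured admin password is never consulted."""
    if req["headers"].get("user-agent") == BACKDOOR_UA:
        return True
    return session_authenticated


def hardened_authorize(req: dict, session_authenticated: bool) -> bool:
    """Correct check: authorization depends only on the authenticated session.
    Request headers are attacker-controlled and must never grant access."""
    return session_authenticated


# Constructed attack request: no credentials, only the magic User-Agent.
ATTACK_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    f"User-Agent: {BACKDOOR_UA}\r\n"
    "\r\n"
)

# Combined-log-format lines (constructed): one ordinary browser hit, then two
# requests from the same client using the backdoor string.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Nov/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"',
    f'198.51.100.7 - - [28/Nov/2013:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "{BACKDOOR_UA}"',
    f'198.51.100.7 - - [28/Nov/2013:10:00:11 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "-" "{BACKDOOR_UA}"',
]

LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def find_backdoor_hits(log_lines):
    """Return (method, path, status) for every logged request that carried the
    backdoor User-Agent. A 200 on an admin path here means the bypass worked."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("ua") == BACKDOOR_UA:
            hits.append((m.group("method"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    req = parse_request(ATTACK_REQUEST)
    print("vulnerable firmware grants access:", vulnerable_authorize(req, False))
    print("hardened check grants access:     ", hardened_authorize(req, False))
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print("backdoor request seen:", hit)
    print("string reversed:", BACKDOOR_UA[::-1])
```

The log scan is the practical takeaway: on the affected models the only artifact of a successful bypass is an administrative request whose User-Agent is this exact string, so an exact-match rule on that header is both cheap and low in false positives.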

Posted by Unknown 04:55

Vulnerability in Android 4.3 allows apps to remove the device lock

There is a vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable all of the security locks on a device, leaving it open to further attacks. Jelly Bean is currently the most widely deployed version of Android.
The vulnerability lies in how the operating system handles the flow of events when a user changes one of the device's security locks. Android offers several lock types, including PIN, password, pattern (gesture) and face recognition. Before a lock can be changed or removed, the user is asked to confirm the current one to prove control of the device. The bug in Jelly Bean, discovered by researchers at Curesec in Germany, lets a malicious app skip this confirmation step and remove the locks.
“The bug exists on the ‘com.android.settings.ChooseLockGeneric class’. This class is used to allow the user to modify the type of lock mechanism the device should have. Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.x. If a user wants to change the pin or remove it it has to first enter the previous pin),” the advisory from Curesec says.
A malicious app installed on a vulnerable device can steer the code path that decides whether Android demands the existing lock before the lock type is changed, and so set the device to have no lock at all. A Google representative said the problem is fixed in Android 4.4 KitKat.
“We can control the flow to reach the updatePreferencesOrFinish() method and see that IF we provide a Password Type the flow continues to updateUnlockMethodAndFinish(). Above we can see that IF the password is of type PASSWORD_QUALITY_UNSPECIFIED the code that gets executed and effectively unblocks the device. As a result any [rogue] app can at any time remove all existing locks,” the advisory says.
The Curesec researchers said they reported the vulnerability to the Android security team at Google on Oct. 11, received a reply the next day and then heard nothing further. The advisory includes a short proof-of-concept command that an installed malicious app could reproduce. In the comments on their blog post, the researchers explained that the bug sidesteps Android's permission model.
“The command line shown is just a simple PoC so the problem is understood by anyone without needing to write his own application to test it. For executing actions in Android your application needs the exact permission to do this. For instance, if an app wants to read SMS or use the Internet, there is a permission for that. However, due to the bug you do not need any permission to remove all device locks,” the researchers said.

Posted by Unknown 04:51

State Bank of Patiala hacked and defaced by Pakistani hacker

A Pakistani hacker using the online handle "Kai-H4xOrR", from PAKISTAN HAXORS CREW (PHC), has hacked into a State Bank of Patiala (SBP) sub-domain and defaced the website.
On the defacement page, the hacker stated that the breach is payback "For Hacking Sui Gas Site".

"And Dont mess with Pakistan else you will lose both your Name and this Game. Backoff Lamers from our cyber space. Everybody Knows whose cyber space is more vulnerable," the defacement message reads.

"You will hack 1, we will hack thousands," the hacker warned Indian hackers who deface Pakistani websites.

The hacker uploaded the defacement to "https://hindi.sbp.co.in/index.html". The main page and other pages are not affected. At the time of writing, the site still displayed the defacement.

Sunday, 1 December 2013

Posted by Unknown 06:54

Neverquest Trojan: Built to Steal from Hundreds of Banks

Neverquest is a new banking trojan that spreads via social media, email and file transfer protocols. It recognizes hundreds of online banking and other financial sites; when an infected user attempts to log in to one of them, the trojan activates and steals the victim's credentials.

Neverquest then relays the stolen credentials to a command and control server. From there the attackers log into the affected accounts through the victim's own machine via virtual network computing (VNC), a remote desktop system, so the fraudulent session originates from the victim's computer and the bank has little way to distinguish the criminal from the legitimate customer.

Kaspersky Lab announced earlier this week that the trojan has infected thousands of user machines but, as malware expert Sergey Golovanov explains, it could do much more damage over the holiday season because of its efficient and versatile self-replication features. Back in 2009, the Bredolab malware used the same distribution methods Neverquest is using now, and Bredolab went on to become the third most widely distributed piece of malware on the Internet.

“When a user on an infected machine visits one of the sites on the list, the malware controls the browser’s connection with the server,” Golovanov explained in an analysis on Securelist. “Malicious users can obtain usernames and passwords entered by the user, and modify webpage content. All of the data entered by the user will be entered onto the modified webpage and transmitted to malicious users.”

Once the attackers control a victim's account, they can empty it into an account under their control. In many cases, however, Golovanov notes, the attackers move the stolen money through a chain of other victims' accounts, dumping funds from one into the next several times before cashing out, to make their activity hard to trace.

Neverquest is for sale on at least one underground forum. It only seems to affect users browsing with Internet Explorer and Mozilla Firefox, but Neverquest’s creators boast that it can be modified to attack “any bank in any country.”

The malware also contains a feature that searches for specific banking-related keywords while the infected user surfs the web. If a user visits a site that includes these keywords, the trojan activates itself and begins intercepting user communications and sending them back to the attackers. If the site the victim is visiting ends up being a bank, the attackers add this new site to the list of sites that automatically trigger Neverquest. This update is then sent along through Neverquest’s command and control infrastructure to all other infected machines.

Fidelity.com, the website of one of the world’s largest mutual fund investment firms, appears to be one of the trojan’s top targets according to the report.

“Its website offers clients a long list of ways to manage their finances online,” Golovanov wrote on Securelist. “This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims.”

Neverquest is also designed to start harvesting data when an infected user visits any number of sites not related to finance, including Google, Yahoo, Amazon AWS, Facebook, Twitter, Skype and many more.

“The weeks prior to the Christmas and New Year holidays are traditionally a period of high malicious user activity,” Golovanov wrote. “As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent. We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.”

He continues:

“Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that secures transactions. In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.” 
Kaspersky Lab offers such a technology, Safe Money. As part of Kaspersky Internet Security and Kaspersky PURE, it protects users' interactions with financial sites, paying particular attention to the security of the encrypted connection and to the absence of third-party control over the web browser.

Posted by Unknown 01:21

New Linux worm targets routers, cameras and “Internet of things” devices


Researchers have discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.
Linux.Darlloz, as the worm has been dubbed, is currently classified as a low-level threat, partly because its present version targets only devices that run on CPUs made by Intel, Symantec researcher Kaoru Hayashi wrote in a blog post published Wednesday. But with a minor modification, the malware could start deploying already available Executable and Linkable Format (ELF) variants that infect a much wider range of “Internet of things” devices, including those running ARM chips and those using the PPC, MIPS and MIPSEL architectures.
"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability," Hayashi explained. "If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."
The researcher went on to say that the attacker behind the Intel version is also hosting ELF files built for the other chip architectures.

The “e_machine” value in the ELF header indicates that the worm is for the ARM architecture.
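Hayashi's point that the variants are told apart by the ELF header's e_machine field is easy to check on a pile of downloaded payloads. The Python below is an added example, not Symantec's or the worm's code: it decodes the ELF identification bytes and e_machine, honouring the endianness byte so that big-endian MIPS and little-endian MIPSEL (which share an e_machine value) are separated, and buckets a set of constructed header-only stand-ins by architecture. The file names and header bytes are constructed for the example; the constants are the standard ELF values.

```python
"""Identify the CPU architecture an ELF payload targets from its header.

Added example, not code from Symantec or from the worm. The sample "files"
below are constructed 24-byte headers, not executable binaries.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFDATA2LSB, ELFDATA2MSB = 1, 2            # e_ident[EI_DATA]: little / big endian
EM_386, EM_MIPS, EM_PPC, EM_ARM, EM_X86_64 = 3, 8, 20, 40, 62   # e_machine values
EM_NAMES = {EM_386: "x86", EM_PPC: "PowerPC", EM_ARM: "ARM", EM_X86_64: "x86-64"}


def elf_arch(data: bytes) -> str:
    """Return a human-readable architecture name for an ELF image.

    e_machine is the 16-bit field at offset 18 (after the 16-byte e_ident and
    the 2-byte e_type) and is stored in the byte order named by e_ident[EI_DATA],
    so that byte must be read before the field is decoded.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_data = data[5]
    if ei_data == ELFDATA2LSB:
        order = "<"
    elif ei_data == ELFDATA2MSB:
        order = ">"
    else:
        raise ValueError("invalid EI_DATA byte %d" % ei_data)
    (e_machine,) = struct.unpack_from(order + "H", data, 18)
    if e_machine == EM_MIPS:
        # Same e_machine for both; only the byte order tells MIPS from MIPSEL.
        return "MIPSEL" if order == "<" else "MIPS"
    return EM_NAMES.get(e_machine, "unknown(e_machine=%d)" % e_machine)


def make_elf_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a minimal constructed ELF header (e_ident, e_type, e_machine, e_version)."""
    order = "<" if ei_data == ELFDATA2LSB else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(order + "HHI", 2, e_machine, 1)   # e_type=ET_EXEC


# Constructed stand-ins for a per-architecture payload set (names are made up).
SAMPLES = {
    "payload.x86":    make_elf_header(1, ELFDATA2LSB, EM_386),
    "payload.arm":    make_elf_header(1, ELFDATA2LSB, EM_ARM),
    "payload.ppc":    make_elf_header(1, ELFDATA2MSB, EM_PPC),
    "payload.mips":   make_elf_header(1, ELFDATA2MSB, EM_MIPS),
    "payload.mipsel": make_elf_header(1, ELFDATA2LSB, EM_MIPS),
}


def triage(samples: dict) -> dict:
    """Map each file name to its architecture; non-ELF data is labelled as such."""
    result = {}
    for name, data in samples.items():
        try:
            result[name] = elf_arch(data)
        except ValueError as exc:
            result[name] = "not ELF (%s)" % exc
    return result


if __name__ == "__main__":
    for name, arch in triage(SAMPLES).items():
        print(f"{name:16s} {arch}")
```

The same two bytes (EI_DATA and e_machine) are what a downloader stage would have to select on to pick the right variant for a target, which is why a hard-coded URL to the x86 binary, as in the current Darlloz, limits it to Intel devices even though payloads for the other architectures already exist.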

Out of date

While not posing much of a real-world threat now, Darlloz demonstrates a major shortcoming with most Internet-of-things devices available today—they typically run Linux or other types of open source code that are woefully out of date. Making matters worse, many Internet-connected consumer devices can't be updated because their lightweight hardware can't handle the requirements of newer code versions. Hijacking one of these devices thus becomes much easier than exploiting, say, an up-to-date version of Windows, OS X, or Linux.
Darlloz exploits a vulnerability in the PHP scripting language that was patched 18 months ago. Devices that use older versions of PHP to provide a web-based configuration interface may be vulnerable. With minor modifications, the worm could be reprogrammed to exploit dozens of long-patched vulnerabilities whose fixes still haven't reached most consumer devices.
Readers who want to tighten the security of their routers and other devices should research ahead of purchases and buy only gear that can be updated easily. For existing devices, install the latest available firmware, change default passwords, and, where at all possible, block incoming HTTP requests (POST requests in particular) to the device's management interface from the Internet.

Posted by Unknown 00:48

Turkish hacker hacks official Vodafone Iceland website, leaks 77,000 accounts and SMS logs

A Turkish hacker using the handle @AgentCorporatio, from the Turkish Agent Hacker Group, has hacked and defaced the official website of telecom giant Vodafone Iceland. As a result of the hack, around 77,000 user accounts along with customers' SMS logs have been leaked.

The hacker, who contacted me on Twitter, explained that the reason for targeting Vodafone was to mark his protest against the USA and Israel. He also left a deface page and a message on the hacked site, explained in the following words:
  • Agent Hacker Group! Turkish hackers says: nsa, mola vakti. Vidafone.is full download, full users account, + vodafone… to be continued.
After analyzing the leaked data I have found it legit and loaded with Vodafone customers' user details in an XLS file, such as names, emails, addresses, SMS logs and phone numbers. Other than the user data, the leak contains database, client details, tender details, accounts and financial details, franchise location maps and business markups.
Screenshot: leaked Vodafone customers' SMS logs.
