Ethical hacker may get 8 years in prison for reporting flaws in Magyar Telekom (HackRead.com)

By Waqas. Hungary's Prosecution Service has accused an ethical hacker and computer specialist of infiltrating the Magyar Telekom database. The office found him involved in a crime that disrupted the operations of a “public utility,” thereby endangering society. Reportedly, the hacker identified serious vulnerabilities in Magyar Telekom and reported them to the company. He […]


Interior decorating website Houzz on Friday issued a notice that user data – including usernames, passwords and IP addresses – had been accessed by an “unauthorized third party.” Houzz connects consumers to varying home-goods departments or professionals for purchasing furniture.

The Palo Alto, Calif.-based company said that a rogue third party had obtained a file with the user data. That data includes internal account data like user ID, prior Houzz usernames, one-way encrypted passwords (salted uniquely per user), IP address, and city and ZIP code inferred from IP address. Also accessed was publicly visible info from a user's Houzz profile (first name, last name, city, state, country, profile description). If users had logged into Houzz using Facebook, the user's public Facebook ID was exposed as well.

“Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party,” the company said in an alert on its website. “The security of user data is our priority. We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment and remediation efforts. We have also notified law enforcement authorities.”

User Social Security numbers, payment cards, bank accounts and other financial information were not impacted. Houzz said that it learned about the incident in late December, but it did not say for how long the third party had access to the file. The company said that not all Houzz users were impacted by the incident.

When asked specifically how many Houzz customers were impacted and what the root cause of the breach was, a Houzz spokesperson told Threatpost: “Because the investigation is still ongoing, the best information we are able to provide has already been covered in the FAQ.” In the email to impacted customers, Houzz urged them to change their passwords in their account settings.

@troyhunt FYI, web site @houzz got hacked. Just got this email notice. pic.twitter.com/QKB7iUGu1W — Stewart Rand (@stewssr) January 31, 2019

Tim Erlin, vice president of product management and strategy at Tripwire, said that the breach highlights the risks of password reuse. “While it might not be clear how this sensitive data was obtained, this is a good example of the risks of password reuse,” he said in an email. “If you used the same password for your Houzz account that you used for a more sensitive account, then you've put that more sensitive account at risk as well. Using unique passwords is a good way to protect yourself from this type of risk. Using multi-factor authentication is another way to reduce the risk. The internet is all about connection, and sometimes those connections work to the advantage of attackers.”

The breach is only the latest security incident so far in January – Discover Financial, IT management giant Rubrik, Airbus, the City of St. John in New Brunswick, Canada and the State Bank of India have all reported data exposures. Separately this week, 2.2 billion records were discovered on the Dark Web as part of a data dump that's being called “Collections #2-5.”


Hackers used Karma tool to hack iPhones of prominent Govt officials (HackRead.com)

By Uzair Amir. The UAE launched an aggressive cyber-espionage campaign using KARMA and the expertise of ex-NSA operatives. Though it seems hard to believe, it is indeed true that the smartphones of several prominent political and governmental personalities worldwide have been hacked by former US intelligence officers who now work for the UAE (United Arab Emirates) government. Prominent figures targeted […]


More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union's law enforcement agency.

In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators. Prior to the takedown, the service had more than 151,000 registered users and was responsible for launching some four million attacks over three years. Now, those same authorities are targeting people who paid the service to conduct attacks.

Webstresser.org (formerly Webstresser.co), as it appeared in 2017.

In the United Kingdom, police have seized more than 60 personal electronic devices from a number of Webstresser users, and some 250 customers of the service will soon face legal action, Europol said in a statement released this week.

“Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting out the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol officials warned.

The focus on Webstresser's customers is the latest phase of “Operation Power Off,” which targeted one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that even completely unskilled users can rent to knock nearly any website or Internet user offline.

Operation Power Off is part of a broader law enforcement effort to disrupt the burgeoning booter service industry and to weaken demand for such services. In December, authorities in the United States filed criminal charges against three men accused of running booter services, and orchestrated a coordinated takedown of 15 different booter sites.

This seizure notice appeared on the homepage of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites in December 2018.

The takedowns come as courts in the United States and Europe are beginning to hand down serious punishment for booter service operators, their customers, and for those convicted of launching large-scale DDoS attacks. Last month, a 34-year-old Connecticut man received a 10-year prison sentence for carrying out DDoS attacks against a number of hospitals in 2014. Also last month, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia's Internet access in 2016.

In December 2018, the ringleader of an online crime group that launched DDoS attacks against Web sites — including several against KrebsOnSecurity — was sentenced to three years in a U.K. prison. And in 2017, a 20-year-old from Britain was sentenced to two years in jail for renting out Titanium Stresser, a booter service that earned him $300,000 over the several years it was in operation.

Many in the hacker community have criticized authorities for targeting booter service administrators and users and for not pursuing what they perceive as more serious cybercriminals, noting that the vast majority of both groups are young men under the age of 21 who are using booter services to settle petty disputes over online games.

But not all countries involved in Operation Power Off are taking such a punitive approach. In the Netherlands, the police and the prosecutor's office have deployed a new legal intervention called “Hack_Right,” a diversion program intended for first-time cyber offenders. Europol says at least one user of Webstresser has already received this alternative sanction.

“Skills in coding, gaming, computer programming, cyber security or anything IT-related are in high demand and there are many careers and opportunities available to use these wisely,” Europol said.

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.


Many of you might have this question in your mind: “Is it illegal to test a website for vulnerability without permission from the owner?” Or… “Is it illegal to disclose a vulnerability publicly?” Well, the answer is YES, it's illegal most of the time, and doing so could backfire even when you have good intentions.

Last year, Hungarian police arrested a 20-year-old ethical hacker accused of finding and exploiting serious vulnerabilities in Magyar Telekom, the largest Hungarian telecommunications company, and he is now facing up to 8 years in prison.

According to local Hungarian media, the defendant first discovered a severe vulnerability in Magyar Telekom systems in April 2018 and reported it to company officials, who later invited him to a meeting. Reportedly, the hacker then traveled to Budapest for the meeting, which did not go as well as he expected, and apparently the company did not permit him to test its systems further.

However, the man continued probing Magyar Telekom networks and at the beginning of May discovered another severe vulnerability that could have allowed an attacker to access all public and retail mobile and data traffic and to monitor the company's servers. When Magyar Telekom detected an “uninvited” intrusion on its internal network, the company reported the incident to the police the same day, leading to his arrest.

The hacker is currently on trial. The Hungarian Prosecution Service is requesting a prison sentence, while the Hungarian Civil Liberties Union, a non-profit human rights watchdog, is defending the hacker, claiming that the indictment is inaccurate, incomplete and presented in false colors. However, the Prosecutor's Office said “anyone who reads the prosecutor's document can make sure that the indictment contains all information,” arguing that the defendant crossed a line and, due to the danger his actions may have posed to society, must face legal consequences.

The Prosecutor's Office also offered the man a plea bargain: if he admitted his guilt, he would be given a 2-year suspended sentence, and if not, he would have to serve five years in jail. After he refused the plea deal, the hacker was charged with an upgraded crime in the indictment, i.e., disrupting the operation of a “public utility,” which could put him behind bars for up to 8 years if he is found guilty.



UPDATE An Iran-linked APT known as Chafer has been spotted targeting various entities based in Iran with an enhanced version of a custom malware that takes a very unusual approach to communication, using the Microsoft Background Intelligent Transfer Service (BITS) mechanism over HTTP. Meanwhile, the victimology suggests the threat group is waging a cyber-espionage operation against diplomats there.

Remexi, Remixed

Over the course of the autumn, analysts at Kaspersky Lab observed attackers targeting embassies using an improved version of the Remexi malware, which Chafer has used in the past. It is spyware capable of exfiltrating keystrokes, screenshots and browser-related data like cookies and history. Remexi's developers used the C programming language and the GCC compiler on Windows in the MinGW environment to create the latest version of the malware (which has a March 2018 time stamp).

The main notable aspect of the code is that it consists of several working threads dedicated to different tasks, which it deploys in its working directory, according to Kaspersky. These include command-and-control (C2) command parsing, data exfiltration, launching victim activity logging in a separate module and seven threads for various espionage and auxiliary functions. It is also worth noting how these threads share information.

“One of the malware threads checks in an infinite loop if the mouse button was pressed and then also increments the integer iterator infinitely,” Kaspersky analysts said in a posting this week. “If the mouse-hooking function registers a button hit, it lets the screenshotting thread know about it through a global variable. After that, it checks if the iterator divided by (captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of 0. In that case, it takes a screenshot.”

Legit Microsoft Tools in the Mix

A notable aspect of the improved trojan is that the Remexi developers are relying on legitimate Microsoft utilities. For instance, for both C2 communication and exfiltration, Remexi uses the aforementioned BITS mechanism over HTTP.

“One of the things we keep in mind when we attribute a campaign to one or another actor is malefactors' tactics, techniques and procedures (TTP),” said Denis Legezo, senior security researcher, Global Research and Analysis Team (GReAT) at Kaspersky Lab. “Some of them develop all the needed tools from scratch, and others extensively use third-party applications alongside the code by their own developers. Chafer now is among the latter ones. Data exfiltration using BITS/bitsadmin.exe isn't typical at all.”

He added, “In terms of protective measures, such a communication mechanism means that the system administrators have to check BITS inbound/outbound traffic to external network resources in their environments.”

This “greater reliance on freely available software tools, also known as ‘living off the land’” offers threat groups a key advantage, according to previous Chafer analysis from Symantec: “By limiting their use of malware, groups such as Chafer hope to be less conspicuous on a victim's network and, if discovered, make their attack more difficult to attribute.”

Remexi also employs XOR encryption with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim's data. Different samples use unique keys, including the word “salamati,” which means “health” in Farsi.

How Remexi arrives on victims' desktops remains a bit of a mystery. “So far, our telemetry hasn't provided any concrete evidence that shows us how the Remexi malware spread,” analysts said. “However, we think it's worth mentioning that for one victim we found a correlation between the execution of Remexi's main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware.”

That said, in earlier attacks from 2015, Symantec found evidence that Chafer had been compromising targeted organizations by attacking their web servers, likely through SQL injection attacks, in order to drop malware onto them. In 2017, the group added a new infection method to its toolkit, using malicious documents which are likely circulated using spear-phishing emails sent to individuals working in targeted organizations.

Victimology

As for the victimology, Kaspersky speculates that the campaign could be a domestic affair. In addition to the aforementioned “salamati” being used as a Farsi-language human-readable encryption key, the vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses, including those tied to foreign diplomatic entities based in the country.

“They were after local hosts for years, but foreign diplomatic entities are something new for them from our point of view,” Legezo told Threatpost. “We saw several emerging actors moving from domestic campaigns to international ones. Such development seems quite logical: they got experience, toolsets became more mature and the set of tasks also broadens.”

Also, “among the artifacts related to malware authors, we found in the binaries a .pdb path containing the Windows user name ‘Mohamadreza New,’” the analysts noted. “Interestingly, the FBI website for wanted cybercriminals includes two Iranians called Mohammad Reza, although this could be a common name or even a false flag.”

This victim set could signal a return to Chafer's roots. According to the prior analysis from Symantec, foreign diplomats inside Iran have been a target for Chafer in the past. But the APT, which has been around since at least 2014, switched up its tactics in 2017 to expand beyond Iran to “hit organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia and Turkey.” Outside of the Middle East, Symantec also found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm. Sectors targeted included airlines; aircraft services; software and IT services companies serving the air and sea transport sectors; telecom services; payroll services; engineering consultancies; and document management software.

“So far, the campaign's TTPs aren't state of the art, but a trend among emerging actors is quite visible: they are becoming more mature and broadening their set of targets,” Legezo told Threatpost. “Speaking about targeted malware, one shouldn't consider anyone as an amateur. Maybe we don't see ‘advanced’ (from ‘APT’ abbreviation) techniques used in every campaign, but ‘persistent’ is here for sure anytime. Therefore, it's important to think about protective measures, like security software, a remediation plan and threat intelligence in advance.”

This post was updated at 2:35 p.m. ET on Feb. 4 to reflect additional researcher insights.
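Legezo's recommendation above is to check BITS traffic to external network resources. The following is an added example (not code from Kaspersky Lab, Threatpost or the Remexi authors) that triages BITS job records, ranking highest the jobs that reach a destination outside an assumed allowlist and internal ranges while also uploading data or having been created with bitsadmin.exe; the record format, the allowlist, the internal DNS suffix and every sample value are constructed for this example.

```python
"""Triage BITS transfer jobs for signs of abuse as a C2 or exfiltration channel.

Added example, not code from Kaspersky Lab, Threatpost or the Remexi authors.
The record format and every value in SAMPLE_RECORDS are constructed for this
example; map your own BITS job source (bitsadmin /list output, the BITS-Client
event log) onto parse_record() before use.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allowlist of hosts BITS legitimately talks to in this environment.
ALLOWED_HOSTS = {"wsus.corp.example", "download.windowsupdate.com"}
# Assumed internal DNS suffix and internal address ranges (RFC 1918 + loopback).
INTERNAL_SUFFIX = ".corp.example"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample records, one BITS job per line (203.0.113.7 is a
# documentation-only address standing in for an attacker-controlled host).
SAMPLE_RECORDS = [
    "2019-02-01T08:02:11Z user=CORP\\alice job=WU-4711 type=download "
    "url=https://wsus.corp.example/Content/abc.cab owner=svchost.exe",
    "2019-02-01T08:15:40Z user=CORP\\bob job=update type=download "
    "url=http://203.0.113.7/cfg/ owner=bitsadmin.exe",
    "2019-02-01T08:16:02Z user=CORP\\bob job=update type=upload "
    "url=http://203.0.113.7/up/bob.dat owner=bitsadmin.exe",
    "2019-02-01T09:00:00Z user=CORP\\carol job=print type=download "
    "url=http://10.20.30.40/drivers.zip owner=svchost.exe",
]

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) job=(?P<job>\S+) "
    r"type=(?P<kind>download|upload) url=(?P<url>\S+) owner=(?P<owner>\S+)$"
)


@dataclass
class Finding:
    job: str
    user: str
    host: str
    severity: str                     # "high", "medium" or "low"
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> Optional[dict]:
    """Return the record's fields, or None for a line that is not a BITS record."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal_host(host: str) -> bool:
    """True for allowlisted hosts, internal DNS names and internal IP ranges."""
    host = host.lower()
    if host in ALLOWED_HOSTS or host.endswith(INTERNAL_SUFFIX):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                  # an unrecognised public DNS name
    return any(addr in net for net in INTERNAL_NETS)


def assess_job(rec: dict) -> Finding:
    """Score one job: external destination plus upload or bitsadmin use ranks highest."""
    url = urlparse(rec["url"])
    host = url.hostname or ""
    via_bitsadmin = rec["owner"].lower() == "bitsadmin.exe"
    external = not is_internal_host(host)
    reasons = []
    if external:
        reasons.append("destination outside the allowlist and internal ranges")
    if url.scheme == "http":
        reasons.append("cleartext HTTP transfer")
    if rec["kind"] == "upload":
        reasons.append("upload job (possible exfiltration)")
    if via_bitsadmin:
        reasons.append("job created with bitsadmin.exe rather than by a service")
    if external and (rec["kind"] == "upload" or via_bitsadmin):
        severity = "high"
    elif external:
        severity = "medium"
    else:
        severity = "low"
    return Finding(rec["job"], rec["user"], host, severity, reasons)


def triage(lines: List[str], min_severity: str = "medium") -> List[Finding]:
    """Return findings at or above min_severity, highest severity first."""
    rank = {"low": 0, "medium": 1, "high": 2}
    found = [assess_job(r) for r in (parse_record(l) for l in lines) if r]
    kept = [f for f in found if rank[f.severity] >= rank[min_severity]]
    return sorted(kept, key=lambda f: -rank[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.severity}] job={f.job} user={f.user} host={f.host}: "
              + "; ".join(f.reasons))
```

Lowering min_severity to "low" also surfaces internal jobs that only travel over cleartext HTTP, which is useful for a baseline of what BITS normally does in an environment.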



Data privacy dominated the week of news ending Feb. 1. News headlines included both Facebook and Google finding themselves in hot water over distributing data-sucking apps on iOS devices. A severe flaw was also found in kid-tracking IoT smartwatches that could expose sensitive information for 35,000 children. Also this week, a new data dump of 2.2 billion compromised credentials, labeled “Collections #2-5,” was discovered on the Dark Web. Threatpost editors Lindsey O'Donnell and Tara Seals discuss these top news stories and more in this week's Threatpost news wrap.


Ah, the Super Bowl. For some, this Sunday's showdown between the Los Angeles Rams and the New England Patriots will be about gathering family and friends around for a great American pastime: the Super Bowl party. Some are just in it for the commercials. Some see a gambling opportunity; and for fans of the two teams playing, it's the culmination of everything they've been hoping for since September. And for cybercriminals, Super Bowl LIII is a massive fraud and infrastructure attack opportunity, and a perfect chance to attack those streaming the event.

Consumer Frauds and Scams

The ZeroFOX team said that it has found several instances this week of advertisements to place online sports bets and discussions about online betting for the Super Bowl, many of them fraudulent. Other common scams that are making the rounds are offers for tickets to see the game in Atlanta, cheap hotel rooms in the Peach City, and discounted official merchandise and jerseys.

“Watch out for those offering great deals on things like tickets, places to stay or that cool jersey you've been eyeing – be sure to take extra steps to verify that you're getting what you're paying for,” said Kirsten Ashbaugh, threat analyst on the ZeroFOX Alpha Team, in a report shared with Threatpost. “And if you do decide to place a wager, check the relevant state laws to make sure you're in the clear.”

Although sports betting, including online betting, has become legal in some states over the past year, it may not be legal or accessible depending on where one lives. “Only a handful of states have legalized this type of betting, and not all of them offer the ability to bet online,” Ashbaugh said. “The ones that do may restrict even online betting to those physically within state boundaries. If you do decide to partake, be sure to check if your state allows you to bet online, and look to make sure the website or app you're using is reputable.”

On the fraudulent ticket and travel front, game day ticket sales last week increased 65 percent, but instances of fraud attacks also spiked, according to data from Forter sent to Threatpost. The firm identified two types of criminals that have been actively trying to exploit both ticketing sites and football enthusiasts ahead of the big game: foreign fraudsters and domestic “legacy” fraudsters. Forter's analysis found that most fraud comes from outside of the U.S., making up 3.8 percent of total attempted Super Bowl ticket purchases. And when it comes to domestic threats, a New York-based crime ring has been targeting the ticketing industry and the Super Bowl specifically.

“The culprit uses sophisticated technology to alter IP address and fake their location, and frequently changes personal account details to avoid detection,” a Forter spokesperson explained via email. “So far, this scam has led to one massive failed attempt at purchasing $10,000 worth of Super Bowl tickets.”

Those looking for last-minute tickets should thus be on high alert. “Sellers may offer tickets that either are fake, created falsely online, or they could be reselling tickets that someone else is already planning on using,” ZeroFOX's Ashbaugh noted. “You could get to the gate and be out of luck. It's also a good idea to never post pictures on social media or elsewhere of your tickets to events like the Super Bowl, because people could use those photos or the ticket number to create fake tickets.”

Infrastructure Risks

One of the other concerns at the Super Bowl involves the critical applications and networks that support the event, hosted both locally and in the cloud. Broadcast networks, industrial control systems, civil-service networks and other related systems are also all at risk, according to Daniel Smith, a researcher at Radware. He noted in a Thursday posting that there's a precedent for the concern: “While there hasn't been a recent attack of scale reported against the Super Bowl, last year we did witness a piece of malware named Olympic Destroyer that targeted and disrupted the opening ceremonies and entry into the 2018 Winter Olympics.”

Also, today's stadiums, theaters, arenas and amphitheaters are target-rich environments, he added. They require small cells, WiFi and distributed antenna system (DAS) deployments to serve fans with modern, interactive game-watching enhancements. Often, the technologies designed to enhance the spectators' experience are easily exploited to harvest information from attendees, according to Smith. It's an attractive cybercrime opportunity, given the sheer amount of data traffic that these systems support. Extreme Networks reported that last year's attendees at Super Bowl LII in Minnesota transferred 16.32 terabytes of data with a peak rate of 7.867 Gbps.

“This Super Bowl, like years before, will bring large crowds once again that will demand connectivity and are expected to consume record breaking volumes this year,” Smith said. “This is an enormous demand for connectivity and the technology involved could pose a security risk for event organizers, partners, sponsors and attendees as their activities in the stadium begin to produce more digital oil: data.”

Infected Streams

Last year, the Big Game drew an estimated 103 million viewers and saw record-breaking streaming traffic, according to NBC. Super Bowl LII had an average online viewership of 2 million, a 15 percent gain over the 2017 event. The stream was available on the NBC Sports app, NBCSports.com and the Yahoo Sports app, among others. At its peak, the online audience clocked in at 3.1 million concurrent streams. It's safe to say that this year's digital audience will likely improve on that.

So as the Los Angeles Rams face off against the New England Patriots this year, cybercriminals will be looking to take advantage of the thirst for multimedia and streaming access to the game. In the era of “cord-cutting,” those without television packages will look for ways to watch Super Bowl LIII digitally, as will those who have to work or who will otherwise not be in front of a TV. Against this backdrop, cybercriminals have been focused on spreading malicious software via unsanctioned streams, designed to harvest and steal personal information.

“On Super Bowl Sunday, millions of sports fans worldwide will descend onto the internet eagerly searching for a free stream,” Ray Walsh, digital privacy expert at BestVPN.com, said via email. “The result is every hacker's dream. This year, hackers are expected to have set up more infected streams than ever before. Anybody arriving on an infected page to hit the ‘Click Here to Watch the Super Bowl in HD’ button is in for a nasty surprise. Malware, spyware, trojans and ransomware are all going to be on the menu — which means that sports fans are going to end up with serious infections.”

Fans should instead stick to watching official HD streams, he added, to avoid misery.
