When the Hackers Get Hacked

Nulled.io, a forum that sells compromised passwords, stolen bitcoins and other neat stuff was hacked recently, exposing email addresses of people buying and selling, purchase histories and messages between buyers and sellers for 500,000 members.

Here is what the website looks like today:

Nulled.io

If you look at their “tag line” below their logo, it says EXPECT THE UNEXPECTED.  Perhaps they needed to heed their own advice.

This data was discovered by security analysis firm Risk Based Security and it is available to anyone who is interested can look at this data.  The size of data hacks that we are beginning to see is amazing.  This leak is almost 10 gigabytes in size.  No longer are we seeing people expose a database or a few email messages;  now they are dumping an entire website.

I ASSUME that two groups of people who might be interested are folks like law enforcement (FBI, Scotland Yard) and intelligence agencies (NSA, CIA, MI5, MI6).  One group is interested in who they can arrest and charge with a crime.  The other is interested in who they can turn and use for their own purposes.  In either case, there are likely some people who are going to get an unwanted visit from the men in black.

The private messages provide an insight into the minds of criminals including what can be bought and sold as well as the tech support requirements (the private messages act as a form of hacker help desk) as hackers try to get their hacks working.

In total, there are over 2 million posts, 800,00 messages, 5,000 purchases and 12,000 invoices.

How the site was hacked is unknown, but the software that the site runs on, Invision Power Services’ IPS Community Suite, was riddled with critical vulnerabilities according to Risk Based Security.

Maybe the hackers need to read the news and keep their software patched and up to date.  MAYBE, they should have done penetration testing.  I wonder if they know anyone who knows how to do that kind of stuff – like most of their members?

One possible scenario, and there certainly are a lot of possibilities, is that a disgruntled buyer decided to take out his or her frustration on the site.

In any case, it just goes to show that there IS no honor among thieves.

 

Information for this post came from Ars Technica and Risk Based Security.

Facebooktwitterredditlinkedinmailby feather

5 Year Old Qualcomm Bug Leaves Many Phones Vulnerable

A 5 year old bug in a Qualcomm chipset used in many Android phones allows a hacker to elevate their privileges and read SMS and call history data, change system settings or disable the lock screen.

Hackers could exploit this bug by having physical access to an unlocked phone or by getting a user to install a malicious app.

The bug affects older versions of the Android OS, like version 4.3 and earlier, the most.  Since that software is likely not supported by anyone, those phones likely will never be patched.

The Android OS added something call Security Enhancements for Android in version 4.4 which reduces significantly but does not eliminate the problem.  This is the main reason why Apple tries really hard to force people to upgrade OS versions, even if it means that they have to trash their old phones.

Congress is now investigating the issue of OS support in old phones (yes – we’re from the government and we’re here to help you), however, that is unlikely to change anything any time soon.

Google released a patch for this bug on May 1, but given the carrier’s track record at releasing patches, it is likely going to be months before most users see that patch – if ever.  Google says that Nexus phones are not vulnerable to this – I assume this means that they do not use the Qualcomm chip that is at the heart of this problem,

For any given user, it would be difficult to figure out whether their particular phone is susceptible, but users running Lollipop (V5) and Marshmallow (V6) are likely least affected.

One more time, Apple beats Google because they control the supply chain end to end.  In a closed world, where one company makes the phones and the OS, they can force patches quickly.  In the Android world, Google can release patches and patch their Nexus phones, but have very little control over the  handset makers like LG and Samsung or the Carriers like AT&T or Sprint.

Congress could potentially have some impact here, but I am not counting on them doing anything smart.  They do not seem to have a good track record.

 

Information for this post came from Ars Technica.

Facebooktwitterredditlinkedinmailby feather

Denial of Service Attack Meets Ransomware

Cloudflare, the denial of service prevention vendor, is reporting hearing of gangs who threaten denial of service attacks unless the victim pays a ransom in bitcoins.  Even though they have heard from over 100 customers, none have been attacked, whether they pay or not.

Here is the scam.  You use the name of a known DDoS group – in this case, the Armada Collective – and threaten people with being attacked.  The attacker may – or may not – have any relation to that group.

You set the payment level low for avoiding the attack – in this case, 10 bitcoins or about $4,000.

You threaten people that if they don’t pay they will be attacked and the fee to stop the attack will go up to 20 bitcoins and go up by 10 bitcoins a day.

You also tell people that you have a magic attack that bypasses anti-DDoS vendors like Cloudflare.

And then, you sit around and wait until some people pay up.

This is a whole lot simpler than actually having a way to launch a DDoS attack or having a way to bypass Cloudflare’s protections.

To date, according to a company that reviews the bitcoin blockchain, these attackers have received at least $100,000.  While that is not much, there may be other bitcoin accounts that they have not examined and  the attackers only cost is sending out a few emails.

While there certainly is no way to know if the attacker can launch an attack, at least so far, they do not seem to have either the ability or desire to do so.

The folks at Cloudflare have talked to other anti-DDoS vendors and they also have customers who have received the emails.

It is certainly possible that these attackers COULD have the capability to launch an attack – we just do not know.

One reason to doubt it is that they seem to be reusing bitcoin accounts between different targets.  Given bitcoin is anonymous, if they did, in fact, plan to attack someone, they would not have an easy way to figure out who has paid and who has not paid.

At the moment, Cloudflare seems to think this is an empty threat, but things do change.  Now that they have been outed on Cloudflare’s blog, they could decide to escalate.  OR, they could decide to fold for a while, wait for people to forget and try it again.

No one knows.

Information for this post came from Cloudflare.

Facebooktwitterredditlinkedinmailby feather

Home Depot Still Dealing With The After Effects Of The Breach

In late 2014 Home Depot announced that hackers compromised their security and stole 50 million credit cards and another 50 million loyalty cards.  18 months later, there are still three class action lawsuits pending.  One is close to settling.  In a recent 10-K filing with the SEC, Home Depot said that they had spent over $150 million on the breach, net of what their insurance paid, which is reputed to be another $90-$100 million.

While I do not have any personal knowledge of the breach, industry reports suggest that their cyber hygiene was sub-standard, an issue that could affect the outcome of the three class actions still in play.

Some people say that the breach was not so bad.  They measure that by the stock price and that has held up.  Part of that may be that Home Depot did a better job of communicating, but it may be that investors know that the business will eventually recover.  If you assume that they spent $161 million so far and there are still lawsuits to settle, they could easily spend a quarter of a billion dollars – or more – before this is over.  That, I suggest, is bad.  It is money that would have otherwise flowed to shareholders or been reinvested in the business.  Now it will go to lawyers and plaintiffs.

The first lawsuit to be filed was by consumers and it is the least painful.  Since the banks make consumers whole, for the most part, the value of the damage is small. Currently, there is a preliminary settlement for this suit, which, if approved, would cost Home Depot another $20 million plus a requirement to enhance security – whatever that costs.

The second suit is from the banks.   They say they spent $150 million reissuing cards.  Fraud is on top of that.  Home Depot’s lawyers say that the banks don’t have standing to sue.  We shall see.  Home Depot’s story is that they don’t have a contract with YOUR bank – the one that reissued your card, only their bank.  This has been tried before without success, but you can’t blame a guy for trying.  Stay tuned.  This COULD cost Home Depot a lot of money, depending.

The third lawsuit is from the shareholders, who filed a derivative lawsuit against the company and 12 board members directly.  This is the one that could hurt.  So far, it has been next to impossible to succeed at suing Boards and Directors, but this is no ordinary breach, so stay tuned.  The suit says that the company and the Board breached their fiduciary duty by failing to make sure that the company took reasonable steps to protect consumer’s information.  What is unclear is what the damage is. If the stock price didn’t take a hit, were they damaged?  Of course, the company will spend $150-$250-$350 million dealing with the breach.  Maybe the company would be much better off if the executives could focus for 3 or 4 years on running the company rather than fending off lawsuits.  IF this suit prevails, it could open up the floodgates for similar shareholder lawsuits.

We do need to remember that the $161 million expense is pretax, so depending on their tax rate, it will be less.  Of course, that means that you and I get to pay again for Home Depot’s mismanagement – the first time in bank fees that the banks use to cover the breach cost and the second time in tax savings because breach costs are tax deductible.

All companies should be watching for the outcome of this case and checking out their cyber breach preparedness.  For small companies, suits like this are often fatal.

Information for this post came from JDSupra.

Facebooktwitterredditlinkedinmailby feather

GCHQ Pulls Kill Switch On Smart Meter Rollout

GCHQ is The British version of the CIA.  Usually, they are out chasing bad guys in foreign countries.  This week they are protecting British citizens.  With all of the news of intelligence agencies eavesdropping on citizens, it is nice to hear a story where they are decidedly, doing the right thing.

This all started with a plan to roll out smart meters to manage electricity and gas to every building in England.

This amounted to 53 million meters.

These smart meters don’t just read the amount of electric or gas that you use, they can shut off your utilities completely and do other things as well.

Imagine, if a hacker – or unfriendly government – were to gain control of all of these meters and shut down power to every building in the country, what would happen.  What if, they not only did that, but overwrote the firmware in the  meters so that the utilities could no longer control those meters to turn the electric back on and had to replace all 53 million meters.  This is not far fetched.  This is basically what happened in Ukraine last December when the Russian government decided to mess with Ukraine’s infrastructure.

Well, how could that happen?  It appears that the utilities and meter manufacturers, according to sources, understand a lot more about how to make a meter than how to write software.  In reality, this is not a big surprise.

So what did they do?  They created a system where all 53 million meters were protected with the same encryption key.

If that one key was compromised – say by reverse engineering a meter – the attacker might then be able to control every other meter in the country.

What could possibly go wrong.

In this case, GCHQ,which apparently does not have a vested interest in reading your electric meter, but the kibosh on the whole thing.  Good for them!

The program to replace all the meters is already forecast to cost about $18 billion.  Customers are supposed to save about $39 a year, but they will have to buy a $45 device to read their usage.

Depending on how bad the software that these “metal bashers”, as the meter companies are called not so fondly, is, how much more rewriting the software, both for the meters and at the utilities will cost.  The software will need to manage 50 million encryption keys instead of just one key, which could be simple or could be very complex.

In this case, hopefully, no one is going to complain about the spy agency watching because if the utilities had their way, it would only be a matter of when, not if, Britain went dark.

As I always say – security or convenience.  Pick one.

 

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed