listen more to learn more.

Thursday, September 29, 2016

Syrian Electronic Army Member Pleads Guilty to Hacking, Extortion

A member of the Syrian Electronic Army hacker group arrested earlier this year in Germany has pleaded guilty to hacking and extortion charges before a judge in the Eastern District of Virginia.

Peter “Pierre” Romar, 36, pleaded guilty to conspiracy to receive extortion proceeds and conspiracy to unlawfully access computers. According to the U.S. Department of Justice, the man faces up to five years in prison. Sentencing is scheduled for October 21.
Romar had been residing in Germany, where he was arrested by local law enforcement just before U.S. authorities announced the charges against Syrian Electronic Army members. He was extradited to the United States in May.
The Syrian Electronic Army surfaced in 2011 and it was active until recently, when authorities in the United States announced criminal charges against three of the group’s members. The hacker collective breached the systems of many high-profile targets in support of the Syrian regime, including government and media organizations.
According to authorities, Romar and another SEA member, 27-year-old Firas Dardar, known online as “The Shadow,” were also involved in an extortion scheme that targeted organizations in the U.S. and other countries. The cybercriminals breached the systems of various companies and threatened to damage their computers and data unless they paid a specified amount of money.
Since victims could not send the money directly to Dardar in Syria due to sanctions, Romar acted as an intermediary in Germany. U.S. authorities are aware of 14 victims, from which the hackers demanded more than $500,000, although in many cases the amount of the ransom was negotiated and eventually lowered.
Dardar and 22-year-old Ahmad Umar Agha, the SEA member known as “The Pro,” are still at large, and they are believed to be residing in Syria. The FBI has been offering $100,000 for information leading to their arrest.

Related Reading: Briton Accused of U.S. Govt Hack Can be Extradited

Related Reading: Kosovo Hacker Linked to IS Group Gets 20 Years in U.S. Prison

Related Reading: Two Men Arrested in U.S. for Hacking Emails of Top Officials

Vulnerabilities, Backdoors Found in D-Link Mobile Hotspot

Vulnerabilities, Backdoor Found in D-Link DWR-932B LTE Router
Security researchers have discovered numerous unpatched security vulnerabilities in the D-Link DWR-932B LTE router / access point, including backdoor accounts and default Wi-Fi Protected Setup (WPS) PIN. 

The device is sold in various countries and, given its numerous weaknesses, looks like a security nightmare for customers. The vulnerabilities were discovered by Pierre Kim, who decided to reveal only the most significant of them and who says the issues affect even the latest firmware version released by the vendor.
Earlier this year, Kim disclosed numerous unpatched vulnerabilities affecting the LTE QDH routers made by Quanta, including backdoors, a hardcoded PIN, flaws in the web interface, a remote code execution issue, and other bugs. The flaws that impact D-Link’s router appear similar to those found in Quanta’s device.
The researcher discovered two backdoor accounts on the device and says that they can be used to bypass the HTTP authentication used to manage the router. There is an “admin” account with password “admin,” as well as a “root” account, with password “1234.” By default, telnetd and SSHd are running on D-Link DWR-932B, yet the latter isn’t documented, the researcher also explains.
Next, there is a backdoor inside the /bin/appmgr program, which allows an attacker to send a specific string over UDP to the router to start an authentication-less telnet server (if a telnetd daemon is not already running). The issue is that the router listens on 0.0.0.0:39889 (UDP) for commands and grants root access without authentication if “HELODBG” is received as the command.
D-Link DWR-932B also ships with 28296607 as the default WPS PIN, hardcoded in the /bin/appmgr program. The HostAP configuration contains the PIN as well, and so do the HTTP APIs. What’s more, although the router allows the user to generate a temporary PIN for the WPS system, that PIN is weak: the generating algorithm uses srand(time(0)) as its seed. An attacker who knows the current date, and therefore the value of time(0), can generate sets of valid WPS PINs and brute-force them, the researcher explains.
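The two generator designs this paragraph contrasts, as an added example that is neither the researcher's code nor the router's firmware: a temporary PIN drawn from a PRNG seeded with the clock (Python's random module stands in for C's srand()/rand() pattern described above) beside one drawn from the operating system's CSPRNG. Both append the WPS checksum digit so the result is a well-formed 8-digit PIN; the default PIN quoted above, 28296607, passes that checksum. The function names and the timestamp are mine.

```python
import random
import secrets


def wps_checksum_digit(body: str) -> int:
    """Checksum digit of a WPS PIN: 3 * (digits 1,3,5,7) + (digits 2,4,6), mod 10."""
    d = [int(c) for c in body]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def weak_temp_pin(now: int) -> str:
    """Clock-seeded generator, the srand(time(0)); rand() pattern from the advisory.

    The PIN is a pure function of the seconds-resolution timestamp: two runs that
    share a seed share a PIN, so bounding the time of generation bounds the PIN.
    """
    rng = random.Random(now)                      # seed == current time (stand-in for srand)
    body = f"{rng.randrange(10**7):07d}"          # seven random digits
    return body + str(wps_checksum_digit(body))


def strong_temp_pin() -> str:
    """CSPRNG-backed generator: each PIN is independent of the clock and of earlier PINs."""
    body = f"{secrets.randbelow(10**7):07d}"
    return body + str(wps_checksum_digit(body))


def seed_space_size(window_seconds: int) -> int:
    """Upper bound on distinct PINs a clock-seeded generator can emit in a window:
    one per seed value, so at most window_seconds, against 10**7 for the CSPRNG path."""
    return min(window_seconds, 10**7)


if __name__ == "__main__":
    t = 1475000000                                   # constructed timestamp, late September 2016
    print(weak_temp_pin(t), weak_temp_pin(t))        # identical: same seed, same PIN
    print(strong_temp_pin(), strong_temp_pin())
    print(wps_pin_valid("28296607"))                 # True
    print(seed_space_size(24 * 3600))                # 86400 candidate seeds in a day
```

The defender's takeaway is the last function: a generator whose only entropy is the clock has at most one PIN per second of uncertainty about when it ran, which is why a WPS PIN (or any short secret) must come from a CSPRNG such as Python's secrets module or, in C on Linux, getrandom().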
Kim also reveals that the file /etc/inadyn-mt.conf contains a user and a hardcoded password, and that the HTTP daemon /bin/qmiweb contains multiple vulnerabilities as well. The router also executes strange, purposeless shell commands as root.
Furthermore, the router supports remote FOTA (Firmware Over The Air) and contains the credentials used to contact the server hardcoded in the /sbin/fotad binary as base64 strings. The researcher discovered that, although the FOTA daemon tries to retrieve the firmware over HTTPS, the SSL certificate has been invalid for a year and a half.
The researcher also reveals that the security level of the UPnP program (miniupnp) in the router is lowered, which allows an attacker located in the LAN to add port forwarding from the Internet to other clients in the LAN. “There is no restriction about the UPnP permission rules in the configuration file, contrary to common usage in UPnP where it is advised to only allow redirection of port above 1024,” Kim notes.
Because of this lack of permission rules, an attacker can forward everything from the WAN into the LAN, the researcher says. This means that they can set rules to allow traffic from the Internet to local Exchange servers, mail servers, FTP servers, HTTP servers, database servers, and the like.
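How a permission-rule check decides whether a port-mapping request is honoured, as an added example that is not from the advisory or the router's firmware. It uses miniupnpd's allow/deny rule shape as I understand it (`allow|deny <external port range> <LAN network> <internal port range>`, first matching rule wins) and assumes, as the commonly advised configuration does by ending with a catch-all deny, that a request matching no rule is allowed. The rule lines, LAN hosts and requests are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed rule sets. The first is the situation the advisory describes: no
# permission rules at all. The second is the commonly advised shape: only high
# ports, only for the LAN subnet, then deny everything else.
UNRESTRICTED_CONF = ""

HARDENED_CONF = """
# allow|deny <external port range> <LAN network> <internal port range>
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""


@dataclass(frozen=True)
class Rule:
    action: str
    ext_lo: int
    ext_hi: int
    net: ipaddress.IPv4Network
    int_lo: int
    int_hi: int


def _port_range(text: str) -> tuple[int, int]:
    lo, hi = (int(x) for x in text.split("-"))
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def parse_rules(conf: str) -> list[Rule]:
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad rule {raw!r}")
        rules.append(Rule(action, *_port_range(ext),
                          ipaddress.ip_network(net, strict=False), *_port_range(internal)))
    return rules


def mapping_allowed(rules: list[Rule], ext_port: int, lan_host: str, int_port: int) -> bool:
    """First matching rule decides; no match means allowed (assumption, see lead-in)."""
    host = ipaddress.ip_address(lan_host)
    for r in rules:
        if r.ext_lo <= ext_port <= r.ext_hi and host in r.net and r.int_lo <= int_port <= r.int_hi:
            return r.action == "allow"
    return True


def audit(conf: str, requests):
    """Return the (ext_port, lan_host, int_port) requests this configuration would honour."""
    rules = parse_rules(conf)
    return [req for req in requests if mapping_allowed(rules, *req)]


# Constructed AddPortMapping requests of the kind the advisory warns about.
REQUESTS = [
    (25, "192.168.1.10", 25),        # SMTP into an internal mail server
    (443, "192.168.1.20", 443),      # HTTPS into an internal web server
    (21, "192.168.1.25", 21),        # FTP
    (3306, "192.168.1.30", 3306),    # MySQL: above 1024, so the advised rule lets it through
    (50000, "192.168.1.40", 50000),  # an ordinary high-port mapping a game or VoIP client needs
    (50000, "10.0.0.5", 50000),      # host outside the LAN subnet
]

if __name__ == "__main__":
    print("as shipped:", audit(UNRESTRICTED_CONF, REQUESTS))
    print("hardened  :", audit(HARDENED_CONF, REQUESTS))
```

Note the caveat the audit exposes: the "above 1024" convention blocks mappings onto the privileged service ports (mail, FTP, web), but a database listening on 3306 still passes, so treat the advised rule as a floor and narrow the internal port range to what the LAN actually needs.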
An attacker can overwrite the router’s firmware with a custom firmware if they wanted to, “but with all these vulnerabilities present in the default firmware, I don't think it is worth making the effort,” Kim says. He also notes that, because the device has a sizable memory (168 MB), a decent CPU, and good free space (235 MB), along with complete toolkits installed by default, users should consider trashing it, “because it's trivial for an attacker to use this router as an attack vector.”
D-Link was informed of these issues in June, but the company has yet to resolve them. Because 90 days have passed since the vulnerabilities were reported to the vendor, Kim decided to publish an advisory revealing them.
This is not the first time D-Link products have made headlines due to security vulnerabilities. The company patched a critical flaw in several DIR model routers in August, after a popular D-Link Wi-Fi camera was found in June to be affected by a serious flaw that was subsequently discovered in over 120 D-Link products.

Russian Hackers Target Journalists Investigating MH17 Crash

Two Russia-linked threat groups have been targeting citizen journalists investigating Moscow’s involvement in the downing of Malaysia Airlines flight MH17 in July 2014 as it was crossing Ukraine.
 
In October 2015, Trend Micro reported that the Dutch Safety Board (DSB), which had been investigating the cause of the crash, was targeted by the Russian cyberspy group known as Fancy Bear, Pawn Storm, APT28, Sofacy, Sednit and Tsar Team. The DSB published its report on the incident in the same month.
The same actor also appears to have targeted Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.
Bellingcat has published numerous articles on the MH17 crash and its reporting has been used in the investigation conducted by the Joint Investigation Team (JIT), which includes members from Australia, Belgium, Malaysia, the Netherlands and Ukraine. Bellingcat founder Eliot Higgins was an official witness in the investigation.
The JIT, which focused on the criminal investigation, published its report on Wednesday, saying that the plane crashed after being hit by a missile brought in from Russia and fired from an area controlled by pro-Russian separatists.
According to threat intelligence firm ThreatConnect, Bellingcat members who covered the crash of flight MH17 had received spear phishing emails between February 2015 and July 2016. The emails, designed to look like they were coming from Google, were similar to the ones described in June by researchers at SecureWorks, who identified thousands of email accounts targeted by Fancy Bear, including ones belonging to journalists.
The attacks aimed at Bellingcat also involved domains and domain registration data that was previously linked to Fancy Bear activity, ThreatConnect said.
In addition to Fancy Bear, Bellingcat has been targeted by CyberBerkut, which claims to be a pro-Russia hacktivist group based in Ukraine. CyberBerkut has taken credit for attacks on Ukrainian, Polish and German government systems.
In February 2015, CyberBerkut breached a Bellingcat contributor’s account and used it to post a story titled “CyberBerkut is already here.” The targeted user was Ruslan Leviev, a Russian opposition blogger and Bellingcat contributor who had covered several Russia-related topics. Leviev said the attackers hijacked his Yandex, LiveJournal and Twitter accounts. The Yandex account was protected with a strong password and two-factor authentication, which led the blogger to believe that the attacker either had direct access to Yandex servers or had knowledge of a zero-day vulnerability.
While it is possible that Leviev was targeted for other Russia-related reporting and the attack carried out by CyberBerkut has nothing to do with Fancy Bear’s interest in the MH17 investigation, ThreatConnect believes a more likely scenario is that the two threat groups are somehow connected.
One possibility is that CyberBerkut targeted Leviev in a more aggressive attack after Fancy Bear’s spear-phishing emails failed. The information used to register CyberBerkut domains also suggests a tie to Fancy Bear.
Furthermore, there is evidence that CyberBerkut is connected to DCLeaks, a Russian-backed influence outlet that has been linked to Guccifer 2.0, the hacker who took credit for the attacks on the U.S. Democratic Party. While Guccifer 2.0 claims to be a hacktivist based in Romania, researchers believe he’s just a persona used by Fancy Bear to throw investigators off track.

Related: Russian Cyberspies Use "Komplex" Trojan to Target OS X Systems

All Your iMessage Contacts Are Belong to Apple

Apple can’t tap into iMessage conversations, thanks to end-to-end encryption, but the iPhone maker does know whom you message or attempt to message.

Earlier this year, Apple entered a spat with the FBI when it refused to unlock an iPhone that belonged to Islamic terrorist Syed Rizwan Farook, who together with his wife Tashfeen Malik, killed 14 people in a mass shooting in San Bernardino, California in December 2015. Apple at the time claimed that it couldn't unlock the device and said the FBI was essentially asking it to create a backdoor into the iPhone.
In the end, the FBI was able to unlock the device without Apple’s involvement (it was helped by an outside party, which reportedly cost more than $1 million), but the spat sparked debate over the use of backdoors. Privacy advocates, security experts, and tech companies supported Apple’s decision, arguing that available encryption products would be undermined if a backdoor was included in them.
As it turns out, Apple’s stance might have been influenced by marketing reasons too, and not purely by its determination to protect user privacy. When the Apple/FBI battle ended, the tech company emerged as a determined privacy advocate, but the incident didn’t tell the entire story. The document (below) obtained by The Intercept shows that Apple can tap into some information regarding users’ iMessage conversations, and that it does share these details with law enforcement when required to do so.
Specifically, while it can’t view the conversations you carry out with your iMessage contacts, Apple does log the queries the messaging app makes to its servers to determine whether the person you are trying to contact is using the iMessage system or not. Based on these details, a message is sent to the Messages or SMS app, and it appears in conversations either as a blue or a green bubble.
Apple’s logs record each such query and include information like your phone number, the phone number you entered, the date and time when you entered the number, and your IP address. Basically, this means that Apple knows who you were trying to contact (or at least their phone number), when you were trying to contact that person, and your approximate location at that time based on your IP address (which could be spoofed via VPN).
Not only does Apple log these details, but it also shares them with the police when court orders compel it to. While Apple says that it retains those logs for only 30 days, court orders that request such information can typically be extended in additional 30-day periods, The Intercept notes. These can be combined to create extensive lists of numbers someone has been entering.
The document, reportedly titled “iMessage FAQ for Law Enforcement,” clearly states that these logs do not offer proof that you actually contacted a number you entered in the Message app. “The document implies that Messages transmits these numbers to Apple when you open a new chat window and select a contact or number with whom to communicate, but it’s unclear exactly when these queries are triggered, and how often,” The Intercept explains.
The content of sent messages remains safe from intruding eyes, because iMessage is encrypted end-to-end, but Apple admits to sharing requested information with the police if that information is in its possession. “In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices,” Apple told The Intercept.
“We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place,” an Apple spokesperson also said.
In the end, Apple remains true to its claim that your conversations are private and that only you and your contacts can access them, though the company does know who you might have been talking to. Apple might not be willing to weaken the security of its products by including a backdoor, but it should be more straightforward when it comes to the kind of information it can access and subsequently share with law enforcement.

Related: WhatsApp Toughens Encryption After Apple-FBI Row

Leak of 200 Million Yahoo Accounts Linked to 2014 Hack

An investigation into the two recently disclosed Yahoo security incidents revealed a connection between them and led researchers to believe that the claim of 200 million accounts being stolen in 2012 is likely false.

In early August, a hacker claimed to possess 200 million Yahoo user accounts stolen from the tech giant back in 2012. The hacker, known online as Peace and peace_of_mind, had offered to sell the data for 3 Bitcoin on a marketplace called TheRealDeal, where he had previously sold hundreds of millions of Tumblr, Myspace, VK and LinkedIn accounts.
Then, earlier this month, Yahoo confirmed that attackers, which the company believes were sponsored by a nation state, breached its systems in 2014 and stole at least 500 million user accounts. Yahoo never confirmed the alleged 2012 incident, although some suggested that the company discovered the 2014 breach while investigating those claims.
Security firm InfoArmor launched an investigation and determined that the vast majority of the 200 million credentials were not associated with Yahoo accounts. Experts believe the data likely comes from multiple third-party leaks and that some of the credentials match only because people reuse passwords. It’s worth noting that some people questioned the validity of the 2012 dump ever since samples of the data were made available.
InfoArmor believes Peace faked the data after having a falling-out with tessa88, another hacker who recently offered to sell hundreds of millions of accounts stolen from various services. According to researchers, tessa88 and Peace exchanged stolen information, until the former was called out over fake and low-quality dumps.
However, evidence uncovered by InfoArmor suggests that there is a link between these cybercriminals and the threat actor that carried out the 2014 attack confirmed by Yahoo.
Researchers believe tessa88 is linked to the real Yahoo hackers through an unidentified actor that played the role of a proxy. This proxy allegedly obtained the Yahoo data from professional black hats in Eastern Europe and provided it to various other actors, including cybercriminals and a state-sponsored party that had been interested in exclusive database acquisitions.
Tessa88 had previously received accounts from the proxy and InfoArmor believes tessa88 and Peace expected to get the Yahoo data as well. However, since that did not happen, Peace created a fake dump and claimed it came from a 2012 breach.
According to the security firm, the 500 million accounts were stolen from Yahoo after the compromised database was divided into hundreds of equal parts. The files, which contained data organized alphabetically, were exfiltrated in segments.
InfoArmor said the actual Yahoo dump is still not available on any cybercrime forums. However, the data has been monetized by some cybercriminals and the company believes it might have also been leveraged in attacks targeting U.S. government personnel.
Yahoo breach aftermath
News of the breach has caused serious problems for Yahoo, just as the company’s core business is about to be acquired by Verizon for $4.8 billion. Some believe the incident could impact the deal, but Verizon has yet to comment.
Several class actions have been filed against Yahoo by customers, including people who claim to be directly affected by the breach.
Earlier this week, U.S. Senator Patrick Leahy sent a letter to Yahoo CEO Marissa Mayer asking how such a massive breach could go undetected for two years. Senator Mark Warner has asked the Securities and Exchange Commission (SEC) to determine if the company fulfilled obligations to keep the public and investors informed, as required by law.
Mayer reportedly neglected cybersecurity since she took over the company. According to The New York Times, current and former employees said the CEO focused on functionality and design improvements rather than security.
Alex Stamos, who left his CISO position at Yahoo last year to become Facebook’s CSO, was allegedly denied financial resources for proactive security solutions. Mayer is said to have also rejected a proposal to reset all user passwords fearing that the move would result in more users abandoning its services.
Related: Yahoo Pressed to Explain Huge 'State Sponsored' Hack
Related: Russia? China? Who Hacked Yahoo, and Why?

Tuesday, September 27, 2016

Russian Cyberspies Use "Komplex" Trojan to Target OS X Systems

Researchers at Palo Alto Networks have come across an OS X Trojan they believe has been used by a notorious Russia-linked cyber espionage group in attacks aimed at the aerospace industry.

The malware, dubbed “Komplex,” appears to have been developed by the threat actor known as Sofacy, Pawn Storm, APT28, Sednit, Fancy Bear and Tsar Team. The gang has been tied to numerous high-profile attacks, including ones aimed at the U.S. government and the country’s political parties, the German parliament, and the World Anti-Doping Agency (WADA).
According to Palo Alto Networks, Komplex attacks start with a binder component that deploys a decoy document, which is displayed with the Preview application in OS X, and the Trojan’s dropper. The dropper component is designed to drop and execute the main payload and ensure its persistence by configuring the system to launch it when OS X starts.
Once it infects a device, the malware establishes contact with its command and control (C&C) server and collects system information. The Trojan allows attackers to execute arbitrary commands and download additional files to the affected machine.
Palo Alto Networks’ analysis revealed that Komplex is likely the unnamed Mac Trojan described in a June 2015 blog post by BAE Systems. At the time, the malware had been delivered via a vulnerability in the MacKeeper security and optimization software.
Researchers also discovered links between Komplex and the variant of the Carberp malware used by the Sofacy group in attacks targeting the U.S. government. While Carberp is designed to target Windows systems, experts have identified several similarities, including in URL generation logic, file extensions, encryption and decryption methods, command handling, and Internet connectivity checks.
“Based on these observations, we believe that the author of Sofacy’s Carberp variant used the same code, or at least the same design, to create the Komplex Trojan,” Palo Alto Networks explained in a blog post. “A benefit of retaining many of the same functionalities within the Windows and OS X Trojans is that it would require fewer alterations to the C2 server application to handle cross-platform implants.”
Experts also uncovered C&C infrastructure overlaps as some of the domains used by Komplex are known to be associated with Sofacy activity.
Ryan Olson, intelligence director at Palo Alto Networks’ Unit 42, told SecurityWeek that they first detected Komplex at the beginning of August. While there is no indication of significant changes in the malware functionality compared to the variant analyzed by BAE Systems last year, the attackers have apparently switched from exploiting MacKeeper vulnerabilities to using decoy documents.
While experts have not been able to precisely determine which organizations have been targeted with this OS X Trojan, based on decoy documents, they believe one of the targets was likely associated with the aerospace industry.
Related: Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux

Spammers Increasingly Hijacking IPv4 Addresses

As new IPv4 addresses are more and more difficult to come by, spammers are increasingly hijacking existing IP address ranges for their nefarious purposes, Spamhaus researchers warn. 
The issue, researchers explain, is that spammers need a constant flow of fresh IP addresses, because those they use quickly acquire a bad reputation as sources of spam. This issue isn’t new, and spammers are constantly looking for new ways of obtaining fresh IP addresses.
Back in January, researchers accused Verizon of routing over 4 million IP addresses that were in the hands of cybercriminals. At the time, the Internet Service Provider (ISP) was accused of not looking closely at the routing requests, which allowed cybercriminals to use their stolen addresses unhindered.
Now, Spamhaus reveals that spammers are “hijacking existing IP address ranges from under the noses of the legitimate owners and ARIN (American Registry for Internet Numbers),” and that legacy IP address ranges are the most targeted by cybercriminals. These addresses, issued before ARIN's inception in 1997, can’t be revoked even if the yearly fees aren’t paid, meaning that they can lie dormant, sometimes forgotten by their legitimate owners.
One of the first incidents where hijacked legacy IP address ranges were used for spam was observed in 2012, when cybercriminals were abusing the 147.50.0.0/16 range, owned by Chemstress Consultant Company. The original record is dated 1991, but the hijackers started their abuse in 2011 by registering a domain to “Timothy Tausch,” the name from the original ARIN records.
After that, the hijackers tricked ARIN into updating Timothy Tausch's contact information with an email address they controlled. Next, the 147.50.0.0/16 addresses started being announced on behalf of the hijacker. The nefarious activity was rapidly shut down by the ISP for non-payment, researchers say.
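The signals in the Chemstress incident (a legacy registration, a registry contact change, a long-dormant range suddenly announced by an origin never seen for it) as a small analyst check over a route-origin history, added here as an example that is not Spamhaus's tooling. The 147.50.0.0/16 record date and the 2011 contact change follow the account above; the other prefixes are documentation ranges, the origin AS numbers are private/documentation ASNs used as placeholders, and the observation dates are constructed.

```python
from datetime import date

# Constructed registry view (registration date, last contact-record change).
REGISTRY = {
    "147.50.0.0/16":   {"registered": date(1991, 1, 1), "contact_changed": date(2011, 6, 1)},
    "198.51.100.0/24": {"registered": date(2005, 3, 10), "contact_changed": None},
    "203.0.113.0/24":  {"registered": date(2006, 1, 5), "contact_changed": None},
}

# Constructed origin observations from a routing table feed: (day, prefix, origin ASN).
OBSERVATIONS = [
    (date(2005, 3, 15), "198.51.100.0/24", 64500),
    (date(2006, 1, 10), "203.0.113.0/24", 64501),
    (date(2011, 9, 1), "198.51.100.0/24", 64500),    # same origin as always: quiet
    (date(2011, 9, 1), "147.50.0.0/16", 64512),      # dormant legacy /16 appears with a new origin
    (date(2013, 4, 1), "203.0.113.0/24", 64777),     # years of silence, then a different origin
]


def hijack_indicators(registry, observations, dormant_days=365, contact_window_days=180):
    """Map (day, prefix, asn) -> reasons for announcements worth an analyst's look.

    A new origin AS on its own is routine (networks change providers), so it only
    becomes an indicator together with a corroborating signal: a legacy (pre-ARIN)
    registration, a recent change to the registry contact, or a long gap since the
    prefix was last seen in the table.
    """
    alerts = {}
    last_seen, origins = {}, {}
    for day, prefix, asn in sorted(observations):
        meta = registry.get(prefix, {})
        new_origin = asn not in origins.get(prefix, set())
        gap = (day - last_seen[prefix]).days if prefix in last_seen else None
        dormant = gap is not None and gap > dormant_days
        reg = meta.get("registered")
        legacy = reg is not None and reg.year < 1997          # issued before ARIN's inception
        changed = meta.get("contact_changed")
        recent_contact_change = (changed is not None
                                 and 0 <= (day - changed).days <= contact_window_days)
        if new_origin and (legacy or recent_contact_change or dormant):
            reasons = [f"origin AS{asn} never seen before for this prefix"]
            if legacy:
                reasons.append("legacy (pre-ARIN) registration, cannot lapse for unpaid fees")
            if recent_contact_change:
                reasons.append(f"registry contact changed {(day - changed).days} days earlier")
            if dormant:
                reasons.append(f"reappeared after {gap} days unannounced")
            alerts[(day, prefix, asn)] = reasons
        last_seen[prefix] = day
        origins.setdefault(prefix, set()).add(asn)
    return alerts


if __name__ == "__main__":
    for key, reasons in hijack_indicators(REGISTRY, OBSERVATIONS).items():
        print(key, "->", "; ".join(reasons))
```

Only the two suspicious announcements surface; the documentation /24 that has always been announced by the same origin never does, which is the property such a check needs to be usable at the volume of a full table.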
In recent years, hijacking incidents have been getting worse, researchers say. Below, you can see a chart of the network BGP announcements of ranges believed to be hijacked (only ranges with “live” SBL listings are included – nobody has claimed legitimate ownership yet).

According to Spamhaus, while the announcements on the left-hand side of the chart are mainly legitimate, they slowly decrease as companies become defunct and stop using their IP address ranges.
“Then, in recent years, these ranges start being hijacked by spammers, at times, announcements of up to 5 million IP addresses,” Spamhaus researchers explain. “Sending email through hijacked IP address ranges is of course one of the few criminal provisions of the U.S. CAN-SPAM Act. And hijacking usually involves other serious crimes such as wire fraud, forgery, and identity theft.”
According to Spamhaus, it appears that this type of malicious activity might continue until law enforcement begins prosecuting the criminal hijacking gangs and the spammers they work with. They also explain that ARIN’s ability to take action is sometimes limited, because it must abide by procedures defined via its Policy Development Process, and might not be able to take action even when notified of false information being added to its records.

Related: Top Websites Fail to Prevent Email Spoofing

U.S. Hacker Pleads Guilty to Stealing Nude Celebrity Photos

Chicago - A Chicago hacker who stole nude photos from the accounts of at least 30 celebrities pleaded guilty Tuesday in US federal court.

Under a plea agreement with prosecutors, Edward Majerczyk admitted to one count of "unauthorized access to a protected computer to obtain information."
Prosecutors agreed to ask for a reduced sentence of nine months in prison. The charge carried a maximum sentence of five years.
In 2013 and 2014, Majerczyk hacked into the Apple iCloud and Gmail accounts of celebrities, including actresses Jennifer Lawrence and Brie Larson, and model Kate Upton, and stole photographs of the women in various states of undress.
The photographs were later leaked online, causing a scandal.
Majerczyk's lawyer Thomas Needham told US District Judge Charles Kocoras in Chicago that the 29-year-old hacker made no effort to "sell or disseminate" the photos, according to the Chicago Tribune.
When asked by the judge if the photos were for Majerczyk's own "satisfaction and enjoyment," the man's lawyer responded in the affirmative.
Federal investigators are reportedly still looking for the person who publicly released the photographs after Majerczyk stole them.
The federal judge scheduled a January 10 hearing to impose his sentence. Jennifer Lawrence spoke out to Vanity Fair in 2014 about the online publication of the photos. She said she had intended them for a boyfriend with whom she was in a long-distance relationship, and that she had been distraught over their release.
"It is not a scandal. It is a sex crime," Lawrence told the magazine. "It is a sexual violation. It's disgusting."
According to the plea agreement filed with the court, Majerczyk tricked his victims into thinking that they had received a security alert from a legitimate internet service provider, but a link in the email he sent took them to a fake website, where they were instructed to enter their logins and passwords.
Majerczyk then used that information to hack into the celebrities' accounts and looked through their private information.
Some 300 people were tricked in this way, the court filing said, including at least 30 celebrities.

Microsoft Teams with Bank of America on 'Blockchain'

Microsoft and Bank of America Merrill Lynch on Tuesday announced they are working together to make financial transactions more efficient with blockchain technology -- the foundation of bitcoin digital currency. 

The companies said they will build and test frameworks for blockchain-powered exchanges between businesses and their customers and banks.
Blockchains are considered tamper-proof registers in which entries are time-stamped and linked to previous "blocks" in a data chain.
Blockchains serve as public ledgers considered easy to audit and verify. They are also automated, speeding up transactions and limiting potential for error or revision.
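What "entries are time-stamped and linked to previous blocks" buys in practice, as an added example that is not Microsoft's or the bank's code: a minimal hash chain with a verifier, run against a constructed ledger of treasury entries (parties and amounts made up), showing that both a silent edit and an edit with a recomputed hash are caught.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(block: dict) -> str:
    """Hash of the block's committed fields; the block's own 'hash' field is excluded."""
    committed = {k: block[k] for k in ("index", "timestamp", "entry", "prev_hash")}
    payload = json.dumps(committed, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(chain: list, entry: dict, timestamp: str) -> dict:
    """Append a time-stamped entry linked to the previous block's hash."""
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "entry": entry,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain: list):
    """Return (True, None) if every link holds, else (False, index of the first bad block)."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if (block["index"] != i or block["prev_hash"] != expected_prev
                or block["hash"] != block_hash(block)):
            return False, i
    return True, None


def build_sample_ledger() -> list:
    """Constructed treasury-to-bank entries; parties, amounts and times are made up."""
    chain = []
    append_entry(chain, {"from": "corp-treasury", "to": "bank-a", "amount": 1000}, "2016-09-27T09:00:00Z")
    append_entry(chain, {"from": "bank-a", "to": "supplier-x", "amount": 400}, "2016-09-27T09:05:00Z")
    append_entry(chain, {"from": "bank-a", "to": "supplier-y", "amount": 600}, "2016-09-27T09:10:00Z")
    return chain


def tamper_silently():
    """Edit a past entry without touching hashes: the edited block no longer matches its hash."""
    chain = build_sample_ledger()
    chain[1]["entry"]["amount"] = 4000
    return verify_chain(chain)


def tamper_and_rehash():
    """Edit a past entry and recompute its hash: the next block's prev_hash now dangles."""
    chain = build_sample_ledger()
    chain[1]["entry"]["amount"] = 4000
    chain[1]["hash"] = block_hash(chain[1])
    return verify_chain(chain)


if __name__ == "__main__":
    print(verify_chain(build_sample_ledger()))   # (True, None)
    print(tamper_silently())                     # (False, 1)
    print(tamper_and_rehash())                   # (False, 2)
```

Strictly this makes the ledger tamper-evident rather than tamper-proof: a party who could rewrite every later block on every copy would pass the check, which is why distribution of the ledger (and a trusted record of its latest hash) matters as much as the chaining itself.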
Microsoft planned to use its Azure cloud service platform to enable blockchain transactions between a major corporate treasury and a financial institution.
"By working with Bank of America-Merrill Lynch on cloud-based blockchain technology, we aim to increase efficiency and reduce risk in our own treasury operations," Microsoft chief financial officer Amy Hood said in a release.
"Businesses across the globe -- including Microsoft -- are undergoing digital transformation to grow, compete and be more agile, and we see significant potential for blockchain to drive this transformation."
The processes underlying trade finance are highly manual, time-consuming and costly, according to the companies. Blockchain technology can digitize and automate those processes, along with allowing data to be quickly analyzed and audited.
"The potential benefits of blockchain will help drive meaningful supply chain efficiencies to the clients of both Microsoft and the bank," said BAML head of global transaction services Ather Williams.
Blockchain technology debuted in 2009 as a public ledger for digital currency bitcoin, but its potential for securely tracking transactions has it being eyed for other uses.
Microsoft Azure Blockchain as a Service was introduced late last year, boasting global scale, high-grade security, and regulatory compliance.
More than 80 percent of the world's largest banks are Azure customers, according to US-based Microsoft.
Azure competes with colossus Amazon Web Services in providing businesses computing capabilities in the internet cloud.
Microsoft and BAML made their announcement at a Sibos financial services event in Geneva, where they planned to demonstrate blockchain technology.
Related: Bitcoin's 'Blockchain' Tech May Transform Banking

Apple Confirms Weakened Security in Local iOS 10 Backups

iOS 10 Allows for Brute Force Attacks of 6,000,000 Passwords Per Second to be Attempted on Local Backups

Apple admitted recently to an issue affecting the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC and said a fix would be included in an upcoming update. 

Released mid-September, iOS 10 addressed a total of seven vulnerabilities, the most severe of which could be exploited by a man-in-the-middle (MitM) attacker to prevent a device from receiving updates. Because iOS 10 rendered some devices useless, Apple was quick to release iOS 10.0.1, which also included a new fix for one of the “Trident” security flaws patched last month.
The weakness in local backups was discovered by ElcomSoft, a company that specializes in password recovery tools. According to them, the bug introduced by Apple in iOS 10 makes local backups significantly more susceptible to brute-force attacks than those of previous operating system versions.
According to ElcomSoft, they were able to recover passwords from iOS 10 backups several thousand times faster than from password-protected iOS 9 backups. The changes that Apple introduced in iOS 10 for offline (iTunes) backups appear to be the root cause of the problem.
ElcomSoft’s Oleg Afonin explains in a blog post that an alternative password verification mechanism was added to iOS 10 backups, but that it skips certain security checks, allowing a brute-force attacker to try passwords 2,500 times faster than the old mechanism would allow. The attack, he says, was executed against a local backup on a machine powered by an Intel i5 processor.
ElcomSoft hasn’t provided specific details on the security vulnerability, but revealed that it has added an exploit for it to its Elcomsoft Phone Breaker 6.10. On the same machine, the company reveals, the tool could try only 2,400 passwords per second for iOS 9 backups, but iOS 10 allows for a total of 6,000,000 passwords per second to be attempted.
Only the password-protected local backups produced by iOS 10 devices allow an attacker to leverage this new vector. The old protection mechanism, Afonin notes, continues to be available for iOS 10 backups and delivers the same level of protection as it did for previous platform versions.
“All versions of iOS prior to iOS 10 used to use extremely robust protection. Chances of recovering a long, complex password were slim, and even then a high-end GPU would be needed to accelerate the recovery. As a result of our discovery, we can now break iOS 10 backup passwords much faster even without GPU acceleration,” Vladimir Katalov, ElcomSoft CEO, says.
Apple has already confirmed that the issue exists, and even told Forbes that it was considering a patch in an upcoming security update. The company revealed that the issue indeed affects the encryption strength for iOS 10 backups performed using iTunes on the Mac or PC, but underlined that iCloud backups are not affected by it.
The good news, of course, is that the attack can be performed only if the attacker can access or create a local iOS 10 backup to work with. Because the backup contains all of the content on the iOS device, including contacts, calls, messages, media files, and even passwords, a successful attack would result in full device compromise and even the compromise of other user accounts.
After security researchers discovered a series of zero-day iOS vulnerabilities leveraged in targeted attacks against human rights activists, journalists, and other persons of interest, Apple in early September released updates for Mac OS X and Safari too to address the same issues.

Monday, September 26, 2016

OpenSSL Patch for Low Severity Issue Creates Critical Flaw

A fix included in the OpenSSL updates released last week introduced a critical vulnerability that could potentially lead to arbitrary code execution, the OpenSSL Project warned on Monday.

OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u were released on September 22 to address more than a dozen security holes. One of the issues affecting OpenSSL 1.1.0 is a low severity denial-of-service (DoS) bug related to excessive allocation of memory in the tls_get_message_header() function.
The flaw, reported by Shi Lei of Qihoo 360 and identified as CVE-2016-6307, is considered “low severity” because it can only be exploited if certain conditions are met.
The OpenSSL Project rolled out a fix in version 1.1.0a, but Google Security Engineer Robert Swiecki soon discovered that the patch created a critical use-after-free vulnerability related to large message sizes.
“The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location,” the OpenSSL Project wrote in its advisory.
The critical flaw (CVE-2016-6309) can result in a crash, but it could also lead to arbitrary code execution. The problem has been addressed with the release of OpenSSL 1.1.0b.
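The pointer-invalidation shape the advisory describes, as an added illustration that is not OpenSSL's code: a message buffer that is reallocated and moved once the message exceeds roughly 16k, with the dangling-pointer write beside the offset-based fix. The 16k threshold, the header bytes and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the advisory, not OpenSSL's
 * code: a message assembler whose buffer is reallocated and moved once the
 * message grows past roughly 16k (threshold assumed from "approx 16k"). */
#define INITIAL_CAP 16384u

typedef struct {
    unsigned char *buf;  /* heap buffer holding the message assembled so far */
    size_t len;          /* bytes stored */
    size_t cap;          /* bytes allocated */
} msgbuf;

/* Make room for `need` bytes. malloc+memcpy+free is used instead of realloc so
 * that growth always moves the block, which makes the hazard deterministic. */
static int msgbuf_reserve(msgbuf *m, size_t need) {
    if (need <= m->cap) return 1;
    size_t ncap = m->cap;
    while (ncap < need) ncap *= 2;
    unsigned char *nb = malloc(ncap);
    if (nb == NULL) return 0;
    memcpy(nb, m->buf, m->len);
    free(m->buf);      /* old block is released: every pointer into it now dangles */
    m->buf = nb;
    m->cap = ncap;
    return 1;
}

/* VULNERABLE shape: the destination pointer is taken from the old base before
 * the buffer may move, then written through afterwards. Once the message passes
 * INITIAL_CAP, `dst` refers to freed memory and memcpy is a write-after-free.
 * Shown only for contrast; never call it with a message that crosses the cap. */
int append_body_vulnerable(msgbuf *m, const unsigned char *body, size_t n) {
    unsigned char *dst = m->buf + m->len;   /* computed before reserve() */
    if (!msgbuf_reserve(m, m->len + n)) return 0;
    memcpy(dst, body, n);                   /* dangling if the buffer moved */
    m->len += n;
    return 1;
}

/* FIXED shape: carry an offset across the growth and re-derive the pointer
 * from the current base only after reserve() has succeeded. */
int append_body_fixed(msgbuf *m, const unsigned char *body, size_t n) {
    size_t off = m->len;
    if (!msgbuf_reserve(m, off + n)) return 0;
    memcpy(m->buf + off, body, n);          /* pointer computed after reserve() */
    m->len = off + n;
    return 1;
}

/* Check helper: append a 4-byte constructed header, then a body of `body_len`
 * bytes, through the fixed path; returns 1 if the whole message is intact. */
int assemble_and_verify(size_t body_len) {
    static const unsigned char header[4] = {0x16, 0x03, 0x03, 0x00};
    msgbuf m = { malloc(INITIAL_CAP), 0, INITIAL_CAP };
    unsigned char *body = malloc(body_len + 1);
    int ok = m.buf != NULL && body != NULL;
    if (ok) {
        memset(body, 0xAB, body_len);
        ok = append_body_fixed(&m, header, sizeof header) &&
             append_body_fixed(&m, body, body_len) &&
             m.len == sizeof header + body_len && memcmp(m.buf, header, 4) == 0;
        for (size_t i = 0; ok && i < body_len; i++) ok = (m.buf[4 + i] == 0xAB);
    }
    free(body);
    free(m.buf);
    return ok;
}
```

A body of 20000 bytes forces the move; the fixed path survives it because the only thing kept across the growth is an offset, which stays valid whichever block the base pointer now names.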
OpenSSL developers also announced on Monday the release of version 1.0.2j, which patches a missing CRL sanity check issue affecting only version 1.0.2i (CVE-2016-7052).
The OpenSSL Project hopes that by quickly releasing a patch for the critical vulnerability, users will update their installations directly to the newest versions instead of the ones made available last week.
The most serious weakness fixed last week is CVE-2016-6304, which can be exploited for DoS attacks by sending an excessively large OCSP Status Request extension to the targeted server. Another interesting issue fixed last week, albeit a low severity one, is Sweet32, a recently disclosed attack method that can be leveraged to recover potentially sensitive data from a large volume of encrypted traffic.


UK Man Involved in 2012 Yahoo Hack Sentenced to Prison

The U.K. National Crime Agency (NCA) announced last week that one of the members of an international cybercrime group has been given a two-year jail sentence.

The individual, 23-year-old Nazariy Markuta from London, is believed to be a member of a hacker collective known as “D33Ds Company.” In 2012, the group leaked more than 450,000 email addresses and passwords from Yahoo’s Contributor Network.
The NCA has not named the affected company in its press release and instead referred to it as a “major Silicon Valley firm.”
An investigation conducted by the British law enforcement agency in collaboration with the FBI led to the identification of Markuta, who is believed to be a key member of D33Ds Company.
The man was arrested at his home in North-West London in March 2015. At the time of his arrest, agents discovered thousands of payment card records in his possession. Investigators determined that, between 2012 and 2014, he leveraged SQL injection vulnerabilities to also breach the systems of a video game reseller and an SMS messaging service.
Markuta had pleaded guilty to eight counts related to hacking and fraud – crimes covered by the Serious Crime Act 2007, the Computer Misuse Act 1990 and the Fraud Act 2006. He has been sentenced to a total of more than 11 years, but he will only spend up to two years in prison since the sentences run concurrently.
The fact that one of the individuals who hacked its systems back in 2012 has been sentenced to prison is likely of little comfort to Yahoo these days. Two other data breaches suffered by the company have come to light over the past weeks, shortly after Verizon agreed to buy its core business for $4.8 billion.
In early August, a hacker offered to sell the credentials of 200 million users allegedly stolen from Yahoo back in 2012. Then, last week, Yahoo admitted suffering a massive data breach in 2014, when attackers believed to be sponsored by a nation state accessed information associated with at least 500 million user accounts.
It’s still unclear who is behind the 2014 attack, but experts have speculated that it could be Russia, China or even North Korea.


Smartphone hacks 3-D printer by measuring 'leaked' energy and acoustic waves

The ubiquity of smartphones and their sophisticated gadgetry make them an ideal tool to steal sensitive data from 3-D printers.

That's according to a new University at Buffalo study that explores security vulnerabilities of 3-D printing, also called additive manufacturing, which analysts say will become a multibillion-dollar industry employed to build everything from rocket engines to heart valves.
"Many companies are betting on 3-D printing to revolutionize their businesses, but there are still security unknowns associated with these machines that leave intellectual property vulnerable," said Wenyao Xu, PhD, assistant professor in UB's Department of Computer Science and Engineering, and the study's lead author.
Xu and collaborators will present the research, "My Smartphone Knows What You Print: Exploring Smartphone-based Side-channel Attacks Against 3D Printers," at the Association for Computing Machinery's 23rd annual Conference on Computer and Communications Security in October in Austria.
Not a cyberattack
Unlike most security hacks, the researchers did not simulate a cyberattack. Many 3-D printers have features, such as encryption and watermarks, designed to foil such incursions.
Instead, the researchers programmed a common smartphone's built-in sensors to measure electromagnetic energy and acoustic waves that emanate from 3-D printers. These sensors can infer the location of the print nozzle as it moves to create the three-dimensional object being printed.
The smartphone, at 20 centimeters away from the printer, gathered enough data to enable the researchers to replicate printing a simple object, such as a door stop, with a 94 percent accuracy rate. For complex objects, such as an automotive part or medical device, the accuracy rate was lower but still above 90 percent.
"The tests show that smartphones are quite capable of retrieving enough data to put sensitive information at risk," says Kui Ren, PhD, professor in UB's Department of Computer Science and Engineering, a co-author of the study.
The richest source of information came from electromagnetic waves, which accounted for about 80 percent of the useful data. The remaining data came from acoustic waves.
Ultimately, the results are eye-opening because they show how anyone with a smartphone -- from a disgruntled employee to an industrial spy -- might steal intellectual property from an unsuspecting business, especially "mission critical" industries where one breakdown of a system can have a serious impact on the entire organization.
"Smartphones are so common that industries may let their guard down, thus creating a situation where intellectual property is ripe for theft," says Chi Zhou, PhD, assistant professor in UB's Department of Industrial and Systems Engineering, another study co-author.
Making 3-D printers more secure
The researchers suggest several ways to make 3-D printing more secure. Perhaps the simplest deterrent to such an attack is distance. The ability to obtain accurate data for simple objects diminished to 87 percent at 30 centimeters, and 66 percent at 40 centimeters, according to the study.
Another option is to increase the print speed. The researchers said that emerging materials may allow 3-D printers to work faster, thus making it more difficult for smartphone sensors to determine the print nozzle's movement.
Other ideas include software-based solutions, such as programming the printer to operate at different speeds, and hardware-based ideas, such as acoustic and electromagnetic shields.

Microsoft Removes Windows Journal Due to Security Flaws

Microsoft has decided to remove the Windows Journal application from its operating systems due to the discovery of several vulnerabilities that can be exploited through specially crafted Journal files.

Windows Journal is a note-taking application available in Windows versions from XP Tablet PC Edition through Windows 10. Notes and drawings created with the app are saved in .jnt files.
Over the past few years, researchers from various companies discovered roughly a dozen denial-of-service (DoS) and remote code execution vulnerabilities in Windows Journal.
The most recent issue was reported to Microsoft last month by Fortinet researcher Honggang Ren. The flaw identified by the expert is a heap overflow that can cause the application to crash. Fortinet published a blog post last week detailing the vulnerability.
Microsoft has not released a patch for the vulnerability found by the Fortinet researcher as it has decided to remove the component altogether. The update that removes Journal from Windows 7, 8, 8.1 and 10 is KB3161102, which the company first announced last month.
“The file format that's used by Windows Journal (Journal Note File, or JNT) has been demonstrated to be susceptible to many security exploits,” Microsoft explained.
The company has advised customers to migrate to OneNote, but users who depend on Journal can install it separately after they apply KB3161102. Those who want to continue using the app will be shown a security alert whenever they attempt to open Journal Note (JNT) or Journal Template (JTP) files.
Two memory corruption vulnerabilities have been resolved in Journal this year, including CVE-2016-0182, reported independently by Jason Kratzer and Bingchang Liu, and CVE-2016-0038, discovered by Rohit Mothe.
Microsoft informed customers this month that it has addressed an Internet Explorer/Edge vulnerability exploited in the wild. Experts revealed that the flaw had been leveraged in major malvertising campaigns since at least 2014.



Sunday, September 25, 2016

Necurs Botnet Fuels Jump in Spam Email

The volume of spam email has increased significantly this year, being comparable to record levels observed in 2010. Researchers from Cisco Talos believe the increase has been driven mainly from increased activity of the Necurs botnet.

Over the past five years, spam volumes have been relatively low compared to 2010, when they reached an all-time high. However, it appears that this lull might have ended this year, as spam is on the rise once again. Citing data from the Composite Block List (CBL), Cisco Talos researchers note that 2016’s spam volumes are nearly as high as they were back in mid-2010.
Furthermore, the overall size of the SpamCop Block List (SCBL) over the past year shows a spike of more than 450,000 IP addresses in August 2016, although the SCBL size was under 200,000 IPs last year, Cisco says.
The surge in spam email volumes this year, researchers explain, can only mean that dedicated botnets have increased their activity. However, anti-spam systems can usually catch spam campaigns fast because botnets are using a non-targeted/shotgun approach. Even so, researchers say, attacks cannot be predicted before they start.
Responsible for this year’s spike in spam campaigns, Cisco says, might be the Necurs botnet, which was associated only several months ago with the Locky ransomware and the Dridex Trojan. When Necurs suffered an outage in June, Locky and Dridex infections came to a relative stop, but the ransomware returned with a vengeance when the botnet was restored three weeks later.
Both Necurs’ outage and the lack of activity behind Dridex and Locky were supposedly connected to the arrests in Russia related to the Lurk Trojan, which Cisco now confirms. Necurs was only one of the major threats to be silenced following said arrests, but its return also marked a major change in behavior, Cisco says.
“And not only had Necurs returned, but it switched from sending largely Russian dating and stock pump-n-dump spam, to sending malicious attachment-based spam. This was the first time we'd seen Necurs send attachments,” the security researchers say.
Also associated with the Lurk gang, the Angler exploit kit disappeared in June, taking EK traffic down along with it, which has pushed threat actors to find new means of delivering their malicious payloads, and spam botnets appear to have become their main choice. Although new anti-spam technologies and high-profile takedowns of spam-related botnets have diminished spam volumes over time, it appears that this attack technique is once again popular among cybercriminals.
According to Cisco, Necurs remains a highly active spam botnet mainly because its operators have found an ingenious method to continue using infected hosts for many years. For that, they only send spam from a subset of infected machines, and then stop using these hosts for several weeks, to draw attention away from them and to trick security personnel into believing that the host has been cleaned.
“Many of the host IPs sending Necurs' spam have been infected for more than two years. To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks,” researchers say. “At Talos, we see this pattern over, and over again for many Necurs-affiliated IPs.”
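One way a mail defender could hunt for the burst-and-sleep pattern Talos describes in its own sender logs, as an added example that is not Cisco Talos code; the day/week thresholds and the sample sightings are assumptions constructed from the quoted description, using TEST-NET addresses rather than real indicators.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not Cisco Talos code: a heuristic that flags a sender IP
 * whose history fits the quoted pattern (a few active days, then weeks of
 * silence, repeated). Thresholds are assumptions taken from "two to three days"
 * and "two to three weeks"; the sample addresses are TEST-NET ranges, not IoCs. */
#define MAX_DAYS        120   /* observation window, in days */
#define BURST_MAX_DAYS  3     /* a burst lasts at most this many consecutive days */
#define GAP_MIN_DAYS    14    /* consecutive bursts must be this many quiet days apart */
#define MIN_BURSTS      2     /* need at least this many bursts to call it a pattern */

typedef struct { const char *ip; int day; } spam_obs;   /* one spam sighting per entry */

/* Return the number of bursts if `ip`'s activity matches the burst/sleep
 * pattern, 0 otherwise (steady senders, one-offs and unknown IPs all give 0). */
int necurs_like_bursts(const spam_obs *obs, size_t n, const char *ip) {
    unsigned char active[MAX_DAYS] = {0};
    for (size_t i = 0; i < n; i++)
        if (strcmp(obs[i].ip, ip) == 0 && obs[i].day >= 0 && obs[i].day < MAX_DAYS)
            active[obs[i].day] = 1;

    int bursts = 0, prev_end = -1, d = 0;
    while (d < MAX_DAYS) {
        if (!active[d]) { d++; continue; }
        int start = d;
        while (d < MAX_DAYS && active[d]) d++;          /* active run is [start, d) */
        if (d - start > BURST_MAX_DAYS) return 0;       /* long run: steady sender */
        if (prev_end >= 0 && start - prev_end < GAP_MIN_DAYS) return 0; /* gap too short */
        prev_end = d;
        bursts++;
    }
    return bursts >= MIN_BURSTS ? bursts : 0;
}

/* Build a constructed sighting log into `out`; returns the number of entries.
 * 203.0.113.7: days 0-2, 20-21, 40-42 (bursty); 198.51.100.9: every day 0-29
 * (steady); 192.0.2.5: day 5 only (one-off). */
size_t build_sample_log(spam_obs *out, size_t cap) {
    static const int bursty_days[] = {0, 1, 2, 20, 21, 40, 41, 42};
    size_t n = 0;
    for (size_t i = 0; i < sizeof bursty_days / sizeof bursty_days[0] && n < cap; i++)
        out[n++] = (spam_obs){"203.0.113.7", bursty_days[i]};
    for (int d = 0; d < 30 && n < cap; d++)
        out[n++] = (spam_obs){"198.51.100.9", d};
    if (n < cap) out[n++] = (spam_obs){"192.0.2.5", 5};
    return n;
}

/* Convenience: evaluate one IP against the constructed log. */
int check_sample_ip(const char *ip) {
    spam_obs log[64];
    size_t n = build_sample_log(log, sizeof log / sizeof log[0]);
    return necurs_like_bursts(log, n, ip);
}
```

The point of the heuristic is that a host which falls silent is not necessarily clean: a sender that reappears after a two-week gap for another short burst is exactly what the quoted pattern predicts, so such hosts deserve a second look rather than a closed ticket.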
And because spammers have only a small window of opportunity between the start of a campaign and the moment anti-spam systems begin blocking it, they try to send as much email as possible to ensure that they can successfully land malicious email in their victims' inboxes.
“Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be critical to an organization's survival. Restoration plans need to be regularly reviewed and tested to ensure no mistakes have been made and that items have not been overlooked. Lastly, reach out to your users and be sure they understand that strange attachments are never to be trusted,” Cisco says.

Russia? China? Who Hacked Yahoo, and Why?


Yahoo's claim that it is the victim of a gigantic state-sponsored hack raises the question of whether it is the latest target for hackers with the backing of Russia, China or even North Korea, experts say.

The US internet giant was under pressure Friday to explain how it sustained such a massive breach in 2014, which possibly affected 500 million accounts.
Yahoo said the stolen information may have included email addresses and scrambled passwords, along with both encrypted or unencrypted security questions and answers that could help gain access to victims' other online accounts.
Sometimes the link between the target of a hack and a particular state may suggest itself easily.
One of the highest-profile hacks came when North Korea is thought to have targeted entertainment titan Sony in 2014, apparently in revenge for producing the comedy film "The Interview" about a CIA plot to assassinate leader Kim Jong-Un.
More recently, a mysterious group calling itself Fancy Bears hacked the medical records of athletes held by the World Anti-Doping Agency (WADA). It is still dripping the information out.
Commercial motives
Many experts believe that cyberattack was carried out by Russia after its track and field athletes were banned from the Olympics and its entire Paralympics team turfed out of their Games over evidence of state-sponsored doping.
While motivation for those cyberattacks seems clear, it might initially appear less obvious why countries such as Russia, North Korea or even China would target a company like Yahoo.
Chinese hackers have been accused of plundering industrial and corporate secrets and of orchestrating a breach of US government files on its employees that affected more than 21 million people and reportedly led to the hasty withdrawal of US intelligence operatives from China to protect their lives.
But political motives can be as strong as commercial ones, analysts note.
"Would, for example, Russian intelligence wish to conduct a large-scale hack on a major internet company like Yahoo? Absolutely they would," Shashank Joshi, senior research fellow at the London-based Royal United Services Institute, told AFP.
"It is an incredibly valuable commodity. The ability to access email addresses for US persons, perhaps a Russian dissident -- any intelligence agency worth its salt would want that sort of data, although it is very hard to use because of the encrypted passwords," he said.
Julien Nocetti, of the French Institute of International Relations (IFRI), said the hack was too big for an independent group to carry out.
"Given the scale of the revelations about Yahoo, it indicates that a lot of resources, technical equipment and coordination were required -- this definitely comes from a state," he said.
Given the tensions between Russia and the United States over the Syrian war "you could put forward the theory that this could be a Russian attempt to test the Americans' cyber defences", he said.
Finding the source
Yahoo has so far given no evidence to support its claim that it has been targeted by a state. RUSI's Joshi said finding the source "is the most fundamental problem when it comes to cyber-attacks".
"This completely bedevils even the most well-resourced people," he said.
However, he believes Yahoo would only have pointed the finger at state involvement if it had some evidence.
"The way you identify responsibility for a hack is to look for signatures that correspond to earlier known facts and then see what you know about them," he said.
For example, in the case of the hacking of Democratic National Committee (DNC) emails this year, which exposed bias within the party in favour of Hillary Clinton, cyber-security experts found evidence of a so-called Advanced Persistent Threat (APT).
"That is a code word for state hackers who were clearly operating in a system and matched up with earlier such hacks" carried out by Russia's state and military intelligence agencies, Joshi said.
But in Russia, so often accused of state-sponsored hacking, one expert said it was naive to immediately blame a state and scoffed at the suggestion the hackers were sophisticated spies.
"Anyone could have hacked a database of users like Yahoo because it's a classic commercial server," said Oleg Demidov, a consultant at the Moscow-based independent think-tank PIR Center.
"At the moment, this looks like a traditional hack aimed at making money or carving out a reputation by selling a load of personal data," he added.
