
This man might expose the Russian hacking operation

Image: Sergei Konkov/TASS via getty images

He’s Ukrainian. He goes by the name “Profexer.” And he’s allegedly behind the software that kicked off the Great DNC Hacking of 2016—you know, the one that may have swayed an entire American presidential election.

Other personal details about the reportedly young man are vanishingly scarce, according to The New York Times, but it's his professional credentials that may illuminate key parts of how the Russian government runs its hacking operations.

Profexer may not have been a Russian government operative himself, but he is the alleged author of the malware that helped Russian operatives hack the Democratic National Committee (and steal DNC emails) in an attempt to sway the 2016 United States presidential election in favor of President Donald Trump. 

So: If the man himself doesn’t work for Moscow, then who is he?

He built dangerous malware where few could find it

If you were one of the few who found themselves adept at uncovering malware code on the Russian-language dark web a few months ago, you might have come across Profexer’s work.

Per the Times, his malware, called P.A.S. web shell, was the only one mentioned in the Department of Homeland Security’s first report about Russian hacking in the U.S. election. And if you did manage to find it? The malware was free. Profexer made his money on the people who wanted customized versions of that free software. The man was reportedly respected enough to earn both awe and cash.

He was scared once officials found his malware 

Profexer dismantled his dark web site once his malware showed up in the DHS report. Six days later, he reassured fellow hackers that no one had killed him. In a brief debate with another hacker over the possibility of his capture, he said authorities would be able to find him without a problem, adding that “it depends only on politics.”

He turned himself in after U.S. officials identified his malware

Rather than wait, Profexer walked out from behind his computer. Ukrainian law enforcement didn’t arrest him, reportedly because the man behind the malware built it without using it. Officials did, however, acquaint Profexer with the FBI, for whom he is now a witness.

He knows who used his creations…sort of

Profexer knows the people who used his malware, but only in the same way we know Profexer—by their screen names.

If he can identify which users were likely Russian operatives, more questions might be answered, and officials might better understand how the Russian government runs cyberoperations. Do they, as The Times suggested, spend more time looking for useful malware, rather than developing it themselves? Are Russian cyber officials as much crowdsourcers as they are hackers, gathering the best tools they can find before aiming them at their own targets? And was this effective enough to count government subcontracting hacker-built software as the future of diplomatic warfare? 

Needless to say: More to come.


Remotely hacking ships shouldn’t be this easy, and yet …

The Internet of Things has shown us time and time again that nothing connected to the internet is safe from hackers, and yet we’ve mostly written off security-camera-fueled botnets as someone else’s problem.

But what if the thing in question happens to be a boat loaded with weapons?

A group of cybersecurity researchers is having a field day online with the discovery that the configuration of certain ships’ satellite antenna systems leaves them wide open to attack — and the possible consequences are startling.

Anyone who gained access to the system in question, and was so inclined, could manually change a ship’s GPS coordinates or possibly even brick the boat’s navigation system entirely by uploading new firmware. And why would anyone want to do that?

“Next gen boat ransomware?,” suggested the security researcher x0rz over Twitter direct message with Mashable. “Military special operations? Somalian pirates 2.0?” 

The recent revelation appears to have kicked off with the creation of a ship-tracking map, credited to Jeff Merrick, which shows the real-time locations of boats around the globe. The map is powered by data from Shodan, a search engine that lets users search for internet-connected devices and, according to x0rz, uses data from boats’ very small aperture terminals (VSAT) to pinpoint their locations.

VSATs are common tech on yachts, and allow for internet access and communication even while boats are in motion. Interestingly, at least some boats with one type of VSAT, the SAILOR 900, have public IPv4 addresses without any firewall. And, you guessed it, Shodan makes it possible to search for this type of device.

Once located, data about the boat — such as its location — is readily available. 

Oh there it is.

Image: mashable

But here’s where things get wild: The default login credentials, which are easily found online, remain unchanged on at least some of these devices (we’re choosing not to publish those credentials for what we hope are obvious reasons) — allowing anyone to gain administrator-level access. Once in, x0rz confirmed to Mashable, a ship’s GPS coordinates can be manually changed. What’s more, an attacker could upload their own firmware and possibly brick the entire navigation system in the process. 

“It’s just badly configured,” explained x0rz, “but just like the rest of the Internet (banking, energy, corporate, …).”

With just a little googling, a person can determine a bit more about the vessel in question — like, for example, that it contains a “secure, sealed, climate-controlled armoury.”  

This isn’t the first time someone has called out Cobham, the UK company that manufactures the SAILOR 900, for potentially problematic security vulnerabilities. A 2014 security white paper from IOActive, a cybersecurity research team, dived into the SAILOR 900 and found that the “vulnerabilities in these terminals make attacks that disrupt or spoof information consumed by the on-board navigations systems, such as ECDIS, technically possible, since navigation charts can be updated in real time via satellite.”

So what does Cobham have to say about all of this? We reached out to the company, but have yet to receive a response. We’ll update if and when we do. 

How worried should we be?

Like so many things, the answer to whether or not we should be concerned about ships being hacked is: it depends. Importantly, x0rz pointed out that the number of boats easily accessible in the above-described manner is limited. However, he also noted that “one is enough to cause a catastrophic event, right?”

And if the boat in question is carrying hazardous material, weapons, or happens to be something other than a pleasure yacht? Well, then we may suddenly find ourselves taking these kind of vulnerabilities a lot more seriously. 


A security researcher just revealed a huge Myspace security flaw. (And yes you should care.)

Tom, u up? MySpace — you know that game-changing social media platform that you created and sold — appears to have some serious security issues, dude. 

Security researcher Leigh-Anne Galloway shared a blog post on Monday detailing a huge security flaw she spotted on Myspace’s account recovery page back in April. 

“In April this year whilst roaming the plains of the wild world web, I stumbled across an old Myspace account of mine,” Galloway explains in the post. “Attempting to gain access and delete the account I discovered a business process so flawed it deserves its own place in history.”

Essentially, Galloway discovered that an attacker could use public information — info as basic as name, email address, username, and date of birth — to gain access to any Myspace account simply by using the “Do Not Have Access To Old Email Address” form.

Galloway shared the issue with the company … and, according to Galloway, she “received almost no response from Myspace, except an automated one.”
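The account-recovery weakness described above comes down to treating knowledge of public profile data as proof of ownership. The Python below is an added illustration, not Myspace's code or anything from Galloway's post: it puts that knowledge-based form beside a possession-based flow in which a random, short-lived, single-use token is sent only to a separately verified recovery channel and never returned to the requester. The account fields, the `recovery_email` channel, the 15-minute lifetime and the five-attempt lockout are all assumptions chosen for the example.

```python
"""Knowledge-based vs. possession-based account recovery (illustrative)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a recovery token lives 15 minutes
MAX_FAILED_ATTEMPTS = 5       # assumption: lock recovery after 5 bad tokens


@dataclass
class Account:
    username: str
    name: str
    email: str           # the "old" address the user may no longer control
    dob: str
    recovery_email: str  # a separately verified channel (hypothetical field)


@dataclass
class RecoveryStore:
    accounts: dict
    tokens: dict = field(default_factory=dict)    # username -> (token, expires_at)
    failures: dict = field(default_factory=dict)  # username -> failed attempts


def weak_recover(store, username, name, email, dob):
    """The flawed pattern: matching public profile data is treated as proof."""
    acct = store.accounts.get(username)
    if acct and (acct.name, acct.email, acct.dob) == (name, email, dob):
        return acct          # anyone holding a public profile gets in
    return None


def request_recovery(store, username, deliver, now=None):
    """Hardened step 1: mint a random, short-lived token and hand it only to
    the verified recovery channel. Nothing is returned to the requester, so
    the caller learns neither the token nor whether the account exists."""
    now = now if now is not None else time.time()
    acct = store.accounts.get(username)
    if acct is None:
        return
    token = secrets.token_urlsafe(32)
    store.tokens[username] = (token, now + TOKEN_TTL_SECONDS)
    deliver(acct.recovery_email, token)


def complete_recovery(store, username, presented, now=None):
    """Hardened step 2: accept only the unexpired, single-use token, compared
    in constant time, and lock the flow after too many failures."""
    now = now if now is not None else time.time()
    if store.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS:
        return None
    entry = store.tokens.get(username)
    if entry is None:
        store.failures[username] = store.failures.get(username, 0) + 1
        return None
    token, expires_at = entry
    if now > expires_at or not hmac.compare_digest(token.encode(), presented.encode()):
        store.failures[username] = store.failures.get(username, 0) + 1
        return None
    del store.tokens[username]          # single use: a captured token cannot be replayed
    store.failures.pop(username, None)
    return store.accounts[username]


def demo():
    """Run both flows against a constructed account and report the outcomes."""
    acct = Account("tom", "Tom Example", "tom@old.example", "1970-08-01",
                   recovery_email="tom@new.example")
    store = RecoveryStore({"tom": acct})
    public_data = ("Tom Example", "tom@old.example", "1970-08-01")  # constructed

    weak_result = weak_recover(store, "tom", *public_data) is not None

    mailbox = []                         # stands in for the recovery channel
    request_recovery(store, "tom", lambda to, tok: mailbox.append((to, tok)))
    guess = complete_recovery(store, "tom", "Tom Example1970-08-01")  # public data alone fails
    real = complete_recovery(store, "tom", mailbox[0][1])             # delivered token works
    replay = complete_recovery(store, "tom", mailbox[0][1])           # second use is refused
    return {"weak": weak_result, "guess": guess is not None,
            "real": real is not None, "replay": replay is not None}


if __name__ == "__main__":
    print(demo())
```

The point of the split into `request_recovery` and `complete_recovery` is that the only thing that unlocks the account is something delivered out of band; the form's inputs identify which account to act on but never authorize the reset by themselves. The silent return on an unknown username avoids turning the form into an account-existence oracle.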

Why is this so troubling?

In 2016 you may recall that Myspace suffered a massive security breach involving 427 million passwords belonging to approximately 360 million users who created accounts before 2013. The database of passwords was then put online for all to see.

This is a bigger deal than it seems. In addition to the breach allowing hackers to access a trove of personal user information and direct messages from Myspace, basically everyone reuses their passwords (which for the record, is not something you should do). So the 2016 Myspace breach may have put a lot more people and accounts at risk than expected.

This, coupled with the fact that it’s been about three months since Galloway reported the most recent security flaw and she’s only received an automated response, raises one very serious question: What are you doing, Myspace?

In response to a request for comment, a Myspace spokesperson told Mashable, “In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access.”

“We take data security very seriously at Myspace,” the spokesperson went on. “We will continue to monitor the security of these accounts and make appropriate modifications.”

Okay, Myspace. But why did it take so long to even address the issue?

What even is Myspace nowadays?

The Myspace that today’s users know is far from the Myspace you left behind to join Facebook back in the day, and maybe that’s part of the problem.

After co-founder Tom Anderson sold the social media platform to NewsCorp in 2005, it was acquired in 2011 by Tim and Chris Vanderhook and Justin Timberlake. A year later, Timberlake attempted to bring sexy back to the site with a swanky new redesign and then the world basically never heard another peep about Myspace ever again.

Cut to today where the site appears to be a somewhat confusing, music-centered hub where people can stay informed on the music world but also chat with one another and maintain a personal profile.

The website’s stats page proudly displays the number of songs on the site, and a search bar at the bottom of the homepage gives you access to articles, songs, videos, and artists on what vaguely resembles iTunes.

Image: screengrab/myspace

According to the site, Myspace currently consists of 150 engineers, designers, writers, and strategists. For comparison, as of March 31, 2017 Facebook reported a whopping 18,770 employees. And back in 2016 Myspace received a reported 15 million monthly unique global visitors, whereas Facebook currently has around 2 billion monthly active users.

In other words: Myspace is not top dog. But you still have to care.

Do I really have to?

Yes.

You may not use Myspace anymore but if you have an old dormant account, you either have to keep tabs on it or delete it completely. Breaches have happened before and they can happen again. That said, there’s no denying that the months-long delay in Myspace addressing the issue is concerning.

Myspace may be struggling to stay relevant in the modern era of social media, but there is one easy way to get people to take your site seriously: address your security flaws.


Dark web marketplace AlphaBay reportedly shut down by authorities

Probably not an accurate representation of a typical AlphaBay customer.

Image: imageBROKER/REX/Shutterstock

AlphaBay, a dark web marketplace for wares in the “not exactly legal” category, went offline in early July, and many users assumed the admins decided to make away with their money. 

But a new report from The Wall Street Journal claims that AlphaBay was actually taken down in a coordinated action by the authorities in the U.S., Canada and Thailand. 

Alexandre Cazes, a Canadian citizen and allegedly one of the site’s operators, was arrested in the bust, WSJ's sources claim. There will be no trial for him, though, as he was found hanged in his cell in Thailand on Wednesday. Two raids related to the bust were also carried out in Canada, the Montreal Gazette reports.

The details on the bust are scarce. But it’s not hard to imagine why the authorities would want to shut down AlphaBay.  Launched in 2014, the site was accessible only on the dark web and accepted two forms of cryptocurrency: Bitcoin and the anonymity-oriented Monero. It allowed users to purchase or sell drugs, guns, stolen user data and other illegal goods. 

Operating AlphaBay was likely a very profitable operation. Nicolas Christin — associate research professor at Carnegie Mellon University and online marketplace expert — told WSJ that he estimated the site’s daily sales at between $600,000 and $800,000. According to a Bangkok Post article, Thai police impounded four Lamborghinis and three houses from Cazes, with a total value of $11.8 million.

AlphaBay was the most successful successor of Silk Road, another dark web marketplace which was shut down by the FBI in 2013. That site’s founder, Ross Ulbricht, was sentenced to life in prison in 2015. 


Hackers targeted U.S. nuclear plants using … fake Microsoft Word résumés

Image: Medicimage/REX/Shutterstock

The FBI and U.S. Department of Homeland Security have been helping multiple U.S. energy companies fend off cyberattacks from foreign hackers, according to bombshell reports from the New York Times and Bloomberg on Thursday.

The stories explain how hackers working for a foreign government breached at least a dozen U.S. power plants, raising concerns (yet again) over vulnerabilities in the electrical grid.

Both stories go into tremendous detail about how the attacks were pulled off, but the New York Times story in particular featured a strange little anecdote that stood out in the context of reading about “nuclear plants” and “hacking.”

Here’s the excerpt:

The fake résumés were Microsoft Word documents that were laced with malicious code. Once the recipients clicked on those documents, attackers could steal their credentials and proceed to other machines on a network.

Wait, what?

Is the security of U.S. nuclear facilities really being threatened by a dusty old MS Word document? Aren’t you supposed to send your résumé as a PDF anyway?

Luckily, it’s a little more complicated than that. Federal officials say the hackers were only able to penetrate the business side of the nuclear facility — not the operations of the plant — and that there was no threat to public safety. 

Furthermore, Wired reports that most industrial control systems run on obscure computers that typically aren’t connected to the internet. So hackers would presumably need to go to great lengths to access the operations systems.

Still, even if hackers have to do much more to execute a full-scale power grid attack, it’s scary to know that it could all start from something as innocuous as an MS Word document.

This is just one more reason we should all be using Google Docs.
