All posts in “hacking”

There’s now a crowdfunding campaign to buy stolen hacking tools

“Just a few clicks and it’s all mine!”

Image: Getty Images/Cultura RF

It’s quite the dilemma: A nefarious group of hackers plans to sell a cache of stolen National Security Agency exploits, but you can’t quite come up with the cryptocurrency needed to buy it. 

What to do?

Well, if you’re two prominent security researchers, the answer is simple: crowdfund it. That’s right, there’s now a Patreon for buying stolen NSA hacking tools.

But it’s not what you might think. The researchers behind the Patreon campaign, Hacker Fantastic and x0rz, hope that by purchasing the data they will be able to analyze it and possibly prevent another attack like the WannaCry ransomware. 

It all comes back to the Shadow Brokers, the group that dumped a host of exploits in April after ostensibly trying to sell them first. Its members made news again in May when they announced that they not only have more code, but that they intend to launch a subscription service to dole it out.

“TheShadowBrokers is launching new monthly subscription model,” they explained. “Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month.”

It’s a threat that should not be taken lightly. Just a single NSA exploit — EternalBlue — was crucial to the global spread of WannaCry. Imagine a new WannaCry-like worm every time the Shadow Brokers released additional exploits. It would be more than a digital nightmare — people could die.

WannaCry is no joke.

Image: B. TONGO/EPA/REX/SHUTTERSTOCK

That doesn’t need to happen, however. Hacker Fantastic and x0rz argue that early access to the exploits could provide security researchers time to develop and share fixes for vulnerable code. That’s where the Patreon campaign comes in. 

The Shadow Brokers requested payment in the cryptocurrency Zcash, and the two researchers think paying up is actually the smart move. Why? Because one way or another, those exploits are likely to get out. 

“I think they will eventually dump it to cause mayhem,” confirmed x0rz via Twitter direct message. “So far [the Shadow Brokers] didn’t say they are willing to dump them for free (but we can guess they will).”

X0rz, who declined to provide a real name, went on to note that gaining access “even 48 hours before [the dump] can be good for the community” so that “vendors and [Free and open-source software] developers can catch up and fix the vulns.”

This approach is not without its critics. To be sure, giving 100 ZEC (approximately $23,344 at the time of this writing) to unknown criminal elements is not exactly without risk. The Shadow Brokers could use it to fund malicious actions, or at the very least just keep the money and not deliver. 

Hacker Fantastic and x0rz think it’s worth the risk, however. 

Those interested in helping the campaign reach its goal can donate any amount of money, but those who kick $1,300 or more will get direct access to the Shadow Brokers’ exploits as soon as they are released to paying members. 

To prevent some random criminal from using this crowdfunding campaign to gain nation-state-level toolkits for himself or herself, Hacker Fantastic and x0rz are limiting code sharing to “whitehat ethical hackers” who can prove who they are. So that’s good.

Meanwhile, the clock is ticking. As the Shadow Brokers’ sale ends June 30, the two researchers have only a month to scrape together the money. Should they fall short, any funds they did collect will be donated. 

But if they succeed? Well, then we all may just have a fighting chance against the next WannaCry. 


Hackers just gave you another reason to hate vaping

It turns out vaping may be bad for more than just your look. 

With a few tweaks of the pen, a security researcher has demonstrated that vaporizers can be modified in such a way as to pass code to your computer. 

The problem, as with many things security related, comes down to the USB port. Used for both charging and data transfer, the port is a convenient place to plug in phones or other devices that need a battery boost—devices like vape pens. 

In a video demonstrating his work, the researcher, who goes by FourOctets, plugs an e-cigarette into a computer’s USB port and the device immediately lights up as if to charge. A few seconds go by and the computer starts to react.

“DO U EVEN VAPE BRO!!!!!,” reads a message that pops up on the screen. 

Essentially, the vaporizer issued a custom command to the computer, and the computer was all too happy to oblige. 

Take this as the weirdest example yet that you should never plug random devices into your USB ports.

While FourOctets has no ill intent, it is easy to imagine someone less scrupulous loading a computer with something not quite as funny. Like, say, a keylogger. Or ransomware.

So how did he make this happen? Thankfully for people worried about their e-cigs catching a virus, it required some hands-on work. 

“It started as more of a joke than anything,” FourOctets elaborated over Twitter direct message (he declined to give his real name). “This is done with extra hardware and a little bit of code.”

As to the point of the demonstration, other than the fact that it is legitimately hilarious? 

“Another goal usually when doing dumb stuff like this is that stuff is not always what it seems and that random stuff that can plug into a computer can be dangerous,” he explained. “A lot of folks aren’t aware that something like this is even possible whether it be with firmware or added hardware and a tiny bit of code found online.” 

So should you be worried that your vape pen is delivering malicious code to your laptop? 

“It’s probably pretty unlikely to ever get something like this from the factory that would do this,” FourOctets noted, “but the possibility is there and people need to be mindful of that.”

So, you know, something to maybe consider the next time you’re ripping that sweet cotton. 


Sony hackers accused of having a new ransomware side hustle

Working on that side hustle.

Image:  B. TONGO/EPA/REX/SHUTTERSTOCK

Crime doesn’t pay. Well, unless it’s your side hustle when you’re not working as a hacker for the North Korean government. 

Then it pays. Bitcoin, specifically. 

Security experts researching the ransomware WannaCry have zeroed in on a group they believe to be responsible for the attack that encrypted computers around the globe. It’s known as Lazarus, and you may already be familiar with what is thought to be their greatest hit: the 2014 Sony Pictures hack.

But this time around there’s a twist. While the 2014 attack was believed to be directed by the North Korean government, clues surrounding the WannaCry ransomware suggest that the hackers have struck out on their own in order to make a little cash on the side. 

“Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry,” Symantec explains on its blog. “Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign.”

So, a hacking group believed to be affiliated with the North Korean government, but not working at the behest of the government, is likely responsible for the WannaCry digital carnage. Got it?

Encrypting your data has never been so easy.

Image: Getty Images

How sure is Symantec of their verdict? Attribution for an attack like this is tricky work, and while it’s almost impossible to know with 100 percent certainty, the researchers are standing by their assessment. 

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Symantec Security Response Technical Director Vikram Thakur told Reuters.

And Symantec is not the first to point a finger at Lazarus. Another researcher, Google security researcher Neel Mehta, claimed a similar link — although that was far from definitive. 

Interestingly, as The New York Times reports, China has been hit particularly hard by WannaCry. If Chinese government officials determine that a North Korean affiliated group is indeed responsible, one imagines they won’t be too happy with their ally to the east. 

But hey, it’s worth the risk for all that sweet Bitcoin, right? Maybe not. Despite the widespread nature of the attack, only approximately $111,000 in ransom has been paid to the three Bitcoin addresses associated with the ransomware at the time of this writing. And it won’t be easy to convert the ransom into cash. 

So if the Lazarus hackers did strike out on their own with the goal of hitting digital pay-dirt, they may be dissatisfied with the result. But that’s OK — there are plenty of other stolen NSA exploits for them to play with. 


When it comes to online security, being paranoid is no longer enough

The struggle is real.

Image: Ambar Del Moral/mashable

You just wanted to see the photos your friend shared. Or buy a pair of shoes. Or read that story. 

Now your email account’s been hacked, your credit card number’s been stolen, and your computer for some reason is mining bitcoin. 

Welcome to the Internet of Today. The Internet of Tomorrow is shaping up to be a lot worse. 

But this is not the story of hijacked wireless security cameras crashing the internet, ransomware locking up England’s NHS, or a teddy bear that exposes you to hackers. Rather, this is about how securely navigating the internet for simple day-to-day tasks is becoming harder and harder while at the same time our dependency on successfully doing so is only increasing.

If things continue as they are now, soon not even maintaining a healthy paranoia — a prerequisite today for online life — will be enough to keep your data secure. A new approach is called for as we barrel blindly toward our shared dark online destiny. 

The old tricks aren’t working

A look at two common pieces of advice for safely traversing the internet wilds, and how quickly they have become outdated, helps to put things into perspective. 

Let’s start with something as non-controversial as the old recommendation to use two-factor authentication (2FA). Two-factor authentication safeguards your online accounts with a second layer of protection, and is an absolute must these days. In its most common form, 2FA is a random number texted to your phone when you try to log into an online account. You need that number, plus your password, to get access. 

Pretty neat, right? There’s just one problem: 2FA in its most common form is now completely busted. There’s a known exploit in telephone signaling protocols that lets hackers redirect SMS messages to any phone they want. This is not just theoretical. As previously reported by the International Business Times, a group of hackers recently took advantage of this exploit to hijack 2FA text messages and drain individual bank accounts across Europe. 

Ouch.

For real, though.

Image: getty

Sure, there are other forms of 2FA that don’t use SMS (and you definitely should use those), but the speed at which an accepted security best practice was turned to trash is astonishing. And it’s not the only one. 

Virtual private networks (VPN) work by encrypting your online data and running it through their own server before sending it out to the world. This, in theory, is great because it prevents would-be hackers from seeing what you’re doing. 

Good stuff, right? Well, yeah, except for the fact that a lot of companies offering VPN services are actually all kinds of shady. Basically, if you’re not careful, using a VPN might actually make you less secure. To make things even crazier, it’s incredibly hard to tell which VPN is legit and which is not. 

In other words, you might be better off not even trying. 

Another blow to online privacy. 

What to do?

Clearly, navigating the internet securely is no easy task — even if you’re paying attention. A sophisticated Google Doc phishing scam that hit a slew of journalists in May made it clear that even the professionally skeptical are not immune to a well-crafted attack. 

So where does that leave the rest of us? What happens when our online paranoia and fear of every unknown email, link, and update isn’t enough to keep us safe? Because that’s clearly where we’re heading. And anyway, as the old saying goes: Just because you’re paranoid doesn’t mean they aren’t actually out to get you.

As larger portions of our lives migrate online, it becomes correspondingly more important that we are able to protect that space. A new form of digital literacy is called for — one that is less about learning to use Microsoft Excel and more about knowing how to lock down every aspect of our digital selves. 

Sound depressing? Maybe, but so is getting your bank account drained by unknown hackers — something the Internet of Tomorrow will be all too happy to assist with. 


Hackers may be working to bring back WannaCry just for the lulz

When it comes to online currency, lulz just might outvalue Bitcoin. 

An unknown group of hackers is working behind the scenes to restart the ransomware WannaCry, and one security expert believes the culprits this time around aren’t who you think.

And neither is their motivation. 

Contrary to what you might expect, it appears not to be the initial group responsible for WannaCry now working to startle the ransomware monster awake from its slumber. Rather, we may have some internet randos to thank.

Why? The leading theory, proposed by security researcher Marcus Hutchins, suggests it’s all about shits and giggles. 

WannaCry rushed onto the international scene on May 12, infecting and encrypting hundreds of thousands of computer systems running unpatched Windows operating systems. The ransomware demanded that victims pay around $300 in the cryptocurrency Bitcoin to their attackers if they ever wanted to see their files again.

And while the damage was bad — England’s National Health Service was hit particularly hard — it could have been a lot worse. The ransomware — which utilized a stolen NSA exploit called EternalBlue — stopped spreading when Hutchins registered a mysterious domain he discovered in the malware code and sinkholed it. 

Hutchins explained the process on his blog, noting that “a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them.”

Hutchins means business.

Image: AP/REX/Shutterstock

The ransomware, it seems, was designed to contact Hutchins’ domain before it spread to the next victim. Hutchins’ registration of that domain created a kind of kill switch — effectively telling WannaCry to stop spreading. 

As long as that domain, and one other discovered and sinkholed by a different researcher, remain up and active the ransomware won’t spread. Which brings us back to our lulz-pirates. 
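As an added defender-side example (not code from the article or from Hutchins’ sinkhole), the following script reads constructed BIND-style resolver query-log lines and lists the internal hosts that looked up the kill-switch domain; the domain names are placeholders, since the page does not reproduce the real ones, and the log lines are made up for the demo.

```python
import re
from collections import defaultdict

# Placeholder names: the real WannaCry kill-switch domains are not reproduced here.
KILL_SWITCH_DOMAINS = {"killswitch-1.example", "killswitch-2.example"}

# BIND-style query log format: "<timestamp> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

# Constructed sample log for the demo (not captured traffic).
SAMPLE_LOG = """\
2017-05-12T15:01:02 client 10.1.4.27#51012: query: www.example.org IN A
2017-05-12T15:01:09 client 10.1.4.27#51033: query: killswitch-1.example IN A
2017-05-12T15:02:41 client 10.1.7.3#49231: query: killswitch-1.example. IN A
2017-05-12T15:03:15 client 10.1.9.88#40213: query: KILLSWITCH-2.EXAMPLE IN A
2017-05-12T15:03:20 client 10.1.4.27#51040: query: updates.example.org IN AAAA
not a log line at all
"""


def parse_line(line):
    """Return (timestamp, source_ip, qname) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalize: lower-case and strip a trailing dot so the FQDN form still matches.
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ts"), m.group("src"), qname


def find_kill_switch_lookups(log_text):
    """Map each source IP that queried a kill-switch domain to its sorted timestamps.

    WannaCry resolves the domain before it tries to spread, so a host that makes
    this lookup is already infected: the resolver log is an infection inventory,
    not a list of hosts the sinkhole protected.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, qname = parsed
        if qname in KILL_SWITCH_DOMAINS:
            hits[src].append(ts)
    return {src: sorted(ts_list) for src, ts_list in hits.items()}


if __name__ == "__main__":
    for src, times in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{src}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

Resolution of the domain must stay allowed on the internal resolver: returning NXDOMAIN for it has the same effect on that network as knocking the sinkhole offline, and re-enables propagation.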

Hutchins has observed an intentional distributed denial of service attack aimed at his domain with the apparent goal of knocking it offline. Wired reports that the traffic appears to be coming courtesy of the Mirai botnet — the same botnet, comprised of IoT devices like wireless security cameras, that brought down parts of the internet in the fall of 2016. 

Why would anyone do this? Could the initial WannaCry developers simply want more computers infected with the hope of making more money? Probably not. 

As Hutchins confirmed via Twitter direct message, the initial attackers don’t even appear able to keep up with the volume of decryption requests they’ve already received.

“[The] decryption system is stupid and completely unscalable,” he observed.

In other words, infecting more computers won’t exactly translate to more Bitcoin in their wallets. That leaves another possibility: someone just looking to mess with people. 

“Yeah, it’s most likely scriptkiddies doing it for lulz,” Hutchins further speculated — using a term that refers to relatively low-skilled hackers. 

So there you have it. If someone manages to knock Hutchins’ sinkhole offline, allowing WannaCry to spread further in the process, you’ll likely have some random prankster with a messed up sense of humor to thank. 

But don’t stress about it too much. “The DDoS is unlikely to be successful,” reassures Hutchins. 

Phew. Now if only Hutchins could solve our other internet security problems. 
