Breach a 'security disaster' for IEEE
posted by Keito
2012-09-29 19:21:01'The IEEE (Institute of Electrical and Electronics Engineers) describes itself on its website as "the world's largest professional association for the advancement of technology."
But after a data breach that left the usernames and passwords of 100,000 of its members exposed in plain text for a month, some security experts said it is clear both the organization and at least some of its members should also be in the business of the advancement of common sense security.
The breach discovered by an independent security researcher, demonstrates an almost inexplicable lack of basic security protocols, including some of the most vulnerable passwords possible.
Torsten George, vice president of worldwide marketing and products for Agiliance, a security risk management firm, called it "plain stupid."
Paul Ducklin, writing at Sophos' Naked Security blog, called it, "a veritable security disaster for the IEEE."
The IEEE announced the breach earlier this week. Redo Dragusin, a Romanian researcher and now a teaching assistant in the Department of Computer Science at the University of Copenhagen, said he discovered it on Sept. 18, and notified IEEE on Monday, Sept. 24.
"The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery," Dragusin wrote. "Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places."
He said the unencrypted passwords were the most "troublesome" element of the breach, but also said, "the simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs ..." which included more than 100GB of data containing detailed information on more than 376 million HTTP requests made by IEEE members.
A number of IEEE members were also failing to use basic security. Dragusin found that seven of the top-10 most popular passwords were combinations of the number string "1234567890," in order. Others in the top 20 included "password" and "admin."
IEEE sent a letter to its members the next day, acknowledging the breach, but saying, "This matter has been addressed and resolved. None of your financial information was made accessible in this situation. However, it was theoretically possible for an unauthorized third party, using your ID and password, to have accessed your IEEE account."
Because of that, the organization said it had terminated the access of its members under their current passwords, and would have to, "authenticate through a series of personal security questions you set up at the time you opened the account and to change your password."
The IEEE was unresponsive to questions from CSO Online about why the passwords were in plain text, how access to the weblogs was unrestricted and why the group did not discover the breach itself.
Adrienne McGarr, a public relations spokeswoman, emailed a copy of the statement IEEE had already posted on its website, saying the issue was addressed and resolved and members were being notified.
"IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused," the statement said.
George said the group has not taken the privacy of member information seriously, adding that the IEEE is not alone -- that this is somewhat typical of too many organizations.
"This illustrates a check-box mentality of compliance," he said. "It is looking at security as a necessary evil, but only to fulfill a regulatory mandate."
The failure to encrypt the data is especially mystifying, he said, "especially after the LinkedIn breach," a reference to the breach in June of the professional networking site that led to the posting of 6.5 million member passwords on a Russian hacking site. At the time LinkedIn was not using the preferred encryption method called salted hashing.
Following the breach, LinkedIn was hit with a $5 million class-action lawsuit.
George said it looks like the failure to restrict access to the webserver logs at IEEE was human error. "Somebody must have changed the access and forgot to change it back," he said. "It's a human mistake that's made very easily. But if they had done continuous monitoring, they would have noticed the restriction was not in place.
"You can't rely on humans," he said. "You have to automate the process."
Dragusin made it clear in his post that he did not intend to use the information for malicious means. Besides notifying IEEE, "I did not, and plan not to release the raw log data to anyone else," he wrote.
But that does not make him a hero to Paul Ducklin's, who mocked Dragusin's professed "uncertainty" about what to do with the information. Ducklin noted that Dragusin waited a week from the time he discovered the breach to notify IEEE, but still found time to "register his vanity name-and-shame domain, ieeelog.com, on 19 September 2012.
"Nor did it prevent him grabbing and processing 100GB of log data he knew wasn't supposed to be accessible," he wrote. "How is this bad? It probably isn't. But it's more of a 'don't be evil' outlook than one of 'actually be good.'"
George said that the IEEE, in addition to improving its own security standards, should force its members to have more rigorous passwords.
"You can mandate password policies," he said. "You can require that they include a combination of characters and digits. You can require that they be changed every 30 days. There is a lot of room for improvement."'
FBI denies link to leak of 12 million Apple codes
posted by Keito
2012-09-06 19:57:13Following on from the leaked Apple UDID codes earlier this week, the FBI has come out saying "We never had info in question. Bottom Line: TOTALLY FALSE"... Funny that! =) It couldn't possibly be that a 3 letter agency is lying to the public and gathering information about innocent civilians via any means at hand?... Could it?!
The BBC covers it as such:
'The FBI says there is "no evidence" that a hacker group gained access to 12 million identifying codes for Apple devices via an FBI agent's laptop.
AntiSec, a hacker group, posted a file on the internet on Monday that it said contained more than one million of Apple's so-called UDID codes.
UDIDs are a 40-character string unique to each Apple device.
AntiSec said it gained the codes from the laptop of an FBI agent called Christopher Stangl.
Mr Stangl works in the bureau's Regional Cyber Action Team, Wired Magazine reports.
AntiSec suggested that the 12 million codes were being used by the FBI to track the associated users.
Along with the posted file, the group said in a statement that it had only released one million IDs and had scrubbed identifying information, including full names, telephone numbers and addresses.
Commenting on the AntiSec revelation, the FBI said it had no indication of any link to its agent or computer.
"At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," the bureau said in a statement on Tuesday.
Peter Kruse, an e-crime specialist with CSIS Security Group in Denmark, tweeted on Tuesday that the leak "is real" and that he confirmed three of his own devices in the data.
Johannes Ullrich of the SANS Internet Storm Center told the AFP that while "there is nothing else in the file that would implicate the FBI... it is not clear who would have a file like this".
Hackers identifying themselves with AntiSec have made previous hits this year on the websites of Panda Labs' anti-malware products and New York Ironwork - a company that sells equipment to US police.'
For those that want to take a look at the source of this leak, check it out here. It reads as follows...
"Now I know what a ghost is. Unfinished business, that's what."
― Salman Rushdie, The Satanic Verses
we share ideas sometimes through the voice of twitter.com/@AnonymousIRC
so then there is where to look for news.
So well, some of you know what we were at during these last long weeks, and
probably less people know we were also testing new stuff and shits for our next
so, whatever. Happy to bring this Special #FFF Edition to you (so special that's
even not on friday), again for the utterly lulz.
we have written our very honest statement here, ofc it was intended for those
who are truely interested on reading it, for those fellows who dont give a fuck
about ideology and who are just lurking for the candy, skip it and jump
directly to the candy and lulzy part titled: Candy and Lulzy part. we hope you
find it useful as well as funny. and for those who dont care about the whole
fucking shit... wtf r u doing here?? go and download a movie.
so here we go...
just a comment: we are still waiting for published news about the
$ 2 billions worth loans Assad has taken from Russia,
mentioned on the syrian mails
and also about the transfer of money to austrian banks etc....
and also cocks...
So, don't be lazy journos and look for them.
a few words.
"For when all else is done, only words remain. Words endure."
In July 2012 NSA's General Keith Alexander (alias the Bilderberg Biddy) spoke
at Defcon, the hacker conference in Las Vegas, wearing jeans and a cool EFF
t-shirt (LOL. Wtf was that?). He was trying to seduce hackers into improving
Internet security and colonoscopy systems, and to recruit them, ofc, for his
future cyberwars. It was an amusing hypocritical attempt made by the system to
flatter hackers into becoming tools for the state, while his so-righteous
employer hunts any who doesn't bow to them like fucking dogs.
We got the message.
We decided we'd help out Internet security by auditing FBI first. We all know
by now they make Internet insecure on purpose to help their bottom line. But
it's a shitty job, especially since they decided to hunt us down and jail our
It's the old double standard that has been around since the 80's. Govt Agencies
are obsessed with witchhunts against hackers worldwide, whilst they also
recruit hackers to carry out their own political agendas.
You are forbidden to outsmart the system, to defy it, to work around it. In
short, while you may hack for the status quo, you are forbidden to hack the
status quo. Just do what you're told. Don't worry about dirty geopolitical
games, that's business for the elite. They're the ones that give dancing orders
to our favorite general, Keith, while he happily puts on a ballet tutu. Just
dance along, hackers. Otherwise... well...
In 1989 hagbard (23yrs old) was murdered after being involved into cold war spy
games related to KGB and US. Tron, another hacker, was
murdered in 1998 (aged 26) after messing around with a myriad of cryptographic
stuff (yeah, it's usually a hot item) and after making cryptophon easily
accesible for the masses. And then you have Gareth Williams (31), the GCHQ
hacker murdered and "bagged" inside a MI6's "safe" house (we'd hate to see what
the unsafe ones look like) in August of 2010 after talking about being curious
about leaking something to Wikileaks with fellow hackers on irc. And the list
goes on. It's easy to cover up when they want to, hackers often have complex
personalities, so faking their suicide fits well.
You are welcome to hack what the system wants you to hack. If not, you will be
Jeremy Hammond faces the rest of his productive life in prison for being an
ideological motivated political dissident. He was twice jailed for following
his own beliefs. He worked until the end to uncover corruption and the
connivance between the state and big corporations. He denounces the abuses and
bribes of the US prison system, and he's again facing that abuse and torture at
the hands of authorities.
Last year, Bradley Manning was tortured after allegedly giving WikiLeaks
confidential data belonging to US govt... oh shit. The world shouldn't know how
some soldiers enjoy killing people and even less when they kill journalists. Of
course, the common housewife doesn't deserve to know the truth about the
hypocrisy in the international diplomacy or how world dictators spend money in
luxury whilst their own people starve. Yep, the truth belongs only to the
elite, and if you are not part of them (forget it, that won't happen), fuck
People are frustrated, they feel the system manipulating them more than ever.
Never underestimate the power of frustrated people.
For the last few years we have broke into systems belonging to Governments and
Big corporations just to find out they are spending millions of tax dollars to
spy on their citizens. They work to discredit dissenting voices. They pay their
friends for overpriced and insecure networks and services.
We showed how former govt and military officials were making new businesses
using their government relationships.
They funnel public money to their own interests for overpriced contracts for
crap level services. They use those
relationships to extra-officially resolve affairs involving their businesses.
We exposed a criminal System eliminating those who think different;
criminalizing them. This System won't tolerate those who dig for the truth, it
can't. So no one has the right to question anything coming from this system. if
you buy a piece of hardware or software you just need to use it as it was
supposed to be used: anything else is forbidden.
No tinkering allowed.
If you buy a Playstation, you are not allowed to use it as you want to -- you
can only use it the Sony wants you to. If you have found a way to improve
something, just shut up. You are not allowed to share this info with anyone
else and let them make improvements, too. We are not the real owners of
anything anymore. We just borrow things from the System. Shiny, colorful
things, we agree to play with for a fee. A fee for life.
Because this system works only if you keep working to buy new things.
Not important if they are good things, just buy new crap, even better like that.
So everything gets outdated soon.
You home, stuff, car and computer, you will pay for everything you have for all
of your life. All the time: a monthly fee, forever until you die. That's the
future; nothing is really yours. LAAS - Life As A Service.
You will rent your life.
And better hurry up and work all day if you want to stay alive. Work 'til
you're exhausted and don't think. No -- thinking is bad. Play games instead, do
drugs too, why not? Or go to the movies. The Entertainment Industry is here to
resolve all your philosophical and trascendental problems. Shiny colorful crap.
but please don't think too much.
Thinking is dangerous.
Accept the offer, it's the perfect deal.
You get all those amazing shiny colorful beads.
It will only cost you freedom...and your life.
Indians did it with Manhattan.
There's nothing to worry about it, is there?
And what if you are a lone wolf who quietly outside the system, doing your own
thing, without saying a word? They will be mad as hell. They will try to find
you. You will be fucked up anyway, sooner or later. Because the system wants
you clearly identified, with all your personal details well packed into a
government database so it can make its watchdogs' lives easier.
Security researchers are often questioned and their movements tracked by Secret
Service, FBI and other shits. They are asked about their projects, who their
clients are, who they are talking to, what they know about other hackers, etc..
So be a good monkey, follow the rules, head down and you'll get some coins
that let you keep renting your life.
But hey! Wait...
We are hackers...
We are supposed to look beyond the rules, to find things others don't see. And
THE SYSTEM, yeah the whole fucking system, it's just another system.
...and we do that.
we hack systems.
This is our next challenge: to decide whether to become tools for the system,
or for ourselves. The system plans to use us to hold the next in their endless
wars, their cyberwars.
Hackers vs. hackers, slaves vs slaves.
We are trapped.
Jack Henry Abbott, a writer who was incarcerated almost his whole life for his
crimes, wrote before hanging himself: "As long as I am nothing but a ghost of
the civil dead, I can do nothing…", the 'civil dead' are those, like himself,
who had their autonomy systematically destroyed by the state. Now his words
extend to cover all of us. We have seen our own autonomy being systematically
destroyed by the State. We are becoming ghosts of our dead civil rights.
So yes we are criminals, we are the criminals our dear system have created:
Argumentum ad Baculum
In a world where you fear the words you use to express yourself. Where you are
punished for choosing the wrong ones, we have just decided to follow our own
way. There's no worst kind of slavery than one where you are afraid of your own
Governments around the globe are already in control of us in real life, and
they have now declared war on the people to take over the Internet.
It's happening now. It's not waiting for you to wake up.
So now my dear friends, it's your turn to decide where you belong,
and what you are made of.
"When the people fear the government there is tyranny, when the government
fears the people there is liberty."
― Thomas Jefferson
CANDY! CANDY! CANDY!...............candy.
HOW TO GET THE CANDY ONCE YOU HAVE DOWNLOADED THE FILE
first check the file MD5:
(lol yes, a "1337" there for the lulz, God is in the detail)
then decrypt the file using openssl:
openssl aes-256-cbc -d -a -in file.txt -out decryptedfile.tar.gz
tar -xvzf decryptedfile.tar.gz
and then check file integrity using the MD5 included in the password u used to
^ yeah that one.
if everything looks fine
then perhaps it is.
there you have. 1,000,001 Apple Devices UDIDs linking to their users and their
the original file contained around 12,000,000 devices. we decided a million would be
enough to release.
we trimmed out other personal data as, full names, cell numbers, addresses,
not all devices have the same amount of personal data linked. some devices
contained lot of info.
others no more than zipcodes or almost anything. we left those main columns we
consider enough to help a significant amount of users to look if their devices
are listed there or not. the DevTokens are included for those mobile hackers
who could figure out some use from the dataset.
file contains details to identify Apple devices.
Apple Device UDID, Apple Push Notification Service DevToken, Device Name,
We never liked the concept of UDIDs since the beginning indeed.
Really bad decision from Apple.
so the big question:
why exposing this personal data?
well we have learnt it seems quite clear nobody pays attention if you just come
and say 'hey, FBI is using your device details and info and who the fuck knows
what the hell are they experimenting with that', well sorry, but nobody will care.
FBI will, as usual, deny or ignore this uncomfortable thingie and everybody will
forget the whole thing at amazing speed. so next option, we could have released
mail and a very small extract of the data. some people would eventually pick up
the issue but well, lets be honest, that will be ephemeral too.
So without even being sure if the current choice will guarantee that people
will pay attention to this fucking shouted
'FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME
SHIT' well at least it seems our best bet, and even in this
case we will probably see their damage control teams going hard lobbying media
with bullshits to discredit this, but well, whatever, at least we tried and
eventually, looking at the massive number of devices concerned, someone should
care about it. Also we think it's the right moment to release this knowing that
Apple is looking for alternatives for those UDID currently and since a while
blocked axx to it, but well, in this case it's too late for those concerned
owners on the list. we always thought it was a really bad idea. that hardware
coded IDs for devices concept should be erradicated from any device on the
market in the future.
so now candy was delivered.
few words, and just a few, about how the shit came. we don't like too much
about disclosing this part, we understood it would be needed, so, fuck
whatever. lost asset. Hope it serves for something.
During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team was breached using the
AtomicReferenceArray vulnerability on Java, during the shell session some files
were downloaded from his Desktop folder one of them with the name of
"NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of device,
type of device, Apple Push Notification Service tokens, zipcodes, cellphone
numbers, addresses, etc. the personal details fields referring to people
appears many times empty leaving the whole list incompleted on many parts. no
other file on the same folder makes mention about this list or its purpose.
to journalists: no more interviews to anyone till Adrian Chen get featured in
the front page of Gawker, a whole day, with a huge picture of him dressing a
ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith
Alexander. go, go, go.
(and there you ll get your desired pageviews number too) Until that happens,
this whole statement will be the only thing getting out
directly from us. So no tutu, no sources.
Our support to Wikileaks and Julian Assange.
respect to Tunisian and Egyptian people, keep the good fight. Dont accept new
oppressors in the place of the old ones.
To Syrian rebels: If Assad wins he will exterminate all of you till the very
last one, so better go and kill the motherfucker and his
bunch of suckers for once.
Support to Pussy Riot: Hang in there, babes! Resistance forever.
we r sorry mike about what happened to you and princess.
we didnt want to bring you in troubles with the feds
and we ve heard about the reasons leading you to have spoken out to them,
it's sad you ve just hanged around couple of weeks with us
(we vagely understood u felt misplaced),
but looking back to some events, at the end, it was also a good choice for
hope u finish understanding it's not about the things we think we have seen.
its always about those things we dont see.
theres always another behind behind the behind.
Greetings to all other groups struggling on their daily fight.
Remember that fights between us it's what our adversaries are looking for.
Now this is your time.
"This is the highest wisdom that I own; freedom and life are earned by those
alone who conquer them each day anew."
LulzSec, AntiSec, LulzXmas series, ALL YOUR BASE ARE BELONG TO US,
MegaCockLulzFestival, "I'm 12 and wat iz diz?", CIA Tango Down,
#FuckFBIFriday, #StratforHasTheButtInFlames, #BlueHairedAaronBarr,
#WestboroChurchLovesEatingCocks, White Hats Can't Jump, "Keith Alexander
dressing an exhuberant ballet tutu" image and others are all trademarks of
Anonymous Inc. and well...all the people in general...
Romney aber, sag's ihm, er kann mich im Arsche lecken!
Disclaimer: We like beer and the use of manipulated bacterial ADN to transmit
well that's all now we can move on and go to sleep.
Computer virus hits second energy firm
posted by Keito
2012-09-02 16:33:08'Computer systems at energy firm RasGas have been taken offline by a computer virus only days after a similar attack on oil giant Aramco.
The attacks come as security experts warn of efforts by malicious hackers to target the oil and energy industry.
The attack forced the Qatar-based RasGas firm to shut down its website and email systems.
RasGas, one of the world's largest producers of liquid petroleum gas, said production was not hit by the attack.
The company said it spotted the "unknown virus" earlier this week and took desktop computers, email and web servers offline as it cleaned up.
The report comes only days after Saudi Arabia's Aramco revealed it had completed a clean-up operation after a virus knocked out 30,000 of its computers. The cyber- assault on Aramco also only hit desktop computers rather than operational plant and machinery.
Both attacks come in the wake of alerts issued by security firms about a virus called "Shamoon" or "Disstrack" that specifically targets companies in the oil and energy sectors.
Unlike many other contemporary viruses Shamoon/Disstrack does not attempt to steal data but instead tries to delete it irrecoverably. The virus spreads around internal computer networks by exploiting shared hard drives.
Neither RasGas nor Aramco has released details of which virus penetrated its networks.
The vast majority of computer viruses are designed to help cyber-thieves steal credit card numbers, online bank account credentials and other valuable digital assets such as login names and passwords.
However, an increasing number of viruses are customised to take aim at specific industries, nations or companies.
The best known of these viruses is the Stuxnet worm which was written to disable equipment used in Iran's nuclear enrichment efforts.'
Oil Producer Saudi Aramco Reveals Cyber Attack Hit 30,000 Workstations
posted by Keito
2012-08-29 20:53:43'Saudi Aramco, the world's biggest oil producer, has resumed operating its main internal computer networks after a virus infected about 30,000 of its workstations in mid-August.
Immediately after the Aug. 15 attack, the company announced it had cut off its electronic systems from outside access to prevent further attacks. Saudi Aramco said the virus "originated from external sources" and that its investigation into the matter was ongoing. There was no mention of whether this was related to this month's Shamoon attacks.
“The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network,” Saudi Aramco said over Facebook.
“We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever,” Saudi Aramco’s chief executive, Khalid al-Falih, said in a statement.
However, one of Saudi Aramco’s websites which was taken offline after the attack - www.aramco.com - remained down yesterday. E-mails sent by Reuters to people within the company continued to bounce back.
Supposed hacktivists have claimed the hit on the oil giant, saying they would hit the company again tomorrow. The group said it was “fed up of crimes and atrocities taking place in various countries around the world”, in a post on Pastebin. They said they were targeting the House of Saud, the ruling royal family of Saudi Arabia, and targeted Aramco as it was “the largest financial source for Al-Saud regime”.
The group, calling itself the ‘Cutting Sword of Justice’, claimed to have hacked Aramco systems in several countries before sending a virus across 30,000 computers achieving a 75 percent infection rate of all the company’s systems. It refuted suggestions that a nation state was behind the attack.
Symantec, one of the world’s largest internet security companies, said on the day after the Saudi Aramco attack that it had discovered a new virus that was targeting at least one organisation in the global energy sector, although it did not name that organisation.
“It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable,” Symantec said in a blog posting about the virus, which it called W32.Disttrack. “Threats with such destructive payloads are unusual and are not typical of targeted attacks.”
Saudi Aramco’s al-Falih said in his statement yesterday: “Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber attack.”'
Private Key Found Embedded In Major SCADA Equipment
posted by Keito
2012-08-23 21:10:07"RuggedOS (A Siemens Subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key. Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free. If the claims are valid, systems in use which would be affected include U.S. Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation. The SCADA gear which RuggedOS typically runs on is often connected to machinery controlling electrical substations, traffic control systems, and other critical infrastructure. This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account."