[This article is originally published in theconversation.com written by Misha Ketchell - Uploaded by the Association Member: Jennifer Levin] 

With more than half of its 1.4 billion people online, the world’s most populous country is home to a slew of cyberspies and hackers. Indeed, China has likely stolen more secrets from businesses and governments than any other country.

Covert espionage is the main Chinese cyber threat to the U.S. While disruptive cyber attacks occasionally come from China, those that cause overt damage, like destroying data or causing power outages, are more common from the other top state threats, namely Russia, Iran, and North Korea.

But Chinese cyberaggression toward the U.S. has been evolving. Before their espionage became a serious threat, Chinese hackers were conducting disruptive cyber attacks against the U.S. and other countries.

Hackers unite

Chinese hackers were among the first to come together in defense of their country. Their first operation against the U.S. occurred in 1999 during the Kosovo conflict, when the U.S. inadvertently bombed the Chinese embassy in Belgrade, killing three Chinese reporters. The patriotic hackers planted messages denouncing “NATO’s brutal action” on several U.S. government websites.

Chinese hackers struck the U.S. again in 2001 after a Chinese fighter plane collided with a U.S. reconnaissance aircraft. The midair collision killed the Chinese pilot and led to the forced landing and detention of the American crew. Both Chinese and American hackers responded with disruptive cyberattacks, with the Chinese hackers defacing thousands of U.S.-based websites, including the White House site.

What is especially important about this incident, though, is what happened next. The People’s Daily, China’s Communist Party newspaper, issued an editorial decrying the attack against the White House. The paper called it, and the other attacks, “web terrorism” and “unforgivable acts violating the law.” On the anniversary of the incident in 2002, the government asked Chinese hackers to forgo further attacks against U.S.-based sites. They complied.

That was the last big cyber attack from Chinese patriotic hackers against the U.S. While Russia seems to condone, if not outright encourage or even sponsor, its patriotic hackers, China has taken a stance against that sort of activity, at least with respect to U.S.-based sites.

Targets at home

In addition to reining in its patriotic hackers, China appears to have refrained from conducting cyber attacks that cause overt damage to critical infrastructure in other countries, like the Russians did to Ukraine’s power grid. However, it has used disruptive cyber attacks to help enforce censorship policies within its own borders.

The Chinese government’s “Great Firewall” keeps internet users in China from accessing censored foreign sites such as those that advocate Tibetan autonomy. Users’ traffic is filtered based on domain names, internet addresses, and keywords in web addresses.

Chinese hackers have also used denial-of-service attacks to temporarily take out sites whose activity the government wants to block. These attacks overwhelm target servers with large amounts of activity, preventing others from using the sites and often knocking the servers offline.

Back in 1999, the government launched DoS attacks against foreign websites associated with Falun Gong, a spiritual movement banned in China. Then in 2011, a Chinese military TV program showed software tools being used in possible cyber attacks against Falun Gong sites in the U.S. The tools were developed by the Electrical Engineering University of China’s armed forces, the People’s Liberation Army.

More recently, in 2015, U.S. and other foreign users visiting sites running analytics software from the Chinese search engine provider Baidu unwittingly picked up malware. The malicious code was injected into traffic going back to the users by a device collocated with the Great Firewall. The malware then launched DDoS attacks against GreatFire.org, a site that helps Chinese users evade censorship, and the Chinese language edition of The New York Times.

Espionage at the forefront

By 2003, China’s interest in cyberespionage was apparent: A series of cyberintrusions that U.S. investigators code-named “Titan Rain” was traced back to computers in southern China. The hackers, believed by some to be from the Chinese army, had invaded and stolen sensitive data from computers belonging to the U.S. Department of Defense, defense contractors, and other government agencies.

Titan Rain was followed by a rash of espionage incidents that originated in China and were given code names like “Byzantine Hades,” “GhostNet” and “Aurora.” The thieves were after a wide range of data.

They stole intellectual property, including Google’s source code and designs for weapons systems. They took government secrets, including user names and passwords. And they compromised data associated with Chinese human rights activists, including their email messages. Typically, the intrusions started with spear-phishing.

In 2013, the American cyberintelligence firm Mandiant, now part of FireEye, issued a landmark report on a Chinese espionage group it named “Advanced Persistent Threat 1.” According to the report, APT1 had stolen hundreds of terabytes of data from at least 141 organizations since 2006.

The Mandiant report gave details of the operations and provided evidence linking those thefts to Unit 61398 of the People’s Liberation Army – and named five officers of the unit. This was the first time any security firm had publicly disclosed data tying a cyber operation against the U.S. to a foreign government. In 2014, the U.S. indicted the five Chinese officers for computer hacking and economic espionage.

Mandiant described APT1 as “one of more than 20 APT groups with origins in China.” Many of these are believed to be associated with the government. A report from the nonprofit Institute for Critical Infrastructure Technology describes 15 state-sponsored advanced persistent threat groups, including APT1 and two others associated with PLA units. The report does not identify sponsors for the remaining groups.

The Five-Year Plan

According to the institute, China’s espionage supports the country’s 13th Five-Year Plan (covering the years 2016 to 2020), which calls for technology innovations and socioeconomic reforms. The goal is “innovative, coordinated, green, open and inclusive growth.” The ICIT report said most of the technology needed to realize the plan will likely be acquired by stealing trade secrets from companies in other countries.

In its 2015 Global Threat Report, the American cyberintelligence firm CrowdStrike identified dozens of Chinese adversaries targeting business sectors that are key to the Five-Year Plan. It found 28 groups going after defense and law enforcement systems alone. Other sectors victimized worldwide included energy, transportation, government, technology, health care, finance, telecommunications, media, manufacturing, and agriculture.

China’s theft of military and trade secrets has been so rampant that editorial cartoonists Jeff Parker and Dave Granlund depicted it as “Chinese takeout.”

US-China agreement

In September 2015, President Obama met with China’s President Xi Jinping to address a range of issues affecting the two countries. With respect to economic espionage, they agreed that their governments would not conduct or knowingly support cyber-enabled theft of business secrets that would provide a competitive advantage to their commercial sectors. They did not agree to restrict government espionage, a practice that countries generally consider to be fair game.

In June 2016, FireEye reported that since 2014 there had been a dramatic drop in cyberespionage from 72 suspected China-based groups. FireEye attributed the reduction to several “factors including President Xi’s military and political initiatives, the widespread exposure of Chinese cyberoperations, and mounting pressure from the U.S. Government.” The ICIT believes China may also be asserting greater control over its operatives and focusing on unspecified high-priority targets.

The U.S.-China agreement also calls for the two countries to cooperate in fighting cybercrime. Just weeks after the deal was signed, China announced it had arrested hackers connected with the 2015 intrusions into the Office of Personnel Management’s database. Those had exposed highly sensitive personal and financial data of about 22 million federal employees seeking security clearances. The Washington Post observed that the arrests could “mark the first measure of accountability for what has been characterized as one of the most devastating breaches of U.S. government data in history.”

The cyber threat to the U.S. from China is mostly one of espionage, and even that threat seems to be declining. Nevertheless, companies need to be wary of losing their data, not just to China, but to any country or group seeking to profit from U.S. trade secrets and other sensitive data. That calls for staying ahead of the cybersecurity curve.


Source: This article was published on securityintelligence.com by Jasmine Henry - Contributed by Member: Deborah Tannen

The dark component of the deep web is the primary highway for the exchange and commerce among cybercriminal groups. In fact, very few cybercriminals work alone. Eighty percent of cybercrime is linked to criminal collectives, and stolen data-shaped goods surface rapidly on darknet forums and marketplaces following cybersecurity incidents with data loss.

Adapting to these trends is essential. Organizations with the ability to extract threat intelligence from data-mining these elusive online sources can achieve a significant security advantage.

Deep Web and Darknet: What’s the Difference?

The part of the web accessible through search engines and used for everyday activities is known among researchers as the surface web. Anything beyond that is defined as the deep web. While estimates vary, some researchers project there are 90 percent more deep websites than surface ones, according to TechCabal. In the deep web are unindexed websites that are not accessible to everyday Internet users. Some restrict access; others are routed through many layers of anonymity to conceal their operators’ identity.

Darknet websites and technologies are a subset of the deep web classification, which consists of sites intentionally hidden and generally only accessible through technologies like The Onion Router (Tor), a software that facilitates anonymous communication, or peer-to-peer (P2P) browsers. This hidden web is closely associated with anonymity and (in some cases) criminal activity supported by open exchange and collaboration between threat actors.

How to Draw Dark Threat Intelligence

“Dark web intelligence is critical to security decision-making at any level,” said Dave McMillen, senior analyst with X-Force IRIS at IBM X-Force Incident Response and Intelligence Services (IRIS). “It is possible to collect exploits, vulnerabilities and other indicators of compromise, as well as insight into the techniques, tactics, and procedures [TTPs] that criminals use for distinct knowledge about the tools and malware threat actors favor.”

When this real-time threat data is filtered through sufficient context and separated from false positives, it becomes actionable intelligence. McMillen believes there are several ways organizations can benefit from dark-sourced intelligence. These benefits include understanding emerging threat trends to develop mitigation techniques proactively. Dark-source intelligence could also help with identifying criminal motivations and collusion before attacks. It could even aid in attributing risks and attacks to specific criminal groups.

How to Identify Darknet Security Risks

For expert threat researchers like McMillen, patterns of deep web activity can reveal an attack in progress, planned attacks, threat trends or other types of risks. Signs of a threat can emerge quickly, as financially-driven hackers try to turn stolen data into profit within hours or minutes of gaining entry to an organization’s network.

The average time it takes to identify a cybersecurity incident discovery is 197 days, according to the 2018 Cost of a Data Breach Study from the Ponemon Institute, sponsored by IBM. Companies who contain a breach within 30 days have an advantage over their less-responsive peers, saving an average of $1 million in containment costs.

“Employing dark web monitoring solutions that allow the use of focused filters to identify key phrases, such as your brand and product names, that may contain information that can negatively affect your organization is a good start in your effort to glean useful intelligence from the dark web,” McMillen said.

The collected data should then be alerted and routed through a human analysis process to provide actionable insights. Context-rich threat intelligence can reveal many different forms of risk.

1. Organization or Industry Discussion

Among the key risk factors and threats are mentions of an organization’s name in forum posts, paste sites, channels or chatrooms. Contextual analysis can determine whether threat actors are planning an attack or actively possess stolen data. Other high-risk discussions can surround niche industries or verticals, or information on compromising highly-specific technologies employed by an organization.

2. Personally Identifiable Information (PII) Exchange

When a breach has occurred, the sale of PII, personal health data, financial data or other sensitive information can be indicative of the aftermath of an attack. A single data record can sell for up to $20, according to Recorded Future. This data is generally stolen en masse from large organizations — such as credit agencies and banks — so a few thousand credit card numbers can turn a huge profit.

Unsurprisingly, 76 percent of breaches are financially motivated, according to the 2018 Data Breach Investigations Report from Verizon.

3. Credential Exchange

Lost or stolen credentials were the most common threat action employed in 2017, contributing to 22 percent of data breaches, according to the Verizon report. While the presence of usernames and passwords on paste sites or marketplaces can indicate a data breach, contextual analysis is required to determine whether this is a recent compromise or recycled data from a prior incident.

In May 2018, threat intelligence company 4iQ uncovered a massive floating database of identity information, including over 1.4 billion unencrypted credentials.

“The breach is almost two times larger than the previous largest credential exposure,” Julio Casal, founder of 4iQ, told Information Age.

4. Information Recon

Social engineering tactics are employed in 52 percent of attacks, according to a February 2018 report from security company F-Secure. Collusion around information recon can surface in both open and closed-forum exchanges between individual threat actors and collectives.

5. Phishing Attack Coordination

As phishing and whaling attacks become more sophisticated, deep web threat intelligence can reveal popular TTPs and risks. Coordination around information recon is common. Threat actors can now purchase increasingly complex phishing-as-a-service software kits and if defenders are familiar with them, they can better educate users and put the right controls in place.

Although malicious insiders cause fewer breaches than simple human error, the darknet is an established hub for criminal collectives to recruit employees with network credentials for a sophisticated attack. Dark Reading tracked nearly twice as many references to insider recruitment on darknet forums in 2016 as in 2015.

7. Trade Secrets and Sensitive Asset Discussions

Trade secrets and competitive intelligence are another lucrative aspect of threat actor commerce that can signal risks to researchers. In one recent incident reported by CNBC in July 2018, a likely Russian cybercriminal sold access to a law firm’s network and sensitive assets for $3,500. Having had that information ahead of time could have saved the victim time, money, and reputational damage.

What Are the Challenges to Deriving Value From Dark Sources?

While there is clear strategic and tactical value to darknet threat intelligence, significant challenges can arise on the road to deep web threat hunting and data-mining. For instance, it’s not ideal to equip security operations center (SOC) analysts with a Tor browser. The potential volume of false positives based on the sheer size of the hidden web necessitates a more effective approach.

“The dark web is fragmented and multi-layered,” McMillen said.

When researchers discover a credible source, it generally requires hours to vet intelligence and perform a complete analysis. Darknet commerce has also grown increasingly mercurial and decentralized as law enforcement tracks criminal TTPs as they emerge. Security leaders who can overcome these barriers have the potential to significantly improve security strategy in response to emerging threat trends and risk factors.

The 2018 Artificial Intelligence (AI) in Cyber-Security Study from the Ponemon Institute, sponsored by IBM Security, discovered that AI could provide deeper security and increased productivity at lower costs. Sixty-nine percent of respondents stated that the most significant benefit of AI was the ability to increase speed in analyzing threats.

As leaders consider how to deepen adoption of dark threat intelligence, it’s valuable to understand that not all intelligence sources can adequately capture the full scope of threat actor exchange on this vast, fast-morphing plane. Relying on stagnant, outdated or fully automated technologies may fail to mitigate important risks. The best mode of protection is one which combines the intelligence of skilled human researchers and AI to turn raw data into actionable intelligence effectively.



Cloak & Dagger vulnerability uses Android's own features to fool users.

Do you like downloading and trying a wide range Android games and apps? You may want to rethink that habit, or at least proceed with caution. A newly disclosed Android vulnerability means miscreants can use apparently harmless apps to fool you into giving them "permission" to take control of your phone or tablet and watch everything you do with it.

Researchers at UC Santa Barbara and the Georgia Institute of Technology recently revealed a vulnerability they call Cloak & Dagger that can let miscreants use your phone's own permissions against you. It works like this: You download and run a new app. As so many apps do, it pops up an opening screen that asks you to agree to something. That something could be almost anything: Click here to watch our tutorial video. Or proceed to the game. It doesn't really matter what the app appears to be asking you to do. What it's really doing is asking your permission for administrative powers that let it use your phone for...whatever it likes.

How does it manage to fool you? Using an Android feature called "Draw over other apps," in which an image or dialog box appears on top of anything else that might be on your device's screen. The "chat heads" used by Facebook Messenger are one example of how this works.

Google routinely grants apps the right to draw over other apps if they request it. They can be highly useful, but a cleverly crafted drawing could be laid on top of an Android warning about granting an app extensive permissions, while making it appear that you're saying OK to something completely different. One example is that it can activate accessibility functions. That allows the nefarious app to see and record your keystrokes, as some accessibility functions need to do in order to function.



What can you do about it? Unfortunately current versions of Android do not ask for your permission for a newly installed app to draw over other apps. So to find out if you're affected, begin by going into Settings, clicking on apps, and then clicking on settings from the app listing (the gear in the upper right). At the bottom of the list that appears, you'll find "Special access." Click that to see which apps have the right to draw over other apps. You can get detailed information about this vulnerability and how to check your device here.

Google has known about this vulnerability for some time now--the researchers alerted the company months before telling the rest of us. And the company says it is able to detect and block Play Store apps that take advantage of it. So a good place to start would be to avoid downloading Android apps from anywhere other than the Play Store unless you know and trust the source. And hope that Google finds a way to close this security loophole soon.

Source: This article was published on inc.com by Minda Zetlin


A TERRIFYING new malware attack – that enables hackers to silently take control of your smartphone and siphon private data – can be used on all versions of the Android operating system, researchers have sensationally claimed.

Cybercriminals can record EVERYTHING you do on your Android phone

A catastrophic new cyberattack has been uncovered – and it affects all versions of the Android operating system up to version 7.1.2, researchers at Georgia Institute of Technology have claimed.

Worst of all, Google will struggle to stop this latest attack, due to the way it infiltrates your Android device's permissions, the researchers added.

Dubbed Cloak and Dagger, the terrifying new attack allows hackers to silently take control of your smartphone and steal private data, including every keystroke, chats, PIN code, online account passwords, contacts, and more.

Cloak and Dagger doesn't exploit any specific vulnerability in the Android operating system.

Instead, the clever new attack abuses legitimate app permissions that are widely-used by legitimate apps to access certain features on an Android device, researchers have claimed.

Hackers have to use two permissions to initiate the attack.

The first permission, known as "Draw On Top", is a legitimate permission that allows applications to overlap on the screen as well as on top of other apps.

The second, known as "a11y", is designed to help visually impaired Android users, allowing them to enter data with voice commands, or listen to content on-screen using a screen reader feature.

According to the findings from Georgia Institute of Technology, a malicious app submitted to the Google Play Store could exploit these legitimate app permissions to allow hackers access to your Android smartphone.

Once the malicious app is installed on a device, hackers can make a record of every keystroke you type, install other applications without your knowledge, and silently unlock the device without waking the screen.

Cybercriminals would be able to spy on every activity you do on your phone.

Hackers can silently take control of your phone and steal private data, including keystrokes, chats and more

Researchers have published a number of video demonstrations of the Cloak and Dagger attacks – and it's a little terrifying.

Unfortunately, it's not going to be easy for Google to protect users against this type of attack.

According to Yanick Fratantonio, the Georgia Institute of Technology paper's first author, "changing a feature is not like fixing a bug.

"System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device."

Google is set to change the policy around the "Draw On Top" permission with Android 8.0.

That should stop the Cloak and Dagger attack, researchers have highlighted.

However, the next version of Android will take a long time to roll-out to users.

Google recently revealed that "About half of devices in use at the end of 2016 had not received a platform security update in the previous year".

Yes, that's right. "About half" of all Android devices did not get a single security update in the last year.

The Android Security Year in Review highlights a number of improvements in the Android ecosystem

That's not good news – especially when coupled with the latest findings from the Georgia Institute of Technology.

Unlike iOS software updates, which are rolled out simultaneously to all compatible devices by Apple itself, Google hands over its software updates to individual device manufacturers, dubbed OEMs.


Unfortunately, a worrying number of these manufacturers are slow to adopt operating system updates and critical security patches. 

Google is well aware of the problem, and has desperately been looking for a solution for years.

The California-based company even considered a plan to publicly name and shame mobile carriers and device makers that drag their feet with important updates.

Thankfully, there is a workaround.

According to technology blog The Hacker News, the best way to disable the Cloak and Dagger attacks in Android 7.1.2 is to manually turn off the "Draw On Top" permission.

Head to Settings > Apps > Gear symbol > Special access > Draw over other apps.

Another precaution is to only download applications from trusted and verified developers on the Google Play Store.

Source: This article was published express.co.uk By AARON BROWN


As the global infosec community continues to fight back against the threat of new attacks, the cybercriminals behind the WannaCry ransomware attacks are still at it, attempting to reap as much profit as possible. Security experts have detected new ransom demands made by the WannaCry hackers. Some experts working to mitigate the attacks and come up with a decryption key for infected users have reportedly been targeted by DDoS attacks leveraging the prolific Mirai botnet.

The attacks are an attempt to go after the kill switch, activated by 22-year-old British security researcher Marcus Hutchins, aka MalwareTech, of Kryptos Logic, who became the "accidental hero" by stopping the first wave of global ransomware attacks that hit numerous companies and networks across 150 countries.

Mirai-powered DDoS attacks against the WannaCry kill switch

Once news broke out about MalwareTech stopping the attacks, the sinkhole – the kill switch website used to direct malware to a specific web address to contain it – almost immediately came under attack from the WannaCry hackers.

How the global WannaCry ransomware attacks were stopped by this 'accidental hero'

"Pretty much as soon as it went public what had happened, one of the Mirai botnets started on the sinkhole," MalwareTech told Wired. He added that the DDoS attacks may not have been the work of the original WannaCry authors. Instead, he believes that this may be the work of other hacker groups that want to restart the WannaCry epidemic just for fun.

"They've obviously got no financial incentive. They're not the ransomware developers," the researcher said. "They're just doing it to cause pain." He added that the attacks appear to be coming from known Mirai-based botnets that appeared when the botnet's source code was first publicly released by its creator Anna_Senpai. Hutchins believes that the attacks are the work of low-level hackers using publicly available tools.

"Now any idiot and their dog can set up a Mirai botnet," Hutchins says.

However, Hutchins is confident that he and his colleagues at Kryptos Logic can keep the attackers at bay. The firm has also enlisted the help of an unspecified DDoS mitigation company to help defend against the hackers.

New ransom demands

Despite the spread of the attacks having been stopped, the WannaCry attackers are sending out new ransom demands to victims. According to a tweet post by Symantec, as of 18 May, victims were still receiving new messages from the WannaCry hackers.

A Twitter account cataloguing the activity of the three bitcoin wallets tied to the WannaCry attacks in real time shows that numerous people have paid ransoms and some continue to do so. As of now, over $94,000 has been raked in by the attackers, according to the Twitter bot.

However, so far, none of the money has been transferred out, indicating that the attackers controlling the bitcoin wallets may be playing it safe, in efforts to avoid attracting the attention of the numerous law enforcement agencies now actively hunting them.

WannaCry: What happens if you pay the ransom?

There's still uncertainty surrounding the identity of the WannaCry authors. Although some security experts said the North Korean hacker group Lazarus, also believed to be behind the infamous Sony hack, may be linked to the ransomware, a recent statement by Interpol indicates that attribution is yet to be nailed down conclusively.

Experts are tirelessly working on creating viable decryption tools that may help WannaCry victims get back access to their lost data. Find out more about how you can recover your lost data here.

Source: This article was published International Business Times By India Ashok


Weeks after Netflix was held to ransom by hackers over the unreleased season five of Orange Is The New Black, cyber thieves have struck again, this time targeting film giant Disney. Speaking to ABC employees at a town-hall meeting on 15 May in New York, CEO Bob Iger announced that hackers had infiltrated the company's system, stolen an unreleased film and were holding it ransom.

While Iger did not reveal which film was at risk, Deadline reports it was the Johnny Depp-led Pirates Of The Caribbean: Dead Men Tell No Tales.

The studio has yet to confirm whether it is in fact the fifth installment of the Pirates franchise that is being held. Another possible victim could be Cars 3, which has a release date of 16 June, reports said.

Disney won't pay ransom

Disney staff members were informed that the hackers demanded "an enormous amount of money" via bitcoin, Deadline reports. If the money is not transferred, Disney risks the film being leaked ahead of its 26 May release date. However, the entertainment company is yet to confirm the ransom amount, and it is not clear when the deadline for the ransom payment is.

The hackers have allegedly threatened to publish the first five minutes of the film and continue leaking the whole movie in 20-minute clips if their ransom demands are not met. However, Iger reportedly stated that he would not bend to the blackmailers by paying them off.

"Anything that has a value will always be a potential victim of theft, either digital or physical," Mark James, ESET security specialist told IBTimes UK. "If someone has it and someone wants it then in theory there's a market for it."

"Disney has refused to pay the ransom and rightly so," James added. "Paying the ransom or indeed any ransom is generally frowned upon for many reasons. Funding other criminal activity, rewarding the bad guys or funding future attacks are all good reasons to not pay as chances are it's going to get released anyway."

Will hackers leak the movie?

This movie hack comes on the heels of a large content theft by the prolific hacker group The Dark Overlord (TDO), which included the fifth season of Netflix's Orange Is The New Black, set to be released on 9 June. The perpetrators released the first episode of the season and threatened to leak the rest if they were not paid. TDO also claimed to have content from FOX, IFC, National Geographic and ABC, and warned the networks to expect an email "demanding a modest sum of internet money".

It remains unknown if TDO is also behind the Disney hack. The group had previously threatened to leak further content soon and the modus operandi of the Disney hackers appears to be similar. The Disney hackers could follow TDO's play book and leak the movie or opt to sell it on the dark web.

Thefts like these put the film industry in a difficult position. They could pay to protect their intellectual property, and ensure fans pay to watch it in the cinema instead of for free at home. But doing so could show vulnerability and a willingness to comply, making them an easy target for hackers to strike again.

The FBI denied having advised Hollywood studios to pay ransom demands, according to The Hollywood Reporter. However, security experts disagree. "If your system is wiped and you didn't pay, then there's no way to recover it and you basically shut down your entire business, so the FBI will say it's easier to pay it than it is to try to fight to get it back," Hemanshu Nigam, a former federal prosecutor of online crime in LA and one-time chief security officer for News Corp said. "And if one company pays the ransom, the entire hacking community knows about it."

Disney is not the first Hollywood studio to be hacked. In 2014, Sony was attacked by a cybercriminal group suspected to be linked to North Korea. The hacker group, dubbed Lazarus, has also been associated with the recent global ransomware strikes. However, it is uncertain if the Disney hack has any connection to the WannaCry ransomware attacks.

Source: This article was published on ca.news.yahoo.com by Lara Rebello

Categorized in Internet Privacy

Or is Russia retaliating for President Donald Trump’s Syria strikes through one of its cyber-proxies? 

It’s been a tough few days for America’s state-sponsored hackers. On Monday, CIA hackers were outed by an American security firm who linked their work to recent WikiLeaks dumps. And over the weekend, a shadowy group of hackers calling themselves the Shadow Brokers spilled NSA hacking tools onto the internet.

The Shadow Brokers dump and the report from security firm Symantec shine the spotlight once more on the hacking capabilities of American spy agencies, amid a growing scandal about Russian intelligence agencies’ attempts to influence the American election. It also underscores the spies’ vulnerability to detection when carrying out clandestine work online and the risk of exposure in an era when reams of data can be quickly and easily leaked and publicized.

In a blog post Monday, Symantec said it had linked 40 attacks in 16 countries to material that bears the markings of the CIA hacking tools revealed by WikiLeaks last month in its so-called Vault 7 series. The CIA has not confirmed the authenticity of the leak. Symantec described the work of a group it has dubbed “Longhorn,” which it says has been active since at least 2011 and has targeted foreign governments and firms in the financial, telecommunications, and other industries for espionage.

Symantec says it has observed attacks with technical features that match material published by WikiLeaks in Vault 7. “Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group,” Symantec researchers wrote.

Symantec tracked the group operating on computer systems in the Middle East, Europe, Asia, and Africa. It documented one infection in the United States, which was quickly uninstalled. Operating in the United States is against the CIA’s charter, and Symantec said it believed the infection was unintentional.

Meanwhile, the leak of NSA hacking tools shed light on the kinds of organizations targeted by the intelligence agency. They include telecommunications firms and a large number of foreign universities, including the Chinese Institute of Higher Energy Physics, according to security researchers who have examined the code released on Saturday. These are hardly surprising targets for America’s premier signals intelligence agency.

Some tools released allow the NSA to penetrate deep into the infrastructure of a telecommunications firm and collect call data on large numbers of phone numbers, a computer researcher who works under the name x0rz told Foreign Policy. By gathering such data, the NSA can analyze who talks to whom and for how long on foreign telephone systems.

Most of the released tools are old techniques, which may no longer be a part of NSA’s hacking arsenal. The NSA did not respond to emails seeking comment.

The identities behind the Shadow Brokers remain shrouded in mystery but the hackers seemed motivated to leak the NSA hacking tools by anger over what they perceive as President Donald Trump’s betrayal of his base. The group attacked Trump for last week’s missile strike against Syria in retaliation for the use of chemical weapons, in a statement accompanying the Saturday release of the hacking tools. It also denounced the removal of Trump adviser Steve Bannon from the National Security Council and the failure to repeal Obamacare.

“Dear President Trump, Respectfully, what the fuck are you doing?” the group wrote on the self-publishing website Medium. “TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you.” Publishing NSA hacking tools, the Shadow Brokers explain, constitutes “our form of protest.”

Some analysts have speculated the Shadow Brokers represent the work of a disgruntled NSA insider who has made off with a huge trove of material. Still others believe that it is the project of an American adversary, perhaps Russia. Under the latter theory, the leak of the hacking tools would seem a retaliation by Russia for the strike against Syria, a Russian ally. Publishing hacking tools allows a defender to block and render them ineffective.

The Shadow Brokers first surfaced last August when they published a first set of NSA hacking tools and held a second set in reserve, to be sold at auction. The hacking tools published in August included previously unknown vulnerabilities in widely used networking equipment. Researchers have so far discovered no such information in Saturday’s dump.

Last year’s auction did not generate significant bids, and the Shadow Brokers claimed on Saturday that their dump included the information they had planned to sell. But security researchers examining the dump said they believed the published archive was incomplete.

Source : yahoo.com

Categorized in News & Politics

Internet service providers have warned that using WhatsApp offline can expose subscribers to hacking and malicious viruses.

This was contained in a message by Airtel Nigeria, which advised Nigerians, especially subscribers on its network, to be vigilant in accepting certain messages.

It said on Tuesday in Lagos that there had been messages in circulation which tend to show that a subscriber could make use of WhatsApp without access to the internet.

“Dear customer, our attention has been drawn to messages notifying customers of the use of WhatsApp without internet.

“Kindly ignore and do not click on those links, as it redirects to cloned applications.

“The links may be used to harvest sensitive information from your device. Be cautious,” Airtel said in a text message to its customers.

The News Agency of Nigeria reports that since the beginning of 2017, the message has been circulating, while many may have fallen victim.

The hackers’ message usually reads, “First, you need to update your WhatsApp iOS to the latest WhatsApp version 2.17.1.

“Now, this allows sending the message to any contact in your list without having internet connection.

“This feature was available on Android for more than a year, but iOS users are only getting it now.

“Also, you will be getting an option to send 30 photos or videos at a time if you update your WhatsApp.”

The message has been certified to be a hoax, and should be disregarded. (NAN)

Source : punchng.com

Categorized in Internet Privacy

A mysterious group of hackers claim to be threatening to wipe up to 300 million iPhones and iCloud accounts – unless Apple pays a ransom in Bitcoin by April 7.

The group – who describe themselves as ‘Turkish Crime Family’ – claim to have demanded $75,000 in Bitcoin or Ethereum cryptocurrency, according to Motherboard.

A hacker said, ‘I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing.’

They claim to have credentials which would allow them access to hundreds of millions of users’ accounts, according to the report in Motherboard – and are threatening to wipe a number of them unless they are paid.

Screenshots of supposed discussions with Apple show Apple’s security team requesting that the gang delete a YouTube video where they supposedly access an elderly woman’s iCloud account.

What is less clear is if the threat is real – or if the group even exists. Beyond the evidence shown to Motherboard (screenshotted emails), there’s little proof.

British computer security expert Graham Cluley, writing on Bitdefender’s Hot for Security blog, says, ‘What we don’t know is whether the email exchanges between the hackers and Apple are real or faked, and – indeed – whether the so-called “Turkish Crime Gang” really has access to a large number of Apple users’ credentials.

‘If it’s true that the hackers are attempting to engage with the media in an attempt to increase their chances of a substantial payout then that would be in line with an increasingly common technique deployed by extortionists.’

Author : Rob Waugh

Source : http://metro.co.uk/2017/03/21/hackers-threaten-to-wipe-up-to-300-million-iphones-unless-apple-pays-ransom-6524809/

Categorized in News & Politics

Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains.

Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, who said four groups of attackers defaced over 67,000 pages.

The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war.

Mass defacements started this week

The vulnerability at the core of this series of attacks is a bug discovered by Sucuri researchers, which the WordPress team fixed with the release of WordPress 4.7.2, on January 26.

According to Sucuri, attackers can craft simple HTTP requests that allow them to bypass authentication checks and edit the titles and content of WordPress pages. This vulnerability only affects sites running on WordPress version 4.7.0 and 4.7.1.
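For site operators, an added example (not from the article, Sucuri or Wordfence): a small Python helper that flags the affected WordPress releases named above and scans web-server access-log lines for write-method requests to the WordPress REST API content endpoints (`/wp-json/wp/v2/posts/...`, `/wp-json/wp/v2/pages/...`, and the equivalent `rest_route=` form), reporting clients that repeatedly hit them. The log lines are constructed and the reporting threshold is an assumed tuning value.

```python
import re
from collections import Counter


def parse_version(s):
    """Turn '4.7' / '4.7.1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True for WordPress 4.7.0 and 4.7.1, the releases the article names as
    affected; 4.7.2 carries the fix. '4.7' is treated as 4.7.0."""
    return (4, 7, 0) <= parse_version(version) < (4, 7, 2)


# Combined-log style request line (IP, timestamp, method, path, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
# REST API content endpoints, pretty-permalink form or rest_route= form.
REST_CONTENT_RE = re.compile(
    r'^/wp-json/wp/v2/(?:posts|pages)(?:/|\?|$)'
    r'|[?&]rest_route=/wp/v2/(?:posts|pages)(?:/|&|$)'
)
WRITE_METHODS = ("POST", "PUT", "PATCH")


def rest_write_attempts(log_lines, threshold=3):
    """Count write requests per client to the REST content endpoints and
    return {ip: count} for clients at or above threshold (assumed value)."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] in WRITE_METHODS and REST_CONTENT_RE.search(m["path"]):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log: one client bulk-editing posts via the REST API,
# one ordinary client reading a post and logging in.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2017:10:01:02 +0000] "POST /wp-json/wp/v2/posts/15 HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Feb/2017:10:01:03 +0000] "POST /wp-json/wp/v2/posts/16 HTTP/1.1" 200 498',
    '203.0.113.7 - - [06/Feb/2017:10:01:04 +0000] "POST /index.php?rest_route=/wp/v2/posts/17 HTTP/1.1" 200 501',
    '198.51.100.4 - - [06/Feb/2017:10:05:00 +0000] "GET /wp-json/wp/v2/posts/15 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [06/Feb/2017:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Bursts of write requests from a single client are a useful trigger for review on a 4.7.0 or 4.7.1 site, but the access log cannot show whether a request was authenticated, so confirm against the application's own audit trail before acting.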

Initially, the vulnerability was deemed very high-risk, and the WordPress security team kept it a secret for almost a week, allowing a large number of WordPress site owners to update their CMS without being in peril from impending attacks.

Nonetheless, WordPress and Sucuri experts realized they couldn't keep this a secret, and after a week, both teams revealed to the world that the WordPress 4.7.2 release included a secret fix for the WordPress REST API.

Sucuri's initial fears became reality a few days later, as both Sucuri and WordFence started seeing attacks leveraging the REST API flaw against sites the two were protecting.

Defacement attempts via REST API flaw over time (via Sucuri)

Defacement attempts via REST API flaw over time (via WordFence)

As time passed, the number of attacks against the REST API flaw grew, and it became clear to both companies that attackers had discovered how to exploit the flaw on sites that were left without an update, although nobody expected such a sharp rise in hacked pages in so short a time.

"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," said Mark Maunder, Wordfence Founder and CEO. "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."

Hacking groups engaging in recent WordPress defacements

In reality, the number of attacks is way higher, if we take into account that not all sites are protected by WordFence and Sucuri firewalls.

WordPress REST API flaw at the heart of recent defacement attacks

According to Maunder, the REST API flaw blew new life into the activity of many defacers, a term used to describe hackers that take over websites and rewrite the content of pages.

Based on Google Trends data that took into consideration the signature (name) of each of these hacking crews, we can see sharp increases in popularity and mentions for various groups, right after Sucuri revealed the REST API flaw in a blog post at the start of February.

WordPress REST API attacks reflected in Google Trends (via WordFence)

Most of the defaced sites are easily reachable via a Google query, just by searching the hacking group's name. All defacements are just a simple image or some text, but Sucuri CTO Daniel Cid believes these will change in the future after more capable SEO spamming groups get involved.

Defaced websites indexed by Google

At the time of writing, there's a feeding frenzy in regards to defacing unpatched WordPress sites, with many groups rewriting each other's defacement message.

We've seen a similar behavior involving recent database ransom attacks targeting MongoDB servers, where different groups were rewriting each other's ransom notes.

Over the weekend, Google also warned WordPress website owners registered in the Google Search Console. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners, but some emails reached WordPress 4.7.2 owners, some of which misinterpreted the email and panicked, fearing their site might lose search engine ranking.

Author : Catalin Cimpanu

Source : https://www.bleepingcomputer.com/news/security/attacks-on-wordpress-sites-intensify-as-hackers-deface-over-1-5-million-pages/

Categorized in Internet Privacy