May 24, 2013

Chinese hackers said to have accessed law enforcement targets

Cyber marauders sought more than just information on activists — they wanted access to FBI, DOJ investigations on spies in the U.S.

Computer World
by John P. Mello Jr
May 21, 2013


 

CSO -

In January 2010, Google shocked the cyber world by confessing it had been the target of an advanced persistent threat lasting months and mounted by hackers connected to China’s People’s Liberation Army.

“[We] have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” Google Senior Vice President and Chief Legal Officer David Drummond wrote in a blog post at the time.

Now, more than three years after that posting on what came to be known as Operation Aurora, it appears that the cyber marauders were after more than just information on activists. They were also after information on investigations of Chinese spies in the United States being conducted by the FBI and U.S. Department of Justice.

The Aurora hackers gained access on Google’s servers to a database that contained information on U.S. surveillance targets, the Washington Post reported on Monday, citing former and current government officials as sources for the story.

Such information would be invaluable to China because it would allow its intelligence operatives to destroy information before counterintelligence agents got their hands on it and allow the spies to evade capture and prosecution.

The database included years of surveillance information, including thousands of court orders issued to law enforcement officials around the nation seeking to monitor suspects’ email, as well as classified orders targeting foreign subjects and issued under the Foreign Intelligence Surveillance Act.

The incident set off a tiff between Google, the DOJ and FBI, the Post reported, because the federal agencies wanted to access the company’s technical logs and other information about the breach to assess the potential damage done to its counterespionage efforts.


Google representative Jay Nancarrow said in an email that the company is not commenting on the matter at this time.

Google wasn’t a lone target in Operation Aurora. More than 20 companies were attacked, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical.

Last month, a Microsoft executive said that the Aurora bandits had also breached his company’s servers snooping for accounts it had lawful wiretap orders on. Since that time, the executive has recanted those remarks.

“I was referring to statements in the media from the January 2010 timeframe,” Dave Aucsmith, senior director for Microsoft’s Institute for Advanced Technology, said in a statement.

“My comments were not meant to cite any specific Microsoft analysis or findings about motive or attacks, but I recognize that my language was imprecise,” he added.

Matt Thomlinson, Microsoft’s general manager for trustworthy computing and security, added in an email, “The so-called ‘Aurora’ attacks did not breach the MS network.”

The Chinese government has denied being behind Aurora. It has noted that cyber attacks and espionage are against Chinese law and has said that it has done all it can to combat such online activities.

While an attack on the database is feasible, because of the breadth of Aurora it’s unlikely it was a specific target, reasoned Jeffrey Carr, CEO of Taia Global and author of “Inside Cyber Warfare: Mapping the Cyber Underworld.”

“Google was only one of 20-plus companies attacked at the same time by the same group,” he said in an interview. “So I would be surprised if the database was the objective of the attack. It was likely a crime of opportunity.”

It’s also an object lesson for organizations dealing with cloud storage that’s operated by a third party, added Alan Brill, senior managing director for Kroll Advisory Solutions.

“There’s more trust being given to cloud services than some of them deserve,” he said in an interview. “It has become so easy [to store data somewhere else] that you might store something somewhere without thinking whether or not you really ought to do that.”

Direct Link:  http://www.computerworld.com/s/article/9239440/Chinese_hackers_said_to_have_accessed_law_enforcement_targets?taxonomyId=82

Nov 25, 2012

Hackers claim attacks against ImageShack, Symantec, other websites

Anonymous goes on a hacking spree on Guy Fawkes Day

 

Computerworld / Techworld
by Lucian Constantin
November 5, 2012

 

Different hacker groups claim to have breached servers belonging to ImageShack, Symantec, and other organizations.

 

Update, November 7:

This story initially reported that HTP (Hack The Planet) had targeted PayPal. PayPal has since issued a statement that it has not suffered a security breach, and the Cyberwarnews.info story that reported the payment processing company had been the victim of a zero-day exploit has been updated to state that ZPanel had been targeted by hackers, not PayPal.

On Sunday, a hacker group called HTP claimed to have compromised Web servers, MySQL databases, routers and management servers used by the ImageShack and yfrog image hosting services.

“ImageShack has been completely owned, from the ground up,” the hackers wrote in a Pastebin post. “We have had root and physical control of every server and router they own. For years.”

The post included source code, configuration files, database information, internal network IP (Internet Protocol) assignments and many other details allegedly taken from the hacked ImageShack servers.

ImageShack was targeted in order to test how well the company has strengthened the security of its systems after suffering a security breach in 2009, the hackers said.

ImageShack did not immediately return a request for comment.

In the same post, HTP claims to have hacked servers belonging to Symantec. The leaked data includes information the hackers claim to have copied from a Symantec database, including the names, email addresses and hashed passwords of hundreds of users. Many of the email addresses are on the @symantec.com domain.

“Saved by your WAF [web application firewall]? You wish,” the hackers said. “All the other major AV corps are owned too, yours just pissed us off the most. Oh, and if you think we’re listing everything here, take the blue pill.”

“Symantec is aware of the claims being made online,” Katherine James, Symantec’s head of enterprise and corporate public relations for EMEA, said Monday via email. “We take each and every claim very seriously and have a process in place for investigating each incident. Our first priority is to make sure that any customer information remains protected. We are investigating these claims and have no further information to provide at this time.”

On Sunday, hackers associated with the Anonymous hacktivist collective compromised and defaced various websites including several NBC websites, a Lady Gaga fan site called Gaga Daily and several Australian websites.

The Anonymous hacks were in preparation for or part of the group’s scheduled protests on Nov. 5, which is also known as Guy Fawkes Day, primarily in the U.K. One of the group’s symbols is the Guy Fawkes mask that appears in the comic book series and movie “V for Vendetta.”

Fawkes was a conspirator in a failed plot to blow up the British Parliament in 1605 to kill King James I. He was executed for his role in the conspiracy and ever since it has been tradition to burn effigies of him on Nov. 5.

More attacks are expected from Anonymous members as the day unfolds, as well as a scheduled march during the evening at the Houses of Parliament in London.

Direct Link:  http://www.techworld.com.au/article/441022/hackers_claim_attacks_against_imageshack_symantec_other_websites/

Aug 29, 2012

Researchers: Java Zero-Day Leveraged Two Flaws

KREBS on SECURITY
Wednesday, August 29, 2012




New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.

 

 

Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.

“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”

 

ONE BILLION USERS AT RISK?

How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7? (All versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions.)

To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.

 

EXPLOIT WORKS AGAINST OS X, LINUX

Not long after news broke that miscreants were exploiting an unpatched security hole in Java to break into PCs, I began seeing tweets from non-Windows users urging people to switch to Mac OS X or Linux. Unfortunately, this latest Java exploit has been shown to work flawlessly to compromise browsers on all three operating systems.

According to Rapid7, the Java exploit found being used in targeted attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a free software tool built to test the security of networks. Rapid7 said the exploit has been successfully tested to work against nearly all browser configurations on Windows systems, and against Safari on OS X 10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04.

 

WHO BURNS THROUGH TWO ZERO-DAYS IN ONE SHOT?

On Monday, I interviewed the author of the BlackHole exploit kit, an extremely popular software package sold in the underground that is designed to be stitched into hacked sites and use browser exploits to drop malware on visiting PCs. The BlackHole author said he intended to (and did, it appears) fold the exploit into his kit, but said he was surprised that someone would just leak such a reliable exploit, which he said would fetch at least $100,000 if sold privately in the criminal underground.

 

This stats page, shared by researchers at Seculert, comes from a working BlackHole exploit panel. The success rate of this kit — 21 percent — is roughly double the normal rate thanks to the inclusion of this Java zero-day.

 

But lost in all of the coverage of this vulnerability is the growing body of evidence suggesting this Java exploit was first wielded in targeted espionage attacks of the sort used to extract corporate and government secrets. So who burns through two zero-day flaws to execute a targeted attack? In all likelihood, an individual or group motivated by a non-materialistic ideology, or at least a certainty that what will be gained is worth far more than the vulnerability itself.

Experts at Silicon Valley-based AlienVault published an analysis that highlighted some interesting text strings in the exploit (“xiaomaolv” and “conglaiyebuqi”) which suggest the initial attacks were paired with Chinese crimeware known as the Gondad Exploit Kit.

Other curious markers in the exploit code indicate that the targeted attacks were carried out using Internet servers that have been connected with other targeted espionage attacks traced back to Chinese threat actor groups. Among the control servers used in this latest attack was “domain.rm6.org,” an Internet address that played a central role in the Nitro attacks of 2011, which according to Symantec and other security firms was a series of Chinese-based espionage attacks directed against at least 48 chemical and defense companies.

Unfortunately, the miscreants involved in these targeted attacks have been finding success using the same resources and tools well into 2010 and earlier. That’s according to a presentation given in 2010 by exploit and malware researchers Val Smith and Anthony Lai, called “Balancing the Pwn Deficit” (PDF).

The paper details the history and methods of Chinese hacking groups, and notes that the two strings found in the most recent Java exploit are a favorite invocation for script variables that are re-used in various attack tools of Chinese origin. The terms “xiaomaolv” and “conglaiyebuqi” and several others used, they found, come from lyrics from songs by the artist known as Jay Zhou.

“The fact that there are embedded song lyrics, potentially tells us several things,” they wrote. “One, it helps to confirm that this attack was created in the geographic region assumed. It is unusual for attackers from one country and language, to take lyrics from a popular song in another country and language and embed them in their attacks.”

 

PATCH AVAILABLE?

As I noted earlier this week, Oracle has moved Java to a patch cycle of every four months, and its next security update is not scheduled until October. On Tuesday, I contacted Oracle to find out if they intended to address this problem separately before then, but I have not yet received a response. Nor could I find any mention of this problem on any of the various Java blogs that Oracle inherited when it took control of Java from Sun a few years ago. In fact, most of those Java blogs seem to have gone missing.

In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.

Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java?” link. Mac users can use the Software Update feature to check for any available Java updates.

If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.


If you want to test whether you’ve successfully disabled Java, check out Rapid7’s page, isjavaexploitable.com.

 

Direct Link:  http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/

Feb 10, 2012

Symantec expects Anonymous to publish more stolen source code

Confirms that BitTorrent file is pcAnywhere’s source code after sting operation fails

 

 

COMPUTER WORLD
By Gregg Keizer
February 7, 2012

 

Computerworld –

Symantec today confirmed that the pcAnywhere source code published on the Web Monday by hackers who tried to extort $50,000 from the company was legitimate.

A company spokesman also said that Symantec expects that the rest of the source code stolen from its network in 2006 will also be made public.

Symantec’s acknowledgement followed the appearance late Monday of a 1.3GB file on various file-sharing websites, including Pirate Bay, that claimed to be the source code of the pcAnywhere remote-access software.

Download activity for the BitTorrent file has been moderately brisk: As of mid-morning Tuesday, Pirate Bay identified 376 “seeders,” the term for a computer that has a complete copy of the file — and about 200 “leechers,” or computers that have downloaded only part of the complete torrent.

The Anonymous hacking group claimed responsibility for posting the pcAnywhere source code.

“We can confirm that the source code is legitimate,” said Cris Paden, a spokesman for Symantec, in an email reply to questions. “It is part of the original cache of code for 2006 versions of the products that Anonymous has claimed to have been in possession during the last few weeks.”

Also on Monday, an individual or group going by the name “Yama Tough” had published a series of emails on Pastebin that detailed an attempt to extort $50,000 from Symantec.

Previously, Yama Tough had claimed responsibility for stealing the source code to pcAnywhere and other Symantec security software. At one point, Yama Tough had threatened to publish the source code, but then recanted.

The Pastebin-posted emails covered negotiations between Yama Tough and someone identified as “Sam Thomas,” supposedly a Symantec employee, over payment for not disclosing the source code. In fact, Thomas was a pseudonym used by U.S. authorities, whom Symantec had alerted to the threat.

“In January, an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession,” said Paden. “Symantec conducted an internal investigation into this incident and also contacted law enforcement, given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation.”

Paden declined to identify the law enforcement agency, but the Federal Bureau of Investigation (FBI) has jurisdiction in extortion attempts that affect foreign or interstate commerce.

The negotiations went on for nearly a month — the emails began on Jan. 18 — but broke down when Yama Tough rejected Thomas’ conditions, which included an offer of payments of $2,500 each month for the first three months, with the balance to be paid on proof that the copy of the stolen source code had been destroyed.

Yama Tough tried to spin a different story on Twitter.

“They’ve been tricked trolled into offering a bribe so the false statement be [sic] made we never had the code and lied =),” Yama Tough said yesterday in a tweet.

Symantec’s Paden also said today that it expects Anonymous to shortly publish source code belonging to other products.

“So far, they have posted code for the 2006 version of Norton Utilities and pcAnywhere,” said Paden. “We also anticipate that at some point, they will post the code for Norton Antivirus [NAV] Corporate Edition and Norton Internet Security [NIS]. NAV Corporate Edition is no longer for sale or supported, and NIS has been completely rebuilt.”

Yama Tough promised that the source code for NAV Corporate Edition would hit the Web today. “NAV release coming in seven hours,” Yama Tough said on Twitter about six hours ago.

Two weeks ago, Symantec took the unprecedented step of telling users of pcAnywhere to disable or uninstall the software until it could finish patching vulnerabilities it had uncovered. Symantec wrapped up that patching last week, and gave the all-clear to customers.

Symantec has also offered free upgrades to pcAnywhere 12.5 for users of editions prior to version 12.0.

 

Direct Link:  http://www.computerworld.com/s/article/9224039/Symantec_expects_Anonymous_to_publish_more_stolen_source_code

Jan 9, 2012

Symantec Confirms ‘Segment’ of Source Code Was Stolen

The New York Times
By NICOLE PERLROTH
January 6, 2012

[Image: Employees at the Symantec Security Operation Center in Alexandria, Va., where security experts analyze global threat activity. Credit: Symantec]

Hackers have stolen some of the programming code for two of Symantec’s antivirus products for businesses.

A Symantec spokesman, Cris Paden, confirmed the hack in an e-mail on Friday but said the products involved, Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, were four and five years old respectively. Symantec no longer sells the latter product, but does continue to service it. Mr. Paden said the hack does not affect the company’s flagship Norton brand consumer products.

“We have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions,” Mr. Paden wrote in an e-mail. “Symantec is working to develop remediation process to ensure long-term protection for our customers’ information.”

Source code can be exploited by competitors, or used by hackers to corrupt antivirus products or write malicious code that circumvents those products altogether. But the age of the products involved could limit the damage.

“If this code is four or five years old, it is likely it has evolved quite a bit,” says Robert Rachwald, director of security strategy at Imperva, an Internet security company. “That said, if there are any core functions that have not evolved, then hackers could take a look at Symantec’s source code and find ways to manipulate it.”

A hacker group calling itself the Lords of Dharmaraja claims to have discovered Symantec’s source code in a hack it conducted on India’s military and intelligence servers. In a post on Wednesday on the bulletin board Pastebin, the hackers wrote, “We have discovered within the Indian Spy Program source codes of a dozen software companies,” which they said had signed agreements with an Indian defense program and its Central Bureau of Investigation.

The original post, which is no longer on Pastebin but is still available through a Google cache, contained a document bearing a 1999 date that described how Symantec software was intended to work but did not contain any code. The hackers later posted a second file on Pastebin, which is no longer available, that Symantec confirmed contained a “segment” of the source code for the enterprise products.

“This does not happen very often,” Mr. Rachwald of Imperva said. “Source code is a company’s crown jewels. Most companies put lots of locks and chains around it.”

 

Direct Link:  http://bits.blogs.nytimes.com/2012/01/06/symantec-confirms-segment-of-source-code-stolen/?nl=todaysheadlines&emc=tha26