Author Archives: Graham Cluley

Suspected Syrian Electronic Army hackers indicted for conspiracy and identity theft

Two men have been indicted for their alleged involvement in hacking campaigns that targeted critics of Bashar al-Assad’s regime in Syria.

The men – Ahmad Umar Agha (also known by his online handle of “The Pro”) and Firas Dardar (“The Shadow”) – have been named in charges by a Virginia federal grand jury on counts of conspiracy and aggravated identity theft.

Agha and Dardar are both Syrian nationals, and their alleged attacks were perpetrated under the banner of the notorious “Syrian Electronic Army”.

In one of the most notorious hacks conducted by the Syrian Electronic Army, the group broke into the Associated Press’s Twitter account in 2013 and posted a message claiming that there had been an explosion in the White House, and President Barack Obama had been injured.

That bogus news alert caused the stock market to temporarily plummet, wiping $136 billion off the Dow Jones.

Other high profile victims of the Syrian Electronic Army include Forbes, Microsoft, Facebook, CNN, The Guardian, The Telegraph, and the Washington Post, amongst many others.

Although many of the Syrian Electronic Army’s social media hacks appeared to be attention-seeking pranks rather than dangerous data breaches, that’s not to say that all of their activities were entirely benign.

For instance, the Syrian Electronic Army did not shy away from hacking into the computer systems of international companies to steal information and, in some cases, extort large sums of money.

In a typical Syrian Electronic Army attack, a user at an organisation would be targeted with a carefully-crafted phishing email, with the intention of stealing login credentials.

If the theft of a user’s credentials was successful, the hackers would then use the username and password to log in to the organisation’s systems, whereupon they could compromise social media accounts, deface websites, meddle with DNS records, or launch further phishing attacks.

Ahmad Umar Agha and Firas Dardar are no strangers to being persons of interest to the FBI, having previously been charged in 2014 and put on the FBI’s Cyber Most Wanted list in 2016, when a $100,000 bounty was offered for information leading to their arrest.

But don’t imagine that the two suspected hackers will be defending themselves in a US court anytime soon. Neither is thought to be in custody, and both are believed to be residing in Syria.

For now, at least, they seem to be beyond the reach of the US authorities.

If you are responsible for security at your company, ensure that staff who have remote access to email or your website’s CMS are using two-factor authentication to reduce the chances of them being a victim of the type of attack typically perpetrated by the Syrian Electronic Army.

HOTforSecurity: The Dark Overlord: Suspected hacking group member arrested in Serbia

Are The Dark Overlord’s days numbered?

Serbian police have arrested a man suspected of being a member of the notorious and high profile hacking and extortion group.

The Dark Overlord has made quite a name for itself in recent years by not just stealing sensitive information from compromised computer networks, but also demanding a ransom be paid.

What happens if you choose not to pay the ransom? Well, The Dark Overlord threatens to release the stolen data to the media, or simply publish it openly on the internet. And that’s the kind of attention that few organisations want.

Past victims of The Dark Overlord “hack-then-extort” group include Hollywood studios, investment banks, Gorilla Glue, a celebrity plastic surgery clinic, and healthcare organisations.

The hacking group is thought to have made hundreds of thousands of dollars through its extortion attempts.

The 38-year-old man, who the authorities have not named other than by his initials (“S.S”), was arrested by police in Belgrade as part of a joint operation with the FBI.

Of course, with the information made available so far it’s very difficult to say if this is the end of the line for The Dark Overlord’s operations. We simply do not know how many people are involved in the hacking gang, or what position the arrested man is thought to have had within the group.

As a consequence it’s quite possible that we may continue to see other hacks (and extortion attempts) carried out under the banner of “The Dark Overlord”, whether by the same group or by copycats trying to take advantage of the gang’s notoriety.

Sure enough, Joseph Cox at Motherboard reports that since the arrest of “S.S” he has been contacted by someone who has access to The Dark Overlord’s email account with a simple, stark message:

“We’re still here”

But one thing is certain: other members of The Dark Overlord hacking collective must be having some sleepless nights right now, wondering if they might be the next to get a surprise visit from the authorities.

For now, my advice to businesses remains the same. Educate your staff about phishing scams, put strong authentication in place, patch against vulnerabilities and adopt a layered approach to security to reduce the risk that your company will be hacked, and the privacy of your customers put at risk.



Rail Europe data breach lasted almost three months

Travel website Rail Europe has informed customers that their lifelong dream to see the sights of Europe by train may have turned into a nightmare.

Rail Europe North America Inc (RENA) is writing to customers to inform them that it has discovered evidence that hackers gained unauthorised access to its ecommerce website used to book tickets, and might have stolen a significant amount of sensitive data.

According to the company, personal information put at risk by the data breach includes:

  • Customers’ names
  • Customers’ gender
  • Customers’ delivery address
  • Customers’ invoicing address
  • Customers’ telephone number
  • Customers’ email address
  • Customers’ credit/debit card number
  • Payment card expiration date and CVV

In addition, in some cases, usernames and passwords of registered users may also have been grabbed. As a consequence it obviously makes sense to change your Rail Europe password, and, if you have made the mistake of using the same password anywhere else on the internet, to change those as well.

Now that would be bad news at the best of times, but what makes this data breach even worse is that it is believed that hackers had access to RENA’s systems for almost three months.

RENA first realised that it might have a problem with its Rail Europe website when it was contacted by one of its banks on February 16, 2018. The company says it “immediately cut off from the internet all compromised servers” upon realising that customers’ personal information may have been compromised, and discovered that its problems had begun on November 29, 2017.

RENA says it has since “replaced and rebuilt” the Rail Europe website, changed passwords, renewed certificates, and hardened its IT security.

In addition, in a letter filed with the California Attorney General, the company says it is offering identity theft protection to affected customers, in case any of them suffer identity theft as a result of the breach.

Although the number of customers affected by the data breach has not been made public by the company, the breadth of personal data which has been put at risk and the fact that hackers appear to have had access to Rail Europe’s payment systems for such a long time underline the seriousness of the threat.

What currently remains a mystery, to the general public at least, is just how the hackers managed to breach Rail Europe’s infrastructure. One very real possibility is that the failure may have been down to poor authentication – if a hacker had been able to grab a careless IT worker’s password for a server, they might have ended up with free rein to do whatever they liked.

All businesses need to recognise the most critical parts of their infrastructure and protect them with a layered defence, requiring users to prove they are who they claim to be. In this modern age, a simple username and password is not enough.

Another theory is that Rail Europe’s website may have been poorly maintained, allowing a remote hacker to crowbar their way in by exploiting an unpatched vulnerability or incorrect configuration.

My advice to other companies? Test your defences. Adopt a hacking mindset and try to find your company’s weaknesses before a hacker finds and exploits them for their own gain.

Smashing Security #078: Hounds hunt hackers, too-human Google AI, and ethnic recognition tech – WTF?


Dogs are trained to sniff out hackers’ hard drives, facial recognition takes an ugly turn, and do you trust Google to book your hair appointment?

All this and more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by investigative journalist Geoff White.

12 Common Threat Intelligence Use Cases


Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

Recorded Future provides the only complete threat intelligence solution powered by patented machine learning to help security teams defend against cyberattacks.

Are you using threat intelligence to its full potential?

The term “threat intelligence” is often misunderstood, and with so many security options out there, organizations struggle to find the right solution to meet their needs. The Gartner “Market Guide for Security Threat Intelligence Products and Services” explains the different use cases and how to best leverage threat intelligence in your organization.

You will learn how to:

  • Identify 12 common threat intelligence use cases.
  • Align these use cases to your specific requirements.
  • Implement strategies for getting value from threat intelligence.
  • Evaluate vendors based on your business needs.

Download this report to get clarity on threat intelligence definitions and learn how to make the right decisions for your organization today.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Text bombs and “Black Dots of Death” plague WhatsApp and iMessage users

If you believed all the headlines you would think the problem is more serious than it really is.

“Beware the ‘Black Dot of Death’ that will obliterate your iPhone with one text message”, reads The Metro newspaper. “Warnings about WhatsApp ‘text bomb’ that could destroy your phone”, says the Liverpool Echo. And “This WhatsApp ‘text bomb’ is destroying recipient’s phones”, claims the Birmingham Mail.

Yes, it is true that so-called “text bomb” vulnerabilities are capable of crashing normal operations on your Android or iPhone, but to claim that your phone is “destroyed”? Well, that’s crazy.

The problem first emerged six days ago, when a Reddit user claimed that a specially-crafted text message could crash a number of messaging apps including WhatsApp.

At first sight the message looks fairly harmless – a sentence followed by a laugh-until-you-cry emoji, surrounded by quotation marks. But hidden between the emoji and the closing quotation mark are thousands of characters that are never displayed.

Unfortunately, apps like WhatsApp fail to handle the hidden character shenanigans gracefully, get their knickers in a twist, and fall over – causing the app to crash, and in some cases other instabilities on the device.

The payload, the text bomb’s creator said, was more dramatic in its impact on Android devices than iOS.

Now, that’s not the kind of news that Apple devotees want to take lying down. So it was only a matter of a day or two before a similar “text bomb” was reported specifically causing crashes on Apple devices.

The so-called “Black Dot of Death” is a message you might receive which contains an emoji of a medium-sized black circle, perhaps accompanied by an emoji of a pointed finger urging you to click on the ominous black hole.

The “Black dot” itself appears to be harmless, but once again hidden inside the message are many invisible Unicode characters that simply overload the phone, ultimately causing your iMessage app to crash in unpredictable ways.
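As an added example (not code from the original post or from any of the apps mentioned), here is the kind of defensive check a messaging app or gateway could run on inbound text: it counts code points that render as nothing, flags a message in which they dwarf the visible ones, and trims abnormally long runs of them while leaving legitimate combining marks and emoji ZWJ sequences intact. The sample messages and thresholds are constructed for the example; they are not the real payloads described above.

```python
import unicodedata
from typing import Tuple

# Unicode general categories that render as nothing (or only modify the
# preceding glyph) and can therefore be stacked in huge numbers without
# changing what the recipient sees on screen.
HIDDEN_CATEGORIES = {
    "Cf",  # format: zero-width space/joiner/non-joiner, bidi marks, ...
    "Mn",  # non-spacing combining marks, including variation selectors
    "Me",  # enclosing marks
    "Cc",  # control characters
    "Cn",  # unassigned code points
}
# Whitespace controls that belong to ordinary text and hide nothing.
ORDINARY_CONTROLS = set("\t\n\r")


def is_hidden(ch: str) -> bool:
    """True for a single code point that produces no visible glyph of its own."""
    return ch not in ORDINARY_CONTROLS and unicodedata.category(ch) in HIDDEN_CATEGORIES


def count_hidden(text: str) -> Tuple[int, int]:
    """Return (visible, hidden) code point counts for a message."""
    hidden = sum(1 for ch in text if is_hidden(ch))
    return len(text) - hidden, hidden


def is_text_bomb_like(text: str, max_hidden: int = 1000,
                      max_ratio: float = 4.0, min_hidden: int = 50) -> bool:
    """Flag a message whose invisible code points dwarf what is displayed.

    The thresholds are assumptions for this example, not values from any
    vendor: more than max_hidden invisible code points, or at least
    min_hidden of them outnumbering the visible ones max_ratio to one, is
    treated as suspicious. Scripts that rely on combining marks and emoji
    ZWJ sequences stay far below both limits.
    """
    visible, hidden = count_hidden(text)
    if hidden > max_hidden:
        return True
    return hidden >= min_hidden and hidden > max_ratio * max(visible, 1)


def collapse_hidden_runs(text: str, max_run: int = 8) -> str:
    """Keep at most max_run consecutive invisible code points.

    Short runs (a ZWJ between emoji, a few combining marks, a variation
    selector) survive intact; a run of thousands is cut down to max_run so
    the message still arrives but no longer overloads the renderer.
    """
    out, run = [], 0
    for ch in text:
        if is_hidden(ch):
            run += 1
            if run > max_run:
                continue
        else:
            run = 0
        out.append(ch)
    return "".join(out)


# Constructed sample messages; these are not the payloads from the reports above.
ORDINARY = "See you at 8 \U0001F602"                    # text plus one emoji
FAMILY = "\U0001F468\u200D\U0001F469\u200D\U0001F467"   # legitimate emoji ZWJ sequence
SUSPECT = '"Hi \U0001F602' + "\u200B" * 3000 + '"'     # 3000 zero-width spaces before the quote

if __name__ == "__main__":
    for label, msg in (("ordinary", ORDINARY), ("family", FAMILY), ("suspect", SUSPECT)):
        visible, hidden = count_hidden(msg)
        print(f"{label}: visible={visible} hidden={hidden} flagged={is_text_bomb_like(msg)}")
    print("after collapse:", len(collapse_hidden_runs(SUSPECT)), "code points")
```

The check is a server- or gateway-side mitigation only; the renderer itself still needs to cope with arbitrary input, which is the fix only the platform vendor can ship.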

The bug reportedly affects the current version of iOS (11.3), as well as the iOS 11.4 beta.

CNET offers advice on how affected iOS users can recover their systems, while they wait for a proper patch from Apple. In short, your phone is not destroyed.

In February, Apple fixed a similar ‘killer text bomb’ vulnerability after pranksters started sending boobytrapped messages containing a Unicode symbol representing a letter from the South Indian language of Telugu.

The fact that a similar ‘text bomb’, known as the “chaiOS bug”, was messing up users’ Macs, iPhones, and iPads in January suggests that this continues to be an ongoing problem for Apple.

I’m confident that Apple will roll out a patch for the “black dot of death” bug soon enough, but I find it hard to have any confidence that this will be the last time they find their devices vulnerable to this type of denial-of-service attack.

And I would like to think this should go without saying, but just in case – please don’t be tempted to try any of these text bomb attacks out on anyone else, even as a prank. It’s simply not funny.

Zero-day flaw exploited in targeted attacks is fixed by Microsoft

This month's Patch Tuesday bundle of updates from Microsoft included a fix for a critical vulnerability that has been actively exploited by at least one hacking gang in targeted attacks.

The post Zero-day flaw exploited in targeted attacks is fixed by Microsoft appeared first on The State of Security.

Data breach disclosure is still taking too long, report reveals as GDPR looms


The accepted wisdom in the field of cybersecurity is that things are getting worse, and that more businesses are losing control of more data than ever before.

What a bunch of pessimists we are… The truth, however, might be rather different.

Read more in my article on the Bitdefender Business Insights blog.

Smashing Security #077: Why Paris Hilton doesn’t use iCloud, lottery hacking, and Facebook dating


The tricky-to-pronounce Paytsar Bkhchadzhyan is jailed for hacking Paris Hilton, we hear the story of the man who hacked the lottery and almost got away with $16.5 million, and Facebook thinks it is the perfect partner to find you a date.

Find out in this special splinter episode of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Dave Bittner from The Cyberwire podcast.

Drupe app removed from Google Play store after photos and messages leaked publicly

Repeat after me.

If you’re still arguing about which is the better smartphone operating system for security – iOS or Android – you’re having the wrong debate.

The big data security issue with smartphones is not so much with what operating system you are running (although obviously it’s imperative to keep that up-to-date with patches) but instead with the third-party apps that you choose to install.

That threat is brought home loud and clear by the discovery that a popular Android app called Drupe, downloaded over 10 million times, has been leaving users’ selfie snapshots, audio messages, and other sensitive data exposed for anybody to see.

The Drupe communications app was supposed to make it more intuitive for Android users to contact each other with easy options to quickly call, SMS, email your buddies or start a Google Hangouts or Skype conversation.

However, as Motherboard reports, Drupe’s developers made a colossal blunder.

Because some of the data that Drupe was collecting from its users was being uploaded to unprotected Amazon AWS buckets, making the information accessible to anybody on the internet… no password required.

Security researcher Simone Margaritelli discovered the problem this weekend, and estimated that billions of pictures and audio messages from Drupe were lying around online for anyone to access if they knew where to look.

Fortunately, Margaritelli acted responsibly, and after being informed of the problem Drupe configured the Amazon AWS buckets so they were no longer publicly accessible.
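As an added example (not Drupe’s code, nor anything from the original post), this is an offline audit of the two S3 settings that make a bucket readable by “anybody on the internet… no password required”: a bucket policy whose Principal is everyone, and an ACL grant to the AllUsers or AuthenticatedUsers groups. The policy and ACL documents are constructed in the shape the S3 GetBucketPolicy and GetBucketAcl APIs return; the bucket name, account id and owner id are placeholders.

```python
import json

# S3 ACL group grantees that mean "anyone on the internet" or "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_anonymous(principal) -> bool:
    """True when a statement's Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: dict) -> list:
    """List Allow statements open to everyone as (sid, has_condition) pairs.

    A statement with a Condition block might still be narrowed (for example to
    a source IP range), so it is reported with has_condition=True for review
    rather than silently accepted.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry one statement object
        statements = [statements]
    hits = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and principal_is_anonymous(stmt.get("Principal")):
            hits.append((stmt.get("Sid", f"statement[{index}]"), "Condition" in stmt))
    return hits


def public_acl_grants(acl: dict) -> list:
    """List (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def bucket_is_public(policy: dict, acl: dict) -> bool:
    """Overall verdict: any anonymous Allow statement or any public ACL grant."""
    return bool(public_policy_statements(policy) or public_acl_grants(acl))


# Constructed documents in the shape the S3 GetBucketPolicy and GetBucketAcl
# APIs return; the bucket name, account id and owner id are placeholders.
LEAKY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Sid": "WorldRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-uploads/*"}]}""")
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-uploader"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-app-uploads/*"}]}""")
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                           "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, policy, acl in (("leaky", LEAKY_POLICY, LEAKY_ACL),
                              ("hardened", HARDENED_POLICY, PRIVATE_ACL)):
        print(name, "public" if bucket_is_public(policy, acl) else "private",
              public_policy_statements(policy), public_acl_grants(acl))
```

An audit like this catches what a developer configured by hand; the stronger control is to deny public ACLs and policies account-wide with S3 Block Public Access so the misconfiguration cannot be created in the first place.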

In a blog post Drupe played down the threat, claiming that only a small proportion of Drupe users – including those who had used the “Walkie Talkie” feature – had had their data exposed.

Separately, the company disputed Margaritelli’s claim that billions of records might have been put at risk.

Whether there were billions of records exposed or not is missing the point in my opinion. What happened was clearly reckless behaviour on the part of app developers who simply had not prioritised the security and privacy of user data.

It’s not as though there haven’t been endless headlines of Amazon storage buckets leaking very sensitive information through sheer sloppiness on the part of companies.

And concerns rise further when you see the wide and unnecessary range of access permissions that Drupe requests when Android users install its app.

At the time of writing Drupe is not available in the Google Play store. Google is reportedly in contact with Drupe to discuss “the app’s handling of user data.”

The app is also available from the Apple iOS store, although it is unclear whether it suffers from the same or similar security concerns.

Always remember that when you give an app access to your data, you are putting your trust in the hands of third party developers. Do they have your best interest at heart? Do they even know how to keep your data secure and private?

It’s hard to write a good smartphone app. It’s even harder to create an app that properly looks after users’ data and leaves them secure.

Smashing Security #076: Spying phones, hacked ski lifts, and World Password Day


Cheap Android smartphones sold on Amazon have been sending customers’ full text messages to a Chinese server, ski lifts are found to be the latest devices left open to abuse by hackers, and we remind you why password managers are a good idea on World Password Day. Oh, and our guest serenades us with a hit from the 1980s!

All this and more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by broadcaster and journalist David McClelland.