
Cheating Website hacked hard

Bad guys hacked bad guys. Hmmm, whose side should we take?

Ashleymadison.com got hacked. The site exists to help married people have affairs. The breach puts millions of users at risk of having their credit card details, addresses, real names, photos and chat logs exposed.

This dating site has 37 million users and is owned by Avid Life Media. Their other sites, Established Men and Cougar Life, were also hacked.

The hackers responsible call themselves The Impact Team. They object strongly to Ashleymadison.com and had threatened to release all the hacked data unless the site closed down.

The Impact Team is especially incensed by the site’s Full Delete service, which for $19 supposedly wipes a customer’s profile and everything associated with it. The Impact Team alleges that Ashleymadison.com took the money but did not actually delete the data, retaining clients’ credit card information, names and addresses.

The site denies the claims and is now offering the deletion service for free. It is also trying to have the leaked data taken down wherever it appears online. But once data has been published, copies are out of its control; any takedown comes too late.

Sounds like some spouses are going to get the frying pan for sure.

There is a rumor that The Impact Team might sell all this personal data for a lot of money, but it is only a rumor. Either way, the site’s customers are surely shaking in their boots.

A similar thing happened with another site, Adult Friend Finder. Recently, the sexual preferences and contact details of nearly four million of its users were exposed; the data was reportedly sold on underground forums for about $16,800.

What do these recent hacking incidents teach us? Not to cheat? Well, maybe, but more so that you risk a lot by putting your identity and other sensitive information online. Online services cannot guarantee protection from hackers. Maybe Ashleymadison.com’s customers should have used a virtual credit card number, but that wouldn’t have kept other sensitive information concealed.

Encryption of stored data would have helped only if the keys had been kept out of the attackers’ reach: an intruder who controls the application servers can usually read whatever the application can read, so encrypting a database with a key that sits on the same machine buys little. Passwords are the one field where proper protection is cheap and effective. Stored as a slow, salted hash (bcrypt, scrypt, PBKDF2 or Argon2), they cannot be read directly and every guess costs the attacker real work; stored as a fast, unsalted hash such as MD5 or SHA-1, an entire dump can be cracked against a wordlist in minutes. Many sites still store sensitive fields in clear text, and when they do hash passwords it is often with a fast algorithm that is cheap to crack.
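To make the password point concrete, here is an added example (my own code, not anything from Ashley Madison or from this post’s author) that stores the same two passwords as unsalted MD5 and as salted PBKDF2, then counts how much work a wordlist attack costs against each dump. The iteration count, the record format and the wordlist are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: iteration count picked for the example. In production, tune it so one
# verification costs tens of milliseconds on your own hardware, and prefer
# bcrypt/scrypt/Argon2 when a library for them is available.
ITERATIONS = 100_000

# Constructed attacker wordlist; real cracking uses millions of entries plus rules.
WORDLIST = ["123456", "letmein", "password123", "qwerty"]


def md5_store(password: str) -> str:
    """Weak scheme: fast and unsalted, so equal passwords yield equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow scheme. The record format is our own choice here:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_md5(rows: List[Tuple[str, str]]) -> Tuple[Dict[str, str], int]:
    """Attacker's view of an unsalted dump: hash each word once, then look up every user.
    Returns (cracked users, number of hash operations spent)."""
    table = {md5_store(word): word for word in WORDLIST}
    cracked = {user: table[h] for user, h in rows if h in table}
    return cracked, len(WORDLIST)


def crack_pbkdf2(rows: List[Tuple[str, str]]) -> Tuple[Dict[str, str], int]:
    """Attacker's view of a salted, slow dump: every guess must be recomputed per user
    (the salt prevents sharing work), and each guess costs ITERATIONS hash operations."""
    cracked: Dict[str, str] = {}
    ops = 0
    for user, stored in rows:
        for word in WORDLIST:
            ops += ITERATIONS
            if pbkdf2_verify(word, stored):
                cracked[user] = word
                break
    return cracked, ops


def demo() -> Tuple[int, int]:
    """Constructed leak of two accounts that share 'password123', stored both ways.
    Returns the hash operations an attacker spends cracking each dump."""
    users = [("alice", "password123"), ("bob", "password123")]
    md5_rows = [(u, md5_store(p)) for u, p in users]
    pbkdf2_rows = [(u, pbkdf2_store(p)) for u, p in users]
    _, md5_ops = crack_md5(md5_rows)
    _, pbkdf2_ops = crack_pbkdf2(pbkdf2_rows)
    return md5_ops, pbkdf2_ops


if __name__ == "__main__":
    print("hash operations to crack the same two accounts: md5=%d pbkdf2=%d" % demo())
```

With MD5 the two identical passwords produce identical hashes, so one wordlist pass cracks every user at once; with PBKDF2 the random salt makes each user’s record unique and each guess costs a hundred thousand hash operations, which is the difference between cracking a 37-million-row dump overnight and not at all.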

Some sites, including Ashley Madison, have a privacy flaw known as account enumeration: if someone knows your e-mail address, they can find out whether you’re registered, because the password-reset page answers differently depending on whether the address exists. A reset form that gives the same response for every address (and quietly sends mail only to registered ones) doesn’t leak this; the same check applies to sign-up and login error messages.
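The enumeration flaw in a constructed password-reset handler, beside a hardened one that answers identically for every address. This is an added illustration, not Ashley Madison’s code; the user table, the in-memory outbox and the function names are assumptions made for the example.

```python
import secrets
from typing import Callable, List, Tuple

# Constructed user store and an in-memory outbox so the example runs offline.
# In a real service the store is the user table and the outbox is the mail gateway.
USERS = {"alice@example.com": 1, "bob@example.com": 2}
OUTBOX: List[Tuple[str, str]] = []

Response = Tuple[int, str]


def _issue_reset_token(email: str) -> None:
    """Mint a single-use token and 'mail' it. The token is the only secret and must
    never appear in the HTTP response."""
    OUTBOX.append((email, secrets.token_urlsafe(32)))


def reset_vulnerable(email: str) -> Response:
    """The flaw: status code and message reveal whether the address is registered."""
    if email not in USERS:
        return 404, "No account exists for that e-mail address."
    _issue_reset_token(email)
    return 200, "A reset link has been sent to your e-mail address."


_GENERIC = "If an account exists for that address, a password reset link has been sent."


def reset_hardened(email: str) -> Response:
    """Identical status and body for every address; mail goes out only to real accounts.
    The dummy token generation keeps the two paths roughly equal in cost so response
    time does not become the oracle instead. A production service would also
    rate-limit this endpoint per client address and per target e-mail."""
    if email in USERS:
        _issue_reset_token(email)
    else:
        secrets.token_urlsafe(32)
    return 200, _GENERIC


def probe_membership(reset: Callable[[str], Response], candidates: List[str]) -> List[str]:
    """Attacker's oracle: compare each candidate's response with that of an address
    that is certainly not registered. Anything that differs is a member."""
    baseline = reset("nobody-" + secrets.token_hex(8) + "@example.com")
    return [e for e in candidates if reset(e) != baseline]


if __name__ == "__main__":
    wanted = ["alice@example.com", "carol@example.com"]
    print("vulnerable handler leaks:", probe_membership(reset_vulnerable, wanted))
    print("hardened handler leaks:  ", probe_membership(reset_hardened, wanted))
```

The attacker never needs the reset token; the response difference alone confirms membership, which is why the fix is in the response, not in the token.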

If you don’t want anyone to know you have an account with a site, create an e-mail address used only for that site. But that’s only one small thing you can do. Whatever you hand over may still be stolen and published for the world to see.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Big Bad Hackers taken down

Darkode anyone? Not anymore. This underground criminal hackers’ forum was recently dismantled by the FBI, says a report on www.justice.gov. A dozen people associated with Darkode are facing criminal charges.

Though there are about 800 such forums, Darkode was among the worst (or shall I say “best”?), posing a serious threat to computers worldwide. Gone are Darkode’s markets for buying, selling and trading malware and for exchanging hacking techniques, used to carry out actual crimes, not just to brainstorm for fun.

The dismantling of Darkode was the result of a long infiltration of the forum, combined with the efforts of law enforcement from 20 countries including Australia, Colombia, Canada, Germany, Latvia, Denmark, Finland, Romania, Nigeria, Sweden and the UK. It is the biggest bust of a black hat forum to date.

Here is the list of those charged, from the www.justice.gov article:

  • J. Gudmunds, 27. He allegedly operated a botnet that stole data on some 200 million occasions.
  • M. Culbertson, 20. He’s the alleged author of Dendroid, malware sold on Darkode that was designed to remotely control Google Android devices and steal data from them. Clever name, too: “Dend” refers to branching out (as in neuronal dendrites).
  • E. Crocker, 29. He’s the alleged mastermind behind a Facebook spreader that infected the computers of Facebook users and turned them into bots.
  • N. Ahmed, P. Fleitz and D. Watts, 27, 31 and 28, respectively. They’re accused of running a spam operation that sent millions of e-mail messages designed to bypass cell-phone spam filters.
  • M. Saifuddin, 29. He allegedly tried to transfer stolen credit card numbers to other Darkode members.
  • D. Placek, 27. He allegedly created Darkode and sold malware on it.
  • M. Skorjanc, F. Ruiz and M. Leniqi, 28, 36 and 34, respectively. They’ve been charged with conspiracy to commit wire and bank fraud, racketeering conspiracy and conspiracy to commit computer fraud and extortion.
  • Rory Stephen Guidry. He reportedly sold botnets on Darkode.

The article points out that all of these wrongdoings are accusations at this point, and that these defendants are presumed innocent until proven guilty.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

These are the Bigtime Hackers

Hackers with big skills and big egos are drawn to targets like Facebook and Twitter. But they also target dozens of other companies, reports an article on arstechnica.com.

One group in particular stands out for its use of zero-day exploits. Known as Wild Neutron to some researchers and Morpho to others, says the article, it has been active possibly since 2011, burrowing its way into businesses in healthcare, pharmaceuticals and technology.

It’s been speculated that the hackers want inside information from these companies for financial gain. They’ve been at it for three or four years; we can assume they’ve been successful.

Researchers believe these hackers have begun signing their malware with a valid digital certificate issued to Acer Incorporated, which lets it pass the code-signing checks built into modern operating systems, explains the arstechnica.com report.

Experts have also identified use of some kind of “unknown Flash Player exploit,” meaning the hackers are possibly using a third zero-day.

The report goes on to explain that recently, Reuters reported on a hacking group that allegedly busted into corporate e-mail accounts to get their hands on sensitive information for financial gain.

You’re probably wondering how these big companies could be so vulnerable, or how hackers figure out a username and password. It doesn’t really work that way. A company may use passwords that, according to a password analyzer, would take nine million years to crack.

So hackers rely on the gullibility and security unawareness of employees to get in. They send an employee an e-mail disguised to look like it comes from a company executive or the CEO, which tricks the employee into revealing a username and password, or into clicking a malicious link that installs malware, giving the hacker access to the data stored on the company’s systems. It’s like removing a dozen locks from the steel chamber door to let in the big bad wolf.
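As an added example of the check a mail gateway or a SOC analyst would run on such a message (my own code, not from the arstechnica.com article or the researchers it cites), the script below parses a constructed e-mail and flags the classic spear-phishing tells: a display name that matches an executive but a sending address that doesn’t, a look-alike domain, a Reply-To pointing somewhere else, failed SPF/DKIM/DMARC results, and a request for credentials or money. The company domain, the executive directory and both sample messages are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Assumptions for the example: the protected domain and a directory of executives.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
LURE_PHRASES = ("password", "login", "wire transfer", "gift card")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_company(domain: str) -> bool:
    """Crude look-alike test: common digit/letter swaps, or the company name embedded in
    a foreign domain (examp1e.com, example-com.net). A real gateway uses a proper
    homoglyph library; this shows the idea."""
    d = domain.lower()
    if d == COMPANY_DOMAIN or d.endswith("." + COMPANY_DOMAIN):
        return False
    normalized = d.replace("1", "l").replace("0", "o").replace("rn", "m").replace("vv", "w")
    return normalized == COMPANY_DOMAIN or COMPANY_DOMAIN.split(".")[0] in d


def triage(raw: str) -> List[str]:
    """Return the reasons a message should be quarantined or shown with a warning banner."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # 1. Display-name impersonation: the name is an executive's, the address is not.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display-name impersonation: '{name}' but address is {addr}")

    # 2. Typosquatted / look-alike sender domain.
    if looks_like_company(from_domain):
        findings.append(f"look-alike sender domain: {from_domain}")

    # 3. Replies diverted to a domain the sender does not control.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain differs: {reply_to}")

    # 4. Authentication results stamped by the receiving MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} failed")

    # 5. The ask: credentials or money.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("credential/payment lure: " + ", ".join(hits))
    return findings


# Constructed samples, not real messages.
PHISH = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "Reply-To: ceo.urgent@webmail-relay.co",
    "To: staff@example.com",
    "Subject: Urgent - need your login",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none",
    "Content-Type: text/plain",
    "",
    "Please send me your username and password for the HR portal before noon.",
])

LEGIT = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: staff@example.com",
    "Subject: Quarterly all-hands",
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass",
    "Content-Type: text/plain",
    "",
    "Reminder that the all-hands is Thursday at 10.",
])

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample) or ["clean"])
```

None of these signals is conclusive on its own (executives do use personal addresses, SPF does break on forwarded mail), which is why gateways score them together and why the employee in the story still needs to recognize an unusual request for a password.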

The security firms interviewed estimate that at least 49 companies have been attacked by the hacking ring’s surveillance malware. In at least one instance the cybercriminals got into a company’s physical security information management system.

The arstechnica.com article notes that such a system controls swipe-card access, HVAC, CCTV and other building security, which would allow the hackers to surveil employees, visually following them around the building.

This hacking group is careful. They don’t reuse e-mail addresses; they pay hosting services with bitcoins; they use multi-stage command-and-control networks with encrypted virtual machines to hinder forensic analysis. The only good news is that the group’s well-documented code suggests it’s a small band of hackers, not a giant organization.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Even Hackers get hacked

Burglars get burgled, muggers get mugged, and hackers get hacked. That includes a sophisticated outfit called Hacking Team, based in Italy, which specializes in selling surveillance and intrusion software to governments.

An article on wired.com describes how anonymous hackers who gutted Hacking Team’s network posted a “400 gigabyte trove” online, source code included. Even the company’s Twitter account was hijacked, and the unknown hackers used it to tweet links to the stolen files.

One of the exposed files was apparently a list of HT’s customers, spanning the Middle East, Africa and the U.S.

Hacking Team must really be the Humiliated Team now; it did not respond to WIRED’s request for comment. One of HT’s employees tweeted that the mystery hackers were spreading lies. His Twitter account was then hijacked too.

Sudan was one of the customers, which shows that Hacking Team believed it could sell intrusion software to any government at all: Sudan is under a UN arms embargo.

Can the sale of hacking software be equated with the sale of weapons of mass destruction? More likely yes than no. There is an export-control pact, the Wassenaar Arrangement, which since 2013 has covered “intrusion software” and is meant to control the international sale of such tools.

Criticism of the Wassenaar Arrangement comes from hackers (not only the bad ones) because, as written, its intrusion-software controls also restrict legitimate security research and the sharing of exploits and tools among defenders.

Eric King, from Privacy International, argues that regulation is needed. Wired.com quotes him: “Some form of regulation is needed to prevent these companies from selling to human rights abusers.”

The Hacking Team organization, despite what it insists, should not be considered a “good guy.” For example, Citizen Lab found that customers including the United Arab Emirates and Sudan used Hacking Team’s tools to spy on a political dissident, who was subsequently beaten up.

Eric King says, as quoted in wired.com, that Hacking Team “has continuously thrown mud, obfuscated, tried to confuse the truth.” The hacking of Hacking Team will help reveal the truth behind their “deviousness and duplicity in responding to what are legitimate criticisms,” says King.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Private Investigator faces Jail for Hacking

What a disgrace: A private investigator, Eric Saldarriaga, 41, got nailed for hacking into people’s e-mail accounts. He may get six months in the can. Is six months reasonable for this, though?

A recent online New York Times article quotes a prosecutor who argues that hackers can be deterred by the threat of harsh penalties, because hacking is deliberate and calculated, unlike the impulsive act of someone who pulls out a gun or knife.

So what exactly did Saldarriaga do? He paid an overseas company to obtain the login credentials for e-mail accounts: a hacker-for-hire arrangement. His clients included lawyers and other private investigators. His reputation for getting into e-mail accounts without the owner’s knowledge is how he got some of his cases in the first place.

Breaking into e-mail is a serious crime, not least because it can involve the accounts of big companies and expose their trade secrets and other confidential information.

One of Saldarriaga’s victims was journalist Tony Ortega, who has spent about 20 years writing about Scientology. Ortega believes that this controversial church’s reps hired Saldarriaga to get information about Ortega.

Ortega, and possibly most of the other victims, are adamant about learning just who hired Saldarriaga to do his dirty work. One of the other victims is a professional gambler who secretly donates to charity. The Times article quotes the gambler: “For this one guy, to be sentenced today for a crime he did for other people would be a miscarriage of justice.”

Why aren’t the people who hired Saldarriaga also facing justice?

Saldarriaga’s lawyer, Peter Brill, argued for a three-year probationary sentence, saying his client was remorseful and that the crime earned him only about $5,000.

Saldarriaga himself even pleaded with the judge overseeing the case that he deserves leniency because one of his jobs, he claims, may have spared a woman from harm.

But that doesn’t change the fact that Saldarriaga intruded on people’s privacy without their knowledge. And got paid for it.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Why Hacking is a National Emergency

Foreign hackers, look out: Uncle Sam is out to get you. President Obama has issued an executive order (Executive Order 13694, April 2015) that allows the State and Treasury Departments to freeze the financial assets of anyone outside the country suspected of committing, or otherwise being involved in, cyber attacks against the U.S.

This order, two years in the making, covers malicious hacking of essentially any kind, and it declares such activity a national emergency. Imagine entire power grids being hacked. Yes, a national emergency.

Another reason hacking is a national crisis is that the guilty parties are so difficult to track down. Hackers are skilled at making an innocent party look guilty, and a major hack can be carried out by just a few people with limited resources.

The order has drawn some criticism, including that it is an over-reaction to the Sony data breach. But it seems the government can never be too vigilant about going after hackers.

Proponents point out that the order gives our government greater flexibility in going after the key countries where major hacks come from, like Russia and China. That flexibility matters because the U.S. has crucial financial relationships with these countries that need to be preserved.

For instance, there would be little adverse impact on the U.S. if our government froze the bank accounts of a few hackers working for the Chinese government, versus sanctioning the entire Chinese government.

In short, the activities of small hacking groups or individual hackers within a foreign government can be dealt with without penalizing the entire government, rather like punishing the one kid who threw a spitball instead of the whole fourth-grade class.

Hacking has now been put on the same footing as terrorism: the order relies on the same emergency economic-sanctions authority (the International Emergency Economic Powers Act) that underpins counter-terrorism sanctions. So foreign hackers, you’ve been warned; the U.S. will not hesitate to come after you personally, precisely because the order lets it spare your government as a whole.

You can do your part to protect the homeland simply by protecting your own devices with antivirus, antispyware, antiphishing tools and a firewall. Keep your devices’ operating systems updated and use a VPN on public Wi-Fi.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

The White Hat Hacker

These days it is hard to pick up a newspaper or go online without seeing a story about a recent data breach. No example highlights the severity of these hacks better than the Sony breach late last year.

While a lot of information, including creative materials, financials and even full feature-length movies, was released, some of the most hurtful pieces were the personal e-mails of Sony executives. That information was truly personal.

You have a right to privacy, but it’s not going to happen in cyberspace. Want total privacy? Stay offline. Of course, that’s not realistic today. So the next recourse is to be careful with your information, and that includes everything from downloading free things and clicking “I agree” without reading what you’re approving, to being aware of who else is viewing your information.

This brings me to the story of a white hat hacker, a good guy, who posed as a part-time or temporary employee at eight businesses in the U.S. Note that the businesses were aware of and approved the study. His experiment was to get at sensitive data by blatantly snooping around computers and desks, grabbing piles of documents labeled confidential, and taking smartphone photos of sensitive information on computer screens.

The results were that “visual hacking” can occur in less than 15 minutes; it usually goes unnoticed; and if an employee does intervene, it’s not before the hacker has already obtained some information. The 3M Visual Hacking Experiment conducted by the Ponemon Institute shed light on the reality of visual hacking:

  • Visual hacking is real: In nearly nine out of ten attempts (88 percent), the white hat hacker was able to visually hack sensitive company information, such as employee access and login credentials, that could put a company at risk of a much larger data breach. On average, five pieces of information were visually hacked per trial.
  • Devices are vulnerable: The majority (53 percent) of the information was visually hacked directly off computer screens.
  • Visual hacking generally goes unnoticed: In 70 percent of cases, employees did not stop the white hat hacker, even when a phone was being used to photograph data displayed on screen.

From login credentials to company directories to confidential financial figures, the data that can be visually hacked is vast, and what a hacker can do with it is limited only by imagination.

One way to prevent people from handing over the proverbial “keys to the kingdom” through an unwanted visual hack is to get equipped with the right tools, including privacy filters. 3M offers its ePrivacy Filter software, which when paired up with the traditional 3M Privacy Filter, allows you to protect your visual privacy from nearly every angle.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

Hacking 2015 and Beyond

2015 brings us no closer to putting the lid on hackers than any other year has. Criminal hacking will be as big as ever in the new year. Here’s what we have to look forward to:

Bank Card Breaches

There will always be bank card thieves, because stealing data from magnetic stripe cards is relatively easy and there are several ways to do it. One is tampering with card readers (a skimmer), then retrieving the stolen data later when nobody’s around.

The U.S. is moving toward replacing the magnetic stripe with chip-and-PIN (EMV) technology, but that will take time and money. Another issue is poor implementation, which makes a hacker’s job easier. And even a well-implemented chip card only protects against counterfeit cards at the point of sale; it does nothing against online, card-not-present fraud with a stolen number. It will be a while before properly implemented chip-and-PIN rules the U.S.; expect many more bank card breaches.

Nation-State Attacks

Governments hacking governments was big in 2014 and is expected to keep rising. This type of attack involves undermining encryption and gaining entry to systems via “back doors,” much as a burglar gets into a house by removing a screen at the back. One of the tools used is the RAT (remote access Trojan), a form of malware that gives the attacker remote control of an infected machine, and it’s predicted that this tool will be used even more (among others) to invade government and private company networks.

Data Destruction

It’s incomprehensible to the average Joe or Jane how someone (usually a team, actually) could wipe out data on the other side of the world, but it has happened, to computers in South Korea, Iran and Saudi Arabia.

And this was on a large scale: banks, media companies and oil companies. Even if all the data is backed up, there’s still the monumental job of rebuilding systems, and it’s no picnic making sure the saved data doesn’t carry malware that can reinfect a rebuilt system.

Extortion

Special malware (ransomware) can lock a user out of their data, or a corporation out of its systems, until money is paid to the hacker. Extortion was part of the Sony attack (data was stolen and then deleted), though the motives aren’t crystal clear. Cyber extortion requires a skilled attack, and don’t be surprised if it happens to more big companies.

Critical Infrastructure

This type of hack hasn’t yet happened on a big scale in the U.S., but experts believe it’s only a matter of time. Cyber criminals will carry out a critical infrastructure attack, infecting networks and gaining control of them, designed to shut down electricity, disrupt communications and poison water, among other things.

Third-Party Breaches

A third-party breach means hacking into entity “A” to get to “B.” Target is the textbook example: the hackers stole network credentials from the HVAC contractor Target worked with and used them to get into Target’s network. Bigger third-party breaches have occurred, and experts have no reason to believe they’ve stopped, even though tighter security has been implemented (and broken through by hackers, not surprisingly).

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Goodguy Hacker Selling Bad Guy hacks

Makes you wonder what these guys would have accomplished had they been born during the Renaissance. Case in point: Kevin Mitnick, whose genius as a cyber criminal was so impressive (he hacked into IBM, Motorola, Sun Microsystems and other big-name outfits) that after serving prison time he was hired as a good guy to help security teams harden their systems.

But Mitnick is now on to another venture: Absolute Zero Day Exploit Exchange. Mitnick wants to sell zero-day exploits, the kind used for targeted surveillance, for at least a hundred grand each. In a wired.com article for which Mitnick was interviewed, he states: “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.” He has not revealed how much he’s sold or to whom.

But Mitnick says the buyers aren’t necessarily governments. A buyer might, for example, be a penetration tester. He says he doesn’t want to help government agencies spy. Why would he want to assist the very people who locked him up?

It’s anyone’s guess who’d be willing to shell out $100,000 for one of these tools (working attacks on bugs for which no patch yet exists). After all, giants like Facebook pay bug bounties of only tens of thousands of dollars for reports of such bugs.

Mitnick isn’t the first entrepreneur to sell secret hacking techniques; it’s been going on for years. One of the doubts about this venture is just who the buyers might be. Mitnick says he’ll carefully screen them.

Though what Mitnick is doing is legal, it attracts attention because of his past. He was once the most wanted cyber criminal in the world, having made a career of hacking from his teens to his early 30s before finally being captured in 1995.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. For Robert’s free e-book, text SECURE Your@emailaddress to 411247. Disclosures.

What to do in the Aftermath of an Attack

Could you handle cleaning up the mess a hacker leaves after infiltrating your computer? Would you even know the first thing to do? And yes, YOUR computer CAN be hacked.

After the attack, try to work out how the intruder got in: a phishing e-mail, a malicious attachment, a booby-trapped download or a browser exploit. That is easier said than done, but give it a shot.

Next, disconnect the computer from the network (pull the cable, turn off Wi-Fi) so the intruder can’t spread to other systems or keep pulling data out. Then look at Task Manager (Windows) or Activity Monitor (Mac) for unfamiliar processes, and check CPU usage: a process that pins the CPU while you’re doing nothing is a good lead. It helps to know how your computer normally behaves so you can tell typical from atypical.

Then run Microsoft’s Malicious Software Removal Tool, available here: http://www.microsoft.com/security/pc-security/malware-removal.aspx

After severing ties with the hacker or hackers, take inventory of their destruction.

  • Make sure your anti-malware and antivirus software are up to date and enabled, then run a full system scan with both.
  • If something looks odd, get rid of it. A malicious browser extension or plugin can keep re-downloading malware, so inspect every extension and every downloaded item.
  • Change every password, making each one unique and long. Do this from a different, clean device: a compromised machine may still be logging your keystrokes.
  • Log out of all your accounts after changing the passwords, so any sessions the intruder hijacked are invalidated.
  • Clear the cookies, cache and history in your browser.
  • Stay alert for strange goings-on, and do not open suspicious e-mails, let alone click links inside them.
  • If things are still acting strangely, wipe the hard drive and reinstall the operating system. Back up your documents first (not programs), and scan the backup before restoring it.
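The Task Manager step above is easier with a few rules applied to a process listing. The script below is an added example (my own code, not from this post) that runs such rules over a constructed Windows process snapshot: a system binary name running from a user-writable folder, an Office document spawning a shell, hidden or encoded PowerShell, and a process pinning the CPU. The snapshot, paths and thresholds are made up for the example; in practice you would build the same records from `tasklist /v` or PowerShell’s `Get-CimInstance Win32_Process`.

```python
from typing import Dict, List

# Constructed snapshot in the shape you would build from `tasklist /v` or
# `Get-CimInstance Win32_Process` on Windows. Every path and PID here is made up.
SNAPSHOT = [
    {"pid": 4, "ppid": 0, "name": "System", "exe": "", "cpu": 1.0, "cmdline": ""},
    {"pid": 812, "ppid": 4, "name": "svchost.exe",
     "exe": "C:\\Windows\\System32\\svchost.exe", "cpu": 0.5, "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 2210, "ppid": 1300, "name": "chrome.exe",
     "exe": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "cpu": 12.0, "cmdline": "chrome.exe"},
    {"pid": 2990, "ppid": 1300, "name": "winword.exe",
     "exe": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cpu": 2.0,
     "cmdline": "winword.exe invoice.docm"},
    {"pid": 3150, "ppid": 2990, "name": "powershell.exe",
     "exe": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cpu": 3.0,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA..."},
    {"pid": 3004, "ppid": 3150, "name": "svchost.exe",
     "exe": "C:\\Users\\Pat\\AppData\\Local\\Temp\\svchost.exe", "cpu": 91.0, "cmdline": "svchost.exe"},
]

# Assumed rule tables. Real deployments maintain far longer lists and per-host baselines.
SYSTEM_ROOT = "c:\\windows\\"
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\temp\\", "\\public\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
PS_SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop")
CPU_THRESHOLD = 80.0


def triage(snapshot: List[dict]) -> Dict[int, List[str]]:
    """Map each suspicious PID to the reasons it tripped. Clean processes are omitted."""
    by_pid = {p["pid"]: p for p in snapshot}
    findings: Dict[int, List[str]] = {}
    for p in snapshot:
        reasons: List[str] = []
        name = p["name"].lower()
        exe = p["exe"].lower()
        cmd = p["cmdline"].lower()

        # A well-known system binary name running from anywhere but the Windows tree.
        if name in SYSTEM_NAMES and exe and not exe.startswith(SYSTEM_ROOT):
            reasons.append(f"system binary name outside Windows directory: {p['exe']}")

        # Executables living where any user (or any malware) can write.
        if any(d in exe for d in USER_WRITABLE):
            reasons.append(f"executable in user-writable location: {p['exe']}")

        # Parent/child anomaly: a document viewer should not launch a scripting host.
        parent = by_pid.get(p["ppid"])
        if parent and parent["name"].lower() in OFFICE_APPS and name in SHELLS:
            reasons.append(f"{parent['name']} (pid {parent['pid']}) spawned {p['name']}")

        # Hidden-window or base64-encoded PowerShell is the classic dropper stage.
        if name == "powershell.exe" and any(flag in cmd for flag in PS_SUSPICIOUS_FLAGS):
            reasons.append("powershell launched with hidden/encoded flags")

        # The CPU symptom from the text: something is working hard while you are not.
        if p["cpu"] >= CPU_THRESHOLD:
            reasons.append(f"sustained high CPU: {p['cpu']}%")

        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SNAPSHOT).items():
        print(pid, *reasons, sep="\n    ")
```

Rules like these are leads, not verdicts: a legitimate updater can run from AppData, and a video encode can pin the CPU, which is why the step says to know what your own machine normally looks like. On a Mac the same heuristics apply to `ps aux` output with `/tmp`, `~/Downloads` and `osascript` in place of the Windows names.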

Preventing an Attack

  • Have a properly configured firewall.
  • As mentioned, never click links inside e-mails, even if they seem to come from people you know. In fact, delete without opening any e-mails with melodramatic subject lines like “You Won!”
  • Have both anti-malware and antivirus systems, and keep them up to date.
  • Use long, unique passwords.
  • Never let your computer out of sight in public.
  • If, however, your device is stolen, it should have a remote wipe feature.
  • Give your data routine backups.
  • Be very cautious about what you click on, since a link promising a spectacular video can actually be a trap that downloads malware onto your computer.
  • Use Hotspot Shield when you’re on public Wi-Fi to encrypt your communications.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. For Robert’s free e-book, text SECURE Your@emailaddress to 411247. Disclosures.