Guccifer, the Hacker Who Launched Clinton Email Flap, Speaks Out After Nearly a Decade Behind Bars

MARCEL LEHEL LAZAR walked out of Federal Correctional Institute Schuylkill, a Pennsylvania prison, in August 2021. The 51-year-old formerly known only as Guccifer had spent over four years incarcerated for an email hacking spree against America’s elite. Though these inbox disclosures arguably changed the course of the nation’s recent history, Lazar himself remains an obscure figure. This month, in a series of phone interviews with The Intercept, Lazar opened up for the first time about his new life and strange legacy.

Lazar is not a household name by unauthorized access standards — no Edward Snowden or Chelsea Manning — but people will be familiar with his work. Throughout 2013, Lazar stole the private correspondence of everyone from a former member of the Joint Chiefs of Staff to “Sex and the City” author Candace Bushnell.

There’s an irony to his present obscurity: Guccifer’s prolific career often seemed motivated by an appetite for global media fame more than any ideology or principle. He acted as an agent of chaos, not a whistleblower, and his exploits provided as much entertainment as anything else. It’s thanks to Guccifer’s infiltration of Dorothy Bush Koch’s AOL account that the world knows that her brother — George W. Bush — is fond of fine bathroom self-portraiture.

“I knew all the time what these guys are talking about,” Lazar told me with a degree of satisfaction. “I used to know more than they knew about each other.”

Ten years after his email rampage, Lazar said that, back then, he’d hoped not for celebrity but to find some hidden explanation for America’s 21st century slump — a skeleton key buried within the emails of the rich and famous, something that might expose those causing our national rot and reverse it. Instead, he might have inadvertently put Donald Trump in the White House.

Keep reading

In a first, cryptographic keys protecting SSH connections stolen in new attack

For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.

Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years. The researchers suspect keys used in IPsec connections could suffer the same fate. SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments. IPsec is a protocol used by virtual private networks that route traffic through an encrypted tunnel.

The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.

While the percentage is infinitesimally small, the finding is nonetheless surprising for several reasons—most notably because most SSH software in use—including OpenSSH—has deployed a countermeasure for decades that checks for signature faults before sending a signature over the Internet. Another reason for the surprise is that until now, researchers believed that signature faults exposed only RSA keys used in the TLS—or Transport Layer Security—protocol encrypting Web and email connections. They believed SSH traffic was immune from such attacks because passive attackers—meaning adversaries simply observing traffic as it goes by—couldn’t see some of the necessary information when the errors happened.

The researchers noted that since the 2018 release of TLS version 1.3, the protocol has encrypted handshake messages occurring while a web or email session is being negotiated. That has acted as an additional countermeasure protecting key compromise in the event of a computational error. Keegan Ryan, a researcher at the University of California San Diego and one of the authors of the research, suggested it may be time for other protocols to include the same additional protection.
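The fault described above, and the verify-before-send countermeasure the article credits OpenSSH with, in a constructed toy RSA-CRT example (an added illustration, not code from the researchers or from any SSH implementation; the tiny key, the simulated bit-flip and the message are all constructed):

```python
from math import gcd

# Constructed toy RSA-CRT key (far too small for real use): the two
# primes are chosen so the arithmetic is readable, not secure.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# Standard CRT private parameters, as real implementations precompute them.
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def sign_crt(m, fault_in_p=False):
    """RSA-CRT signing. fault_in_p=True simulates a computational error
    (e.g. a flipped bit) in the mod-p half of the computation."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P  # simulated fault: wrong mod p, still right mod q
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def verify(m, s):
    """Public-key verification: s^e must equal m modulo n."""
    return pow(s, E, N) == m % N


def sign_checked(m, fault_in_p=False):
    """The countermeasure the article describes: re-verify the freshly made
    signature with the public key and refuse to release a faulty one.
    Returns None instead of the signature when a fault is detected."""
    s = sign_crt(m, fault_in_p)
    return s if verify(m, s) else None


def factor_from_faulty_sig(m, s):
    """Why the check matters: a signature correct mod q but wrong mod p
    satisfies s^e - m == 0 (mod q) and != 0 (mod p), so gcd(s^e - m, n)
    is q (Boneh-DeMillo-Lipton, 1997). Returns the leaked factor, or
    None when the signature is correct and nothing is leaked."""
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None


if __name__ == "__main__":
    m = 123456789  # constructed message representative
    faulty = sign_crt(m, fault_in_p=True)
    print("good signature verifies:", verify(m, sign_crt(m)))
    print("unchecked faulty signature leaks q:", factor_from_faulty_sig(m, faulty) == Q)
    print("checked signer releases faulty signature:", sign_checked(m, fault_in_p=True) is not None)
```

A single observed faulty signature is enough for the gcd step, which is why the check has to happen before the signature ever leaves the host rather than after.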

Keep reading

Almost Entire US State Becomes Victim of Major Data Breach

A significant data breach in Maine has compromised the personal information of at least 1.3 million residents.

This breach, reported by The Hill, occurred earlier this year and involved a cyberattack on the MOVEit file transfer system. This system is widely used by various government agencies at both state and federal levels. The breach resulted in the exposure of names, dates of birth, social security numbers and government IDs of potentially all 1.38 million residents in Maine.

The cyberattack, initiated by a Russian ransomware group, had a global impact, affecting at least 70 million people. The Maine government, in a press release, stated, “Since the onset of the incident, the cybercriminals involved claimed their primary targets were businesses, with a promise to erase data from certain entities, including governments.” However, despite assurances from the cybercriminals that data obtained from governments has been erased, the state is urging individuals to protect their personal information.

Keep reading

Is a Cyber 9/11 Coming?

Talk of a “Cyber 9/11” has been circulating for years. With the next presidential election twelve months away now, some folks are predicting that a major cyber event will happen before then, throwing a monkey wrench into the 2024 election process.

What the heck is Cyber 9/11?

What does Cyber 9/11 mean? Is there a real risk? What should we be preparing for?

There are two aspects to the Cyber 9/11 concept. The first is the disaster itself; 9/11 was a catastrophe that ended the lives of over 3000 people in one day. There are fears that if power grids were hacked or enough damage was done to logistical centers, the ensuing chaos would cause deaths.

Quite memorably, back in 2000, a disgruntled public works employee in Australia hacked into the water treatment system and caused raw sewage to pour into public areas, flooding a Hyatt hotel. One man acting alone caused a disgusting, expensive mess. Of course security experts are concerned with what a team of angry individuals could do.

The second aspect to a potential Cyber 9/11 is the change in the regulatory landscape that occurred after 9/11 in 2001. I remember flying as a teenager in the 90s. So many things changed later. The airport changes were most obvious to regular citizens, but the passage of the Patriot Act in October 2001 was far more consequential. It dramatically changed the way surveillance was conducted.

Under the Fourth Amendment, private citizens are supposed to be protected from warrantless search and seizures. The Patriot Act really weakened that. Law enforcement is now allowed to delay the notice of search warrants. They don’t need nearly as much oversight from judges to conduct phone and internet surveillance.

These Constitution-weakening changes occurred after 9/11 in 2001.

Keep reading

The World’s Largest Biometric Digital ID System, India’s Aadhaar, Just Suffered Its Biggest Ever Data Breach

In one fell swoop, roughly 10% of the global population appears to have had some of their most valuable personal identifiable information (PII) compromised. Yet Aadhaar continues to receive plaudits from Silicon Valley. 

An anonymous hacker claims to have breached the digital ID numbers, as well as other sensitive personal data, of around 815 million Indian citizens.

To put that number in perspective, it is more than 60% of the 1.3 billion Indian people enrolled in the government’s Aadhaar biometric digital identity program, and roughly 10% of the entire global population. Thanks to the breach — the largest single one in the country’s history, according to the Hindustan Times — the personal data of hundreds of millions of Indians are now up for grabs on the dark web, for as little as $80,000.

To register for an Aadhaar card, Indian residents have to provide basic demographic information, including name, date of birth, age, address and gender, as well as biometric information, including ten fingerprints, two eyeball scans and a facial photograph. Much of that data has apparently been compromised.

Media reports suggest that the source of the leak was the Covid-19 test data of the Indian Council of Medical Research (ICMR), which is linked to each individual’s Aadhaar number.

Keep reading

Conservatives are increasingly knives out for the nation’s top cyber agency

An agency set up under Donald Trump to protect elections and key U.S. infrastructure from foreign hackers is now fighting off increasingly intense threats from hard-right Republicans who argue it’s gone too far and are looking for ways to rein it in.

These lawmakers insist work by the Cybersecurity and Infrastructure Security Agency to combat online disinformation during elections singles out conservative voices and infringes upon free speech rights — an allegation the agency vehemently denies and the Biden administration is contesting in court. The accusations started in the wake of the 2020 election and are ramping up ahead of 2024, with lawmakers now calling for crippling cuts at the agency.

“CISA has blatantly violated the First Amendment and colluded with Big Tech to censor the speech of ordinary Americans,” Rand Paul (R-Ky.), the ranking member of the Senate Homeland Security Committee, which oversees CISA, said in a statement to POLITICO.

Keep reading

Chinese Hack of Microsoft Engineer Opened Door to US Government Email Breach

The recently uncovered Chinese hack of hundreds of thousands of emails from top U.S. officials began with the breach of a Microsoft engineer’s account, the company stated on Sept. 6.

The Chinese hacking group, which Microsoft dubbed Storm-0558, penetrated the engineer’s account, giving it access to a cryptographic key that the group later used to break into the U.S. government accounts, Microsoft said in a blog post after a months-long investigation.

The revelation offered details on a Chinese state-sponsored cyberattack that alarmed Washington, which spanned 25 organizations and affected the State and Commerce departments, as well as at least one lawmaker and a Washington think tank.

Among the individuals whose email systems were breached were Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asia Daniel Kritenbrink. Rep. Don Bacon (R-Neb.) said in August that he was also a victim of the hacking campaign.

Microsoft stated that the Chinese hackers had likely exploited the crash of the company’s internal system in April 2021 that leaked the key, which the engineer’s corporate account had access to. The hacker group subsequently forged credentials to compromise Microsoft’s Outlook on the web and Outlook systems. The tech giant stated that it has corrected the technical vulnerabilities.

The hacking attempt surfaced at a sensitive time. The investigation began the same day that Secretary of State Antony Blinken headed to China to engage with senior Chinese officials, the highest-ranking official under the Biden administration to do so. CNN, citing two unnamed U.S. officials, reported in July that the Biden administration believes that the hacking operation had given Beijing clues about U.S. thinking ahead of the U.S. visit.

Keep reading

Hackers Can Silently Grab Your IP Through Skype — Microsoft Is In No Rush to Fix It

Hackers are able to grab a target’s IP address, potentially revealing their general physical location, by simply sending a link over the Skype mobile app. The target does not need to click the link or otherwise interact with the hacker beyond opening the message, according to a security researcher who demonstrated the issue and successfully discovered my IP address by using it.

Yossi, the independent security researcher who uncovered the vulnerability, reported the issue to Microsoft earlier this month, according to Yossi and a cache of emails and bug reports he shared with 404 Media. In those emails Microsoft said the issue does not require immediate servicing, and gave no indication that it plans to fix the security hole. Only after 404 Media contacted Microsoft for comment did the company say it would patch the issue in an upcoming update.

The attack could pose a serious risk to activists, political dissidents, journalists, those targeted by cybercriminals, and many more people. At minimum, an IP address can show what area of a city someone is in. An IP address can be even more revealing in a less densely populated area, because there are fewer people who could be associated with it.

“I think just about anybody could be harmed by this,” Cooper Quintin, a security researcher and senior public interest technologist at activist organization the Electronic Frontier Foundation (EFF), said when I explained the issue to him. Quintin said the major concern was “finding people’s location for physical escalations, and finding people’s IP address for digital escalations.”

To verify that the vulnerability has the impact that Yossi described, I asked him to test it out on me. To start, Yossi sent me a link via Skype text chat to google.com. The link was to the real Google site, and not an imposter.

I then opened Skype on an iPad and viewed the chat message. I didn’t even click the link. But very soon after, Yossi pasted my IP address into the chat. It was correct.

Keep reading

Researchers claim US-registered cloud host facilitated state-backed cyberattacks

A little-known cloud company provided web hosting and internet services to more than two dozen different state-sponsored hacking groups and commercial spyware operators, according to researchers at cybersecurity company Halcyon.

In a report released on Tuesday, Halcyon said it had identified that the U.S.-registered company Cloudzy was “knowingly or unwittingly” acting as a command-and-control provider (C2P) to well-known state-sponsored hacking groups. C2Ps are internet providers that allow hackers to host virtual private servers and other anonymized services used by ransomware affiliates to carry out cyberattacks and extortion.

Halcyon said that the two-dozen groups that rely on Cloudzy include the China-backed espionage group APT10; North Korea-backed hackers Kimsuky; and Kremlin-backed groups Turla, Nobelium and FIN12.

FIN12 was the subject of a joint FBI-CISA advisory in October 2020 after carrying out a spate of ransomware attacks targeting the U.S. healthcare industry. In its report, Halcyon said that Cloudzy — then doing business as Router Hosting — hosted at least 40 command and control servers used by FIN12 during its cyberattacks.

The list of groups facilitated by Cloudzy also includes hacking groups from Iran, Pakistan and Vietnam, along with Tel Aviv-based malware maker Candiru, which sells its phone-snooping spyware to government customers. Candiru was sanctioned by the U.S. government in 2021 for engaging in activities contrary to U.S. national security.

Halcyon says that about half of the total servers hosted by Cloudzy appear to be directly supporting malicious activity.

Although the cloud host is registered in the U.S., Halcyon says it has “high confidence” that the cloud host is a cutout for AbrNOC, a cloud host that operates out of the Iranian capital of Tehran, which could put American customers in conflict with U.S. government sanctions.

Cloudzy, which claims to operate out of New York City, is registered in Wyoming, while a support phone number listed by the company is linked to a different address in Las Vegas. AbrNOC shares the same logo as Cloudzy, albeit in a different color, and also shares the same fictitiously named employees, according to Halcyon researchers. A man named Hannan Nozari is listed as AbrNOC’s CEO and identifies himself as the founder of both web hosting companies in his Twitter bio, as well as a “Noob on the Internet.”

Nozari did not respond to messages sent by TechCrunch via LinkedIn and email, and TechCrunch was unable to reach anyone at Cloudzy via the number listed on the company’s website.

Keep reading

US Marshals Service Suffers ‘Major’ Data Hack, Compromising Sensitive Information

The United States Marshals Service (USMS) suffered a “major” security breach earlier this month when hackers broke into a computer system and accessed sensitive information about employees and investigative targets, officials confirmed on Feb. 27.

In a statement, a spokesman for USMS—which is responsible for apprehending and handling federal prisoners, pursuing fugitives, and operating the Witness Security Program—said the law enforcement agency discovered the hack and theft of data from its network on Feb. 17.

Spokesman Drew Wade told The Hill that the agency found that the “ransomware and data exfiltration event” had impacted a “stand-alone” system.

After discovering the breach, the Marshals Service “disconnected” the system and the Department of Justice began a forensic investigation, according to Wade.

“The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” Wade said.

Keep reading