Cyber Security



DigitalChaos
05-12-2017, 02:09 PM
Cyber Security. Information Security. Whatever you want to call it, it is in just about everything now. Sometimes we need to discuss the more technical aspects of these things. Leaked data from major companies, hacked emails from political candidates, hospitals and public transit being shut down from attacks, nuclear processing facilities being sabotaged, whistleblowers leaking NSA data, NSA losing their hacking tools, the Internet of Things fucking everything up... it's only going to get worse!





...Original discussion from a politics thread starts below....

DigitalChaos
05-12-2017, 02:09 PM
So, there is a mega ransomware worm spreading over every country right now, extremely quickly. Hospitals are being shut down by it and many other big orgs. It looks like it is spreading using one of the leaked NSA tools from a month ago. Microsoft did supply a patch, but lots of people are behind on patches.

But I was thinking... Trump fired the White House infosec chief a few months back and I don't believe that seat was ever replaced. Sure would be a shame if a whole lot of evidence surrounding this Russia investigation were suddenly destroyed with something like this... (I have no reason to even slightly suspect this... it's just one of those "people would sure lose their shit if" type thoughts.)

Louie_Cypher
05-12-2017, 04:09 PM
So, there is a mega ransomware worm spreading over every country right now, extremely quickly. Hospitals are being shut down by it and many other big orgs. It looks like it is spreading using one of the leaked NSA tools from a month ago. Microsoft did supply a patch, but lots of people are behind on patches.

But I was thinking... Trump fired the White House infosec chief a few months back and I don't believe that seat was ever replaced. Sure would be a shame if a whole lot of evidence surrounding this Russia investigation were suddenly destroyed with something like this... (I have no reason to even slightly suspect this... it's just one of those "people would sure lose their shit if" type thoughts.)

Calling bullshit unless you have a link to a CVE or reliable source. I just got done with a job for a major national medical group that starts with an "A"; there was no ransomware worm or anything else. The only findings were some anonymous ports left open, that is all.
-Louie

DigitalChaos
05-12-2017, 04:10 PM
Open Twitter and search for WannaCry. Also, check the news about the NHS. There are others. Even the Russian Ministry was hit.

https://motherboard.vice.com/en_us/article/a-massive-ransomware-explosion-is-hitting-targets-all-over-the-world

https://www.theregister.co.uk/2017/05/12/nhs_hospital_shut_down_due_to_cyber_attack/?mt=1494623587590


It's using a few vectors, and the NSA EternalBlue exploit (SMB and RDP) is the worming vector.

ziltoid
05-12-2017, 04:25 PM
So, there is a mega ransomware worm spreading over every country right now, extremely quickly. Hospitals are being shut down by it and many other big orgs. It looks like it is spreading using one of the leaked NSA tools from a month ago. Microsoft did supply a patch, but lots of people are behind on patches.

That's not how it works. It seems like wherever you read that from is a sensationalism piece that has no factual basis.
I implore you to check out this video:

https://www.youtube.com/watch?v=z8_Tc_DnJy0

Now I highly doubt it, but it is possible that they haven't updated and gotten those patches. But even if they didn't, that environment for Windows 10 LTSB (Long Term Servicing Branch) is usually self-contained and doesn't get access to the internet.
It's usually used for an intranet that is a database with only callback functions and archiving.
Read here for more information on W10LTSB: https://www.howtogeek.com/273824/windows-10-without-the-cruft-windows-10-ltsb-explained/

DigitalChaos
05-12-2017, 04:31 PM
That's not how it works. It seems like wherever you read that from is a sensationalism piece that has no factual basis.
I implore you to check out this video:

https://www.youtube.com/watch?v=z8_Tc_DnJy0

Now I highly doubt it but it is possible that they haven't updated and gotten those patches, but even if they didn't; that environment for Windows 10 LTSB (Long Term Servicing Branch) is usually self contained and doesn't get access to internet.
It's usually used for an intranet that is a database with only callback functions and archiving.
Read here for more information on W10LTSB: https://www.howtogeek.com/273824/windows-10-without-the-cruft-windows-10-ltsb-explained/

It was an abbreviation as my point was to convey a hypothetical insanity that connects to Trump.

But as to your tech focused commentary: "It's fine if not public facing" is exactly what is allowing a huge portion of WannaCry to spread. Your firewall means shit when a single person in your network infects themselves with an email dropper (which has been seen) and then the ransomware worms via the SMB & RDP exploit. I doubt any of the infected machines are Win10.


Also, even the public facing scans showed huge numbers of unpatched machines. Hundreds of thousands. So, naturally, there are many more behind a firewall that can be attacked with something like an email dropper vector.


Edit: that dude fucked up within the first minute of his video

ziltoid
05-12-2017, 05:27 PM
It was an abbreviation as my point was to convey a hypothetical insanity that connects to Trump.

But as to your tech focused commentary: "It's fine if not public facing" is exactly what is allowing a huge portion of WannaCry to spread. Your firewall means shit when a single person in your network infects themselves with an email dropper (which has been seen) and then the ransomware worms via the SMB & RDP exploit. I doubt any of the infected machines are Win10.

Also, even the public facing scans showed huge numbers of unpatched machines. Hundreds of thousands. So, naturally, there are many more behind a firewall that can be attacked with something like an email dropper vector.


Edit: that dude fucked up within the first minute of his video

It's an old video that was made when the news broke out about the Shadow Broker NSA thing, if you are talking about how old it is.

It took me a while to understand what it is you were saying because I was skeptical about what you posted and I assumed it was just a rehash of the old Shadow Broker news, my bad.
Yeah it's stupid of them to not update all their platforms to the latest version for exactly this reason, whatever their reason is for not updating I bet they feel really stupid especially since it is easily avoidable.
This is purely speculation on my part until we learn more about the behaviors of the worm. Now, if they have any knowledgeable I.T. person with networking skills in their employment, they can roll back all servers that are infected. Depending on how bad the infection is and how modern the equipment is, it can be somewhat easily fixed (for servers with backups), but they will most likely lose any of the new data that was input. Again, only for servers, not for desktop environments, which would be another, different process (the most extreme way would be to do a fresh install). Also, it is possible to set global settings to block all traffic in a network and slowly check which systems are infected; this would be a very tedious way to see how far a network and its nodes are infected, but it is doable. Also, I predict that those infected servers and computers are being turned into zombies for a possible DDoS attack sometime in the near future.


calling bullshit unless you have a link to a CVE or reliable source in just got done with a job for a major national medical group that starts with an"A" there was no ransome-ware worm or anything else only findings were some anonymous ports left open that is all
-Louie
Took me a bit to track down some reliable sources but here you go:
https://www.theregister.co.uk/2017/05/12/nhs_hospital_shut_down_due_to_cyber_attack/
https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/

Also, this subreddit thread shows which updates your PC should have to make sure you can't get infected:
https://www.reddit.com/r/netsec/comments/6atfkl/wanacrypt0r_ransomware_hits_it_big_just_before/

DigitalChaos
05-12-2017, 05:31 PM
If you want the most complete breakdown on the tech, go here: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

More is still being worked out of course.

DigitalChaos
05-12-2017, 05:37 PM
And yeah, the vast majority of "critical infrastructure" doesn't get properly maintained. Shit like this will continue to happen. All the typical recovery mechanisms for ransomware tend to be asking too much of an organization who can't keep their shit patched as a start.

Louie_Cypher
05-12-2017, 05:41 PM
Remind me to never question anyone on an internet message board. No sooner did I hit reply than my phone started ringing. Now it's going to be a long evening and a long weekend. My apologies for calling BS.
-louie

DigitalChaos
05-12-2017, 05:46 PM
Haha. Well, that's what I get for skipping over the technical aspect with the intent of not going too off topic. If you happen to find a screenshot of one of the infection emails please send my way. It's the last piece of the puzzle for me.


But yeah, imagine if this Ransomware worm were to decimate all the Trump/Russia evidence. It would just top off the insanity of this week.

ziltoid
05-12-2017, 05:51 PM
And yeah, the vast majority of "critical infrastructure" doesn't get properly maintained. Shit like this will continue to happen. All the typical recovery mechanisms for ransomware tend to be asking too much of an organization who can't keep their shit patched as a start.

Funny how all this reminds me of this: http://www.csoonline.com/article/3132360/mobile-security/researcher-unveils-second-samsung-pay-vulnerability.html
and this: https://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/


And this is why I take issue with Artificial Intelligence, organizations, companies, and the Internet of All Things: if they can't maintain their security and they don't take the necessary steps with redundancies, then anyone can have their information stolen and sold. But that is a discussion for another time, perhaps in a thread about Cyber Security.

Edit: Make a new thread and have a moderator move the pertinent posts in there.
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV

DigitalChaos
05-12-2017, 05:56 PM
Totally down with an "info sec headlines" thread. Maybe "The Cybers"?? I dunno. We can figure it out later.


I'll clone these last few posts over there when I get home if someone doesn't beat me.

I've been shitting up this thread with almost all of it. Luckily, most of the big stories have been tied to politics! (Legitimately though... not like my weak ass attempt today)

allegro
05-12-2017, 10:58 PM
Totally down with an "info sec headlines" thread. Maybe "The Cybers"?? I dunno. We can figure it out later.


I'll clone these last few posts over there when I get home if someone doesn't beat me.

I've been shitting up this thread with almost all of it. Luckily, most of the big stories have been tied to politics! (Legitimately though... not like my weak ass attempt today)

Are we talking about this from General Headlines?

http://www.echoingthesound.org/community/threads/255-Random-General-Headlines?p=349546#post349546

Jesus this is crazy shit:
https://mobile.twitter.com/i/moments/863117044161536000?m=1

DigitalChaos
05-12-2017, 11:22 PM
alright, we officially have a thread dedicated to info sec! I'll manage to fuck this one up too... :o

DigitalChaos
05-13-2017, 12:07 AM
Are we talking about this from General Headlines?

http://www.echoingthesound.org/community/threads/255-Random-General-Headlines?p=349546#post349546

Jesus this is crazy shit:
https://mobile.twitter.com/i/moments/863117044161536000?m=1

Yeah, it is related to the first link there. Someone basically used the leaked NSA weapon to spread ransomware that spread to ~100 different countries in a few hours. It's what took down NHS and lots of other entities.

Now that we are in the infosec thread, I'll give a quick rundown of how we got here and what's next.


- A hacking group called ShadowBrokers managed to get their hands on these NSA tools. They released a small amount as a sample and then claimed to be trying to sell the rest to the highest bidder. Nobody ended up paying and many doubt ShadowBrokers really wanted to sell them.

- Mid-March, Microsoft released a patch for 6 serious Windows vulnerabilities. Nobody noticed much at the time. Looking back, everyone assumes the NSA worked with Microsoft to get these patches out, as they were for exploits in the NSA tools that would leak a month later.

- Mid-April, ShadowBrokers releases the rest of the NSA tools. In the tool set were exploits for the 6 serious Windows vulnerabilities. These were nasty vulnerabilities that required no user interaction. You just point the tool at the IP address and instantly get complete access to the machine, and it's permanent. ETERNALBLUE is the exploit name and DOUBLEPULSAR is the backdoor that gets installed. A lot of people are now saying "fucking apply those Microsoft patches from March ASAP!!" and others say "Yes, patch, but chill with the hyperbole... this exploit only works on machines that are not behind a firewall." Using this tool on its own, yes, you can only infect machines that have been exposed directly to the internet, or machines that you happen to share a local network with. But that's a pretty narrow view of a tool's potential... which we will see a month later.

- Scans are repeatedly done of every public-facing machine. Roughly 1 million machines, last I saw a week ago, were either vulnerable (aka still unpatched) or actively infected via this vulnerability. The vulnerabilities that ETERNALBLUE goes after live inside the network file sharing and/or remote desktop connections. It's pretty stupid to put that stuff directly on the internet like that, but we are surrounded by horribly insecure setups like this.

- Today, the ransomware worm called WannaCry hits the internet. Each machine that gets hit demands $300-600 in bitcoin to unlock. Phishing emails were sent out with a dropper (code is executed when you click the link) that launched a ransomware infection. Then, the ETERNALBLUE exploit code was used to infect other vulnerable machines on the local network and public internet. So much for "unpatched machines are safe behind a firewall"!! All it took was one person inside the network to get infected and then they attack the rest of the internal network. This infection very well may have also gone after the many public facing machines too.

- WannaCry spread amazingly fast. A dozen countries in just a couple of hours. I think we broke 100 countries by the time the infection was blocked (seemingly). It could have spread much farther, but someone found a way to kill it or at least heavily neuter it. The code behind WannaCry was actually really crappy according to many. Even the ransomware was amateur as fuck, requiring manual redemption for the payment & unlock. As such, they had an accidental kill switch built into the infection code. Basically, if a specific URL suddenly became live, then any new infection would fail to execute. Someone noticed this and brought a website up at this URL. The subsequent infections around the world slowed to a crawl after that.

- The attack was halted after a few hours. Europe and Asia were hit during the day. The USA lucked out and woke up to it being mostly finished. This is important because it requires user intervention to kick off on a network. This could have been MUCH worse. And it still could be if they release an improved version.


So here we are. 2 months after the MS Windows patch was issued and 1 month after the critical "holy shit it's bad, fucking patch" and we have all these environments who failed to do so and are suffering. Sadly, this is common to see. It's also very common to see in a lot of the environments we consider "critical infrastructure" like hospitals, public utilities, etc. We also still have a ton of these machines unpatched because it's not like, after 2 months of not patching, they are going to suddenly fix their shit in a few hours on a Friday. This exact ransomware worm code could be re-enabled with a single modification. And shit, this is just for ONE type of vulnerability. There are new types of vulnerabilities all the time. Hospitals were getting saturated in ransomware all the time, we just haven't seen any of it spread as a worm before.

It's also worth considering the overall public benefit vs damage from the NSA on this. It's very likely that people are going to die as a result of the NHS closures. And do we really trust that these people are going to keep things like "crypto backdoors" secure? lol...

DigitalChaos
05-13-2017, 12:20 AM
Jesus Christ, what a fucking wall of text. I promise it's worth it though. It's a better summary than you'll find in any news article thus far AND you'll understand how precarious our critical infrastructure is. This will continue to get worse.

Happy to answer any questions on this whole cluster fuck.

here is a picture to make up for the text. It's my favorite WannaCry image. It shows the infection spreading around a classroom/lab.

http://i.imgur.com/5lB5RTg.jpg

DigitalChaos
05-13-2017, 01:04 AM
If anyone remembers the Conficker worm from 2008... well, that thing spread everywhere and it's STILL active and one of the more common pieces of malware that is alive. But Conficker was/is slightly more than an annoyance. WannaCry completely fucks your shit up.

https://en.wikipedia.org/wiki/Conficker

allegro
05-13-2017, 10:04 AM
So was the Win patch an auto update? I have Win 7 (my Win computer is from 2006, too old to install Win 10), is there a patch for older Win machines?

Did the NHS have backups?

Obviously the perp is from a country where English is not their first language; the post-hack message shows it.

Louie_Cypher
05-13-2017, 10:12 AM
I feel it's being reactive instead of proactive. Even when you give a list of libraries that need to be updated and patched, it's too much trouble, when it's so easy today with single-line bash scripts and cron jobs, especially with things like pip and apt-get. It boggles my mind. I find it very lazy, a very "why bother until their infrastructure is compromised" attitude.
-louie

allegro
05-13-2017, 11:25 AM
Well, and I did some research and found THIS (https://www.forbes.com/sites/gordonkelly/2017/01/17/microsoft-windows-7-security-hardware-support-problems/#364c9ae1ecdb).

From JANUARY of 2017. Hmmm ...

I still have one Windows machine (a Dell) because my boss and my Mom run Windows 7 and sometimes they use me as a Help Desk and I can't help them fix their computer unless I get ON my Win machine and tell them what to do. However, at some point I'm going to ditch the Dell and just get a Mac Mini for my basement office. Or, I'm gonna just use my MacBook Pro in both offices. (My 2009 24" iMac is croaking.)

Louie_Cypher, yes, very true.

DigitalChaos
05-13-2017, 01:40 PM
allegro - if you are on a supported version of Windows, it should be getting rolled out via auto-update. No harm in manually checking though.

Louie_Cypher
05-13-2017, 01:46 PM
Well, and I did some research and found THIS (https://www.forbes.com/sites/gordonkelly/2017/01/17/microsoft-windows-7-security-hardware-support-problems/#364c9ae1ecdb).

From JANUARY of 2017. Hmmm ...

I still have one Windows machine (a Dell) because my boss and my Mom run Windows 7 and sometimes they use me as a Help Desk and I can't help them fix their computer unless I get ON my Win machine and tell them what to do. However, at some point I'm going to ditch the Dell and just get a Mac Mini for my basement office. Or, I'm gonna just use my MacBook Pro in both offices. (My 2007 iMac is croaking.)

@Louie_Cypher, yes, very true. I'll tell you what I tell most people: pick up a few Raspberry Pis. It's secure, it's powerful, cheap, and can do pretty much anything a Mac Mini can do. Peripherals are cheap, and most apps are open source and free.
-Louie

DigitalChaos
05-13-2017, 02:01 PM
A few updates:

MS actually just rolled out patches for several of their unsupported versions: XP, 2003, 8.
https://krebsonsecurity.com/2017/05/microsoft-issues-wanacrypt-patch-for-windows-8-xp/
not sure if they autoupdate or are manual. You'd think it would be auto if they went through the trouble to head this thing off.


I have to retract my statement that there was an initial email phishing infection pathway. Despite that being widely reported by credible sources, there has been absolutely zero evidence to support it. We are far enough along that it should be redacted. So the good news is that this has the opportunity to get much worse in the future versions! :D


The worm is still very much alive. People are putting honeypots on the internet and are seeing infections happen in under 3 min. A lot of network security products (Palo Alto, Avast, etc.) have started blocking access to the URL that serves as an inadvertent kill switch... thus activating the worm for machines protected by those security products. Fucking DERP. Even some ISPs have started doing this, some as a security measure... some (like in the UK) as part of their stupid censorship stuff.

Meanwhile, the one random dude (https://twitter.com/MalwareTechBlog) who spun up the server that is acting as a kill switch is the only thing keeping this worm mostly contained. This one dude with a shitty server on his own money that can barely handle the load... that's what is keeping the entire internet alive, oh and huge portions of the vital global infrastructure. What's up 2017! How someone hasn't DDoS'd this already is beyond me.

allegro
05-13-2017, 02:16 PM
Whoa this is some awesome and fascinating shit:

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

allegro
05-13-2017, 02:26 PM
I'll tell you what I tell most people: pick up a few Raspberry Pis. It's secure, it's powerful, cheap, and can do pretty much anything a Mac Mini can do. Peripherals are cheap, and most apps are open source and free.
-Louie

I have to use MS Office Suite and I have to scan docs and shit. But thanks. My MacBook Pro is actually screaming fast and does everything I need right now if my other machines fail.

DigitalChaos
05-13-2017, 02:44 PM
Whoa this is some awesome and fascinating shit:

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

I was just reading that too. I like his interpretation that the URL was a shitty anti-sandbox attempt. Others were theorizing that it was a sloppy throttle to slow down the worm by inserting a bit of a delay in execution based on how stressed the network is. DNS resolution takes a bit of time. It's very important to throttle a global worm else it implodes. Sadly, lots of the media covering this are saying that this was an intentional kill-switch installed so that the author could kill the worm in the future... which makes very little sense.
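The kill-switch behaviour described in the rundown above, the note that filtering products blocking the URL end up activating the worm, and the anti-sandbox/throttle readings of it all reduce to one defender's check: any host that looks up that name has already run the payload, and a lookup that failed or was blocked means the worm kept going on that host. Here is an added Python example (mine, not from the thread or from MalwareTech's write-up) that triages constructed resolver log lines on that basis; the kill-switch domain names, the log format and the client addresses are placeholders I made up.

```python
"""Triage resolver/proxy logs for WannaCry kill-switch lookups (added example)."""
import re
from dataclasses import dataclass

# Placeholder names: the real kill-switch domain is not quoted in the thread, so
# these stand in for the list a defender would maintain. Variants are reported
# to change a single letter of the name, so the list has to be kept current.
KILL_SWITCH_DOMAINS = frozenset({
    "killswitch-placeholder-a.example",
    "killswitch-placeholder-b.example",
})

# Constructed, simplified log: "<timestamp> <client-ip> <qname> <outcome>".
# RESOLVED = an answer came back (the sinkhole counts), NXDOMAIN = no such name,
# BLOCKED = a filtering product refused the lookup.
SAMPLE_LOG = """\
2017-05-13T14:02:11Z 10.0.5.23 killswitch-placeholder-a.example RESOLVED
2017-05-13T14:02:13Z 10.0.5.23 updates.vendor-placeholder.example RESOLVED
2017-05-13T14:05:40Z 10.0.7.88 killswitch-placeholder-a.example BLOCKED
2017-05-13T14:09:02Z 10.0.9.14 killswitch-placeholder-b.example NXDOMAIN
2017-05-13T14:09:05Z 10.0.9.14 killswitch-placeholder-b.example RESOLVED
2017-05-13T14:11:30Z 10.0.3.2 mail.vendor-placeholder.example RESOLVED
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>[A-Za-z0-9.-]+)\s+(?P<outcome>RESOLVED|NXDOMAIN|BLOCKED)$"
)

# The worm only stops when the lookup succeeds, so a failed or blocked lookup
# is the worse outcome: on that host the worm went on to encrypt and spread.
SEVERITY = {"RESOLVED": 1, "NXDOMAIN": 2, "BLOCKED": 2}
REASON = {
    "RESOLVED": "worm ran but halted on the kill switch; host is infected and unpatched",
    "NXDOMAIN": "kill-switch lookup failed, so the worm continued past the check",
    "BLOCKED": "egress filter blocked the kill switch, which activated the worm here",
}


@dataclass
class Finding:
    client: str
    qname: str
    outcome: str
    severity: int
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """One Finding per client that queried a kill-switch name, keeping its worst outcome."""
    worst = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["qname"].lower().rstrip(".") not in KILL_SWITCH_DOMAINS:
            continue
        sev = SEVERITY[rec["outcome"]]
        current = worst.get(rec["client"])
        if current is None or sev > current.severity:
            worst[rec["client"]] = Finding(
                rec["client"], rec["qname"], rec["outcome"], sev, REASON[rec["outcome"]]
            )
    # Most urgent first, then by address so the output is stable.
    return sorted(worst.values(), key=lambda f: (-f.severity, f.client))


def summarize(findings):
    """Per-outcome counts plus a flag when the egress policy itself is the problem."""
    counts = {"RESOLVED": 0, "NXDOMAIN": 0, "BLOCKED": 0}
    for f in findings:
        counts[f.outcome] += 1
    return {
        "infected_hosts": len(findings),
        "outcomes": counts,
        # Any BLOCKED hit means a filtering product is doing exactly what the
        # thread warns about: cutting off the URL that holds the worm back.
        "egress_filter_blocks_kill_switch": counts["BLOCKED"] > 0,
    }


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.client:<12} {f.outcome:<9} {f.reason}")
    print(summarize(results))
```

Hosts in the RESOLVED bucket still need isolating and patching: the sinkhole only stopped that one run, and the next variant may not check the same name.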

Louie_Cypher
05-13-2017, 02:55 PM
don't worry it's secure #with a few exceptions
-Louie

DigitalChaos
05-13-2017, 04:58 PM
So far, the initial infection has only pulled in $25k USD worth of BTC. They could have had so much more if they didn't engineer the redemption process like it were the first ransomware ever created. I'm betting the decryption routine is so shitty that there will be a decryption tool released soon. So just keeping the infected machines on ice will be a smart move, if you need data recovery without paying.

Louie_Cypher
05-13-2017, 09:13 PM
So far, the initial infection has only pulled in $25k USD worth of BTC. They could have had so much more if they didn't engineer the redemption process like it were the first ransomware ever created. I'm betting the decryption routine is so shitty that there will be a decryption tool released soon. So just keeping the infected machines on ice will be a smart move, if you need data recovery without paying.

This is starting to look like a script kiddie level of attack, so who supplied the script and why? Could this be tied back to Trump? The Comey thing blew up in his face, so we have obstruction of justice, tampering, publicly threatening a witness... maybe my tinfoil fedora is on too tight. There is something not so fresh in Denmark.
-Louie

DigitalChaos
05-13-2017, 10:51 PM
The NSA did, basically. lol.
It's basically copy/paste of the NSA code plus really shitty ransomware and worm code. It will be unsurprising if we learn that a 15yo did this.

But it doesn't matter. There will almost certainly be variants rolled out. I'm surprised someone hasn't already rolled out a copy with the "kill switch" removed and pointed it at their bitcoin wallet. Guaranteed money with no effort.

Jinsai
05-13-2017, 11:22 PM
this is part of the reason I'm glad that the Mac computing market is shrinking back out of the mainstream market... It's a bummer to see the industry I'm working in make a shift that will exclude me if I stay on the mac ship (even as it heads towards its own iceberg), but at least its flagging popularity makes it less of a target for compromise.

allegro
05-13-2017, 11:38 PM
this is part of the reason I'm glad that the Mac computing market is shrinking back out of the mainstream market... It's a bummer to see the industry I'm working in make a shift that will exclude me if I stay on the mac ship (even as it heads towards its own iceberg), but at least its flagging popularity makes it less of a target for compromise.
It isn't as vulnerable to hacking -- not because it isn't and never has been "mainstream" (mostly due to cost and the target market being people and academia that can afford it) -- due to this:

https://www.lifewire.com/mac-os-x-is-not-linux-distribution-2204744

Jinsai
05-13-2017, 11:39 PM
It isn't as vulnerable to hacking -- not because it isn't and never has been "mainstream" (mostly due to cost and the target market being people and academia that can afford it) -- due to this:

https://www.lifewire.com/mac-os-x-is-not-linux-distribution-2204744

It's a combination of both of these things, and a variety of other factors. The unix base separates it from the core code of its more mainstream competition, but the whole "why would I bother writing a virus for this?" logic is a strong factor. We could say it's untested, but it was recently tested... and as we saw the beginnings of Mac's reemergence into mainstream computer markets (and a brief dominance in the laptop world), it's no coincidence that we saw the emergence of the "first Mac viruses."

Any system is potentially vulnerable, especially one that relies upon keychains as convenience, or updates that are so comprehensive that they simultaneously introduce new security flaws as they become incompatible with newer programs that cannot run on previous iterations.

I'm always glad to hear that the Mac computer market is taking a backseat in popular usage... no matter what it means for my stock investments

allegro
05-13-2017, 11:43 PM
The difference is that UNIX viruses without root access to revise file permissions don't get very far.

Macs have never been computer hobbyist machines and they've never been affordable. They never targeted the corporate markets. They have a niche market.

Jinsai
05-13-2017, 11:46 PM
The difference is that UNIX viruses without root access to revise file permissions don't get very far.

I've been assured that this is more of a "yet/why?" situation than anything else.

And that Apple has been pretty much about including anti-virus protections into its OS more than relying on 3rd party protection.

allegro
05-13-2017, 11:53 PM
I've been assured that this is more of a "yet/why?" situation than anything else.

And that Apple has been pretty much about including anti-virus protections into its OS more than relying on 3rd party protection.

The UNIX infrastructure is far more stable than Windows anything. Particularly with viruses.

Windows only needs 3rd party because 3rd parties constantly update all of the viruses in the protection.

But avoiding Trojan horses, time bombs, etc. is the same as avoiding viruses: watch your behavior, only use secure networks, etc.

See this: https://unix.stackexchange.com/questions/2751/the-myths-about-malware-in-unix-linux

DigitalChaos
05-14-2017, 01:59 AM
The 3rd party windows antivirus recently stopped being a thing. The built in is far superior to 3rd party now. So it's a lot like OS X in that sense. I'm actually having the 3rd party stuff removed from all the windows machines at my company. I'm a bit behind on that curve because I had to get my head over the historical idea. It still feels really weird.


Also, Win10 is a big jump for security (let's ignore the privacy issues for this discussion). This current worm doesn't impact win10 at all.


But I'm still going to be using OS X as my daily driver for the foreseeable future at work and home.

allegro
05-14-2017, 02:14 AM
I wish I could upgrade to Win 10, ugh.

WorzelG
05-14-2017, 03:14 AM
My husband always whines when Windows 10 updates because it takes a while to boot up. This has shut him up on that front, take as long as you want windows. I'm also relieved I upgraded my mum's old laptop to Windows 10 a while back. It was so slow I was up till 2am waiting but it was worth it in the end

DigitalChaos
05-14-2017, 03:41 PM
lmao. This manual redemption process is so fucked. Goddamned amateurs. After the victim pays they have to sit around and wait for a human (the attacker) to initiate the decryption process. No wonder these idiots have made so little money despite getting such rapid spread. These guys are so bad.


Meanwhile, there are new variants being seen. It's all really shitty adjustments of the original. Stuff like one letter being changed in the "kill switch" URL. The one that managed to fully remove that "kill switch" managed to corrupt the chain, so it resulted in a functioning worm but the ransom process would never initiate. It sure feels like random researchers editing the worm with a hex editor, then running it in a lab and forgetting to keep the lab fully isolated from the internet.

DigitalChaos
05-14-2017, 03:44 PM
Picture time!

Russian transit system being hit. Sounds like Russia got some of the brunt of this worm so far.
https://uploads.tapatalk-cdn.com/20170514/3956522723de72c86c8779b21c45966a.png


Meanwhile, the Sophos marketing team decided it was time to stop exaggerating the capabilities of their product.

They went from this:
https://uploads.tapatalk-cdn.com/20170514/7e2e7a29b91a276a2d5b4be2fb0d7c56.jpg


To this:
https://uploads.tapatalk-cdn.com/20170514/8b6d99cc560d44e3697bf9a958b88168.jpg

Louie_Cypher
05-14-2017, 06:14 PM
If the patch is unavailable, download to USB: https://www.renditioninfosec.com/2017/05/wanacry-because-your-organization-is-slow-to-patch-stop-the-tears-with-tearst0pper/
-louie

allegro
05-14-2017, 07:22 PM
So Ed Snowden shared this via Twitter:

https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.00001xkkdrrdpldh0tvdd5kmffuqa

From the Microsoft Memo:


Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.

We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part.

Louie_Cypher
05-14-2017, 08:59 PM
metasploit cheat sheet if you're curious about this sort of thing https://blogs.sans.org/pen-testing/files/2017/02/MetasploitCheatsheet2.0.pdf
-Louie

DigitalChaos
05-14-2017, 11:12 PM
So Ed Snowden shared this via Twitter:

https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.00001xkkdrrdpldh0tvdd5kmffuqa
yeah, Snowden has been a big proponent of "NSA should have informed microsoft when they found the vulnerability instead of when they lost control of it"
like... that's a nice concept but it doesn't really make sense. If the NSA shares that stuff it hamstrings their SIGINT work. It runs counter to their goals. Now, there is something to be said about having the NSA work much more on defense. As in, their job would be primarily to look for these kinds of vulns and get them patched. I'm not sure a setup like that could ever really pan out within govt though. Both from a general pragmatic approach of "would it work" and from an incentive/corruption angle where you would expect various vulns to be suppressed so they can be weaponized. Google's Project Zero operates in a way that is purely about finding vulns and they are always producing amazing results. Could govt do that too??

I am going back and forth with an ex-SIGINT guy about this who thinks the "inform the public about vulns" push is just crazy.



metasploit cheat sheet if you're curious about this sort of thing https://blogs.sans.org/pen-testing/files/2017/02/MetasploitCheatsheet2.0.pdf
-Louie
probably of little value for ETS... buuut since you posted this I'll raise you a shitload of infosec related cheatsheets:
https://www.peerlyst.com/posts/the-complete-list-of-infosec-related-cheat-sheets-claus-cramon

allegro
05-14-2017, 11:22 PM
yeah, Snowden has been a big proponent of "NSA should have informed microsoft when they found the vulnerability instead of when they lost control of it"
like... that's a nice concept but it doesn't really make sense. If the NSA shares that stuff it hamstrings their SIGINT work. It runs counter to their goals. Now, there is something to be said about having the NSA work much more on defense. As in, their job would be primarily to look for these kinds of vulns and get them patched. I'm not sure a setup like that could ever really pan out within govt though. Both from a general pragmatic approach of "would it work" and from an incentive/corruption angle where you would expect various vulns to be suppressed so they can be weaponized. Google's Project Zero operates in a way that is purely about finding vulns and they are always producing amazing results. Could govt do that too??


The paragraph I quoted above is FROM MICROSOFT. They are blaming the NSA for developing this "tool" and then not securing it (and other "tools") enough and these "tools" get out there to be used by criminals, leaving Microsoft and the business world, etc., to scramble to undo the NSA's MESS. Microsoft (quoted above) likens it to the Government losing a few Tomahawk missiles. Microsoft is blaming the U.S. GOVERNMENT for this ENTIRE MESS.

"An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action." - See notice posted May 14, 2017 by Brad Smith - President and Chief Legal Officer of Microsoft (https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.000113hzkb985ekb10xvkes5zv0tl)

They aren't saying "inform the public." They're saying IF YOU'RE GONNA DEVELOP THESE CYBER WEAPONS, THEN SECURE THE FUCKING THINGS. And inform the VENDORS so that they can prevent these "tools" from affecting users should the NSA fuck up and get hacked.

I don't think that's an unreasonable request.

DigitalChaos
05-14-2017, 11:31 PM
The paragraph I quoted above is FROM MICROSOFT. They are blaming the NSA for developing this "tool" and then not securing it (and other "tools") enough and these "tools" get out there to be used by criminals, leaving Microsoft and the business world, etc., to scramble to undo the NSA's MESS. Microsoft (quoted above) likens it to the Government losing a few Tomahawk warheads.

They aren't saying "inform the public." They're saying IF YOU'RE GONNA DEVELOP THESE CYBER WEAPONS, THEN SECURE THE FUCKING THINGS.

I don't think that's an unreasonable request.

I was focusing on this bit:
"This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. "

But yes, the request that the gov actually secures their goddamned weapons is totally correct. It's just MUCH harder to do. Actual munitions blow up on impact, destroying the weapon. With "cyber weapons" they go out to the internet and it's impossible to ensure destruction. Most of them actually live in dormancy in the public. It's a recipe for leaks. That's actually why the CIA's kind of fucked themselves because they had to declassify all their cyber weapons to actually be allowed to deploy them.

meanwhile, United just exposed the cockpit access codes to all their flights. http://www.cbsnews.com/news/united-airlines-says-cockpit-door-access-information-may-have-been-made-public/
nobody can keep any secret these days, doesn't even matter if it's associated with a computer.

DigitalChaos
05-15-2017, 10:31 AM
Man. The British press are a bunch of shitbags. They doxed the guy who stopped the first wave of WannaCry. For absolutely no reason. https://thenextweb.com/insider/2017/05/15/doxing-hero-stopped-wannacry-irresponsible-dumb/#.tnw_9gxn6d5g

Haysey
05-15-2017, 10:50 AM
Man. The British press are a bunch of shitbags. They doxed the guy who stopped the first wave of WannaCry. For absolutely no reason. https://thenextweb.com/insider/2017/05/15/doxing-hero-stopped-wannacry-irresponsible-dumb/#.tnw_9gxn6d5g

Can confirm the British press, for the most part, are complete bum nuggets! The sooner printed media goes under over here the better (with any luck the people with actual morals working at these places will have left long before then)

allegro
05-15-2017, 11:15 AM
Man. The British press are a bunch of shitbags. They doxed the guy who stopped the first wave of WannaCry. For absolutely no reason. https://thenextweb.com/insider/2017/05/15/doxing-hero-stopped-wannacry-irresponsible-dumb/#.tnw_9gxn6d5g

Wtf. I have seen so much crazy Chicken Little shit in ALL the press, lately, I now think they ALL suck. Unbiased journalism in this corporate age of profits is gone.

And THIS?? Dangerous and criminally irresponsible.

Louie_Cypher
05-15-2017, 11:27 AM
When news became entertainment and we had 24-hour news cycles, all bets were off. I feel very skeptical these days; I research and read a lot during a day and I would say I only trust about 10% of what I take in unless I can do or see it myself.
-Louie

DigitalChaos
05-15-2017, 02:15 PM
Interesting. An older version of this worm has some code identical to some malware that DPRK (LazarusGroup) released. Lots more digging must happen, but I'm sure the press will run with "North Korea behind biggest ransomware attack in history" as soon as they catch wind of it.


Edit: Andy Greenberg kicks it off via Wired: https://www.wired.com/2017/05/wannacry-ransomware-link-suspected-north-korean-hackers/

Andy rarely gets tech wrong. We gotta wait for the general press for that.

DigitalChaos
05-15-2017, 04:22 PM
... and then Trump nukes NK after seeing it on FoxNews

allegate
05-16-2017, 11:26 AM
"So I know there's this ransomware thing floating around, what could we do - security-wise - to make things safer?"

"I know! Let's block all of the online email services."

"Genius."

That would be our IT team last night.

DigitalChaos
05-16-2017, 01:17 PM
"So I know there's this ransomware thing floating around, what could we do - security-wise - to make things safer?"

"I know! Let's block all of the online email services."

"Genius."

That would be our IT team last night.

man, SO many were focusing on the completely nonexistent "email phishing delivery" and ignoring the worming aspect of this.

Everyone who helped save us from this was an independent researcher. A huge amount of the entities in charge of our safety were the ones fucking things up more than if they just stayed the fuck out.

The guy who set up the "kill switch" sites got multiple law enforcement takedown requests too. Luckily, he knew how to obey the requests while maintaining uptime of the sites. Add that on top of all the antivirus, security vendors, ISPs, and governments who were outright blocking access to this site... <this is where I would normally inject something about why I lean anarchist & libertarian... lol>


Anyway, here is a graph of the spread. This was infection attempts detected by anything running Symantec Endpoint Protection (so the left column only represents a fractional sampling).
You can see exactly where the "kill switch" site was spun up and how the exponential growth was massively cut to a plateau. This would have continued to rise otherwise.
http://i.imgur.com/EpXewoD.jpg

They recently updated the graph. You can see how Monday rolled around and infections started spiking for 2 reasons: 1 - people started bringing their infected machines into company networks and infecting them. 2 - some new variants started coming out with new kill switches that were able to spread a bit before being caught.
http://i.imgur.com/Y6vmNjj.png

DigitalChaos
05-16-2017, 01:20 PM
Meanwhile, ShadowBrokers (the ones who leaked these NSA tools... NOT wikileaks as many incorrectly are saying) is active again. They are saying (https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition) that they will be leaking more tools next month. Stuff that will even impact Windows 10.

ziltoid
05-18-2017, 06:56 AM
Change your passwords frequently: https://lifehacker.com/change-your-passwords-right-now-560-million-email-cred-1795291120?rev=1495035518455&utm_campaign=socialflow_lifehacker_facebook&utm_source=lifehacker_facebook&utm_medium=socialflow

DigitalChaos
06-15-2017, 01:35 AM
NSA linked WannaCry to North Korea. It's actually believable considering how incredibly amateur and buggy the implementation was. There have been hints at the NK connection for weeks, so it's interesting seeing the NSA throw in.

https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html?utm_term=.8d0c4f2fb959

ziltoid
06-23-2017, 05:08 PM
I should have stayed on Windows 7 :(.

Internal builds and source code for Windows 10 revealed in massive 32TB leak. (https://www.neowin.net/news/internal-builds-and-source-code-for-windows-10-revealed-in-massive-32tb-leak)

miss k bee
06-28-2017, 08:31 AM
Second day off work due to cyberattack!

http://www.adweek.com/agencies/an-international-cyberattack-has-disabled-wpps-computer-network/

DigitalChaos
06-28-2017, 11:16 AM
Second day off work due to cyberattack!

http://www.adweek.com/agencies/an-international-cyberattack-has-disabled-wpps-computer-network/

This is kind of a rehash of WannaCry. But with added mechanisms. But the big thing is that this isn't *really* ransomware. It's just made to look like it, from how it all looks. It's very likely an attack on Ukraine by Russia. Everyone else is probably just collateral.

On the surface, this is a Petya Ransomware variant with some really great infection capabilities. Someone watched 5k computers get taken over in 10min. It's good. But the payment channel is busted as shit. It required the attackers to maintain access to an email account. That account got shut down within hours.

Also, last I looked, I was hearing about a suspiciously miraculous recovery from an infection of not-Petya by a Russian group. I haven't had a chance to validate this though. I'm busy interviewing for a job with some Ukrainians... lol


edit:
The Guardian just posted a story that backs up the first half of my post: https://www.theguardian.com/technology/2017/jun/28/notpetya-ransomware-attack-ukraine-russia
This post by the grugq does the same, but also talks about the suspicious Russian infections (scroll to "The immaculate infection" for that part): https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4

allegro
06-28-2017, 11:51 AM
I received an email this morning from Bitdefender:

https://www.bitdefender.com/news/massive-goldeneye-ransomware-attack-affects-users-worldwide-3330.html?cid=emm|c|rp|goldeneye|com&rp_mid=EMM_ENG_GOLDENEYE&rp_rid=374876995

DigitalChaos
06-28-2017, 12:01 PM
heh, NotPetya is not even ransomware! The changes it makes to your data aren't even reversible (at least by the infection software). So even if you could still pay the attacker, it seems there is no "decryption" mechanism.

https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b

"2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas, 2017 Petya does permanent and irreversible damages to the disk."

allegro
06-28-2017, 12:23 PM
It hit DLA Piper (giant law firm)? LOL crazy shit

http://abovethelaw.com/2017/06/global-biglaw-firm-paralyzed-by-new-ransomware-attack/


(One of the original DLA Piper firms was Rudnick & Wolfe (https://en.wikipedia.org/wiki/DLA_Piper#Piper_Rudnick) here in Chicago)

allegro
06-28-2017, 12:51 PM
Tax-accounting software?

https://www.webmasterworld.com/foo/4855462.htm?platform=hootsuite

DigitalChaos
06-28-2017, 07:41 PM
allegro - Yeah, MeDoc is very popular accounting software in Ukraine. MeDoc is denying it, but the current evidence shows that it was one of the infection vectors. Basically, their software update mechanism isn't the most secure so it was probably compromised by the attacker and used to push the "ransomware" to everyone who used it. This pathway has been utilized quite a few times in popular software, and it will continue to grow more common.

Another vector seems to be a Ukrainian city's website. It was likely hacked and then used to serve up the infection to anyone visiting it.

Another pathway that is suspected, but unproven, is your typical email phishing.

Unlike WannaCry, this didn't worm over the internet. It only used the worm capability (the leaked NSA tool) to propagate to the entire internal network. An hour after infection, the machine shuts down. There are still ways for it to spread accidentally to other networks, but it allows for much more targeted delivery.



As for DLA... yeah, this was the whiteboard that greeted all the employees in the DC office:
http://i.imgur.com/CF3nmtF.jpg

DigitalChaos
07-23-2017, 09:35 PM
Louie_Cypher - still doing defcon? I'll be there. I'm flying out weds. PM me some contact info if you want to cross paths still.

I just accepted a gig at an AI startup with a heavy Ukrainian presence. Shit's gonna be silly.

allegro
07-25-2017, 11:27 AM
Okay, DigitalChaos and Louie_Cypher, what the fuck is this FRUITFLY2 shit (http://www.zdnet.com/article/new-analysis-fruitfly-mac-malwware-almost-undetectable-backdoor/)?

edit: See also (https://www.laptopmag.com/articles/mac-malware-fruitfly-2).

DigitalChaos
07-25-2017, 11:50 AM
Okay, DigitalChaos and Louie_Cypher, what the fuck is this FRUITFLY2 shit (http://www.zdnet.com/article/new-analysis-fruitfly-mac-malwware-almost-undetectable-backdoor/)?

edit: See also (https://www.laptopmag.com/articles/mac-malware-fruitfly-2).

Not enough is known, but it seems like a fairly small number of computers have been infected. So it's probably very targeted. This is the 2nd known variant; the first was found on biomed machines like a year or two back, as your edit reflects.

The guy who found this is actually doing a presentation tomorrow. Maybe we will hear more. But it sounds like he has restrictions on what he can say, probably due to an active investigation. Also, he seems to know very little about the infection path. But he was able to spin up a fake "command and control" server to interface with the infected machines.

In short: there should be enough info for AV vendors to block known variants. OS X has built in anti-malware that will likely be the first to get pattern definitions added though, so keep your OS updated. But I wouldn't worry too much about this specific malware as it seems very targeted and on a small number of machines.

Sadly, this is usually how it looks. Malware goes undetected for quite some time until it happens to catch the eye of someone capable of finding it.

allegro
07-30-2017, 10:02 AM
Hackers take over electronic voting machines in under two hours (http://www.nydailynews.com/news/national/hackers-electronic-voting-machines-hours-article-1.3367172).

Louie_Cypher
07-30-2017, 11:58 AM
This is always the case but never gets much press. Same thing happened with Tesla. Was supposed to be there but a friend's illness prevented the trek this year, sad :(. Was supposed to meet up with DigitalChaos too, which I was looking forward to. Oh well, hopefully next year.
-Louie

allegate
07-31-2017, 04:04 PM
WikiLeaks publishes searchable archive of Macron campaign emails (http://www.reuters.com/article/us-france-politics-wikileaks-idUSKBN1AG1TZ)

https://media.giphy.com/media/1M9fmo1WAFVK0/giphy.gif

Louie_Cypher
07-31-2017, 04:44 PM
more Russian shenanigans
-Louie

allegro
08-03-2017, 06:39 PM
WHAT THE FUCK??!?!?!

HACKER WHO STOPPED WANNACRY CHARGED WITH WRITING BANKING MALWARE (https://www.wired.com/story/wannacry-malwaretech-arrest/)

Haysey
08-04-2017, 03:09 AM
Was just about to link that as well.

According to the BBC (http://www.bbc.co.uk/news/uk-england-40820837), he was moved before visiting hours and nobody (other than the US law enforcement, who aren't saying anything) knows where he is being held; nobody has been able to speak to him since his arrest 2 days ago...

Something feels off about this.

allegro
08-04-2017, 11:11 AM
Was just about to link that as well.

According to the BBC (http://www.bbc.co.uk/news/uk-england-40820837), he was moved before visiting hours and nobody (other than the US law enforcement, who aren't saying anything) knows where he is being held; nobody has been able to speak to him since his arrest 2 days ago...

Something feels off about this.

They're probably trying to take media heat off of him, then they'll offer him a deal to work for the U.S. Government. Which NEEDS guys like him.

Louie_Cypher
08-04-2017, 11:20 AM
this is why i donate and continue to donate to https://www.eff.org/about
-Louie

Louie_Cypher
08-04-2017, 01:16 PM
No one is worried about Sessions talking about media subpoenas; they're shutting down the press and it doesn't seem to make anyone a little nervous. In case you don't know what that means, it means our guilty-by-association A.G. can go to a newspaper and demand under court subpoena that reporters give the government their sources or face prosecution. This is the latest response from the White House over "leaked" telephone transcripts of conversations with foreign leaders that made Trump look stupid, claiming the old standby "national interest" and "classified", inching slowly towards a dictatorship.
-Louie

thelastdisciple
08-10-2017, 02:11 AM
https://techcrunch.com/2017/08/09/malicous-code-written-into-dna-infects-the-computer-that-reads-it/

Malicious code written into DNA infects the computer that reads it

WTF?

Jinsai
08-10-2017, 04:03 AM
WHAT THE FUCK??!?!?!

HACKER WHO STOPPED WANNACRY CHARGED WITH WRITING BANKING MALWARE (https://www.wired.com/story/wannacry-malwaretech-arrest/)

lecture he missed


https://www.youtube.com/watch?v=glSN4qvjt2E

DigitalChaos
08-17-2017, 02:01 PM
WHAT THE FUCK??!?!?!

HACKER WHO STOPPED WANNACRY CHARGED WITH WRITING BANKING MALWARE (https://www.wired.com/story/wannacry-malwaretech-arrest/)

He's in Milwaukee now. They grabbed him in Vegas on his way out of defcon. I don't want to provide a lot of detail because fuck the Feds. But just about everyone in security would be screwed if the law found our online activity from when we were teens. Marcus is only 23 so it wouldn't be that long ago. Who knows what the Feds have though.

The prosecution are pieces of shit. They tried blocking bail by claiming he was a risk to public safety. They said he was a foreign national who discharged a firearm within the country. .... he went to a NV tourist firing range and fired guns. Jesus Christ. The judge laughed at that claim, luckily. Is that kind of thing normal from the prosecution?

Anyway. It could be as simple as some malware author reusing code that Marcus wrote. Even if Marcus did write malware, it seems to come down to intent, especially in relation to profit. It's clear from the indictment that Marcus is not the primary target. The other person, who is still at large, took up almost all the charges listed while Marcus occupied a single charge.

Considering the above, and the fact that the court has now allowed Marcus to access the internet again while on bail... I'm guessing they just want his help. Probably in tracking down the primary name in the indictment. That sure is a pretty horrible way to go about it though. Why not work with the UK? Why choose the worst possible time to intercept him?

allegro
08-18-2017, 01:39 AM
Normal for Federal prosecutors, yes: they play dirty. And they use what we call "fishing expeditions." Try to scare and intimidate people to fish for info.

DigitalChaos
08-18-2017, 12:43 PM
Normal for Federal prosecutors, yes: they play dirty. And they use what we call "fishing expeditions." Try to scare and intimidate people to fish for info.

Figured. They held him for 2 or 3 days without a lawyer, from what I remember. That's also when they got him to admit to writing some of the code found in the malware. Which means nothing, but it's sufficient for the prosecution. That would be a long time to keep your mouth shut for most people, especially when no friends or family know where you are and you are in a foreign country. Worse is that Marcus is very helpful and probably too young to be sufficiently jaded against helping Feds.

These assholes could have just asked for help and hinted at having possible dirt on him if they needed cooperation. Going dicks-out with a huge show of force just reinforces why so many of us in this industry are fearful of helping the Feds and dislike the idea of being one of them.

allegro
08-18-2017, 06:00 PM
You know how I feel about them but I'll say it again: I fucking hate the FBI and Feds, they're incompetent and they are evil and they suck.

They have no plans, zero loyalty, and they only care about anything to the extent that it will put a notch in their belt.

Louie_Cypher
08-18-2017, 06:45 PM
Kind of like police officers; some people get involved in it for the right reasons, some for the power. It all depends.
-Louie

DigitalChaos
08-18-2017, 07:05 PM
Cops and Feds are very different animals. With cops, I at least have a 50/50 experience. Some are great.
allegro- I don't remember if I mentioned it here. But the FBI recently wanted to talk with me, but didn't have my identity. They were going through a 3rd party. I had evidence of a pretty severe crime against public infrastructure by a foreign entity. I had no legal representation. Some of the chats you and I had flashed before my eyes. I couldn't think of any way this would hurt me, but I know that's naive. So I refused and only worked through the 3rd party as a proxy. The Feds got their evidence and I kept my distance. It was still a bit risky as that proxy was a weak point, but hey... It pisses me off that even in this situation I can't trust them :(

allegro
08-18-2017, 11:48 PM
DigitalChaos, we've had our run-ins for many years here on ETS but I ALWAYS consider you an online friend. We get pissed off at each other, mostly due to Admin and Mod principles, but I just gotta say: I still respect you, we always know our mutual respect, and if G and I are out your way we hope to meet up with you and your lovely wife and kids.

Bless.

Edit: And ... no ... you can't trust them. I sure wish they were not like that. It's sad. It makes things so much more difficult and complicated.

DigitalChaos
08-18-2017, 11:55 PM
Fuck yeah! Hit me up if you find yourself in my area. I'm actually in south eastern WI at the moment. Haven't been for years. I miss it. Flying back to CA in a day though. There's a mild chance we end up moving out here actually. If that ends up happening I'll make a point to meet up and bring you a bottle of wine or something. :)

allegro
08-19-2017, 01:36 AM
You got a deal man. No wine, my addiction is Diet Coke!

Sitting here in SE WI, I'm not sure this area is ready for you but whatever, good luck, dude. This place is like TrumpLand these days. G and I have to hold our tongues, not really into arguing where it could get nasty.

You know, the Feds doing what they do and especially this situation with this kid who they could use, it's no wonder they have such shitty cyber abilities compared to other countries. They're making it worse for us citizens. It's just so damned frustrating. But it does give you and Louie job security heh.

Edit: now there's this: https://arstechnica.com/information-technology/2017/08/code-chunk-in-kronos-malware-used-long-before-malwaretech-published-it/

DigitalChaos
09-07-2017, 05:04 PM
hahahaha

Equifax just lost 173 million identities. That's HALF the fucking US population. HAAAALLLFFFFF

Name, DOB, credit card numbers, SSNs, Drivers licenses, etc

https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html

DigitalChaos
09-07-2017, 05:06 PM
Oh, and they are offering the Equifax security monitoring service for anyone who was impacted by this. Jesus Christ, go fuck yourselves, Equifax.

http://i.imgur.com/aaFvKCQ.jpg

ziltoid
09-07-2017, 05:41 PM
hahahaha

Equifax just lost 173 million identities. That's HALF the fucking US population. HAAAALLLFFFFF

Name, DOB, credit card numbers, SSNs, Drivers licenses, etc

https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html
FUCK ME!!! That's horrible, goddammit, I'm most likely one of the people that will be affected by this shit.

DigitalChaos
09-07-2017, 06:20 PM
I am SO FUCKING HAPPY that we are all using SSNs as a national ID. Never mind the fact that I probably won't collect a penny of Social Security... but I have to still carry that bullshit number around for my entire life. All because of some poorly constructed govt program that rode the slippery slope all the way to the bottom. A national ID would have constitutional issues? Oh... well we will all just sort of *voluntarily* start using this random number that makes no sense to use as a form of ID. Never mind the fact that the SSN card itself used to have a nice big "NOT FOR IDENTIFICATION" right on it... well, up until 1972, because that's how the slippery slope works.

Why don't we just dismantle Social Security and be done with all this shit? I'm sure that won't ever be the popular solution though. Everyone will just want a national ID and some president will push it through with an Executive Order. Because fuck the constitution guys!

allegro
09-07-2017, 07:33 PM
hahahaha

Equifax just lost 173 million identities. That's HALF the fucking US population. HAAAALLLFFFFF

Name, DOB, credit card numbers, SSNs, Drivers licenses, etc

https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html

I'm so fucking pissed off at this, I could scream. This isn't the first time they've been hit, either.

I already have a credit freeze at all the credit reporting agencies because my data was hacked during the OPM Fed hack, but now these assholes can't securely maintain data, either?

I've been really pissed about EVERYBODY ... the fucking cable company, the electric company, EVERYBODY ... using our Soc number, it's BULLSHIT. There should be a separate credit number that can be easily changed if necessary, TOTALLY SEPARATE from the SS Number. The Government should issue A NEW SOCIAL SECURITY NUMBER TO EVERYONE and force creditors to use a separate credit number.

Now these hackers STEAL YOUR TAX REFUND by using your stolen data to file an early tax return and steal your money.

And if your identity is stolen and you need a new SSN, you start with NO credit history.

We need Social Security but a whole new system must be started.

This is just FUCKING BULLSHIT.

allegro
09-07-2017, 07:36 PM
FUCK ME!!! That's horrible, goddammit, I'm most likely one of the people that will be affected by this shit.

EVERYBODY has a chance of being affected. This happened MONTHS ago and we are just now finding out. And those "credit monitoring" services ARE FOR SHIT because they alert you when YOUR DATA HAS ALREADY BEEN STOLEN and you're already fucked. The people affected probably won't get this "email notice" for months.

Locking up (freezing) your credit file with all three agencies is the safest route. It costs about $10 per agency (free in some states) and you can temporarily unfreeze it if you're taking out a loan or something. It won't prevent a thief from using your existing accounts or from stealing your tax refund.

DigitalChaos
09-07-2017, 07:45 PM
Their site is still embarrassingly open and broken. I won't post details here because *legal reasons*. But people are having fun turning things inside out.

Separately, they just took down the site used to contest credit reports. I'm guessing they are finally fixing the hole that was reported back in March.


Also, they have multiple domains set up for people to check if they were impacted. They look like phishing sites. And then you enter your info and it either says "probably not" or "hrmm... come back in X days and I can give you info about that request". Fuck these assholes.



3 senior execs sold $1.8mil in stock 3 days after the breach was detected.
https://www.bloomberg.com/amp/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack



Fuck them.




https://uploads.tapatalk-cdn.com/20170908/a3a5adb5ab38697e94c0a3fa5b46550b.png

ziltoid
09-07-2017, 07:51 PM
EVERYBODY has a chance of being affected. This happened MONTHS ago and we are just now finding out. And those "credit monitoring" services ARE FOR SHIT because they alert you when YOUR DATA HAS ALREADY BEEN STOLEN and you're already fucked. The people affected probably won't get this "email notice" for months.

Locking up (freezing) your credit file with all three agencies is the safest route. It costs about $10 per agency (free in some states) and you can temporarily unfreeze it if you're taking out a loan or something. It won't prevent a thief from using your existing accounts or from stealing your tax refund.

The fucked up thing is that I applied for a credit card today and I found out literally about this minutes after.

allegro
09-07-2017, 07:52 PM
The fucked up thing is that I applied for a credit card today and I found out literally about this minutes after.

The breach happened back in July so ...

DigitalChaos
09-07-2017, 07:56 PM
Locking up (freezing) your credit file with all three agencies is the safest route. It costs about $10 per agency (free in some states) and you can temporarily unfreeze it if you're taking out a loan or something. It won't prevent a thief from using your existing accounts or from stealing your tax refund.

Freezes are some of the best action you can take in the age of your info always being leaked. You may find value in blocking electronic access to your SSN: https://secure.ssa.gov/acu/IPS_INTR/blockaccess

allegro
09-07-2017, 07:56 PM
These fuckers. The Government needs to hand them a fine SO PUNITIVE it'll bankrupt them.

We can't even keep them from having the data, they have all of it against our will. We should be able to opt out from these ASSHOLES.

allegro
09-07-2017, 07:57 PM
Freezes are some of the best action you can take in the age of your info always being leaked. You may find value in blocking electronic access to your SSN: https://secure.ssa.gov/acu/IPS_INTR/blockaccess

OH MY GOD awesome THANK YOU!! DOING THAT NOW!!!!!

Edit: Done. I guess this means I can't log into SS to check future benefits status, but I just did that a few weeks ago and I won't need it for several years; blocking is more important.

DigitalChaos
09-07-2017, 11:17 PM
Hahahaha. OpenDNS just blocked one of their domains as a phishing site. It was so fucked up looking that even the experts thought it was a phishing site. I'm laughing so hard I can't breathe. I have never seen a company handle a security issue this horribly. If they don't get severely harmed, nothing will fix this shit besides Project Mayhem.

DigitalChaos
09-08-2017, 09:59 AM
Last night we figured out who their Incident Response team is. Like everyone, we were like "Equifax? more like equihax amirite?" And then tried to register equihax.com. Turns out someone registered it 3 days before the news broke. The owner is someone who started working at FireEye (Mandiant) this year in their IR team. lmao


Ah well Equifax stock is down 15-20%. I guess that's a very mild start :/

allegate
09-08-2017, 11:51 AM
3 senior execs sold $1.8mil in stock 3 days after the breach was detected.
https://www.bloomberg.com/amp/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack


I think this got lost in the middle of your post.

https://twitter.com/ByRosenberg/status/905924051373355009

Conan The Barbarian
09-08-2017, 01:11 PM
Does this breach affect me if I never came in contact with Equifax? I opened a card back in March, but it was through a bank.

DigitalChaos
09-08-2017, 01:15 PM
Depends on what was actually leaked. Equifax isn't giving sufficient info about what happened.
For the most part, you have no choice. The credit agencies have all your info by default. So yeah, you may very well be impacted.

Louie_Cypher
09-08-2017, 03:36 PM
Seems to be some discussion on whether the info they are providing is true: https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/
-Louie

eskimo
09-08-2017, 03:49 PM
https://www.facebook.com/ginandtacos/posts/10155536851371677

theimage13
09-08-2017, 04:44 PM
Debating how much lower to let their stock drop before buying. It's one of the largest financial institutions in this country...you can't expect me to believe that the stock won't eventually be right back up to where it was a few weeks ago.

DigitalChaos
09-08-2017, 05:46 PM
https://www.facebook.com/ginandtacos/posts/10155536851371677
as much as I want to pour gasoline on the fire to damage equifax, nobody with any legal background agrees with that interpretation.

Louie_Cypher
09-08-2017, 06:44 PM
It's being challenged. My understanding was that part of the terms of service for checking to see if your account was breached was that you cannot be part of a class action. Everything about this is shady; from the numbers, when it happened, it could also be "solar flares".
-Louie

DigitalChaos
09-13-2017, 10:03 AM
Equifax's Argentinian employee portal was a nice pile of trash until yesterday. Now it's offline.

You could get in with admin/admin. From there you could see all employee user/pass. All their passwords were the same as their username. You could also look up every complaint and dispute by Argentinians. Looots of DNIs (Argentinian SSN equivalent).

Who would have thought that Project Mayhem would have been run entirely on the negligence of the machine itself.

Maybe we will wake up next week and learn that this was just an elaborate promo for Mr Robot season 3.

allegro
09-13-2017, 12:04 PM
you could get in with admin/admin.

lol
omg
wtf
lmao
smdh

theimage13
09-13-2017, 02:20 PM
U.S. bans use of Kaspersky software in federal agencies amid concerns of Russian espionage (https://www.washingtonpost.com/world/national-security/us-to-ban-use-of-kaspersky-software-in-federal-agencies-amid-concerns-of-russian-espionage/2017/09/13/36b717d0-989e-11e7-82e4-f1076f6d6152_story.html?utm_term=.9f19e6f139c1)

Well then.

(Also, that's a link - not sure why it didn't format to blue)

skullboy0
09-13-2017, 03:27 PM
U.S. bans use of Kaspersky software in federal agencies amid concerns of Russian espionage (https://www.washingtonpost.com/world/national-security/us-to-ban-use-of-kaspersky-software-in-federal-agencies-amid-concerns-of-russian-espionage/2017/09/13/36b717d0-989e-11e7-82e4-f1076f6d6152_story.html?utm_term=.9f19e6f139c1)

(Also, that's a link - not sure why it didn't format to blue)

I've found if you copy/paste formatted text, the pasted text retains the formatting.

A quick paste in Notepad & recopy will strip the formatting.

DigitalChaos
09-13-2017, 03:52 PM
lol
omg
wtf
lmao
smdh
That's basically what it feels like most every day now. Some asshole will come out and tell the world that it was a "sophisticated attacker" and maybe even throw in "nation state" if they can. Since they pulled in Mandiant/FireEye they will probably get a "China did it" report too. Shit just kills me.


And honestly, this level of simplicity is really what 95% of hacking is these days. Try the default passwords and see if that really old exploit (that has been patched forever) works. Add in some phishing to get people to just straight up let you in.

DigitalChaos
09-20-2017, 05:04 PM
jesus christ.


Equifax has been sending customers straight into a hacker’s trap for weeks
http://www.rawstory.com/2017/09/equifax-has-been-sending-customers-straight-into-a-hackers-trap-for-weeks/

allegro
09-25-2017, 09:58 AM
Ensuring there is no shortage of stupidity in America, I saw a commercial that said, "we scan the dark web to protect your identity"

“Scan the dark web” - lol wut

theimage13
09-25-2017, 12:51 PM
jesus christ.


Equifax has been sending customers straight into a hacker’s trap for weeks
http://www.rawstory.com/2017/09/equifax-has-been-sending-customers-straight-into-a-hackers-trap-for-weeks/

I fucking hate clickbait headlines. "A hacker's trap"? Please. It was a white hat hacker (the good guys) making a point that they're being absolutely idiotic with their handling of the situation, and his own fake site takes you to the right place. You and I are smart enough to know that, but 95% of people out there see a headline like that and think "oh shit, we just got hacked again" and click on the article in a panic.

DigitalChaos
09-25-2017, 02:40 PM
Welcome to basically all infosec "journalism" being obnoxious. There are really only a few journos who I trust to write sanely. That said, the "white hat hacker" didn't anticipate Equifax would use this. He thought scammers would. It's really crazy to think about how they could have possibly managed this.

DigitalChaos
10-04-2017, 12:07 AM
IRS awards multimillion-dollar fraud-prevention contract to Equifax

http://www.politico.com/story/2017/10/03/equifax-irs-fraud-protection-contract-243419




what the FUUUUUUCK!
Where are the people who say we just need more powerful government to put the evil corporations in their place? I want to laugh in their face right now. After that, I'll move back to watching all this bullshit burn down. This is complete bullshit.