OurMine hijacks Netflix’s US Twitter account

By Narinder Purba

Netflix has become the latest big name brand to have one of its social media accounts hijacked by OurMine.

The hacking collective was briefly able to take over Netflix’s US Twitter account yesterday (December 21st), posting numerous tweets that were indicative of its signature style.

This included: “Hey, it’s OurMine, Don’t worry we are just testing your security, contact us to tell you more about that…”

There was some initial confusion about whether Netflix, which describes itself as the world’s leading internet television network, had regained full control over its account.

However, this has since been resolved. At the time of writing, no further details have been made as to how OurMine was able to gain access.

OurMine has built of a reputation of compromising high-profile individuals and organizations.

This includes Facebook’s CEO, Mark Zuckerberg, whose Twitter, LinkedIn and Pinterest accounts were hijacked in June.

It was revealed at the time that his password for all three accounts were the same. It was “dadada”.

Other victims include Variety, which had its content management system compromised in September.

Reporting on the incident at the time, the print and online publisher said: “In contrast to many other hackers, OurMine doesn’t typically attempt to shut down websites or abscond with data.

“The anonymous group positions itself as cybersecurity outfit that raises awareness for its services by hacking into prominent people and brands.”

Year-end cybercrime update 2016: an avalanche of good news?

By Stephen Cobb

Cybersecurity can at times be a strange career, one in which good news is sometimes defined as no news, as in: Hooray! We haven’t been hacked today! And some of cybersecurity’s good news is bad news for other people, for example: “Teen behind Titanium DDoS Stresser pleads guilty in London”. Yet even some of this good news is hard to enjoy. I would not use “happy” to describe my reaction to that headline; more like “sad” because a young man made some bad choices and recovering from the consequences of those choices will be difficult for him.

Then again, you can also say that one less bad actor active in cyberspace is always good news for all those who spend their time defending information systems. So, at this time of the year, when word of good tidings is either on our minds, or on the radio, or both, I decided to highlight some wins for the good people who are working to keep the bad people in check.

Below you will find 20 success stories in the struggle against cybercrime. They range from indictments to arrests, extraditions to sentencing. These reports are not placed in any particular order or ranking and I have probably missed some cases. I made the URLs explicit so you can see the range of publications now covering these events, and I decided not to comment on each case individually in order to stress their cumulative impact. Taken together they demonstrate the extent to which cybercrime has become a part of modern life and, in turn, an increase in resources devoted to deterring it.

Looking at this list I get the sense that law enforcement efforts in cyberspace bore more fruit in 2016 than in any other year, and that is good news. Here’s hoping for an even better year in 2017!

1.     Hacker Gets 4 Years in Prison for Selling Stolen Bank Accounts on the Dark Web – https://www.bleepingcomputer.com/news/security/hacker-gets-4-years-in-prison-for-selling-stolen-bank-accounts-on-the-dark-web/

2.     Russian Hacker Suspected in Massive LinkedIn Breach Arrested Overseas – http://abcnews.go.com/US/russian-hacker-suspected-massive-linkedin-breach-arrested-overseas/story?id=42912836

3.     Joint Cyber Operation Takes Down Avalanche Criminal Network Servers Enabled Nefarious Activity Worldwide – https://www.fbi.gov/news/stories/joint-cyber-operation-takes-down-avalanche-criminal-network

4.     Feds Accuse Two 19-Year-Olds Of Hacking For Lizard Squad and PoodleCorp – http://motherboard.vice.com/read/feds-accuse-two-19-year-olds-of-hacking-for-lizard-squad-and-poodlecorp

5.     2 Israelis arrested for major hacking operation after FBI tip-off – http://www.timesofisrael.com/2-israelis-arrested-for-major-hacking-operation-after-fbi-tip-off/

6.     The hacker behind world’s largest-ever bank hack arrested in Russia – http://www.techworm.net/2016/10/hacker-behind-worlds-largest-ever-bank-hack-arrested-russia.html

7.     North Carolina men arrested, charged with hacking senior U.S. officials (Crackas with Attitude) – http://www.cbsnews.com/news/north-carolina-men-arrested-charged-hacking-senior-us-officials/

8.     Teen Behind Titanium DDoS Stresser Pleads Guilty in London: used to launch over 1.7 million DDoS attacks – http://news.softpedia.com/news/teen-behind-titanium-ddos-stresser-pleads-guilty-in-london-509811.shtml

9.     Global authorities arrest 34 in DDoS bust; suspects mostly teenagers – https://www.scmagazine.com/global-authorities-arrest-34-in-ddos-bust-suspects-mostly-teenagers/article/578671/

10.   Police arrested a hacker who allegedly triggered a DDoS attack on the 911 emergency call system – http://www.theverge.com/2016/10/30/13471128/meetkumar-hiteshbhai-desai-arrest-911-exploit

11.   Accused Pippa Middleton hacker arrested by London police – http://www.today.com/video/accused-pippa-middleton-hacker-arrested-by-london-police-772772931547

12.   NSA contractor arrested in hacking plot – http://nypost.com/2016/10/05/nsa-contractor-arrested-in-hacking-plot/

13.   Kennesaw State Student Arrested for Hacking School Computer: Faces up to 15 years in jail – http://www.teenvogue.com/story/kennesaw-state-student-arrested-for-hacking-school-computer

14.   Three men arrested in connection with mobile handset upgrade fraud enabled by unauthorised access to customer data – http://www.computerweekly.com/news/450403170/Hackers-arrested-in-Three-mobile-upgrade-scam

15.   Florida Computer Programmer Arrested For Hacking Linux Kernel Organization and the Linux Foundation – https://www.justice.gov/usao-ndca/pr/florida-computer-programmer-arrested-hacking

16.   FBI Arrests Customer of Xtreme Stresser DDoS-for-Hire Service – https://www.bleepingcomputer.com/news/security/fbi-arrests-customer-of-xtreme-stresser-ddos-for-hire-service/

17.   Three Romanians indicted in $4 million cyber fraud ring – http://www.cleveland.com/metro/index.ssf/2016/12/three_romanians_indicted_in_va.html (not to be confused with the 3 Romanians extradited to the US in 2013 – https://archives.fbi.gov/archives/newyork/press-releases/2013/three-members-of-international-cyber-fraud-ring-extradited-from-romania-to-the-united-states)

18.   Suspected JP Morgan hacker arrested after returning from Moscow – http://www.cbsnews.com/news/joshua-samuel-aaron-suspected-jp-morgan-hacker-arrested-after-returning-from-moscow/

19.   Hacker known as Guccifer sentenced to 52 months in prison – https://www.washingtonpost.com/local/public-safety/guccifer-hacker-who-revealed-clintons-use-of-a-private-email-address-sentenced-to-52-months/2016/09/01/4f42dc62-6f91-11e6-8365-b19e428a975e_story.html

20.   British booter bandit walks free after pleading guilty to malware sales – http://www.theregister.co.uk/2016/04/11/grant_manser_sold_50k_in_stressers_sidesteps_slammer/

Notes on cybercrime and “the cyber”

The US will inaugurate a new president in January amid an unprecedented level of controversy and concern about what the president-elect once referred to as “the cyber”. Amidst all the talk, there is a worrying tendency to bundle cybercrime with other unwelcome activities in cyberspace. Allow me to explain.

As a presidential candidate Mr. Trump talked about the need to make cybersecurity “a major priority for both the government and the private sector” (those words come from the official text of candidate Trump’s speech on cybersecurity, as “prepared for delivery” and archived on the wonderful WayBack Machine). He went on to say:

“Cyber-attacks from foreign governments, especially China, Russia, and North Korea along with non-state terrorist actors and organized criminal groups, constitute one of our most critical national security concerns.” [emphasis added]

Unfortunately, while this sounds good, it is not entirely accurate: the three different threats enumerated in that sentence are not one and the same thing, and not all cybercrimes are a matter of national security. To be clear, Mr. Trump is not alone in his conflation of these things, we hear it a lot when government contractors, especially defense contractors, talk about cybersecurity. I agree that all three threats are real, but the response to each needs to be very different, and fighting cybercrime as though it is a matter of national defense makes no sense.

To Mr. Trump’s credit, some of those prepared remarks do specifically call for a law enforcement pursuit of criminals in addition to a militaristic response to terrorist and nation state activity in cyberspace. Unfortunately, other remarks return to conflated thinking, lapsing into dogma with which a lot of security professionals would disagree, such as: “We should turn cyber warfare into one of our greatest weapons against the terrorists.” Frankly, I don’t think that is a good idea, and I’d be happy to explain to the new administration why I think that.

 http://www.welivesecurity.com/2016/12/20/year-end-cybercrime-update-2016-avalanche-good-news/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

IoT attacks: 10 things you need to know

By Editor

Something major happened in October. Internet of Things (IoT) devices were exploited by cybercriminals and turned into a rogue and malevolent army. A series of distributed denial of service (DDoS) attacks affected websites connected to the cloud-based internet performance management company Dyn, including Amazon, Twitter, Reddit, Spotify and PayPal. It’s possibly a watershed moment.

“We have been shown just how vulnerable the internet – which is now an integral part of the critical infrastructure of the US and many other countries – is too disruptive abuse conducted at scale, by persons whose identity is not immediately ascertainable,” ESET’s Stephen Cobb concluded in his analysis of the event.

Now, with Christmas upon us and the increasingly volatile world markets never more dependent upon online transactions, everyone is desperate to stop repeat attacks.

1.     Wait, what’s IoT?

Definitions vary, but the ‘Internet of Things’ refers to ‘smart devices’ like refrigerators that will tell us when we’re out of milk. But also, many smaller less outlandishly smart objects, such thermostats, coffee machines and cars. These gadgets are embedded with electronics, software, sensors and network connectivity so that they can connect to the internet.

2.     So, what’s the problem?

Anything that connects to the internet, even if it doesn’t contain your medical records, poses a risk. The October 21st attacks were made possible by the large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras.

The attackers infected thousands of them with malicious code to form a botnet. Now, this is not a sophisticated means of attack, but there is strength in numbers. They can be used to swamp targeted servers, especially if they march in all at once.

3.     How did the attacks actually happen?

Remember that bit in the instruction manual where it told you to change the default password? Well, if you didn’t, then chances are your IoT device could spring to life as a cyber zombie. The DDoS-attackers know the default passwords for many IoT devices and used them to get in. It’s a bit like leaving your house keys under a flowerpot for anyone to find.

Anyone putting an IoT router, camera, TV or even refrigerator online without first changing the default password is enabling attacks of this type. Recent ESET research suggests at least 15% of home routers are unsecured – that’s an estimated 105 million potentially rogue routers.

4.     Wait, do I need IoT devices?

Some people dismiss IoT devices as gimmicky; others believe that in a few years we’ll all have smart cupboards that tell us what we can have for dinner. But there are numerous discernible benefits, such as the sensors in smartphones and smartwatches that provide real information about our health. Or the “blackbox” telematics in cars which can prove how safe or unsafe our driving is and thus help with insurance claims.

5.     So, this is a new problem?

Nope. The possibility for exploitation of this kind has been common knowledge since, well, the dawn of IoTs. But, we didn’t realize quite how vulnerable we were until October. Malicious code infecting routers is nothing new, as this ESET research clearly demonstrates.

The advice to change the default passwords on these devices is definitely not new and has been reiterated many times. Yet you can lead a horse to water, but there’s no making them drink. Two years ago WeLiveSecurity reported on the existence of 73,000 security cameras with default passwords.

6.     How far does it go back?

The IoT actually goes way back as far as the 1980s. But in a slightly Back to the Future iteration. Researchers at Carnegie Mellon University first came up with an internet-connected Coke vending machine in 1982.

7.     Surely, internet giants have the power to stop this?

Sure they do. But that doesn’t mean some of them haven’t left gaping holes available for malicious exploitation. At the Black Hat security conference last year, security research students from University of Central Florida demonstrated how they could compromise Google’s Nest thermostat within 15 seconds.

Daniel Buentello, one of the team members, was quoted as saying in 2014: “This is a computer that the user can’t put an antivirus on. Worse yet, there’s a secret backdoor that a bad person could use and stay there forever. It’s a literal fly on the wall.”

8.     What can I personally do to stop this?

Look at IoT devices like any other computer. Immediately change the default password and check regularly for security patches, and always use the HTTPS interface when possible. When you’re not using the device, turn it off. If the device has other connection protocols that are not in use, disable them.

These things might sound simple, but you’d be alarmed by how easy it is to opt for convenience over good sense. Only half of respondents to this ESET survey indicated that they’d changed their router passwords.

9.     What can companies do to stop this?

You might think, ‘What’s the point? If an attacker can breach Amazon, then what hope does my firm have?’ Well, don’t give up hope. Organizations can defend against DDoS attacks in a range of ways including boosting the infrastructure of their networks and ensuring complete visibility of the traffic entering or exiting their networks. This can help detect DDoS attacks, while ensuring they’ve sufficient DDoS mitigation capacity and capabilities. Finally, have in place a DDoS defense plan, which is kept updated and is rehearsed on a regular basis.

Think of it like a fire drill for your network. Also, watch out for Telnet servers. These are the dinosaurs of the digital universe and as such should be extinct, because they’re so easily exploited. Never connect one to a public-facing device.

10.   But … and this is a big but …

The tech might have been around for a while but these kinds of attacks are brand new. As such there are no agreed best practice protection methods for stopping an IoT from turning against you.

At least, not ones that the experts can agree on. Some believe you should apply a firewall in your home or business and to regulate control of them to authorized users. However, another method would be to apply a certification approach: allowing only users with the right security certificate to control the devices and automatically barring any unauthorized profiles. If in doubt, unplug it.

http://www.welivesecurity.com/2016/12/19/iot-attacks-10-things-you-need-to-know/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29