2015-08-31

Free Open Source Ransom Ware

Good news for bad guys, we now have an open source ransomware [Hidden Tear], which can be tweaked and used by anyone with literally basic scripting skills. Features include:
  • Uses AES algorithm to encrypt files.
  • Sends encryption key to a server.
  • Encrypted files can be decrypted in decryption program with encryption key.
  • Creates a text file on Desktop with given message.
  • Small file size (12 KB)
  • Undetectable by antivirus programs

2015-08-30

Ashley Madison Hack Study

A bit late in the day now, but here is my study of the (in)famous hack, of the website with the tagline, "Life is short, have an affair".


12-Jul-15:
The website's parent company, ALM (Avid Life Media), had been hacked. Employees first learned of the intrusion when they arrived at work and powered on their computers, to be presented with the initial message from the "Impact Team", the hacker group that has claimed responsibility for the breach.

The news broke, and as expected there was widespread fear among the ~37M impacted users. The original leak:
Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.
The hackers also claimed that the company had lied when it sold a service called "Full Delete", which was supposed to purge all user details.
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.” 
The demand from the hackers:
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
Sounds like a "Robin Hood" of hackers, no? Doing good for society, with no personal gain: no BTC demands!


18-Aug-15:
The company decided not to give in to the demands. And the hackers leaked what was promised (tech links). So, what happens now?

  1. There are numerous websites now offering services to search for your spouse and friends, to see if they were using the website
  2. We now have bad guys harassing the victims (for lack of a better word), and starting an extortion / blackmail program
  3. We also have two suicides, which could (not confirmed) be due to this disclosure
  4. The ALM company has been taken to court by the users, and faces a class-action lawsuit
  5. The CEO of the company stepped down over all this controversy
  6. Some big names got exposed via this hack.

24-Aug-15:
The company announces a $500M bounty for anyone who can help find the culprit behind this hack. At the same time, Krebs feels a Twitter user, Thadeus Zu (@deuszu), could be responsible.

15-Sep-15:
The company used all the right protocols for hashing and salting their passwords. However, a poor implementation led to over 11M hashes being cracked.

15-Dec-16:
Ashley Madison settles the lawsuits for $17.5 M. Interestingly, at this point in time, it can only afford to pay about 10% of this. Plus they will have a whopping 20 yrs of govt oversight to ensure network security.





2015-08-10

Introducing Zerodium

As its name suggests, it specializes in acquiring zero-day exploits and then selling them off.
The start-up is backed by Vupen, the French vulnerability dealer that has often drawn controversy for brokering exploits to the highest bidder.

2015-08-08

BitDefender gets held at ransom for unencrypted passwords

It's a pity to see security companies forgetting basic security measures like hashed passwords!

Win-10 share wifi password 'feature'

Unless you opt out, Windows 10 will by default prompt you to share access to WiFi networks to which you connect with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends.