Hacking news

Former Microsoft employee who stole and leaked Microsoft’s trade secrets sentenced to three months in prison

Alex Kibkalo, a former Microsoft employee, was sentenced to three months in prison by a U.S. district court judge for stealing and leaking Microsoft's trade secrets.


Kibkalo, a Russian national who worked at Microsoft for more than seven years, was arrested by FBI agents in March 2014 on charges that he stole the company's trade secrets relating to pre-release software updates for Windows 8 and Microsoft's "Activation Server Software Development Kit" (SDK), and leaked the information to a tech blogger in France with malicious intent.

Although Kibkalo faced up to 10 years in prison and a fine as high as $250,000, he entered into a plea agreement with federal prosecutors, which resulted in his sentence being reduced in April 2014 to three months in prison and a fine of $22,500.

As of Thursday, Kibkalo had already served 86 days in federal custody; he will be credited with time served and should therefore be released early next week.

In a letter to the judge included in the court documents, Kibkalo said: "For sure, I got my lesson not to discuss my work projects with external parties." He also said that when he returns home he hopes to look for "another interesting full time job, preferably in software security again" and that he is "thinking about publishing a book about my mistakes and the result, which might make more people think on this topic."

Microsoft itself was widely criticized for the way it investigated the leak. To identify the person behind it, Microsoft allegedly searched the blogger's Hotmail account without his consent. After the outcry from the online community over this snooping, the company changed its policy: under Microsoft's new terms of service, if similar circumstances arise in the future the company will refer the matter to law enforcement agencies rather than investigating it itself.


TweetDeck hack compromises thousands of Twitter accounts, including White House, BBC and CNN accounts

A TweetDeck vulnerability was discovered this Wednesday that may have compromised thousands of Twitter accounts, including those of BBC News, CNN, a senior White House official, and several other verified accounts.


The vulnerability was noticed when the compromised accounts started retweeting a tweet containing a "?" symbol followed by a string of code and parameters.

TweetDeck is a popular social media dashboard application for managing Twitter accounts, used by many users, and is owned by the NYSE-listed Twitter Inc.

So how did it happen?
It all started with a vulnerability in the TweetDeck plugin for Google Chrome, discovered by 19-year-old Austrian programmer Florian, aka Firo.

"I was tweeting about the HTML heart symbol (♥), because I didn't know that this was possible," Florian said.

"TweetDeck is not supposed to display this as an image, because it's simple text, which should be escaped to "♥". But in my tweet I used the Unicode character of the heart as a reference for my followers.

"The whole thing looked like this: there were two hearts. One was black (at the position where the ♥ was supposed to be) and one was red (this one was the Unicode character and got replaced by TweetDeck)."

Who knew that the HTML character ♥ exists for ?
— Firo Xl (@firoxl) June 11, 2014

"So, I started to play around, and discovered that the Unicode heart (which gets replaced with an image by TweetDeck) somehow prevents the tweet from being HTML-escaped. So I used a strong HTML tag to verify this (that's the famous "I wonder if this works" tweet). It worked.
"So I wrote a little script which displays a popup and then blocks itself. It worked.

I wonder if this works: <strong>Test</strong> ?
— Firo Xl (@firoxl) June 11, 2014

"This is called XSS (Cross-Site Scripting) and is very dangerous. No web developer should ever make this possible. TweetDeck did.
"I didn't know that there was such a big problem, so I experimented with this in a public environment; there was no reason not to do so.

<script>if (!a) alert("hihihi");var a=true:</script> ?
— Firo Xl (@firoxl) June 11, 2014

"And that was the point where I reported this to TweetDeck.
"TweetDeck actually did not react in any way. Their next tweet said that there was a security issue and that users should log in again."

The vulnerability, by now known to all via the news wires, was quickly taken advantage of by other hackers, including @derGeruhn, who tweeted a self-retweeting script that was retweeted by more than 80K users.

<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>?
— *andy (@derGeruhn) June 11, 2014

The tweet also appeared on thousands of verified accounts that used the TweetDeck application, including the Twitter accounts of Katherine Vargas, the White House director of Hispanic media, BBC and CNN.

TweetDeck's response, albeit late, came after the incident. It tweeted that the vulnerability had been fixed and that users needed to log out of their TweetDeck account and log in again to fully apply the fix. The problem still persisted, however, because TweetDeck had to take the service down for an hour to apply the fix and verify that it was working.

A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014

We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up.
— TweetDeck (@TweetDeck) June 11, 2014

We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014

While the whole story made Florian popular, some people also believed that Florian was behind the attack and had made the TweetDeck service unavailable, though it was TweetDeck itself that took the service down to fix the exploit.

Florian himself stated that "all this was a big accident" and that, as of now, he was trying to help TweetDeck. It was he who reported the bug, and he said that he does not want any bounty for it.

The TweetDeck service is working fine as of now and, as reported by the company, the patch has been applied for all users.
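To make the failure mode Florian describes concrete, here is an added JavaScript model (written for this article, not TweetDeck's actual code) of two rendering paths: an emoji-replacement branch that inserts the tweet text as HTML without escaping it, beside the escape-first ordering that closes the hole. The image markup, sample tweets and function names are constructed for this example and are assumptions, not taken from TweetDeck.

```javascript
// Added example, not TweetDeck's code: a model of an emoji-replacing
// tweet renderer with and without the escaping bug described above.

// Emoji characters the renderer swaps for images. The <img> markup is
// constructed for this example; only the renderer itself may emit it.
const EMOJI_IMAGES = {
  "\u2665": '<img class="emoji" alt="\u2665" src="/emoji/heart.png">',
};

// Standard HTML escaping of the five characters that matter in markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Replace every known emoji character with its trusted image markup.
function replaceEmoji(html) {
  return html.replace(/[\u2665]/g, (c) => EMOJI_IMAGES[c]);
}

// VULNERABLE (assumed model of the bug): when the tweet contains an emoji,
// the raw tweet text is handed to the emoji replacer and inserted as HTML
// so the <img> tags render, and the escaping step never runs. Any markup
// the tweet author typed survives, which is exactly a stored XSS.
function renderTweetVulnerable(text) {
  if (/[\u2665]/.test(text)) {
    return replaceEmoji(text);          // raw text: author's tags survive
  }
  return escapeHtml(text);              // no emoji: escaped as intended
}

// FIXED: escape the untrusted text first, then splice in the trusted image
// markup. Ordering is the whole fix; the emoji feature is unchanged.
function renderTweetFixed(text) {
  return replaceEmoji(escapeHtml(text));
}

// Defender-side check: after stripping the tags the renderer itself emits,
// no tag-like "<" may remain in the output.
function containsUntrustedTag(html) {
  const stripped = html.replace(/<img class="emoji"[^>]*>/g, "");
  return /<[a-z!/]/i.test(stripped);
}

// Constructed sample tweets. The second mirrors the shape of the test
// tweet quoted above: author-supplied markup followed by a heart.
const SAMPLES = [
  "I \u2665 TweetDeck",
  "<strong>Test</strong> \u2665",
  "<script>alert(1)</script> \u2665",
  "<script>alert(1)</script>",
];

// Render every sample both ways and report whether markup leaked through.
function demo() {
  return SAMPLES.map((tweet) => {
    const vulnerable = renderTweetVulnerable(tweet);
    const fixed = renderTweetFixed(tweet);
    return {
      tweet,
      vulnerable,
      fixed,
      vulnerableLeaks: containsUntrustedTag(vulnerable),
      fixedLeaks: containsUntrustedTag(fixed),
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const result of demo()) console.log(result);
}
```

Run with Node: only the emoji-bearing samples leak markup through the vulnerable path, and the escape-first path leaks nothing while still rendering the heart image.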


Evernote hit by DDoS attack, brought down for several hours

Evernote, the popular note-taking and archiving service, was inaccessible for many of its 100+ million users on Tuesday.


Murmurs that something was wrong hit social media and forums as users were unable to synchronise their notes. Some users were worried that they might lose all their Evernote notes.


After hearing a lot of buzz and questions from its users, the company took to its Twitter account to assuage their fears.

Evernote service is currently unavailable. We are working to resolve the issue. Updates to follow. Thanks for your patience.
— evernote (@evernote) June 10, 2014

However, what seemed to be a technical problem soon turned out to be a cyber attack on Evernote. An hour after the above tweet, the company confirmed that it was struggling with a distributed denial of service (DDoS) attack.

We’re actively working to neutralize a denial of service attack. You may experience problems accessing your Evernote while we resolve this.
— evernote (@evernote) June 10, 2014

A distributed denial of service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users by flooding the server with so much traffic that it can no longer cope with legitimate requests.

Evernote spokesperson Ronda Scott told the BBC that the denial-of-service attack began at 14:25 PST on Tuesday and had not yet ended.

“We continue to mitigate the effects of the attack, but have successfully returned Evernote to service. As is the nature of DDoS attacks, there was no data loss, and no accounts were compromised.”

The company was able to resume service four hours after the start of the attack, but it also informed users that the service might take 24 hours to return completely to normal.

Evernote is up and running. There may be a hiccup or two for the next 24 hours. We appreciate your patience.
— evernote (@evernote) June 11, 2014

DDoS attacks have become more and more common among cyber criminals and hacktivists, but what is still unknown is why the attackers targeted Evernote. Was it some kind of dispute between the attackers and the company, or was it a competitor's plan?

Update: the popular news aggregator application (RSS reader) Feedly was also struck by a similar DDoS attack, and it is working to bring its services back to normal.

Feedly CEO Edwin Khodabakchian said in a blog post:

"Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort money from us to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can."

The company is working with law enforcement agencies and its network provider to mitigate the attack.

Users' data is safe, and they will be able to access their Feedly again as soon as the attack is neutralized, said Edwin Khodabakchian.

Looking at Feedly's story, it is possible that Evernote was also attacked for ransom.


US security firm Crowdstrike accuses another Chinese military unit of hacking US and European industries

In May 2014, the US Department of Justice charged five Chinese military hackers with economic cyber espionage against US businesses. The authorities believed at the time that these hackers were officers in the 3rd Department, 12th Bureau of Unit 61398 of the Chinese People's Liberation Army (PLA). When the State Department raised the issue, the Chinese government stated on record that the claims were "absurd" and based on "fabricated facts." China also said: "The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets."

Now Crowdstrike, a US security firm, has published a blog post accusing the Chinese government of conducting a sophisticated cyber espionage campaign against US and European businesses. This revelation will further strain the already strained relations between the two nations. The report published by Crowdstrike details its research into malware called 'Putter Panda' that was found spying on high-tech firms in the space, aerospace and communications industries.

Crowdstrike has traced Putter Panda to a building in Shanghai, in the heart of China. Crowdstrike has said that this facility was most likely run by the PLA's 3rd Department, 12th Bureau, Unit 61486. Crowdstrike further identified a man named Chen Ping, aka 'cpyy', whom it claims is a member of the PLA, and said that cpyy was responsible for buying domains associated with Putter Panda.

Crowdstrike said that the hackers attacked US and European businesses through popular business tools such as Adobe Reader and Microsoft Office, deploying customised malware via email. Crowdstrike CEO George Kurtz says that the US was right to file charges against the Chinese government in light of these findings.

"China's decade-long economic espionage campaign is massive and unrelenting. Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every part of the globe," he said. He added: "Targeted economic espionage campaigns compromise technological advantage, diminish global competition, and ultimately have no geographic borders."

China's foreign ministry dismissed Crowdstrike's allegations and repeated the line that the US is far more guilty of hacking than China.

“The United States cannot pretend that it is the victim. They are a hacker empire. I think everyone in the world knows this,” spokeswoman Hua Chunying said.

14-year-old kids hack Bank of Montreal ATM and report the vulnerability to the bank

Two 14-year-old Winnipeg high school students were able to hack into a Bank of Montreal ATM using an old operator's manual found online.

Photo caption: Caleb Turon (left) and Matthew Hewlett (right)

Matthew Hewlett and Caleb Turon, both Grade 9 students, chanced upon an old operator's manual for the BMO ATM while surfing the net. Having found the manual, and not even sure that they would actually be able to put the ATM into "operator mode", they decided to give it a try.

“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett told The Sun. “When it did, it asked for a password.”

They were surprised to find that their first random guess at the six-digit password happened to be correct. The password the lads guessed is one commonly used as a "default password" on electronic gadgets. The bank has not revealed the password, but experts believe it to be "123456".

The boys immediately went to the BMO Charleswood Centre branch on Grant Avenue to notify the bank of the loophole. When they informed the staff about a security problem with an ATM, the bank officials assumed one of their PINs had been stolen, Hewlett said.

"I said: 'No, no, no. We hacked your ATM. We got into the operator mode,'" Hewlett said.

"He (the bank official) said that wasn't really possible and that we didn't have any proof that we did it.

“I asked them: ‘Is it all right for us to get proof?’

“He (the bank official) said: ‘Yeah, sure, but you’ll never be able to get anything out of it.’

“So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much the ATM collected for different surcharges.

“Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.” Hewlett said.

As further proof, Hewlett playfully changed the ATM's greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."

They returned to BMO with six printed documents, and naturally this time the bank officials took them seriously.

“They brought the branch manager out to talk to us,” he said. “He was quite concerned and said he would have to contact head security.”

After calling head office to report the security flaw, the branch manager even wrote, at Turon's request, a note to the school explaining why the students were late returning after lunch.

“Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security,” the note began, according to the Sun.

A BMO spokesperson confirmed that no customer information was exposed when Turon and Hewlett probed the ATM's system.

Luckily for the Bank of Montreal, these kids had no malicious intent, or all hell would have broken loose for the bank. It is frightening to imagine a situation in which hackers and cyber criminals had chanced upon this manual instead of these schoolkids.


Manhattan company driven into bankruptcy after it was hacked by its competitor to steal its clients

A Manhattan company was driven into bankruptcy when a subsidiary of a multibillion-dollar French company hacked into its private business, pricing and patent data with the aim of obtaining its clients' contacts.


Genergy Inc., which was founded in 2000, filed for Chapter 11 bankruptcy in October 2010. The company claims that the plot began soon after its former COO Giuseppe Giammo left the company in 2006 to join its main competitor SourceOne Inc., a U.S.-based subsidiary of the French company Veolia Environment.

Genergy has accused SourceOne of asking hackers to access its files so that SourceOne could obtain Genergy's client information and contacts. Genergy says that, acting on SourceOne's request, the hackers broke into Genergy on about 5,588 separate occasions between June 24, 2006 and Dec. 11, 2012 and stole confidential client information.

Genergy's attorney accused SourceOne of unauthorized access to Genergy's files and of using them to steal the company's business model and client list. Genergy also says that SourceOne, armed with the insider information, started undercutting its prices and poaching its customers.

The lawsuit is expected to be filed by the company this Monday in Manhattan federal court.


Anonymous Brasil commences #OpHackingCup against Brazil's extravagant spending on the 2014 World Cup

With the World Cup due to start on the 12th, the hacktivist collective Anonymous is threatening World Cup sponsors as its next hacking target. The threat is aimed at the World Cup organisers: Anonymous says that money is being spent extravagantly on building stadiums and other World Cup-related expenses instead of on much-needed local infrastructure, transport systems and poverty alleviation programs.

Anonymous Brasil member Che Commodore made the threat in solidarity with the protests going on in Rio de Janeiro against the World Cup. Brazilians have been protesting against wasteful World Cup expenditure for the past three months.

“We have already conducted late-night tests to see which of the sites are more vulnerable,” Commodore told Reuters. “We have a plan of attack.”

"This time we are targeting the sponsors of the World Cup," he added in a Skype conversation with the news agency from an undisclosed location in Brazil. The potential targets include sponsors such as Adidas, the Emirates airline, the Coca-Cola Co and Budweiser, but Anonymous Brasil has confirmed that, as of now, it has no specific targets in mind.

@AnonBRNews @Anon_Ibero We have many users and db’s of pages “.Br” we can give. Greetings Brazilian anons 😉
— Anonymous Juventud (@AnonymousJuvent) June 5, 2014

In a paste on Pastebin, Anonymous said that they are against the extravagant expenditure on World Cup 2014 at a time when Brazil is going through an economic slowdown.

"How many billions of dollars from public funds were spent to build and reform the stadiums that will host the Cup, aside from other builds that will bring very little or no legacy to the population? What justifies, for example, building a new stadium in Manaus city, in the state of Amazonas? In which ways was the oversight of how the public money is being used on these builds executed, principally the ones that need to be finished as a matter of urgency due to delays, many times resulting in an increase of costs (it's estimated that the cost of the stadiums has increased 163% compared to the initial forecast)? It is valid to remember that the promise included that private initiative would take on the outgoings of building the stadiums."

Jason Hart, VP Cloud Solutions at SafeNet, has said that all the sponsors will have to wise up to potential security threats during the World Cup, which starts today.

"This World Cup will be the most connected, technology-driven World Cup ever and therefore will also be the subject of more hacks, security threats and data breaches than any sporting event since London 2012. Brazil's ability to host a sporting event has been questioned, and the readiness of its physical infrastructure, IT and network infrastructure will also be tested to extreme degrees."

Meanwhile, another tweet claimed that over 450 Brazilian government emails and passwords had been hacked and leaked. The paste linked from the tweet has since been removed.

#OpHackingCup #Brasil 450 Brazilian Government Email + Password Hacked By XhackerTN –
— Niño Orsino (@hispahack) June 9, 2014

Here is a video posted by Anonymous Brasil to bring the world's attention to the ongoing protests in Brazil.


Doctor in New Zealand loses $300,000 to Nigerian fraudsters who hacked his dad’s email

The New Zealand Herald has reported a hack by Nigerian scammers that cost an Auckland doctor $300,000, which he is now fighting to get back. According to the report, the doctor lost the money after Nigeria-based scammers hacked into his father's email account and then, posing as the father, had $300,000 transferred out of his account.

The doctor, who wished to remain anonymous and works in the emergency department of an Auckland hospital, is fighting to get the money back and has warned other users to be vigilant against the Nigerian fraudsters. The doctor said that he and his father were holding over $300,000 of family money in a bank in New Zealand, earmarked to buy a property in Auckland or England. His parents live in Britain and had been closing in on a deal before the scam happened. The doctor said they had decided to make an offer on a property in England, and he spoke to his father on the phone about transferring the money to a UK account.

“He told me verbally to send the money over, but later sent an email saying not to do it as the offer had been rejected,” the doctor told the Herald.

“Twelve hours later I got another email sounding like it was continuing on from that conversation. It said good news, the offer has been accepted so send the money through. I had an ongoing conversation with who I thought was my father.”

The doctor transferred the money to a bank account that appeared to have been set up in his father's name. As the messages were coming from his father's legitimate email address, he had no reason to suspect anything was amiss. When he spoke to his father days later, he realised he had been scammed.

He now believes the fraudster used a phishing technique to gain access to his father's email account, in which a fake password prompt was sent to "confirm" the user's personal details.

The fraudster, who Auckland police think is Nigerian, then used those details to access the email account and monitor the father and son's conversation before stepping in and pretending to be the older man. The doctor has contacted both his bank and the one he transferred the money to, as well as the police. He is waiting to find out whether there is any way he can recoup his loss.

“My main error was that I didn’t make the telephone call to my dad for confirmation. But I’m pretty busy, I don’t have the time to speak to my parents on the phone all the time. I think I should have though,” he said.

“We are all frustrated, it’s a massive chunk of money. I feel somewhat stupid, but when I go and read back through the email chain [the scammer] was pretty convincing.”

Nigerian fraud gangs are always on the lookout for phishing victims, and their style of scam is known as a 419 scam. They are so good at it that unsuspecting victims fall prey to their scams the world over.


Eleven electronic road signs compromised in three US states between 30th May and 1st June

According to a blog report posted by the Multi-State Information Sharing & Analysis Center (MS-ISAC), a cyber criminal who appears to be from Saudi Arabia compromised eleven electronic road signs, also known as dynamic message signs, in three US states over three days from 30th May to 1st June. The hacker posted messages on the road signs stating that they had been hacked. In one case he invited drivers passing the sign to interact with him through Twitter.

MS-ISAC said that these hacks have been confirmed by the Center for Internet Security (CIS), a US internet watchdog. In a detailed report, MS-ISAC stated that:
  • Investigators in one state believe the compromise may be due in part to the use of weak Simple Network Management Protocol (SNMP) community strings. Investigators in another state believe the malicious actor (read: hacker) used Telnet on port 23 and a simple password cracker to gain remote access.
  • In one state the malicious actor changed the modem passwords, forcing technicians to restore factory default settings to regain access.
  • The malicious actor targeted Daktronics controllers in at least two of the states.

According to the authorities, the hacker appears to be a Saudi Arabian citizen who is also responsible for a number of structured query language (SQL) injection (SQLi) compromises of databases in foreign countries over the past several years, and who has demonstrated an interest in the "Internet of Things" by posting compromises of, and instructions for compromising, light bulbs and car radios in addition to road signs. The authorities, however, do not think he is affiliated with any known hacktivist or cyber criminal group.

It should be noted that many modifications of electronic road signs have taken place before, usually for 'lulz' or to entertain drivers; messages such as "zombies ahead" are the most commonly seen. In mid-May a San Francisco traffic sign was hacked to warn travellers of a Godzilla attack. But if a hacker can carry out the above with such ease, it could create a public safety nightmare for the authorities. Had the hacker used an electronic sign to direct drivers onto a hazardous or accident-prone road, it could have led to serious harm. Such messages also cause drivers to stop and take pictures, which can cause a pileup leading to injuries and damage.

CIS has noted that this hacking may be directly correlated with the recent release of the video game "Watch Dogs", in which gameplay revolves around "hacking", with a particular focus on critical infrastructure electronic devices. CIS thinks that a small percentage of Watch Dogs players may experiment with compromising computers and electronic systems outside of game play, and that this activity will likely affect SLTT (state, local, tribal and territorial) government systems and Department of Transportation (DOT) systems in particular.


Hacker 'Guccifer', who hacked the emails of former U.S. president George W. Bush and the head of the Romanian secret service, sentenced to 4 years in jail

The notorious hacker 'Guccifer', aka "Small Fume", was sentenced to 4 years in jail by a Romanian court on Friday.

Guccifer was charged with a series of hacks, including breaking into the emails of former U.S. president George W. Bush and his family members, former US Secretary of State Colin Powell, the head of the Romanian secret service, Pulitzer Prize-winning author Diane McWhorter, comedian Steve Martin, oceanographer Robert Ballard and several other politicians and celebrities from the U.S. and Romania.

While this may look like a big list of charges, it forms only a small part of his actual list of victims and targets.

The hacker behind the aliases "Guccifer" and "Small Fume":

Marcel Lazar Lehel, a 40-year-old cab driver by profession, is the man behind the name Guccifer. Lehel was arrested in January by the Romanian authorities and could serve a total of 7 years behind bars, as he also carries a previous 3-year suspended sentence.

Victims and targets:

Guccifer's list of targets is huge. In addition to those mentioned above, he also hacked into the accounts of a U.S. senator, members of the Rockefeller family, former FBI and Secret Service agents, a senior U.N. official, Sidney Blumenthal (an aide to Bill Clinton) and members of the Council on Foreign Relations.

While he loved to target politicians and government agencies, he also hacked the accounts of several Hollywood celebrities. In May 2013 he leaked the original unpublished manuscript of "Sex and the City" by hacking into the account of its author, Candace Bushnell. Earlier, he also posted the original script for the finale of "Downton Abbey" Season 4, which he accessed from the email account of the show's creator Julian Fellowes six months before it was due to be broadcast.

Guccifer compromised and leaked several documents. The most notable of all was a spreadsheet containing phone numbers, email addresses, social security numbers and passwords for various websites, along with drawings and documents such as doodles by Bill Clinton and a self-portrait George W. Bush painted of himself taking a shower.

While many readers may think that all the hacks were hi-tech, in reality that is not entirely true. Guccifer mostly used social engineering tricks, correctly guessing the security question on a victim's account after reviewing Wikipedia pages, the names of their relatives or their pet's name.
