Tag Archives: scanning

[ISN] Hacker Claims Feds Hit Him With 44 Felonies When He Refused to Be an FBI Spy

http://www.wired.com/2015/02/hacker-claims-feds-hit-44-felonies-refused-fbi-spy/

By Andy Greenberg
Threat Level
Wired.com
02.18.15

A year ago, the Department of Justice threatened to put Fidel Salinas in prison for the rest of his life for hacking crimes. But before the federal government brought those charges against him, Salinas now says, it tried a different tactic: recruiting him.

A Southern District of Texas judge sentenced Salinas earlier this month to six months in prison and a $10,600 fine after he pleaded guilty to a misdemeanor count of computer fraud and abuse. The charge stemmed from his repeatedly scanning the local Hidalgo County website for vulnerabilities in early 2012. But just months before he took that plea, the 28-year-old with ties to the hacktivist group Anonymous instead faced 44 felony hacking and cyberstalking charges, all of which were later dismissed. And now that his case is over, Salinas is willing to say why he believes he faced that overwhelming list of empty charges. As he tells it, two FBI agents asked him to hack targets on the bureau’s behalf, and he refused.

Over the course of a six-hour FBI interrogation in May, 2013, months after his arrest, Salinas says two agents from the FBI’s Southern District of Texas office asked him to use his skills to gather information on Mexican drug cartels and local government figures accepting bribes from drug traffickers. “They asked me to gather information on elected officials, cartel members, anyone I could get data from that would help them out,” Salinas told WIRED in a phone interview before his sentencing. “I told them no.”

“Fundamentally this represents the FBI trying to recruit by indictment,” says Salinas’ lawyer Tor Ekeland, who took the case pro bono last year. “The message was clear: If he had agreed to help them, they would have dropped the charges in a second.”

[…]

[ISN] The Security Setup – HD Moore

http://www.thesecuritysetup.com/home/2014/10/1/hd-moore

[Interesting website I found while following someone else who was profiled earlier, Uri with @redteamsblog. The idea here is ‘what setup do folks in security use to attack, defend, build, break, hack, crack, secure, etc.’, which should make for some interesting reading. – WK]

H D Moore
OCTOBER 1, 2014

Who are you, and what do you do?

My name is H D Moore (since the day I was born, it doesn’t stand for anything). I am a security researcher and the chief research officer for Rapid7. Some folks may be familiar with my work on Metasploit, but these days I also spend a lot of time scanning the internet as part of Project Sonar. My servers send friendly greetings to your servers at least once a week. Howdy!

What hardware & operating systems do you use?

Lots. My normal workload involves crunching a billion records at a time, running a dozen different operating systems, and still handling corporate stuff via Outlook and PowerPoint. As of 2009, I finally made the switch to Windows as my primary OS after being a die-hard Linux user since 1995. That doesn’t mean that I use Windows itself all that much, but I find it to be a useful environment to run virtual machines and access the rest of my hardware with SSH and X11. The tipping point was the need to quickly respond to corporate email and edit Office documents without using a dedicated virtual machine or mangling the contents in the process. The second benefit to using Windows is on the laptop front; suspend, resume, and full hardware support don’t involve weeks of tuning just to have a portable machine. Finally, I tend to play a lot of video games as well, which work best on overspecced Windows hardware. All that said, Windows as a productivity platform isn’t great, and almost all of my real work occurs in web browsers (Chrome), virtual machines (VMWare for Intel/AMD64 and QEmu for RISC), and SSH-forwarded XFCE4 tabbed-terminals.

The laptop I currently use started life as a banged up ASUS ROG G750 (17″) bought as the display model from a Best Buy. The drives, video card, and memory were swapped out, bringing the total specs up to 32Gb RAM, a 512Gb SSD boot disk, a 1Tb backup disk, and a GeForce GTX 770 GPU. This runs the most loathed operating system of all, Windows 8.1 (Update 1) Enterprise, but it has a huge screen, was relatively cheap, and can run my development virtual machines without falling over. It also runs Borderlands2 and Skyrim at maximum settings, critical features for any mobile system. Given that the total cost was under $1,500, it is a great machine for working on the road and blocking automatic weapons fire (as it weighs about 20 Lbs with accessories). I carry this beast around in a converted ammunition bag, sans the grenade pouches.

[…]

[ISN] Thousands Of People Oblivious To Fact That Anyone On The Internet Can Access Their Computers

http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/

By Kashmir Hill
Forbes Staff
8/13/2014

There are technologists who specialize in “scanning the Internet.” They are like a search team making its way through a neighborhood, but instead of checking the knob of every door, they check Internet entrances to online devices to see which ones are open. These people have been screaming for some time that there is a lot of stuff exposed on the Internet that shouldn’t be: medical devices, power plants, surveillance cameras, street lights, home monitoring systems, and on and on. But incredibly, their message doesn’t seem to get through, because their scans keep on picking up new devices.

While talking about the issue at hacker conference Defcon on Sunday, security engineer Paul McMillan sent his winged monkey scanners out looking for computers that have remote access software on them, but no password. In just that short hour, the results came pouring in: thousands of computers on port 5900 using a program called VNC for remote access. The total number is likely over 30,000. Those using the program failed to password-protect it, meaning anyone who comes looking can see what they’re doing, and manipulate their computers.

McMillan set a scanner to take a screenshot of every exposed computer it came across. I went through the screens captured Sunday and saw people checking Facebook, playing video games, watching Ender’s Game, reading Reddit, Skyping, reviewing surveillance cameras, shopping on Amazon, reading email, editing price lists and bills, and, of course, watching porn. I saw access screens for pharmacies, point of sale systems, power companies, gas stations, tech and media companies, a cattle-tracking company, and hundreds of cabs in Korea.

This isn’t just about watching people use their computers; the fact that the scanner got in means anyone could manipulate the devices, changing the power company’s settings, pausing the porn stream, going through a company’s records, or reviewing the prescriptions for a pharmacy’s patients. There is no need for hackers to go to great lengths to compromise these computers; their owners have built in backdoors with no locks.

“It’s like leaving your computer open, unlocked and ready to rock in a crowded bus terminal and walking away,” says security engineer Dan Tentler, who presented with McMillan. Increasingly, everything is connected to the Internet, and unfortunately, people don’t always know how to connect their things securely.

“It’s important to remember that this scan only scratches the very surface of the problem,” says McMillan. “We can’t legally scan for default passwords, but I’m certain if we did, the results would be orders of magnitude worse.”

[…]

[ISN] Antivirus pioneer Symantec declares AV “dead” and “doomed to failure”

http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/

By Dan Goodin
Ars Technica
May 5, 2014

Commercial antivirus pioneer Symantec has finally admitted publicly what critics have been saying for years: the growing inability of the scanning software to detect the majority of malware attacks makes it “dead” and “doomed to failure,” according to a published report.

Over the past two reported quarters, Symantec has watched revenue fall, and sales are expected to flag again in the most recent period when the company releases financial results later this week, an article published Monday by The Wall Street Journal reported. The declines come as Juniper Networks, FireEye, and other companies have rolled out products and services that take a decidedly different approach to securing computers and networks. Rather than scan for files that are categorized as malicious, these newer techniques aim to detect, minimize, and contain the damage that attackers can do in the event that they penetrate a customer’s defenses.

Citing Symantec Senior President Brian Dye, the WSJ said:

[…]

[ISN] New Clues in the Target Breach

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/

By Brian Krebs
krebsonsecurity.com
Jan 29, 2014

An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.

As I noted in Jan. 15′s story – A First Look at the Target Intrusion, Malware – the attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.

That analysis looked at a malware component used in the Target breach that was uploaded to Symantec’s ThreatExpert scanning service on Dec. 18 but which was later deleted (a local PDF copy of it is here). The ThreatExpert writeup suggests that the malware was responsible for moving stolen data from the compromised cash registers to that shared central repository, which had the internal address of 10.116.240.31. The “ttcopscli3acs” bit is the Windows domain name used on Target’s network. The user account “Best1_user” and password “BackupU$r” were used to log in to the shared drive (indicated by the “S:” under the “Resource Type” heading in the image above).

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called “Best1_user.”

[…]

[ISN] 5 Protocols That Should Be Closely Watched

http://www.darkreading.com/monitoring/5-protocols-that-should-be-closely-watch/240164357

By Robert Lemos
Dark Reading
November 30, 2013

For decades, opportunistic attackers have scanned the Internet for open ports through which they can compromise vulnerable applications. Such scanning has only gotten easier: The Shodan search engine regularly scans the Internet and stores the results for anyone to search; researchers from the University of Michigan have refined techniques to allow for fast, comprehensive scans of a single port across the Internet; and programs, such as NMap, allow anyone to scan for open, and potentially vulnerable, ports.

While the most commonly attacked ports are those used by Secure Shell (SSH), the file transfer protocol (FTP), the remote desktop protocol (RDP), and Web servers (HTTP), companies need to monitor network activity aimed at less common protocols and ports, say security experts. Attackers will likely increasingly look for vulnerabilities in less common ports, says HD Moore, chief research officer for vulnerability-management firm Rapid7, which has made a name for itself scanning the Internet for just those ports.

“This stuff is not in the top bucket, in terms of priority, but it tends to bite people because they are not keeping an eye on it,” he says.

[…]

[ISN] An IT superpower, India has just 556 cyber security experts

http://www.thehindu.com/news/national/an-it-superpower-india-has-just-556-cyber-security-experts/article4827644.ece

By SANDEEP JOSHI
The Hindu
June 19, 2013

The world may acknowledge India as an information technology superpower, but its very own official cyber security workforce comprises a mere 556 experts deployed in various government agencies. How “grossly inadequate” India’s cyber security manpower is can be gauged by the fact that China has 1.25 lakh experts, the U.S. 91,080 and Russia 7,300.

“The existing combined strength of cyber security experts in all organisations in the government domain is 556, which is grossly inadequate to handle cyber security activities in a meaningful and effective manner,” says a secret note prepared by the National Security Council Secretariat (NSCS), which is engaged in creating an elaborate ‘cyber security architecture’.

Waking up from a deep slumber, the government has decided to recruit 4,446 experts to be deployed in six organisations that would take care of India’s cyber security infrastructure. These are the Department of Electronics and Information Technology (DEITy), which includes the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC); the Department of Telecom (DoT); the National Technical Research Organisation (NTRO); the Ministry of Defence; the Intelligence Bureau (IB); and the Defence Research and Development Organisation (DRDO).

Of the 4,446 posts, the armed forces will get a majority of the experts (1,887), followed by NTRO (695), DEITy (590), IB (565), DoT (459) and DRDO (250). The experts will take care of traffic scanning and mitigation, system audit and forensics, assurance and certification, research and development, and coordination.

An internal study conducted by the NSCS revealed that all major countries have established mechanisms and organisations dedicated to cyber security, a field where India has fared poorly.

[…]

_______________________________________________
ISN mailing list
ISN@lists.infosecnews.org
http://lists.infosecnews.org/mailman/listinfo/isn_lists.infosecnews.org

[ISN] Guerilla researcher created epic botnet to scan billions of IP addresses

http://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/

By Dan Goodin
Ars Technica
March 20, 2013

In one of the more audacious and ethically questionable research projects in recent memory, an anonymous hacker built a botnet of more than 420,000 Internet-connected devices and used it to perform one of the most comprehensive surveys ever to measure the insecurity of the global network.

In all, the nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open. A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren’t intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.

Continually scanning almost 4 billion addresses for nine months is a big job. In true guerilla research fashion, the unknown hacker developed a small scanning program that scoured the Internet for devices that could be logged into using no account credentials at all or the usernames and passwords of either “root” or “admin.” When the program encountered unsecured devices, it installed itself on them and used them to conduct additional scans. The viral growth of the botnet allowed it to infect about 100,000 devices within a day of the program’s release. The critical mass allowed the hacker to scan the Internet quickly and cheaply. With about 4,000 clients, it could scan one port on all 3.6 billion addresses in a single day.

Because the project ran 1,000 unique probes on 742 separate ports, and possibly because the binary was uninstalled each time an infected device was restarted, the hacker commandeered a total of 420,000 devices to perform the survey.

[…]

______________________________________________
Attend #HITB2013AMS April 8th – 11th in Amsterdam. Featuring over 42 international speakers and keynotes by Bob Lord and Edward Schwartz
http://conference.hitb.org