If you are following what’s happening with hackers attacking misconfigured MongoDB databases, wiping the data, and then demanding ransom for its return, then you’ll know that although this problem seemed to start on or around December 21 with an actor known as “Harak1r1,” within days of it garnering media attention, we saw almost identical warning messages from another actor, “0wn3d,” with a different bitcoin wallet. By this morning there was a third actor, “0704341626asdf,” with yet a third bitcoin wallet.

… This third actor, who Victor reports had struck 221 databases by early this morning, took the opportunity to educate and insult victims:

Your database has been pwned because it was publicly accessible at port 27017 with no authentication (wtf were you thinking?)

The full warning, more verbose than the other two warnings, and written in upper and lowercase with proper grammar and spelling, gives victims 72 hours to email the attacker(s) that the ransom has been sent to the bitcoin wallet. The ransom amount is 0.15 BTC.

So are the second and third actors copycats, or just different aliases of one attacker or group? And if they are copycats, as they seem to be, how many more will we see? The problem seems to be rapidly escalating.

Of note, since these MongoDB installations are often backup or test environments, how many victims will not even notice that they’ve been attacked before the 72-hour window expires?

As of the time of this posting, there have been 18 payments to the first bitcoin wallet, but none (yet) to the second and third bitcoin wallets.

Expect to see a lot more on this type of attack as word spreads.
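The ransom note names the two conditions that made these servers easy prey: mongod reachable from the Internet on port 27017, and no authentication. Both are settings in mongod.conf (net.bindIp and security.authorization are real mongod configuration keys), so a defender can check for them before a copycat does. The script below is an added example written for this post, not code from the original article or from MongoDB: it audits a mongod.conf for those two conditions and prints the weak configuration the note describes beside a hardened one. Both configuration samples are constructed, the 10.0.0.5 address is an assumed private interface, and the tiny YAML parser handles only the nested key: value mappings mongod.conf actually uses, so it runs without PyYAML.

```python
"""Audit a mongod.conf for the two conditions the ransom note names:
reachable on the network (net.bindIp) and no access control
(security.authorization).  Example code added for this post, not MongoDB's."""

import sys
from pathlib import Path

# Constructed sample: a deployment that matches the ransom note, listening on
# every interface with no security section at all.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server bound to loopback plus one assumed
# private address, with role-based access control switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # constructed addresses
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> dict:
    """Parse the nested 'key: value' mappings mongod.conf uses.

    Indentation-driven and deliberately minimal (no lists, anchors or
    multi-line scalars) so the audit runs without PyYAML installed.
    """
    root: dict = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        # A shallower or equal indent closes the mappings opened below it.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text: str) -> list[str]:
    """Return one finding per risky setting; an empty list means both checks pass."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    port = net.get("port", "27017")  # mongod's default port, as in the ransom note
    findings = []

    bind_ip = net.get("bindIp")
    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append(f"net.bindIpAll is true: mongod listens on every interface, port {port}")
    elif bind_ip is None:
        findings.append("net.bindIp is not set: older mongod builds then listen on all interfaces")
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append(f"net.bindIp includes a wildcard address: port {port} is reachable from any network")

    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not enabled: any client that connects can read and drop every database")
    return findings


if __name__ == "__main__":
    # Audit the files given on the command line, or the constructed samples.
    sources = {p: Path(p).read_text() for p in sys.argv[1:]}
    sources = sources or {"WEAK_CONF": WEAK_CONF, "HARDENED_CONF": HARDENED_CONF}
    for name, text in sources.items():
        print(f"{name}: {audit_mongod_conf(text) or ['ok']}")
```

Run it with no arguments to compare the two constructed samples, or pass the path to a real mongod.conf. A clean result only means the two settings the note calls out are in order; access control still needs an actual administrative user created, and the backup and test instances this post worries about are exactly the ones nobody remembers to audit.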
Interesting ‘not-the-best practices’ for my Computer Forensics students.
R. Scott Moxley writes:

FBI agents and prosecutors usually strut inside Santa Ana’s Ronald Reagan Federal Courthouse, knowing they’ve focused the wrath of the criminal-justice system on a particular criminal. But an unusual child-pornography-possession case has placed officials on the defensive for nearly 26 months. Questions linger about law-enforcement honesty, unconstitutional searches, underhanded use of informants and twisted logic. Given that a judge recently ruled against government demands to derail a defense lawyer’s dogged inquiry into the mess, United States of America v. Mark A. Rettenmaier is likely to produce additional courthouse embarrassments in 2017.

Read more on OC Weekly.
(Related). Is this normal?

The FBI Never Asked For Access To Hacked Computer Servers

The FBI did not examine the servers of the Democratic National Committee before issuing a report attributing the sweeping cyberintrusion to Russia-backed hackers, BuzzFeed News has learned.

Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News.

… It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014.

BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was “par for the course” for the FBI to do their own forensic research into the hacks.
What were they (not) thinking? Free power for my Ethical Hacking students?

Smart Meters Pose Security Risks to Consumers, Utilities: Researcher

… Between 2010 and 2012, several experts detailed the security and privacy implications of using smart meters, and SecureState even released an open source framework designed for finding vulnerabilities in such devices.

However, according to Netanel Rubin, who recently founded Vaultra, a company that develops security solutions for the smart industry, smart meters continue to lack proper security mechanisms, allowing malicious actors to use these devices to target both consumers and utilities.

… The protocols used by smart meters include ZigBee, which is used for communicating with smart appliances in the consumer’s home, and GSM, which is used for communications between the meter and the electric utility. Both ZigBee and GSM have been known to contain serious vulnerabilities, and they have been poorly implemented in smart meters.

In the case of GSM, many electric utilities still haven’t implemented any form of encryption, despite being warned of the risks several years ago. Those that do use encryption rely on the A5 algorithm, which is known to be vulnerable to attacks.

… According to the expert, a malicious actor who manages to hack a smart meter could obtain information on the targeted user’s power consumption and potentially determine when the victim is at home, or they could inflate [Or deflate? Bob] the electricity bill.

The expert pointed to an incident in Puerto Rico, where an electric utility reported hundreds of millions of dollars in losses due to smart meter fraud conducted via hacking and other methods.
Much ado about something? Guidance for my Ethical Hacking students?

On Thursday, Senator McCain will hold hearings of the Armed Services Committee on the Russian election hacking. Several aspects of Russia’s election interference raise issues involving the international law of cyber operations. For a quick tutorial, I recommend most highly an earlier Just Security post by Sean Watts, “International Law and Proposed U.S. Responses to the D.N.C. Hack.” I thought to provide readers with a few additional points in light of more recent developments.
An interesting question for the technical age… Are Congressional ‘selfies’ illegal?

GOP approves new fines for livestreaming protests on House floor

Republicans barreled ahead with a plan to fine members who use their phones to broadcast future floor protests, approving rules for the new Congress Tuesday that codify the penalties despite last-minute objections from Democrats.

(Related). How about Tweets from the White House?

When Donald Trump Tweets, It Is News to Sean Spicer

Donald Trump’s incoming White House press secretary said Wednesday the president-elect would continue his prolific use of Twitter when in office, adding that even he and other communication advisers aren’t consulted before a tweet is sent out.
Perhaps other tech companies could spend some pocket change for the same reason? (Do they really care that much?)

Amazon's rumored bid for American Apparel could solve its Trump problem in one master stroke

The rumored deal immediately raised speculation about Amazon's growing ambitions in the fashion business.

But an acquisition of the struggling clothing retailer could also help Amazon by solving one of the biggest problems it currently faces: tension with president-elect Donald Trump.

Trump, who frequently criticized Amazon during his campaign, won his way to the White House in large part by promising to keep US manufacturing jobs in the country. He claims some of his recent deals with Carrier and Ford helped save thousands of jobs from moving overseas.

American Apparel, best known for its "Made in the U.S.A" slogan, says it's the largest clothing manufacturer in North America. With 4,500 workers employed, it also calls itself the "largest sewing facility in North America."

That means by acquiring American Apparel, Amazon would get to save thousands of US manufacturing jobs, while helping Trump continue to play up the "keep jobs in the US" rhetoric — and also win Trump's support in one master stroke.

And given that the starting price to buy part of American Apparel is currently $66 million, according to Reuters, Amazon could score a big win by spending a relative pittance (Amazon had roughly $12 billion in cash on its balance sheet at the end of the last quarter).
Useful tool or major distraction? Will my car offer me ‘bargains’ as I drive?

Amazon's Alexa is officially coming to Ford cars

… The integration will let Ford users with SYNC 3 access Alexa, Amazon's cloud-based voice service, inside the car to do things like check the weather, play audiobooks, add items to shopping lists, and even control Alexa enabled smart home devices. For example, you could tell Alexa to set your smart thermometer to a certain temperature or turn on the lights at your house while you're driving.

(Related). Yeah, it needs a bit of work.

Alexa can now order takeaway from Amazon Restaurants

We’re only five days into 2017, but Amazon is on a tear with new updates and support for its digital assistant Alexa. The latest lets you order food through the retailer’s own takeaway service Amazon Restaurants, which itself launched all the way back in 2014.

… Unfortunately, voice commands are terrible for ordering takeaway. Abysmal, even. No one wants to listen to a list of dishes and prices, and so Amazon, sensibly enough, only lets you reorder meals you’ve had in the past.
“ZUCK 2020?” (Copyright that T-shirt NOW!)

Zuckerberg could run Facebook while serving in government forever

Mark Zuckerberg is not limited to just two years working in the government while still controlling Facebook, as has been widely misreported. A closer examination of SEC documents reveals Zuck only needs to still own enough Facebook stock or have the board’s approval to be allowed to serve in government indefinitely.

Combined with Zuckerberg’s announcement yesterday that his 2017 personal challenge is to meet and listen to people in all 50 states, this fact lends weight to the idea that Zuckerberg may be serious about diving into politics.
A resource for my geeks.