Almost three years after the massive leakage of high-profile celebrities’ nude photos—well known as “The Fappening” or “Celebgate” scandal—a fourth hacker has been charged with hacking into over 250 Apple iCloud accounts belonged to Hollywood celebrities.
A federal court has accused George Garofano, 26, of North Branford, of violating the Computer Fraud and Abuse Act, who had been arrested by the FBI.
Garofano has admitted to illegally obtaining credentials for his victims’ iCloud accounts using a phishing scheme, which eventually allowed him to steal personal information on his victims, including sensitive and private photographs and videos.
Among celebrities whose nude photographs were posted online back in 2014 are Jennifer Lawrence, Kim Kardashian, Kirsten Dunst, and Kate Upton. Also, female victims also include American Olympic gold medallist Misty May Treanor and actors Alexandra Chando, Kelli Garner and Lauren O’Neil.
Between April 2013 to October 2014, Garofano engaged in sending phishing emails pretended to be from Apple security team to several celebrities, tricking them into providing their iCloud account credentials, which they stole to access their accounts illegally.
“Garofano admitted that he sent emails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them,” the Justice Department said.
Besides stealing victims’ personal information, including sensitive and private photographs and videos, from their iCloud accounts using stolen credentials, Garofano, in some instances, also traded the stolen credentials, along with the materials he stole from the victims’ accounts, with other individuals.
In a plea agreement signed Thursday in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorised access to a protected computer to obtain information, facing up to 5 years in prison.
Garofano is the fourth hacker charged in connection with the Celebgate incident. Emilio Herrera, 32, Edward Majerczyk, 28, and Ryan Collins, 36, pleaded guilty last year to being involved in the celebrity photo hack.
While Herrera is waiting for sentencing next month, Majerczyk was sentenced to nine months in prison and Collins was sentenced to 18 months last year.
The investigation into the Celebgate scandal is being conducted by the U.S. Federal Bureau of Investigation.
Almost two months after releasing details of 23 different secret CIA hacking tool projects under Vault 7 series, Wikileaks today announced a new Vault 8 series that will reveal source codes and information about the backend infrastructure developed by the CIA hackers.
Not just announcement, but the whistleblower organisation has also published its first batch of Vault 8 leak, releasing source code and development logs of Project Hive—a significant backend component the agency used to remotely control its malware covertly.
In April this year, WikiLeaks disclosed a brief information about Project Hive, revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands to execute specific tasks on the targets and receive exfiltrated information from the target machines.
Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.
Hive’s infrastructure has been specially designed to prevent attribution, which includes a public facing fake website following multi-stage communication over a Virtual Private Network (VPN).
“Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet,” WikiLeaks says.
As shown in the diagram, the malware implants directly communicate with a fake website, running over commercial VPS (Virtual Private Server), which looks innocent when opened directly into the web browser.
However, in the background, after authentication, the malware implant can communicate with the web server (hosting fake website), which then forwards malware-related traffic to a “hidden” CIA server called ‘Blot’ over a secure VPN connection.
The Blot server then forwards the traffic to an implant operator management gateway called ‘Honeycomb.’
In order to evade detection by the network administrators, the malware implants use fake digital certificates for Kaspersky Lab.
“Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities,” WikiLeaks says.
“The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town.”
The whistleblowing organisation has released the source code for Project Hive which is now available for anyone, including investigative journalists and forensic experts, to download and dig into its functionalities.
The source code published in the Vault 8 series only contains software designed to run on servers controlled by the CIA, while WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities which could be abused by others.
However, security researchers from security firm Check Point Software Technologies have discovered a potential security issue with the WSL feature that could allow malware families designed for Linux target Windows computers—undetected by all current security software.
The researchers devised a new attack technique, dubbed Bashware, that takes advantage of Windows’ built-in WSL feature, which is now out of beta and is set to arrive in the Windows 10 Fall Creators Update in October 2017.
Bashware Attack Undetectable by All Anti-Virus & Security Solutions
According to CheckPoint researchers, the Bashware attack technique could be abused even by a known Linux malware family, because security solutions for Windows are not designed to detect such threats.
This new attack could allow an attacker to hide any Linux malware from even the most common security solutions, including next generation anti-virus software, malware inspection tools, anti-ransomware solution and other tools.
But why so? Researchers argue that existing security software packages for Windows systems have not yet been modified to monitor processes of Linux executables running on Windows operating system.
“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time,” Check Point researchers say.
“This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”
Who is the Culprit? Microsoft or Security Vendors?
In order to run the target Linux application in an isolated environment, Microsoft introduced “Pico processes“—containers that allow running of ELF binaries on the Windows operating system.
During their tests, the Check Point researchers were able to test the Bashware attack on “most of the leading antivirus and security products on the market,” and successfully bypass all of them.
It is because no security product monitors Pico processes, even when Microsoft already provides Pico API, a special application programming interface that can be used by security companies to monitor such processes.
“Bashware does not leverage any logic or implementation flaws in WSL’s design. In fact, WSL seems to be well designed,” the researchers concluded.
“What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system.”
Bashware Attackers Requires Admin Rights—Is that Hard on Windows PC?
Yes, Bashware requires administrator access on the target computers, but gaining admin privileges on Windows PCs via phishing attacks and/or stolen admin credentials is not a difficult task for a motivated attacker.
However, these additional attacks could also alert antivirus and security products, subverting the attack before the actual Bashware attack can be executed to hide malware.
Since WSL is not turned on by default, and users are required to manually activate “development mode” on their computer systems in order to use it and reboot the system, the risks posed by the feature are mitigated to some extent.
However, the Check Point researchers say it is a little-known fact that the developer mode can be enabled by modifying a few registry keys, which can be done silently in the background by the attackers with the right privileges.
The Bashware attack technique automates the required procedures by silently loading the WSL components, enabling developer mode, even downloading and extracting the Linux file system from Microsoft’s servers, and running malware.
No Need to Write Separate Malware Programs
What’s interesting about Bashware? Hackers using Bashware are not required to write malware programs for Linux to run them through WSL on Windows computers.
This extra effort is saved by the Bashware technique which installs a program called Wine inside the downloaded Ubuntu user-space environment, and then launches known Windows malware through it.
The malware then initiates into Windows as pico processes, which will hide it from security software.
400 Million Computers Potentially Exposed to Bashware
The newly discovered attack technique does not leverage any implementation of WSL vulnerability, but is due to the lack of interest and awareness by various security vendors towards WSL.
Since the Linux shell is now available to Windows users, researchers believe that Bashware can potentially affect any of the 400 million PCs currently running Windows 10 across the world.
Check Point researchers said their company had already upgraded its security solutions to combat such attacks and are urging other security vendors to modify and update their next-generation anti-virus and security solutions accordingly.
Almost half a million people in the United States are highly recommended to get their pacemakers updated, as they are vulnerable to hacking.
The Food and Drug Administration (FDA) has recalled 465,000 pacemakers after discovering security flaws that could allow hackers to reprogram the devices to run the batteries down or even modify the patient’s heartbeat, potentially putting half a million patients lives at risk.
A pacemaker is a small electrical battery-operated device that’s surgically implanted in the chest of patients to help control their heartbeats. The device uses low-energy electrical pulses to stimulate the heart to beat at a normal rate.
Six types of pacemakers, all manufactured by health-tech firm Abbott (formerly of St. Jude Medical) are affected by the recall, which includes the Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure.
All the affected models are radio-frequency enabled cardiac devices—typically fitted to patients with irregular heartbeats and patients recovering from heart failure—and were manufactured before August 28th.
In May, researchers from security firm White Scope also analysed seven pacemaker products from four different vendors and discovered that pacemaker programmers could intercept the device using “commercially available” equipment that cost between $15 to $3,000.
“Many medical devices—including St. Jude Medical’s implantable cardiac pacemakers—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” the FDA said in a security advisory.
“As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”
To protect against these critical vulnerabilities, the pacemakers must be given a firmware update. The good news is that those affected by the recall do not require to have their pacemakers removed and replaced.
Instead, patients with these implanted, vulnerable device must visit their healthcare provider to receive a firmware update—something that would take just 3 minutes or so to complete—that can fix the vulnerabilities.
In the U.S., the pacemaker devices to which the firmware update applies include Accent SR RF, Accent MRI, Assurity, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, and Quadra Allure MP RF.
Outside of the U.S., the pacemaker devices to which this update applies include Accent SR RF, Accent ST, Accent MRI, Accent ST MRI, Assurity, Assurity +, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, Quadra Allure MP RF, Quadra Allure, and Quadra Allure MP.
As a result of the firmware update, any external device trying to communicate with the pacemaker will require authorization.
Moreover, the software update also introduces data encryption, operating system fixes, the ability to disable network connectivity features, according to Abbott’s press release published on Tuesday, August 29.
Any pacemaker device manufactured beginning August 28, 2017, will have the firmware update pre-installed and will not need the update.
The FDA recall of devices does not apply to implantable cardiac defibrillators (ICDs) and cardiac resynchronization ICDs.
Abbott is working with the FDA, the U.S. Department of Homeland Security (DHS), global regulators, and leading independent security experts, in efforts to “strengthen protections against unauthorized access to its devices.”
Although there are no reports of compromised pacemakers yet, the threat is enough to potentially harm heart patients with an implanted pacemaker that could even put their lives at great risk.
By this time, almost every one of you owns at least one internet-connected device—better known as the “Internet of things“—at your home, but how secure is your device?
We have recently seen Car hacking that could risk anyone’s life, Hoverboard hacking, even hacking of a so-called smart Gun and also the widespread hacks of insecure CCTV cameras, routers and other internet-connected home appliances.
But this did not stop vendors from selling unsecured Internet-connected smart devices, and customers are buying them without giving a sh*t about the security of their smart devices.
However, the massive cyber attack on a popular DNS service provider that shut down a large portion of the Internet last year made us all fear about the innocent-looking IoT devices, which surround us every day, but actually, poses a threat to global cyber security.
A bipartisan group of senators have now introduced a new bill aimed at securing internet-connected devices by setting industry-wide security standards for the government’s purchase and use of IoT devices, including computers, routers and security cameras.
The bill would require suppliers that provide wearables, sensors and other web-connected smart devices to the United States government to adhere to some new industry-wide security practices.
The security standards prohibit the suppliers from including hard-coded (unchangeable) usernames and passwords in their devices, which is a primary vector for hackers and malware to break into the devices and hijack them.
Last year’s cyber attack on Dyn DNS provider also involved the use of default credentials to break into hundreds of thousands of internet-connected smart devices and then used them to launch distributed denial of service (DDoS) attacks on Dyn, causing a significant outage to a ton of websites such as Twitter, GitHub, PayPal, Amazon, and Netflix for several hours.
The legislation would also require vendors to ensure that their devices are patchable and are free from already known vulnerabilities when sold.
The bill was drafted with input from technology experts at the Atlantic Council and Harvard University.
The lawmakers are trying to “take the lightest touch possible” to address an “obvious market failure” that has left device manufacturers with little incentive to build with security in mind, Sen. Warner told Reuters.
The legislation would direct the White House Office of Management and Budget (OMB) for permission to buy devices if their network-level security requirements are in place.
It’s been almost four weeks since the outcry of WannaCry ransomware, but the hackers behind the self-spread ransomware threat have not been identified yet.
However, two weeks ago researchers at Google, Kaspersky Lab, Intezer and Symantec linked WannaCry to ‘Lazarus Group,’ a state-sponsored hacking group believed to work for the North Korean government.
Now, new research from dark web intelligence firm Flashpoint indicates the perpetrators may be Chinese, based on its own linguistic analysis.
Flashpoint researchers Jon Condra and John Costello analyzed each of WannaCry’s localized ransom notes, which is available in 28 languages, for content, accuracy, and style, and discovered that all the notes, except English and Chinese versions (Simplified and Traditional), had been translated via Google Translate.
According to the research, Chinese and English versions of the ransomware notes were most likely written by a human.
On further analysis, researchers discovered that the English ransom note contains a “glaring” grammatical error, which suggests the ransomware author may be a non-native English speaker.
“Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.”
And since Google Translate does not work good at translating Chinese to English and English to Chinese, and often produces inaccurate results, the English version could be written for translating the ransom note into other languages.
“Comparisons between the Google translated versions of the English ransomware note to the corresponding WannaCry ransom note yielded nearly identical results, producing a 96% or above match.”
According to the Flashpoint report, the Chinese ransom notes contain “substantial content not present in any other version of the note,” and they are longer than and formatted differently from the English one.
The Chinese ransom notes also use proper grammar, punctuation, syntax, and character choice – indicating that the ransomware writer is fluent in the Chinese language.
“A typo in the note, bang zu (幫組) instead of bang zhu (幫助), which means ‘help,’ strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version,” the researchers explain.
“The text uses certain terms that further narrow down a geographic location. One term, libai ( 禮拜 ) for ‘week,’ is more common in southern China, Hong Kong, Taiwan, and Singapore…The other “杀毒软件” for “anti-virus” is more common in the Chinese mainland.”
All these clues made Flashpoint researchers into believing with high confidence that the unknown author or authors of WannaCry ransomware are fluent Chinese speaker and that the Chinese are the source of the English version of the ransom note.
However, Flashpoint researchers say it’s hard to speculate the nationality of the WannaCry hackers as they may be affiliated to any Asian (China, Hong Kong, Taiwan, or Singapore).
WannaCry epidemic hit more than 300,000 PCs in more than 150 countries within just 72 hours, using self-spreading capabilities to infect vulnerable Windows PCs, particularly those using older versions of the operating system.
While most of the affected organisations have now returned to normal, law enforcement agencies across the world are on the hunt.