Motherboard US - Hacking US
https://motherboard.vice.com/en_us/topic/hacking
RSS feed for https://motherboard.vice.com/en_us/topic/hacking (en), Fri, 07 Dec 2018 15:11:46 +0000

<![CDATA[Someone Defaced Linux.org Website With ‘Goatse’ And Anti-Diversity Tirade]]>
https://motherboard.vice.com/en_us/article/59vkq8/linuxorg-website-defacement-goatse
Fri, 07 Dec 2018 15:11:46 +0000

Someone took control of the Linux.org website and replaced its content with a picture of a person stretching their anus—a re-enactment of an obscene historic meme known as “Goatse”—and a tirade against the open source project’s new code of conduct.

Linux.org is not the official website of the Linux Foundation. It describes itself as “a friendly community” where people “learn and help solve Linux issues.” The site does not appear to host any code or sensitive data. The defacement appears to be an act of protest against the code of conduct recently adopted by the Linux community, which includes rules against sexual harassment and advocates for more diversity; those rules have sparked controversy within the community over the last few months.

“G3T 0WNED L1NUX N3RDZ,” read the message posted on the site on Thursday night, according to screenshots shared on Twitter and archived versions of the site.

The message also gave a shout-out to the late developer Terry Davis, whom Motherboard profiled a few years ago, and included a link to a news story on the Linux code of conduct. Finally, the message linked to the Twitter profile of kitlol5. As of Friday morning, Linux.org redirected to kitlol5’s Twitter profile.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv

On Thursday night kitlol5 wrote on Twitter that they had registered the expired Linux.org domain, a message that seemed to imply both that they were behind the defacement and that re-registering the domain was how they had gotten control of it.

“I hacked it,” kitlol5 told Motherboard in an online chat. “We didn't register the domain. I posted that tweet to prove it was hijacked and not reregistered.”

Another version of the site included a more explicit anti-diversity message: “FUCK THE [CODE OF CONDUCT] FUCK [SOCIAL JUSTICE WARRIORS].” The message also included the personal information, including alleged home address and social security number, of a transgender Linux developer.

[Image: A screenshot of the defaced Linux.org website (redacted).]

“Looks like someone is playing a joke on us and our DNS,” the official Linux.org Twitter account wrote after the defacement. “I'm currently at my daughter's christmas concert, but I'll look into it soon. I've shut down our [production environment] to ensure data is safe.”

In September, Linus Torvalds and six other developers published a new code of conduct in an attempt to foster more diversity and more civil discourse. Some Linux developers protested the change, claiming it defied the core values of the popular open source project. For many, however, these complaints were just thinly veiled misogyny and discrimination.

UPDATE: This story has been updated to include kitlol5 comments.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.

]]>
Article ID: 59vkq8. Author: Lorenzo Franceschi-Bicchierai. Tags: Hacking, open source, LGBTQ, hackers, Linux, Culture Wars, Defacement, Linux Foundation, code of conduct, Linux.org.
<![CDATA[Quora Announces Data Breach of 100 Million Users]]>
https://motherboard.vice.com/en_us/article/d3b43x/quora-data-breach-hackers-100-million-users
Tue, 04 Dec 2018 16:02:28 +0000

Quora, perhaps the last place on the internet you can ask a question and get a half decent response, has suffered a data breach. On Tuesday, the social media company announced hackers had stolen details on some 100 million accounts, including email addresses, hashed passwords, and non-public information, such as direct messages.

A hash is a one-way cryptographic transformation of data: instead of storing your actual password, a company stores a scrambled version from which the password cannot be directly recovered, and checks a login by hashing what you type and comparing the result. How much protection that gives depends on details the announcement does not spell out. An unsalted fast hash such as plain MD5 or SHA-1 can be matched against billions of guesses per second from leaked wordlists, whereas a salted, deliberately slow algorithm such as bcrypt, scrypt or Argon2 makes every guess expensive and stops one pass over a wordlist from cracking every user at once. Either way, weak or reused passwords in the dump remain at risk, which is why the reset matters.
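To make the difference concrete, here is an added example (written for this page, not code from Quora or the article) that stores a password two ways and runs the same dictionary attack against both. The wordlist and passwords are constructed; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt/scrypt/Argon2, and the round count is an assumption to be tuned per server.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a cracking wordlist (real ones hold hundreds of millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "correcthorsebattery"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: technically 'hashed', but every user with the same password gets
    the same digest, and a cracking rig tests billions of guesses per second against it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_fast_hash(digest: str, wordlist) -> Optional[str]:
    """Offline dictionary attack against an unsalted hash. One pass over the wordlist can be
    reused against every digest in the dump (this is what precomputed tables exploit)."""
    for guess in wordlist:
        if fast_hash(guess) == digest:
            return guess
    return None


PBKDF2_ROUNDS = 100_000  # assumption: tune so one hash costs tens of milliseconds on the server


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash using PBKDF2-HMAC-SHA256 from the standard library
    (bcrypt, scrypt or Argon2 are the usual production choices). The record is stored as
    'rounds$salt_hex$digest_hex' so the parameters travel with the hash."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_slow_hash(stored: str, wordlist) -> Optional[str]:
    """The same dictionary attack against the salted slow hash. It still succeeds when the
    password is in the wordlist; the salt and work factor only make each guess cost
    PBKDF2_ROUNDS times more and force the attacker to start over for every user."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    leaked = fast_hash("hunter2")
    print("unsalted SHA-256 cracked to:", crack_fast_hash(leaked, WORDLIST))
    record = hash_password("hunter2")
    print("PBKDF2 record:", record)
    print("PBKDF2 cracked to:", crack_slow_hash(record, WORDLIST))
```

Both attacks recover "hunter2" because it is in the wordlist; the slow hash only multiplies the attacker's cost per guess and per user. That is the practical point of a post-breach reset: hashing buys time, it does not rescue a password that appears in a leaked list.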

“We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed,” Quora’s announcement reads.

The stolen data also includes a lot of information that was already technically public, such as users’ questions, answers, comments, and upvotes, the announcement adds.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Quora says it discovered the breach last Friday, although it’s not totally clear from the announcement when the hackers actually struck the company.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust,” Quora’s announcement reads.

The lesson: Quora has pushed a password reset, so if you log in with a password rather than, say, through Facebook, you should now be logged out. Change your Quora password, and change it on any other site where you used the same credentials: if a hacker has one of your passwords from one breach, they will try it against your other accounts too.

Subscribe to our new cybersecurity podcast, CYBER.

]]>
Article ID: d3b43x. Authors: Joseph Cox, Jason Koebler. Tags: Hacking, cybersecurity, Social Media, hackers, Breach, data breach, Another Day Another Hack, data exposure, security breach, quora.
<![CDATA[Someone Is Claiming to Sell a Mass Printer Hijacking Service]]>
https://motherboard.vice.com/en_us/article/zmdy7y/someone-is-selling-mass-print-hijacking-hacking-service
Mon, 03 Dec 2018 13:57:46 +0000

Internet-facing printers are exposed all over the world, leaving themselves open for hackers to print whatever they fancy. We saw hackers take advantage of unsecured printers last week, when someone bombarded offices and homes around the world with a printout urging them to subscribe to YouTuber PewDiePie.

Accessing printers en masse still takes some technical skill, so what if there were an easier way that anyone could use? Now someone is advertising printer hijacking as a service. It is not clear whether the advert is a troll or a genuine offer, but either way it signals just how exposed many printers around the world are.

“Everyone will see your message,” reads an advert blasted out to internet-facing printers. On Sunday, Andrew Morris, CEO of the cybersecurity firm GreyNoise, tweeted that the company had seen someone sending print commands carrying this advert to the whole internet.

“Contact us [...] to secure your spot in the most viral ad campaign in history,” the advert adds. Although we haven’t seen the advert successfully print, Morris tweeted out what it would have looked like based on the print commands GreyNoise found.

[Image: A screenshot of the mass printer hijacking service's website. Image: Motherboard.]

A Twitter account claiming to be linked to the campaign tweeted on Sunday “We're currently mostly trying to see if anyone's interested, if people actually want to buy this we'll build a web platform with support for more printing protocols.”

The person in control of the operation's email address told Motherboard that they've had lots of inquiries, but no sales just yet. They're charging $250 for a single worldwide campaign, they added.

"Your message will reach vast amounts of printers all over the world at least once," they wrote in an email.

Hackers have long toyed with printers connected to the wider internet. White supremacist Andrew “Weev” Auernheimer previously commanded a number of devices to print Nazi propaganda. In February last year, a hacker sent commands to some 150,000 printers, and last week’s PewDiePie print-outs hit tens of thousands of printers, according to the hacker behind that campaign. Typically, a hacker finds exposed devices using Shodan, a search engine for internet-connected devices that lets users filter by open ports and other characteristics, and then writes a script that sends print jobs to those particular printers.
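The defender's version of that script is a check that your own printer does not answer from the internet. The following is an added example (not code from the article, GreyNoise, or any of the campaigns mentioned) that speaks just enough PJL to ask a printer to identify itself. It assumes the raw-print/JetDirect port, TCP 9100, which is the usual target of such campaigns; the host in the usage line is a documentation address, and the sample reply in the tests is constructed.

```python
import socket
from typing import Optional

RAW_PRINT_PORT = 9100  # assumption: the raw/JetDirect port mass-print campaigns typically use
UEL = b"\x1b%-12345X"   # PJL Universal Exit Language sequence that brackets a PJL job


def build_pjl_info_query() -> bytes:
    """A PJL job that only asks the printer to identify itself; nothing is printed."""
    return UEL + b"@PJL\r\n@PJL INFO ID\r\n" + UEL


def parse_pjl_info(response: bytes) -> Optional[str]:
    """Pull the quoted model string out of a PJL INFO ID reply, e.g.
    b'@PJL INFO ID\\r\\n"HP LaserJet 4250"\\r\\n\\x0c'. Returns None when the reply
    carries no identification (closed port, non-PJL device, or silence)."""
    text = response.decode("latin-1")
    for raw in text.split("\n"):
        line = raw.strip("\r\x0c \t")
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            return line[1:-1]
    return None


def probe_printer(host: str, port: int = RAW_PRINT_PORT, timeout: float = 3.0) -> Optional[str]:
    """Connect to a printer you administer, send the INFO query and return its model string,
    or None if the port is closed or the device does not answer. This is a live network call;
    run it from outside your network to learn whether the printer is reachable from the
    internet, and only against devices you are responsible for."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_pjl_info_query())
            chunks = []
            while True:
                try:
                    data = sock.recv(1024)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
                if b"\x0c" in data:  # form feed terminates the INFO reply
                    break
            return parse_pjl_info(b"".join(chunks))
    except OSError:
        return None


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder; use your own printer
    model = probe_printer(target)
    if model:
        print(f"{target}: EXPOSED on {RAW_PRINT_PORT}, identifies as {model}")
    else:
        print(f"{target}: no PJL answer on {RAW_PRINT_PORT}")
```

If the probe returns a model string from outside your network, the printer will accept anyone's print job; the fix is a firewall rule or NAT change, not a printer setting. Shodan indexes exactly this kind of banner, which is how campaigns build their target lists.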

Asked whether they would not print some types of material, such as Nazi propaganda, the person behind the operation said "I would certainly charge more to run such ads."


There is some reason to doubt the legitimacy of the service, though. On its website the hackers claim “We have the ability to reach every single printer in the world!”, which is not possible: many printers sit behind NAT or a firewall and are not reachable from the public internet at all.

At the bottom of the page, the website also links to the site and Instagram of Simon Smith, an Australian linked to the cybersecurity world. Smith denied having anything to do with the printing service.

“I most definitely (naturally) have nothing to do with the printer business. It is not only a negative SEO attempt, but a DDoS attempt on people's fax machines and an attempt to deceive innocent victims as to the originating source,” he told Motherboard in an email on Monday.

The person behind the campaign added "In the past fax spam has been used to market various business services. I believe our advertising service would be especially interesting to companies offering printer paper/toner refills."


]]>
Article ID: zmdy7y. Authors: Joseph Cox, Emanuel Maiberg. Tags: Hacking, privacy, cybersecurity, trolling, vulnerability, shodan, office printers, Infosec, exposed, printers.
<![CDATA[Dunkin’ Donuts Loyalty Points Accounts Are Dirt Cheap on the Dark Web]]>
https://motherboard.vice.com/en_us/article/59v5d8/dunkin-donuts-loyalty-points-accounts-dark-web-buy-sell-cheap
Fri, 30 Nov 2018 16:02:25 +0000

On Thursday, Dunkin’ Donuts announced that hackers had likely broken into some customers’ loyalty points accounts.

But why would a hacker want loyalty points at a donut chain? Apart from perhaps fuelling a hacker’s pastry binge, these accounts may end up for sale on the dark web. Plenty of compromised Dunkin’ accounts already appear on dark web marketplaces as part of the booming loyalty points economy. And they’re pretty cheap, too.

“Grab hacked Account Dunkin Donut now with cheap ever price on market!” one listing currently available on Dream Marketplace, likely the largest dark web market at the time of writing, reads. For $10, the seller is offering $25 or more worth of Dunkin’ Donuts loyalty credit, or $12 for $30 worth of credit. Another vendor sells $100 worth of loyalty credit for around $26.

The recent Dunkin’ Donuts announcement concerns the company’s DD Perks program, a mobile app rewards program that customers can use to get free beverages or special discounts. It appears the vendors on Dream Marketplace are selling accounts for that same purpose. “Just login thru the apps on mobile for presenting at cashier for bill payment!” one of the listings adds.

This isn’t to say that the accounts currently for sale are one and the same as the accounts Dunkin’ Donuts recently warned its customers about, but there is a good chance those accounts will face the same fate.


In its earlier statement, Dunkin’ Donuts said it was not itself the victim of a data breach; rather, hackers had taken passwords from other compromised sites and used them to log into customer accounts, a technique known as credential stuffing. This is one of the main ways hackers gain access to loyalty point accounts, whether at Dunkin’ Donuts, hotel chains, or anywhere else.

On Dream Marketplace, one vendor is offering a configuration file for Sentry, a piece of software that makes it easy for a hacker to churn through large lists of leaked username and password pairs and see which ones work. Sentry needs different settings for each website it targets, such as where the login form lives and how a successful login differs from a failed one, hence the configuration file.

A similar technique was used to obtain Uber login credentials when those appeared for sale on the dark web. The vendor for the Dunkin’ Donuts Sentry file, which costs around $2, also offers support to customers to get it working, according to the seller’s listing.
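From the defender's side, a Sentry-style run has a distinctive shape: one source tries many different accounts once each, with a low success rate, rather than one account many times. The following is an added example, not code from Dunkin’ Donuts, Uber or the article, that finds that pattern in a constructed authentication log and lists the accounts that were logged into successfully, which are the ones to reset first. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample from a hypothetical login service log. 203.0.113.7 sprays leaked
# credentials across many accounts; 198.51.100.9 is one user mistyping a password.
SAMPLE_LOG = """\
2018-11-29T03:14:07Z ip=203.0.113.7 user=alice result=FAIL
2018-11-29T03:14:08Z ip=203.0.113.7 user=bob result=FAIL
2018-11-29T03:14:09Z ip=203.0.113.7 user=carol result=OK
2018-11-29T03:14:10Z ip=203.0.113.7 user=dave result=FAIL
2018-11-29T03:14:11Z ip=203.0.113.7 user=erin result=FAIL
2018-11-29T03:14:12Z ip=203.0.113.7 user=frank result=OK
2018-11-29T03:14:13Z ip=203.0.113.7 user=grace result=FAIL
2018-11-29T03:20:01Z ip=198.51.100.9 user=heidi result=FAIL
2018-11-29T03:20:30Z ip=198.51.100.9 user=heidi result=FAIL
2018-11-29T03:21:02Z ip=198.51.100.9 user=heidi result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Group (timestamp, user, result) events by source IP; lines that don't match are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["ip"]].append((ts, m["user"], m["result"]))
    return events


def detect_credential_stuffing(text, window=timedelta(minutes=10), min_attempts=5, min_users=5):
    """Flag source IPs that, inside a sliding time window, attempt at least min_attempts logins
    against at least min_users distinct accounts. A single user who fumbles a password hits
    one account and is not flagged; a credential-stuffing run hits many accounts once each."""
    findings = {}
    for ip, evs in parse_log(text).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window's left edge
                start += 1
            win = evs[start:end + 1]
            if len(win) >= min_attempts and len({u for _, u, _ in win}) >= min_users:
                findings[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({u for _, u, _ in evs}),
                    # successful logins from a stuffing source are compromised accounts
                    "compromised": sorted({u for _, u, r in evs if r == "OK"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_users']} accounts; "
              f"force a password reset for {info['compromised']}")
```

The distinct-account count is what separates this from ordinary brute force or a forgotten password; in production the same logic runs per IP range or per device fingerprint, since stuffing tools rotate through proxies.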

“100% satisfaction guarantee,” one advertisement reads.


]]>
Article ID: 59v5d8. Authors: Joseph Cox, Jordan Pearson. Tags: Hacking, cybersecurity, Donuts, dark web, data breach, cybercrime, Dunkin Donuts, online fraud, cybercriminal, dream marketplace.
<![CDATA[Marriott Hotels Announces Data Breach of 500 Million Customers]]>
https://motherboard.vice.com/en_us/article/kzvgbm/marriott-hotels-500-million-data-breach-hack
Fri, 30 Nov 2018 13:30:33 +0000

Four years is a long, long time in the world of cybersecurity. But that’s how long hackers have been pulling data from Marriott Hotels’ servers, according to an announcement from the company on Friday.

The hackers stole a bevy of personal data from customers who stayed at the chain’s Starwood properties on or before September 10. The breach impacted around 500 million guests, and for around 327 million of those, stolen data included the usual name, mailing and email address, and phone number, as well as more hotel-centric information, such as their passport number, reservation date, and arrival and departure information.

The announcement adds that “for some” customers the stolen data also includes payment card numbers and expiration dates. Marriott says the card numbers were encrypted, but the company has not been able to rule out that the information needed to decrypt them was also taken. For the remaining guests, Marriott says only name, and sometimes mailing and email address or “other information,” was taken.

“Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts,” Marriott’s announcement reads. “Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”


In its investigation, which started on September 8 after an internal security tool found an attempt to access the Starwood guest reservation database, Marriott found that there had been unauthorized access to the Starwood network since 2014, the announcement added.

It is not clear what sort of hackers are behind the breach, whether financially motivated criminals or actors more interested in using the data to monitor people of interest. Previously, cybersecurity researchers found that the Russian government-linked hacking group APT28, or Fancy Bear, targeted hotels across Europe and the Middle East.

The lesson: Unfortunately, there is not much for potential victims to act on yet, especially around whether your payment card details were stolen. Marriott said it has started emailing people who were in the Starwood reservation database, so that will be the first sign that you are affected. This isn’t the sort of breach where you necessarily have to change passwords, but it does expose victims to identity theft and fraudulent charges, so watch card statements and treat messages that quote your reservation details as no proof of legitimacy. Marriott is offering customers in the United States, United Kingdom, and Canada a year of free access to a service that monitors sites where personal information is traded and alerts the customer if their information appears. You need to sign up for it, so if you're affected, check the announcement or your inbox.

]]>
Article ID: kzvgbm. Authors: Joseph Cox, Emanuel Maiberg. Tags: Fraud, Hacking, privacy, cybersecurity, hotels, hotel, data breach, identity theft, marriott, Another Day Another Hack.
<![CDATA[Malware Companies Are Finding New Ways to Spy on iPhones]]>
https://motherboard.vice.com/en_us/article/mby7kq/malware-to-spy-hack-iphones
Tue, 27 Nov 2018 16:38:29 +0000

Thanks to a combination of tight controls and innovative security features, Apple has made the iPhone perhaps the most secure consumer device in the world. But nothing is unhackable, and iOS malware isn’t as rare as many may think.

Earlier this year, Russian cybersecurity firm Kaspersky Lab found evidence that a small government spyware maker called Negg developed a “custom iOS malware that allows GPS tracking and performs audio surveillance activity,” according to a private report the company sent to subscribers. The discovery of Negg’s iOS malware has never been reported outside of Kaspersky.

“We have uncovered an iOS implant,” Kaspersky Lab researcher Alexey Firsh told Motherboard in an email. “We assume that at the moment of discovery it was in a development stage and was not fully adapted to infect potential victims.”

“We have uncovered an iOS implant.”

Malware on iOS has always been rare, thanks to the increasing difficulty of jailbreaking iPhones and Apple’s continuous focus on locking down its devices. This has driven prices for iOS bugs and exploits through the roof. Nowadays, companies are willing to pay around $3 million for software that jailbreaks and hacks iPhones—and researchers are reluctant to report bugs to Apple simply because others pay better.

Governments around the world have been willing to spend a fortune on iOS malware. Saudi Arabia paid $55 million for iPhone malware made by NSO Group, according to a recent report by the Israeli newspaper Haaretz. Several companies specialize in iOS malware, among them Azimuth and NSO Group. But despite appearances, iOS malware isn’t only in the hands of big companies and their government customers.


Security researcher Zuk Avraham recently wrote on Twitter that iOS jailbreaks, the basis of any kind of malware for iOS, aren’t as rare as people think, and estimated that there are more than 50 groups who have iOS exploits. While most people believe that only powerful government adversaries have access to iPhone exploits, more discoveries are being made that suggest that lesser-known groups have exploits as well.

Now, even relatively smaller companies have iOS malware.

Earlier this year, Kaspersky Lab reported having found a sophisticated spyware for Android dubbed Skygofree. Sources told Forbes at the time that the spyware was made by Italian government surveillance contractor Negg, a small upstart that isn’t as well known as NSO or Azimuth. While investigating Negg’s Android malware, Kaspersky Lab found that one of its command and control servers pointed to a “rogue Apple [Mobile Device Management] server,” according to the company’s private report.

A source who received the report shared details contained in it with Motherboard on condition of staying anonymous since they were not authorized to share the information.

Mobile Device Management, or MDM, is a feature of iOS that lets companies manage and monitor the devices they hand to employees. By installing an MDM profile on an iPhone, the user gives the owner of the MDM server a degree of control over the device, and that mechanism can be used by malware creators too. In July, the security firm Talos found that a hacking group used MDM to target a few iPhones in India. (Mobile Device Management can be turned on for any iPhone.)

Costin Raiu, the head of Kaspersky Lab’s research team, said that Negg’s MDM server is still active. In its private report, Kaspersky Lab researchers wrote that “the code contains many mentions that let us presume that the developer is a small Italian company named Negg.”

Negg did not respond to a message sent to its official information email address. When Motherboard called its office, an employee said she’d refer questions to the company owner, who was not available at the time. Apple did not respond to a request for comment.

It’s unclear how government hackers get the malware onto targets’ iPhones. Kaspersky Lab researchers speculated it may be via social engineering “using fake mobile operators sites.” In other words, this malware does not leverage any bugs or exploits in iOS; it takes advantage of MDM, a feature designed into the operating system, and relies on the tried-and-tested social hacking technique of tricking users into installing something. For many years, the average user could essentially click on any link, download any app, and otherwise use their iPhone without worrying about targeted surveillance. That may soon no longer be the case.
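What a user actually hands over when they accept such a profile is spelled out inside the .mobileconfig itself, in the MDM payload's ServerURL and its AccessRights bitmask. Here is an added example (not code from Kaspersky, Negg, or the article) that inspects a profile before installation and lists the rights it grants. The sample profile is constructed and unsigned, its server name is a placeholder, and the bit meanings follow Apple's Configuration Profile Reference for the MDM payload.

```python
import plistlib
from typing import Any, Dict

MDM_PAYLOAD = "com.apple.mdm"
ROOT_CERT_PAYLOAD = "com.apple.security.root"

# AccessRights bit meanings for the MDM payload, per Apple's Configuration Profile Reference.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock device and remove passcode",
    8: "erase device",
    16: "query device information",
    32: "query network information (phone number, MAC addresses)",
    64: "inspect provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security settings",
    2048: "change settings",
    4096: "manage applications",
}

# Constructed, unsigned profile of the kind a fake "carrier settings" page might push.
# The server hostname is a placeholder, not anything reported in the article.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>Carrier Settings Update</string>
  <key>PayloadIdentifier</key><string>com.example.carrier</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.carrier.mdm</string>
      <key>PayloadUUID</key><string>66666666-7777-8888-9999-000000000000</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
      <key>IdentityCertificateUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict></plist>
"""


def inspect_profile(data: bytes) -> Dict[str, Any]:
    """Summarise what installing a .mobileconfig would hand over. Signed profiles are
    CMS-wrapped DER rather than bare XML; unwrap the content before passing it here."""
    profile = plistlib.loads(data)
    report = {"name": profile.get("PayloadDisplayName"), "mdm_servers": [],
              "rights": [], "root_certs": 0, "other_payloads": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == MDM_PAYLOAD:
            report["mdm_servers"].append(payload.get("ServerURL"))
            bits = int(payload.get("AccessRights", 0))
            report["rights"] = [desc for bit, desc in ACCESS_RIGHTS.items() if bits & bit]
        elif ptype == ROOT_CERT_PAYLOAD:
            report["root_certs"] += 1  # a trusted CA lets the profile's owner intercept TLS
        else:
            report["other_payloads"].append(ptype)
    report["full_control"] = len(report["rights"]) == len(ACCESS_RIGHTS)
    return report


if __name__ == "__main__":
    r = inspect_profile(SAMPLE_PROFILE)
    print(f"'{r['name']}' enrols the device with {r['mdm_servers']}")
    for right in r["rights"]:
        print("  grants:", right)
```

AccessRights 8191 sets all thirteen bits, which is the "administrative control" Duff describes below: the server can install further profiles and apps, read device and network identifiers, and wipe the phone. Nothing here exploits a bug; the user's tap on "Install" is the whole attack.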

“You're basically turning over administrative control of your phone to the attacker.”

In May, Motherboard revealed that Italian cell phone providers were helping cops install malware on suspected criminals’ phones.

According to Ryan Duff, a former Cyber Command hacker who is now director of cyber solutions at Point3, the discovery should not be seen as too worrisome a sign.

“As far as MDM as an injection method for malware, it's pretty lame,” Duff told Motherboard in an online chat. “As far as risk goes, it's pretty low. You can't just force an iPhone to connect to an MDM server. You would have to get them to install a device profile onto their phone. You'd need to social engineer them in some way into installing the profile.”

Raiu said that Kaspersky is not sure how Negg—or its customers—get the malware on the target iPhones. It could either be social engineering, Raiu said, or “even physical access.” Kaspersky is unsure if Negg has any zero days or specific iOS exploits.

Even if MDM-based malware is not as sophisticated as malware injected through expensive, unknown vulnerabilities (zero-days), once it’s on the phone the result is the same: the hackers, be they criminals or government-sponsored, have access to everything on the phone.

“You're basically turning over administrative control of your phone to the attacker,” Duff told me. “So of course they can install malware from there.”


]]>
Article ID: mby7kq. Authors: Lorenzo Franceschi-Bicchierai, Emanuel Maiberg, Jason Koebler. Tags: italy, Apple, Hacking, cybersecurity, iPhone, malware, spyware, ios, Infosec, State of Surveillance, Negg, Kaspersky Lab, information security.
<![CDATA[How Pirated Versions of ‘Super Smash Bros. Ultimate’ Leaked Weeks Before Release]]>
https://motherboard.vice.com/en_us/article/kzv7ge/how-pirated-super-smash-bros-ultimate-leaked-nintendo-switch
Mon, 26 Nov 2018 14:58:59 +0000

A big title game leaking more than a few days before its official release date is something that even people in the Nintendo Switch hacking and piracy scenes take note of. But this may be one of the biggest leaks yet: pirates have dumped the highly anticipated Super Smash Bros. Ultimate around two weeks before it's scheduled to hit stores.

The news highlights Nintendo’s continued problem with piracy. But the specifics of how Smash was released show the internal conflicts within the piracy community, with different groups pushing to be the first to release a game and trying to dictate when a dump should happen.

“As far as [pirated] Switch games go this is the biggest ever,” JJB, the administrator of WarezNX, a popular Switch piracy community that typically uses the gaming chat platform Discord, told Motherboard in an online chat.

Four sources told Motherboard pirates had leaked Smash. JJB provided a video, at Motherboard’s request, of gameplay of a specific character and stage. Another source provided a second video confirming the leak is real.

Motherboard also viewed chat logs of a private chat server discussing the leak, and a thread on a popular piracy forum provides download links for the game. Motherboard granted sources anonymity to speak more candidly about private communities and illegal activity.

JJB also uploaded a video to YouTube that appears to show the game’s startup process. At the time of writing, that video is still online.

Piracy groups and individuals have distributed multiple versions of Smash over the past few days, with varying degrees of success. At least one version ‘bricked’ Switch consoles, according to piracy server chat logs seen by Motherboard.

It appears the Smash leak originated on the WarezNX Discord server. In response, JJB says he told other staff to ban lower level users from the server.

“Point of doing it was I did not agree with Smash leaking as early as it did,” JJB said. “So I decided to remove the easiest source being the server.”


Switch pirates generally obtain new games in two ways. Either, they use codes leaked by YouTubers or journalists who are reviewing the game to then unlock files downloaded from the Switch’s eShop, or someone in physical possession of a game cartridge dumps the files.

One version of Smash that did work and doesn’t appear to brick systems originated from a game cartridge. Multiple sources said they believe it was a physical cartridge from Mexico.

Switch games often leak one or two days before release, when more review codes and physical cartridges are in circulation. But a leak this early, and for such a high profile game, is unusual.

“2 weeks early for a game like Smash is insane for a public leak,” JJB told Motherboard.

Nintendo did not respond to a request for comment. The company has an aggressive stance towards piracy and use of its intellectual property in general.

“Video game piracy is illegal. Nintendo opposes those who benefit and trade off the creative work of game developers, artists, animators, musicians, motion capture artists and others,” a previously published post on Nintendo’s website reads. Smash is scheduled to be released on December 7.

As Motherboard has previously reported, playing a pirated Switch game is not simple. A wide-ranging community of reverse engineers, developers, and hackers constantly creates software and tools that pirates use to add features to their Switch and run pirated games. Sometimes leaked material stays within private groups rather than being shared publicly, but Smash has already hit some of the more popular piracy sites.

A number of mirror links to download the game already exist, and so it seems unlikely that Nintendo will be able to avoid the game spreading more widely before its release.

“It’s fun,” one member of the Switch piracy community told Motherboard after playing the game.


]]>
Article ID: kzv7ge. Authors: Joseph Cox, Jason Koebler. Tags: Hacking, piracy, nintendo, Leak, Switch, torrenting, Mario, super smash bros, Nintendo Switch, Super Smash Bros. Ultimate.
<![CDATA[The FBI Created a Fake FedEx Website to Unmask a Cybercriminal]]>
https://motherboard.vice.com/en_us/article/d3b3xk/the-fbi-created-a-fake-fedex-website-to-unmask-a-cybercriminal
Mon, 26 Nov 2018 13:00:00 +0000

The FBI has started deploying its own hacking techniques to identify financially driven cybercriminals, according to court documents unearthed by Motherboard. The news signals an expansion of the FBI’s use of tools usually reserved for cases such as child pornography and bomb threats. But it also ushers in a potential normalization of this technologically driven approach, as criminal suspects continually cover up their digital trail and law enforcement has to turn to more novel solutions.

The two 2017 search warrant applications discovered by Motherboard both deal with business email compromise, a scam in which cybercriminals impersonate someone a company trusts and trick it into sending a large sum to the scammers. The warrants show that, in an attempt to identify these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both designed to reveal the IP address of the fraudsters. The cases were unsealed in October.

“What kinds of criminals mask their location, and for what kinds of crimes? Child pornography, yes; violent threats, yes; but also organized-crime rings engaged in cybercrime. A business email compromise scam, like those at issue in these warrants, falls squarely in that camp,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told Motherboard in an online chat after reviewing the documents.


The first case centers around Gorbel, a cranes and ergonomic lifting manufacturing company headquartered in Fishers, New York, according to court records. Here, the cybercriminals used a long, potentially confusing and official looking email address to pose as the company’s CEO Brian Reh, and emailed the accounts team asking for payment for a new vendor. The fraudsters provided a W9 form of a particular company, and the finance department mailed a check for over $82,000. Gorbel noticed the fraudulent transaction, and brought in the FBI in July. Shortly after, Gorbel received other emails pretending to be Reh, asking for another transfer. This time, the finance department and FBI were ready.

The FBI created a fake FedEx website and sent that to the target, in the hope it would capture the hacker’s IP address, according to court records. The FBI even concocted a fake “Access Denied, This website does not allow proxy connections” page in order to entice the cybercriminal to connect from an identifiable address. (GoDaddy has since repossessed the domain, and the domain did briefly resolve to an IP address in Rochester, New York, where the FBI Special Agent writing the application is based, according to online records).

It is not clear if the FBI sought permission from FedEx to digitally impersonate the company. FedEx did not respond to a request for comment, and the FBI did not provide a response to questions around the specific incident.

Notably, only one other domain has previously resolved to the same IP address as the fake FedEx page: a domain that alludes to a law firm. The site existed only briefly, is offline at the time of writing, and has a very small digital footprint. It appears this law-firm domain may also be connected to the FBI.

[Image: A section of one of the warrant applications explaining that the target will need to disable protected mode for the NIT to function. Image: Motherboard.]

Both NITs (network investigative techniques, the FBI’s term for its hacking tools) were designed to obtain only a target’s IP address and User-Agent string, according to the warrant applications. A User-Agent string reveals what browser and operating system a target is using. Although signed by two different FBI Special Agents, both of the NIT warrant applications come out of the Cyber Squad, Buffalo Division, in Rochester, New York.

We don't know how successful either of these NITs was in identifying the suspects. In the Gorbel case, the Justice Department asked for multiple extensions to keep the search warrant application sealed, right up to at least March of this year. Both warrants were returned as executed, according to court records.

"The use of a Network Investigative Technique is lawful and effective," an FBI spokesperson told Motherboard in an email. "They are only employed when necessary, against some of the worst offenders. The technique is time and resource intensive and is not a viable option for most investigations."

Previously, the FBI has deployed NITs on a large, and sometimes indiscriminate, scale. When the Bureau targeted dark web hosting provider Freedom Hosting, its NIT also impacted users of a privacy-focused email service not suspected of a crime. In these new warrant applications the FBI emphasizes that only the intended target should encounter the NIT.

“The FBI anticipates the target user, and only the target user, will receive the email and attachment after logging in and checking emails,” one of the applications reads. “The general public will be protected from any violation of privacy through careful and direct deployment of the NIT to the specific target email,” another document adds.

Pfefferkorn, the cybersecurity and surveillance expert, said, “This shows that the government has learned from the Freedom Hosting case, where the NIT deployed from a website the government had taken over was not carefully targeted enough and ended up infecting the browsers of innocent people.”

This sort of law enforcement hacking is likely to become more common. At the end of 2016, the Justice Department amended Rule 41, one of the rules around search warrants. The change meant that US judges could sign warrants to search computers outside of their district, and in particular, if law enforcement did not know where the suspect was ultimately located—exactly the issue with these two cases.

“Now that Rule 41 has been amended, we can expect to see NIT warrants being used in the investigation of a range of crimes, not just the child pornography Tor Hidden Service busts that pre-dated the amendment,” Pfefferkorn said.

]]>
d3b3xk | Joseph Cox, Jason Koebler | Hacking, privacy, FedEx, email scam, network investigative technique, Network Investigative Techniques, malicious, NIT, FBI hacking, cybercriminal
<![CDATA[The Best Cyber Monday Tips]]>
https://motherboard.vice.com/en_us/article/xwjwv3/cyber-monday-shopping-tips
Sun, 25 Nov 2018 17:00:00 +0000

One of the most anticipated days of the year on the internet is finally here: Cyber Monday!

We like to think that every Monday is Cyber Monday, but nonetheless, today is a thrilling day of shopping that can be overwhelming. But fear not, we’re here to help you. Alas, we’re really not that good at shopping tips, but we are very good at “the cyber,” which for us means cybersecurity, information security, and hacking.

So, instead, we’d like to offer different tips and advice (for free!): basic suggestions on how to make you and your loved ones safer and more secure on the internet.

The internet can seem like a scary place. And it’s undeniable that there are threats out there, even if you are just an average user. Cybercriminals don’t discriminate, and, in fact, go for the lowest hanging fruit: reused passwords, computers with old vulnerable software, and naive people who may click on sketchy links.

But fear not, there are a lot of simple, easy things you can do to minimize your risks. If you want to learn about them, and you have some time, please read our comprehensive guide on how to stay safe online.

Otherwise, start right here:

USE UP TO DATE SOFTWARE

Old, unpatched software has bugs that could leave the door open for hackers. Exploiting up-to-date apps and operating systems is becoming increasingly hard, so if you keep your computer and cellphones updated, you’re already doing one of the most important things to protect your data.

If you like PCs, you should use Windows 10, which includes modern anti-hacking features and even Microsoft’s own antivirus. If you want to lock down your PC even further, you could use Windows 10 S, a stripped down version of the OS that only runs certain approved apps and has enhanced security features.

If that sounds appealing to you, you may want to get a Chromebook. These are laptops that run a Google-developed operating system based on the internet browser Chrome. Chromebooks severely limit what software you can use (newer Chromebooks support Android apps). But nowadays, how many apps do you actually use outside of your browser? If you can live with that, then Chromebooks are a good choice.

For Mac lovers, Apple offers free operating system upgrades, so there’s no excuse not to be on the latest and greatest macOS. At this time, that’s Mojave.

PUT ALL YOUR PASSWORDS IN A MANAGER

We all live on dozens of sites. Email, Facebook, Instagram, Twitter, your bank, and god knows how many more we may even have forgotten about.

In theory, all these should have their own, unique, and strong password. I know that sounds hard, but it really isn’t. Thanks to password managers, apps that securely store all your passwords and even help you type them into websites and apps, you don’t have to remember more than one password—the one that’s used to unlock your password manager.

That will become the password to your digital life and will need to be good. Old advice dies hard and many people still say a good password requires random capital letters, symbols, and numbers. You can use those, but the easiest way to make a secure master password is to make a passphrase: several random but pronounceable—and thus easier to memorize—words. There are sites that can help you craft one.

There’s not that much difference between the major password managers. We recommend 1Password, LastPass, or KeePass.

We’ll be honest, setting one up is a bit of a hassle as you have to log all your passwords into the manager. But once you’ve done that, not only will you be safer, but your life will also become easier, as the app will make logging into sites almost automatic and you won’t have to remember more than one password.

That’s all for today. It doesn’t take too much effort or money to make it a lot harder for hackers to mess with you. And as we said, for more in-depth, exhaustive advice, please read The Motherboard Guide To Not Getting Hacked.

And if, god forbid, you think you’ve already been targeted and compromised, check our guide on how to tell if your online accounts have been hacked.

]]>
xwjwv3 | Lorenzo Franceschi-Bicchierai, Jason Koebler | Apple, Hacking, cybersecurity, black friday, shopping, hackers, windows, Infosec, cybercrime, Passwords, Cyber Monday, information security, LastPass, 1password, patching
<![CDATA[The Most Damaging Election Disinformation Campaign Came From Donald Trump, Not Russia]]>
https://motherboard.vice.com/en_us/article/mbyg3x/the-most-damaging-election-disinformation-campaign-came-from-donald-trump-not-russia
Mon, 19 Nov 2018 15:26:04 +0000

The Weakest Link is Motherboard's third annual theme week dedicated to the future of hacking and cybersecurity. Follow along.

Henry Farrell is professor of politics and international affairs at George Washington University. Bruce Schneier is a security technologist and the author of fourteen books, including most recently, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World.

On November 4, 2016, the hacker “Guccifer 2.0,” a front for Russia’s military intelligence service, claimed in a blog post that the Democrats were likely to use vulnerabilities to hack the presidential elections. On November 9, 2018, President Donald Trump started tweeting about the senatorial elections in Florida and Arizona. Without any evidence whatsoever, he said that Democrats were trying to steal the election through “FRAUD.”

Cybersecurity experts would say that posts like Guccifer 2.0’s are intended to undermine public confidence in voting: a cyber-attack against the US democratic system. Yet Donald Trump’s actions are doing far more damage to democracy. So far, his tweets on the topic have been retweeted over 270,000 times, eroding confidence far more effectively than any foreign influence campaign.

We need new ideas to explain how public statements on the Internet can weaken American democracy. Cybersecurity today is not only about computer systems. It’s also about the ways attackers can use computer systems to manipulate and undermine public expectations about democracy. Not only do we need to rethink attacks against democracy; we also need to rethink the attackers.

This is one key reason why we wrote a new research paper that uses ideas from computer security to understand the relationship between democracy and information. These ideas help us understand attacks that destabilize confidence in democratic institutions or debate.

Our research implies that insider attacks from within American politics can be more pernicious than attacks from other countries. They are more sophisticated, employ tools that are harder to defend against, and lead to harsh political tradeoffs. The US can threaten charges or impose sanctions when Russian trolling agencies attack its democratic system. But what punishments can it use when the attacker is the US president?

Authoritarians have weaponized information flows

People who think about cybersecurity build on ideas about confrontations between states during the Cold War. Intellectuals such as Thomas Schelling developed deterrence theory, which explained how the US and USSR could maneuver to limit each other’s options without ever actually going to war. Deterrence theory, and related concepts about the relative ease of attack and defense, seemed to explain the tradeoffs that the US and rival states faced as they started to use cyber techniques to probe and compromise each other’s information networks.

However, these ideas fail to acknowledge one key difference between the Cold War and today. Nearly all states—whether democratic or authoritarian—are entangled on the Internet. This creates both new tensions and new opportunities. The US assumed that the internet would help spread American liberal values, and that this was a good and uncontroversial thing. Illiberal states like Russia and China feared that Internet freedom was a direct threat to their own systems of rule. Opponents of the regime might use social media and online communication to coordinate among themselves, and appeal to the broader public, perhaps toppling their governments, as happened in Tunisia during the Arab Spring.

This led illiberal states to develop new domestic defenses against open information flows. As scholars like Molly Roberts have shown, states like China and Russia discovered how they could “flood” internet discussion with online nonsense and distraction, making it impossible for their opponents to talk to each other, or even to distinguish between truth and falsehood. These flooding techniques stabilized authoritarian regimes, because they demoralized and confused the regime’s opponents. Libertarians often argue that the best antidote to bad speech is more speech. What Vladimir Putin discovered was that the best antidote to more speech was bad speech.

Russia saw the Arab Spring and efforts to encourage democracy in its neighborhood as direct threats, and began experimenting with counter-offensive techniques. When a Russia-friendly government in Ukraine collapsed due to popular protests, Russia tried to destabilize new, democratic elections by hacking the system through which the election results would be announced. The clear intention was to discredit the election results by announcing fake voting numbers that would throw public discussion into disarray.

This attack on public confidence in election results was thwarted at the last moment. Even so, it provided the model for a new kind of attack. Hackers don’t have to secretly alter people’s votes to affect elections. All they need to do is to damage public confidence that the votes were counted fairly. As researchers have argued, “simply put, the attacker might not care who wins; the losing side believing that the election was stolen from them may be equally, if not more, valuable.”

Flooding and confidence attacks can destabilize democracy

These two kinds of attacks—“flooding” attacks aimed at destabilizing public discourse, and “confidence” attacks aimed at undermining public belief in elections—were weaponized against the US in 2016. Russian social media trolls, hired by the “Internet Research Agency,” flooded online political discussions with rumors and counter-rumors in order to create confusion and political division. Peter Pomerantsev describes how in Russia, “one moment [Putin’s media wizard] Surkov would fund civic forums and human rights NGOs, the next he would quietly support nationalist movements that accuse the NGOs of being tools of the West.” Similarly, Russian trolls tried to get Black Lives Matter protesters and anti-Black Lives Matter protesters to march at the same time and place, to create conflict and the appearance of chaos. Guccifer 2.0’s blog post was surely intended to undermine confidence in the vote, preparing the ground for a wider destabilization campaign after Hillary Clinton won the election. Neither Putin nor anyone else anticipated that Trump would win, ushering in chaos on a vastly greater scale.

We do not know how successful these attacks were. A new book by John Sides, Michael Tesler and Lynn Vavreck suggests that Russian efforts had no measurable long-term consequences. Detailed research on the flow of news articles through social media by Yochai Benkler, Robert Faris, and Hal Roberts agrees, showing that Fox News was far more influential in the spread of false news stories than any Russian effort.

However, global adversaries like the Russians aren’t the only actors who can use flooding and confidence attacks. US actors can use just the same techniques. Indeed, they can arguably use them better, since they have a better understanding of US politics, more resources, and are far more difficult for the government to counter without raising First Amendment issues.

For example, when the Federal Communications Commission asked for comments on its proposal to get rid of “net neutrality,” it was flooded by fake comments supporting the proposal. Nearly every real person who commented was in favor of net neutrality, but their arguments were drowned out by a flood of spurious comments purportedly made by identities stolen from porn sites, by people whose names and email addresses had been harvested without their permission, and, in some cases, by dead people. This was done not just to generate fake support for the FCC’s controversial proposal. It was to devalue public comments in general, making the general public’s support for net neutrality politically irrelevant. FCC decision making on issues like net neutrality used to be dominated by industry insiders, and many would like to go back to the old regime.

Trump’s efforts to undermine confidence in the Florida and Arizona votes work on a much larger scale. There are clear short-term benefits to asserting fraud where no fraud exists. This may sway judges or other public officials to make concessions to the Republicans to preserve their legitimacy. Yet these efforts also destabilize American democracy in the long term. If Republicans are convinced that Democrats win by cheating, they will feel that their own manipulation of the system (by purging voter rolls, making voting more difficult and so on) is legitimate, and will very probably cheat even more flagrantly in the future. This will trash collective institutions and leave everyone worse off.

It is notable that some Arizonan Republicans—including Martha McSally—have so far stayed firm against pressure from the White House and the Republican National Committee to claim that cheating is happening. They presumably see more long-term value in preserving existing institutions than in undermining them. Very plausibly, Donald Trump has exactly the opposite incentives. By weakening public confidence in the vote today, he makes it easier to claim fraud and perhaps plunge American politics into chaos if he is defeated in 2020.

Trump’s lies about vote counting are a cybersecurity problem

If experts who see Russian flooding and confidence measures as cyberattacks on US democracy are right, then these attacks are just as dangerous—and perhaps more dangerous—when they are used by domestic actors. The risk is that over time they will destabilize American democracy so that it comes closer to Russia’s managed democracy—where nothing is real any more, and ordinary people feel a mixture of paranoia, helplessness and disgust when they think about politics. Paradoxically, Russian interference is far too ineffectual to get us there—but domestically mounted attacks by all-American political actors might.

To protect against that possibility, we need to start thinking more systematically about the relationship between democracy and information. Our paper provides one way to do this, highlighting the vulnerabilities of democracy against certain kinds of information attack. More generally, we need to build levees against flooding while shoring up public confidence in voting and other public information systems that are necessary to democracy.

The first may require radical changes in how we regulate social media companies. Modernization of government commenting platforms to make them robust against flooding is only a very minimal first step. Up until very recently, companies like Twitter have won market advantage from bot infestations—even when the company couldn’t make a profit, it seemed that user numbers were growing. CEOs like Mark Zuckerberg have begun to worry about democracy, but their worries will likely only go so far. It is difficult to get a man to understand something when his business model depends on not understanding it. Sharp—and legally enforceable—limits on automated accounts are a first step. Radical redesign of networks and of trending indicators so that flooding attacks are less effective may be a second.

The second requires general standards for voting at the federal level, and a constitutional guarantee of the right to vote. Technical experts nearly universally favor robust voting systems that would combine paper records with random post-election auditing, to prevent fraud and secure public confidence in voting. Other steps to ensure proper ballot design, and to standardize vote counting and reporting, will take more time and discussion—yet the record of other countries shows that they are not impossible.

The US is nearly unique among major democracies in the persistent flaws of its election machinery. Yet voting is not the only important form of democratic information. Apparent efforts to deliberately skew the US census against counting undocumented immigrants show the need for a more general audit of the political information systems that we need if democracy is to function properly.

It’s easier to respond to Russian hackers through sanctions, counter-attacks and the like than to domestic political attacks that undermine US democracy. Preserving the basic political freedoms of democracy requires recognizing that these freedoms are sometimes going to be abused by politicians such as Donald Trump. The best that we can do is to minimize the possibilities of abuse up to the point where they encroach on basic freedoms, and harden the general institutions that secure democratic information against attacks intended to undermine them.

]]>
mbyg3x | Bruce Schneier, Henry Farrell, Jason Koebler | russia, election 2016, Hacking, The Weakest Link, Election Security, Election 2018, Opinion, Donald Trump