BBC News: LulzSec Hacker Interview

F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Copyright (c) 2007 F-Secure Corporation. All Rights Reserved. tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002556.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com BBC News has a 13 minute report that's worth a view. <a href="http://www.bbc.co.uk/news/technology-22526025"><img width="538" height="544" border="0" src="http://www.f-secure.com/weblog/archives/BBC_LulzSec_Interview.png" alt="LulzSec hacker: Internet is a world devoid of empathy" /></a> <a href="http://www.bbc.co.uk/news/technology-22526025">LulzSec hacker: 'Internet is a world devoid of empathy'</a> On 17/05/13 At 12:54 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z BBC News: LulzSec Hacker Interview tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002555.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com <img width="540" height="331" border="1" src="http://www.f-secure.com/weblog/archives/lulzsec_tw.PNG" alt="LulzSec Twitter"> LulzSec &ndash; the rockband of hacker groups &ndash; had three of their six members sentenced today in London. LulzSec made headlines during their "50 days of Lulz" in May-June 2011, during which they attacked Fox, PBS, Sony, Nintendo, Sega, Minecraft, Infragard, NHS, US Senate, SOCA and CIA. They also recorded and published a conference call between US and European law enforcement officials, discussing police tactics against LulzSec. LulzSec was different from most other attackers, as they weren't doing their attacks to make money or to protest. They did it for Teh Lulz. Also, they had no sense of self-preservation, which led to taking them down. LulzSec had 6 core members: <ul><li>Topiary aka Jake Davis (<a href="https://twitter.com/aTopiary">@aTopiary</a>), UK <li>T-Flow aka Mustafa Al-Bassam (<a href="https://twitter.com/let_it_tflow">@let_it_tflow</a>), UK <li>Kayla aka Ryan Ackroyd (<a href="https://twitter.com/lolspoon">@lolspoon</a>), UK <li>Sabu aka Hector Monsegur (<a href="https://twitter.com/anonymouSabu">@anonymouSabu</a>), United States <li>Pwnsauce aka Darren Martyn (<a href="https://twitter.com/_pwnsauce">*_pwnsauce</a>) Ireland <li>AVunit (<a href="https://twitter.com/AvunitAnon">@AvunitAnon</a>), identity unknown</ul> The first three were sentenced today. <ul><li>Jake Davis got a 24 month sentence. He will serve 12 months in a young offenders institute <li>Mustafa Al-Bassam got a 20 month sentence, suspended for two years and 300 hours of community work. <li>Ryan Ackroyd got a 30 month sentence. He will serve 15 months.</ul> A botnet master associated with Lulzsec was sentenced at the same time: Ryan Cleary (aka Viral). He got a 32 month sentence. He will serve 16 months. Sabu was arrested in June 2011. He pleaded guilty and has been working with FBI since. He's yet to be sentenced. Darren Martyn was indicted in March 2012. He's yet to be sentenced. So, five of the LulzSec six has been caught. The remaining mystery is the 6th member: Avunit. Who was Avunit? How come none of the other members have given him up? We have no idea who Avunit is. We have no identity. We don't even know which continent he is from. P.S. Obligatory <a href="http://cwacht.github.io/nyancat/">nyan.cat</a>. <hr> On 16/05/13 At 01:32 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z LulzSec Sentencing in UK tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002554.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com The <a href="http://www.oslofreedomforum.com/">Oslo Freedom Forum</a> is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, <a href="https://twitter.com/ioerror">Jacob Appelbaum</a> actually discovered a new and previously unknown backdoor on an African activist's Mac. Our Mac analyst (Brod) is currently investigating the sample. It's signed with an Apple <a href="https://developer.apple.com/resources/developer-id/">Developer ID</a>. <img width="585" height="282" border="0" src="http://www.f-secure.com/weblog/archives/KITM_Apple_Developer_ID.png" alt="Developer ID" /> The launch point: <img width="668" height="504" border="0" src="http://www.f-secure.com/weblog/archives/KITM_launchpoint.png" alt="Launch point" /> It dumps screenshots into a folder called MacApp: <img width="768" height="378" border="0" src="http://www.f-secure.com/weblog/archives/KITM_screenshot_dump_folder.png" alt="Screenshot dump folder" /> Functions: <img width="399" height="534" border="0" src="http://www.f-secure.com/weblog/archives/KITM_Functions.png" alt="Functions" /> There are two C&amp;C servers related to this sample: <img width="535" height="310" border="0" src="http://www.f-secure.com/weblog/archives/KITM_domaintools_securitytable_org.png" alt="DomainTools, securitytable.org" /> securitytable.org <img width="510" height="310" border="0" src="http://www.f-secure.com/weblog/archives/KITM_domaintools_docforum_info.png" alt="DomainTools, docforum.info" /> docsforum.info One C&amp;C doesn't currently resolve, and the other: <img width="510" height="310" border="0" src="http://www.f-secure.com/weblog/archives/KITM_docsforum_info.png" alt="docsforum.info" /> Forbidden Our detection is called: Backdoor: OSX/KitM.A. (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e) On 16/05/13 At 12:29 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Mac Spyware Found at Oslo Freedom Forum tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002553.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Our <a href="http://www.f-secure.com/static/doc/labs_global/Research/Mobile_Threat_Report_Q1_2013.pdf">Mobile Threat Report Q1 2013</a> is now publicly available. <img width="580" height="735" border="1" src="http://www.f-secure.com/weblog/archives/Mobile_Threat_Count_Q1_2013jpg.jpg" alt="Mobile Threat Count, Q1 2013" /> All of our <a href="http://www.f-secure.com/en/web/labs_global/whitepapers/reports">past reports</a> are also available in the "<a href="http://www.f-secure.com/en/web/labs_global/">Labs</a>" section of f-secure.com. On 15/05/13 At 12:45 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Download: Mobile Threat Report Q1 2013 tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002552.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com F-Secure Labs Webinar: Mobile Threat Report Q1 2013 <iframe width="720" height="405" src="http://www.youtube.com/embed/7cfR1gPYlV0?rel=0" frameborder="0" allowfullscreen></iframe> On 13/05/13 At 01:51 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Webinar: Embedded tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002551.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com It's time to schedule another F-Secure Labs <a href="http://www.f-secure.com/weblog/archives/00002518.html">webinar</a>! We're trying out Google's "Hangouts On Air" this go-around: <a href="https://plus.google.com/events/caqm7s6qtnjf4g0n4lushl5n0v4"><img width="768px × 427px" height="427" border="0" src="http://www.f-secure.com/weblog/archives/MTR_GoogleHangout_May13.png" alt="Google Hangout Webinar, May13" /></a> Details: <a href="https://plus.google.com/events/caqm7s6qtnjf4g0n4lushl5n0v4">F-Secure Labs Threat Report Preview Webinar</a> Hope to see you there. On 10/05/13 At 05:43 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Webinar: Monday, May 13th tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002550.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Let's say you want to hack <a href="http://en.wikipedia.org/wiki/Jack_Dorsey">Jack Dorsey</a>'s online banking account. Where to start? His username? Challenging&hellip; his online banking username is a secret. But how about his Twitter account? Oh, that's easy. It's @<a href="https://twitter.com/jack">jack</a>. That's the problem with "social" usernames &mdash; they're meant to be known. <img width="539" height="210" border="0" src="http://www.f-secure.com/weblog/archives/Twitter_Password_Jack01.png" alt="Twitter's Password Fails" /> Another problem, Twitter appears to validate e-mail addresses: <img width="610" height="390" border="0" src="http://www.f-secure.com/weblog/archives/Twitter_Password_Jack02.png" alt="Twitter's Password Fails" /> Looks like nobody's home at jackd@twitter.com: <img width="610" height="390" border="0" src="http://www.f-secure.com/weblog/archives/Twitter_Password_Jack03.png" alt="Twitter's Password Fails" /> Twitter's settings include an option to require "personal" infomation such as an e-mail or phone number: <img width="529" height="129" border="0" src="http://www.f-secure.com/weblog/archives/Twitter_Password_Jack04.png" alt="Twitter's Password Fails" /> But that's less than useless if Twitter won't actually let you add your number: <img width="529" height="306" border="0" src="http://www.f-secure.com/weblog/archives/Twitter_Password_Jack05.png" alt="Twitter's Password Fails" /> And just how "personal" is a phone number anyway? <img width="547" height="505" border="0" src="http://www.f-secure.com/weblog/archives/Twitter_Password_Jack06.png" alt="Twitter's Password Fails" /> Two-factor authentication? Sure. But Twitter should first stop validating e-mail addresses. And then maybe it could add an option to disallow logins via the publicly known username. Edited to add: On second thought&hellip; How about this? Twitter should stop validating e-mailing addresses in its password reset form. And then, discriminate between using e-mail and username. If an account is accessed with the username &mdash; don't provide access to the account settings! The e-mail address (alias) could then be used only by account "adminstrators". Example: regular @<a href="https://twitter.com/ap">AP</a> staff could login with "AP" &mdash; no settings for them! They could Tweet, but would be restricted from making changes to the account. But the @AP "admin", some guy in the IT department, that person could login using the "secret" e-mail address and would be able to change account settings (and lockdown the account in case of a breach). Discriminating between e-mail and username &mdash; a way to distinguish between "admins" and "users". On 07/05/13 At 12:51 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Twitter's Password Fails tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002549.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Malaysia's 2013 general elections are scheduled for Sunday, May 5, 2013. Political news coverage is currently inundating all news outlets, including social networking sites, as the country's political parties go into high gear in the final run-up to polling day. The huge media interest creates an opportunity for malware writers to gain new victims using established social engineering techniques &mdash; and sure enough, this week Citizen Lab released <a href="https://citizenlab.org/storage/finfisher/final/fortheireyesonly.pdf">a report</a> indicating that a sample of the sophisticated FinFisher (a.k.a. FinSpy) surveillance malware was discovered in a document crafted specifically for this event. The malware was distributed in a booby-trapped Malay-language Microsoft Word document named "SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc" (In English: "List of proposed candidates for 13th General Elections according to states"). <img Width="768" height="628" border="0" src="http://www.f-secure.com/weblog/archives/finspy_malaysia.jpg" alt="SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc" /> The report speculates that the attack document is targeting Malaysians looking for more information related to one of the most closely contested elections in the country's history. F-Secure detects the document in question as Trojan:W32/FinSpy.D. Finfisher is produced by an European company called the Gamma Group. As we mentioned in a <a href="http://www.f-secure.com/weblog/archives/00002279.html">previous post</a>, the company was present at the ISS World 2011 gathering hosted in Kuala Lumpur, Malaysia. The ISS event serves as a trade fair for surveillance software (attendance is by "invitation" or if you are a "telco service provider, government employees or law enforcement officer"). <img widht="760"height="485" border="0" src="http://www.f-secure.com/weblog/archives/iss_kul_5.png" alt="ISS World Kuala Lumpur" /> Additionally, there have been reports alleging that multiple news and social media sites, including YouTube, Facebook, and Malaysiakini (a popular Malaysian online news site) have been subjected to various forms of disruption, including defacements, denial of service attacks, and filtering. F-Secure Labs is observing the situation. We saw a rise in malware detections during April 2013 in Malaysia. However, we don't really know if the increase was due to election-related activity or something else. <img width="768" height="233" border="0" src="http://www.f-secure.com/weblog/archives/malaysia_detections.png" alt="Malaysia, detections" /> On 03/05/13 At 11:57 AM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Online Activities Related to Elections in Malaysia tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002548.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Facebook has gradually added different tags to its "Status" updates. Currently, most users have the ability to tag: who, when and where. <img width="433" height="160" border="1" src="http://www.f-secure.com/weblog/archives/Facebook_WhatTag01.png" alt="Facebook, What tags" /> Those options could soon include: what. (Roll out is limited at the moment.) <img width="534" height="176" border="1" src="http://www.f-secure.com/weblog/archives/Facebook_WhatTag02.png" alt="Facebook, What tags" /> And not just what you are doing &mdash; but what you're feeling. <img width="534" height="389" border="1" src="http://www.f-secure.com/weblog/archives/Facebook_WhatTag03.png" alt="Facebook, What tags" /> As long as everybody you're friends with gets the joke&hellip; <img width="534" height="176" border="1" src="http://www.f-secure.com/weblog/archives/Facebook_WhatTag04.png" alt="Facebook, What tags" /> &hellip;you should be safe. <img width="510" height="205" border="1" src="http://www.f-secure.com/weblog/archives/Facebook_WhatTag05.png" alt="Facebook, What tags" /> But let's say your boss mistakes "a pan galactic gargle blaster" for a real drink and reprimands you for drinking alcohol on the job. That could leave you feeling quite annoyed. <img width="533" height="360" border="1" src="http://www.f-secure.com/weblog/archives/Facebook_WhatTag06.png" alt="Facebook, What tags" /> <a href="https://www.facebook.com/help/427780037309149/">How do I share my feelings or what I'm doing in a status update?</a> Carefully. <hr> On 30/04/13 At 12:06 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Facebook is Testing Tags For "What" tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002547.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com <img width="444" height="411" border="1" src="http://www.f-secure.com/weblog/archives/fog_of_cd.jpg" alt="The Fog of Cyber Defence"> The Finnish National Defence University has published a 250-page book called The Fog of Cyber Defence. The book discusses cyber warfare, cyber arms race, and cyber defense from a Nordic viewpoint. The book was written by twenty authors: Insights into Cyberspace, Cyber Security, and Cyberwar in the Nordic Countries - (Jari Rantapelkonen &amp; Harry Kantola) Sovereignty in the Cyber Domain - (Topi Tuukkanen) Cyberspace, the Role of State, and Goal of Digital Finland - (Jari Rantapelkonen &amp; Saara Jantunen) Exercising Power in Social Media - (Margarita Jaitner) Victory in Exceptional War: The Estonian Main Narrative of the Cyber Attacks in 2007 - (Kari Alenius) The Origins and the Future of Cyber Security in the Finnish Defence Forces - (Anssi Kärkkäinen) Norwegian Cyber Security: How to Build a Resilient Cyber Society in a Small Nation - (Kristin Hemmer Mørkestøl) Cyber Security in Sweden from the Past to the Future - (Roland Heickerö) A Rugged Nation - (Simo Huopio) Contaminated Rather than Classified: CIS Design Principles to Support Cyber Incident Response Collaboration - (Erka Koivunen) Cyberwar: Another Revolution in Military Affairs? - (Tero Palokangas) What Can We Say About Cyberwar Based on Cybernetics? - (Sakari Ahvenainen) The Emperor's Digital Clothes: Cyberwar and the Application of Classical Theories of War - (Jan Hanska) Theoretical Offensive Cyber Militia Models - (Rain Ottis) Offensive Cyber Capabilities are Needed Because of Deterrence - (Jarno Limnéll) Threats Concerning the Usability of Satellite Communications in Cyberwarfare Environment - (Jouko Vankka &amp; Tapio Saarelainen) The Care and Maintenance of Cyberweapons - (Timo Kiravuo &amp; Mikko Särelä) The Exploit Marketplace - (Mikko Hyppönen) The Fog of Cyber Defence can be downloaded as a PDF file from <a href="http://www.doria.fi/bitstream/handle/10024/88689/The%20Fog%20of%20Cyber%20Defence%20NDU%202013.pdf?sequence=1">http://urn.fi/URN:ISBN:978-951-25-2431-0</a> On 30/04/13 At 06:53 AM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z The Fog of Cyber Defence tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002546.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com We spotted a new variant of the documents used in the cyber attacks against Uyghur back in <a href="http://www.securelist.com/en/blog/208194116/Cyber_Attacks_Against_Uyghur_Mac_OS_X_Users_Intensify">February</a>. This variant was first submitted to <a href="https://www.virustotal.com/en/file/e7671740298c5af7c38f599f17a8516180681fb48fd4fb9ac977b1257282219d/analysis/">VirusTotal</a> on April 11 from China. This time it uses IUHRDF, which may be a reference to <a href="http://iuhrdf.org/">International Uyghur Human Rights &amp; Democracy Foundation</a>, instead of Captain as the author: <img border="0" src="http://www.f-secure.com/weblog/archives/callme_doc.png" alt="Properties of poadasjkdasuodrr.doc" height="515" width="377"/> The payload is still the same besides using different filenames and command and control server. It uses "alma.apple.cloudns.org" as the command and control server: <img border="1" src="http://www.f-secure.com/weblog/archives/callme_c&amp;c.png" alt="Command and control server name" height="61" width="754" /> It creates the following copy of itself and launch point: ~/Library/Application Support/.realPlayerUpdate ~/library/launchagents/realPlayerUpdate.plist Or it may create the following instead (when executed with <a href="http://www.f-secure.com/weblog/archives/callme_filenames.png">2</a> <a href="http://www.f-secure.com/weblog/archives/callme_launchpoints.png">parameters</a>): /Library/Application Support/.realPlayerUpdate /library/LaunchDaemons/realPlayerUpdate.plist It remains pretty much the same malware and is generically detected as Backdoor:OSX/CallMe.A since February. MD5: ee84c5d626bf8450782f24fd7d2f3ae6 - poadasjkdasuodrr.doc MD5: 544539ea546e88ff462814ba96afef1a - .realPlayerUpdate On 25/04/13 At 01:39 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Another Document Targeting Uyghur Mac Users tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002545.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Fun Fact! Among the trusted root certificates used by Mac OS X, <a href="http://support.apple.com/kb/ht5012">iOS 5 and iOS 6</a>&hellip; <img width="627" height="546" border="0" src="http://www.f-secure.com/weblog/archives/DoD_CLASS_3_Root_CA.png" alt="DoD_CLASS_3_Root_CA" /> <img width="627" height="546" border="0" src="http://www.f-secure.com/weblog/archives/DoD_Root_CA_2.png" alt="DoD_Root_CA_2" /> <img width="655" height="390" border="0" src="http://www.f-secure.com/weblog/archives/iOS_DoD_certs.png" alt="iOS_DoD_certs" /> &hellip;are two from the United States Department of Defense (DoD). Interesting, no? On 24/04/13 At 06:39 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Apple's Root Certs Include the DoD tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002544.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com A few days after Oracle released its critical <a href="http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html">patch for Java</a>, and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2423">CVE-2013-2423</a> is already being exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening (as of this post): <img border="0" src="http://www.f-secure.com/weblog/archives/url_list.png" alt="url_list (122k image)" height="175" width="768" /> For a closer look, the image below contains a comparison of the classes found in the <a href="http://www.metasploit.com/modules/exploit/multi/browser/java_jre17_reflection_types">Metasploit module</a> and that of the ITW sample: <img border="0" src="http://www.f-secure.com/weblog/archives/Metasploit.png" alt="Metasploit (95k image)" height="330" width="550" /> Interestingly, the Metasploit module was published on the 20th, and as mentioned earlier, the exploit was seen in the wild the day after. Information about the PoC can be found <a href="http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0">here</a>. Files are detected as Exploit:Java/Majava.B. Sample hashes: 1a3386cc00b9d3188aae69c1a0dfe6ef3aa27bfa 23acb0bee1efe17aae75f8138f885724ead1640f Post by &mdash; Karmina and @<a href="http://twitter.com/TimoHirvonen">Timo</a> <hr> On 23/04/13 At 02:36 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z CVE-2013-2423 Java Vulnerability Exploit ITW tag:www.f-secure.com,2013-05-17:%2Fweblog%2Farchives%2F00002543.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com <a href="http://www.infosec.co.uk">Infosecurity Europe 2013</a> opened its doors today. And tomorrow&hellip; Our own <a href="https://twitter.com/mikko">Mikko Hypponen</a> will be inducted into Infosec's <a href="http://www.infosec.co.uk/en/Education-Programme/fame/">Hall of Fame</a>. <img width="650" height="390" border="0" src="http://www.f-secure.com/weblog/archives/InfoSecHallFame2013.png" alt="Infosecurity Europe's Hall of Fame 2013" /> Congratulations Mikko! Session details <a href="http://www.infosec.co.uk/en/Sessions/1258/The-Infosecurity-Europe-Hall-of-Fame-2013">here</a>. On 23/04/13 At 12:42 PM 2013-05-17T12:56:56Z 2013-05-17T12:56:56Z Infosec's Hall of Fame 2013 XML::Atom::SimpleFeed 2013-05-17T12:56:56Z Weblog of F-Secure Antivirus Research Team F-Secure Antivirus Research Weblog