Interview With A Blackhat

May 25th, 2013

Fascinating interview with a (former) blackhat:

One ‘blackhat,’ who asked to be called Adam, that I have spoken to a lot has recently says he’s decided to go legit. During this life-changing transition, he offered to give an interview so that the rest of the security community could learn from his point of view. Not every blackhat wants to talk, for obvious reasons, so this is a rare opportunity to see the world through his eyes, even if we’re unable to verify any of the claims made. [...]

“I like to watch the news; especially the financial side of it. Say if a target just started up and it suddenly sky rocketed in online sales that’ll become a target. Most of these websites have admins behind them who have no practical experience of being the bad guy and how the bad guys think. This leaves them hugely vulnerable.”

“One thing that did hugely affect bot infection rates was the mass removal of Java. When news of a java 0-day gets published people panic (rightly so) and un-install it or patch but as we all know java never stays secure for long.”

“It’s super hard to gather evidence for the crime, and even so the money is impossible to find. Ten or eleven mil over 10-13 years for a 10-15 year sentence. I can’t really say what it’d be like without freedom as I’ve always had it so I can’t imagine losing it.”

Interview With A Blackhat (Part 1)
Interview With A Blackhat (Part 2)
Interview With A Blackhat (Part 3)

When spammers go to war: Behind the Spamhaus DDoS:

Over the last ten days, a series of massive denial-of-service attacks has been aimed at Spamhaus, a not-for-profit organization that describes its purpose as “track[ing] the Internet’s spam operations and sources, to provide dependable realtime anti-spam protection for Internet networks.

Background article about the biggest DDoS so far. Two more interesting articles below.

The largest DDoS attack didn’t break the internet, but it did try:

A 300Gbps distributed denial-of-service attack thought to be the largest in the world has put key internet infrastructure to the test, and, so far, the attack has failed.

The DDoS That Almost Broke the Internet:

On Monday, March 18, 2013 Spamhaus contacted CloudFlare regarding an attack they were seeing against their website spamhaus.org. They signed up for CloudFlare and we quickly mitigated the attack.

Just when we thought that DDoS is business as usual ;-)

Going Bright: Wiretapping without Weakening Communications Infrastructure:

Mobile IP-based communications and changes in technologies have been a subject of concern for law enforcement, which seeks to extend current wiretap design requirements for digital voice networks. Such an extension would create considerable security risks as well as seriously harm innovation. Exploitation of naturally occurring bugs in the platforms being used by targets may be a better alternative.

Apparently VoIP implementations are so buggy that there’s no need for vendors to include backdoors!

Drink hackers take home carbonators to the limit:

It seems inevitable that if a product specifically advises against certain activities that some people are going to push the limit.

Oh those hackers…

The “Red October” Campaign

January 15th, 2013

The “Red October” Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies

During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

Kaspersky Lab’s researchers have spent several months analyzing this malware, which targets specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.

Tip of the iceberg… I’m sure we’ll hear about more attacks like these.

Def Con XX: twenty years of hacker evolution:

Twenty years ago, the world of consumer technology was a very different place. In the early 1990′s, cell phones were still expensive devices slowly making their way out of Gordon Gekko’s high-rise office and into the hands of well-heeled customers like, for example, Zach Morris.

Ah the good old times!

Amazon Has Another Huge Security Hole:

You may recall that Amazon was implicated as the weak link in the Mat Honan iCloud hack, wherein a gadget blogger had his entire online identity nuked from orbit because Amazon gave up the secondary identifying information necessary to issue a password reset over at Apple.

Not a good thing for Amazon, after they just closed the Epic Hacking problem.

Following up from the Epic Hack, here’s an interesting piece about the guy who supposedly pioneered some of the new social engineering hacks.

I wonder how much of everything else Cosmo has told me is true. The only thing I am certain of is that online security is an illusion. But I think he is being honest now. I think he’s genuinely remorseful and just wants all these gaping account holes, many of which he found or helped publicize, closed at last before anyone else has their identity stolen, or the SWAT team sent to their door. That’s what I believe, at least.

via Cosmo, the Hacker ‘God’ Who Fell to Earth.

Epic Hacking

August 10th, 2012

Why can’t I get rid of the nagging feeling that this guy asked the hacker himself to do it, to get a great story into Wired and everywhere? Staged like this, the story is much better than if he simply reported that it was theoretically possible to remote wipe somebody’s iDevices just by abusing Amazon’s and Apple’s flawed password reset routines.

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

via How Apple and Amazon Security Flaws Led to My Epic Hacking.

Maybe it’s because of a flood of recent stories where journalist’s ethics were less than questionable?

Brain Hacking: Scientists Extract Personal Secrets With Commercial Hardware:

Chalk this up to super-creepy: scientists have discovered a way to mind-read personal secrets, such as bank PIN numbers and personal associations, using a cheap headset.

Scary!