Hacking the Election: Security Flaws Need Fixing, Researchers Say


Hackers could have easily infiltrated US voting machines in 2016 and are likely to try again in light of vulnerabilities in electronic polling systems, a group of researchers said Tuesday.

A report detailing the findings of a July hacker conference, at which participants demonstrated how voting machines could be manipulated, concluded that numerous vulnerabilities exist and pose a national security threat.

The researchers analyzed the results of the “voting village” hacking contest at the DefCon gathering of hackers in Las Vegas this year, which showed how ballot machines could be compromised within minutes.

“These machines were pretty easy to hack,” said Jeff Moss, the DefCon founder who presented the report at the Atlantic Council in Washington. “The problem is not going away. It’s only going to accelerate.”

The report said the DefCon hack was just the tip of the iceberg — with potential weaknesses in voter databases, tabulating software and other parts of the system.

The researchers said most voting machines examined included at least some foreign-manufactured parts, raising the possibility that malware could be introduced even before the devices are delivered.

“This discovery means that a hacker’s point-of-entry into an entire make or model of voting machine could happen well before that voting machine rolls off the production line,” the report said.

“With an ability to infiltrate voting infrastructure at any point in the supply chain process, then the ability to synchronize and inflict large-scale damage becomes a real possibility.”

– No certainty on 2016 –

Harri Hursti, a researcher with Nordic Innovation Labs and a co-author of the report, said it’s impossible to say with certainty if votes were tampered with in 2016 because many systems “don’t have the capacity” to be audited.

The report said five US states operate entirely on paperless systems which have no paper trail to be reviewed and another nine states are partially paperless.

“The only way to know is if the hacker tells you,” he said, adding that “it can be done without leaving tracks.”

Douglas Lute, former US ambassador to NATO, who also presented the report, said in a foreword to the report that the findings highlight “a serious national security issue that strikes at the core of our democracy.”

Although some researchers in the past have shown that individual machines could be breached, this report points to vulnerabilities across the full range of hardware, software and databases involved.

“What the report shows is that if relative rookies can hack a voting system so quickly, it is difficult to deny that a nefarious actor — like Russia — with unlimited time and resources, could not do much greater damage,” said University of Chicago cybersecurity instructor Jake Braun, another co-author.

The threat becomes all the more grave “when you consider they could hack an entire line of voting machines, remotely and all at once via the supply chain,” he added.

In presenting the findings, the researchers said members of the DefCon hacker community would work with academics and security researchers in a new coalition aimed at improving election security.

Source: securityweek

Hackers are compromising websites to mine cryptocoins via user’s CPU


For the last couple of weeks, the practice of inserting cryptocurrency-mining code into websites has been growing like never before. What should worry visitors is that the mining runs entirely on their own computers, from start to finish.

Recently, the cybersecurity firm Trend Micro discovered that hackers are compromising charity, school and file-sharing websites with code that makes the site use each visitor’s CPU to generate cryptocurrency.

In effect, the code turns the visitor’s computer into a miner. The more computers that run it, the faster the digital currency is generated and the more money the attacker makes. The victim is left with a slower machine and a higher electricity bill.

(Animation: hackers compromising websites to mine cryptocoins via the user’s CPU. Gif credit: Bitminer)

According to Rik Ferguson, vice-president of security research at Trend Micro: “This is absolutely a numbers game. There’s a huge attraction of being able to use other people’s devices in a massively distributed fashion because you then effectively take advantage of a huge amount of computing resources.”

The security firm discovered that hundreds of famous websites are using the code. Some are using “Coin Hive” code, some are using JSE Coin script while some have no idea how the code got onto their websites.
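Site owners in the third group, the ones who did not know how the code got there, need a way to tell whether the pages they actually serve carry a miner. The following checker is an added example written for this page, not Trend Micro’s or Coin Hive’s code. It parses a page’s script tags and inline script bodies and matches them against indicators for the two families named above; the Coin Hive loader filename and the CoinHive.Anonymous API come from that service’s public documentation, while the JSEcoin host pattern and the two sample pages are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Indicators of the in-browser miners named in the article. The Coin Hive
# loader path and the CoinHive.Anonymous API are taken from that service's
# public documentation; the JSEcoin host pattern is an assumption for this
# example. Extend the table with whatever your own telemetry shows.
MINER_INDICATORS = {
    "coinhive": [
        re.compile(r"coinhive\.min\.js", re.I),
        re.compile(r"CoinHive\.(Anonymous|User|Token)\s*\(", re.I),
    ],
    "jsecoin": [
        re.compile(r"jsecoin\.com", re.I),
    ],
}


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def find_miners(html):
    """Return sorted (family, evidence) pairs for every indicator hit.

    Both <script src=...> URLs and inline script bodies are checked, because
    an injected miner is usually a one-line loader plus a short inline
    snippet that instantiates it with the attacker's site key.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    hits = set()
    for text in collector.srcs + collector.inline:
        for family, patterns in MINER_INDICATORS.items():
            for pattern in patterns:
                match = pattern.search(text)
                if match:
                    hits.add((family, match.group(0)))
    return sorted(hits)


# Constructed sample: a page carrying a typical injected Coin Hive loader.
INFECTED_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_REDACTED', {throttle: 0.3});
  miner.start();
</script>
</head><body><h1>Charity drive 2017</h1></body></html>"""

# Constructed sample: the same page with only its own script.
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Charity drive 2017</h1></body></html>"""

if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_miners(page))
```

Run it over the HTML as served to visitors, not the templates in your repository, since the injection may live in a plugin, a theme or a compromised third-party script. A Content-Security-Policy with a script-src allowlist stops an unexpected external loader outright and is the durable fix once the injected code has been removed.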

To get rid of it, some site owners have simply removed the code, while others have updated their security policies and issued patches. Some are still investigating, focusing on how their site was compromised and how the code ended up on it without triggering any warning.

BBC reported that developers of Coin Hive are also taking action against those misusing their code for malicious purposes. “We had a few early users that implemented the script on sites they previously hacked, without the site owner’s knowledge. We have banned several of these accounts and will continue to do so when we learn about such cases,” Coin Hive told BBC.

In a tweet, FiveM, a modification framework for GTA V, said that it had issued a security update specifically to stop users from adding miners to their code.

CloudFlare, a content delivery network and Internet security service, also kicked a torrent website off its service for secretly running a cryptocurrency miner. The company described running “mining code without notifying users” as follows: “We consider this to be malware.”

Last month, The Pirate Bay website was caught “testing” cryptocurrency miner while two domains owned by CBS Corporation’s premium cable network Showtime’s sites were also found to be mining cryptocoins without informing their visitors.

In another report, Trend Micro said that hackers are also using smart home devices to generate cryptocurrency. “Trend Micro data shows that more and more home devices are being compromised—we blocked over 90% more home network attacks in September compared to July, and most of the attacks are attempting to mine cryptocurrency,” said Trend Micro.

Although the practice is still rare, if adopted on a long-term basis it might replace ads for good, since advertisements can themselves be malicious and annoying. Users are, however, deeply concerned that it hijacks their computers for mining, so website owners should let visitors choose whether the site may use their CPU for mining or not.

Source: hackread

WebBreaker – Dynamic Application Security Test Orchestration (DASTO)



Build functional security testing into your software development and release cycles! WebBreaker provides the capabilities to automate and centrally manage Dynamic Application Security Testing (DAST) as part of your DevOps pipeline.
WebBreaker gives every participant in the secure software development life-cycle (SDLC) access to security testing, with greater test coverage and increased visibility, by providing Dynamic Application Security Test Orchestration (DASTO). Current support is limited to the world’s most popular commercial DAST product, WebInspect.
Supported Features
  • Command-line (CLI) scan administration of WebInspect with Fortify SSC products.
  • Jenkins Environmental Variable & String Parameter support (i.e. $BUILD_TAG)
  • Docker container v17.x support
  • Custom email alerting or notifications for scan launch and completion.
  • Extensible event logging for scan administration and results.
  • WebInspect REST API support for v9.30 and later.
  • Fortify Software Security Center (SSC) REST API support for v16.10 and later.
  • WebInspect scan cluster support between two (2) or greater WebInspect servers/sensors.
  • Capabilities for extensible scan telemetry with ELK and Splunk.
  • GIT support for centrally managing WebInspect scan configurations.
  • Replaces most functionality of Fortify’s fortifyclient
  • Python compatibility with versions 2.x or 3.x
  • Encrypts all stored secrets with Fernet from the Python cryptography library (AES-128 in CBC mode with an HMAC-SHA256 tag) and manages the key for you.

Quick Local Installation and Configurations
Installing WebBreaker from source:

  1. git clone https://github.com/target/webbreaker
  2. pip install -r requirements.txt
  3. python setup.py install

Configuring WebBreaker:

  1. Point WebBreaker to your WebInspect API server(s) by editing: webbreaker/etc/webinspect.ini
  2. Point WebBreaker to your Fortify SSC URL by editing: webbreaker/etc/fortify.ini
  3. SMTP settings on email notifications and a message template can be edited in webbreaker/etc/email.ini
  4. Users are encouraged to keep WebInspect settings, policies and webmacros in their own (mutually exclusive) remote Git repositories. Simply add the Git URL and the respective directories to webinspect.ini.

NOTES:

  • Required: As with any Python application that contains library dependencies, pip is required for installation.
  • Optional: Include your Python site-packages, if they are not already in your $PATH with export PATH=$PATH:$PYTHONPATH.

Usage
WebBreaker is a command-line interface (CLI) client. See our complete WebBreaker Documentation for further configuration, usage, and installation.
The CLI supports upper-level and lower-level commands with respective options to enable interaction with Dynamic Application Security Test (DAST) products. Currently the two products supported are WebInspect and Fortify (more to come in the future!).
Below is a Cheatsheet of supported commands to get you started.

List all WebInspect scans:
webbreaker webinspect list --server webinspect-1.example.com:8083

Query WebInspect scans:
webbreaker webinspect list --server webinspect-1.example.com:8083 --scan_name important_site

List with http:
webbreaker webinspect list --server webinspect-1.example.com:8083 --protocol http

Download WebInspect scan from server or sensor:
webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth

Download WebInspect scan as XML:
webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth -x xml

Download WebInspect scan with http (no SSL):
webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth --protocol http

Basic WebInspect scan:
webbreaker webinspect scan --settings important_site_auth

Advanced WebInspect Scan with Scan overrides:
webbreaker webinspect scan --settings important_site_auth --allowed_hosts example.com --allowed_hosts m.example.com

Scan with local WebInspect settings:
webbreaker webinspect scan --settings /Users/Matt/Documents/important_site_auth

Initial Fortify SSC listing with command-line authentication (the SSC token is then cached for one day). A password typed on the command line ends up in shell history; the interactive form below, or an environment variable as in the upload examples, keeps it out of there:
webbreaker fortify list --fortify_user matt --fortify_password abc123

Interactive Listing of all Fortify SSC application versions:
webbreaker fortify list

List Fortify SSC versions by application (case sensitive):
webbreaker fortify list --application WEBINSPECT

Upload to Fortify SSC with command-line authentication:
webbreaker fortify upload --fortify_user $FORT_USER --fortify_password $FORT_PASS --version important_site_auth

Upload to Fortify SSC with interactive authentication & application version configured with fortify.ini:
webbreaker fortify upload --version important_site_auth --scan_name auth_scan

Upload to Fortify SSC with application/project & version name:
webbreaker fortify upload --application my_other_app --version important_site_auth --scan_name auth_scan

WebBreaker Console Output

webbreaker webinspect scan --settings MyCustomWebInspectSetting --scan_policy Application --scan_name some_scan_name
 _       __     __    ____                  __            
| |     / /__  / /_  / __ )________  ____ _/ /_____  _____
| | /| / / _ \/ __ \/ __  / ___/ _ \/ __ `/ //_/ _ \/ ___/
| |/ |/ /  __/ /_/ / /_/ / /  /  __/ /_/ / ,< /  __/ /    
|__/|__/\___/_.___/_____/_/   \___/\__,_/_/|_|\___/_/     

Version 1.2.0

JIT Scheduler has selected endpoint https://some.webinspect.server.com:8083.
WebInspect scan launched on https://some.webinspect.server.com:8083 your scan id: ec72be39-a8fa-46b2-ba79-10adb52f8adb !!

Scan results file is available: some_scan_name.fpr
Scan has finished.
Webbreaker complete.
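The console output above is what a CI job has to work with when it chains a scan and an upload. The following wrapper is an added example for this page, not part of the WebBreaker project: it composes the scan and upload command lines from the cheatsheet, derives the scan name from the Jenkins build tag, parses the endpoint, scan id and results file out of the output, and refuses to upload unless the scan reported that it finished. The regexes are matched against the 1.2.0 output shown above and are an assumption that must be re-checked after an upgrade; the `_run` helper and the FORT_USER/FORT_PASS environment variables are likewise conventions chosen for the example.

```python
import os
import re
import subprocess

# The three regexes match the console output shown above for WebBreaker 1.2.0.
# The wording is not a documented interface and may change between versions,
# so treat them as an assumption to re-check after an upgrade.
_ENDPOINT = re.compile(r"selected endpoint (\S+)\.")
_SCAN_ID = re.compile(r"your scan id: ([0-9a-f-]{36})", re.I)
_RESULTS = re.compile(r"results file is available: (\S+)")


def parse_webbreaker_output(text):
    """Extract the endpoint, scan id and results file from a scan's console output."""
    result = {"endpoint": None, "scan_id": None, "results": None,
              "finished": "Scan has finished." in text}
    for key, pattern in (("endpoint", _ENDPOINT), ("scan_id", _SCAN_ID),
                         ("results", _RESULTS)):
        match = pattern.search(text)
        if match:
            result[key] = match.group(1)
    return result


def build_scan_command(settings, build_tag, allowed_hosts=(), scan_policy=None):
    """Compose the `webbreaker webinspect scan` argv for one CI run.

    The scan name embeds the Jenkins build tag so every run is unique and can
    be traced back to the build that produced it; hosts are passed as repeated
    --allowed_hosts overrides exactly as in the cheatsheet above.
    """
    argv = ["webbreaker", "webinspect", "scan", "--settings", settings,
            "--scan_name", "%s-%s" % (settings, build_tag)]
    if scan_policy:
        argv += ["--scan_policy", scan_policy]
    for host in allowed_hosts:
        argv += ["--allowed_hosts", host]
    return argv


def build_upload_command(version, scan_name, env=None):
    """Compose the `webbreaker fortify upload` argv.

    Credentials are only added when FORT_USER / FORT_PASS are present in the
    environment (the CI secret store), so they are never typed and never land
    in shell history; otherwise the token cached by an earlier interactive
    login, or fortify.ini, is relied on. Flag-based credentials are still
    visible in the process list while the upload runs.
    """
    env = os.environ if env is None else env
    argv = ["webbreaker", "fortify", "upload", "--version", version,
            "--scan_name", scan_name]
    user, password = env.get("FORT_USER"), env.get("FORT_PASS")
    if user and password:
        argv += ["--fortify_user", user, "--fortify_password", password]
    return argv


def _run(argv):
    """Run a WebBreaker command and return its console output (assumed helper)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def run_scan_and_upload(settings, build_tag, version, allowed_hosts=(), runner=_run):
    """Scan, verify the scan really finished, then upload the .fpr to Fortify SSC.

    `runner` is injected so the flow can be exercised without WebInspect present.
    """
    scan_argv = build_scan_command(settings, build_tag, allowed_hosts)
    scan_name = scan_argv[scan_argv.index("--scan_name") + 1]
    parsed = parse_webbreaker_output(runner(scan_argv))
    if not (parsed["finished"] and parsed["results"]):
        raise RuntimeError("WebInspect scan did not complete: %r" % parsed)
    runner(build_upload_command(version, scan_name))
    return parsed


# Console output copied from the sample above, used here as offline test input.
SAMPLE_OUTPUT = """Version 1.2.0

JIT Scheduler has selected endpoint https://some.webinspect.server.com:8083.
WebInspect scan launched on https://some.webinspect.server.com:8083 your scan id: ec72be39-a8fa-46b2-ba79-10adb52f8adb !!

Scan results file is available: some_scan_name.fpr
Scan has finished.
Webbreaker complete.
"""

if __name__ == "__main__":
    print(parse_webbreaker_output(SAMPLE_OUTPUT))
```

In Jenkins the build tag comes from `$BUILD_TAG`, which WebBreaker itself can also expand; the wrapper only adds the gate on "Scan has finished." so that a scan that died half-way never produces an upload of a stale or empty .fpr.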

AWSBucketDump – Security Tool to Look For Interesting Files in S3 Buckets



AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It’s similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you’re not afraid to quickly fill up your hard drive.
Pre-Requisites
Non-standard Python libraries:
  • xmltodict
  • requests
  • argparse (listed by the project, although it has shipped with the standard library since Python 3.2)
Created with Python 3.6
General
This is a tool that enumerates Amazon S3 buckets and looks for interesting files.
I have example wordlists but I haven’t put much time into refining them.
https://github.com/danielmiessler/SecLists will have all the word lists you need. If you are targeting a specific company, you will likely want to use jhaddix’s enumall tool which leverages recon-ng and Alt-DNS.
As far as word lists for grepping interesting files, that is completely up to you. The one I provided has some basics and yes, those word lists are based on files that I personally have found with this tool.
Using the download feature might fill your hard drive up, you can provide a max file size for each download at the command line when you run the tool. Keep in mind that it is in bytes.
I honestly don’t know if Amazon rate limits this; I am guessing they do to some extent, but I haven’t gotten around to figuring out what that limit is. By default there are two threads for checking buckets and two for downloading.
After building this tool, I did find an interesting article from Rapid7 regarding this research: https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets

Usage:
usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]

optional arguments:
  -h, --help     show this help message and exit
  -D             Download files. This requires significant diskspace
  -d             If set to 1 or True, create directories for each host w/ results
  -t THREADS     number of threads
  -l HOSTLIST
  -g GREPWORDS   Provide a wordlist to grep for
  -m MAXSIZE     Maximum file size to download.
python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1
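What the tool does per bucket name is an unauthenticated GET of the bucket’s root URL, a classification of the response, and a grep over the returned listing. The following is an added example written for this page, not AWSBucketDump’s own code: it implements that loop with the standard-library XML parser, honours the -g wordlist and -m size cap, and also checks S3’s IsTruncated flag, which a naive one-shot listing silently ignores. The `fetch` callable is injected so the logic runs offline; the bucket names, listing XML and error bodies below are constructed samples, not real buckets.

```python
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def classify_bucket(status, body):
    """Interpret an unauthenticated GET of a bucket's root URL.

    200 with a ListBucketResult body: anyone can list the bucket.
    403: the name is taken but listing is denied (still worth recording).
    404 with NoSuchBucket: the name is free.
    Anything else is returned verbatim so throttling or redirects show up.
    """
    if status == 200 and "<ListBucketResult" in body:
        return "listable"
    if status == 403:
        return "exists-private"
    if status == 404 and "NoSuchBucket" in body:
        return "missing"
    return "other:%d" % status


def parse_listing(body):
    """Return ([(key, size_bytes), ...], is_truncated) from a ListBucketResult.

    S3 returns at most 1000 keys per response; when IsTruncated is true the
    caller must page with the marker, otherwise the tail of a big bucket is
    silently missed.
    """
    root = ET.fromstring(body)
    objects = []
    for contents in root.iter(S3_NS + "Contents"):
        key = contents.findtext(S3_NS + "Key", default="")
        size = int(contents.findtext(S3_NS + "Size", default="0"))
        objects.append((key, size))
    truncated = root.findtext(S3_NS + "IsTruncated", default="false").lower() == "true"
    return objects, truncated


def interesting_objects(objects, grepwords, max_size=None):
    """Keep keys containing any grep word (case-insensitive), like -g, and
    drop objects larger than max_size bytes, like -m."""
    words = [w.strip().lower() for w in grepwords if w.strip()]
    hits = []
    for key, size in objects:
        if max_size is not None and size > max_size:
            continue
        if any(w in key.lower() for w in words):
            hits.append((key, size))
    return hits


def scan_buckets(names, fetch, grepwords, max_size=None):
    """Drive the whole check for a list of candidate names.

    `fetch(name)` must return (status, body) for the bucket's root URL; it is
    injected so the logic can be tested offline and so the caller controls
    threading, timeouts and the User-Agent.
    """
    report = {}
    for name in names:
        status, body = fetch(name)
        state = classify_bucket(status, body)
        entry = {"state": state, "hits": [], "truncated": False}
        if state == "listable":
            objects, entry["truncated"] = parse_listing(body)
            entry["hits"] = interesting_objects(objects, grepwords, max_size)
        report[name] = entry
    return report


# Constructed sample responses standing in for live S3 replies.
LISTING_XML = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>acme-assets</Name>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>backups/db-2017-10.sql.gz</Key><Size>734003200</Size></Contents>
  <Contents><Key>config/.env</Key><Size>412</Size></Contents>
  <Contents><Key>images/logo.png</Key><Size>9120</Size></Contents>
  <Contents><Key>keys/id_rsa</Key><Size>1675</Size></Contents>
</ListBucketResult>"""

NO_SUCH_BUCKET_XML = """<Error><Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message></Error>"""

FAKE_RESPONSES = {
    "acme-assets": (200, LISTING_XML),
    "acme-private": (403, "<Error><Code>AccessDenied</Code></Error>"),
    "acme-nothing": (404, NO_SUCH_BUCKET_XML),
}

GREPWORDS = ["sql", ".env", "id_rsa", "password"]

if __name__ == "__main__":
    for name, entry in scan_buckets(FAKE_RESPONSES, FAKE_RESPONSES.get, GREPWORDS, 500000).items():
        print(name, entry)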

Source: kitploit

MyEtherWallet Notification – Email scam



A new scam.
This time, the hacker tries to steal logging data for the Ethereum wallet.
A site identical to the original was created with the intention of misleading users.

The email comes from an address unrelated to the website, markus.reichenau@t-online.de, even though it is presented as coming directly from myetherwallet.com.

Here you see the differences between the original and the fake websites.


And beyond that, the address difference is very clear!!! 

 myetherwallet.com vs myethlerwallet.com

Have fun & Stay safe!!! 

New bitcoin transaction scam!



“Payment made to your account by mistake” is already a well-known scam.
In this case I received an email saying that someone had sent bitcoins to my address and that I should check my account.

0.54798743 BTC = 1,830 EUR … well… I do not think anyone would make such a mistake without noticing..

Let’s start:
  1. What does transmitel.com have to do with bitcoin transactions? The domain belongs to a security systems company in Barcelona, owned by TRANSMITEL S.L.
  2. The email was sent to 6 addresses, so 6 wrong transactions?

All the hyperlinks have a hidden secret.

See it? Blockchain.com has become Blockchlain.info!
So when you try to go to the blockchain page to log in, you will end up on a different page.
Do not worry, the website is already closed!
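Both scams above rely on the same two tricks: a visible link text that names the real site while the href goes somewhere else, and a domain one keystroke away from the real one (myethlerwallet.com, blockchlain.info). The checker below is an added example written for this page, not code from either post. It parses the anchors out of an email body, compares each link’s host against a small trusted list, and flags the two tricks with an edit-distance test; the trusted list and the sample email are assumptions constructed for the example, and the registrable-domain reduction is deliberately crude (a real tool would use the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the two posts above are about; add your own bank, exchange, etc.
TRUSTED = {"myetherwallet.com", "blockchain.com", "blockchain.info"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def registrable(host):
    """Crude registrable-domain reduction: keep the last two labels.
    A real implementation would consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, trusted=TRUSTED, max_distance=2):
    """Return [(href, [reasons])] for links that impersonate a trusted domain.

    Two checks: the visible text names a trusted domain while the href points
    elsewhere (the Blockchain.com -> blockchlain.info trick), and the href's
    domain is within max_distance edits of a trusted one (myethlerwallet.com).
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = registrable(urlparse(href).hostname or "")
        if not host or host in trusted:
            continue
        reasons = []
        for good in sorted(trusted):
            if good in text.lower():
                reasons.append("text shows %s but link goes to %s" % (good, host))
            distance = edit_distance(host, good)
            if distance <= max_distance:
                reasons.append("%s is %d edit(s) from %s" % (host, distance, good))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample email body modelled on the two scams described above.
SAMPLE_EMAIL = """<p>Someone sent you 0.54798743 BTC. Please visit
<a href="https://blockchlain.info/wallet/login">Blockchain.com</a> to confirm.</p>
<p>Your wallet needs verification:
<a href="http://www.myethlerwallet.com/">https://www.myetherwallet.com</a></p>
<p>Support: <a href="https://blockchain.info/support">Blockchain support</a></p>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The legitimate support link in the sample passes because its host is on the trusted list; everything else is reported with the reason, which is what you want when triaging a mailbox full of these.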

The consequences are understandable.
If you log in, someone will be in possession of your data and possibly your account.

Have fun & Stay safe!

Hunting Paypal Scammer – Busted 100%


Here’s a new piece of software that promises to increase your revenue.
The point is that you do not have to believe in miracles.
Everything looks good, but if you try to log in to your PayPal account through it, your credentials are sent off without you realizing it.
The data goes to the email address of the person who posted the software, and you stand every chance of losing even the little money you have in your account.

Today I will try to find the “hacker” for you!
(Screenshots: Paypal doubler scam)
To give the scammer time to take over the account, it asks you to wait 72 hours for the payment.
Once you’ve entered your data, the software logs in to a Google account and sends the data there.
Because of Google’s security I cannot log in, because it does not recognize my device.
I have to admit that I have pressed several times to call and send a message to the number attached to the account.
I hope I’ve stressed him a little!

If we want to catch the hacker, we just need to send an email identical to the one that comes from Google, where we can attach what we already have:

  • Email  – ***sans@gmail.com
  • Phone number – (…) …_.. 02
  • Password – Nofreewifihere2468

Search on Google and you will find something like this:
***hacker911@gmail.com:Nofreewifihere2468::Pandora
Somewhere I’ve seen that his name is Saif.. ok.
Look who gives good comment on the youtube video:

  • Studied at Dr. Phillips High School
  • Lives in Ocoee, Florida



Mission completed!

Have Fun & Stay Safe!