
NSA Hoards Zero Days; Doesn’t Disclose Them All to Vendors

The NSA does not always disclose the zero-day vulnerabilities it finds to unprotected vendors. Some security flaws are kept secret “when they can be used to serve a clear national security or law enforcement need” (Wired).

The US National Security Agency (NSA) was hacked by a suspected Russian hacker group and many of their exploits and hacking tools were archived. Leaked information was made public that showed the NSA collects exploits and does not always disclose them to vulnerable vendors. When vulnerabilities are not disclosed, problems do not get fixed. The NSA appears to operate “on the premise that secrets will never get out. That no one will ever discover the same bug. That no one will ever use the same bug. That there will never be a leak” (Business Insider).

Unfortunately, as we are currently witnessing with this recent leak, other types of hackers are able to find the same bugs and those hackers could have more malicious intent than the NSA. When hackers obtain a trove of U.S. secrets, that could put the government and corporations worldwide in a susceptible position. For example, the leaked data includes information on breaching popular commercial firewalls. Emergency service providers, governments, financial systems and many businesses all rely on these firewall technologies.

Global networking company Cisco Systems confirmed last week that the NSA exploited an undetected severe vulnerability that allows remote attackers “who have already gained a foothold in a targeted network to gain full control over a firewall” (Ars Technica). The NSA had known about this vulnerability since 2013 and did nothing to stop it. Now that the data is leaked, Cisco fears that the information “could be used to breach its Adaptive Security Appliance (ASA) software used in its firewalls. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system”. It can be argued that these exploits would have been patched had the NSA disclosed the vulnerabilities instead of collecting them for its own use.



Anonymous Hacker Brings Harambe Back to Life on Twitter

On Saturday, the Twitter account of Cincinnati Zoo director Thane Maynard was breached. The hacker changed Maynard’s profile photo to a pic of Harambe.


Harambe was a silver-backed gorilla who was shot and killed at the Cincinnati Zoo when a 3-year-old boy fell into the gorilla’s enclosure. Many people online had strong opinions about this story, ranging from believing the parents of the child should be held accountable for Harambe’s death to supporting the killing of the gorilla because the child was in danger. Some even believed the child was in no danger and that both lives could have been spared. Anthropologist and UN Messenger of Peace Jane Goodall says that the Harambe story “highlighted the danger of zoo animals in close proximity to humans and the need for better standards of care” (Wikipedia).

The hacker who took over the Cincinnati Zoo director’s account also tweeted Harambe-sympathizing hashtags such as #JusticeForHarambe and #DsOutForHarambe. The hack continues on through Sunday, with the hacker telling the zoo employees to beg for their account back. Twitter user @prom has taken responsibility for the hack and says he doesn’t “worry about legal consequences at all” (Cincinnati.com).


Photo Credit: Julia Koefender – Flickr Creative Commons


Fans of Hello Kitty Experience Data Breach

3.3 million people could be affected by a recent data breach of Hello Kitty fans’ information from the website SanrioTown.com. The data included usernames, passwords, hints, email addresses and other sensitive information like names, birth dates and more.

The breached data was publicly available; no actual hacking was done to obtain this information. A security researcher, Chris Vickery, notified Sanrio about the hole in their database and it has since been patched. Sanrio has made a statement that there is no evidence that any data was actually stolen. Vickery has gone to the press about this because he believes companies too easily have the ‘Oh, it won’t happen to me’ mentality. This may bring to mind the case of the grey-hat hacker, Andrew Auernheimer (weev), who found a similar flaw that displayed personal information on AT&T iPad users on public URLs. Auernheimer was later brought up on charges for conspiracy to access a computer without authorization.

Another concern about this breach is whether or not children’s information was exposed.

“Sanrio said it doesn’t create accounts for children under 13. However, the leaked information, which came from users all over the world, appears to include accounts for those under age 18.” –CNET

Sanrio hosts popular children’s games such as Hello Kitty Online.


The Hacker Wars Movie: An Overview


What motivates someone to hack? What is a hacker’s life like? These are the questions the documentary “The Hacker Wars” seeks to answer and present to the viewer. In addition to these questions, the documentary seeks to show the viewer the battle over the internet, privacy, and freedom. On one side are the government and large corporations. On the other are hackers who seek to disrupt their operations.

“The Hacker Wars” (available on Amazon) is a documentary released in 2014 that follows several hackers and hacker community leaders. It follows their crimes, arrests, and outcomes, and provides details on the background and political beliefs of the hackers. As explained by the documentary, the hackers depicted seek to expose security flaws in governments’ and large corporations’ information systems. By exposing their flaws, lies and deceits, their ultimate aim is to start social and political movements that will result in a government that better serves the people.

The documentary begins by following Andrew “Weev” Auernheimer. Auernheimer headed an organization called “Goatse Security” which exposed an AT&T flaw. This flaw allowed Auernheimer to gather over 100,000 iPad users’ data. The data included high officials in government and celebrities. In short, he was able to gather this data from publicly accessible sources. This means that he did not illegally hack into anything. However, after AT&T refused to fix the problem, he released this data to the public by sending the data to a media outlet called Gawker Media. This ended with him being arrested and sent to prison, where he served over a year out of a 41-month sentence. His time was cut short when the conviction was overturned in April 2014 by the Third Circuit.

The documentary offers a pathway into his political views. Auernheimer is a self-titled internet troll. However, viewers get another viewpoint on what trolling means. In his view, trolling doesn’t mean causing havoc for the sake of causing havoc and anarchy. Rather, trolling means getting others to show who they really are once the curtain of public niceties goes away. By exposing flaws in companies’ security, he could force people to see organizations as they really were. He felt the government further impeded this by consistently creating laws that limit the constitutional right of free speech.

The film then shifts its focus to Barrett Brown. While not a hacker, he is a journalist who focused on facilitating and distributing publications on internet security. He is linked to the Stratfor hack in 2012. Stratfor is an intelligence consulting firm with many ties to the government. Brown was arrested on the charge that he shared a link to the leaked data over the internet. Charges were added after he was accused of threatening a federal officer.

Brown’s political motives were focused on the cyber-military-industrial complex. The film explained how trillions of dollars flow into the complex. He believes that this complex and other related industries help to eat away at human rights, privacy, and democracy. As a result of this, he founded a wiki and collaboration effort called “Project PM” that aimed at collecting data on this complex. By studying the data, he hoped to track how the government used these private corporations to collect data on citizens.

The film also explains that Brown had links to the hacktivists called “Anonymous”. He was even considered by some to be a spokesperson for them. The film also went on to explain that a portion of his motives was linked to his childhood. His family was brought down by the FBI and forced into a lower standard of living after his father was left broke after fighting charges that were later dropped.

The Stratfor leak was really caused by Jeremy Hammond, whom the film also profiles. He was convicted in November 2013 and given 10 years for hacking and leaking the information to WikiLeaks. The film explains that Brown played his part by disseminating this information. The film presents footage from a 2004 DEF CON where he pushed the idea of electronic civil disobedience and called for action against those who sought to control and manipulate others.

The film really climaxes over the history of Sabu and his link to Anonymous. Hector Xavier Monsegur, also known as Sabu, helped found the group LulzSec. However, it was later found out that Sabu was turned by the FBI into an informant in 2011. Inside, he helped provide information on the groups Anonymous, LulzSec and Antisec. The film goes on to explain and further imply that by controlling Sabu, the FBI was really able to hack into Stratfor. In short, the FBI, in some ways, controlled Anonymous or the hacking community to gain access to the intelligence Stratfor had.

The film also gives insight into a project called TrapWire. This technology, through surveillance, was able to gather information and report incidents to police and law enforcement. The film follows Auernheimer’s group as they simulated suspicious activity in front of cameras that were linked into this system. They later found out that they were actually reported to law enforcement. The film goes on to imply that this system was being used more prominently in the US than the government wanted the public to know.

The film goes on to tackle some really tough issues. For one, is it morally wrong to hack into a site? The hacktivists presented were of the opinion that people had the right to hack into these sites. Their actions were justified by the hope and aim of making people more aware of what the government was doing. They were also of the opinion that the way to really get corporations and governments to change was to expose these weaknesses. To expose these weaknesses, they had to hack into the site.

Another issue the film sought to address is the idea of free speech. These hackers supported the idea that government no longer wanted to allow the right of free speech. Some of these weaknesses in information security were not accessed by hacking. Rather, the information came from public resources. By charging the hackers with publishing this information, the government was infringing upon their right to free speech. In short, the film implied that today’s hackers fight for free speech and for putting government back where it belongs, which is taking care of us rather than controlling and surveilling us.
