Power failure Across India, Hit by Malware Attack

India’s Northern power grid crashed on Monday morning wreaking havoc at airports, railway and metro stations, hospitals and across traffic congested roads, its worst power outage in a decade.

Indian power infrastructure under attack: India is losing millions in just hours. The same snag developed within 24 hours of recovery, and reports say the system is infected by sophisticated malware.
Malware is spreading; today more than 67 crore people are without power. Cyber analysts suspect a "PAK"-China nexus behind this attack.


Hundreds of millions of people have been left without electricity in northern and eastern India after a massive power breakdown.

Some analysts say it is a cyber attack by malware, but no Indian authority has confirmed it yet. The way authorities are restoring the service suggests the whole thing is beyond their skills; meanwhile, mainstream media has been barred from reporting, as this could bring disgrace to India's security services.

Since the first power trip up on Monday, there have been discussions within the security establishment about the possibility of entities trying to carry out a sophisticated cyber-attack to cripple the grids.

Officials who carried out an audit of critical information infrastructure admit it is "theoretically possible" to cripple India's power grids through a cyber-attack.


Despite such a possibility, the shutdown did not seem to have led to a crisis management procedure that aimed at ruling out or confirming a cyber-attack.

"Given the fact that our grids are vulnerable to a cyber-attack, those responsible for managing grids should have a proactive policy to rule out cyber-attack as part of their crisis management procedures," a senior official said. "But none of it was visible," he added.

Sources aware of contacts among the power ministry, power grid authorities and those in both CERT-IN (Computer Emergency Response Team-India) and NTRO (National Technical Research Organisation) say there was no proactive effort by those responsible for power grids.

However, both CERT-IN and NTRO are believed to have established their own procedures to ensure the shutdowns were not a cyber-attack but had been brought on by massive over-the-limit withdrawals by states to supply electricity for pumps tapping groundwater in the absence of rainfall during this monsoon.

Officials said the government is now discussing possible ways to speed up the setting up of the National Critical Information Infrastructure Protection Centre (NCIPC), which would act as the command and control centre for monitoring the critical information infrastructure of the country. NCIPC was recently approved by the National Security Council headed by the Prime Minister.

Sources said the government is also planning to hold a national consultation of all stakeholders involved in critical information infrastructure.

The government is already setting up dedicated CERT-INs for various critical sectors such as power and civil aviation.

Officials point to breaches reported from power grids in the US, the cyber intrusion into the Iranian nuclear network and other such incidents around the world to warn that India needs a more robust crisis management procedure that includes proactively ruling out cyber-attacks.

16 Arrested for hacking Globe Telecom system


MANILA, Philippines – Sixteen people, including several South Korean nationals, have been arrested by police for allegedly hacking into Globe Telecom's system to make unbilled international calls.

Director Samuel Pagdilao, Chief of the Criminal Investigation and Detection Group (CIDG), said in a statement Tuesday that nine Koreans and several Filipino suspects have been apprehended through successive raids in Pasig, Manila, and Mandaluyong cities.


He said they belong to a cybercrime group that has been placed under police surveillance for several weeks.

The Koreans were identified as Eun Young Bae, Kwang Ming Song, 27, Junggyn Yang, 30, Kim Tae Hyung alias Martin Kim, Sehun Park, a certain Choi, Jong-Seok alias Edward Choi, Jung Dongchan alias Kevin Jeong, Jinwan Kim alias Liam Jin.

The other suspects were identified as Marcela Dela Paz, Chachin La Evidia Bornales, Christine Joy Gicale Carondoy alias Joya, 18, Joan Gicale Turno alias Queennie, 19, Jazzy Romero de la Cruz, 20, Jessa Grande Llaguno, 18, and Michelle Cambe Nacional, 26.

The suspects will be charged with violation of Republic Act No. 8484 or “Access Devices Regulation Act of 1998,” Pagdilao said.

Senior Superintendent Gilbert Sosa, CIDG’s Anti-Transnational and Cyber Crime Division (AFCCD) Chief, said that Globe had complained about the alleged hacking being done by the suspects through International Simple Resale (ISR) of international calls.

“ISR is an illegal act in the country because it deprives government of unrealized revenues and to the prejudice of Globe Telecom, where unbilled international calls were being charged and rerouted as mere local calls,” Sosa said.

Authorities confiscated computers, network hubs, GSM Modems, and bundles of unused SIM cards of Globe and Touch Mobile that were used to hack into Globe’s networks.

Two vehicles, a black Hyundai Tucson and a silver Toyota Camry, were also confiscated by authorities in the raids.

The separate raids were conducted in Tower A, Renaissance 3000 building, Meralco Avenue, Ortigas, Pasig City; Pearl of the Orient Tower, Roxas Boulevard, Ermita, Manila; North Tower, Lee Garden Condominium, Laurel St., Mandaluyong City; and Royal Plaza, Twin Towers, Malate, Manila.

Pagdilao said that “the arrests of Korean and Filipino suspects demonstrate the need for a tougher law to deal with new challenges in the fight against cybercrime.”

Last week, CIDG anti-fraud operatives arrested Hak Mo Kim in Mandaluyong City for hacking into SMART Communications networks.

European Cyber Security at the Mercy of Chinese Hackers


Europe is "Under the watchful eye of Chinese pirates", writes Libération, which picks up on a Bloomberg feature report on computer security breaches. The American press agency reveals that a group of Chinese cyberspies – which has been tracked by an American collective (that includes academics, companies that have been targeted by Chinese espionage and computer security experts) – succeeded in infiltrating a large number of institutions and companies last year.


The group, linked to the Chinese military and named "Byzantine Candor" by American secret services, notably managed to infiltrate European institutions, reports the French daily –

    At a critical moment in the euro crisis in July, a group of Chinese spies remotely infiltrated the computers of the European Council, not once but five times. Launching their attacks from China, the hackers stole data including email correspondence with Herman Van Rompuy [...] Along with the European Council, the networks of at least 20 European businesses have fallen victim to Byzantine Candor [...] According to Bloomberg, most of the breached corporate networks were characterised by the fact that they contained information on innovation that could be economically advantageous to Chinese firms.

Libération adds that a decade ago –

    … the usual targets for these kinds of attacks were American arms manufacturers [...] However, no one is safe today.

As a result, the drive to combat cyber-espionage is now a critical priority for Europe: notably in Spain, which, according to El País –

    … is one of the countries that has been worst affected by hacking attacks, with tens of thousands of incidents every year.

The Madrid daily explains that a new national cybersecurity centre of excellence, financed by the European Commission and headquartered at the Autonomous University of Madrid, will be inaugurated in September. In the wake of the establishment of similar centres in Montpellier (France) and Dublin (Ireland), it will be the third of its kind in the EU.

However, the daily regrets that one of the companies tasked with the creation of the centre, CFLabs, is directed by Matías Bevilacqua –

    … an IT expert who was arrested and charged in connection with purchase and sale of confidential data [...] and in particular sensitive information sourced from virtually all of the institutions of the Spanish state.

In conclusion El País wonders about the wisdom of appointing “a hacker to play a key role in such a sensitive project”.

NullCrew Breaches Yale Databases


A hacker group known as NullCrew claims it obtained the personal information of 1,200 Yale students and staff members from University databases.

University spokeswoman Elizabeth Stauderman ’83 LAW ’04 confirmed that hackers obtained files containing personal information from participants in the Yale Initiative to Strengthen Teaching in Public Schools on July 17, but she said only 450 accounts were affected. NullCrew claims it gained access to social security numbers, names, addresses and phone numbers, though only usernames, passwords and email addresses were published by the collective, which claims its only intention was to prove the security faults in institutional databases.



“In fact, the governmental and educational sites are the least secure in the experience we’ve had with .edu and .gov websites,” the hackers said in a message alongside the published data.

Stauderman said Yale has taken immediate action to secure the breached computer and is in the process of notifying the authorities and the affected participants. She added that the University will offer identity protection services to those affected.

The NullCrew breach was the largest known breach of Yale databases since late 2010, when the names and Social Security numbers of 43,000 people affiliated with the University were hacked and then made searchable online. The University announced that breach 10 months later, in August 2011.

Cell phone battery catches fire, burns hacker's tail at Defcon

Freak incident leads to cell phone battery lighting a real fire under a man's backside. Hotel room key-card saves him.
LAS VEGAS -- A cell phone battery spontaneously caught fire today, burned through a Defcon attendee's back pants pocket, and fell on the floor, creating burn spots on a carpet and leaving a burn-hole in the attendee's chair.

The man, who asked not to be identified, was not harmed but his trousers were ruined. He told CNET that he was sitting in a session at Defcon around 11:30 a.m. PT when he started to smell something burning and felt some heat underneath him on his seat. He stood up to find that his back left pocket was on fire.

"I smelled the burn, the smoke, and I stood up and could literally see flames," he said. "I tried to tap it out (with a hand) and it fell to the floor. It burned right through the backside."

The battery, which he said goes with a Droid Bionic smartphone that was not in the pocket, was still burning on the ground. He kicked it and it rolled and burned another spot into the carpet. He then left the room to get help as people around him began taking photos.

His derriere probably would have been scorched as well if he hadn't had his plastic hotel room key-card in between him and the battery. "My hotel key saved my butt," he said, laughing.

A woman who was taking video of the event for Defcon was seated on a platform about 20 feet away and had a good view of what happened. "I saw something glowing out of the corner of my eye," she said. "A guy's butt was in flames."

The rest of the session was canceled and the room was evacuated. The man said he had nothing else in his pocket but the battery and the hotel card key, and that he had no idea why the battery would have started to heat up.





CNET did not see the phone and was unable to confirm its make and model.

A Motorola representative provided this statement when asked for comment: "Motorola Mobility's priority is the safety of our customers. All Motorola products are designed, manufactured, and tested to meet or exceed international and local standards for consumer safety and performance. We will look into this matter immediately."

The cause of the overheating remains a mystery.

Don Bailey, a mobile expert at Capitol Hill Consultants, said batteries can heat up if the metal leads touch something conductive. "Something as simple as steel wool can cause a short between the leads on a cell phone battery," he said.

It could have been a bad battery, or the man could have damaged the battery somehow. But if there was no metal in the pocket at the time, it's likely the culprit was some conductive material, such as steel wool from a brush used to clean metal, that had somehow worked its way into the fibers of his pocket, Bailey said. "It's rare for manufactured batteries like these to have that kind of a failure."


8.7 million mobile customers hacked in South Korea


SEOUL — South Korean police have arrested two hackers who stole personal data of 8.7 million customers of the nation’s second-biggest mobile operator, the company said.

KT said the hackers — formally arrested on Sunday — had stolen data such as customers’ names, phone numbers and residential registration numbers for five months since February and sold the information to telemarketing firms.

"The number of affected people accounts for nearly half of our roughly 17 million customers," a KT spokesman told AFP, adding that the company had alerted police on July 13 after detecting traces of hacking attacks.


Yonhap news agency, citing police, said the duo — including a former veteran programmer at a local IT company — had earned at least 1 billion won (about $880,000) by selling the stolen data.

Seven other people were also booked for buying the leaked data for telemarketing purposes, Yonhap said.

“We deeply bow our head in apology for having your precious personal information leaked… we’ll try our best to make such things never happen again,” KT said in a statement to customers.

Hacking attacks on major companies, aimed at gaining access to their customers' personal data, are a frequent occurrence in South Korea, one of the world's most-wired nations.

Seoul authorities said in July last year that hackers using an Internet address registered in China had gained access to major South Korean websites, including the web portal Nate.com, and may have stolen the private data of 35 million users.

In November 2011, Seoul’s top games developer Nexon saw personal information of 13 million users of its popular online game MapleStory stolen by hackers.

In March 2010, authorities launched a probe into the security systems of major retailer Shinsegae and 24 other companies after private data on 20 million customers was leaked.

Official Facebook Accounts of Garanti Bankası, Denizbank, Renault Turkey, Ülker, Nokia Turkey, Burger King and Acun.com Hacked

The official Facebook accounts of several companies were hacked on Thursday night by a group of hackers trying to promote the terrorist Kurdistan Workers' Party (PKK).

The pro-PKK hackers changed the Facebook profile pictures of the following companies: Garanti Bankası, Denizbank, Renault Turkey, Ülker, Nokia Turkey, Burger King and Acun.com. They placed the picture of Abdullah Öcalan, the jailed leader of the terrorist PKK organization, on the profiles instead.



The digital marketing agency 41? 29!, which manages the Facebook accounts of these companies, reported on Thursday night that most of the accounts had been restored to their original state.

The head of the agency, Alemşah Öztürk, said on Twitter on Thursday night that they were working to restore the Facebook accounts in cooperation with Facebook, Inc.

The agency also stated on its Facebook account that as soon as it discovered the attack, it notified Facebook, which immediately deactivated the hacked accounts.

Stating that this situation did not constitute a security risk for the followers of the accounts in question, the agency also added that there has been no loss of data from the companies' accounts.


Hacker who swindled $3m held in Dubai hotel

According to media reports, the incident came to light when a UAE trader who lost $3million filed a complaint with Dubai Police. The victim, who had business connections with the said Chinese firm, received an email from the company requesting him to transfer $3million to its account.



He duly transferred the amount because he was used to dealing with huge sums of money with the company. He never confirmed with the officials in China if they received the amount because such transactions were common between them, he told investigating officials.

However, a few days later he learnt that the email he received was not sent by the company.

He immediately filed a complaint, and investigations by the anti-crimes department of Dubai Police revealed that the company website had been hacked by the suspect. He not only obtained important data but also used the official email id to contact its clients and defraud them of millions.

The suspect was tracked down and arrested at a Dubai hotel. His bank accounts have been frozen and he has been referred to the Public Prosecution.


Statement From Jeremy Hammond, Alleged Hacker


I remember maybe a few months before I was locked up I went to a few noise demonstrations at the federal jail MCC Chicago in support of all those locked up there. Prisoners moved in front of the windows, turned the lights on and off, and dropped playing cards through the cracks in the windows. I had no idea I would soon be in that same jail facing multiple trumped up computer hacking "conspiracies."

Now at New York MCC, the other day I was playing chess when another prisoner excitedly came up and was like, "Yo, there are like 50 people outside the window and they are carrying banners with your name!" Sure enough, there you all were with lights, banners, and bucket drums just below our 11th floor window. Though you may not have been able to hear us or see us, over one hundred of us in this unit saw you all and wanted to know who those people were, what they were about, rejuvenated knowing people on the outside got their back.

As prisoners in this police state – over 2.5 million of us – we are silenced, marginalized, exploited, forgotten, and dehumanized. First we are judged and sentenced by the “justice” system, then treated as second class citizens by mainstream society. But even the warden of MCC New York has in surprising honesty admitted that “the only difference between us officers here and you prisoners is we just haven’t been caught.”

They call us robbers and fraudsters when the big banks get billion dollar bailouts and kick us out of our homes.

They call us gun runners and drug dealers when pharmaceutical corporations and defense contractors profit from trafficking armaments and drugs on a far greater scale.

They call us “terrorists” when NATO and the US military murder millions of innocents around the world and employ drones and torture tactics.

And they call us cyber criminals when they themselves develop viruses to spy on and wage war against infrastructure and populations in other countries.

Yes, I am one of several dozen around the world accused of Anonymous-affiliated computer hacking charges.

One of many here at MCC New York facing trumped up "conspiracy" charges based on the cooperation of government informants who will say anything and sell out anyone to save themselves.

And this jail is one of several thousand other jails, prisons, and immigrant detention centers – lockups which one day will be reduced to rubble and grass will grow between the cracks of the concrete.

So don’t let fear of imprisonment deter you from speaking up and fighting back. Silencing our movement is exactly what they hope to accomplish with these targeted, politically motivated prosecutions. They can try to stop a few of us but they can never stop us all.

2 Million OS X Mountain Lion Copies Sold in 48 Hours


Apple’s latest Mac platform release, the OS X 10.8 Mountain Lion, has seen great response from users right from the start.

The Cupertino-based company managed to sell two million copies of the new OS X in only 48 hours after the official launch, in line with the success last year’s Lion platform registered.

The new platform release comes with an appealing price tag, namely $19.99, which has certainly contributed to its success.


Moreover, the platform was offered for free to all those who purchased a new Mac machine after June 11th, 2012.

However, it should be noted that Apple hasn’t yet provided official numbers on Mountain Lion sales, but that the info comes from Chitika, which estimates 2.11 million copies of the OS being sold in the first two days of availability.

The new operating system comes with a wide range of enhancements when compared to the OS X Lion release, Apple counting no less than 200 of them.

Download link from Softpedia: http://mac.softpedia.com/get/System-Utilities/OS-X-Mountain-Lion.shtml

Chitika Insights also notes that there are over 45 percent of Mac users still running OS X 10.6 Snow Leopard, but that all those using 10.6.6 or higher could upgrade their systems to 10.8.

Carly Rae Jepsen Hacked, Naked Photos Stolen


On Wednesday, the “Call Me Maybe” hit-maker told the police that the hacker stole her nude photos and tried to sell them to the media.

These are not the fake ones that surfaced on the internet a few months ago; these are the real ones that have never been seen before, and the Canadian-born singer is desperately trying to lock them down.



TMZ reports that Jepsen’s camp received an anonymous tip about the photos back in March… and immediately called the Vancouver Police Department to report the cyber crime.


Anonymous Rattles A Chinese Web Giant

Anonymous may be best known for knocking websites offline or stealing data, but one faction of the movement is subverting figures of power in a more circumspect way — by trawling through documents and computer code.

The sub group Anonymous Analytics released a damning report yesterday about Qihoo, the Chinese web giant that claims to be the No. 1 provider of Internet and mobile security products and services in China, as measured by its user base.


Qihoo distributes antivirus software called 360 Safeguard and has a browser called 360 Secure Browser, but in recent years has restructured its business to focus on selling online advertising space, in particular from a single directory page, hao.360.cn. The company claims to get approximately 90% of its advertising revenue "directly or indirectly" from this page and its sub pages; advertising accounted for 73% of the company's total revenue in 2011 of $22.9 million.

That figure marked an increase of 136% from the year before, meaning hao.360.cn is a serious money-maker for Qihoo. Qihoo recently said that it charged, on average, 1 million yuan  ($156,000) per month, per link on the “Famous Sites” section of its directory page — a breed of e-commerce widely known to have dwindled in Western cyberspace.

Anonymous Analytics says there’s something fishy about Qihoo’s directory page. Qihoo recently claimed on its fourth quarter conference call that the page was getting 20% more web traffic than dominant-player Baidu’s similar page and its sub pages, hao123.com. Qihoo confirmed this with me, citing a table of figures from iResearch.

But the Anonymous group claims that Qihoo is “grotesquely exaggerating” its traffic advantage, and their evidence comes in the form of a recent change in the source code of hao.360.cn. Having been monitoring the site since last year, the group noticed that a comScore tag had been added to Qihoo’s HTML source code. (ComScore is the best-known, third-party verifier of a web site’s traffic.)

This seemed fine, until the tag was removed on or around June 20, 2012. Why? Anonymous Analytics thinks that Qihoo didn’t like the figures it was seeing. The group then managed to get what it claims are the actual comScore figures through unnamed third parties — “people we trust,” according to the group’s representative — who had bought them from comScore. The figures show that in the months of February, March and April 2012, Qihoo’s all-important directory page had 56%, 51% and 52% less traffic than Baidu’s.

Anonymous Analytics provided me with what appears to be a legitimate document from comScore showing web traffic figures for Baidu and Qihoo’s main directory pages in April 2012. It states that Baidu’s directory page had 84.689 million unique visitors from China, while Qihoo’s had 40.877 million.

The activist group believes that before Qihoo balked at the figures, it had added the comScore tag to appease analysts, investors and critics, “who have called for management to provide independent verification of Qihoo’s traffic claims.”

The group further believes that management installed the tag with a view to figuring out how to manipulate comScore's traffic analytics. "We are so certain of this that we invite engineers at comScore to analyze data coming out of hao.360.cn since the beginning of the year," Anonymous Analytics says.

NSA Turns To Hackers To Make Internet Secure From Cyber Attackers


The National Security Agency has sought the help of professional hackers to render the World Wide Web more secure.

Reports from PCWorld and Reuters indicate that General Keith B. Alexander, Director of the National Security Agency, sought the help of hackers while addressing the Defcon hacker conference in Las Vegas on July 27.



Speaking at the conference, General Alexander said: “This is the world’s best cybersecurity community. In this room right here is the talent our nation needs to secure cyberspace,” PCWorld reported.

Urging a collaborative approach to securing cyberspace, Gen. Alexander, who also heads the U.S. Cyber Command and the Central Security Service, urged hackers to partner with government and industry to realize the objective.

Stating that hackers can educate others who do not understand cybersecurity, the NSA Chief said: “You know that we can protect networks and have civil liberties and privacy and you can help us get there.”

The rare courtship of the NSA Chief and hackers seems to have come on the heels of increased cyberattacks against U.S. cyber infrastructure. The PCWorld report cited a 17-fold increase in cyberattacks reported against the Federal Government between 2009 and 2011.

Gen. Alexander urged the hacker community to continue building the better tools needed to protect cyberspace, citing Metasploit and other penetration testing tools as examples, PCWorld added.

Seeking hackers support in defending the nation against cyberattacks, Gen. Alexander rued: “The issue is that if you don’t see a cyberattack you can’t defend against it and at the moment, the NSA has no insight if Wall Street is going to be attacked, for (an) example.”

Urging cooperation from industry, Alexander called on corporations to share at least limited pieces of information from their intrusion detection systems in real time so that the NSA could follow up on such instances of aberration.

Gen. Alexander stressed that jointly developing standards, once information sharing is in place, is the key to securing critical infrastructure and sensitive networks.

Gen. Alexander’s presence at the Defcon was hailed as a rare occurrence as Jeff Moss, Founder, Defcon, revealed

Anonymous Australia Leak Partial Data From AAPT for #OpAustralia

They have leaked three pieces of this data, a very partial leak compared to the main data they are said to hold. So far they have leaked 128 accounts with data such as usernames, passwords, emails and other personal information. The leak also contains information on 137 business accounts, including ABNs, ACNs, company names, employee counts and other information such as spending.



The leak was just announced via Twitter and uploaded to pastebin.com under a guest account. The tweet came from Twitter user @nas1gnal.

The leak was also announced and retweeted by various other people.

Pastebin links:

http://pastebin.com/Ldgb3UVB

http://pastebin.com/SJ8gyzGs

Ice Cream Sandwich now on one in 10 Android devices


Ice Cream Sandwich is now installed on more than 10 percent of Android devices, according to Google.

Data collected by the search-turned-mobile giant during the 14-day period that ended yesterday shows that version 4.0 of Google’s mobile operating system is now present on 10.9 percent of all devices. The data was collected from Android devices that accessed Google Play, the Android application store, during the two-week period.


The latest stats, which come less than a week after Android 4.1 Jelly Bean was announced at Google I/O, show a significant jump for Ice Cream Sandwich: a week ago, the OS was around the 7 percent mark.

The increase of 4 percentage points could be put down to a sharp rise in device sales during the past month, which can be largely attributed to the launch of Samsung’s Galaxy S III and HTC’s One X.

All in all, it’s taken more than eight months for Google to reach 10 percent of the total Android base with Ice Cream Sandwich, after the OS was announced in 2011.

And while Ice Cream Sandwich is on the rise, it’s the opposite story for Android 2.3 Gingerbread: the OS fell for the first time, dropping from 65 percent to 64 percent over the same two-week period.

Nonetheless, Gingerbread, first released in December 2010, remains the most popular Android version to date.

Turkey’s Foreign Ministry official website fell victim to a cyber-attack


Turkey’s Foreign Ministry said on July 3 that its official website fell victim to a cyber-attack, as a local hacker group published what it said were the identities of foreign diplomats serving in Turkey on the internet, reports AP.
State-run TRT television identified the group as RedHack, which staged similar attacks on several other government websites earlier this year. The TV station reported that the group obtained and published the images of ID cards issued by the ministry for the diplomats, and also signalled it might publish more “sensitive information” in the coming days.


RedHack has highlighted Turkey's ties with Syrian President Bashar Assad, posting a link on its Twitter account to a screen grab of the ministry's website that read: "brothers yesterday, enemies today." The message was later removed.

BackTrack 5 R3 Release on Aug 13th, 2012


The BackTrack Development team will be releasing an R3 revision of our Penetration Testing distribution in 2 weeks. This release focuses on bugfixes and over 50 new tool additions – making it the most potent revision yet. We have released a BT5 R3 preview in BlackHat Vegas for the enjoyment of conference attendees, which can be found in their delegate bags.

The DVD contains a BT5 R3 Gnome, 32 bit edition – burnt as an ISO (as opposed to an image). We will be taking in our last bug reports and tool suggestions from the BH / Defcon crowds for our upcoming official release, which will be on August 13th, 2012.


Current BT5 users can simply upgrade to the latest release using the regular update commands. More details will be released along with the full listing of new tools on the 13th of August. We hope you enjoy this fine release as much as we do!


Skype co-operating closely with Intelligence Agency to help them spy on users

Skype is co-operating more closely with intelligence agencies to help them spy on users. This is also a red alert for hackers' and companies' private plans: they are all under monitoring.

The online phone service, used by friends and families to keep in touch but also favoured by political dissidents and criminals, is making online chat and other user information available to police, according to The Washington Post.

Surveillance of the audio and video feeds remains impractical, even when courts issue warrants, industry officials told the newspaper.

But the changes, apparently in effect since late last year, allow police surveillance of online chats, Skype's instant messaging feature, as well as access to addresses and credit card numbers of users.

The Washington Post said U.S. officials have long pushed for greater access to online conversations to resolve what the FBI labels the 'going dark' problem.

They complain that Skype's encryption and other features made tracking drug lords, pedophiles and terrorists more difficult and police listening to traditional wiretaps have even heard suspects suggest 'let's talk on Skype' because it is more secure, The Post reports.

Law enforcement agencies are thrilled by the changes to Skype, which was acquired by Microsoft, an organisation known for working closely with authorities, in May 2011 for $8.5 million, but activists are wary.

'The issue is, to what extent are our communications being purpose-built to make surveillance easy?' Lauren Weinstein, co-founder of People for Internet Responsibility, told The Post.

'When you make it easy to do, law enforcement is going to want to use it more and more. If you build it, they will come.'


Skype, which has 600 million users worldwide, said in a statement: 'As was true before the Microsoft acquisition, Skype cooperates with law enforcement agencies as is legally required and technically feasible.'

Skype calls connect computers directly rather than routing data through central servers, as many other Internet-based communication systems do, which makes it more difficult for police to intercept the call.

Some claim Skype loses its competitive edge in the crowded world of Internet-based communication if users no longer see it as more private than rivals.

'Skype used to be very special because it really was locked up,' an industry official told The Post. 'Now it’s like Superman without his powers.'

Twitter Down reported hours after Google Talk crash


Hours into a global Google Talk outage that left users unable to use the instant messaging client, it appears Twitter has gone down as well.


In a message to users, the company said: "Howdy folks, looks like we're experiencing a small interruption of Twitter.com and some mobile clients."


It is not yet known what caused the fault. Users that could access the service reported that shortened URL links included in tweets were not working properly.

The micro-blogging site appears to be experiencing a service disruption, with users in Europe, Asia and the US saying they were unable to load the site.


Crowd-powered web service monitoring site Down Right Now has said there is “likely a service disruption,” based on user feedback.

Affected users are unable to access the site at all - even the site’s iconic Fail Whale image is not loading for some Tweeters.

“Users may be experiencing issues accessing Twitter. Our engineers are currently working to resolve the issue,” Twitter has written on its Status page. No details beyond that have been revealed.

Microsoft Names Two Zeus Botnet Operators


Three months after initially disrupting the Zeus botnet, Microsoft officials have named two of the people who they think are behind the malware network, a pair of Ukrainians who already are sitting in jail in the UK.
From the beginning of the anti-Zeus operation, which became public in March, Microsoft officials and lawyers from other organizations, including NACHA, have been trying to identify the dozens of John Does named in the initial legal complaint. Those efforts hadn’t met with any success, until last week when Microsoft named Yevhen Kulibaba and Yuriy Konovalenko as two of the John Does behind the Zeus botnet. The company has told both the FBI and the authorities in the UK of their findings, and also included the men’s names in the amended legal complaint.


“In an amended complaint, filed last week, Microsoft named Yevhen Kulibaba and Yuriy Konovalenko as defendants. Microsoft has learned that these particular defendants were already serving jail time in the United Kingdom for other Zeus malware related charges. Microsoft has advised the U.K. government of the criminal referral to the FBI. By referring this case to the FBI, as we did in September 2011 with our case against the operators of the Rustock botnet, we are affirming our commitment to coordinating our efforts with law enforcement. Our goal is always to work in ways that are complementary to law enforcement. Our hope is that the evidence we provided to the FBI in this case will lead to a criminal investigation that brings the perpetrators to justice,” Richard Boscovich, a senior attorney in Microsoft’s Digital Crimes Unit, said in an analysis of the operation.
The anti-Zeus operation is the latest in a line of botnet takedowns and anti-cybercrime actions undertaken by the Microsoft DCU, a relatively new group inside the company that’s devoted to investigating and helping stem cybercrime. The DCU also was involved in the takedown of the Rustock botnet, as well as operations against the Kelihos and Waledac botnets. The Zeus takedown has been unique for a couple of reasons, chief among them the use of the civil section of the RICO anti-racketeering statute to aid in the investigation.
“In criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets. By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the ‘organization’ were not necessarily part of the core enterprise,” Boscovich said at the time of the initial Zeus takedown.
Microsoft is working with ISPs to help them identify Zeus-infected machines and alert the users about the infection.

Facebook offers bug bounty to hackers who find flaws in its systems

Several companies already reward 'white hat' hackers who responsibly report flaws in their web services, but Facebook is apparently going a step further with payments to those who find vulnerabilities in its internal systems.


Facebook and Google have for some time offered bounties to hackers who find vulnerabilities in their public-facing systems, but now the social network has gone a step further by offering to reward hackers who find and report flaws in Facebook's corporate network.

According to a Bloomberg report on Thursday morning, the move will be announced at the DefCon hacking conference. "If there's a million-dollar bug, we will pay it out," Facebook security response chief Ryan McGeehan was quoted as saying.

The idea of a company paying so-called 'white hat' hackers to probe their sites and report flaws — rather than exploiting them — is rare, but far from new. Google and Facebook do it, as do Mozilla, HP and, as of last month, PayPal.

However, rewarding people for breaking into internal systems is an even riskier proposition. According to the Bloomberg piece, Facebook was moved to introduce the new bounty scheme after an external researcher informed the company of a flaw that meant outsiders could listen in to their internal conversations.

Facebook's bug bounty page says the company will pay a minimum of $500 for each responsible disclosure, as long as the bug could "compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook's infrastructure".

The only kinds of bugs that Facebook won't pay out for are those in third-party apps or websites, denial-of-service vulnerabilities, and spam or social engineering techniques, none of which Facebook has any control over.

Anonymous could be criminals hiding in plain sight



Hostile governments could be posing as Anonymous - expert

Users could give data to criminals under hacktivism guise

Time for people to go "old school" to make a difference


The people claiming to be from Anonymous could be wolves in sheep's clothing - but not in the way you think, an Australian internet security expert has warned.



Phil Kernick, Chief Technology Officer of CQR Consulting, told news.com.au that cyber criminals and hostile governments could be using the publicly acceptable alias of the hacktivist group to trick people into handing over their data.

“Imagine that Anonymous encouraged users to help bring down the Australian Government by downloading software and told them to press a button on a specific date, bombard a website and take it offline, but instead of getting a real version of the software you are pointed to a website which has an embedded banking Trojan (virus),” he said.

“This kind of behaviour is perfect for people who want to attack you.

“Attacking the government is just a side effect. It may not even work but it doesn’t matter. It’s not what they’re trying to achieve.”

Mr Kernick said this kind of behaviour was called “hiding in plain sight” - a classic misdirection technique practised by magicians since time immemorial.

Because Anonymous are a group of loosely affiliated activists and hackers, almost anyone can claim to belong to the group – including hostile governments.

He emphasised that he did not think the recent attacks on Australian government websites and ISPs were the work of cyber criminals or nation states but the group’s popularity was making the possibility of this easier.

He said that the recent hack on Syrian President Bashar al-Assad’s email account was a perfect example: “The question is who benefits from this. Yes, it could be random teen hacktivists getting bored but I would have thought the email of the Syrian President would be a bit above the skill set of your average spotty hacker, but maybe not past the level nation states could get past.

“So why not embarrass them publicly and expose details, to the benefit of your own nation state and blame it on Anonymous?”

Perpetrating cyber fraud under the guise of activism is the future of the internet, Mr Kernick said.

“We’ve moved past attacking systems and websites to attacking people to gain their credentials,” he said.

“If you're a nation state it's about attacking people because they have access to stuff and they can get people to do things for them.

“It’s much easier than attacking people.”

So what is the solution? Going old school.

Mr Kernick said education campaigns have failed largely because people live in denial that they could ever be the subject of cyber criminals or nation states and that security companies need to stop trying the same old awareness campaign expecting a different result.

“I would suggest if you want to protest, go write a placard, get manual, get real world about it,” he said.

“Write a letter to your MP, write a letter to News Ltd, get it published in the paper.

“I’m not a fan of this ‘anonymous’ sniping.”

However the cyber security expert acknowledged that it’s unlikely people would take this route because it’s always easier to click on a link than pen a letter they might have to put some thought into.

Apple appeared at Black Hat Security conference


Apple will give the hacking community a peek under the hood of iOS this week, with the company’s first-ever presentation at the Black Hat security conference.

Bloomberg's Jordan Robinson first reported the Apple appearance, which is scheduled for Thursday. Dallas De Atley, manager of Apple's platform security team, will give the presentation.


Black Hat's website describes the session: “Apple designed the iOS platform with security at its core. In this talk, Dallas De Atley … will discuss key security technologies in iOS.”

De Atley's appearance, however, comes at a time when iOS security has been increasingly challenged. Earlier this month, a Russian hacker exploited a flaw in the operating system, letting the public make in-app purchases for free. A week before that, the Find and Call app was revealed to be a Trojan horse that uploaded a user's contacts and SMS messages to a remote server. And the forthcoming release of iOS 6 is expected to contain numerous security improvements.

Black Hat general manager Trey Ford suggested to Bloomberg that De Atley's appearance is a coup for the conference. “Bottom line, no one at Apple speaks without marketing approval,” Ford told the news service. “Apple will be at Black Hat 2012, and marketing is on board.”


Defcon 20: Skillz, Thrillz & got Feelz for the whole Hacker Family


You might not think that a hacker conference in Sin City in the summer is the best place to take the kids. But if you want them to learn some skills, know their digital rights and have some fun, I can’t think of any place better. Oh, and there’s some stuff for us big kids too.

Defcon, which turns 20 this year, runs Friday through Sunday, following the more corporate Black Hat conference, the newsy parts of which are tomorrow and Thursday.




Black Hat organizers had a rocky start to their week with a security issue of their own. One of their volunteers sent 7,500 attendees a suspicious e-mail that appeared to be a phishing scam. The message asked recipients to confirm a new password that supposedly had been requested and directed them to a dicey-looking URL. “We have reviewed the server logs, we know the user, host, and have spoken with the volunteer who has emailed each of you this morning,” Trey Ford, general manager of Black Hat, wrote in a blog post, without saying exactly why it happened. “The email this morning was an abuse of functionality by a volunteer who has been spoken to.”

And in a first, Apple is hosting a talk at Black Hat to discuss security for its iOS mobile operating system. It’s a timely appearance: just last week, the iPad and iPhone maker offered developers a way to protect themselves from a high-profile exploit that targeted Apple’s in-app purchase system.

Defcon, meanwhile, will no doubt have plenty of hair-raising sessions about scary security holes in software and hardware we use every day and the tools released to help exploit them. But there also will be Defcon Kids, at which security researchers of the future will hone their chops on protecting data in a digital age.

The Defcon Kids program, which runs concurrently with Defcon and is now in its second year, looks seriously interesting. There will be sessions on how to break crypto code and how to work with electronics and circuit boards. There’s a panel on location data tracking in cell phones, a zero-day contest for finding previously unknown vulnerabilities, a lockpicking race, a Q&A session on drones and 3D printing, and a session on “The Art of the Con” with a live con game.

Attendees of Defcon Kids also will learn about liability and other issues related to design problems that allow locks and safes to be opened in seconds, and there’s a session called “Hacking your School’s Network” in which sci-fi author and Internet thinker Cory Doctorow will tell the kids that “the best way to hack the network is to study it, document the ways in which it interferes with your schooling, use Freedom of Information requests to find out what your school is paying for this junk, and publish and present that material.” The ACLU is holding a session on the NSA and the Constitution, and in the Department of Defense Crime Scene Investigation session, kids will confront a simulated crime that they have to solve in 15 minutes. Heady stuff for minors.

And there’s plenty of fun for the over-21 crowd too, including sessions on all manner of security topics like backdoors in hardware and industrial control software, hacking aircraft tracking systems, “human augmentation” using medicine and technology and how to hack a nation’s transportation networks. There are also plenty of privacy-related sessions and deep dives into the security architectures of iOS, Android, and Win 8.

For people who want a more hands-on experience, there’s an exploit-coding contest, a tamper-proof packaging contest, a Defcon art contest, capture the packet, lockpicking, social engineering contest and a beverage cooling contraption contest. For pure pleasure and good deeds you have the beard championship, along with bone marrow and blood drives. The winners of the Defcon short story contest will be announced, and people will be sharing anecdotes for the Defcon documentary that’s in the making. And if you just want to get out of town, there’s a two-hour bike ride in the desert being organized.

Things kick into another gear at night. After hours there will be the usual shmoozing over drinks, goth dance parties, and DJs from nerdcore rappers Duo Core and Dale Chase to MC Frontalot and local boys gone big, The Crystal Method.

There is also a separate event, B-Sides, that runs tomorrow and Thursday and features some interesting sessions like “How I Managed to Break into the InfoSec World with Only a Tweet and an Email” and “Dropping an Intelligent F-BOMB.”


400+ Sites Hacked and Defaced by 8lack 3y3s

3xp1r3 Cyber Army is back again with a fresh attack. This hacking group is really active these days and has already hacked about 1,500+ sites this month.
The Bangladeshi hacking group known as "3xp1r3 Cyber Army" has hacked 400+ sites, credited to 8lack 3y3s, from different countries, including a large number of Australian sites. These kinds of attacks clearly show how much security awareness is needed in the cyber world. 3xp1r3 Cyber Army has already hacked 7,000+ sites, and all the details of the hacked sites can be seen on their Zone-H page.


The list of impacted sites was published on Pastebin yesterday, but at press time, most of them still weren’t restored.

"w3 ar3 3xp1r3

w3 n3v3r g1v3 uP...any lamers"


While these mass defacements may not seem to have devastating effects, many website owners complain that it takes quite an effort to fully recover after such a hack. A few days ago they also defaced 860+ sites (3xp1r3 Cyber Army) and 200+ sites (8lack 3y3s).

Hacked Site List:
http://pastebin.com/M6VzfR8a 

Zone-H Mirror:
http://zone-h.org/archive/notifier=3xp1r3

Zone-HACK Mirror:
http://www.zone-hack.com/notifier/3xp1r3/

Hack-DB Mirror:
http://hack-db.com/team/3xp1r3_Cyber_Army/all.html

z-z0ne Mirror:
http://z-z0ne.net/notifier/3xp1r3/


Australian Death Threat Text Scam under Investigation

Thousands of Australians have received a "death threat" text, demanding they pay 5,000 Australian dollars ($5,140, £3,311) or face being murdered.

The scale of the scam has surprised the police authorities.

At a press conference in Queensland, Det Supt Brian Hay said: "Do not respond. Delete it immediately and don't panic... because that's what they prey upon."

The fraud is believed to be the work of an organised crime gang.
Huge scale




The message, which began to hit people's phones on Monday, reads: "Sum1 paid me to kill you. Get spared, 48hrs to pay $5000. If you inform the police or anybody, death is promised."

It directs people to a Yahoo email account which police have now disabled.

Mr Hay told reporters that enquiries were ongoing as to whether the criminals were based in Australia.

Some people had already fallen for the scam, mainly those with little experience of text messaging, he revealed.

He said that the scale of the scam was "unprecedented".

"We've never seen anything like this before - to have so many people contacted at the same time."

"There is an extraordinary amount of Australian consumer data that they are exploiting," he added.

He added that the scam was likely to be the work of organised criminals rather than an individual.

Hackers force Iranian nuclear facilities to blast AC/DC after Cyber Attack


A person inside the Atomic Energy Organization of Iran (AEOI) claimed this week in an email to a security researcher that a fresh hack is affecting two facilities, causing vital equipment to shut down and then playing AC/DC’s “Thunderstruck” on lab computers at maximum volume “during the middle of the night.”

Mikko H. Hypponen, chief research officer for the cybersecurity firm F-Secure, explained on the company’s website that he received an email from an unknown person within the AEOI who wanted to publicize details of the latest problems they’ve been running into.


“I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom,” the tipster wrote.

“According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used,” he continued. “The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am a scientist, not a computer expert.”

The email concluded: “There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing ‘Thunderstruck’ by AC/DC.”

While the identity of whomever sent the email has not been confirmed, reports in recent months have pointed to the U.S. and Israel as leading cyber-sabotage efforts against Iran’s nuclear program.

Reporters cited unnamed administration officials who claimed that the creation of the “Stuxnet” cyber weapon was authorized by President George W. Bush and sped up by President Barack Obama, who also allegedly initiated other lines of attack against the same facilities cited by Hypponen’s mystery tipster.


200+ Site Got Hacked by 8lack 3y3s

The Bangladeshi hacking group known as "3xp1r3 Cyber Army" has hacked 200+ sites, credited to 8lack 3y3s, from different countries, including a large number of Australian sites. These kinds of attacks clearly show how much security awareness is needed in the cyber world. 3xp1r3 Cyber Army has already hacked 7,000+ sites, and all the details of the hacked sites can be seen on their Zone-H page.



The list of impacted sites was published on Pastebin yesterday, but at press time, most of them still weren’t restored.

While these mass defacements may not seem to have devastating effects, many website owners complain that it takes quite an effort to fully recover after such a hack. A few days ago they also defaced 860+ sites (3xp1r3 Cyber Army).

Hacked Site List:
http://www.paste.to/NzU3MjE4

Zone-H Mirror:
http://zone-h.org/archive/notifier=3xp1r3

Zone-HACK Mirror:
http://www.zone-hack.com/notifier/3xp1r3/

Hack-DB Mirror:
http://hack-db.com/team/3xp1r3_Cyber_Army/all.html

z-z0ne Mirror:
http://z-z0ne.net/notifier/3xp1r3/

Hollywood Hacker to be sentenced


The Jacksonville man who hacked into the emails of Hollywood celebrities could face up to six years in prison for his crimes and pay thousands of dollars to his victims.

The victims who were hacked include Scarlett Johansson and Christina Aguilera, just to name a few.

His nickname has become The Hollywood Hacker. 35-year-old Christopher Chaney admitted to being sorry for hacking into the online accounts of stars like Christina Aguilera and Scarlett Johansson.



But despite the fact that Chaney has shown remorse for his online crimes, the Jacksonville man may have to pay $150,000 in fines and spend 71 months behind bars.

In court Chaney was asked, “What do you want to tell your family. Do you really think that’s right?” After this question, Chaney apologized.

“It’s not that we’re retreating from this, but we can’t wholly embrace it either, because the case is becoming more convoluted and more convoluted,” Chaney’s lawyer Mark Chestnutt said.

Chaney’s lawyers said it was an adrenaline rush that fueled his online criminal behavior. He even sent nude photos of the stars to celebrity websites and other hackers.

Prosecutors want Chaney to compensate his victims.

They said Scarlett Johansson is owed more than $66,000, Christina Aguilera $7,500, Renee Olstead $76,000 and an undisclosed amount to Mila Kunis.

In addition to the Hollywood starlets, a search warrant of Chaney’s hard drive revealed that it was used to conduct Internet searches for an underage Connecticut woman. She complained to police that Chaney had been chatting with her online since she was 13. She alleged the hacker stole private transmissions as well, but his lawyer claims the opposite.

“He says, man, I’ve never heard of her,” Chestnutt said. “Listen, this guy’s never been on a plane! Never been to Connecticut. Never met this young lady. He doesn’t know her, doesn’t recall talking with her on the Internet.”

Chaney is scheduled to be sentenced Monday morning in Los Angeles federal court on his guilty plea to nine felony counts of hacking into the email accounts of several actresses. Prosecutors have recommended 6 years in prison.

Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks

The next time you stay in a hotel room, run your fingers under the keycard lock outside your door. If you find a DC power port there, take note: With a few hacker tricks and a handful of cheap hardware, that tiny round hole might offer access to your room just as completely as your keycard.



At the Black Hat security conference Tuesday evening, a Mozilla software developer and 24-year old security researcher named Cody Brocious plans to present a pair of vulnerabilities he’s discovered in hotel room locks from the manufacturer Onity, whose devices are installed on the doors of between four and five million hotel rooms around the world according to the company’s figures. Using an open-source hardware gadget Brocious built for less than $50, he can insert a plug into that DC port and sometimes, albeit unreliably, open the lock in a matter of seconds. “I plug it in, power it up, and the lock opens,” he says simply.

In fact, Brocious’s break-in trick isn’t quite so straightforward. Testing a standard Onity lock he ordered online, he’s able to easily bypass the card reader and trigger the opening mechanism every time. But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed: Only one of the three opened, and even that one only worked on the second try, with Brocious taking a break to tweak his software between tests.

Even with an unreliable method, however, Brocious’s work–and his ability to open one out of the three doors we tested without a key–suggests real flaws in Onity’s security architecture. And Brocious says he plans to release all his research in a paper as well as source code through his website following his talk, potentially enabling others to perfect his methods.

Brocious’s exploit works by spoofing a portable programming device that hotel staff use to control a facility’s locks and set which master keys open which doors. The portable programmer, which plugs into the DC port under the locks, can also open any door, even providing power through that port to trigger the mechanism of a door lock in which the battery has run out.

The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port. Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat. So it can be immediately accessed by Brocious’s own spoofed portable device and used to open the door a fraction of a second later.
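To make that design point concrete, here is an added Python model; it is not Onity's protocol and not Brocious's code, and the memory layout, key bytes and port interface are all constructed for illustration. It contrasts two hypothetical lock designs behind the same kind of service port: one with the open key sitting in port-readable memory (the "spare key under the welcome mat"), and one that keeps the key inside the lock and answers only a fresh challenge. The audit function asks the one question that matters for this class of flaw: does anything readable through the port open the lock?

```python
"""Constructed model of the 'key stored in readable memory' design flaw.

Added teaching example; not Onity's protocol and not Cody Brocious's code.
Both lock classes and the programmer device are hypothetical.
"""
import hashlib
import hmac
import secrets


class ExposedMemoryLock:
    """Hypothetical flawed design: the key that triggers 'open' lives in the
    same memory that the service port hands to any device that asks."""

    def __init__(self, open_key: bytes) -> None:
        # constructed layout: 16 bytes of configuration, then the 16-byte open key
        self._memory = bytes(16) + open_key
        self.opened = False

    def read_memory(self) -> bytes:
        return self._memory  # the whole image, key included, crosses the port

    def challenge(self) -> bytes:
        return b""  # no challenge: the port accepts a bare key

    def open(self, presented: bytes) -> bool:
        self.opened = hmac.compare_digest(presented, self._memory[16:])
        return self.opened


class ChallengeResponseLock:
    """Hardened design: the key never crosses the port. The lock issues a fresh
    nonce and accepts only HMAC(key, nonce), so a memory dump is useless and a
    captured response cannot be replayed."""

    def __init__(self, open_key: bytes) -> None:
        self._key = open_key
        self._pending = None
        self.opened = False

    def read_memory(self) -> bytes:
        return b"fw=1.0;site=PLACEHOLDER"  # only non-secret configuration is readable

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def open(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # single use: the same response never works twice
        self.opened = hmac.compare_digest(response, expected)
        return self.opened


def programmer_open(lock, key: bytes) -> bool:
    """The hotel's legitimate portable programmer (hypothetical): it holds the
    key and answers whatever the lock asks for."""
    nonce = lock.challenge()
    if nonce:
        return lock.open(hmac.new(key, nonce, hashlib.sha256).digest())
    return lock.open(key)


def secret_recoverable_from_dump(lock, key_len: int = 16) -> bool:
    """Audit check: slide a key-sized window over the port-readable memory and
    present each window as the credential. True means the port leaks the key."""
    dump = lock.read_memory()
    for i in range(len(dump) - key_len + 1):
        lock.challenge()  # a challenge-response lock needs an outstanding nonce
        if lock.open(dump[i:i + key_len]):
            return True
    return False


def audit() -> dict:
    """Run both checks against both designs with a constructed key."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not real
    results = {}
    for name, lock in (("exposed", ExposedMemoryLock(key)),
                       ("challenge_response", ChallengeResponseLock(key))):
        results[name] = {
            "programmer_opens": programmer_open(lock, key),
            "dump_opens": secret_recoverable_from_dump(lock),
        }
    return results


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

The legitimate programmer opens both locks, but only the exposed-memory design also opens for a device that has nothing more than a copy of the lock's memory. The fix is architectural rather than a firmware patch, which matches the article's point that a lock whose port hands out its memory cannot be made safe by changing what the key is.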

Brocious believes that the unreliability of his method stems from timing issues in how his hacked-together unlocking device communicates with Onity’s locks. He doesn’t plan to complete the development and debugging of the technique himself, due to what he says are time constraints and concerns about what a universally effective exploit would mean for the security of millions of hotel guests. But he believes that with more experimentation and tweaking, someone could easily access a significant fraction of hotel rooms around the country without leaving a trace.

In fact, Brocious isn’t the only one who knows his tricks. His former employer, a startup that sought to reverse engineer Onity’s hotel front desk system and offer a cheaper and more interoperable product, sold the intellectual property behind Brocious’s hack to the locksmith training company the Locksmith Institute (LSI) for $20,000 last year. LSI students, who often include law enforcement, may already have the ability to open Onity doors at will.

“With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” says Brocious. “An intern at the NSA could find this in five minutes.”

The ability to access the devices’ memory is just one of the two vulnerabilities Brocious says he found in Onity’s locks. He says the company also uses a weak encryption scheme that allows him to derive the “site code”–a unique numerical key for every facility–from two cards encoded one after another for the same room. By reading the encrypted data off of two cards and testing thousands of potential site codes against both cards until the decoded data displays a predictable interval between the two, he can find the site code and use it to create more card keys with a magnetizing device. But given that he can only create more cards for the same room as the two keys he’s been issued, that security flaw represents a fairly low risk compared with the ability to open any door arbitrarily.

Brocious says he stumbled upon the flaws in Onity’s locks while working as the chief technology officer for a startup called Unified Platform Management Corporation, which sought to compete with bigger players in the hotel lock industry by creating a universal front end system for hotels that used common lock technologies. Brocious was hired to reverse engineer hotel locks, and Onity was his first target. The discovery of Onity’s security vulnerabilities was entirely unintentional, he says.

UPM failed to find customers or investment and soon folded. With the exception of the sale of his exploit methods to LSI–the biggest sale the startup ever achieved–Brocious kept quiet about his discovery, until now.

“This wasn’t the way we wanted to disrupt the business, exactly,” says Brian Thomason, one of UPM’s founders. “But hey, stuff happens, right?”

In a move that may dismay security practitioners, Brocious never contacted Onity or its parent company United Technologies Corporation to tell the firm about its security flaws, and doesn’t plan to ahead of his talk. But he says that’s because there’s little the company could do: the locks can’t be simply upgraded with new firmware to fix the problem. New circuit boards will have to be installed in every affected lock, a logistical nightmare if millions of locks prove to be vulnerable. “I didn’t want to delay putting this out there any further than I had to. I see no path to mitigate this from Onity’s side,” he says. “The best way to help hotels at this point is educate them about this, not to go through Onity and delay getting the information out longer than I had to.”

When I contacted Onity and provided a detailed description of Brocious’s work, the company responded with this statement: “We have not seen Mr. Brocious’ presentation and cannot comment on the content. Onity places the highest priority on the safety and security provided by its products and works every day to develop and supply the latest security technologies to the marketplace.”

And if Onity’s locks are in fact as insecure and unsecurable as Brocious says, how does he suggest hotels and their guests protect themselves? “Hotels need to come up with a plan to move to more secure locks,” he says.
