The Hacker News

Mise à jour

Mise à jour de la base de données, veuillez patienter...

NASA HACKED! AnonSec tried to Crash $222 Million Drone into Pacific Ocean

mardi 2 février 2016 à 14:08

Once again the Red Alarm had been long wailed in the Security Desk of the National Aeronautics and Space Administration (NASA).

Yes! This time, a serious hacktivism had been triggered by the Hacking group named "AnonSec" who made their presence in the cyber universe by previous NASA Hacks.

The AnonSec Members had allegedly released 276 GB of sensitive data which includes 631 video feeds from the Aircraft & Weather Radars; 2,143 Flight Logs and credentials of 2,414 NASA employees, including e-mail addresses and contact numbers.

The hacking group has released a self-published paper named "Zine" that explains the magnitude of the major network breach that compromised NASA systems and their motives behind the leak.

Here’s How AnonSec Hacked into NASA

The original cyber attack against NASA was not initially planned by AnonSec Members, but the attack went insidious soon after the Gozi Virus Spread that affected millions of systems a year ago.

After purchasing an "initial foothold" in 2013 from a hacker with the knowledge of NASA Servers, AnonSec group of hackers claimed to pentested the NASA network to figure out how many systems are penetrable, the group told InfoWar.

Bruteforcing Admin's SSH Password only took 0.32 seconds due to the weak password policy, and the group gained further indoor access that allowed it to grab more login information with a hidden packet sniffing tool.

They also claimed to infiltrate successfully into the Goddard Space Flight Center, the Glenn Research Center, and the Dryden Research Center.

Hacker Attempted to Crash $222 Million Drone into the Pacific Ocean

Three NAS Devices (Network Attached Storage) which gathers aircraft flight log backups were also compromised, rapidly opening a new room for the extended hack:

Hacking Global Hawk Drones, specialized in Surveillance Operations.

Hackers have tried to gain the control over the drone by re-routing the flight path (by Man-in-the-Middle or MitM strategy) to crash it in the Pacific Ocean, but…

…the sudden notification of a security glitch in the unusual flight plan made the NASA engineers to take the control manually that saved their $222.7 Million drone from drowning in the ocean.

This hacking attempt had happened due to the trivial routine of drone operators of uploading the drone flight paths for the next fly, soon after a drone session ends.

After this final episode, AnonSec lost their control over the compromised NASA servers and everything was set to normal by NASA engineers as before.

This marked the attack's magnitude at a steep height by infecting into other pipelines of NASA, leading to this nasty situation.

However, in a statement emailed to Forbes, NASA has denied alleged hacking incident, says leaked information could be part of freely available datasets, and there is no proof that a drone was hijacked.

“Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.”

Why Did AnonSec Hack into NASA?

If you are going to point your fingers against the AnonSec Hackers, then Wait! Here's what the group of hackers wants to highlight:

"One of the main purposes of the Operation was to bring awareness to the reality of Chemtrails/CloudSeeding/Geoengineering/Weather Modification, whatever you want to call it, they all represent the same thing."

"NASA even has several missions dedicated to studying Aerosols and their affects (sic) on the environment and weather, so we targeted their systems."

And Here's What NASA was actually doing:

Cloud seeding: A weather alteration method that uses silver iodide to create precipitation in clouds which results to cause more rainfall to fight carbon emission which ultimately manipulates the nature.
Geoengineering: Geoengineering aims to tackle climate change by removing CO2 from the air or limiting the sunlight reaching the planet.

Similar projects are running on behalf of the US Government such as Operation Icebridge [OIB], Aerosol-Cloud-Ecosystem (ACE) which are dedicated to climate modeling.

This security breach would be a black label for the Security Advisory Team of NASA and became a warning bell to beef up the security.

They Named it — Einstein, But $6 Billion Firewall Fails to Detect 94% of Latest Threats

mardi 2 février 2016 à 13:17

The US government's $6 Billion firewall is nothing but a big blunder.

Dubbed EINSTEIN, the nationwide firewall run by the US Department of Homeland Security (DHS) is not as smart as its name suggests.

An audit conducted by the United States Government Accountability Office (GAO) has claimed that the firewall used by US government agencies is failing to fully meet its objectives and leaving the agencies open to zero-day attacks.

EINSTEIN, which is officially known as the US' National Cybersecurity Protection System (NCPS) and has cost $5.7 Billion to develop, detects only 6 percent of today's most common security vulnerabilities and failed to detect the rest 94 percent.

How bad is EINSTEIN Firewall in reality?

In a series of tests conducted last year, Einstein only detected 29 out of 489 vulnerabilities across Flash, Office, Java, IE and Acrobat disclosed via CVE reports published in 2014, according to a report [PDF] released by the GAO late last year.

Among the extraordinary pieces of information revealed are the fact that the system is:

Unable to monitor web traffic for malicious content.
Unable to uncover malware in a system.
Unable to monitor cloud services either.
Only offers signature-based threat and intrusion detection, rather than monitoring for unusual activity.

Yes, Einstein only carries out signature-based threat and intrusion detection, which means the system acts like a dumb terminal that waits for the command what to find, rather than to search itself for unusual activity.

Einstein Uses Outdated Signatures Database

In fact, more than 65 percent of intrusion detection signatures (digital fingerprints of known viruses and exploit code) are outdated, making Einstein wide open to recently discovered zero-day vulnerabilities.

However, in response to this, DHS told the office Einstein was always meant to be a signature-based detection system only. Here's what the department told the auditors:

"It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy."

Einstein is Effectively Blind

If this wasn't enough to figure out the worth of the $6 Billion firewall, Einstein is effectively Blind.

The Department of Homeland Security (DHS), which is behind the development of Einstein, has not included any feature to measure the system's own performance, so the system doesn't even know if it is doing a good job or not.

So, "until its intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies," reads the report.

Einstein was actually developed in 2003 to automatically monitor agency network traffic, and later in 2009 expanded to offer signature-based detection as well as malware-blocking abilities.

Most of the 23 agencies are actually required to implement the firewall, but the GAO found that only 5 of them were utilising the system to deal with possible intrusions.

Despite having spent $1.2 Billion in 2014 and $5.7 Billion in total project, Einstein still only monitors certain types of network flaws along with no support for monitoring web traffic or cloud services.

Microsoft Starts automatically Pushing Windows 10 to all Windows 7 and 8.1 Users

mardi 2 février 2016 à 10:22

As warned last year, Microsoft is pushing Windows 10 upgrades onto its user's PCs much harder by re-categorizing Windows 10 as a "Recommended Update" in Windows Update, instead of an "optional update."

Microsoft launched Windows 10 earlier last year and offered the free upgrade for Windows 7 and Windows 8 and 8.1 users. While the company has been successful in getting Windows 10 onto more than 200 Million devices, Microsoft wants to go a lot more aggressive this year.

So, If you have enabled Automatic Windows Update on your Window 7, 8 or 8.1 to install critical updates, like Security Patches, you should watch your steps because…

...From Monday, Windows Update will start upgrading your PC to the newest Windows 10 as a recommended update, Microsoft confirmed.

Must Read: How to Stop Windows 7 or 8 from Downloading Windows 10 Automatically.

This means Windows 10 upgrade process will download and start on hundreds of millions of devices automatically.

The move is, of course, the part of Microsoft's goal to get Windows 10 running on 1 Billion devices within 2-3 years of its actual release.

Market Share of Windows 10 is on the rise. It has already grabbed a market share of 11.85% as of January 2016, increasing from 9.96% in December. But, Windows 7 is still running on over 50% of all PCs in the world, so targeting even half of its user base would bring Microsoft very near to its goal.

"As we shared in late October on the Windows Blog, we are committed to making it easy for our Windows 7 and Windows 8.1 customers to upgrade to Windows 10," a Microsoft spokesperson said. "We updated the update experience today to help our clients, who previously reserved their upgrade, schedule a time for their upgrade to take place."

Also Read: If You Haven't yet, Turn Off Windows 10 Keylogger Now.

This means if the 'Give me recommended updates the same way I receive important update' option in Windows Update section is enabled on your PC, the Windows 10 update will not only be downloaded but also, the installation will be started automatically.

You are also required to stay alert because even if you have adopted manual updates you may still end up downloading Windows 10 anyway. As Windows Update is automatically pre-selecting the option for you, without your need to click on the box to get it.

Must Read: Just Like Windows 10, Windows 7 and 8 Also Spy on You – Here's How to Stop Them.

However, the company says that you won't be forced to upgrade the creepy OS as there will still be a prompt window that will require you to click through and confirm the Windows 10 upgrade after the files have silently been downloaded and unpacked in the background.

Even if the Windows 10 upgrade is accidentally completed, there is still a way to opt out of it. Microsoft is offering a 31 day grace period in which you will be able to revert to your old installation after trying Windows 10 and deciding you not like the operating system.

Though we know this revert will also be an aggressive push by Microsoft.

Google Patches Critical Remotely-exploitable Flaws in Latest Android Update

mardi 2 février 2016 à 08:26

Google has released the February Security Update for Android that patches multiple security vulnerabilities discovered in the latest version of Android operating system.

In total, there were five "critical" security vulnerabilities fixed in the release along with four "high" severity and one merely "moderate" issues.

Remote Code Execution Flaw in WiFi

A set of two critical vulnerabilities has been found in the Broadcom WiFi driver that could be exploited by attackers to perform Remote Code Execution (RCE) on affected Android devices when connected to the same network as the attacker.

The vulnerabilities (CVE-2016-0801 and CVE-2016-0802) can be exploited by sending specially crafted wireless control message packets that can corrupt kernel memory, potentially leading to remote code execution at the kernel level.

"These vulnerabilities can be triggered when the attacker and the victim are associated with the same network," reads the advisory. "This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction."

Remote Code Execution Flaw in Mediaserver

Another set of two critical security vulnerabilities were discovered in Mediaserver that was targeted last summer by critical Stagefright vulnerabilities and exploits, allowing anyone to compromise an Android device by sending just a specially crafted MMS message.

The recently discovered flaws (CVE-2016-0803 and CVE-2016-0804) in Mediaserver could enable remote code execution (RCE) on affected Android devices through email, web browsing, or MMS files when processing media files.

Moreover, a separate vulnerability called elevation of privilege (CVE-2016-0810) was also discovered in Mediaserver that could be exploited to gain elevated capabilities, including Signature or SignatureOrSystem permissions privileges, that aren’t accessible to third-party apps.

Two Elevation of Privilege vulnerabilities has also been found in Qualcomm components: the Qualcomm Performance Module (CVE-2016-0805) and the Qualcomm Wi-Fi Driver (CVE-2016-0806). Both the flaws, rated as critical, leveraged an attacker to launch further attacks.

Another critically rated bug (CVE-2016-0807) discovered in the Debuggerd component could open the door to execute arbitrary code within the device's root level. Debuggerd is a software tool used for debugging and analyzing Android crashes.

Other high severity bugs include:

An elevation of privilege vulnerability in the Android Wi-Fi component
A denial-of-service vulnerability in the Minikin library
An information disclosure bug in libmediaplayerservice

The final set of vulnerabilities is an Elevation of Privilege flaw in Setup Wizard that could allow a hacker to bypass the Factory Reset Protection and gain access to the affected device.

All the Security patches are currently made available for Nexus devices only. Google also shared the patches with carrier and manufacturer partners on January 4, but users of other Android devices should have to wait until their devices receive an update.

Nexus device users are advised to patch the flaws by flashing their devices to this new build immediately. Users can also wait for the OTA (Over-the-Air) update that will be out in the next week or so.

Hacking Smartphones Running on MediaTek Processors

lundi 1 février 2016 à 19:17

A dangerous backdoor has been discovered in the MediaTek processor that could be exploited to hack Android devices remotely. MediaTek is a Taiwan-based hardware company that manufacture hardware chips and processor used in the smartphones and tablets. The backdoor was discovered by security researcher Justin Case, who already informed MediaTek about the security issue via Twitter, as