Wednesday, February 18, 2015

Bank Hackers Steal Millions via Malware

PALO ALTO, Calif. — In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.
But when a Russian cybersecurity firm, Kaspersky Lab, was called to Ukraine to investigate, it discovered that the errant machine was the least of the bank’s problems.
The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.
Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.

How Hackers Infiltrated Banks

Since late 2013, an unknown group of hackers has reportedly stolen $300 million — possibly as much as triple that amount — from banks across the world, with the majority of the victims in Russia. The attacks continue, all using roughly the same modus operandi:
  1. Hackers send email containing a malware program called Carbanak to hundreds of bank employees, hoping to infect a bank’s administrative computer.
  2. Programs installed by the malware record keystrokes and take screen shots of the bank’s computers, so that hackers can learn bank procedures. They also enable hackers to control the banks’ computers remotely.
  3. By mimicking the bank procedures they have learned, hackers direct the banks’ computers to steal money in a variety of ways:
    • Transferring money into hackers’ fraudulent bank accounts
    • Using e-payment systems to send money to fraudulent accounts overseas
    • Directing A.T.M.s to dispense money at set times and locations
In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says that the scope of this attack on more than 100 banks and other financial institutions in 30 nations could make it one of the largest bank thefts ever — and one conducted without the usual signs of robbery.
The Moscow-based firm says that because of nondisclosure agreements with the banks that were hit, it cannot name them. Officials at the White House and the F.B.I. have been briefed on the findings, but say that it will take time to confirm them and assess the losses.
Kaspersky Lab says it has seen evidence of $300 million in theft through clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.
The majority of the targets were in Russia, but many were in Japan, the United States and Europe.
No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information.
But the industry consortium that alerts banks to malicious activity, the Financial Services Information Sharing and Analysis Center, said in a statement that “our members are aware of this activity. We have disseminated intelligence on this attack to the members,” and that “some briefings were also provided by law enforcement entities.”
The American Bankers Association declined to comment, and an executive there, Douglas Johnson, said the group would let the financial services center’s statement serve as the only comment. Investigators at Interpol said their digital crimes specialists in Singapore were coordinating an investigation with law enforcement in affected countries. In the Netherlands, the Dutch High Tech Crime Unit, a division of the Dutch National Police that investigates some of the world’s most advanced financial cybercrime, has also been briefed.
The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing.
The managing director of the Kaspersky North America office in Boston, Chris Doggett, argued that the “Carbanak cybergang,” named for the malware it deployed, represents an increase in the sophistication of cyberattacks on financial firms.
“This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert,” Mr. Doggett said.
As in the recent attack on Sony Pictures, which Mr. Obama said again on Friday had been conducted by North Korea, the intruders in the bank thefts were enormously patient, placing surveillance software in the computers of system administrators and watching their moves for months. The evidence suggests this was not a nation state, but a specialized group of cybercriminals.
But the question remains how a fraud of this scale could have proceeded for nearly two years without banks, regulators or law enforcement catching on. Investigators say the answers may lie in the hackers’ technique.
In many ways, this hack began like any other. The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait. When the bank employees clicked on the email, they inadvertently downloaded malicious code. That allowed the hackers to crawl across a bank’s network until they found employees who administered the cash transfer systems or remotely connected A.T.M.s.
Then, Kaspersky’s investigators said, the thieves installed a “RAT”— remote access tool — that could capture video and screenshots of the employees’ computers.
“The goal was to mimic their activities,” said Sergey Golovanov, who conducted the inquiry for Kaspersky Lab. “That way, everything would look like a normal, everyday transaction,” he said in a telephone interview from Russia.
The attackers took great pains to learn each bank’s particular system, while they set up fake accounts at banks in the United States and China that could serve as the destination for transfers. Two people briefed on the investigation said that the accounts were set up at J.P. Morgan Chase and the Agricultural Bank of China. Neither bank returned requests for comment.
Kaspersky Lab was founded in 1997 and has become one of Russia’s most recognized high-tech exports, but its market share in the United States has been hampered by its origins. Its founder, Eugene Kaspersky, studied cryptography at a high school that was co-sponsored by the K.G.B. and Russia’s Defense Ministry, and he worked for the Russian military before starting his firm.
When the time came to cash in on their activities — a period investigators say ranged from two to four months — the criminals pursued multiple routes. In some cases, they used online banking systems to transfer money to their accounts. In other cases, they ordered the banks’ A.T.M.s to dispense cash to terminals where one of their associates would be waiting.
But the largest sums were stolen by hacking into a bank’s accounting systems and briefly manipulating account balances. Using the access gained by impersonating the banking officers, the criminals first would inflate a balance — for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened.  
“We found that many banks only check the accounts every 10 hours or so,” Mr. Golovanov of Kaspersky Lab said. “So in the interim, you could change the numbers and transfer the money.”
The hackers’ success rate was impressive. One Kaspersky client lost $7.3 million through A.T.M. withdrawals alone, the firm says in its report. Another lost $10 million from the exploitation of its accounting system. In some cases, transfers were run through the system operated by the Society for Worldwide Interbank Financial Telecommunication, or Swift, which banks use to transfer funds across borders. It has long been a target for hackers — and long been monitored by intelligence agencies.
Mr. Doggett likened most cyberthefts to “Bonnie and Clyde” operations, in which attackers break in, take whatever they can grab, and run. In this case, Mr. Doggett said, the heist was “much more ‘Ocean’s Eleven.’ ”

Saturday, February 7, 2015

Using your own router in tandem with the Actiontec V1000H Router and Telus Optik TV


In the ideal big-brother world of Telus they would have you only use their supplied hardware for networking - i.e. the Actiontec V1000H Router. For advanced users this is a serious pain, when your own router probably has a much richer feature set. Others may simply want complete control of their network and its hardware.

The solution? Log in as root and set the Actiontec to "bridged mode", essentially turning it into a standard modem. Now you can use your own router connected directly to the WAN. If you call Telus tech support, they won't have a clue what you're talking about when you mention bridging, or they'll just tell you it's not possible. I understand that it's more difficult for the Telus support people to read from their script when every customer could have a different router, but I, like many others, never call Telus tech support unless there is something broken on their side, like my service having dropped completely. You may be better off talking to a brick wall for anything else.

If you don't enable bridging on the Actiontec and you use it with your own router, you'll get a double NAT situation. While it may work, it will be a pain to configure and may result in some peculiar networking problems. This is exacerbated by the fact that you don't have access to fully configure the Actiontec router to work properly in this situation - for example, you can't disable DHCP. Check out this explanation of double NAT for more info.

The below instructions work flawlessly with my DDWRT54G v3 running Tomato Firmware v1.28.7633 .3-Toastman-VLAN-IPT-ND ND VPN


To start - knowing your logins:


There are a set of logins for the Actiontec - the one that you're given is a crippled account with limited access to settings.

default customer login is (can be changed after first login)
username: admin
password: telus

"poweruser" login - some options are still locked
username: tech
password: t3lu5tv

root login - all features are unlocked and configurable
(old firmware 31.30L.48)
username: root
password: m3di@r00m!

(new firmware 31.30L.55)
username: root
password: Thr33scr33n!


Bridged Mode - so you can use your third party router:


Before enabling bridged mode you may want to turn off wireless if you're going to use it on your own router. I've had some problems turning it off after enabling bridged mode. Also, you can unscrew the attached antennas, you don't need them if you've turned off wireless.

On your third party router, change the default LAN subnet to something outside of the Actiontec's default subnet (192.168.1.0 with netmask 255.255.255.0); 10.0.0.0 with netmask 255.0.0.0 should work fine.

To enable transparent bridging mode:
  1. log in as root
  2. go to "Advanced Setup"
  3. WAN IP Addressing
  4. 2. Select the ISP protocol below
  5. select "RFC 1483 Transparent Bridging"
Plug your own router's WAN port into one of the Actiontec's LAN ports. Your own router should now pass transparently through the Actiontec and get a DHCP-assigned IP address directly from Telus. Some additional configuration may be necessary on your router.
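Two quick sanity checks for the setup above, written here as an added example (this is not code from the original post): does the LAN subnet you picked for your own router collide with the Actiontec's default 192.168.1.0/24, and does the WAN address your own router received look like a private address, which is the tell-tale sign that bridging did not take effect and you are double-NATted. The addresses in the usage section are constructed samples; the modem subnet and management address are the ones the post gives.

```python
"""Subnet-collision and double-NAT checks for a third-party router placed
behind a bridged Actiontec (illustrative example; not from the post)."""
import ipaddress

# Default LAN of the Actiontec V1000H and its management address, per the post.
ACTIONTEC_LAN = ipaddress.ip_network("192.168.1.0/24")
ACTIONTEC_MGMT = "192.168.1.254"

# RFC 6598 carrier-grade NAT space: Python's is_private does NOT cover it,
# but an address from this range on your WAN side still means another NAT
# sits between you and the Internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def overlaps_modem_subnet(lan_subnet: str, modem_subnet=ACTIONTEC_LAN) -> bool:
    """True if the chosen third-party LAN would overlap the modem's own LAN."""
    return ipaddress.ip_network(lan_subnet, strict=False).overlaps(modem_subnet)


def looks_double_natted(wan_address: str) -> bool:
    """True if the WAN side of your router holds a private or CGNAT address
    rather than a public one, i.e. bridging is not in effect."""
    addr = ipaddress.ip_address(wan_address)
    return addr.is_private or addr in CGNAT


def static_ip_for_modem_access(modem_subnet=ACTIONTEC_LAN, modem_ip=ACTIONTEC_MGMT) -> str:
    """First usable host in the modem's subnet that is not the modem itself,
    for the 'connect a computer directly' step while bridged."""
    for host in modem_subnet.hosts():
        if str(host) != modem_ip:
            return str(host)
    raise ValueError("no free host address in subnet")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    for lan in ("192.168.1.0/24", "10.0.0.0/8"):
        print(lan, "collides with modem LAN:", overlaps_modem_subnet(lan))
    for wan in ("192.168.1.64", "100.72.3.9", "1.2.3.4"):
        print(wan, "looks double-NATted:", looks_double_natted(wan))
    print("static IP to reach the modem:", static_ip_for_modem_access())
```

If `looks_double_natted` reports True for the address shown on your router's WAN status page, the Actiontec is still routing rather than bridging; go back to the WAN IP Addressing page and re-check the protocol selection.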

To connect to the Actiontec router while in bridging mode:

Directly connect a computer to the Actiontec router and change the adapter address to a static IP in the Actiontec's default IP range.

192.168.1.1 should work.
Then connect to the router as usual - http://192.168.1.254

With bridging enabled, some strange behaviour is exhibited when logging in - you'll see below the log in section that it says you're already logged in as admin although you won't be able to view any of the configuration pages. When you log in as root you won't see any confirmation of a log in, you'll just get bumped back to the home page. You should be able to go to config pages once logged in though.

Alternatively you can log in using telnet if you want to enable it:
  1. Advanced Setup
  2. Remote
  3. Remote Telnet
  4. 1. Set the remote telnet state below.
  5. Local Telnet -> enable
  6. Set the user name and password for login
Use PuTTY or some other terminal client and log in using the username and password you've set.
Once logged in, you have a crippled shell; commands such as "ls" and "cd" won't work.
To get a slightly more functional shell, type "sh" to drop into a BusyBox shell.


To get Optik TV working with a third party router, you must enable multicasting:


If you don't have multicasting enabled on your third party router, TV channels will work for a few seconds then drop out.

For the tomato firmware this option is:
Advanced -> Firewall -> Multicast
Enable IGMPproxy
Check off the LAN segment you want to enable multicasting on - default should be LAN


Troubleshooting:


If you find you've locked yourself out of the router, or want to reset all the settings back to the defaults - do a factory reset.

Take a pen and press the reset button down (the button is recessed in a hole marked with a red circle around it) for a few seconds until the power light turns red, then unplug the power and plug it back in. The router will take around 30 seconds to reboot with the default settings.

If you need to do a factory reset or want to do other types of fiddling after being in bridged mode for a while, disconnect the phone cable first. Many people are reporting that their firmware gets updated immediately after a factory reset with the phone cable plugged in (i.e. while connected to the Internet), and that the root password has been changed (unconfirmed) on newer versions of the firmware.


Friday, February 6, 2015

Track anyone in the UK via SMS

By using one of the many mobile phone location tracking services aimed at businesses or concerned parents, and some trickery, it is possible to get almost anyone’s mobile phone position without their agreement. All that is required is their mobile phone number and carrier.
Over the past year a number of sites have popped up offering web based mobile phone tracking services. To use their services you purchase a monthly subscription or a set number of credits, and enter the target's phone number. The target then receives an SMS message asking them to confirm they consent to the tracking. After the target replies, the tracker can request their position online and receive a street address, post code, and map of their location with an accuracy of around 250 meters.
Source: Rootsecure
  • Although it is possible to get the location of a phone the target will receive the various SMS confirmation messages, alerting them to the fact they are being tracked.
  • Malicious use can be traced back to the tracker via credit card records / the trackers registered phone.
More:
For the past week I’ve been tracking my girlfriend through her mobile phone. I can see exactly where she is, at any time of day or night, within 150 yards, as long as her phone is on. It has been very interesting to find out about her day. Now I’m going to tell you how I did it.
The Guardian
A service has launched in the UK which allows you to track any mobile phone around the globe and follow its movements from your own computer. The Guardian ran a feature on it yesterday called ‘How I stalked my girlfriend’. It painted a scary picture.
The service is run by World-Tracker, a company based on the Isle of Man. When a mobile number is entered onto the World-Tracker website, a text message is sent to that phone, to ask if the person carrying the phone wishes to be tracked.
The Register

LinEnum – Linux Enumeration & Privilege Escalation Tool

LinEnum will automate many Local Linux Enumeration & Privilege Escalation checks documented in this cheat sheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost misconfigurations, and more.
An additional ‘extra’ feature is that the script will also use a provided keyword to search through *.conf and *.log files. Any matches will be displayed along with the full file path and line number on which the keyword was identified.
After the scan has completed (please be aware that it may take some time) you’ll be presented with (possibly quite extensive) output, in which any key findings are highlighted in yellow with everything else documented under the relevant headings.
Checks/Tasks Performed
  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
    • Current IP
    • Default route details
    • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • List all users including uid/gid information
    • List root accounts
    • Extracts password policies and hash storage method information
    • Checks umask value
    • Checks if password hashes are stored in /etc/passwd
    • Extract full details for ‘default’ uids such as 0, 1000, 1001 etc.
    • Attempt to read restricted files i.e. /etc/shadow
    • List current user's history files (i.e. .bash_history, .nano_history etc.)
    • Basic SSH checks
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xinetd.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
    • Checks user config
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default/weak MYSQL accounts
  • Searches:
    • Locate all SUID/GUID files
    • Locate all world-writable SUID/GUID files
    • Locate all SUID/GUID files owned by root
    • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail
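Three of the checks in the list above, re-implemented as a small audit script so you can see what LinEnum is actually looking for. This is an added example and not LinEnum's own code: it flags password hashes (or empty password fields) left in /etc/passwd, SUID/SGID files that are world-writable or root-owned, and cron entries anyone can edit. The filesystem walker produces (path, mode, uid) triples and the classifiers work on those triples, so the constructed `SAMPLE_*` data below exercises them without touching a real system; `collect_file_modes` is the only part that reads the live box.

```python
"""Re-implementation of three LinEnum-style checks (illustrative; not LinEnum)."""
import os
import stat

# Second /etc/passwd field values that mean "hash lives in /etc/shadow" or "locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}

# Constructed sample passwd content; the hash string is not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:$6$c0nstructed$notarealhash:1001:1001::/home/legacy:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc::999:999::/var/lib/svc:/bin/sh
"""

# Constructed (path, st_mode, st_uid) triples standing in for a directory walk.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),       # ordinary root SUID binary
    ("/opt/vendor/helper", stat.S_IFREG | 0o4777, 0),    # root SUID and world-writable
    ("/home/bob/tool", stat.S_IFREG | 0o2775, 1000),     # SGID, owned by a normal user
    ("/etc/cron.d/backup", stat.S_IFREG | 0o666, 0),     # cron entry anyone can edit
    ("/etc/cron.d/rotate", stat.S_IFREG | 0o644, 0),     # cron entry with sane perms
]


def passwd_accounts_with_hashes(passwd_text: str) -> dict:
    """Map user -> finding for accounts whose hash (or lack of one) is in /etc/passwd."""
    findings = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, not a passwd record
        user, pw = fields[0], fields[1]
        if pw == "":
            findings[user] = "empty password field"
        elif pw not in SHADOWED_OR_LOCKED:
            findings[user] = "hash stored in /etc/passwd"
    return findings


def collect_file_modes(root: str):
    """Walk `root` and yield (path, mode, uid) for regular files; lstat so
    symlinks are reported as themselves rather than followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip quietly like LinEnum does
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


def classify_setid(entries) -> dict:
    """Split SUID/SGID files into the groups LinEnum reports:
    all of them, the root-owned ones, and the world-writable ones."""
    result = {"all": [], "root_owned": [], "world_writable": []}
    for path, mode, uid in entries:
        if not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        result["all"].append(path)
        if uid == 0:
            result["root_owned"].append(path)
        if mode & stat.S_IWOTH:
            result["world_writable"].append(path)
    return result


def world_writable_cron(entries) -> list:
    """Cron files (anything under a cron directory) that any user can modify."""
    return sorted(path for path, mode, _uid in entries
                  if "/cron" in path and mode & stat.S_IWOTH)


if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        print("passwd findings:", passwd_accounts_with_hashes(fh.read()))
    live = list(collect_file_modes("/usr/bin")) + list(collect_file_modes("/etc"))
    print("setuid/setgid:", classify_setid(live))
    print("world-writable cron:", world_writable_cron(live))
```

A world-writable SUID root binary is the finding worth acting on first: anyone who can write the file can replace its contents and then run it as root, so the fix is to correct the mode (or remove the bit) rather than to hunt for who wrote it.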
You can download LinEnum v0.5 here:
master.zip

SniffPass – Simple Password Sniffer

SniffPass is a small password monitoring program (basically a password sniffer) that listens to your network, captures the passwords that pass through your network adapter, and displays them on the screen instantly. SniffPass can capture the passwords of the following protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords).
You can use this utility to recover lost Web/FTP/Email passwords via your own network adapter.

Requirements

SniffPass can capture passwords on any 32-bit Windows operating system (Windows 98/ME/NT/2000/XP/2003/Vista) as long as WinPcap capture driver is installed and works properly with your network adapter. You can also use SniffPass with the capture driver of Microsoft Network Monitor, if it’s installed on your system.
Under Windows 2000/XP (or greater), SniffPass also allows you to capture TCP/IP packets without installing any capture driver, by using ‘Raw Sockets’ method. However, this capture method has the following limitation:
  • On Windows XP/SP1 passwords cannot be captured at all – Thanks to Microsoft’s bug that appeared in SP1 update…
  • On Windows Vista with SP1, only UDP packets are captured. TCP packets are not captured at all.
  • On Windows 7, it seems that ‘Raw Sockets’ method works properly again, at least for now…
Do note that this software is NOT designed to grab passwords from other machines on the network; it could only do so if the computers were connected via a simple hub or an unencrypted wireless network.
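The reason a tool like SniffPass works at all is that the protocols it lists send credentials in the clear. The following added example (not SniffPass's code) takes the defender's side of that fact: it scans a text rendering of captured client commands for POP3/FTP USER/PASS pairs, SMTP AUTH PLAIN, HTTP Basic and IMAP LOGIN, and reports which account authenticated in the clear over which protocol, deliberately without recording the password itself. The capture lines and the `PROTO C: ` prefix format are constructed for the example.

```python
"""Detect cleartext logins in a captured session (illustrative; not SniffPass)."""
import base64

# Constructed sample: client-side lines of a capture, tagged with the protocol.
# The base64 blobs encode "\0carol\0password" and "dave:pw" respectively.
SAMPLE_CAPTURE = [
    "FTP  C: USER alice",
    "FTP  C: PASS hunter2",
    "POP3 C: USER bob@example.test",
    "POP3 C: PASS s3cret",
    "SMTP C: AUTH PLAIN AGNhcm9sAHBhc3N3b3Jk",
    "HTTP C: GET /admin HTTP/1.1",
    "HTTP C: Authorization: Basic ZGF2ZTpwdw==",
    "HTTP C: Authorization: Bearer not-a-cleartext-password",
    "IMAP C: a001 LOGIN erin \"pw\"",
]


def _b64(text: str):
    """Decode base64 strictly; return None on garbage so a bad line can't crash the scan."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_cleartext_auth(lines):
    """Return (protocol, username, mechanism) for every cleartext login seen.
    Passwords are parsed only far enough to locate the username and are never kept."""
    findings = []
    pending_user = {}  # protocol -> username from USER, awaiting its PASS
    for line in lines:
        proto, _, payload = line.partition(" C: ")
        proto = proto.strip().upper()
        parts = payload.split()
        if not parts:
            continue
        verb = parts[0].upper()
        if proto in ("FTP", "POP3"):
            if verb == "USER" and len(parts) > 1:
                pending_user[proto] = parts[1]
            elif verb == "PASS" and proto in pending_user:
                findings.append((proto, pending_user.pop(proto), "USER/PASS"))
        elif proto == "SMTP" and verb == "AUTH" and len(parts) >= 3 and parts[1].upper() == "PLAIN":
            decoded = _b64(parts[2])
            if decoded is not None and decoded.count("\0") == 2:
                _authzid, authcid, _password = decoded.split("\0")
                findings.append((proto, authcid, "AUTH PLAIN"))
        elif proto == "HTTP" and payload.lower().startswith("authorization: basic "):
            decoded = _b64(payload.split(None, 2)[2])
            if decoded and ":" in decoded:
                findings.append((proto, decoded.split(":", 1)[0], "Basic"))
        elif proto == "IMAP" and len(parts) >= 3 and parts[1].upper() == "LOGIN":
            findings.append((proto, parts[2], "LOGIN"))
    return findings


if __name__ == "__main__":
    for proto, user, mech in find_cleartext_auth(SAMPLE_CAPTURE):
        print(f"{proto:5} {mech:10} account {user!r} authenticated in the clear")
```

Each hit is a service that should be moved behind TLS (POP3S/IMAPS, SMTP with STARTTLS, FTPS or SFTP, HTTPS); a monitoring tool that stores the captured secret, as a sniffer does, just creates a second place for the password to leak from.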
You can download SniffPass v1.13 here:
sniffpass.zip

ATM Hacked Using Samsung Galaxy S4 & USB Port

A pretty interesting black box daughter board attack on an ATM via USB; the crowd cries "ATM Hacked!" Yah, it was, and it was triggered using a mobile phone to actually activate the attack, showing it's fairly complex and also abstracting the actual attacker from being physically there.
The guy carrying the black box can't actually perform the attack without whoever has the phone trigger letting it loose.
Carders have jackpotted an ATM by inserting a circuit board into the USB ports of an ATM, tricking it into spitting out cash.
The technique was thought to have emulated the cash dispenser of the ATM so the brains of the machine thought everything was normal, buying additional time for the brazen crooks to make off with the cash.
A Samsung Galaxy S4 was then used by a remote attacker to issue commands to the dispenser, cybercrime scribe Brian Krebs reported.
NCR global security manager Charlie Harrow said the circuit board gives crime lords control, but the folks who install it are not necessarily the real perps.
“… you have the Mr. Big back at the hideout who’s sending the commands, and the mules are the ones at the ATMs,” Harrow said.
“So the mule who has the black box is unable to activate the attack unless he gets the command from the Mr. Big, and the mobile phone is the best way to do that.”
It really reads like something from the movies: some lackey with a black box and a mysterious Dr. Evil somewhere on a desert island triggering the attack from his mobile phone, causing the ATM to endlessly spit out $100 bills.
I doubt it was so obvious, but it would be fun wouldn’t it? The black box basically fooled the ATM into thinking the cash dispenser was still attached, pretty clever stuff.
The amount of cash stolen was not revealed.
The mobile phone component also made it difficult for investigators to piece together how the attackers pushed commands through to the cash dispenser.
Investigators were unsure what commands were sent to the dispenser only that they were funneled through the phone.
This type of attack was increasing, NCR said. Most logical USB port attacks involved malware and only one other had used the type of black box equipment used here.
ATM owners have been urged to avoid stand-alone machines where possible, as they are more easily attacked. NCR has updated its encryption scheme so that a key is exchanged between the brains and dispenser after a specific authentication sequence, and hardened firmware preventing thieves from downgrading.
I’m assuming this happened in the US, as NCR (formerly National Cash Register), a US-based computer hardware/software company that provides ATMs and the like, is the one quoted.
More details in Krebs article here: Thieves Jackpot ATMs With ‘Black Box’ Attack
Interesting stuff, will have to see if they manage to pop any more ATMs with this technique (if it gets reported that is).
Source: The Register
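The NCR mitigation quoted above (a key exchanged between the ATM core and the dispenser only after an authentication sequence, plus firmware that refuses downgrades) is easiest to understand as code. The toy below is an added example and a deliberate simplification; it is not NCR's protocol and the message formats, the pre-shared secret and the "DISPENSE n" command are all invented for illustration. What it shows is why a board plugged into the USB bus cannot drive the dispenser: without the long-term secret it can neither complete the handshake nor forge the per-command MAC, and replaying a captured valid command fails the counter check.

```python
"""Toy model of an authenticated host<->dispenser channel (illustrative only)."""
import hashlib
import hmac
import os
import struct


def _mac(key: bytes, counter: int, command: bytes) -> bytes:
    """Per-command tag bound to a monotonically increasing counter (anti-replay)."""
    return hmac.new(key, struct.pack(">I", counter) + command, hashlib.sha256).digest()


class Dispenser:
    MIN_FIRMWARE = 3  # refuse to load anything older (anti-downgrade)

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret      # provisioned at install; never leaves the device
        self._session_key = None
        self._counter = 0
        self._nonce = b""
        self.dispensed = 0

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def authenticate(self, host_nonce: bytes, host_proof: bytes) -> bool:
        expected = hmac.new(self._secret, b"auth" + self._nonce + host_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, host_proof):
            return False
        # Session key is derived only after the host proved knowledge of the secret.
        self._session_key = hmac.new(self._secret, b"session" + self._nonce + host_nonce, hashlib.sha256).digest()
        self._counter = 0
        return True

    def execute(self, command: bytes, counter: int, tag: bytes) -> str:
        if self._session_key is None:
            return "rejected: no authenticated session"
        if counter != self._counter + 1:
            return "rejected: replayed or out-of-order counter"
        if not hmac.compare_digest(_mac(self._session_key, counter, command), tag):
            return "rejected: bad MAC"
        self._counter = counter
        if command.startswith(b"DISPENSE "):
            self.dispensed += int(command.split()[1])
            return "ok"
        return "unknown command"

    def accept_firmware(self, version: int) -> bool:
        return version >= self.MIN_FIRMWARE


class Host:
    """The ATM 'brains'. Holds the same secret as its paired dispenser."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._session_key = None
        self._counter = 0
        self.last_sent = None  # kept only so the demo can show a replay failing

    def pair(self, dispenser: Dispenser) -> bool:
        d_nonce = dispenser.challenge()
        h_nonce = os.urandom(16)
        proof = hmac.new(self._secret, b"auth" + d_nonce + h_nonce, hashlib.sha256).digest()
        if not dispenser.authenticate(h_nonce, proof):
            return False
        self._session_key = hmac.new(self._secret, b"session" + d_nonce + h_nonce, hashlib.sha256).digest()
        self._counter = 0
        return True

    def send(self, dispenser: Dispenser, command: bytes) -> str:
        self._counter += 1
        tag = _mac(self._session_key, self._counter, command)
        self.last_sent = (command, self._counter, tag)
        return dispenser.execute(command, self._counter, tag)


def demo() -> dict:
    """Run the scenarios from the article against the toy model and return the outcomes."""
    secret = os.urandom(32)
    dispenser, host = Dispenser(secret), Host(secret)
    out = {}
    # A device on the USB bus that never authenticated (the 'black box').
    out["unauthenticated"] = dispenser.execute(b"DISPENSE 100", 1, b"\0" * 32)
    out["paired"] = host.pair(dispenser)
    out["legit"] = host.send(dispenser, b"DISPENSE 100")
    out["replay"] = dispenser.execute(*host.last_sent)          # captured and resent
    out["wrong_secret"] = Host(os.urandom(32)).pair(dispenser)  # impostor host
    out["downgrade"] = dispenser.accept_firmware(2)
    out["dispensed"] = dispenser.dispensed
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:15} -> {result}")
```

The design point is that the dispenser trusts a session, not a cable: possession of the USB port buys an attacker nothing unless they also hold the secret, and even a recorded legitimate dispense cannot be replayed because the counter only moves forward.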

BlueScan – A Bluetooth Device Scanner

BlueScan is a BASH script that acts as a Bluetooth device scanner. It’s a tool designed to detect Bluetooth devices within the radio range of your system and extract as much information as possible from the devices without the requirement to pair.
The tool works unobtrusively, i.e. without establishing a connection to the devices found, and so goes undetected. No superuser privileges are required to run it.
Requirements
  • A GNU / Linux operating system
  • A kernel version 2.4.6 or higher with the Bluetooth protocol stack implemented
  • A Bluetooth adapter that provides the system with HCI interface
  • Libraries – libbluetooth2 & bluez-utils
Features
Currently it is able to detect:
  • BD device address (equivalent to the MAC of a network card)
  • Device Name
  • Manufacturer (in most cases)
  • Active services on the device
  • Open channels on the device
One caveat, it’s in Spanish, so yah – you’ll have to figure that out.
You can download BlueScan here:
bluescan_1.0.6.zip