Hackers continue attack on Pakistani sites, leak sensitive data

A screenshot of the defaced PTV sports website.

ISLAMABAD: A network of hackers claiming to be a part of Anonymous — the global hacktivist network — continued a campaign of hacking, DDoS attacks and defacing websites belonging to the Pakistan government, security forces and the Pakistan Muslim League-Nawaz (PML-N) on Wednesday.

The group, going under the names ASOR Hack Team or Anonymous Op Pakistan, hacked into multiple websites and leaked private data of government employees and security forces, raising serious security and privacy concerns.

  • An unofficial PML-N website http://www.pmln.us was hacked and defaced with political messages related to the handling of the Model Town tragedy. The website was restored.

  • The Faisalabad Police Department website http://www.faisalabadpolice.gov.pk was hacked and private data leaked online, including usernames, passwords and the names/CNICs/addresses/contact information of employees.

  • The T20 section of Pakistan Television’s sport website sports.ptv.com.pk/t20 was defaced with ‘Go Nawaz Go’ messages, only to be restored hours later. Another message on the page read: “The desks that are being thumped on the face of the Pakistani people are a testimony that this gang can only get together to rescue its politics…the poor will continue to die in hunger and load-shedding.”

  • Usernames, passwords and email addresses, allegedly from hacks into the Pakistan Army and other government websites, were leaked onto the internet. Links to the data dumps are currently blocked in Pakistan, but screengrabs circulating online show private data including names, contact information and, worryingly, designations of a sensitive nature including arms manufacturers. Messages included with the leaked data said the attacks were taking place because the Pakistan Army was carrying out an operation in North Waziristan.

Two days ago, the group of hackers temporarily brought down numerous government portals in a bid to “remove every vestige of the Pakistan government from the Internet”.

The group also leaked a zip file containing 23,000 bank records allegedly connected to the government. The zip file contained a document that stated the leak was carried out by ASOR Hack Team.

It appears the group is affiliated with the global Anonymous network, given the updates carried out on various official Twitter accounts.


‘Anonymous Pakistan’ take down government sites, leak bank records

Screenshot from the hackers' website

KARACHI: In the wake of ongoing anti-government protests in Islamabad, a group of hackers calling themselves ‘Anonymous Op Pakistan’ temporarily brought down numerous government portals in a bid to remove “every vestige of the Pakistan government from the Internet”.

The group also leaked a zip file containing 23,000 bank records allegedly connected to the government. The zip file contained a document that stated the leak was carried out by ASOR Hack Team.

Claiming to be a part of Anonymous – the global hacktivist network – the hackers attacked over two dozen government websites overnight, a few of which remained inaccessible on Monday. Some of the hacked websites were defaced as well.

In numerous online messages, Anonymous Op Pakistan said it was carrying out the attacks for political reasons, in support of the PTI/PAT protesters:

“We are cataloging the atrocities being committed in Pakistan. We will begin at once assisting the peaceful protesters in Pakistan with every tool and tactic at our disposal. And we will initiate the process of removing every vestige of the Pakistan government from the Internet and shutting down their communications network. And the Pakistani people will then remove this criminal regime from power and lock them in prison where they belong. Prime Minister Nawaz Sharif you are hereby dismissed. You will leave power immediately. For the safety and security of your family we suggest that you depart Pakistan at once. This is your only warning.”

The group also condemned police action against the protesters:

“As for the criminal security and military forces who have so barbarically attacked your own people in Pakistan, we will collect evidence of your crimes and deal with you in the time and manner of our choosing. You would do well to….well, you know – expect us. You will either answer to the justice of your people and the international community, or you will be the subject of the rage filled vengeance of Anonymous.”

Portals that were hacked included:

  • Pakistan Army (www.joinpakarmy.gov.pk)

  • Pakistan Air Force (www.paf.gov.pk, http://www.joinpaf.gov.pk)

  • Inter Services Public Relations (www.ispr.gov.pk)

  • Federal Investigation Agency (www.fia.gov.pk)

  • Punjab Government (www.punjab.gov.pk)

  • Urban Unit (www.urbanunit.gov.pk)

  • Pakistan Electronic Media Regulatory Authority (www.pemra.gov.pk)

  • Pakistan Electronics Manufacturers Association (www.pema.gov.pk)

  • Provincial Disaster Management Authority (www.pdma.gov.pk/)

  • Press Information Department (www.pid.gov.pk)

  • Pakistan Meteorological Department (www.pmd.gov.pk)

  • National Institute of Electronics (www.nie.gov.pk)

  • Federal Board of Revenue (e.fbr.gov.pk)

Hackers may have used PA. company to hit Target

NEW YORK: The hackers who stole millions of customers’ credit and debit card numbers from Target may have used a Pittsburgh-area heating and refrigeration business as the back door to get in.

If that was, in fact, how they pulled it off – and investigators appear to be looking at that theory – it illustrates just how vulnerable big corporations have become as they expand and connect their computer networks to other companies to increase convenience and productivity.

Fazio Mechanical Services, a contractor that does business with Target, said in a statement Thursday that it was the victim of a “sophisticated cyberattack operation,” just as Target was. It said it is cooperating with the Secret Service and Target to figure out what happened.

The statement came days after Internet security bloggers identified the Sharpsburg, Pa., company as the third-party vendor through which hackers penetrated Target’s computer systems.

Target has said it believes hackers broke into its vast network by first infiltrating the computers of one of its vendors. Then the hackers installed malicious software in Target’s checkout system for its estimated 1,800 US stores.

Experts believe the thieves gained access during the busy holiday season to about 40 million credit and debit card numbers and the personal information – including names, email addresses, phone numbers and home addresses – of as many as 70 million customers.

Cybersecurity analysts had speculated that Fazio may have remotely monitored heating, cooling and refrigeration systems for Target, which could have provided a possible entry point for the hackers. But Fazio denied that, saying it uses its electronic connection with Target to submit bills and contract proposals.

The new details illustrate what can go wrong with the far-flung computer networks that big companies increasingly rely on.

“Companies really have to look at the risks associated with that,” said Ken Stasiak, CEO of SecureState, a Cleveland firm that investigates data breaches. Stasiak said industry regulations require companies to keep corporate operations such as contracts and billing separate from consumer financial information.

Stasiak emphasized that the thieves would have still needed to do some serious hacking to move through Target’s network and reach the checkout system.

Chester Wisniewski, an adviser for the computer security firm Sophos, said that while it may seem shocking that Target’s systems are that connected, it is a lot cheaper for a company to manage one network rather than several.

He added that while retailers are supposed to keep consumer information separate, they are not required to house it on a separate network.

Still, he said he was extremely surprised to hear that the hackers may have gotten in via a billing system, saying those kinds of connections are supposed to provide extremely limited access to the other company’s network.

As a result, while the hackers were clearly talented, it’s obvious something went wrong on Target’s end, he said.

“If normal practices were followed, they wouldn’t have been able to get access,” Wisniewski said.
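The segmentation point the two experts make above can be checked rather than assumed. The following is an added illustration, not Target's or Fazio's real configuration: the zones, addresses and rules are constructed here to show how a flat policy that trusts a vendor link anywhere on the internal range differs from one that confines it to the billing application on a single port. The checker uses first-match, implicit-deny semantics like a typical firewall.

```python
"""Zone-based reachability check: can a vendor billing link reach the POS network?

Added example for this article. Zones, CIDRs and rules below are constructed
(assumptions for illustration), not any company's actual network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the connection originates from
    dst: str              # CIDR it targets
    port: Optional[int]   # TCP port, None = any port
    action: str           # "allow" or "deny"


# Constructed zones (assumption, for illustration only)
ZONES = {
    "vendor_billing": "203.0.113.0/24",   # external contractor's billing client
    "billing_app":    "10.10.1.0/24",     # invoice / contract submission service
    "corp":           "10.20.0.0/16",     # general corporate systems
    "pos":            "10.30.0.0/16",     # store checkout systems
}


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied (firewall semantics)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def reachable_zones(rules: List[Rule], src_zone: str, port: int) -> Set[str]:
    """Zones that a host in src_zone can reach on `port` under the given rules."""
    src_ip = str(ipaddress.ip_network(ZONES[src_zone])[1])
    reached = set()
    for name, cidr in ZONES.items():
        dst_ip = str(ipaddress.ip_network(cidr)[1])
        if first_match(rules, src_ip, dst_ip, port) == "allow":
            reached.add(name)
    return reached


# Weak policy: once the vendor is "trusted", it may talk to anything in the
# private range. A stolen vendor credential then reaches the checkout network.
FLAT_POLICY = [
    Rule("203.0.113.0/24", "10.0.0.0/8", None, "allow"),
]

# Segmented policy: the vendor may reach only the billing application on its
# service port; everything else, including POS, falls through to deny.
SEGMENTED_POLICY = [
    Rule("203.0.113.0/24", "10.10.1.0/24", 443, "allow"),
    Rule("203.0.113.0/24", "0.0.0.0/0", None, "deny"),
]


def vendor_can_reach_pos(rules: List[Rule]) -> bool:
    """True if a host on the vendor billing link can open a connection into POS."""
    return "pos" in reachable_zones(rules, "vendor_billing", 443)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "-> vendor reaches:", sorted(reachable_zones(policy, "vendor_billing", 443)),
              "| POS exposed:", vendor_can_reach_pos(policy))
```

Run as a script it prints which zones the vendor link reaches under each policy. The same idea scales to exported firewall rule sets: enumerate every (source zone, destination zone, port) pair the business relationship does not need and assert that each evaluates to deny.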

Secret Service spokesman Brian Leary confirmed that investigators are looking into the attack at Fazio Mechanical Services, but wouldn’t provide details. Molly Snyder, spokeswoman for Minneapolis-based Target, would not comment.

Federal prosecutors in Pittsburgh referred calls to their counterparts in Minnesota, who would not discuss the investigation.

In the weeks since Target disclosed the breach, banks, credit unions and other card companies have canceled and reissued cards, closed accounts and refunded credit card holders for transactions made with the stolen data.

The Consumer Bankers Association said that its members have replaced over 17.2 million debit and credit cards as a result of the Target breach, at a cost of over $172 million.

Target has said its customers won’t be responsible for any losses.

Apple says never worked with NSA on iPhone hacks

SAN FRANCISCO: Apple Inc has never worked with the US National Security Agency and is unaware of efforts to target its smartphones, the company said in response to reports that the spy agency had developed a system to hack into and monitor iPhones.

Germany’s Der Spiegel reported this week that a secretive unit of the NSA, which is under fire for the extent and depth of its spying programs around the world, makes specialized gear and software to infiltrate and monitor a plethora of computing devices, including mobile phones.

The report included an NSA graphic dated 2008 that outlined a system in development called DROPOUTJEEP, described as a “software implant” that allows infiltrators to push and pull and retrieve data from iPhones such as contact lists. Der Spiegel referred to it as a “trojan,” or malware that helps hackers get into protected systems.

The report, which surfaced on Sunday, did not suggest that Apple had cooperated with the US spying agency on so-called backdoors.

In a statement issued Tuesday, the NSA did not comment on any specific allegations but said that its interest “in any given technology is driven by the use of that technology by foreign intelligence targets.”

“The United States pursues its intelligence mission with care to ensure that innocent users of those same technologies are not affected,” the agency added.

The iPhone was a relatively innovative gadget in 2008. It hit the market in 2007 and proceeded to help revolutionize the mobile phone industry.

“Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products,” the company said in a statement.

“We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.”

Hacker took over BBC server, tried to ‘sell’ access

London: A hacker secretly took over a computer server at the BBC, Britain’s public broadcaster, and then launched a Christmas Day campaign to convince other cyber criminals to pay him for access to the system.

While it is not known if the hacker found any buyers, the BBC’s security team responded to the issue on Saturday and believes it has secured the site, according to a person familiar with the cleanup effort.

A BBC spokesman declined to discuss the incident. “We do not comment on security issues,” he said.

We could not determine whether the hackers stole data or caused any damage in the attack, which compromised a server that manages an obscure password-protected website.

It was not clear how the BBC, the world’s oldest and largest broadcaster, uses that site, ftp.bbc.co.uk, though ftp systems are typically used to manage the transfer of large data files over the Internet.

The attack was first identified by Hold Security LLC, a cybersecurity firm in Milwaukee that monitors underground cyber-crime forums in search of stolen information.

The firm’s researchers observed a notorious Russian hacker known by the monikers “HASH” and “Rev0lver,” attempting to sell access to the BBC server on December 25, the company’s founder and chief information security officer, Alex Holden, told Reuters.

“HASH” sought to convince high-profile hackers that he had infiltrated the site by showing them files that could only be accessed by somebody who really controlled it, Holden said.

So far Hold Security researchers have found no evidence the conversations led to a deal or that data was stolen from the BBC, Holden said.

It is common for hackers to buy and sell access to compromised servers on underground forums.

Buyers view the access as a commodity that grants them the chance to further penetrate the victim organization. They can also use compromised servers to set up command-and-control centers for cyber-crime operations known as botnets, run spam campaigns or launch denial of service attacks to knock websites off line.

The BBC offer stands out because the media company is such a high-profile organization, Holden said. “It’s definitely a notch in someone’s belt.”

BBC has some 23,000 staff and is funded largely by license fees paid by every British household with a television.

Justin Clarke, a principal consultant for the cybersecurity firm Cylance Inc, said that while “HASH” was only offering access to an obscure ftp server, some buyers might see it as a stepping stone to more prized assets within the BBC.

“Accessing that server establishes a foothold within BBC’s network which may allow an attacker to pivot and gain further access to internal BBC resources,” he said.

Media companies, including the BBC, have repeatedly been targeted by the Syrian Electronic Army, which supports Syrian President Bashar al-Assad, and other hacker activist groups that deface websites and take over Twitter accounts.

Last January the New York Times reported that it had been repeatedly attacked over four months by Chinese hackers who obtained employees’ passwords.

Techies vs. NSA: Encryption arms race escalates

SAN JOSE: Encrypted email, secure instant messaging and other privacy services are booming in the wake of the National Security Agency’s recently revealed surveillance programs. But the flood of new computer security services is of variable quality, and much of it, experts say, can bog down computers and isn’t likely to keep out spies.

In the end, the new geek wars, between tech industry programmers on the one side and government spooks, fraudsters and hacktivists on the other, may leave people’s PCs and businesses’ computer systems encrypted to the teeth but no better protected from hordes of savvy code crackers.

“Every time a situation like this erupts you’re going to have a frenzy of snake oil sellers who are going to throw their products into the street,” says Carson Sweet, CEO of San Francisco-based data storage security firm CloudPassage. “It’s quite a quandary for the consumer.”

Encryption isn’t meant to keep hackers out of a system; an intruder can still copy the data. What it does, when it is designed and implemented correctly, is make that data unintelligible without the decryption key: intruders who don’t hold the key see only gobbledygook.
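To make the distinction concrete, here is an added example for this section, not code from any of the products named in the article. It builds a small authenticated-encryption scheme from the Python standard library alone (HMAC-SHA256 used as a PRF in counter mode for confidentiality, then encrypt-then-MAC with HMAC-SHA256 for integrity) and shows three things: the intruder who copies the ciphertext gets only noise, the wrong key does not "half-work" but is rejected outright, and a flipped bit is detected rather than silently decrypted into garbage. The construction is sound but is an illustration; production code should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library.

```python
"""What encryption does (confidentiality + integrity) and what it does not (access control).

Added example for this article; the scheme is an illustration built on the
standard library, not the code of any product mentioned on the page.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive(master: bytes):
    """Derive independent encryption and MAC keys from one 32-byte master key."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce per message."""
    enc_key, mac_key = _derive(master)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + body + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError on a wrong key or tampered data."""
    enc_key, mac_key = _derive(master)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time check, before decrypting
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def intruder_view(blob: bytes) -> str:
    """What someone who copied the message but has no key actually sees."""
    return blob.hex()


def tamper_detected(master: bytes, blob: bytes) -> bool:
    """Flip one bit of the ciphertext body and report whether decryption refuses it."""
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01
    try:
        decrypt(master, bytes(flipped))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = os.urandom(32)                       # never travels with the message
    message = b"meet at 9, bring the documents"  # constructed sample plaintext
    blob = encrypt(key, message)
    print("intruder sees :", intruder_view(blob))
    print("with the key  :", decrypt(key, blob))
    print("tamper caught :", tamper_detected(key, blob))
```

The point for the rest of this section: none of this helps if the key sits next to the data or the attacker gets onto the endpoint where the plaintext is typed, which is exactly where the "snake oil" and the phishing problems discussed below come in.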

A series of disclosures from former intelligence contractor Edward Snowden this year has exposed sweeping U.S. government surveillance programs. The revelations are sparking fury and calls for better encryption from citizens and leaders in France, Germany, Spain and Brazil who were reportedly among those tapped. Both Google and Yahoo, whose data center communications lines were also reportedly tapped, have committed to boosting encryption and online security. Although there’s no indication Facebook was tapped, the social network is also upping its encryption systems.

“Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever,” wrote Yahoo CEO Marissa Mayer in a Nov. 18 post on the company’s Tumblr blog announcing plans to encrypt all of its services by early next year. “There is nothing more important to us than protecting our users’ privacy.”

For those who want to take matters into their own hands, encryption software has been proliferating across the Internet since the Snowden revelations broke. Heml.is – Swedish for “secret” – is marketed as a secure messaging app for your phone. MailPile aims to combine a Gmail-like user friendly interface with a sometimes clunky technique known as public key encryption. Younited hopes to keep spies out of your cloud storage, and Pirate Browser aims to keep spies from seeing your search history. A host of other security-centered programs with names like Silent Circle, RedPhone, Threema, TextSecure, and Wickr all promise privacy.

Many of the people behind these programs are well known for pushing the boundaries of privacy and security online. Heml.is is being developed by Peter Sunde, co-founder of notorious file sharing website The Pirate Bay. Finland’s F-Secure, home of Internet security expert Mikko Hypponen, is behind Younited. Dreadlocked hacker hero Moxie Marlinspike is the brains behind RedPhone, while Phil Zimmerman, one of the biggest names in privacy, is trying to sell the world on Silent Circle. Even flamboyant file sharing kingpin Kim Dotcom is getting in on the secure messaging game with an encrypted email service.

The quality of these new programs and services is uneven, and a few have run into trouble. Nadim Kobeissi developed the encrypted instant messaging service Cryptocat in 2011 as an alternative to services such as Facebook chat and Skype. The Montreal-based programmer received glowing press for Cryptocat’s ease of use, but he suffered embarrassment earlier this year when researchers discovered an error in the program’s code, which may have exposed users’ communications. Kobeissi used the experience to argue that shiny new privacy apps need to be aggressively vetted before users can trust them.

“You need to be vigilant,” he says. “We’re two years old and we’re just starting to reach the kind of maturity I would want.”

Heml.is also encountered difficulties and angered users when its creators said they wouldn’t use open source – or publicly auditable – code. And Silent Circle abruptly dropped its encrypted email service in August, expressing concern that it could not keep the service safe from government intrusion.

“What we found is the encryption services range in quality,” says George Kurtz, CEO of Irvine, Calif.-based CrowdStrike, a big data, security technology company. “I feel safe using some built by people who know what they are doing, but others are Johnny-come-latelies who use a lot of buzzwords but may not be all that useful.”

Even so, private services report thousands of new users, and nonprofit, free encryption services say they have also seen sharp upticks in downloads.

And for many users, encryption really isn’t enough to avoid the US government’s prying eyes.

Paris-based Bouygues Telecom told its data storage provider Pogoplug in San Francisco that it needs the data center moved out of the US to get out from under the provisions of US law. So this month, PogoPlug CEO Daniel Putterman is keeping Bouygues as a client by shipping a multi-million dollar data center, from cabinets to cables, from California to France.

“They want French law to apply, not US law,” says Putterman, who is also arranging a similar move for an Israeli client.

Bouygues spokesman Alexandre Andre doesn’t draw a direct connection with the Patriot Act, and says Bouygues’ arrangement with Pogoplug is driven by concerns over performance and privacy. Andre says Bouygues wants the data stored in France, but it was up to Pogoplug to decide whether this would be done on Bouygues’ own servers or Pogoplug’s.

“There is a general worry in France over data security, and storing data in France permits us to reassure our clients,” Andre says. The arrangement also helps improve the service’s performance, Andre says, another reason for the move.

For Pogoplug, business is booming – it’s garnered close to 1 million paid subscribers in its first year – and Putterman says the company is anxious to accommodate concerned clients. And this month, Pogoplug launched a $49 software package called Safeplug that prevents third parties, from the NSA to Google, from learning about a user’s location or browsing habits.

But many warn that encryption offers a false sense of security.

“The fundamental designers of cryptography are in an arms race right now, but there are a series of weaknesses and missing oversights that have nothing to do with encryption that leave people vulnerable,” says Patrick Peterson, CEO of Silicon Valley-based email security firm Agari. And many that do work, bog down or freeze computers, forcing “a trade-off between security and convenience,” he says.

In any case, most attacks don’t happen because some cybercriminal used complicated methods to gain entry into a network, he adds.

“Most attacks occur because someone made a mistake. With phishing emails, it just takes one person to unwittingly open an attachment or click on a malicious link, and from there, cybercriminals are able to get a foothold,” Peterson says.

In addition, experts caution that with enough time and money a determined adversary can usually get at encrypted data, whether by breaking a weak cipher, exploiting flaws in how it was implemented or bypassing it altogether. And already the NSA has bypassed, or altogether cracked, much of the digital encryption that businesses and everyday Web surfers use, according to reports based on Snowden’s disclosures. The reports describe how the NSA invested billions of dollars, starting in 2000, to make nearly everyone’s secrets available for government consumption.

Meanwhile, the US government’s computing power continues to grow. This fall, the NSA plans to open a $1.7 billion cyber-arsenal – a Utah data center filled with super-powered computers designed to store massive amounts of classified information, including data that awaits decryption.

Microsoft awards hacking expert, repairs browser bug

Boston – Microsoft Corp said on Tuesday it is paying a well-known hacking expert more than $100,000 for finding security holes in its software, one of the largest such bounties awarded to date by a high-tech company.

The software maker also released a much anticipated update to Internet Explorer, which it said fixes a bug that made users of the world’s most popular browser vulnerable to remote attack.

James Forshaw, who heads vulnerability research at London-based security consulting firm Context Information Security, won Microsoft’s first $100,000 bounty for identifying a new “exploitation technique” in Windows, which will allow it to develop defenses against an entire class of attacks, the software maker said on Tuesday.

Forshaw earned another $9,400 for identifying security bugs in a preview release of Microsoft’s Internet Explorer 11 browser, Katie Moussouris, senior security strategist with Microsoft Security Response Center, said in a blog.

Microsoft unveiled the reward programs four months ago to bolster efforts to prevent sophisticated attackers from subverting new security technologies in its software, which runs on the vast majority of the world’s personal computers.

Forshaw has been credited with identifying several dozen software security bugs. He was awarded a large bounty from Hewlett-Packard Co for identifying a way to “pwn,” or take ownership of, Oracle Corp’s Java software in a high-profile contest known as Pwn2Own (pronounced “pown to own”).

Microsoft also released an automatic update to Internet Explorer on Tuesday afternoon to fix a security bug that it first disclosed last month.

Researchers say hackers initially exploited that flaw to launch attacks on companies in Asia in an operation that the cybersecurity firm FireEye has dubbed DeputyDog.

Marc Maiffret, chief technology officer of the cybersecurity firm BeyondTrust, said the vulnerability was later more broadly used after Microsoft’s disclosure of the issue brought it to the attention of cyber criminals.

He is advising computer users to immediately install the update to Internet Explorer, if they do not have their PCs already set to automatically download updates.

“Any time they patch something that has already been used (to launch attacks) in the wild, then it is critical to apply the patch,” Maiffret said.

That vulnerability in Internet Explorer was known as a “zero-day” because Microsoft, the targeted software maker, had zero days notice to fix the hole when the initial attacks exploiting the bug were discovered.

In an active, underground market for “zero day” vulnerabilities, criminal groups and governments sometimes pay $1 million or more to hackers who identify such bugs.