Telegram Agrees to Register With Russia to Avoid Ban, But Won't Share User Data

After being threatened with a ban in Russia, end-to-end encrypted Telegram messaging app has finally agreed to register with new Russian Data Protection Laws, but its founder has assured that the company will not comply to share users' confidential data at any cost.

Russia's communications watchdog Roskomnadzor had recently threatened to block Telegram if the service did not hand over information required to put the app on an official government list of information distributors.

The Russian government requirement came following terrorists' suicide bombings that killed 15 people in Saint Petersburg in April in which terrorists allegedly used the Telegram's app to communicate and plot attacks.

    "There is one demand, and it is simple: to fill in a form with information on the company that controls Telegram," said Alexander Zharov, head of Roskomnadzor.

    "And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information."

Telegram CEO Pavel Durov refused to comply with the country's requirements because he feared that it would weaken the privacy of its over 6 Million Russian users.

Telegram: No Confidential Data of Users will be Shared

However, after facing pressure from the government, Durov agreed on Wednesday to store Russian citizens' information on the country's servers.

The Russian Federal Service for Supervision Of Communications, Information Technology and Mass Media (Roskomnadzor) announced on Wednesday that Telegram had finally presented all the requirements.

Roskomnadzor is a federal executive body in Russia responsible for overseeing the media, including the electronic media, mass communications, information technology and telecommunications; organizing the work of the radio-frequency service; and overseeing compliance with the law protecting the confidentiality of its users' personal data. 

Durov announced his decision via VK.com, the Russian version of Facebook, adding that while he's happy for Telegram to be formally registered in Russia, anything that violates users' privacy will not be served — only basic information about the company will be shared.

    "We will not comply with unconstitutional and technically impossible Yarovaya Package laws—as well as with other laws incompatible with the protection of privacy and Telegram's privacy policy," Durov said.

Telegram is an end-to-end encrypted messaging app, but unlike WhatsApp, Telegram does not offer the end-to-end messaging feature to its users by default. Rather users need to open encrypted chats to communicate securely.

How to Communicate Securely with Telegram

If you are communicating with people on Telegram thinking that your chats are end-to-end encrypted, you are mistaken, because all your chats will be stored in plain text on Russian servers, making it possible for the government to request it with court orders, when required.

So, always make sure that you communicate with people on Telegram using its encrypted chat feature. Here's how to start an end-to-end encrypted chat on Telegram:

    - Open Telegram app
    - Select the contact you want to communicate
    - Click on his/her name
    - Select 'Start Secret Chat' (highlighted in green color)
    - A new, secure chat window will open, where you can communicate securely.

You can also enable other security features offered by Telegram.

These features include Two-Step Verification that allows you to set up an additional passcode for your Telegram account, which is also required to log into your account and Self-Destruct Secret Chats that lets you self-destruct your messages after a specified time (between 1 second and 1 week), leaving no trace on Telegram servers.

Durov announced his decision via VK.com, the Russian version of Facebook, adding that while he's happy for Telegram to be formally registered in Russia, anything that violates users' privacy will not be served — only basic information about the company will be shared.

"We will not comply with unconstitutional and technically impossible Yarovaya Package laws—as well as with other laws incompatible with the protection of privacy and Telegram's privacy policy," Durov said.

Telegram is an end-to-end encrypted messaging app, but unlike WhatsApp, Telegram does not offer the end-to-end messaging feature to its users by default. Rather users need to open encrypted chats to communicate securely.

How to Communicate Securely with Telegram 

If you are communicating with people on Telegram thinking that your chats are end-to-end encrypted, you are mistaken, because all your chats will be stored in plain text on Russian servers, making it possible for the government to request it with court orders, when required.

So, always make sure that you communicate with people on Telegram using its encrypted chat feature. Here's how to start an end-to-end encrypted chat on Telegram:

• Open Telegram app
• Select the contact you want to communicate
• Click on his/her name
• Select 'Start Secret Chat' (highlighted in green color)
• A new, secure chat window will open, where you can communicate securely.

You can also enable other security features offered by Telegram.

These features include Two-Step Verification that allows you to set up an additional passcode for your Telegram account, which is also required to log into your account and Self-Destruct Secret Chats that lets you self-destruct your messages after a specified time (between 1 second and 1 week), leaving no trace on Telegram servers.

After being threatened with a ban in Russia, end-to-end encrypted Telegram messaging app has finally agreed to register with new Russian Data Protection Laws, but its founder has assured that the company will not comply to share users' confidential data at any cost.

Russia's communications watchdog Roskomnadzor had recently threatened to block Telegram if the service did not hand over information required to put the app on an official government list of information distributors.

Read More

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.

The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month.

Apart from this, many victims have also informed that Petya ransomware has also infected their patch systems.

    "Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit." Mikko Hypponen confirms, Chief Research Officer at F-Secure.


Petya is a nasty piece of ransomware and works very differently from any other ransomware malware. Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Petya ransomware replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

 Don't Pay Ransom, You Wouldn’t Get Your Files Back

Infected users are advised not to pay the ransom because hackers behind Petya ransomware can’t get your emails anymore.

Posteo, the German email provider, has suspended the email address i.e. wowsmith123456@posteo.net, which was behind used by the criminals to communicate with victims after getting the ransom to send the decryption keys.

At the time of writing, 23 victims have paid in Bitcoin to '1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX' address for decrypting their files infected by Petya, which total roughly $6775.
 

Petya! Petya! Another Worldwide Ransomware Attack

 

Screenshots of the latest Petya infection, shared on Twitter, shows that the ransomware displays a text, demanding $300 worth of Bitcoins. Here's what the text read:
     
"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

According to a recent VirusTotal scan, currently, only 16 out of 61 anti-virus services are successfully detecting the Petya ransomware malware.

Petya Ransomware Hits Banks, Telecom, Businesses & Power Companies

Petya ransomware has already infected — Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, "Kyivenergo" and "Ukrenergo," in past few hours.

    "We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine's Security Service (SBU) to switch them back on," Kyivenergo's press service said.

There are reports from several banks, including National Bank of Ukraine (NBU) and Oschadbank, as well as other companies confirming they have been hit by the Petya ransomware attacks.

Maersk, an international logistics company, has also confirmed on Twitter that the latest Petya ransomware attacks have shut down its IT systems at multiple locations and business units.

    "We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently asserting the situation. The safety of our employees, our operations and customers' business is our top priority. We will update when we have more information," the company said.

The ransomware also impacts multiple workstations at Ukrainian branch's mining company Evraz.

The most severe damages reported by Ukrainian businesses also include compromised systems at Ukraine's local metro and Kiev's Boryspil Airport.

Three Ukrainian telecommunication operators, Kyivstar, LifeCell, Ukrtelecom, are also affected in the latest Petya attack.

How Petya Ransomware Spreading So Fast?

Symantec, the cyber security company, has also confirmed that Petya ransomware is exploiting SMBv1 EternalBlue exploit, just like WannaCry, and taking advantage of unpatched Windows machines.

"Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)," security researcher using Twitter handle ‏HackerFantastic tweeted.

EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April data dump, who claimed to have stolen it from the US intelligence agency NSA, along with other Windows exploits.

Microsoft has since patched the vulnerability for all versions of Windows operating systems, but many users remain vulnerable, and a string of malware variants are exploiting the flaw to deliver ransomware and mine cryptocurrency.

Just three days ago, we reported about the latest WannaCry attack that hit Honda Motor Company and around 55 speed and traffic light cameras in Japan and Australia, respectively.

Well, it is quite surprising that even after knowing about the WannaCry issue for quite a decent amount of time, big corporates and companies have not yet implemented proper security measures to defend against such threat.

How to Protect Yourself from Ransomware Attacks

What to do immediately? Go and apply those goddamn patches against EternalBlue (MS17-010) and disable the unsecured, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers.

Since Petya Ransomware is also taking advantage of WMIC and PSEXEC tools to infect fully-patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line).

Prevent Infection & Petya Kill-Switch

Researcher finds Petya ransomware encrypt systems after rebooting the computer. So if your system is infected with Petya ransomware and it tries to restart, just do not power it back on.

    "If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine." ‏HackerFantastic tweeted. "Use a LiveCD or external machine to recover files"

PT Security, a UK-based cyber security company and Amit Serper from Cybereason, have discovered a Kill-Switch for Petya ransomware. According to a tweet, company has advised users to create a file i.e. "C:\Windows\perfc" to prevent ransomware infection.

To safeguard against any ransomware infection, you should always be suspicious of unwanted files and documents sent over an email and should never click on links inside them unless verifying the source.

To always have a tight grip on your valuable data, keep a good back-up routine in place that makes their copies to an external storage device that isn't always connected to your PC.

Moreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. Most importantly, always browse the Internet safely.

Apart from this, many victims have also informed that Petya ransomware has also infected their patch systems.

"Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit." Mikko Hypponen confirms, Chief Research Officer at F-Secure.

Petya is a nasty piece of ransomware and works very differently from any other ransomware malware. Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Petya ransomware replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

Don't Pay Ransom, You Wouldn’t Get Your Files Back 

Infected users are advised not to pay the ransom because hackers behind Petya ransomware can’t get your emails anymore.

Posteo, the German email provider, has suspended the email address i.e. wowsmith123456@posteo.net, which was behind used by the criminals to communicate with victims after getting the ransom to send the decryption keys.

At the time of writing, 23 victims have paid in Bitcoin to '1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX' address for decrypting their files infected by Petya, which total roughly $6775.

Petya! Petya! Another Worldwide Ransomware Attack

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.

The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month.

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.

The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month.

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.

The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month.

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.

The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month.

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.

The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month.

Read More

how to delete windows.old folder and files (windows 10)

in this video, i have shown you "how to remove windows.old in windows 10" but this same method will work for "deleting windows.old folder in windows 8.1, windows 7.

Every time you upgrade your PC from an older version of Windows to Windows 10 without first formatting the hard drive, or when you install a new Windows Insider Preview test build, the install wizard will save a copy of the previous version inside of the "Windows.old" folder on your computer.

What is Windows.old?

it’s important to note first that Windows.old isn’t a new feature in Windows 10; it’s been part of the Windows upgrade process since Windows Vista and it serves an important role. The Windows.old folder contains important system and user files that let a user roll back an upgrade or Windows re-install to the previous version, either because something went wrong during the upgrade process or because the user later discovers an incompatibility with their software or hardware in the new version and needs to revert to the old version in order to restore functionality.

The reason that many users are seeing the Windows.old folder for the first time now is because this folder is only created during a true Windows upgrade, and the vast majority of users have not needed to perform such an upgrade in the past. Generally speaking, most users acquire a version of Windows when they buy a new PC, use that version until the PC dies or needs to be replaced, and then acquire a new version of Windows that’s pre-installed on their next PC. Because Windows 10 is a free upgrade for most Windows 7 and Windows 8.1 users, however, many PC owners are performing a complete upgrade of Windows for the first time and discovering Windows.old.

Therefore, due to its importance in helping you roll back a Windows upgrade, don’t delete the Windows.old folder if you’re still testing your hardware and software compatibility with Windows 10, as you won’t be able to easily revert back to Windows 7 or Windows 8.1 if you do. But also note that you don’t have an unlimited amount of time for this process: Windows itself will automatically delete the Windows.old folder about 30 days after the upgrade if no compatibility problems have been detected, so be sure to conduct thorough testing of Windows 10 as quickly as possible after upgrading.

As i just mentioned above, you can let Windows delete the Windows.old folder for you after a month or so, but that’s a long time to wait if you’re sure that your upgrade to Windows 10 completed successfully and your hardware and software are operating normally. This is especially true for users with smaller hard drives, as the Windows.old folder can be quite large.

So, to reiterate, if you’re sure that your Windows 10 upgrade completed successfully and you feel confident that you won’t need to roll back to Windows 7 or Windows 8.1, you can delete the Windows.old folder with the above steps. but in my case i upgraded my pc to the latest version 1703 which is currently available, and you are very sure that you do not want to rollback Windows to an earlier installation, then you may run Disk Cleanup Tool to remove previous Windows installations after the Windows Upgrade and free up disk space.

Read More

Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back

South Korean web hosting provider has agreed to pay $1 million in bitcoins to hackers after a Linux ransomware infected its 153 servers, encrypting 3,400 business websites and their data, hosted on them.

According to a blog post published by NAYANA, the web hosting company, this unfortunate event happened on 10th June when ransomware malware hit its hosting servers and attacker demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files.

However, the company later negotiated with the cyber criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get their files decrypted.

The hosting company has already paid two installments at the time of writing and would pay the last installment of ransom after recovering data from two-third of its infected servers.

According to the security firm Trend Micro, the ransomware used in the attack was Erebus that was first spotted in September last year and was seen in February this year with Windows’ User Account Control bypass capabilities.

Since the hosting servers were running on Linux kernel 2.6.24.2, researchers believe that Erebus Linux ransomware might have used known vulnerabilities, like DIRTY COW; or a local Linux exploits to take over the root access of the system.

“The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack,” researchers note.

“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.”

Erebus, the ransomware primarily targeting users in South Korea, encrypts office documents, databases, archives, and multimedia files using the RSA-2048 algorithm and then appends them with a .ecrypt extension before displaying the ransom note.

“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” researchers say. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2018 algorithm that is also stored in the file.”

The public key which is generated locally is shared, while the private key is encrypted using AES encryption and another randomly generated key.

According to analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.

So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against Ransomware is to create awareness within the organizations, as well as to maintain back-ups that are rotated regularly.

Most viruses are introduced by opening infected attachments or clicking on links to malware usually in spam emails. So, DO NOT CLICK on links provided in emails and attachments from unknown sources.

Moreover, ensure that your systems are running the latest version of installed applications.  

Read More

how to draw a line at an angle in autocad

if you want to learn "how to draw a line at angle to another line using Polar Coordinate system in autocad 2018 with an example" then you came to right place because here you will find "AutoCAD line command tutorial with example".

there are basically 4 methods to draw line in autocad and i have already shown two methods in previous tutorial, and i this video i have shown one method to "draw angled line in autocad 2018".
which is:

1) polar coordinate system in autocad

In the polar coordinate system, you define the location of a point by entering two values: distance from the previous point    and angle from the zero degrees. You enter the distance value along with the @ symbol and angle value with the "Greater than"symbol. You have to make a note that AutoCAD measures the angle in anti-clockwise direction.

and in this video you will also learn to measure angle between two lines in autocad 2018.

• Overview of line command of autocad which i have explained in previous tutorial of autocad 2018

Command/Shortcut: LINE / L
Location: Draw - Line

The Line command draws a straight line from one point to another. When you pick the start point of the line, you need to specify the endpoint of the line segment on screen. You can either continue to specify additional line segments or end the line there. If you want to undo a previous line, enter U at the prompt. To end the command, you can press Enter or ESC, or enter C to close a series of line segments.

You can choose to pick the position of your lines by using your mouse to click on the screen. If you want to be more precise, you can use coordinates instead. When you type LINE or L into the command window and press Enter, you’ll be prompted to specify a point location by using coordinates.

Read More

New Fileless Ransomware with Code Injection Ability Detected in the Wild

It is no secret that hackers and cybercriminals are becoming dramatically more adept, innovative, and stealthy with each passing day.

While new forms of cybercrime are on the rise, traditional activities seem to be shifting towards more clandestine techniques that come with limitless attack vectors with low detection rates.

Security researchers have recently discovered a new fileless ransomware, dubbed "Sorebrect," which injects malicious code into a legitimate system process (svchost.exe) on a targeted system and then self-destruct itself in order to evade detection.

Unlike traditional ransomware, Sorebrect has been designed to target enterprise's servers and endpoint. The injected code then initiates the file encryption process on the local machine and connected network shares.

This fileless ransomware first compromises administrator credentials by brute forcing or some other means and then uses Microsoft’s Sysinternals PsExec command-line utility to encrypt files.

"PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive login session, or manually transferring the malware into a remote machine, like in RDPs," Trend Micro says.

Sorebrect Also Encrypts Network Shares

Sorebrect also scans the local network for other connected computers with open shares and locks files available on them as well.

"If the share has been set up such that anyone connected to it has read-and-write access to it, the share will also be encrypted," researchers say.

The nasty ransomware then deletes all event logs (using wevtutil.exe) and shadow copies (using vssadmin) on the infected machine that could provide forensic evidence such as files executed on the system and their timestamps, which makes this threat hard-to-detect.

In addition, Sorebrect uses the Tor network protocol in an attempt to anonymize its communication with its command-and-control (C&C) server, just like almost every other malware.

Sorebrect Ransomware Spreads Worldwide

The Sorebrect fileless ransomware has been designed to target systems from various industries including manufacturing, technology, and telecommunications.

According to Trend Micro, Sorebrect was initially targeting Middle Eastern countries like Kuwait and Lebanon, but from last month, this threat has started infecting people in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.

"Given ransomware’s potential impact and profitability, it wouldn’t be a surprise if SOREBRECT turns up in other parts of the world, or even in the cybercriminal underground where it can be peddled as a service," the researchers note.

This is not the first time when researchers have come across Fileless malware. Two months ago, Talos researchers discovered a DNSMessenger attack that was completely Fileless and used DNS TXT messaging capabilities to compromise systems.

In February, Kaspersky researchers also discovered fileless malware that resided solely in the memory of the compromised computers, which was found targeting banks, telecommunication companies, and government organizations in 40 countries.

Ways to Protect Against Ransomware Attacks

Since the ransomware does not target individuals but organizations, sysadmins and information security professionals can protect themselves by:

• Restricting user write permissions: a significant factor that exposes network shares to ransomware by giving users full permissions.
• Limiting privilege for PsExec: Limit PsExec and provide permission to run them only to system administrators.
• Keeping your system and network up-to-date: Always keep your operating system, software, and other applications updated.
• Backing up your data regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.
• Adopting a cyber security-aware workforce: Educating your employees about malware, threat vectors and security measure always plays a major role in any organization.

  

Read More

25-Year-Old Hacker Pleads Guilty to Hacking U.S. Military Satellite Phone System

A British computer hacker who allegedly hacked a United States Department of Defense satellite system in 2014 and accessed the personal information of hundreds of military personnel has pleaded guilty on Thursday.

Sean Caffrey, a 25-year-old resident of Sutton Coldfield in the West Midlands, has admitted to breaking into a US military communications system in June 2014 and stealing usernames and email addresses of over 800 employees and data from 30,000 satellite phones, the UK's National Crime Agency announced on Thursday.

The UK authorities arrested Caffrey in March 2015 after they traced back the hack to his home IP address, which indicates the hacker did not use any anonymity service, such as VPN, proxy or Tor, to hide its track.

The NCA officials also discovered that an online messaging account linked to the Pentagon satellite system attack was opened and operated from Caffrey's computer.

After a forensic examination of his seized computers, the investigators discovered the stolen data related to the United States DoD satellite on the hard drives.

However, the U.S. government did not say exactly how Caffrey successfully carried out the hack.

According to the NCA's March 2014 press release, evidence of the DoD breach was shared on Pastebin (which is still online) along with a text message referencing Lizard Squad, a hacking group that's responsible for many high-profile attacks, including Xbox Live and PlayStation.

"ISIS WARRIORS UNVEIL - We smite the Lizards, LizardSquad your time is near. We're in your bases, we control your satellites," the Pastebin post read. "The missiles shall rein upon thy who claim alliance, watch your heads. TOP THE AIR-STRIKES OR WE WILL DO AS YOU DO! "

Caffrey pleaded guilty at Birmingham Crown Court Thursday to one offense under the Britain's anti-hacking law, the Computer Misuse Act.

According to the U.S. Defence Department, the breach cost the Pentagon about $628,000 to fix the damages caused by the Caffrey's intrusion.

"After strong partnership working between the NCA, the FBI and the DoD's Defense Criminal Investigative Service there was very clear, very compelling evidence against Sean Caffrey," said Janey Young, investigations manager at the NCA. 

"No one should think that cyber crime is victimless or that they can get away with it. The NCA has people with skills like Caffrey's, but they're doing the opposite to him in detecting cyber criminals and bringing them to justice."

The FBI and the Department of Defense collaborated in the investigation with the UK officials.

Caffery is scheduled to appear before the judge for sentencing on 14 August.  

Read More

Dangerous Malware Discovered that Can Take Down Electric Power Grids

Last December, a cyber attack on Ukrainian Electric power grid caused the power outage in the northern part of Kiev — the country's capital — and surrounding areas, causing a blackout for tens of thousands of citizens for an hour and fifteen minutes around midnight.

Now, security researchers have discovered the culprit behind those cyber attacks on the Ukrainian industrial control systems.

Slovakia-based security software maker ESET and US critical infrastructure security firm Dragos Inc. say they have discovered a new dangerous piece of malware in the wild that targets critical industrial control systems and is capable of causing blackouts.

Dubbed "Industroyer" or "CrashOverRide," the grid-sabotaging malware was likely to be used in the December 2016 cyber attack against Ukrainian electric utility Ukrenergo, which the security firms say represents a dangerous advancement in critical infrastructure hacking.

According to the researchers, CrashOverRide is the biggest threat designed to disrupt industrial control systems, after Stuxnet — the first malware allegedly developed by the US and Israel to sabotage the Iranian nuclear facilities in 2009.

This Malware Does Not Exploit Any Software Flaw

 

Unlike Stuxnet worm, the CrashOverRide malware does not exploit any "zero-day" software vulnerabilities to do its malicious activities; instead, it relies on four industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems.

The CrashOverRide malware can control electricity substation' switches and circuit breakers, designed decades ago, allowing an attacker to simply turning off power distribution, cascading failures and causing more severe damage to equipment.

Industroyer malware is a backdoor that first installs four payload components to take control of switches and circuit breakers; and then connects to a remote command-and-control server to receive commands from the attackers.

"Industroyer payloads show the authors' in-depth knowledge and understanding of industrial control systems." ESET researchers explain.

"The malware contains a few more features that are designed to enable it to remain under the radar, to ensure the malware's persistence, and to wipe all traces of itself after it has done its job."

Since there have been four malware discovered in the wild to date that target industrial control systems, including Stuxnet, Havex, BlackEnergy, and CrashOverRide; Stuxnet and CrashOverRide were designed only for sabotage, while BlackEnergy and Havex were meant for conducting espionage.

"The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages," reads Dragos analysis [PDF] of the malware.

Malware Can Cause Wider and Longer-Lasting Blackouts

The analysis of the malware suggests CrashOverRide could cause power outages far more widespread, sophisticated and longer lasting than the one Ukraine suffered last December.

Dragos CEO Robert M. Lee said the CrashOverRide malware is capable of causing power outages that can last up to a few days in portions of a country's electric grid, but it is not capable enough to bring down the entire grid of a nation.

  

The malware includes interchangeable, plug-in components that could allow CrashOverRide to be altered to different electric power utilities or even launched simultaneous attacks on multiple targets.

"CrashOverRide is not unique to any particular vendor or configuration and instead leverages knowledge of grid operations and network communications to cause impact; in that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia," Dragos' paper reads. 

"CrashOverRide is extensible and with a small amount of tailoring such as the inclusion of a DNP3 [Distributed Network Protocol 3] protocol stack would also be effective in the North American grid."

According to the researchers, the malware can be modified to target other types of critical infrastructure, like transportation, gas lines, or water facilities, as well with additional protocol modules.

The security firms have already alerted government authorities and power grid companies about the dangerous threat, along with some advises that could help them to defend against this threat.

The security firms already argued that the 2016 power outage was likely caused by the same group of hackers who caused 2015 blackout — Sandworm, a state-sponsored hacking group believed to be from Russia.

Dragos tracked the perpetrators behind CrashOverRide as Electrum and assessed "with high confidence through confidential sources that Electrum has direct ties to the Sandworm team."

The security firms have already alerted government authorities and power grid companies about the dangerous threat, along with some advises that could help them to defend against this threat. 

Read More

how to install all drivers on windows 10 / windows 8 / windows 7 without cd after formatting with offline driver installer software on a new pc 2017

if  you just formatted your windows 7, windows 8.1 & windows 10 laptop/pc and within the format you lost all your drivers. Now you realise that you dont even have the basic network drivers to get internet access onto the laptop/pc. The laptop also has no optimal drive so using a CD is out of the question as well. then you must be in big trouble,but do not worry because i gave solution of this problem in this video

you can get driver pack from https://drp.su/download.htm

DriverPack Solution Offline is a program that automates the process of installing hardware drivers. No longer do you have to deal with any more problems regarding searching for the right drivers and then installing them as this software will allow you to install all the required drivers on any Windows-based computer (from XP onwards) with just a few clicks of the mouse. It also supports 64 bit systems. The program is designed to be used by anyone from home users to system administrators, offering you an easy, quick and efficient way of installing the correct drivers for the devices attached to your computer and then keeping them up to date. This software also has the widest range of support, covering all sorts of devices including USB devices, PCI, ACPI, PNP and much more. When you start using the software, the driver installation process will be fully automated, and since it already contains a comprehensive database of drivers, you don't even need to be connected to the Internet at the time.

- overview of DriverPack Offline driver installer setup:

• Driver Installation: Automatically install all the drivers on any computer.

• Driver updates: Update the existing drivers to the newest versions.

• Drivers around the world: Once downloaded and no longer waste time. All drivers in your pocket!

• DriverPack Solution Offline is suitable for all models of computers and laptops:Asus, Acer, Sony,

Samsung, HP, Lenovo, Toshiba, Fujitsu-Siemens, DELL, eMachines, MSI...

• DriverPack Solution Offline contains the drivers for all devices:Motherboard, Sound Card, Video Card, Network Card, Wi-Fi, Chipset, Controller, Bluetooth, Modem, Web-camera, Card Reader, CPU, Input Device, Monitor, Printer, Scanner, USB, Other...

Note: The file you download is .torrent file that you can use with any torrent client (uTorrent, qBitTorrent, Deluge or Tixati) to download the whole file that is a little over 10GB. and it is completely legal to download driver from torrent.

• How Outdated Drivers Can Lead to Poor PC Performance:-

There are all kinds of computer jargon getting thrown around: RAM, beta, gigabytes, drivers and many, many more. Of these, drivers often get overlooked. They are an indispensible part of your computer and everything you plug into it. For your PC and hardware devices, such as your sound card, webcam or digital video recorder, to work at their best, you need to have the correct drivers.

• What are drivers?

:- Whether classified as device drivers or software drivers, they are small software programs. Drivers are crucial to the communication between your hardware devices, software and operating system. Hardware, such as scanners, requires specialized commands, but software sends more generic instructions. When you hit print in Microsoft Word, the command is translated by the driver into a command that the printer understands.

If you do not have the correct drivers, then the communication between your devices, the software and operating system can be non-existent or muddled. Some devices might function in what is called "generic mode" without drivers. For example, your display might perform only in low resolution mode. This means you are not getting your money's worth out of the investment you made in your hardware.

Each driver is specific to a certain piece of hardware or even a certain model of it. You need to have a driver for almost everything you plug into your computer. If you upgrade your operating systems, purchase a new computer or if your hard drive crashes, you will need to install the correct drivers. There are a variety of ways to do this, however often the easiest method is to invest in software that will help you identify which drivers you need and help you locate them.

• Why you need the latest drivers?

There are a number of reasons why it is important to download the latest drivers available for your hardware devices or software. For one, they will help ensure your system continues to be stable and operate smoothly. Like everything else on your system, drivers are susceptible to corruption. If this occurs, to your modem driver for example, your internet connection will not work properly.

Brian Vizina of Gecko Technologies Consulting Ltd. in Victoria, B.C., says updating drivers typically fixes known conflicts with other drivers. He has found that the driver is the culprit of computer problems at least 50 per cent of the time.

Companies often update their drivers more than once a year. A major reason for an updated driver to be released is to fix a bug. This obviously will enhance your equipment's performance. As well, updated drivers can bring with them new features.

While drivers might not be the most glamorous parts of your computer, they are absolutely vital. By ensuring you have the most up-to-date drivers, you can be sure to get the most out of your PC.

Read More

22 Apple Distributors Arrested for Selling Customers’ Data in $7.4 Million

Chinese authorities have announced the arrest of around 22 distributors working as Apple distributors as part of a $7 million operation, who stole customers’ personal information from an internal Apple database and illegally sold it to Chinese black market vendors.

According to a report from Chinese media, this underground network reportedly consisted of employees working in direct Apple suppliers, and other outsource firms in the Zhejiang, a province in eastern China.

These employees had access to Apple databases along with other tools containing sensitive information about its customers.

They allegedly used their company's internal computer system to gather data includes usernames, email addresses, phone numbers, and Apple IDs, and then sold it in the underground market for between 10 yuan ($1.47) and 80 yuan ($11.78) per data point.

So far, the network has made a total of 50 million yuan (around $7.36 million). However, it is unclear if the data sold by the suspects belonged to only Chinese Apple users or users elsewhere as well.

Much details about the arrest have not been revealed by the Chinese authorities at this moment, though the police statement suggests the Chinese authorities across four provinces, including Guangdong, Jiangsu, Zhejiang, and Fujian, arrested 22 suspects over the weekend, following a few months of investigation.

The authorities dismantled their online network and seized all "criminal tools," and announced Thursday that the suspects have been "detained on suspicion of infringing individuals’ privacy and illegally obtaining their digital personal information."

Wondering how this spamming operation can affect you?

As I mentioned above, your personal data is profitable both for marketing companies to deliver targeted advertisements to you, and for hackers to carry out malicious hacking campaigns, including phishing attacks and other email scams.

Police are trying to capture and destroy the scammers' network, but users are advised to be vigilant while opening attachments in emails, clicking links in messages from unknown numbers and giving out any details on phone calls.   

Read More

First Android-Rooting Trojan With Code Injection Ability Found On Google Play Store

A new Android-rooting malware with an ability to disable device’ security settings in an effort to perform malicious tasks in the background has been detected on the official Play Store.

What's interesting? The app was smart enough to fool Google security mechanism by first pretending itself to be a clean app and then temporarily replacing it with a malicious version.

Security researchers at Kaspersky Lab discovered a new piece of Android rooting malware that was being distributed as gaming apps on the Google Play Store, hiding behind puzzle game "colourblock," which was being downloaded at least 50,000 times prior to its removal.

Dubbed Dvmap, the Android rooting malware disables device's security settings to install another malicious app from a third-party source and also injects malicious code into the device system runtime libraries to gain root access and stay persistent.

"To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for short period of time," the researchers said. 

"Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May."

Here's How Dvmap Malware Works

 

Dvmap Trojan works on both 32-bit and 64-bit versions of Android, which once installed, attempts to gain root access on the device and tries to install several modules on the system including a few written in Chinese, along with a malicious app called "com.qualcmm.timeservices."

To make sure the malicious module gets executed with system rights, the malware overwrites system's runtime libraries depending on which Android version the device is running.

To complete the installation of the above-mentioned malicious app, the Trojan with system rights turns off "Verify Apps," feature and modify system setting to allow app installation from 3rd party app stores.

"Furthermore, it can grant the "com.qualcmm.timeservices" app Device Administrator rights without any interaction with the user, just by running commands. It is a very unusual way to get Device Administrator rights," the researchers said.

This malicious 3rd party app is responsible for connecting the infected device to the attacker's command-and-control server, giving out full control of the device into the hands of attackers.

However, the researchers said, they haven't noticed any commands received by the infected Android devices so far, so it's unclear "what kind of files will be executed, but they could be malicious or advertising files."

How to Protect Yourself Against Dvmap Malware

Researchers are still testing the Dvmap malware, but meanwhile, advise users who installed the puzzle game in question to back up their device's data and perform a full factory data reset in an effort to mitigate the malware.

To prevent yourself from being targeted by such apps, always beware of fishy apps, even when downloading from Google Play Store, and try to stick to the trusted brands only. Moreover, always look at the comments left by other users.

Always verify app permissions before installing any app and grant only those permissions which have relevant context for the app's purpose.

Last but not the least, always keep a good antivirus app on your device that can detect and block such malware before it can infect your device and keep it up-to-date. 

Read More

Hard-coded Passwords Make Hacking Foscam ‘IP Cameras’ Much Easier

Security researchers have discovered over a dozen of vulnerabilities in tens of thousands of web-connected cameras that can not be protected just by changing their default credentials.

Vulnerabilities found in two models of IP cameras from China-based manufacturer Foscam allow attackers to take over the camera, view video feeds, and, in some cases, even gain access to other devices connected to a local network.

Researchers at security firm F-Secure discovered 18 vulnerabilities in two camera models — one sold under the Foscam C2 and other under Opticam i5 HD brand — that are still unpatched despite the company was informed several months ago.

In addition to the Foscam and Opticam brands, F-Secure also said the vulnerabilities were likely to exist in 14 other brands that use Foscam internals, including Chacon, 7links, Netis, Turbox, Thomson, Novodio, Nexxt, Ambientcam, Technaxx, Qcam, Ivue, Ebode and Sab.

The flaws discovered in the IP cameras includes:

• Insecure default credentials
• Hard-coded credentials
• Hidden and undocumented Telnet functionality
• Remote Command Injections
• Incorrect permissions assigned to programming scripts
• Firewall leaking details about the validity of credentials
• Persistent cross-site scripting
• Stack-based Buffer overflow attack

Changing Default Credentials Won't Help You

 Usually, users are always advised to change the default credentials on their smart devices, but in this case, Foscan is using hard-coded credentials in cameras, so attackers could bypass passwords even if users set a unique one.

"Credentials that have been hard-coded by the manufacturer cannot be changed by the user. If the password is discovered and published on the internet (which often happens) attackers can gain access to the device. And as all devices have the same password, malware attacks such as worms can easily spread between devices," reads a report [PDF] released Wednesday by F-Secure.

These issues could allow an attacker to perform a wide range of attacks, which includes gaining unauthorized access to a camera, accessing private videos, performing remote command injection attacks, using compromised IP cameras for DDoS or other malicious activities, and compromising other devices in the same network.

Hidden and undocumented Telnet functionality could help attackers use Telnet to discover "additional vulnerabilities in the device and within the surrounding network."

Gaining Persistent Remote Access to the Affected Camera

Three vulnerabilities, including built-in file transfer protocol server that contains an empty password that can't be changed by the user, a hidden telnet function and incorrect permissions assigned to programming scripts, could be exploited by attackers to gain persistent remote access to the device.

"The empty password on the FTP user account can be used to log in. The hidden Telnet functionality can then be activated. After this, the attacker can access the world-writable (non-restricted) file that controls which programs run on boot, and the attacker may add his own to the list," F-Secure researchers says. 

"This allows the attacker persistent access, even if the device is rebooted. In fact, the attack requires the device to be rebooted, but there is a way to force a reboot as well."

No Patch Despite being Alerted Several Months Ago

The security firm said it notified of the vulnerabilities to Foscam several months ago, but received no response. Since the security camera maker has not fixed any of the vulnerabilities to date, F-Secure has not released proof-of-concept (PoC) exploits for them.

According to F-Secure, these type of insecure implementation of devices and ignorance of security allowed the Mirai malware to infect hundreds of thousands of vulnerable IoT devices to cause vast internet outage last year by launching massive DDoS attacks against Dyn DNS provider.

In order to protect yourself, you need to be more vigilant about the security of your Internet-of-Thing (IoT) devices because they are dumber than one can ever be.

Researchers advised users who are running one of these devices to strongly consider running the device inside a dedicated local network that's unable to be reached from the outside Internet and isolate from other connected devices.

As a best practice, if you've got any internet-connected device at home or work, change its credentials if it still uses default ones. But changing default passwords won't help you in this case, because Foscam IP cameras are using hard-coded credentials.   

Read More

Over 8,600 Vulnerabilities Found in Pacemakers

"If you want to keep living, Pay a ransom, or die." This could happen, as researchers have found thousands of vulnerabilities in Pacemakers that hackers could exploit.

Millions of people that rely on pacemakers to keep their hearts beating are at risk of software glitches and hackers, which could eventually take their lives.

A pacemaker is a small electrical battery-operated device that's surgically implanted in the chest to help control the heartbeats. This device uses low-energy electrical pulses to stimulate the heart to beat at a normal rate.

While cyber security firms are continually improving software and security systems to protect systems from hackers, medical devices such as insulin pumps or pacemakers are also vulnerable to life-threatening hacks.

In a recent study, researchers from security firm White Scope analysed seven pacemaker products from four different vendors and discovered that they use more than 300 third-party libraries, 174 of which are known to have over 8,600 vulnerabilities that hackers could exploit in pacemaker programmers.

"Despite efforts from the FDA to streamline routine cyber security updates, all programmers we examined had outdated software with known vulnerabilities," the researchers wrote in a blog post about the study.

"We believe that this statistic shows that the pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date. No one vendor really stood out as having a better/worse update story when compared to their competitors."

The White Scope analysis covered implantable cardiac devices, home monitoring equipment, pacemaker programmers, and cloud-based systems to send patient's vital data over the Internet to doctors for examining.

  

All of the programmers examined by the security firm had outdated software with known vulnerabilities, many of which run Windows XP.

What's even more frightening? Researchers discovered that the Pacemaker devices do not authenticate these programmers, which means anyone who gets their hands on an external monitoring device could potentially harm heart patients with an implanted pacemaker that could harm or kill them.

Another troubling discovery by researchers is with the distribution of pacemaker programmers.

Although the distribution of pacemaker programmers is supposed to be carefully controlled by the manufacturers of pacemaker devices, the researchers bought all of the equipment they tested on eBay.

So, any working tool sold on eBay has the potential to harm patients with the implant. Yikes!

"All manufacturers have devices that are available on auction websites," the researchers said. "Programmers can cost anywhere from $500-$3000, home monitoring equipment from $15-$300, and pacemaker devices $200-$3000."

What's more? In some cases, researchers discovered unencrypted patients' data stored on the pacemaker programmers, including names, phone numbers, medical information and Social Security numbers (SSNs), leaving them wide open for hackers to steal.

Another issue discovered in the pacemaker systems is the lack of the most basic authentication process: login name and password, allowing the physicians to authenticate a programmer or cardiac implant devices without even have to enter a password.

This means anyone within range of the devices or systems can change the pacemaker's settings of a patient using a programmer from the same manufacturer.

Matthew Green, a computer science assistant professor at Johns Hopkins, pointed out on Twitter that doctors are not willing to let security systems block patient care. In other words, the medical staff shouldn't be forced to log in with credentials during an emergency situation.

"If you require doctors to log into a device with a password, you will end up with a post-it note on the device listing the password," Green said.

The list of security vulnerabilities the researchers discovered in devices made by four vendors includes hardcoded credentials, unsecured external USB connections, the failure to map the firmware to protected memory, lack of encrypted pacemaker firmware updates, and using universal authentication tokens for pairing with the implanted device.

White Scope has already contacted the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), so the manufacturers of the tested devices can address the flaws.  

Read More