CEO stalked by hacker group, company taken down; free BlackBerry devices loaded with snooping software handed out to rival politicians; New York Stock Exchange, United Airlines and Wall Street Journal go offline all within a few hours of each other; unsurprising revelations about the UK police seeking out spying software and more.
Shock, horror - UK police keen to hack
Italian cyber security firm Hacking Team was hacked recently, throwing a light on the murky waters it operates in.
A bona fide spyware outfit, the company has long been probed by journalists for its record of selling its spyware to repressive regimes.
The company’s controversial technology is sold to governments around the world, enabling them to infect smartphones and computers with malware to covertly record conversations and steal data.
Hackers got into its systems and dumped a massive trove of emails and documents online revealing that some of its clients included organizations from Mexico, Italy, Morocco, Saudi Arabia, Chile, Hungary, Malaysia, UAE and the United States.
Of course it’s embarrassing for Hacking Team: the documents reveal how the company buys zero-day exploits from hackers, paying up to £30,000 in one case, and its dealings with outfits that have notorious reputations for being ‘death squads.’
There are also some interesting revelations about its dealings with the UK police. The Metropolitan Police wanted “software that can be covertly introduced to a third party device and will allow us to ‘Look, Listen and Follow’ the third party.”
But the deal was halted in May 2014 following “internal reviews on how we wished to move this area of technology forward.”
Hacking Team tried – and apparently failed – to set up a deal with Staffordshire Police after an officer contacted the company seeking technology to “access Wi-Fi points to check users” and infect devices to covertly collect data.
And in January 2015 it began negotiating with the British National Crime Agency. The meeting was a success, with an officer for the agency telling Hacking Team that a demonstration of the covert surveillance technology “was extremely well received and proved to be a real eye opener for what can be achieved.”
A few months later the NCA police officer requested a quote and Hacking Team discussed internally whether it could sell its technology disguised under a different name, “hiding” its full functionality.
However, it seems that all these approaches by the UK police came to nothing. For instance, a follow-up email by the NCA to Hacking Team said it was “unable to arrange” a meeting.
This is a speculative opinion but it would seem that the UK police haven’t pursued the deals to conclusion because they have discovered they might actually be subverting the law by engaging in indiscriminate snooping.
However, the intent is clearly there: take, for example, the officer who wanted to “access Wi-Fi points to check users.”
The danger in Hacking Team’s technology is the lack of accountability and moral responsibility of those who use it. In October 2012, for example, Bloomberg and Citizen Lab revealed the company’s technology had apparently been used to target a pro-democracy activist in the United Arab Emirates, who was tracked down and beaten by suspected agents of the state.
But instead of accepting responsibility and taking firm action against its customer, Hacking Team chose to issue a series of denials.
With customers who have unsavoury reputations we can only guess at the outcome for those being spied upon.
For instance, other documents reveal that a Hacking Team representative travelled to Bangladesh recently to demonstrate the company’s spy technology at the headquarters of a brutal paramilitary security agency known for torture and extrajudicial killings.
Hackers’ bank scam - up to $1 billion.
A security conference in Cancun, Mexico revealed that hackers have had direct access to banks’ infrastructure and collectively have taken part in scams that netted close to $1 billion.
The hackers relied on spear phishing, in which they sent emails from a fake account that looked familiar to bank workers.
Those emails infected computers with a form of malware called Carbanak and gave the gang entry into the internal network, allowing them to mimic the actions of workers responsible for the cash transfer systems.
The hackers then lurked unseen in the systems of more than 100 banks in 30 countries.
Working in stealth for months, the group learnt how each bank operated and used the knowledge to steal up to about $10 million in each raid, a sum just small enough to go nearly undetected in the daily shuffle of money.
The intended targets were mainly in Russia, followed by the United States, Germany, China and Ukraine, Kaspersky says.
One bank lost $7.3 million when its ATMs were programmed to deliver cash at certain times that villains would then collect, while a separate firm had $10 million taken via its online platform.
The attacks remain active two years after the thefts.
This is a timely reminder to ensure that you have up-to-date protection that will help identify and negate spear phishing emails and also keep your personal details safe.
Beware state governors bearing gifts
The fall-out from the Hacking Team hack has given the press a field day with lots of righteous baying at the underhand tricks, outrage at the out-and-out dishonesty and anger at the absolute lack of morality of the company – and quite rightly so.
So we thought we’d find an obscure, quirky and decidedly non-mainstream story about how far, courtesy of Hacking Team, unwarranted snooping has spread.
An online title called Sahara Reporters duly obliged. It ran a story on Seriake Dickson, governor of the Nigerian Bayelsa state, handing out free BlackBerry phones to people who he wanted to spy on.
Apparently Dickson’s targets were “people using the most advanced smartphones and latest Android and iOS, suggesting his targets were his political superiors, peers or associates.”
In theory, Dickson could have spied on Skype traffic, keystrokes, mails, messages, target positioning, files, screenshots, microphone eavesdropped data, and camera snapshots – pretty much everything really.
The tools were provided by Hacking Team.
United Airlines flights were grounded for 2 hours due to a "network connectivity issue"
All US flights on United Airlines were grounded for about two hours early on July 8 due to what the airline calls a "network connectivity issue" that kept airplanes out of the skies.
The airline said it “was recovering from a network connectivity issue [router]… and restoring regular flight operations.”
The glitch was reported to be the result of a computer system that couldn't provide verified passenger lists that are required before… take-offs. Some airport passengers were also unable to use check-in kiosks or apps prior to scheduled departure times.
In total, there were about 800 flight delays and 60 cancellations.
A few months earlier American Airlines flights were also delayed due to iPad digital flight bag malfunctions.
Apparently this delay was caused by a duplicate chart for Reagan National Airport in Washington, D.C., which was accidentally included in an iPad app. The app could not reconcile the presence of the duplicate chart, causing the app to become unresponsive for pilots who had 'favorited' National Airport.
Digital flight bags, including flight and airport maps, are a relatively new introduction in aeroplane cockpits. They are taking off, excuse the pun, at quite a pace and there’s a burgeoning software industry dedicated to creating them. Their use makes sense because they negate the need for bulky flight manuals. As such they are the latest addition to airlines’ networks.
However, as the latest glitch shows, nothing is perfect in the world of technology, and any belief that systems are infallible leaves all of us vulnerable.
Coincidence? New York Stock Exchange and the Wall Street Journal offline during United Airlines grounded flights
Ironically, suspiciously, or creepily coincidentally, both the New York Stock Exchange and the Wall Street Journal went offline at the same time as United Airlines grounded its flights.
The FBI said there was no connection and all organisations attributed the downtime to ‘glitches.’ The Department of Homeland Security also produced the same line.
If these statements are truthful, what does it say that vital transportation, financial and media companies, all heavily dependent on technology, experience disruptive ‘glitches’ in their busiest hours?
It seems like something that comes out of a global cyber game scenario.
NYSE President Tom Farley said a Securities and Exchange Commission software update that morning could have triggered the outage.
Why would an organisation like the NYSE leave a software update until just before it opens rather than carry out an overnight deployment, with time for testing and reversing the changes if needed?
It took the New York Stock Exchange more than three-and-a-half hours to resume trading, slowing Wall Street's usually furious pace.
There’s a conspiracy theory doing the rounds that it was a nation-state act of retaliation.
It’s believed the Wall Street Journal's outage was a result of the New York Stock Exchange's problems causing alarmed investors to rush to the WSJ’s website looking for information and consequently it buckled under the unprecedented surge.
Like a hacker – Madonna hacker gets 14 months
Israeli Adi Lederman, 39, an unsuccessful talent show competitor, has been handed a 14-month sentence in clink after he was found guilty of breaking into email servers used by Kevin Antunes, Madonna’s musical director, and Guy Oseary, her talent manager.
Access to the email accounts was used to seize control of online storage boxes, allowing him to steal tracks from the Papa Don't Preach (or should that be Papa Don’t Breach?) singer's cloud account.
Lederman then sold the music to two buyers for $300 each.
The pop diva released six songs from her Rebel Heart album early on iTunes as a damage-limitation exercise in the aftermath of the hack.
Lederman was nabbed by Israeli police about a month later. He admitted computer trespassing and copyright infringement and was also fined $4,000.
Madonna thanked the police.
A tale of smouldering cyber bitterness
A member of the notorious hacking group Lizard Squad has received a two-year suspended sentence after being convicted by a Finnish court of more than 50,000 charges related to hacking.
Julius Kivimaki, 17, was accused of playing a central role in the massive distributed denial of service (DDoS) attack in late 2014 that hit Microsoft's Xbox Live and Sony's PlayStation Network.
The fact that he didn’t go to prison raised a few hackles, especially in the US. Top of the list of outraged was John Smedley, the former CEO of Sony Entertainment.
He took particular umbrage that Kivimaki wasn’t sentenced to life, shackled, water-boarded and sent to Guantanamo, and in a tweet said:
“and he still has 15 other criminal cases awaiting prosecution in Finland. I may go after his parents in Civil court too. Little dirtbag.”
But then, of all people, Smedley has particular reason for ‘feeling the hate’ towards Kivimaki as he revealed in another tweet:
“that was the piece of garbage that brought my plane down, leaked my information and did all kinds of other crap to me.”
Kivimaki isn’t exactly imbued with humility and once said he was an "untouchable hacker god."
But if you read the following statement from Smedley you’ll understand what “all kinds of crap” actually means. It’s next to impossible not to feel sympathy for him:
“He was the guy that brought down my flight with a bomb threat. I’ve heard the entire recording where he convinced an airline customer service agent there was a bomb on the plane. He is also in conjunction with others has sent me pictures of my father’s grave with nasty stuff on it. I’ve had my entire credit history put out on the internet including my SSN and my families’ info. We’ve had multiple social networks and other things hacked and had my family members called.
“I’ve also been swatted (multiple times) and had over 50 false credit applications submitted in my name and had to deal with the ramifications of what happens to your credit when this kind of thing happens. It’s not good. And to top it all off they decided to submit false tax returns.”
And in another twist in this tale of smouldering bitterness, Smedley’s new company Daybreak Games was hit with a huge DDoS attack that’s left its flagship games in the lurch.
The DDoS attack was a surprise to no one and followed Smedley’s Twitter comments about Kivimaki.
Lizard Squad has previously been blamed for high-profile attacks on Facebook, Tinder, Amazon and the Malaysia Airlines website. The group also claimed responsibility for knocking the whole of North Korea offline for a 24-hour period in 2013.