SSD – Jupiter Broadcasting

“Two young men from North Carolina have been charged with their alleged connection to the hacking group “Crackas With Attitude.” The group gained notoriety when it hacked into the personal email account of CIA Director John Brennan last year and in the following weeks claimed responsibility for hacking the Department of Justice, email accounts of several senior officials, and other US government systems.”
“Andrew Otto Boggs, 22, who allegedly used the handle Incursio, or IncursioSubter, and Justin Gray Liverman, who is suspected of using the moniker D3f4ult, were arrested on Thursday, according to a press release by the US State’s Attorney’s Office in the Eastern District of Virginia.”
“Crackas With Attitude, or CWA, first sprung on the hacking scene when they broke into Brennan’s AOL email account in October 2015. The group distinguished itself for openly bragging about their exploits and for making fun of their victims online. After hacking into Brennan’s account, one of the members of the group, known as “Cubed,” said it was so easy “a 5 year old could do it.” After Brennan, the group targeted and hacked the accounts of Director Of National Intelligence James Clapper, a White House official, and others.”
“Much of the time, the group would use social engineering to gain access to accounts. In February, one member of the group explained to Motherboard how they broke into a Department of Justice system, by calling up the relevant help desk and pretending to be a new employee. That hack led in the exposure of contact information for 20,000 FBI and 9,000 DHS employees.”
“The group made heavy use of social media, and in particular Twitter, to spread news of the dumps and mock victims. However, according to the affidavit, Boggs allegedly connected to one of the implicated Twitter accounts (@GenuinelySpooky) from an IP address registered to his father, with whom Boggs lived. Much the same mistake led to Liverman’s identification: an IP address used to access the Twitter handle @_D3F4ULT and another account during the relevant time period was registered to an Edith Liverman. According to the affidavit, publicly available information revealed that Justin Liverman lived with Edith at the time.”
“The affidavit also includes several sets of Twitter direct messages between members of the group.”
Which suggests Twitter may have provided the government with that data, probably under a subpoena
“Liverman seemingly logged his conversations: according to the affidavit, law enforcement found copies of chats on his hard drive, including one where Liverman encouraged Cracka to publish the social security number of a senior US government official. These logs make up a large chunk of the affidavit, laying out the groups alleged crimes in detail, and investigators found other forensics data on Liverman’s computer too.”
It really goes to show how unsophisticated these attackers were

Discovering how Dropbox hacks your mac

“If you have Dropbox installed, take a look at System Preferences > Security & Privacy > Accessibility tab (see screenshot above). Notice something? Ever wondered how it got in there? Do you think you might have put that in there yourself after Dropbox asked you for permission to control the computer? No, I can assure you that your memory isn’t faulty. You don’t remember doing that because Dropbox never presented this dialog to you, as it should have”
“That’s the only officially supported way that apps are allowed to appear in that list, but Dropbox never asked you for that permission. I’ll get to why that’s important in a moment, but if you have the time, try this fascinating experiment: try and remove it.”
“That leaves a couple of questions. First, why does it matter, and second, is there any way to keep using Dropbox but stop it having access to control your computer?”
“There’s at least three reasons why it matters. It matters first and foremost because Dropbox didn’t ask for permission to take control of your computer. What does ‘take control’ mean here? It means to literally do what you can do in the desktop: click buttons, menus, launch apps, delete files… . There’s a reason why apps in that list have to ask for permission and why it takes a password and explicit user permission to get in there: it’s a security risk.”
“The list of authorization “rights” used by the system to manage this “policy based system” is held in /var/db/auth.db database, and a backup or default copy is retained in /System/Library/Security/authorization.plist.”
“The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.”
“In other words, if allow-root isn’t explicitly set, the default is that even a process with root user privileges does not have the right to perform that operation. Since that’s not specified in the default shown above, then even root couldn’t add Dropbox to the list of apps in Accessibility preferences. Is it possible then, that Dropbox had overridden this setting in the auth.db? Let’s go and check!””
Basically, by using sqlite directly, rather than the OS X tcc utility, you can override the policy, and add any apps you want to the whitelist. Or worse, any app running as root can do this without you even knowing
“I tested this with several of my own apps and found it worked reliably. It’ll even work while System Preferences is open, which is exactly the behaviour I saw with Dropbox. It remained to prove, though, that this was indeed the hack that Dropbox was using, and so I started to look at what exactly Dropbox did after being given an admin password on installation or launch. Using DetectX, I was able to see that Dropbox added a new folder to my /Library folder after the password was entered”
“As can be seen, instead of adding something to the PrivilegedHelperTools folder as is standard behaviour for apps on the mac that need elevated privileges for one or two specialist operations, Dropbox installs its own folder containing these interesting items”
“the deliciously named dbaccessperm file, we finally hit gold and the exact proof I was looking for that Dropbox was using a sql attack on the tcc database to circumvent Apple’s authorization policy”
“What I do suspect, especially in light of the fact that there just doesn’t seem to be any need for Dropbox to have Accessibility permissions, is that it’s in there just in case they want that access in the future. If that’s right, it suggests that Dropbox simply want to have access to anything and everything on your mac, whether it’s needed or not.”
“The upshot for me was that I learned a few things about how security and authorisation work on the mac that I didn’t know before investigating what Dropbox was up to. But most of all, I learned that I don’t trust Dropbox at all. Unnecessary privileges and backdooring are what I call untrustworthy behaviour and a clear breach of user trust. With Apple’s recent stance against the FBI and their commitment to privacy in general, I feel moving over to iCloud and dropping Dropbox is a far more sensible way to go for me.”
“For those of you who are stuck with Dropbox but don’t want to allow it access to Accessibility features, you can thwart Dropbox’s hack by following my procedure here”
Previous Article

Proprietors of vDoS, the DDoS for hire service, arrested

“Two young Israeli men alleged to be the co-owners of a popular online attack-for-hire service were reportedly arrested in Israel on Thursday. The pair were arrested around the same time that KrebsOnSecurity published a story naming them as the masterminds behind a service that can be hired to knock Web sites and Internet users offline with powerful blasts of junk data.”
“The pair were reportedly questioned and released Friday on the equivalent of about USD $10,000 bond each. Israeli authorities also seized their passports, placed them under house arrest for 10 days, and forbade them from using the Internet or telecommunications equipment of any kind for 30 days.”
“Huri and Bidani are suspected of running an attack service called vDOS. As I described in this week’s story, vDOS is a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline.”
“The two men’s identities were exposed because vDOS got massively hacked, spilling secrets about tens of thousands of paying customers and their targets. A copy of that database was obtained by KrebsOnSecurity.”
“For most of Friday, KrebsOnSecurity came under a heavy and sustained denial-of-service attack, which spiked at almost 140 Gbps. A single message was buried in each attack packet: “godiefaggot.” For a brief time the site was unavailable, but thankfully it is guarded by DDoS protection firm Prolexic. The attacks against this site are ongoing.”
“At the end of August 2016, the two authored a technical paper (PDF) on DDoS attack methods which was published in the Israeli security e-zine Digital Whisper. In it, Huri signs his real name and says he is 18 years old and about to be drafted into the Israel Defense Forces. Bidani co-authored the paper under the alias “Raziel.b7@gmail.com,” an email address that I pointed out in my previous reporting was assigned to one of the administrators of vDOS.”
“Sometime on Friday, vDOS went offline. It is currently unreachable. According to several automated Twitter feeds that track suspicious large-scale changes to the global Internet routing tables, sometime in the last 24 hours vDOS was apparently the victim of what’s known as a BGP hijack.”
“Reached by phone, Bryant Townsend, founder and CEO of BackConnect Security, confirmed that his company did in fact hijack Verdina/vDOS’s Internet address space. Townsend said the company took the extreme measure in an effort to get out from under a massive attack launched on the company’s network Thursday, and that the company received an email directly from vDOS claiming credit for the attack.”
““For about six hours, we were seeing attacks of more than 200 Gbps hitting us,” Townsend explained. “What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities.””
Krebs also got access to a large log file from the vdos site
“The file lists the vDOS username that ordered and paid for the attack; the target Internet address; the method of attack; the Internet address of the vDOS user at the time; the date and time the attack was executed; and the browser user agent string of the vDOS user.”

Feedback:

Round Up:

The post OpSec for Script Kiddies | TechSNAP 285 first appeared on Jupiter Broadcasting.