Monthly Archives: December 2017

Alleged “Call of Duty” swatter arrested in LA after fatal shooting

A 25-year-old man has been arrested in Los Angeles in connection with a recent swatting incident in Wichita, Kansas.

According to investigative cybersecurity journalist Brian Krebs, who has been the victim of swatting attacks himself from crooks he has outed on his blog, this incident “reportedly originated over a $1.50 wagered match in the online game Call of Duty.”

“Swatting” involves calling the emergency services and quite deliberately making a false report of a violent incident at someone else’s address so that armed police turn up and storm the place, believing that a serious crime is in progress.

The word comes from the abbreviation SWAT, short for Special Weapons And Tactics, the name given to law enforcement teams that are dispatched to respond to this sort of incident.

At the very best, the outcome of a hoax “swat” call is that the victim suffers a traumatic experience from being confronted by armed police.

Sadly, however, the result was much worse in the recent Kansas incident: a man at the property was shot and killed by mistake in the course of the raid.

As Krebs explains it:

It appears that the dispute and subsequent taunting originated on Twitter. One of the parties to that dispute — allegedly using the Twitter handle “SWauTistic” — threatened to swat another user who goes by the nickname “7aLeNT”. @7aLeNT dared someone to swat him, but then tweeted an address that was not his own.

Swautistic responded by falsely reporting to the Kansas police a domestic dispute at the address 7aLenT posted, telling the authorities that one person had already been murdered there and that several family members were being held hostage.

Police in Wichita, Kansas, have published the audio of the swatting call, during which a male voice can be heard saying:

(Caller) There was an argument with my mom and dad [. . .] They were arguing and I shot him in the head and he’s not breathing any more [. . .] (Dispatcher) Do you have any weapons on you? […] (Caller) Yeah, I do […] a handgun.

Later on, the caller claims to be pointing the gun at his mother and his little brother “to make sure they stay in the closet.”

When the dispatcher asks if he’ll give up the gun, he replies that “if you guys are going to send someone round here, I’m definitely not going to put it away,” and warns the dispatcher that he’s doused the house with gasoline (petrol) and might set it on fire.

Krebs goes on to describe how someone claiming to be the perpetrator made online contact with him shortly after the incident; Krebs ascertained that his anonymous contact seemed to have a history of making fake bomb threats and falsely calling armed police to other people’s houses.

According to Krebs, this person told him that “bomb threats are more fun and cooler than swats in my opinion and I should have just stuck to that.”

If the suspect arrested in LA turns out to be the guilty party in this tragic escalation of a Twitter argument, he may have cause to change his mind about how “cool” such behaviour really is.

Our thoughts go out to the family of the innocent victim in this sordid saga.


from Naked Security – Sophos http://bit.ly/2CdF2tm
via IFTTT

Browser data leakage bug – Mozilla to delete info just in case

Mozilla published an unexpected security patch this week, bumping Firefox up to version 57.0.3.

(You probably weren’t expecting a browser update between Christmas and New Year, but it’s good to know that security fixes don’t take second place in holiday season.)

The bug is officially numbered Bug 1427111, and the good news is that this wasn’t a vulnerability that gave crooks the ability to launch an attack, implant malware, or rootle around for personal data on your hard disk.

It was, however, an ironic bug: if Firefox hit a bug and crashed, it could then hit another bug and upload crash report data even if you’d told it not to.

Technically, this counts as data leakage, but because the data was sent directly from your browser to Mozilla’s servers, rather than to somewhere unknown or unpredictable, we’ll accept that the risk was modest:

Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in

As bugs go, this one doesn’t sound terribly serious – not least because many users have Mozilla’s crash reporting turned on anyway, as a way of helping the development team.

You can check your own settings on the about:preferences#privacy page, in the section about data collection:

However, as Mozilla notes, there is a small risk of personal data escaping in a crash report, not least because the information uploaded comes from the memory space of a program that has already misbehaved by crashing in the first place:

[W]e need to be mindful that crash dumps contain the contents of the crashing tab. With low frequency they may contain private or identifying information.

That’s why some users (we’re amongst that number) err on the side of caution and deliberately turn off crash reporting, for all that it might benefit the community to have it enabled.

And therein lies a dilemma for Mozilla: the organisation may already have collected data that wasn’t supposed to be uploaded, something that this update can’t reach back in time and fix.

Worse still for Mozilla, it can’t now tell which crash dump data was collected on account of the bug, and which of it was collected with consent.

Mozilla has therefore said it aims to get rid of information it’s not sure it ought to have collected, writing that “[o]ur goal is to have this data deleted in the next ten days”.

We think that’s a silver lining to this bug.

After all, we’ve seen mailing lists ask for ten days to remove us from their address database when we’ve unsubscribed – and that includes mailing lists that didn’t ask for permission to add us in the first place – without even offering to remove anything else they might know about us at the same time.

What to do?

  • To check that Firefox is up to date, and to trigger an update if it isn’t, just go to the About Firefox menu option.
  • To revisit your chosen settings for crash reports, put the special URL about:preferences#privacy into the address bar.


from Naked Security – Sophos http://bit.ly/2q3vU57
via IFTTT

Kansas Man Killed In ‘SWATting’ Attack

A 28-year-old Kansas man was shot and killed by police officers on the evening of Dec. 28 after someone fraudulently reported a hostage situation ongoing at his home. The false report was the latest in a dangerous hoax known as “swatting,” wherein the perpetrator falsely reports a dangerous situation at an address with the goal of prompting authorities to respond to that address with deadly force. This particular swatting reportedly originated over a $1.50 wagered match in the online game Call of Duty. Compounding the tragedy is that the man killed was an innocent party who had no part in the dispute.

The following is an analysis of what is known so far about the incident, as well as a brief interview with the alleged and self-professed perpetrator of this crime.

It appears that the dispute and subsequent taunting originated on Twitter. One of the parties to that dispute — allegedly using the Twitter handle “SWauTistic” — threatened to swat another user who goes by the nickname “7aLeNT”. @7aLeNT dared someone to swat him, but then tweeted an address that was not his own.

Swautistic responded by falsely reporting to the Kansas police a domestic dispute at the address 7aLenT posted, telling the authorities that one person had already been murdered there and that several family members were being held hostage.

Image courtesy @mattcarries

A story in the Wichita Eagle says officers responded to the 1000 block of McCormick and got into position, preparing for a hostage situation.

“A male came to the front door,” Livingston said. “As he came to the front door, one of our officers discharged his weapon.”

“Livingston didn’t say if the man, who was 28, had a weapon when he came to the door, or what caused the officer to shoot the man. Police don’t think the man fired at officers, but the incident is still under investigation, he said. The man, who has not been identified by police, died at a local hospital.

“A family member identified that man who was shot by police as Andrew Finch. One of Finch’s cousins said Finch didn’t play video games.”

Not long after that, Swautistic could be seen on Twitter saying he could see on television that the police had fallen for his swatting attack. When it became apparent that a man had been killed as a result of the swatting, Swautistic tweeted that he didn’t get anyone killed because he didn’t pull the trigger (see image above).

Swautistic soon changed his Twitter handle to @GoredTutor36, but KrebsOnSecurity managed to obtain several weeks’ worth of tweets from Swautistic before his account was renamed. Those tweets indicate that Swautistic is a serial swatter — meaning he has claimed responsibility for a number of other recent false reports to the police.

The recent hoaxes he’s taken credit for include a false report of a bomb threat at the U.S. Federal Communications Commission (FCC) that disrupted a high-profile public meeting on the net neutrality debate. Swautistic also has claimed responsibility for a hoax bomb threat that forced the evacuation of the Dallas Convention Center, and another bomb threat at a high school in Panama City, Fla., among others.

After tweeting about the incident extensively this afternoon, KrebsOnSecurity was contacted by someone in control of the @GoredTutor36 Twitter account. GoredTutor36 said he’s been the victim of swatting attempts himself, and that this was the reason he decided to start swatting others.

He said the thrill of it “comes from having to hide from police via net connections.” Asked about the FCC incident, @GoredTutor36 acknowledged it was his bomb threat. “Yep. Raped em,” he wrote.

“Bomb threats are more fun and cooler than swats in my opinion and I should have just stuck to that,” he wrote. “But I began making $ doing some swat requests.”

Asked whether he feels remorse about the Kansas man’s death, he responded “of course I do.”

But evidently not enough to make him turn himself in.

“I won’t disclose my identity until it happens on its own,” the user said in a long series of direct messages on Twitter. “People will eventually (most likely those who know me) tell me to turn myself in or something. I can’t do that; though I know its [sic] morally right. I’m too scared admittedly.”

ANALYSIS

As a victim of my own swatting attack back in 2013, I’ve been horrified to watch these crimes only increase in frequency ever since — usually with little or no repercussions on the part of the person or persons involved in setting the schemes in motion. Given that the apparent perpetrator of this crime seems eager for media attention, it seems likely he will be apprehended soon. My guess is that he is a minor and will be treated with kid gloves as a result, although I hope I’m wrong on both counts.

Let me be crystal clear on a couple of points. First off, there is no question that police officers and first responders across the country need a great deal more training to bring the number of police shootings way down. That is undoubtedly a giant contributor to the swatting epidemic.

Also, all police officers and dispatchers need to be trained on what swatting is, how to spot the signs of a hoax, and how to minimize the risk of anyone getting harmed when responding to reports about hostage situations or bomb threats. Finally, officers of the peace who are sworn to protect and serve should use deadly force only in situations where there is a clear and immediate threat. Those who jump the gun need to be held accountable as well.

But that kind of reform isn’t going to happen overnight. Meanwhile, knowingly and falsely making a police report that results in a SWAT unit or else heavily armed police response at an address is an invitation for someone to get badly hurt or killed. These are high-pressure situations and in most cases — as in this incident — the person opening the door has no idea what’s going on. Heaven protect everyone at the scene if the object of the swatting attack is someone who is already heavily armed and confused enough about the situation to shoot anything that comes near his door.

In some states, filing a false police report is just a misdemeanor and is mainly punishable by fines. However, in other jurisdictions filing a false police report is a felony, and I’m afraid it’s long past time for these false reports about dangerous situations to become a felony offense in every state. Here’s why.

If making a fraudulent report about a hostage situation or bomb threat is a felony, then if anyone dies as a result of that phony report they can legally then be charged with felony murder. Under the doctrine of felony murder, when an offender causes the death of another (regardless of intent) in the commission of a dangerous crime, he or she is guilty of murder.

Too often, however, the perpetrators of these crimes are minors, and even when they’re caught they are frequently given a slap on the wrist. Swatting needs to stop, and unfortunately as long as there are few consequences for swatting someone, it will continue to be a potentially deadly means for gaining e-fame and for settling childish and pointless ego squabbles.

from Krebs on Security http://bit.ly/2Dw7dA3
via IFTTT

Fancy a T-shirt? Try our New Year’s #sophospuzzle crossword…

Are you working over the New Year?

Well, whatever you’re up to – but especially if you’re on sysadmin or tech support duty while the rest of us are partying – here’s a bit of fun that looks just like real work but isn’t. (Don’t let on that we said so.)

Presenting the NYE 2017 #sophospuzzle crossword:


There’s a Sophos T-shirt for the first correct solution received, and a T-shirt for one other successful solver chosen from the rest of the correct answers received in time.

The cutoff for entries to be eligible for a T-shirt is 2018-01-02T12:00T-10 (that’s noon in Hawaii on the day after New Year’s Day).

If you get stuck, try a search engine; if you’re still stuck after that, try following @NakedSecurity on Twitter, and keep your eye on the hashtag #sophospuzzle.

(All we ask is that you don’t spoil it for other people – public hints and teasers are fine, but please don’t blurt out complete answers.)

You are also welcome to email us for hints on tips@sophos.com if you don’t use Twitter, or if you want to keep your hints to yourself.

To try for a T-shirt, take a screenshot when you have finished the puzzle, and email it to us.

Please put the text SOLUTION at the start of the subject line, and let us know in the email if you’re OK with being named amongst the solvers.

You can tell us some or all of: your name, nickname, city, country and Twitter handle – or choose to stay anonymous. (We’ll only use your email address to contact you if you win a shirt – we won’t add you to any mailing lists, honest.)

Good luck with your puzzling, and, from the Naked Security team, Happy New Year!


from Naked Security – Sophos http://bit.ly/2BU19kB
via IFTTT

21st Century Oncology Faces $2.3M HIPAA Settlement Cost after Breach

Company to pay US Department of Health and Human Services over potential HIPAA violations after patient medical data was stolen by cyberthieves.

21st Century Oncology and the US Department of Health and Human Services Office for Civil Rights reached a $2.3 million settlement agreement, following a breach of the company’s network SQL database and theft of the medical data and Social Security numbers of millions of patients.

The breach at the company, which provides cancer care and radiation oncology services, is believed to have occurred as early as October 3, 2015, when attackers gained access to a remote desktop protocol from an exchange server within the company’s network. The attackers were then able to access 2.2 million patient medical records and Social Security numbers, according to the Health and Human Services (HHS) department.

The Federal Bureau of Investigation (FBI) notified 21st Century Oncology of the breach in 2015, after an FBI informant had illegally obtained the patient data from an unauthorized third party.

An investigation by the HHS Office of Civil Rights (OCR) determined that 21st Century Oncology did the following:

  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information.
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Failed to have a written business associate agreement before disclosing protected health information to third-party vendors.

As part of the company’s settlement agreement, which is designed to address potential violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules, 21st Century Oncology will develop a comprehensive corrective action plan that will include risk analysis and risk management, workforce education on policies and procedures, and an internal monitoring plan, HHS announced. The company, which filed for Chapter 11 bankruptcy protection in May, received approval of the HHS OCR settlement from the bankruptcy court on December 11.

Read more about the settlement here.


from Dark Reading – All Stories http://ubm.io/2EdRoiv
via IFTTT

Holiday Fun #3: It’s (never) too late to learn long multiplication!

So far this week we’ve looked at Question 1 and Question 2 in our holiday-fun suggestions for technodiversions you might like:

  1. Install a non-mainstream operating system. Because you can.
  2. Fool around with software you used to love. No one will know.
  3. Rewrite a well-known algorithm from scratch. Prove you can still code.

Today, it’s time to consider Question 3:

You settle down to rewrite a well-known algorithm from scratch, to prove you can still code. Which do you choose?

Modular exponentiation
Quicksort
Conway’s Game of Life

Let’s start at the beginning…

Modular exponentiation

One good reason to learn about modular exponentiation is that it’s a very handy algorithm in cryptography.

Indeed, modular exponentiation can be used to agree on a secure, secret encryption key with someone else, even if you have to use a public, insecure network for your communication. (Look for Diffie-Hellman-Merkle, also abbreviated to Diffie-Hellman or just DH.)

The trick is that modular exponents are easy – or, at least, fairly easy – to calculate, but as good as impossible to reverse.

If you remember your school mathematics, exponentiation is repeated multiplication; the inverse (the operation that gets you back where you started) is a logarithm, or log for short.

For example, 2 to the power 3 is 2×2×2, and works out to be 8 (2^3 = 8, for short); going backwards, we say that the logarithm to the base 2 of 8 is 3 (log_2 8 = 3).

In general, if b^E = Y, then log_b Y = E.

(The base is the number at the bottom – the value that gets multiplied by itself over and over – and the exponent it’s raised to is the elevated number above the base – the number of repeated multiplications you need to do.)

Calculating 2^3 in your head is easy, but working out log_2 8 is much trickier.

In fact, it’s easiest to start the other way around and use approximation: keep on multiplying 2 by itself until you hit, or get close to, the answer you’re looking for.

In cryptography, modular exponentiation complicates things still further by dividing the result after each repeated multiplication by a specially-chosen prime number, and taking the remainder, known as the modulus, like this:

Once you add the “take the remainder” step into the exponentiation process, it becomes as good as impossible to reverse the process algebraically: there’s no formula to compute a modular logarithm, so you pretty much have to try every possible input until you hit upon the solution by chance.

In general, if b^X mod P = Y, then you can quickly calculate Y given X, but there is no shortcut by which you can solve the equation backwards for X if you are given Y.

How quick is “quick”?

We glibly said above that “you can quickly calculate Y given X”, but just how quick is “quick”?

Let’s ignore the modulus part for now, and just consider the repeated multiplications, given that in cryptographic calculations we aren’t usually multiplying single-digit numbers like 2×2, but dealing with numbers that have hundreds or even thousands of digits.

Most modern computers can only multiply 64-bit values in one go, and typical IoT computers or smartcards may only be able to do calculations 32 bits or 16 bits at a time.

We need to break the multiplication down into chunks we can compute, just as you do in the old-school process of long multiplication.

Long multiplication lets you multiply big numbers such as 745×368 one digit at a time, because:

745 x 368 = 745 x (3x100 + 6x10 + 8x1)
          = 745x3x100 + 745x6x10 + 745x8x1
          = (7x100 + 4x10 + 5x1) x (3x100) + (7x100 + 4x10 + 5x1) x (6x10) + . . .
          = (7x3 x100x100 + 4x3 x10x100 + 5x3 x1x100) + . . . etc.

Multiplying by 10, 100, 1000 and so on is easy (just add the correct number of zeros onto the end), so long multiplication means you replace a single 3-digit by 3-digit multiply with nine 1-digit by 1-digit multiplies.

Here’s how to do long multiplication with pen and paper, if you’ve never seen it before:

That approach is quick enough for numbers that you might call “biggish”, but you get bogged down fast when the numbers become huge.

For example, using this algorithm to multiply together two 2048-bit prime numbers so you only work on 64 bits at a time means splitting each number into 32 chunks of 64 bits each, and therefore needs 32×32 = 1024 multiplies.

If you have a 32-bit CPU, you’ll need to do 64×64 = 4096 multiplies to produce all the intermediate results, and then do all the necessary addition operations to combine them into a multi-precision result.

In general, the complexity goes up as the square of the number of digits, which is OK for small numbers but gets sluggish quickly.
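As an added example (this is not code from the article), here is the limb-by-limb schoolbook multiply described above, written in C with 32-bit limbs so that each 32×32-bit product fits in one 64-bit word, which is the width a 32-bit CPU’s multiplier works in. It returns the number of single-limb multiplies it performed, which is exactly where the 32×32 = 1024 and 64×64 = 4096 figures above come from.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Schoolbook ("long") multiplication on 32-bit limbs, stored little-endian
   (limb 0 is the least significant). Every limb of a meets every limb of b,
   just as each digit of 745 meets each digit of 368 on paper, so the work is
   na * nb single-limb multiplies. The 32x32-bit product fits in a uint64_t.
   out must have room for na + nb limbs. Returns the multiply count. */
size_t mp_mul(const uint32_t *a, size_t na,
              const uint32_t *b, size_t nb, uint32_t *out)
{
    size_t count = 0;
    memset(out, 0, (na + nb) * sizeof out[0]);
    for (size_t i = 0; i < na; i++) {
        uint64_t carry = 0;
        for (size_t j = 0; j < nb; j++) {
            /* product + column so far + carry never exceeds 2^64 - 1 */
            uint64_t t = (uint64_t)a[i] * b[j] + out[i + j] + carry;
            out[i + j] = (uint32_t)t;   /* low 32 bits stay in this column */
            carry = t >> 32;            /* high 32 bits carry to the next */
            count++;
        }
        out[i + nb] = (uint32_t)carry;  /* this column has not been written yet */
    }
    return count;
}

/* Split a 64-bit value into two 32-bit limbs. */
static void limbs_from_u64(uint64_t v, uint32_t limbs[2])
{
    limbs[0] = (uint32_t)v;
    limbs[1] = (uint32_t)(v >> 32);
}

/* Multiply two 64-bit values limb by limb; the product needs four limbs. */
size_t mul_u64_limbs(uint64_t x, uint64_t y, uint32_t out[4])
{
    uint32_t a[2], b[2];
    limbs_from_u64(x, a);
    limbs_from_u64(y, b);
    return mp_mul(a, 2, b, 2, out);
}

/* Limb multiplies needed for two `bits`-bit operands on a CPU whose
   multiplier is `limb_bits` wide: (bits / limb_bits)^2. */
size_t schoolbook_cost(size_t bits, size_t limb_bits)
{
    size_t limbs = (bits + limb_bits - 1) / limb_bits;
    return limbs * limbs;
}

int main(void)
{
    uint32_t out[4];
    size_t n = mul_u64_limbs(745, 368, out);
    printf("745 x 368 = %u using %zu limb multiplies\n", (unsigned)out[0], n);

    /* (2^64 - 1)^2, which no single native multiply can hold */
    n = mul_u64_limbs(UINT64_MAX, UINT64_MAX, out);
    printf("(2^64-1)^2 = 0x%08x%08x%08x%08x (%zu limb multiplies)\n",
           (unsigned)out[3], (unsigned)out[2], (unsigned)out[1], (unsigned)out[0], n);
    printf("2048-bit x 2048-bit: %zu multiplies on a 64-bit CPU, %zu on 32-bit\n",
           schoolbook_cost(2048, 64), schoolbook_cost(2048, 32));
    return 0;
}
```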

Cutting down the work

Multiplication quickly becomes computationally expensive, given that doubling the lengths of the numbers involved (for example, going from 1024-bit cryptographic keys to 2048-bit keys to stay ahead of crackers) will typically quadruple the workload.

Of course, exponentiation with huge powers means lots of multiplying, so anything we can do to reduce the number of individual multiplies will help enormously.

Handily, when it comes to exponentiation, there’s a shortcut based on the fact that we aren’t multiplying together two arbitrary numbers each time – we’re multiplying by the same number (the base) over and over again.

So, we can repeatedly multiply the result of each previous multiplication with itself, instead of multiplying by the base each time:

And that’s the trick known as exponentiation-by-squaring: after N-1 loops, you reach your base to the power of 2^(N-1), rather than just to the power of N. (Above, after 4 loops we get to 5^16 on the right but only to 5^5 on the left.)

And with all the powers of 2 up to 2^(N-1), you can represent any number up to 2^0 + 2^1 + … + 2^(N-1), which just happens to be 2^N − 1, so you can represent any exponent up to 2^N − 1, and therefore you can compute your base raised to the power 2^N − 1 with at most N multiplies.

Actually, you need at most 2N multiplies, because you need N multiplies to do all the squaring, plus up to another N multiplies more to combine the various powers to get the result.

But if your exponent has 2048 bits, that means you’ll need at most 2 × log_2 2048 multiplies to get the job done, instead of naively looping round 2047 times – that’s a workload of 12/2047, or well under 1% of the effort.
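Added example, not the article’s code: the square-and-multiply loop in C on 64-bit words, with the “take the remainder” step applied after every multiply, a counter of modular multiplications performed, a naive repeated-multiply version to compare against, and the Diffie-Hellman exchange mentioned at the start of the article built on top of it. The 61-bit prime and the private exponents are constructed toy values for the demonstration; real DH uses primes of 2048 bits or more, which is where the multi-precision arithmetic above comes in.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply, then reduce: the modulus step from the article. __uint128_t
   (GCC/Clang) holds the full 128-bit product of two 64-bit values. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((__uint128_t)a * b) % m);
}

/* Left-to-right square-and-multiply: scan the exponent's bits from the top,
   squaring once per bit and multiplying by the base only when the bit is 1.
   *ops receives the number of modular multiplications performed
   (squarings + multiplies), so the saving over naive looping can be measured. */
uint64_t modexp(uint64_t base, uint64_t exp, uint64_t mod, unsigned *ops)
{
    unsigned n = 0;
    uint64_t result = 1 % mod;
    if (exp != 0) {
        int top = 63;
        while (((exp >> top) & 1) == 0) top--;   /* highest set bit */
        result = base % mod;                      /* accounts for that bit */
        for (int i = top - 1; i >= 0; i--) {
            result = mulmod(result, result, mod); n++;              /* square */
            if ((exp >> i) & 1) { result = mulmod(result, base, mod); n++; }
        }
    }
    if (ops) *ops = n;
    return result;
}

/* Naive reference: multiply by the base exp-1 times, the "looping round" way. */
uint64_t modexp_naive(uint64_t base, uint64_t exp, uint64_t mod, unsigned *ops)
{
    if (exp == 0) { if (ops) *ops = 0; return 1 % mod; }
    uint64_t result = base % mod;
    for (uint64_t i = 1; i < exp; i++) result = mulmod(result, base, mod);
    if (ops) *ops = (unsigned)(exp - 1);
    return result;
}

/* Toy Diffie-Hellman: each side publishes g^secret mod p and raises the other
   side's value to its own secret. Returns 1 if both derive the same key. */
int dh_agree(uint64_t p, uint64_t g, uint64_t a, uint64_t b, uint64_t *shared)
{
    uint64_t A = modexp(g, a, p, NULL);   /* Alice sends A = g^a mod p */
    uint64_t B = modexp(g, b, p, NULL);   /* Bob sends B = g^b mod p */
    uint64_t ka = modexp(B, a, p, NULL);  /* Alice: B^a = g^(ab) mod p */
    uint64_t kb = modexp(A, b, p, NULL);  /* Bob:   A^b = g^(ab) mod p */
    if (shared) *shared = ka;
    return ka == kb;
}

int main(void)
{
    unsigned fast, slow;
    uint64_t p = 1000000007ULL;   /* constructed prime for the demo */
    uint64_t y = modexp(5, 2048, p, &fast);
    modexp_naive(5, 2048, p, &slow);
    printf("5^2048 mod %llu = %llu: %u modular multiplies vs %u naively\n",
           (unsigned long long)p, (unsigned long long)y, fast, slow);

    uint64_t shared;   /* 2^61 - 1 is prime; exponents are constructed toy values */
    int ok = dh_agree(2305843009213693951ULL, 3, 123456789ULL, 987654321ULL, &shared);
    printf("DH shared secret agrees: %s (%llu)\n", ok ? "yes" : "no",
           (unsigned long long)shared);
    return 0;
}
```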

What next?

Unfortunately, there just wasn’t time in this article to deal with the other two algorithms in today’s quiz question, so we’ll have to ask you to wait for us to cover them some time in the New Year.

In the meantime, why not take our Holiday Fun quiz (and watch out for our New Year’s #sophospuzzle crossword, coming soon to Naked Security)?


from Naked Security – Sophos http://bit.ly/2ljkogT
via IFTTT

Sublist3r – Fast Python Subdomain Enumeration Tool

Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.

Features of Sublist3r Subdomain Enumeration Tool

It enumerates subdomains using many search engines such as:

  • Google
  • Yahoo
  • Bing
  • Baidu
  • Ask

The tool also enumerates subdomains using:

  • Netcraft
  • Virustotal
  • ThreatCrowd
  • DNSdumpster
  • ReverseDNS

Requirements of Sublist3r Subdomain Search

It currently supports Python 2 and Python 3.

– The recommended version for Python 2 is 2.7.x
– The recommended version for Python 3 is 3.4.x

The tool depends on the requests, dnspython, and argparse Python modules.

Usage of Sublist3r Subdomain Brute Force Tool

Examples

To list all the basic options and switches, use the -h switch:

To enumerate subdomains of a specific domain:

To enumerate subdomains of a specific domain and show only subdomains which have open ports 80 and 443:

To enumerate subdomains of a specific domain and show the results in real time:

To enumerate subdomains and enable the bruteforce module:

To enumerate subdomains and use specific engines such as Google, Yahoo and Virustotal:

It’s also possible to use Sublist3r as a Python module in your own scripts.

Other tools to check out are:

SubBrute – Subdomain Brute-forcing Tool
Knock v1.3b – Subdomain Enumeration/Brute-Forcing Tool
DNSRecon – DNS Enumeration Script
InstaRecon – Automated Subdomain Discovery Tool

You can download Sublist3r here:

Sublist3r-master.zip

Or read more here.

from Darknet – The Darkside http://bit.ly/2CkJhQF
via IFTTT