Information Security Newspaper | Hacking News (https://www.securitynewspaper.com), News Videos feed

TunnelCrack: Two serious vulnerabilities in VPNs discovered, had been dormant since 1996
https://www.securitynewspaper.com/2023/08/10/tunnelcrack-two-serious-vulnerabilities-in-vpns-discovered-had-been-dormant-since-1996/
Fri, 11 Aug 2023 00:16:12 +0000

The term “virtual private network,” or VPN, has become almost synonymous with online privacy and security. A VPN works by building an encrypted tunnel through which your traffic travels across the internet, so that nobody on the path can read or tamper with it. But what happens when the tool that is supposed to protect your privacy becomes a conduit for attacks? Enter TunnelCrack, a discovery that has drawn considerable attention in the security community. The research was carried out by Nian Xue of New York University, Yashaswi Malla and Zihang Xia of New York University Abu Dhabi, Christina Pöpper of New York University, and Mathy Vanhoef of KU Leuven.

A research team has disclosed two serious classes of vulnerability in VPN clients. The underlying weakness has existed since 1996 and is present in practically every VPN product on every platform. By exploiting it, an attacker can leak and read user traffic, steal information, or attack user devices.

TunnelCrack is the combined name for these two flaws. Although a VPN is designed to protect all of the traffic a user sends, the attacks bypass that protection: an adversary can use them to leak a victim's traffic, read it, steal information from it, or reach the victim's device directly. The flaws are independent of the security protocol the VPN uses. In other words, even VPNs that advertise “military grade encryption” or home-grown encryption schemes are affected, because the attacks never touch the cryptography; they simply keep traffic out of the tunnel.

The first class, which the researchers call LocalNet attacks, can be exploited when the victim connects to an untrusted Wi-Fi network. The second class, ServerIP attacks, can be exploited by a malicious Internet service provider as well as by an untrusted wireless network. Both attacks manipulate the victim's routing table so that the victim sends traffic outside the protected VPN tunnel, which lets the adversary read and intercept that data.

The researchers' demonstration video (embedded in the original article) shows three ways an attacker can abuse the vulnerabilities. First, the LocalNet vulnerability is exploited to make the target leak traffic, and the leaked traffic is used to intercept sensitive information sent to a website without adequate security, in this case the victim's username and password. Second, they show how an adversary can determine which websites a user is visiting, something a VPN is normally expected to hide. Finally, a variant of the LocalNet attack is used to stop a surveillance camera from alerting its owner to motion.

As the demonstration shows, the vulnerabilities can be exploited to trivially leak traffic and identify the websites a person is visiting. Beyond that, any data sent to a misconfigured website, or by an insecure application, can be intercepted.

Users can protect themselves by keeping their VPN software up to date. A second layer of protection is HTTP Strict Transport Security (HSTS): when a website is correctly configured with HSTS, the browser always uses HTTPS for it, so data sent to that site cannot be read or altered in transit even if it leaves the tunnel. Roughly 25 percent of websites are set up this way. Note that HSTS only takes effect after the browser has seen the site's HSTS header once (or the site is on the browser's preload list), and HTTPS protects the content of the connection, not the fact that the site was visited: DNS queries and the TLS Server Name Indication still reveal the destination. Some browsers will also warn the user when HTTPS is not used. Finally, while not always error-free, most current mobile apps use HTTPS by default and therefore benefit from the same protection.
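As an added example (my code, not code from the article or the researchers), the following C function parses a Strict-Transport-Security header value using the directive syntax of RFC 6797 and reports whether the policy is strong enough to be useful here: a max-age of at least one year (31536000 seconds, the threshold the browser preload list requires) and includeSubDomains. The sample header values are constructed; the one-year threshold is a policy choice, not something the attack depends on.

```c
#include <ctype.h>
#include <limits.h>
#include <string.h>

#define HSTS_ONE_YEAR 31536000L   /* preload-list minimum; used here as "strong" */

struct hsts_policy {
    long max_age;            /* -1 when the directive is absent or malformed */
    int  include_subdomains;
    int  preload;
};

/* Case-insensitive test that the n bytes at s equal word exactly. */
static int ci_equal(const char *s, size_t n, const char *word) {
    size_t m = strlen(word);
    if (n != m) return 0;
    for (size_t i = 0; i < m; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)word[i])) return 0;
    return 1;
}

/* Parse a max-age value, with or without RFC 6797's optional quotes.
 * Returns -1 on any syntax error (non-digits, empty value, overflow). */
static long parse_max_age(const char *s, size_t n) {
    int quoted = (n > 0 && s[0] == '"');
    if (quoted && (n < 2 || s[n - 1] != '"')) return -1;
    const char *digits = quoted ? s + 1 : s;
    const char *stop   = quoted ? s + n - 1 : s + n;
    if (digits >= stop) return -1;
    long v = 0;
    for (const char *p = digits; p < stop; p++) {
        if (!isdigit((unsigned char)*p)) return -1;
        if (v > (LONG_MAX - (*p - '0')) / 10) return -1;   /* would overflow */
        v = v * 10 + (*p - '0');
    }
    return v;
}

/* Parse a Strict-Transport-Security header value: directives separated by
 * ';', names case-insensitive, unknown directives ignored (RFC 6797 6.1). */
struct hsts_policy hsts_parse(const char *value) {
    struct hsts_policy pol = { -1, 0, 0 };
    const char *p = value;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ';') p++;
        const char *start = p;
        while (*p && *p != ';') p++;
        size_t n = (size_t)(p - start);
        while (n > 0 && (start[n - 1] == ' ' || start[n - 1] == '\t')) n--;
        if (n == 0) continue;
        const char *eq = memchr(start, '=', n);
        if (eq) {
            size_t name_len = (size_t)(eq - start);
            if (ci_equal(start, name_len, "max-age"))
                pol.max_age = parse_max_age(eq + 1, n - name_len - 1);
        } else if (ci_equal(start, n, "includeSubDomains")) {
            pol.include_subdomains = 1;
        } else if (ci_equal(start, n, "preload")) {
            pol.preload = 1;
        }
    }
    return pol;
}

long hsts_max_age(const char *value) { return hsts_parse(value).max_age; }

/* 1 when the policy lasts at least a year and covers subdomains. */
int hsts_is_strong(const char *value) {
    struct hsts_policy pol = hsts_parse(value);
    return pol.max_age >= HSTS_ONE_YEAR && pol.include_subdomains;
}
```

A short max-age (a few minutes, as some sites ship while testing) gives an attacker a window after the policy expires, and omitting includeSubDomains leaves any plain-HTTP subdomain exposed to the same traffic leak; both cases are reported as not strong.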

A second danger is that VPNs are also used to shield older or less secure protocols, not just websites. Because these attacks bypass the VPN's protection, an adversary can target any such protocol the victim uses, for example RDP, POP, FTP or telnet, which either send data in the clear or offer far weaker protection than the tunnel was providing.


LocalNet Attacks

In a LocalNet attack the adversary sets up a hostile Wi-Fi or Ethernet network and uses social engineering to get the victim to connect to it. A straightforward way to do this is to clone a well-known hotspot, such as the one offered by “Starbucks.” Once the victim connects, the attacker's network assigns the victim an IP address and a subnet that overlap with public address space, rather than the private range a real hotspot would use. The original article illustrates this with a diagram (not reproduced here) in which the adversary's goal is to intercept traffic to the website target.com.

In that illustration target.com has the IP address 1.2.3.4. To intercept traffic to it, the adversary tells the victim that the local network uses the subnet 1.2.3.0/24, that is, that the addresses 1.2.3.1 through 1.2.3.254 are directly reachable on the local network. VPN clients normally install a route that keeps local-network traffic out of the tunnel, so when the victim now browses to target.com the web request to 1.2.3.4 matches that local route and is sent outside the protected VPN tunnel, unprotected as far as the VPN is concerned.

By assigning larger subnets to the local network, an adversary can leak practically all of the victim's traffic. And although the main purpose of a LocalNet attack is to pull traffic out of the VPN tunnel, it can also be used to block selected traffic while the VPN stays connected.

ServerIP Attacks

To carry out a ServerIP attack, the attacker must be able to spoof DNS responses before the VPN is activated and must be able to observe traffic to the VPN server. As with LocalNet, operating a hostile Wi-Fi or Ethernet network is one way to get into this position. A malicious ISP, or a compromised core Internet router, can also mount the attack.

The basic idea is that the attacker impersonates the VPN server by spoofing its IP address. Suppose the VPN server is identified by the hostname vpn.com and its real address is 2.2.2.2; the attacker can forge the DNS answer so that vpn.com resolves to a different address. In the article's diagram (not reproduced here), the adversary's goal is to intercept traffic to target.com, which has the IP address 1.2.3.4.

The attacker first forges the DNS reply for vpn.com so that it returns 1.2.3.4, the address of target.com. In other words, to leak traffic towards a given IP address, you make the VPN hostname resolve to that address. The victim then connects to what it believes is the VPN server at 1.2.3.4. The adversary forwards this traffic to the real VPN server at 2.2.2.2, so the victim still completes the VPN handshake successfully despite having used the wrong address. The VPN client, as clients normally do, also installs a routing rule so that all traffic to the server address, now 1.2.3.4, is sent outside the VPN tunnel; without such a rule the client's own encrypted packets to the server would be routed back into the tunnel.

Now, whenever the victim browses to target.com, the web request to 1.2.3.4 matches the server-exception rule and is sent outside the tunnel. That rule exists so that packets already encrypted for the VPN server are not encrypted a second time, but here it applies to ordinary traffic, so the web request is exposed.
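The two attacks above come down to which route wins the longest-prefix match on the victim's host. The following added example (my code, not the researchers' or any VPN vendor's) simulates a VPN client's routing table in C: a default route into the tunnel plus the two exceptions every client installs, the local subnet learned from DHCP and the VPN server address learned from DNS. It then runs the honest case, the LocalNet case (the hotspot claims the LAN is 1.2.3.0/24) and the ServerIP case (vpn.com resolves to 1.2.3.4) from the article's illustration, and shows one hardening choice: refusing a local-network exception that lies outside the RFC 1918 private ranges. The interface names tun0 and wlan0, the table layout and that hardening rule are assumptions; the addresses are the article's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ROUTES 8

struct route {
    uint32_t    prefix;  /* network address, host byte order */
    int         plen;    /* prefix length, 0..32 */
    const char *iface;   /* "tun0" = VPN tunnel, "wlan0" = physical NIC (assumed names) */
};

struct rtable { struct route r[MAX_ROUTES]; int n; };

/* Dotted-quad IPv4 to host byte order; returns 0 on malformed input. */
static int parse_ip(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static uint32_t mask_for(int plen) {
    return plen <= 0 ? 0u : (plen >= 32 ? 0xFFFFFFFFu : 0xFFFFFFFFu << (32 - plen));
}

static void add_route(struct rtable *t, const char *net, int plen, const char *iface) {
    uint32_t p;
    if (t->n >= MAX_ROUTES || !parse_ip(net, &p)) return;
    t->r[t->n].prefix = p & mask_for(plen);
    t->r[t->n].plen   = plen;
    t->r[t->n].iface  = iface;
    t->n++;
}

/* Longest-prefix match, as the kernel does. Returns the egress interface or NULL. */
const char *egress_for(const struct rtable *t, const char *dst_ip) {
    uint32_t dst; const char *best = NULL; int best_len = -1;
    if (!parse_ip(dst_ip, &dst)) return NULL;
    for (int i = 0; i < t->n; i++) {
        const struct route *r = &t->r[i];
        if ((dst & mask_for(r->plen)) == r->prefix && r->plen > best_len) {
            best_len = r->plen; best = r->iface;
        }
    }
    return best;
}

/* RFC 1918 check: the whole local prefix must sit inside one private range. */
int is_private_v4(const char *net, int plen) {
    uint32_t p;
    if (!parse_ip(net, &p)) return 0;
    return (plen >= 8  && (p & mask_for(8))  == 0x0A000000u)    /* 10.0.0.0/8     */
        || (plen >= 12 && (p & mask_for(12)) == 0xAC100000u)    /* 172.16.0.0/12  */
        || (plen >= 16 && (p & mask_for(16)) == 0xC0A80000u);   /* 192.168.0.0/16 */
}

/* Table a typical VPN client ends up with: everything via the tunnel, except
 * the local subnet (from DHCP) and the VPN server address (from DNS).
 * With hardened != 0, a local subnet outside RFC 1918 is refused (assumed mitigation). */
void build_table(struct rtable *t, const char *local_net, int local_plen,
                 const char *server_ip, int hardened) {
    t->n = 0;
    add_route(t, "0.0.0.0", 0, "tun0");
    if (!hardened || is_private_v4(local_net, local_plen))
        add_route(t, local_net, local_plen, "wlan0");   /* local-network exception */
    add_route(t, server_ip, 32, "wlan0");               /* VPN-server exception */
}

/* 1 if traffic to dst would leave the host outside the tunnel. */
int leaks_in(const char *local_net, int local_plen, const char *server_ip,
             int hardened, const char *dst) {
    struct rtable t;
    build_table(&t, local_net, local_plen, server_ip, hardened);
    const char *e = egress_for(&t, dst);
    return e != NULL && strcmp(e, "tun0") != 0;
}

int main(void) {
    /* Honest hotspot: LAN 192.168.1.0/24, vpn.com really resolves to 2.2.2.2 */
    printf("honest   -> 1.2.3.4 leaks: %d\n", leaks_in("192.168.1.0", 24, "2.2.2.2", 0, "1.2.3.4"));
    /* LocalNet: the attacker's DHCP claims the LAN is 1.2.3.0/24 */
    printf("LocalNet -> 1.2.3.4 leaks: %d\n", leaks_in("1.2.3.0", 24, "2.2.2.2", 0, "1.2.3.4"));
    printf("LocalNet, RFC1918-only client: %d\n", leaks_in("1.2.3.0", 24, "2.2.2.2", 1, "1.2.3.4"));
    /* ServerIP: spoofed DNS makes vpn.com resolve to 1.2.3.4 */
    printf("ServerIP -> 1.2.3.4 leaks: %d\n", leaks_in("192.168.1.0", 24, "1.2.3.4", 0, "1.2.3.4"));
    printf("ServerIP, RFC1918-only client: %d\n", leaks_in("192.168.1.0", 24, "1.2.3.4", 1, "1.2.3.4"));
    return 0;
}
```

The last line of output is the important one: restricting the local-network exception stops LocalNet but does nothing against ServerIP, because the server exception is a /32 for whatever address DNS returned. Closing that hole needs the client to bind the exception to a server it has actually authenticated, which is what the vendor patches discussed below address.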

The study found the built-in VPN clients of Windows, macOS and iOS to be vulnerable. Android 12 and later is not affected. A large share of Linux-based VPNs are also vulnerable. The researchers further found that most OpenVPN profiles identify the VPN server by hostname rather than by IP address, which, when used with a vulnerable client, enables the ServerIP attack.

To protect users, the researchers worked with CERT/CC and several VPN vendors to develop and release updates during a coordinated disclosure period of ninety days. Mozilla VPN, Surfshark, Malwarebytes, Windscribe (which can import OpenVPN profiles) and Cloudflare's WARP are examples of VPNs that have been patched. If no update is available for your VPN yet, you can block the LocalNet attack by disabling local network access in the VPN client. Making sure the websites you use are served over HTTPS, which most websites now support, further reduces the risk.

How to easily hack TP-Link Archer AX21 Wi-Fi router
https://www.securitynewspaper.com/2023/08/01/how-to-easily-hack-tp-link-archer-ax21-wi-fi-router/
Tue, 01 Aug 2023 23:16:14 +0000

TP-Link has released a fix for a severe vulnerability in its Archer AX21 router. The flaw could allow attackers to take control of the device and execute arbitrary commands.

The vulnerability, tracked as CVE-2023-31710, is a heap-based buffer overflow in the router's /usr/lib/libtmpv2.so component. It was discovered and fully disclosed by the security researcher Xiaobye, which allowed TP-Link to develop a fix quickly. The root cause is missing input validation of the content_length field, which states the length of the data carried in a TMP packet. Because the router uses this attacker-controlled value without checking it against the bytes actually received or the size of the receiving buffer, a crafted request can overflow the heap and lead to command execution. The problem is made worse by the fact that Archer routers have only an ‘admin’ user with full root access, so an attacker who achieves command execution takes complete control of the router.
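The article gives the root cause but not the packet layout, so the following added example (my code, not TP-Link's firmware or Xiaobye's exploit) shows the bug class in C with an assumed layout: a hypothetical TMP header of a 2-byte type and a 4-byte big-endian content_length, followed by the content, which the receiver copies into a 256-byte heap buffer. The unchecked parser mirrors the described flaw; the checked one adds the two comparisons that close it. The sample packets are constructed inline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TMP_HDR_LEN     6     /* assumed: 2-byte type + 4-byte content_length */
#define TMP_MAX_CONTENT 256   /* assumed size of the heap buffer the content lands in */

struct tmp_packet {
    uint16_t type;
    uint32_t content_length;
    uint8_t *content;          /* heap buffer of TMP_MAX_CONTENT bytes */
};

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable shape: content_length comes straight from the packet and is used
 * as the copy size with no check against the buffer or the bytes received.
 * A value above TMP_MAX_CONTENT writes past the heap allocation (and reads
 * past the input). Kept for contrast only; never call it on untrusted input. */
int tmp_parse_unchecked(const uint8_t *buf, size_t len, struct tmp_packet *out) {
    if (len < TMP_HDR_LEN) return -1;
    out->type           = (uint16_t)((buf[0] << 8) | buf[1]);
    out->content_length = rd32be(buf + 2);
    out->content        = malloc(TMP_MAX_CONTENT);
    if (!out->content) return -1;
    memcpy(out->content, buf + TMP_HDR_LEN, out->content_length);   /* BUG: unbounded */
    return 0;
}

/* Hardened: the advertised length must fit both the bytes actually received
 * and the destination buffer; otherwise reject before allocating anything. */
int tmp_parse_checked(const uint8_t *buf, size_t len, struct tmp_packet *out) {
    if (len < TMP_HDR_LEN) return -1;
    uint32_t clen = rd32be(buf + 2);
    if (clen > TMP_MAX_CONTENT || clen > len - TMP_HDR_LEN) return -1;
    out->type           = (uint16_t)((buf[0] << 8) | buf[1]);
    out->content_length = clen;
    out->content        = malloc(TMP_MAX_CONTENT);
    if (!out->content) return -1;
    memcpy(out->content, buf + TMP_HDR_LEN, clen);
    return 0;
}

void tmp_free(struct tmp_packet *p) { free(p->content); p->content = NULL; }

/* Constructed packet: 4 payload bytes ("ping"), but content_length set to
 * `claimed`. Returns the parsed content_length, -1 if the parser rejected
 * the packet, or -2 if the copied content does not match the payload. */
long tmp_demo(int hardened, uint32_t claimed) {
    uint8_t pkt[TMP_HDR_LEN + 4] = { 0x00, 0x01,              /* type 1 */
                                     0, 0, 0, 0,              /* content_length, filled below */
                                     'p', 'i', 'n', 'g' };
    pkt[2] = (uint8_t)(claimed >> 24); pkt[3] = (uint8_t)(claimed >> 16);
    pkt[4] = (uint8_t)(claimed >> 8);  pkt[5] = (uint8_t)claimed;
    struct tmp_packet p = { 0, 0, NULL };
    int rc = hardened ? tmp_parse_checked(pkt, sizeof pkt, &p)
                      : tmp_parse_unchecked(pkt, sizeof pkt, &p);
    long result = rc == 0 ? (long)p.content_length : -1;
    if (rc == 0) {
        size_t cmp = p.content_length < 4 ? p.content_length : 4;
        if (memcmp(p.content, "ping", cmp) != 0) result = -2;
    }
    tmp_free(&p);
    return result;
}
```

Both parsers accept the honest packet; only the checked one rejects a packet whose header claims 65536 bytes while carrying four. The second comparison (length versus bytes received) matters as much as the first: without it a small buffer is safe but the parser still reads past the end of the input.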

Affected firmware includes Archer AX21(US)_V3_1.1.4 Build 20230219 and Archer AX21(US)_V3.6_1.1.4 Build 20230219, among others. TP-Link has released fixed firmware for these versions, Archer AX21(US)_V3_230621 and Archer AX21(US)_V3.6_230621 respectively. Affected users should update their routers as soon as possible.

Xiaobye has also published a video demonstrating exploitation of CVE-2023-31710 in his GitHub repository.

Beyond updating the firmware, harden the router further: disable administration from the WAN side, replace the default admin password with a strong, unique one, and keep automatic updates enabled where the device supports them.

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets
https://www.securitynewspaper.com/2023/07/19/us-govt-wants-new-label-on-secure-iot-devices-or-wants-to-discourage-use-of-chinese-iot-gadgets/
Wed, 19 Jul 2023 22:21:17 +0000

The US Federal Communications Commission (FCC) has proposed a security standard and label for smart devices, dubbed the “U.S. Cyber Trust Mark.” The program aims to help consumers choose smart products with a higher level of security, covering a wide variety of connected home devices such as refrigerators, microwaves, TVs and fitness trackers. The certification and labeling scheme was announced by the Biden-Harris Administration in July 2023, building on the program proposed by FCC Chairwoman Jessica Rosenworcel.

Many of the world's largest retailers, wholesalers and trade groups in the consumer electronics, home appliance and consumer goods industries have voluntarily committed to improving the cybersecurity of the products they sell. Amazon, Best Buy, Google, LG Electronics USA, Logitech and Samsung Electronics are among the manufacturers and retailers that announced their support. If the program is implemented as planned, products that meet defined cybersecurity standards would carry a distinctive shield logo, the “U.S. Cyber Trust Mark,” visible to shoppers. The goal is to give consumers the information they need to judge the risk posed by the devices they bring into their homes.

The FCC, under its authority to regulate wireless communication devices, will seek public comment on the proposed voluntary labeling scheme, which is expected to be operational in 2024. Under the current plan, certification and labeling would be carried out through stakeholder-led efforts against cybersecurity criteria published by the National Institute of Standards and Technology (NIST), which among other things call for unique and strong default passwords, data protection, software updates and incident detection capabilities.

The administration, including the Cybersecurity and Infrastructure Security Agency, will support the FCC in educating consumers to look for the new label when buying devices and in encouraging large U.S. retailers to give labeled products more prominence on store shelves and online.

The FCC plans to give consumers detailed, comparable security information about these devices through a QR code linking to a national registry of certified devices. The Commission intends to put oversight and enforcement safeguards in place to preserve trust in the program, working with other regulators including the U.S. Department of Justice.

NIST will begin work on cybersecurity criteria for consumer-grade routers, a higher-risk category of device that, once compromised, can be used to eavesdrop, steal passwords and attack other devices and high-value networks. NIST expects to complete this work by the end of 2023, after which the Commission can decide whether to adopt the criteria and extend the labeling program to routers.

The U.S. Department of Energy (DOE) also announced a collaborative effort with the National Labs and industry partners to research and develop cybersecurity labeling requirements for smart meters and power inverters, both key components of a clean, smart grid. The U.S. Department of State is committed to supporting the FCC in engaging allies and partners to harmonize standards and pursue mutual recognition of similar labeling efforts internationally.

Participants in the announcement include Amazon, Best Buy, Carnegie Mellon University's CyLab, Cisco Systems, the Connectivity Standards Alliance, the Consumer Technology Association, Consumer Reports, Google, Infineon, the Information Technology Industry Council, the ioXt Alliance, Keysight, LG Electronics U.S.A., Logitech, OpenPolicy, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S.

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022
https://www.securitynewspaper.com/2022/06/20/24649096027-24-65-billion-account-usernames-and-passwords-have-been-leaked-by-cyber-criminals-till-now-in-2022/
Mon, 20 Jun 2022 16:19:45 +0000

Credential abuse only happens to CEOs, the very rich, or employees of Fortune 500 companies, right? No. It happens everywhere, and compromised usernames and passwords are what enable cyber criminals to carry out account takeover (ATO) attacks. As of this year, 24,649,096,027 account usernames and passwords have been leaked by threat actors. That is a number that should shake the security community to its core. Yet despite this figure, which grows every year, and the stream of reports on the risk of insecure credentials, you still have a friend, a colleague or a boss who is carefully typing 123456 into a password field right now.

The Digital Shadows team collated more than 24 billion leaked credentials from the dark web, a 65 percent increase over 2020, likely driven by better tooling for stealing credentials (new ransomware, dedicated info-stealing malware and phishing sites) and by wider sharing of stolen credentials. Of these, approximately 6.7 billion were unique username-and-password pairs, meaning the combination was not duplicated in any other database. That is 1.7 billion more unique pairs than in 2020, which shows how fast entirely new credential combinations are being breached.

The most common password, 123456, accounted for 0.46 percent of the 6.7 billion unique credentials, and the top 100 passwords for 2.77 percent. Information-stealing malware and ransomware remain a major threat to credential security; some of this malware sells for as little as $50, while other kits go for thousands depending on features.

Cybercriminal marketplaces and dark web forums are the main venues for buying and selling stolen credentials. Companies whose data has been leaked have been notified, but little can be done at that stage. Subscription services have also appeared on the dark web, offering a premium way to buy stolen credentials. Prices depend on the age of the account, the reputation of seller and buyer, and the size of the data set on offer; some sellers provide sample data to corroborate its authenticity, and certain account types, such as cryptocurrency accounts, command higher prices.

Once credentials have been obtained, free, open-source credential stuffing and password cracking tools give criminals everything they need for a sophisticated attack. Offline tools usually give the best cracking results. According to cyber security awareness training experts, 49 of the top 50 most commonly used passwords could be cracked in less than a second. Adding a special character to a basic ten-character password adds about 90 minutes to that time, and two special characters push the offline cracking time to around 2 days and 4 hours.

The actors behind these attacks are financially motivated criminals, state-sponsored groups and ideologically motivated actors (hacktivists such as Anonymous), all of whom have used ATO as a conduit for their activity in 2022, including several attacks by the data-extortion group Lapsus$. According to cyber security awareness training experts, until passwordless authentication becomes mainstream, the best ways to reduce the likelihood and impact of account takeover remain simple controls and user education: multi-factor authentication, password managers, and long, unique passwords.

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]
https://www.securitynewspaper.com/2021/08/23/how-chinese-apt-hackers-stole-lockheed-martin-f-35-fighter-plane-to-develop-its-own-j-20-stealth-fighter-aircraft-video/
Mon, 23 Aug 2021 23:10:26 +0000

According to a recent security report, the Chinese government has resorted to hacking, cyberwarfare and corporate espionage to advance its ambitious defense program, compromising the systems of firms such as Lockheed Martin to obtain classified information for its own use.

Writer Peter Suciu argues that China is an actor to be taken seriously, especially on military matters. This is not the first such report: since 2019 the Pentagon has accused the Chinese military of resorting to what it calls “cyber theft” and other methods to achieve major military improvements.

The story goes back to 2007, when Lockheed Martin discovered that a Chinese hacking group had been stealing technical documents related to the F-35 program. A similar theft occurred when attackers working for Beijing compromised the network of an Australian subcontractor on the F-35 program.

These reports have led experts to conclude that China acquired a wealth of crucial information for its own programs, including the development of the Chinese J-20 fighter, also known as “Mighty Dragon.” Suciu himself claims that the aircraft could not have been built without the information stolen from Lockheed Martin.

In connection with these reports, Business Insider published an analysis of the clear similarities in appearance and engineering between the American aircraft and the Chinese one. It notes not only the resemblance of the airframes but also that the Chinese sensor suite is virtually identical to the electro-optical targeting system Lockheed Martin fitted to the F-35 Lightning II, which it presents as further evidence of espionage against the company.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Nigeria spends more than any other African country in spying its citizens
https://www.securitynewspaper.com/2021/08/18/nigeria-spends-more-than-any-other-african-country-in-spying-its-citizens/
Wed, 18 Aug 2021 22:47:03 +0000

Although the story first broke a few years ago, Israeli firm NSO Group and its Pegasus spyware are back in the headlines after Amnesty International published a report stating that governments in dozens of countries had bought the company's services to keep political rivals, journalists, activists and dissidents under close surveillance.

One of the main revelations is a leaked list of 50,000 phone numbers identified as potential Pegasus targets since 2016. Not everyone on the list was actually infected, but the list indicates that countries such as Nigeria, Saudi Arabia, India and Morocco are among NSO Group's top customers worldwide.

State intelligence agencies such as the U.S. National Security Agency (NSA) had previously built advanced systems to gather information for specific purposes from all kinds of sources, chiefly online search logs and social media activity. NSO Group raised the stakes with Pegasus, a powerful spyware capable of extracting almost everything from a compromised device: text messages, documents, images, videos and system information.

The tool was developed for national security purposes, but that did not stop the rulers of several countries from using Pegasus for unrelated ends. In Nigeria's case, the tool was used for years to compile lists of people critical of the government, extending to the harassment of activists and political opponents.

The company issued a statement categorically denying that its products are designed to spy on people of interest, adding that the allegations rest on unconfirmed theories from sources of questionable reliability.

Still, NSO Group appears to contradict itself by not denying possible abuses of the technology and pledging to investigate the allegations: “We will analyze the credible allegations about the abusive use of our solutions and act according to the results obtained. Among the possible consequences is the interruption of access provided to certain customers; we have done this in the past and we will not hesitate to implement it again,” the company said in a brief statement.


How to Hack Bank’s Voice Recognition System – Voice Biometrics with DeepFake Voice Cloning
https://www.securitynewspaper.com/2021/06/14/how-to-hack-banks-voice-recognition-system-voice-biometrics-with-deepfake-voice-cloning/
Mon, 14 Jun 2021 07:09:12 +0000

In recent years, speaking to voice interfaces has become a normal part of life: we talk to voice assistants in our cars, smartphones and smart devices, and increasingly to our banks over the phone. More banks around the world are using voice biometrics to match a caller's voice against a stored voiceprint and verify the customer's identity in seconds. The system captures the caller's voice and compares its characteristics with those of a voiceprint created at enrolment; if they match, the software confirms that the speaker is the customer registered against that voiceprint. After enrolment, the customer calls the bank, enters an account, customer ID or card number, and repeats a phrase such as “My voice is my password” or “My voice is my signature” to gain access to telephone banking.

According to the various bank websites, voice biometrics is very secure: like a fingerprint, the voice is unique. But threat actors can use voice biometric spoofing attacks, also known as voice cloning or deepfakes, to break into people’s bank accounts. These are presentation attacks that use recorded voice, computer-altered voice or synthetic voice (voice cloning) to fool the voice biometric system into believing it hears the real, authorized user, so that it grants access to sensitive information and accounts. In simple words, they clone the voice of a bank customer by artificially simulating it.

According to Atul Narula, a cyber security expert, today’s AI systems are capable of generating synthetic speech that closely resembles a targeted human voice. In some cases, the difference between the real and fake voice is imperceptible. Threat actors not only target public figures including celebrities, politicians and business leaders, but the reality is they can target anyone who has a bank account. They can use online videos, speeches, conference calls, phone conversations and social media posts to gather the data needed to train a system to clone a voice.

Cyber criminals are using a new breed of phishing scams that exploit the fact that a victim believes they are talking to someone they trust. Last year, a UK-based CEO was tricked into transferring more than $240,000 based on a phone call that he believed was from his boss. These cyber criminals, armed with voice clones, are using phone calls and voicemail. And the attacks aren’t just threatening businesses: in a new breed of the “grandma scam”, cyber criminals pose as family members who need emergency funds.

Cyber criminals have also started using deepfake voices to spread misinformation and fake news. Imagine somebody publishing a fake voice call of a public figure to sway public opinion, or consider how manipulated statements by executives or public figures could affect the stock market. Recently, some people appeared to be using deepfake technology to imitate members of the Russian political class, mainly from the opposition to Vladimir Putin’s government, in fake video calls with representatives of European parliaments.

Deepfakes are also being used to create fake evidence that affects criminal cases, or to blackmail people with manipulated video and audio that shows them doing or saying things they never did or said.

HOW IS DEEP FAKE VOICE CLONING DONE?

Today, artificial intelligence and deep learning are advancing the quality of synthetic speech. With as little as a few minutes of recorded voice, developers can train an AI voice model that can read any text in the target’s voice.

According to Atul Narula, a cyber security expert from the International Institute of Cyber Security, there are a variety of AI tools which enable virtually any voice to be cloned. Some of these are:

SV2TTS Real Time Voice Cloning, Resemblyzer and WaveRNN

There are some good free tools, like Real Time Voice Cloning, Resemblyzer and WaveRNN, which allow voice cloning with pre-trained models. While these can be used to generate speech from arbitrary text in one of a few hundred voices, they can also be fine-tuned to generate speech in an arbitrary voice from arbitrary text.

Resemble.AI 

Allows custom AI-generated voices to be created from a speech source. It creates realistic text-to-speech voices with just 5 minutes of sample voice. You can try it for free.

iSpeech 

It is a high-quality text-to-speech and speech recognition tool. You can generate anybody’s voice in 27 languages.

Descript – Overdub – Lyrebird AI 

Allows creating a digital voice that sounds like you from just a small audio sample. It has a free plan that allows generating 3 hours of speech.

Vera Voice

It uses machine-learning technology to create super realistic voice clones of any person. They claim that they need just an hour of audio data to train neural networks to generate a new voice.

Google’s Tacotron – Wavenet

These systems from Google can generate speech that mimics any human voice and sounds more natural. They need text and sample voice data to generate a human-like voice.

Although voice samples are difficult to obtain, cyber criminals use social media to obtain them.

It’s important to note that these tools were not created for the purpose of fraud or deception, Atul Narula mentions. But the reality is that businesses and consumers need to be aware of the new threats associated with online AI voice cloning software.

Banks are forcing customers to activate voice biometrics. Banks use different phrases, like “my voice is my password” or “my voice is my signature”. To verify their identity, users have to enter their account number, customer ID or 16-digit card number, plus their voice authentication phrase. An account number is more or less public: it is printed in the cheque book, and threat actors can simply ask someone for their account number under the pretext of depositing some amount, and people will happily give it out.

There are three scenarios someone could use to hack into the voice authentication systems used by many banks.

  • In the first scenario, someone calls you to sell something and steers you into using certain words during the call, like “Yes”, “My Voice”, “Signature”, “Password”, “Username”, “No”, and the name of your bank. Later they assemble the phrase from those words and play the recording during a telephone banking call.
  • In the second scenario, someone calls you and asks you to repeat the entire phrase “my voice is my signature”, and later plays the recording during a telephone banking call.
  • In the third scenario, someone calls you and records a sample of your voice, and then uses the deepfake AI tools mentioned above to generate the complete phrase or the missing words. These tools are not perfect yet, but they can generate a voice similar to yours, and with a sample of just a few minutes they can generate the phrase.

Using these three scenarios, a cyber security expert from the International Institute of Cyber Security recorded a call and later, with the help of audio editing software, created the entire phrase. He then played the recorded audio during a telephone banking call. Using this technique he was easily able to break into the banks’ telephone banking sessions. He used the same technique to generate the English and Spanish phrases. It seems voice authentication systems are vulnerable to voice cloning attacks, and threat actors could break into anybody’s account with just the account number or customer ID and some social engineering to carry out any of the scenarios mentioned above. See the video for the proof of concept.

IS IT POSSIBLE TO DETECT VOICE CLONING?

Mariano Octavio, a cyber security investigator, mentions that voice cloning technology is not an evil technology. It has many positive and exciting use cases, such as:

Education: Cloning the voices of historical figures offers new opportunities for interactive teaching and dynamic storytelling in museums. 

Audiobooks: Celebrity voices can be used to narrate books and historical figures can tell their stories in their own voices. 

Assistive Technology: Voice cloning can be used to assist persons with disabilities or health issues that impact their speech. 

According to Jitender Narula, a cyber security expert from the International Institute of Cyber Security, voice anti-spoofing, also called voice liveness detection, is a technology capable of distinguishing between a live voice and a voice that is recorded, manipulated or synthetic.

For advanced voice biometrics, interactive liveness detection is used: the person is asked to say a randomly generated phrase. The current capabilities of neural networks, however, allow interactive liveness detection to be bypassed.

Experts understand the risks associated with biometric systems and are beginning to resort to a multimodal approach, in which several types of biometrics, such as facial recognition and voice recognition, are combined in the identification system.

But it seems banks don’t have this technology, as the voice authentication used by many banks can be hacked, as shown in the video.

Atul Narula mentions that there are a lot of risks associated with biometric authentication. Companies and financial institutions need to focus attention on the development of advanced deepfake detection solutions. On the other hand, we should focus on raising awareness and educating consumers of social media about the risks associated with deepfake technology.

Step by step process of hacking ATMs using black box. ATM jackpotting https://www.securitynewspaper.com/2021/05/13/step-by-step-process-of-hacking-atms-using-black-box-atm-jackpotting/ Thu, 13 May 2021 23:24:34 +0000

Attacks on street ATMs have evolved considerably, moving from physical tampering with the machines to attacks that rely on technology and advanced hacking capabilities. Recent analyses suggest that the most sophisticated current method is known as “Black Box”, based on the use of a single-board microcomputer.

This time, cybersecurity awareness specialists at the International Institute of Cyber Security (IICS) will show you the most important features of these attacks, which could lead to million-dollar losses to banking institutions. As usual, we remind you that this article was prepared for informational purposes only, so IICS is not responsible for the misuse that may be given to the information contained herein.

What’s inside an ATM?

Before we begin, it is worth recalling the composition of these machines. A typical ATM is a set of ready-to-use electromechanical components housed in a single enclosure. Manufacturers assemble the machines from a banknote dispenser, card reader and other components already developed by third-party vendors. The finished components are housed in a cabinet consisting of two compartments: an upper one (the service area) and a lower one (the safe), cybersecurity awareness specialists mention.

All electromechanical components are connected via USB and COM ports to the system unit (the ATM’s PC), which acts as the host. In older ATM models, you can also find connections via the SDC bus.

As for the evolution of attacks, threat actors previously exploited only physical weaknesses in ATMs, using devices known as skimmers to steal magnetic stripe data, card numbers or PINs. The transition to hacking techniques came with the technological advancement of the manufacturers of these machines.

According to cybersecurity awareness experts, criminals now use malware variants (banking Trojans, skimmers, backdoors) to enter the target system host via USB drives or through the abuse of a remote access port.

How does an infection occur?

After taking control of the XFS subsystem, malware can issue commands to the banknote dispenser or card reader without authorization, for a variety of purposes, from reading the information on an inserted card to extracting the confidential information stored on the card chip.

The Encrypting PIN Pad (EPP) deserves special attention. It is generally accepted that the PIN code entered into it cannot be intercepted. However, XFS allows the EPP to be used in two modes: open (for entering various numeric parameters, such as the amount to withdraw) and secure (the EPP switches to it when a PIN or encryption key has to be entered).

This XFS feature allows an attacker to launch a Man-in-the-Middle (MITM) attack: intercept the secure-mode activation command sent from the host to the EPP, and instead send the EPP a request to continue in open mode. In response, the EPP returns what is typed on it to the attacker in clear text.

How does the Black Box attack work?

Members of Europol’s cybersecurity awareness team say that, over the past few years, a steady evolution in the development of ATM malware has been detected, so cybercriminals no longer require physical access to an ATM to complete the attack.

Worse, malicious campaigns can be deployed through a vulnerable bank’s own corporate network using the Black Box attack variant. Group-IB figures indicate that, since 2016, multiple such attacks have been detected in at least ten countries in Europe.

Remote access to an ATM

Antivirus solutions, firmware update blocking, USB port blocking and hard drive encryption protect the ATM from some malware variants to some extent. But what if the attacker does not attack the host at all, but connects directly to the peripherals (via RS232 or USB): the card reader, PIN pad or cash dispenser?

First contact with Black Box

Criminals with access to the most advanced hacking resources use single-board microcomputers (such as the Raspberry Pi) to empty ATMs, in an attack technique popularly known as jackpotting. In these attacks, criminals connect their device directly to the cash dispenser to extract all the money stored in the machine. This attack is able to bypass the security software implemented on the ATM host, cybersecurity awareness specialists say.

Major ATM manufacturers and government intelligence agencies mention that hackers can steal up to forty bills every 20 seconds. Agencies also warn that the main targets of these hackers are found in pharmacies, shopping malls and stores.

At the same time, to avoid standing out on the cameras, the most cautious criminals turn to a third party known as a “mule”, who collects the stolen money and starts distributing it. The Black Box is then connected to a smartphone, which is used as a channel for transmitting commands remotely to the simplified Black Box over IP.

In cases analyzed and recorded on video, a person can be seen opening the top compartment of the ATM and simply connecting the hacking device to the machine. A little later, several people approach the ATM and withdraw huge amounts of money. The hacker then returns and recovers his little magic device.

Analysis of ATM communications

As noted above, the system unit and peripherals communicate via USB, RS232 or SDC. The attacker connects directly to the peripheral port and sends it commands, without passing through the host. It’s quite simple, because standard interfaces don’t require any specific drivers, cybersecurity awareness specialists mentioned.

On the other hand, the proprietary protocols through which the peripheral and host interact do not require authorization, so these unprotected protocols are easily sniffed and easily susceptible to replay attacks.

Attackers can use a software or hardware traffic analyzer, connecting it directly to the port of a specific peripheral device to collect the transmitted data. Using the traffic analyzer, the attacker learns all the technical details of the ATM’s operation, including undocumented functions such as changing the firmware on a peripheral device. As a result, the attacker gains full control over the ATM, and it is quite difficult to detect the presence of a traffic analyzer.

Direct control over the banknote dispenser means that the ATM cassettes can be emptied (jackpotted) without any restrictions.

How to address this problem?

ATM providers and subcontractors are developing diagnostic utilities for ATM hardware, including the electromechanics responsible for cash withdrawals. These utilities include ATMDesk and RapidFire ATM XFS. The following figure shows some of these diagnostic tools.

Access to such utilities is usually restricted with special tokens, and they only work when the ATM safe door is open. However, by simply replacing a few bytes in the utility’s binary code, a hacker can try to withdraw cash without going through the checks provided by the utility manufacturer. Thieves install these modified utilities on the single-board microcomputer, which then connects directly to the banknote dispenser.

Communications Processing Center

Direct interaction with peripherals without going through the host is just one of the most popular ATM hacking techniques. Other techniques are based on the fact that there is a wide variety of network interfaces through which the machine communicates with the outside world, from X.25 to Ethernet and cellular networks.

As if that were not enough, many ATMs can be located using the Shodan IoT search engine, which can be chained to an attack that compromises the security settings of the affected machine.

The “last mile” of communication between the ATM and the processing center involves a wide variety of technologies that can serve as an entry point for threat actors, cybersecurity awareness specialists mention.

There are wired (telephone line or Ethernet) and wireless (Wi-Fi; cellular: CDMA, GSM, UMTS, LTE) communication methods. Security mechanisms may include:

  • VPN-compatible hardware or software (both standard, integrated into the operating system, and third-party);
  • SSL/TLS (both specific to a particular ATM model and from third-party manufacturers);
  • Encryption;
  • Message authentication.

At best, the ATM connects to a VPN server and then to the processing center within the private network. However, even if banks manage to implement the above protection mechanisms, hackers already have effective attacks against these reactive measures. So even if security complies with PCI DSS, ATMs remain vulnerable.

One of the main requirements of PCI DSS is that all sensitive data must be encrypted when transmitted over a public network. However, many of these networks do not provide sufficient protection, so they don’t actually protect against major hacking variants, cybersecurity awareness experts mention.

Therefore, whether over an insecure link or within a “private” network in which ATMs are connected to one another, a MITM attack can be initiated, which lets the attacker take control of the data flows between the ATM and the processing center.

Thousands of ATMs are potentially vulnerable to this attack variant. On the path to the genuine processing center, the hacker inserts his fake one. This fake processing center instructs the ATM to dispense banknotes. At the same time, the threat actor configures the fake processing center so that cash is issued regardless of the card inserted into the ATM, even if its validity period has expired or its balance is zero.

The key is that the ATM “recognizes” the fake processing center. The fake can be purpose-built, or it can be a processing-center simulator originally designed for debugging network settings. The following figure shows a command dump instructing the ATM to issue forty banknotes from the fourth cassette, sent from a fake processing center and stored in the ATM software logs. They almost look real.
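The replay attack on the unauthenticated peripheral protocol described above and the fake processing center that simply issues dispense commands both succeed because the receiver cannot tell a genuine, fresh command from a sniffed or forged one. The following Python example is added here (it is not code from the article, from any ATM vendor, or from IICS) to show how message authentication with a shared key plus a monotonic sequence counter closes both gaps; the frame layout, field names, shared key and per-command limit are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Frame:
    """A hypothetical dispense command frame (layout constructed for this example)."""
    seq: int        # monotonic counter chosen by the sender
    cmd: str        # command name, e.g. "DISPENSE"
    cassette: int   # which cassette to dispense from
    count: int      # how many notes
    mac: str = ""   # hex HMAC-SHA256 over the four fields above

    def signed_bytes(self) -> bytes:
        # Canonical JSON so that sender and receiver MAC identical bytes.
        body = {"seq": self.seq, "cmd": self.cmd,
                "cassette": self.cassette, "count": self.count}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(frame: Frame, key: bytes) -> Frame:
    """Sender side: attach an HMAC computed with the shared key."""
    frame.mac = hmac.new(key, frame.signed_bytes(), hashlib.sha256).hexdigest()
    return frame


class LegacyDispenser:
    """Models the unauthenticated peripheral the article describes: any frame is obeyed."""
    def __init__(self):
        self.dispensed = []

    def handle(self, frame: Frame) -> str:
        self.dispensed.append((frame.cassette, frame.count))
        return "OK"


class HardenedDispenser:
    """Accepts a frame only if its MAC verifies, its seq is fresh and it is within policy."""
    def __init__(self, key: bytes, max_notes: int = 40):
        self.key = key
        self.last_seq = 0           # highest sequence number accepted so far
        self.max_notes = max_notes  # per-command cap (hypothetical policy value)
        self.dispensed = []

    def handle(self, frame: Frame) -> str:
        expected = hmac.new(self.key, frame.signed_bytes(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, frame.mac):
            return "REJECT: bad MAC"      # forged, tampered, or signed with another key
        if frame.seq <= self.last_seq:
            return "REJECT: replay"       # already seen (or older than something seen)
        if frame.cmd != "DISPENSE" or frame.count > self.max_notes:
            return "REJECT: policy"
        self.last_seq = frame.seq
        self.dispensed.append((frame.cassette, frame.count))
        return "OK"


def run_scenarios() -> dict:
    """Replay and fake-center scenarios against both dispensers; returns the outcomes."""
    host_key = b"constructed-shared-key-for-example-only"
    attacker_key = b"attacker-does-not-know-the-real-key"

    # Constructed command mirroring the article's dump: forty notes from cassette four.
    legit = sign(Frame(seq=1, cmd="DISPENSE", cassette=4, count=40), host_key)

    # 1. Sniffed frame replayed verbatim against the unauthenticated peripheral.
    legacy = LegacyDispenser()
    legacy_first = legacy.handle(legit)
    legacy_replay = legacy.handle(legit)   # obeyed again: the article's replay attack

    # 2. The same frames against the hardened peripheral.
    hardened = HardenedDispenser(host_key)
    first = hardened.handle(legit)
    replay = hardened.handle(legit)        # same seq -> rejected

    # 3. Sniffed frame with the note count bumped; the MAC no longer matches.
    tampered = Frame(seq=1, cmd="DISPENSE", cassette=4, count=60, mac=legit.mac)
    tampered_result = hardened.handle(tampered)

    # 4. A fake processing center without the key signs its own frame.
    forged = sign(Frame(seq=3, cmd="DISPENSE", cassette=4, count=40), attacker_key)
    forged_result = hardened.handle(forged)

    # 5. The genuine next command still goes through.
    nxt = sign(Frame(seq=2, cmd="DISPENSE", cassette=1, count=5), host_key)
    next_result = hardened.handle(nxt)

    return {"legacy_first": legacy_first, "legacy_replay": legacy_replay,
            "first": first, "replay": replay, "tampered": tampered_result,
            "forged": forged_result, "next": next_result,
            "legacy_total": sum(c for _, c in legacy.dispensed),
            "hardened_total": sum(c for _, c in hardened.dispensed)}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15} {outcome}")
```

A real deployment would also need key provisioning per peripheral and a persisted counter so that a power cycle does not reset `last_seq`, neither of which the article covers.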

Conclusions

Cybersecurity awareness specialists often say that a truly protected computer is one in an iron box, not connected to any network, including the electrical one. This is true, as virtually any implementation is vulnerable, and bank assets are no exception.

Recently, the head of ATM Association International (ATMIA) stressed that the BlackBox attack is the most serious threat to ATMs, so manufacturers, banking institutions and researchers need to establish the best way to address this risk. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

HOW TO ORGANIZE A PROTEST ANONYMOUSLY: RAISE YOUR VOICE AGAINST GOVERNMENT AND PROTEST WITHOUT BEING ARRESTED https://www.securitynewspaper.com/2021/02/11/how-to-organize-a-protest-anonymously-raise-your-voice-against-government-and-protest-without-being-arrested/ Thu, 11 Feb 2021 20:23:21 +0000

Have you ever thought of raising your voice to support a cause or oppose government policies? Surely you have, but you were also worried about getting arrested by the authorities. A peaceful march is a strategic way to address and bring awareness to a cause. A successful public demonstration isn’t just random chaos: it is a planned, organized mobilization designed to effect change.

We will tell you how to organize a successful peaceful protest campaign using your phone, some basic stuff, water and a lot of lemons. But how would lemons and water get your voice heard? Watch this video till the end to know how.

Follow these steps before, during, and after a public demonstration to maximize your effectiveness and prevent yourself from getting detained by the police.

BEFORE THE DAY

This process will help you organize the public demonstration with thousands of people together.

  • Search for support on the Internet

According to data protection experts, the first step is to get together people who believe in the cause. You can gain followers for the social movement or cause by using online petitioning and crowdfunding platforms like change.org, peticiones.org, mifirma.com, etc., where users can post their requests in order to achieve high media impact and support. Also, you can use social media platforms like Twitter, Facebook, TikTok, etc. to spread your message to millions.

  • Form groups

With all this in mind, you can form groups on different social media platforms like WhatsApp or Facebook and discuss the issues that are really important. You also need to reach out to social media influencers who can help spread your voice. You don’t need to worry about government surveillance at this stage, since the main aim is to reach as many people as possible.

  • Planning the exact details 

For planning the exact details, routes and date, your group should not be using social media platforms like Facebook, Twitter or WhatsApp, as they can leave evidence.

From this step onwards we will focus on protecting privacy so that no evidence is left behind. The most effective strategy is a flash mob style movement, where people come together and disappear. The first step here is to protect your communication channels.

PROTECTING YOUR COMMUNICATION 

Data protection experts mention that you can use the following apps to communicate with fellow trusted members before and during the public demonstration, just make sure your trusted fellow members are not police informers.

  • Telegram

Telegram is a messaging app like WhatsApp but with no government surveillance. You can use a virtual number to register an account. 

  • Wickr Me

This app offers encrypted text, voice and video messages. It supports self-destructive messages. It also doesn’t require a phone number or email address to register, so it is a good choice in terms of user anonymity.

  • Signal Private Messenger

Signal is the most secure app. Your messages are not stored on the company’s servers, so they cannot be intercepted, and the information also self-destructs after a while. It even alerts you when someone takes a screenshot in the app. In 2016 the US government asked Signal for details of some accounts; as Signal limits the user metadata stored on the company’s servers, the only data they were able to provide was “the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.”

  • FireChat

This app works without the Internet and helps you connect devices via Bluetooth and WiFi, directly through peer-to-peer connections.

  • Bridgefy

Bridgefy is a messaging app similar to FireChat and works without an Internet connection. Using Bluetooth, users of this app can send messages to other people, as long as they are within a radius of up to 100 meters.

  • Briar 

The Briar app also works without the Internet. It can sync via Bluetooth or Wi-Fi, keeping the information flowing in a crisis. If the Internet is up, Briar can use the Tor network, thus protecting against surveillance.

Data protection experts also recommend other apps like Wire Secure Messenger & Threema.

The next step is to protect your phone.

PROTECTING YOUR PHONES

You will need a burner phone or a temporary phone with a prepaid sim card. Normal phone calls and text messages are vulnerable to interception. Watch our video that appears at the top corner of the screen that explains how authorities intercept calls and messages during public demonstrations.

These will help you protect your identity; just make sure you never connect a burner phone to your home Wi-Fi or to the cell phone network from your home. Also, enable full-disk encryption on your device with a strong 10-character password. It is important to note that encrypting your device will likely not encrypt external storage media such as SD or memory cards. Also turn off fingerprint unlock and Face ID: a police officer may try to physically force you to unlock your device using biometrics, which is why a strong password is advisable. If your phone is confiscated by the authorities, full-disk encryption and a password will protect the data stored on it.

The cybersecurity community and data protection specialists also advise you to turn off location services before you travel to the actual location, and leave them off until you return. Make sure that none of the members uses Google Maps to plan the route. Download offline maps like OpenStreetMap so that you don’t leave any evidence with Google, and use public transportation to reach and leave the location.

The next step is to take care of yourself.

PROTECT YOURSELF 

  • Anti-facial recognition mechanisms

You will have to consider how to deal with law enforcement surveillance, like facial recognition cameras, drones and body cams. A pair of conventional sunglasses can’t protect you against facial recognition systems, as they become transparent under infrared light. For this you can use:

  • Lasers

Lasers can actually obstruct the vision of a facial recognition camera; almost any laser will do, from the most sophisticated to the most basic.

  • Bright lenses

These include infrared LED lights that are invisible to the human eye. The light is strategically designed to illuminate the area around the user’s eyes and nose, making it impossible for cameras to detect the user’s face.

  • Reflectacles

Reflectacles are anti-facial recognition glasses. They reflect the invisible and infrared lights projected against the face, thus protecting your identity.

  • IRpair glasses

IRpair’s technology prevents practices such as iris scanning, three-dimensional mapping of facial features and infrared lights, making the cameras perceive your face just as an empty space.

  • Phantom glasses

Phantom goggles prevent facial recognition by reflecting infrared lights, hence preventing infrared cameras from performing biometric analysis of your face.

  • Hyperface Clothing

Clothing printed with “fake faces” makes face detection more difficult and complex; alternatively, you can dress in dark, monochrome colors. If you have visible tattoos or bright, unconventional hair colors, cover them up. Tattoos can be used to identify you later, and may be added to tattoo recognition databases.

DURING THE PUBLIC DEMONSTRATION 

Don’t forget to carry a backpack.

Your backpack should have a gas mask or normal mask, umbrella, bandana, helmet, snacks, cash and another set of clothes in case you get wet by water cannons. And don’t forget lemons and water bottles. A bandana soaked in lemon water can save you from tear gas. An Umbrella can save you from pepper spray and if you get sprayed upon, you can wash your eyes with water. Look out for trouble makers and have an escape route planned. And make sure to remain peaceful.

AFTER THE PUBLIC DEMONSTRATION 

If you’re planning on uploading photos from the demonstration to social networks, make sure you are not doing it from your personal account. And if you want to share them in your group, do it through the Signal app, which automatically strips metadata when sending images. According to data protection experts, metadata on photos can leak information such as the model of camera the photo was taken with, the exact time and location where the photo was taken, and even your name. You can use the FaceShield tool. This software works as a filter that you apply to your photos; the filter modifies minimal elements in the photo so that the faces in it are much harder for sites like Facebook to detect. Or you can use the ObscuraCam app, which can automatically blur faces before you post them on social media, so you won’t be affecting the anonymity of any other participants. There is also a useful tool called Image Scrubber that can be used on any mobile device, including iOS, or on your PC.

THE MOST IMPORTANT QUESTION IS WHAT HAPPENS IF YOU GET ARRESTED

If you are detained and questioned by police, you have a right to remain silent, and to speak with an attorney before and during any questioning. If you answer questions, be sure to tell the truth. It is a crime to lie to the authorities.

If the authorities ask to see your phone, you can tell them that you do not consent to a search of your device. If they ask for the password to unlock your electronic device, you can refuse.  If your device has been confiscated, you may have legal resources to get it back.

Meanwhile, you should revoke access for services like Facebook, Twitter, etc. or change their passwords.

This way, in case you used these apps and tools mentioned before to do a peaceful demonstration they will not have any evidence against you.

You will be free again, looking forward to a new cause to change the world. 

PROBIV: The most famous Russian black market to find job or buy illegal things https://www.securitynewspaper.com/2021/01/30/probiv-the-most-famous-russian-black-market-to-find-job-or-buy-illegal-things/ Sat, 30 Jan 2021 19:28:23 +0000

Currently, an illegal marketplace that can solve many problems for cyber criminals and affect everyone else exists, as mentioned by digital forensics specialists from the International Institute of Cyber Security (IICS).

This marketplace, called Probiv, allows a criminal to find information for sale in order to rob an entire company or a jealous husband to get access to his wife’s cell phone, her location in real time and everything she has in her WhatsApp account.

Imagine this marketplace as the combination of Amazon and Fiverr. It is a site that already has a great established reputation and that anyone can access in order to obtain information, products or gigs at a very affordable price.

Amazon and Fiverr, as you probably know, are two very famous marketplaces in today’s digital world. The former is known for offering a wide variety of items for sale, usually organized into different categories. Amazon is where we go when we want to buy something that arrives directly at our doorstep with just a few clicks. Fiverr, on the other hand, is where people turn when looking for a fast and cheap service or gig, as mentioned by digital forensics specialists. The gigs offered on Fiverr start at only $5.

Probiv is a combination of both these sites but with all kinds of services or information for sale, with absolutely no restrictions.

You can easily think that Probiv is only for experienced cybercriminals; however, this is not the case. This platform is used by many people, from beginner users to the most common people you can imagine, mainly because it is not in the deep web.

This platform was born in 2014, in response to demand for highly specialized sales of information, products and services that are often illegal.

Probiv, which in Russian is a slang term for “search”, is a platform that currently hosts millions of posts and hundreds of thousands of members. When it started, it was only a digital forensics and cybercriminal forum dedicated to the sale of specialized information. Today, it has not only grown in offers and categories for sale, but is available to almost anyone who is interested in joining. This is why its popularity has grown exponentially and keeps on growing.

In Probiv you can find products or services listed at different prices, services that could affect you or your company.

Its sales are basically divided into two categories: information or service offerings, and product offerings, including products obtained in illegal ways.

Data or Service Offering

Digital forensics specialists mention that the data offerings on this platform provide up-to-date information that comes directly from the employees or former employees of an organization or company.

Here, prices vary depending on the sensitivity of the information requested and the risk it could imply for the provider, but generally prices are not that high. In Probiv, information is sold at prices that begin at only $10 per piece of data. Buyers and sellers usually communicate through private messages within the same forum, through Jabber IDs or Telegram accounts.

Bank Services

There are cases in which people simply cannot open a bank account because they do not have all the required documents. There are people living illegally in a country or running from the law; however, through this platform they can have a normal bank account, like everyone else. This is possible because at Probiv, service vendors offer to open bank accounts for a fee. They obtain them with documents from other registered citizens or with the help of bank employees who do not mind slipping these accounts through in order to obtain an extra income.

Within these services, there are also bank employees willing to sell customer data such as balances, withdrawals, payments, and account statements, digital forensics specialists stated. Additionally, they offer to do illegal verifications on the banking history of a person or company.

Furthermore, if someone is applying for a loan but the bank has rejected it, sellers on Probiv see to it that it is approved. They do this with the help of bank employees, using a verifiable address from the country required.

Another type of information that is sold within these services is credit card information. The illegal sale of leaked credit card data may not be something new; however, unlike other illegal forums on the deep web, the information sold in Probiv does not come from data leaks or from banks that have suffered a cyberattack, but rather is obtained by employees or former employees of the bank directly, making this information completely up-to-date.

Telecommunications Services

In this platform, there is also a wide variety of telecommunications service vendors. These are vendors with access to data from cell phone companies. Among the services they offer are providing call details, SMS records and the location of a targeted cell phone number. They obtain these from the client’s records of the companies they work for. Unfortunately, most of the buyers of these services are jealous spouses who want details of the calls and the real-time location of their husbands or wives.

Another service offered here is to get you a SIM card from any country without an official ID.

Some sellers in this section even offer to make ransom calls or fake calls for whatever purpose needed. The criminal who buys this service only has to specify the call he needs and a platform provider does it for a fee.

Just a few years ago, two support employees of a famous telecom company were convicted for photographing data on their phones and sending it to customers they had met on this marketplace.

Government agencies services

In many cases, people who work in government departments do not earn a high salary; however, the digital forensics specialists mention they do earn access to a great deal of important information.

For example, a very popular service in this marketplace comes from the tax department. Probiv sellers offer tax evasion services, which means they can modify your tax details in the system so that you don’t have to pay taxes anymore. They also sell details about companies and important people, mainly to interested competitors. Of course, these services are more expensive than others. As if that weren’t enough, some employees in these departments even offer financial secrets of companies for sale.

Another service is clearing criminal records

The HR department of a company will usually request a criminal background check when you’re applying for a new job. At Probiv, vendors take care of erasing criminal records. There are even corrupt police officers who offer their services on this platform. In addition, some government employees offer their help in order to solve legal problems within a government department.

Other government vendors offer information from passport departments, personal information that can be found on driver’s licenses, real estate purchase records, etc. Digital forensics specialists mention that there are even advertisements on how to get free electricity. Apparently there are vendors willing to give courses on how to modify electricity meters.

Insider trading

At Probiv, business secrets are also for sale. This is because there are many companies interested in the secrets of their competitors: information such as which products are under development, what their new marketing strategies are, or even information about personal scandals involving a company owner that could affect the stock price. This last kind of information can be used to buy or sell stocks before everyone else knows, thus obtaining great monetary benefits, as told by digital forensics specialists.

Independent services

There are also vendors on this marketplace who offer online votes, to win a popularity contest within a social network, for example. Another service that many people would be interested in is helping you clear online tests or telephone interviews. At Probiv, a vendor can clear the exam or interview you have to take over the phone or online, hence getting you the job or career of your dreams.

Product Offering

Product offering here is very similar to other illegal forums but accessible to anyone interested. Of course, prices will vary depending on the product, from hundreds to thousands of dollars. These products are mainly offered by employees working in specific companies or even at government departments.

Identification documents and illegal money exchange

This section includes the sale of passports, driver’s licenses and university degrees from different countries. They offer a wide variety of degrees, from bachelor’s to master’s degrees, as mentioned by digital forensics specialists. These have been purchased from employees working at different universities in many countries.

Recommendation letters

There are also vendors offering recommendation letters you can use to apply for a new job or in the process of entering a new school. Generally, sellers are insiders, working in different companies, who can give you a letter of recommendation with the original format of their company or institution.

Airline tickets and hotel reservations

There are many sellers of air tickets and hotel reservations at very low prices. These are regularly purchased using stolen mileage accounts or by taking advantage of vulnerabilities in booking sites. 

Medical devices and Supplements

In Probiv, you can also find access to illegal medicines, medical devices and health supplements for sale. Most of the vendors offering them are government hospital employees.

Additionally, stolen phones, supermarket products, clothing, computers, designer products and imitations are also sold.

Who provides all these services?

In this illegal marketplace, there are even job offers advertised. At Probiv they have an attractive job offer list that is meant for people looking for a second job, people who already have positions in banks, telecommunications companies, pharmaceutical companies and government departments such as immigration, etc. The typical person who would take a job offer in this marketplace is a young man or woman, working in a low position but in an important department or company, regularly with a low income and looking for an additional part-time job.

Those who have been caught selling illegal information in this type of marketplace have been sales assistants, managers, and employees of cell phone companies or banks with easily available data, digital forensics experts mention.

Due to the nature of their work and the services being sold, they do not handle a large number of requests at once, which keeps them relatively safe. After all, the entire existence and process of Probiv is based on employees willing to risk their positions within an organization or company.

Payments

Payments at Probiv are generally made through escrows. According to digital forensics specialists, these are third-party intermediaries, who receive and disburse the money for the parties that carry out the transaction.

The deal usually works this way: after a sale, service or job has been agreed upon, the buyer sends their funds to the neutral third party known as an escrow. Then, after the buyer has confirmed that the information, product or work received from the seller is what was agreed upon, the custodian delivers the money to the seller. The escrow also charges a percentage for the services rendered. This payment system helps to create guarantees and reduce the chances of a scam.

Now, knowing that this marketplace exists and that there are employees of the companies we work with and hire services from whom we cannot trust, we must be very careful when protecting our data. We must also never be part of these sales systems. We should never, under any circumstances, use services or products that are offered in illegal forums or marketplaces like this, even if they are available to anyone, as there is always the possibility of getting into serious trouble.

Furthermore, we must demand the closure of these types of marketplaces to prevent the sale of illegal information or services that can affect us all.

Top CIA Surveillance Free Secure Phones. How to Make Your Encrypted Carbon Phone From Any Smartphone
Information Security Newspaper | Hacking News, Mon, 16 Nov 2020 17:50:26 +0000
https://www.securitynewspaper.com/2020/11/16/top-cia-surveillance-free-secure-phones-how-to-make-your-encrypted-carbon-phone-from-any-smartphone/

For several years the interception of mobile communications has been an important field for the defense industry. The “Five Eyes” group, an intelligence alliance between Australia, Canada, New Zealand, the United Kingdom and the United States, has not only bought technology to monitor telecommunications in different countries but also, to protect its own communications, began using encrypted mobile devices known as “cryptophones”.

These devices were designed to encrypt call and message signals with algorithms, protecting their users from any kind of interception or data leakage. An encrypted device is so secure that even if its traffic is intercepted, no one could understand the messages or extract information from the calls. Below are some of the most popular cryptophones among security agencies, some of which are also used by criminal groups, along with details of some measures that law enforcement agencies have implemented against the criminal use of these solutions.

Blackphone

Launched in 2014, the Blackphone was one of the first encrypted phones marketed, designed with business customers in mind and with options intended to ensure the confidentiality of calls and messages. The Blackphone came with a modified version of the Android operating system called SilentOS.

EncroChat

In 2016 the EncroChat, a device that replaced the Blackphones, was released. EncroChat was a communications network and service provider that guaranteed privacy in all communications it provided, which was very useful to celebrities or large entrepreneurs who feared for the security of their calls. Unsurprisingly, EncroChat’s service as well as its devices became very popular, especially in Europe and Latin America. Given its attractive features, narcos and organized crime also decided to make use of this secure communication service, as they required anonymity and a lot of privacy.

Before EncroChat there had already been other secure and encrypted communication networks of this type. One of the companies that offered this service in the communications market before EncroChat was the manufacturer of Phantom Secure encrypted phones. They offered BlackBerry phones modified to have different features focused on message and call security. In fact, one of its most famous clients was “El Chapo” Guzmán, who used it to carry out his communications privately.

In 2018, EncroChat was already a very popular company for its privacy-oriented services.  It expanded rapidly and reached the point of having more than 60,000 customers.

Operación Venetic

It was only on June 13 of this year that EncroChat realized that their service had been infiltrated by powerful malware. They claim that it was a really very sophisticated attack, which made them think that it came from a government.

They quickly sent a message to all their customers and users asking them to destroy their phones as soon as possible since they could no longer guarantee security in their communication; however, for many of their clients, it was too late. Collaboration between the UK’s National Crime Agency and agencies in France and the Netherlands was responsible for this elaborate attack that managed to infiltrate the EncroChat network during Operation Venetic in July this year.

The malware they used for this operation was installed on all EncroChat phones and was so well designed that it could hide itself from detection. It was also designed to be able to register the screen lock password, as well as to clone all data from the different applications on the device. This malware allowed the National Crime Agency to read messages written and stored on the device, even before they were encrypted and sent over the Internet.

After the Venetic operation, it was revealed that 90% of EncroChat users were criminals and the authorities obtained all the evidence such as images of drugs, weapons, money, and hideout locations. Operation Venetic allowed the arrest of 746 criminals, in addition to the discovery of torture houses used by organized crime.

Soon after, an FBI report revealed that another organized crime group in Mexico with ties to the Sinaloa cartel also used EncroChat phones to be able to transport fentanyl to the United States.

In general, devices like those offered by EncroChat are also known as “carbon units” or carbon phones. This means that the devices are already sold modified and with pre-installed applications, as well as a secure operating system. They are basically modified Android devices. Among those most used by EncroChat to make their carbon phones are the BQ Aquaris, some Samsung devices, and BlackBerry phones.

Carbon units

“Carbon units” are modified smartphones whose GPS, camera and microphone have been intentionally removed or deactivated. As per experts from the International Institute of Cyber Security, these devices run modified versions of the Android operating system. In fact, they run two operating systems at the same time, side by side. In case you want to use the device like any other Android phone, it simply starts up normally, thus helping to avoid suspicion. If you want to use some type of secure communication, you can switch to the secure operating system, which in turn has applications designed to maintain privacy. An important feature of these “carbon units” is a panic or emergency option: entering a specific PIN immediately erases all data on the phone.

After a famous interview by Edward Snowden with the Vice team, “carbon phones” became even more popular.

In the interview Snowden disassembles a smartphone to remove the cameras and GPS from it, explaining that each part of the phone must be there to serve us and not the other way around. 

In case you are interested in creating your own carbon phone following the advice of Edward Snowden, the first thing you have to do is deactivate or remove the included cameras as per cyber security experts. This is because, despite the fact that phone cameras are a great convenience, they also represent a risk to your safety. They can be activated remotely and used to spy on you.

Next, you would have to deactivate or remove the GPS antenna that comes by default in all cell phones. Not only does it follow you everywhere, but it can also help the government or cybercriminals to track your location remotely.

Finally, you must deactivate or remove the microphone that comes with your cell phone. To be able to talk on the phone, you will need to wear a headset with a built-in microphone. This way, your microphone will only be activated when you are actually calling someone on the phone and cannot be activated remotely or used to spy on you.

You can find many videos on the internet that explain how to do all this, you just have to look for the instructions for your type of smartphone. Similarly, any phone repair shop in your area can do it for you. 

Encrypted SIM cards

In case you don’t want to make your own carbon unit but want to keep your mobile communication safe, you also have the option to buy one. You can also choose to purchase an encrypted SIM card, which is also known as a white SIM card. An encrypted SIM card makes and receives encrypted calls that cannot be intercepted. Additionally, using one of these, your phone number is randomly generated, or you can spoof the phone number of any person in order to hide your identity and location. As an extra feature, many of these SIM cards also offer voice changing during calls to protect against audio analysis and identification. On the black market these SIM cards are sold for cryptocurrency.

Today there are many companies offering secure phones for sale as well as encrypted SIM cards. Among them are the following companies.

Omerta smartphones

Some of Omerta’s smartphones include GrapheneOS in their carbon units. On their site they claim that there are no back doors and that their encryption software is impenetrable even to the FBI and CIA.

They offer carbon units made with Google Pixel phones and their prices range from 500 to 3,500 euros per phone, depending on the model and required customizations. On average, the price of an encrypted SIM card is 1300 euros for a 6-month plan and they ensure that you can use it in any country without any problem.

Cipher Phone

Cipher Phone is another option within this type of secure mobile communications. Their phones offer features like a kill switch for the camera and for the built-in microphone. On the other hand, according to their site, they offer software with features focused on privacy and security of communication. This has services such as switching between operating systems, a delete button and a VPN that changes every 30 minutes.

PinePhone

Another option is the PinePhone, developed by the computer manufacturer Pine64 and designed to allow its users absolute control over their smartphones. Its operating systems are based on Linux. In addition, the customer can easily disassemble the device to turn it into a carbon unit. In total, it includes six physical switches for the front and rear camera, Wi-Fi, Bluetooth, GPS, microphone and cellular network.

GSMK CryptoPhone

GSMK CryptoPhone is another secure phone option. They offer a baseband firewall, tamper-proof hardware and, of course, end-to-end encryption on their devices. They also claim that they can detect SS7 attacks and mobile phone jammers. In addition, like many devices of this type, they also have an emergency erase function.

Boeing Black Smartphone

Another option is the Boeing Black Smartphone; however, it is intended primarily for defense companies and the United States military. Nonetheless, compared to other secure phones on the market, it is not the best when it comes to privacy.

Silent Phone

In case you consider that a cryptophone is out of your reach, you can also use your own smartphone but with applications designed to maintain secure communications. One of these is Silent Phone. The Silent Circle Company, who originally created the Blackphone, now offers an app called Silent Phone that provides voice, video, conference calling, and secure messaging.

Signal

Another of these applications designed to maintain your privacy is Signal. This is a cross-platform encrypted messaging service that allows encrypted voice and video calls. It is completely free and is available for both Android and iPhone.

Graphene OS

There is also GrapheneOS, a secure operating system that you could opt for. GrapheneOS is a mobile operating system based on Android, but hardened for security. It’s privacy-centric, free, and open source, so you could install it on your current smartphone. It was previously called Android Hardening and is compatible with Google Pixel phones; however, it does not include Google applications, so no one can spy on you through Google and all its services. Edward Snowden himself mentioned on Twitter that if he were setting up a smartphone today, he would use GrapheneOS as the base operating system.

Conclusion

Today there are many ways to communicate securely, maintaining our privacy and leaving no trace that can be used against us. However, we need to stay informed and aware of new developments in mobile technology to know all the features an encrypted smartphone has and whether it is really what we are looking for.

Browsing the dark web using the anonymous network I2P
Information Security Newspaper | Hacking News, Thu, 12 Nov 2020 15:24:00 +0000
https://www.securitynewspaper.com/2020/11/12/browsing-the-dark-web-using-the-anonymous-network-i2p/

Invisible Internet Project (I2P) is the most important anonymous network project in the world as per cyber security experts. Users of this tool may browse the sites and use the services without disclosing a single byte of their information to third parties, including the authorities. Although I2P was introduced in 2003, the network continues to grow and expand.

I2P is based on the principle of overlay, that is, an anonymous and secure layer runs on top of another network. One of the main features of I2P is decentralization, as there are no DNS servers on this network, as these are replaced by automatically updated “address books”.

Each I2P user can get their own key, which cannot be tracked by others. Below are some differences between this anonymous network and Tor browser:

  • Tor uses onion routing, sending its traffic through the well-known eight proxy method that alone does not protect against decryption attempts. On the other hand, I2P relies on traffic encryption
  • Tor resorts to using SOCKS, while I2P prefers to use its own API
  • I2P tunnels are unidirectional unlike Tor

Still, not everything is a difference between these tools, as both of them share a fundamental feature: these platforms cannot be accessed without additional software. We know what it takes to use Tor, but what is required to use I2P? The required items are shown below:

  • Java in its version for Windows systems, available here
  • Official I2P installer, available on its website
  • If you have Windows, open “→ All I2P →” and select “Start I2P”. If you have Linux, you probably know what to do yourself
  • The next step is to open a browser like Firefox and access “→ Settings → Network → Use Proxy”. We’ll fill in the fields in the same way as in the following screenshot

You can access the console yourself using http://127.0.0.1:7657/home.

This allows you to start using I2P. You can go to the “Traffic” section and there you can change the transit traffic ratio to 100% and increase the number of kilobytes to load and download per second to maximum, as shown in the following screenshot. Practice shows that this reduces network response time.
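The browser proxy step above is where an I2P setup most often leaks: if a `.i2p` name is ever resolved by the operating system instead of inside the router, the destination is sent in clear to whoever runs the DNS resolver. The following proxy auto-config (PAC) script is an added example, not code from the article or from the I2P project; it encodes the browser side of that step so that every `.i2p` host is handed to the router's HTTP proxy, the router console at 127.0.0.1:7657 (the address given above) is reached directly, and everything else is refused. It assumes the I2P HTTP proxy listens on 127.0.0.1:4444 (the project's default port, assumed here) and that nothing listens on 127.0.0.1:9, which serves as a sink because PAC has no explicit deny result. The sample URLs at the bottom are constructed for the dry run.

```javascript
// Added example (not code from the article or from the I2P project): a proxy
// auto-config (PAC) script for the browser "Network -> Use Proxy" step.
// Every *.i2p name is handed to the local I2P HTTP proxy, which resolves the
// name inside the router; the router console is reached directly; anything
// else is refused so that no request (and no DNS lookup for a .i2p name) can
// leave the tunnel while the browser is in I2P-only mode.
//
// Assumptions, not taken from the article:
//   - the I2P HTTP proxy listens on 127.0.0.1:4444 (I2P's default, assumed here)
//   - nothing listens on 127.0.0.1:9, so routing a request there refuses it
// 127.0.0.1:7657 is the router console address the article gives.

var I2P_PROXY = "PROXY 127.0.0.1:4444";
var ROUTER_CONSOLE_PORT = "7657";
var SINK = "PROXY 127.0.0.1:9"; // PAC has no "deny" result; a closed port does the job
var I2P_ONLY = true;             // false: let clearnet hosts go DIRECT (mixed-use browser)

// Lower-case, drop a trailing dot and IPv6 brackets so comparisons are stable.
function normaliseHost(host) {
  return String(host || "").toLowerCase().replace(/\.$/, "").replace(/^\[|\]$/g, "");
}

// Host and explicit port of a URL without new URL(), which the PAC sandbox lacks.
function splitUrl(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/(\[[^\]]*\]|[^\/:?#]+)(?::(\d+))?/i.exec(String(url || ""));
  return { host: m ? m[1] : "", port: m && m[2] ? m[2] : "" };
}

// Covers readable names (stats.i2p) and base32 destinations (<hash>.b32.i2p).
function isI2pDestination(host) {
  return normaliseHost(host).endsWith(".i2p");
}

function isLoopback(host) {
  var h = normaliseHost(host);
  return h === "localhost" || h === "127.0.0.1" || h === "::1";
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isI2pDestination(host)) {
    // Never DIRECT: that would ask the OS resolver for "name.i2p" and reveal
    // the destination to whoever runs the resolver.
    return I2P_PROXY;
  }
  if (isLoopback(host) && splitUrl(url).port === ROUTER_CONSOLE_PORT) {
    return "DIRECT"; // the router console itself must not go through the tunnel
  }
  return I2P_ONLY ? SINK : "DIRECT";
}

// Constructed sample requests for a dry run of the policy.
var SAMPLE_URLS = [
  "http://stats.i2p/",                 // readable I2P name
  "http://EXAMPLE.B32.I2P./",          // case and trailing dot are normalised
  "http://127.0.0.1:7657/home",        // router console (address from the article)
  "http://127.0.0.1:8080/",            // some other local service: not exempt
  "https://example.com/",              // clearnet: would bypass the tunnel
  "http://notreally.i2p.example.com/"  // ".i2p" in the middle does not count
];

// Review the routing decisions before loading the file into the browser.
function audit(urls) {
  return urls.map(function (u) {
    return { url: u, route: FindProxyForURL(u, splitUrl(u).host) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  audit(SAMPLE_URLS).forEach(function (r) { console.log(r.route + "  <- " + r.url); });
}
```

Save the script as a file and point Firefox at it under the automatic proxy configuration URL (a `file://` path) instead of filling in the manual proxy fields; running it under Node first prints the decision for each sample URL. With `I2P_ONLY` set to false, clearnet hosts go DIRECT, which suits a mixed-use browser but gives up the guarantee that a mistyped or lookalike name cannot leave the tunnel.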

What can I2P find?

Although this is not as vast a world as Tor’s .onion sites, a proper search will allow you to find multiple really interesting platforms. Remember that this is an anonymous network, so it would not be uncommon to find forums for potentially illegal activity.

Blogs and forums

The Hidden Answers forum is a good starting point. This is a platform where people ask questions on any topic, from popular YouTubers to how to perform an abortion. Any forum user can answer any question, so needless to say, applying the tips available in this forum is not the best idea. SecretChat, the Russian-speaking counterpart of Hidden Answers, is also a good alternative.

I2P is full of personal blogs, especially on topics that many users would not dare to have on the conventional Internet. Of course, I2P is not safe from pornographic sites, although it should be mentioned that there is nothing too different from what any Internet user can find. 

Not all blogs available on I2P are useless. In his personal space, a cyber security expert shares helpful network security tips, as well as material that will be of great help to programmers around the world.

As for finding more information about the sites available on I2P, at F*ck Society users can find information about all kinds of I2P sites where banned substances, blogs of radical political positions and other topics typical of dark web forums can be found.

Finally, Onelon is a kind of Facebook in which there are virtually no restrictions. Users can post anything and write to any user and with any intention, although the onion browser version is much more popular.

Communications

One of the most useful services available in I2P is vPass, which helps users find a password for specific domains. Security specialists mention that virtually all tools of this class are also available in .onion, although I2P provides complete anonymity with services like Echelon and I2P Bote.

Trade forums

I2P would be an incomplete network if it did not have websites dedicated to the sale of all kinds of items. Forums like nvspc or Eepsites function as a counterpart to popular platforms like Hydra in .onion so that those interested in buying unusual items contact sellers around the world and make payments, usually in cryptocurrency. 

Another interesting platform is Wiki I2P, a Russian-speaking wiki dedicated to project development that allows users to make edits anonymously to existing articles. This wiki also serves as a directory of links to popular platforms on I2P, although many of the links are broken. 

Libraries

Platforms like Flibusta are also found in I2P, and work successfully for all kinds of users. On the other hand, platforms such as Extreme Chemistry or Fantasy World focus on users with more specific interests, although they have a reduced catalog.

File hosting

There are many file hosting services, including Buried and Serien. There are also sites for exchange through torrents.

Cybercrime

The Tor network clearly leads the way in illegal online activity, although this does not mean that there is no cybercriminal community in I2P. The groups hosted on this network are really small and not every user can contact them; however, it is possible to hire denial of service (DoS) attacks, password cracking and similar services from groups like Armada or BumpTeam.

More experienced users recommend not contacting the operators of these services, as there is always the possibility of running into problems with law enforcement agencies or even being scammed.

Cryptocurrency exchange

I2P is a very open network with Bitcoin and other variants of virtual assets. For example, this network allows transactions with Zcash and many other well-known cryptocurrencies. It should be remembered that the use of Bitcoin and other options may have malicious purposes thanks to its anonymity, so it is worth thinking twice before making any transaction in I2P.

An attractive option for many users

I2P is a relatively complex network for many users, mainly because there are similar options in .onion that are much easier to use. According to specialists, this is not the ideal network for publishing content; its use has much more to do with anonymity while browsing, and at least in this regard, I2P works much better than Tor or a VPN.

Having a decentralized network is important, even for many conventional Internet users. Although these projects sometimes have a bad reputation, I2P is a considerable effort to improve the privacy experience when using the Internet.
