Information Security News
A Massachusetts man who reportedly illegally accessed the cell phone of socialite Paris Hilton 10 years ago has agreed to serve four years in federal prison for a more recent hacking spree that targeted computer networks around the country, including those belonging to law enforcement organizations that stored sensitive data and communications.
Cameron Lacroix, 25, of New Bedford, Massachusetts, submitted a written agreement to plead guilty to two counts of computer intrusion and one count of access device fraud, documents filed in Boston federal court alleged. Over a two-year span beginning in May 2011, the man pursued a hacking spree that targeted a multitude of groups, prosecutors said. One of the hacked networks belonged to a local Massachusetts police department and exposed an e-mail account belonging to the unidentified department's chief of police. Lacroix is also accused of repeatedly penetrating the defenses of other law enforcement computer servers containing sensitive information, including police reports, intelligence reports, arrest warrants, and sex offender information.
Another prong of his alleged two-year hacking spree was the Bristol Community College. Prosecutors said Lacroix breached the college's servers on multiple occasions from September 2012 to December 2013 so he could change his grades and those of two other students. Lacroix allegedly used stolen login credentials belonging to three instructors to gain illegal access. The man is also accused of obtaining and possessing payment card data for more than 14,000 unique account holders. As part of the plea agreement, Lacroix is expected to be sentenced to four years in prison to be followed by three years of supervised release.
By now many of you have already read the reporting by Brian Krebs on the Gameover Zeus (GOZ) and Cryptolocker takedowns (or, more accurately, disruptions). You can read the US Justice Department's court documents here, which include a named suspect behind the operation of GOZ. This is the result of large-scale multijurisdictional law enforcement cooperation and work from the private sector. The TL;DR version is that as of this moment, Gameover Zeus has been disrupted and can no longer control clients. In the case of Cryptolocker, new victim machines can no longer communicate with the command and control (C2) servers, which means files will not be encrypted. If your files are already encrypted, there is no change, as once the files are encrypted no further communication with the C2s is necessary unless you are paying the ransom. This, unfortunately, is likely temporary in nature (between 2 weeks and 6 months depending on the specific circumstances).
One thing that would be helpful: if you observe new GOZ or Cryptolocker infections, please write in with details so they can be analyzed.
bambenek \at\ gmail /dot/ com
Security researchers have discovered vulnerabilities in a widely used WordPress extension that leaves sites susceptible to remote hijacking.
WordPress-powered sites that use the All in One SEO Pack should promptly install an update that fixes the privilege escalation vulnerabilities, Marc-Alexandre Montpas, a researcher with security firm Sucuri, wrote in a blog post published Saturday. Administrators can upgrade by logging in to the admin panel, selecting plug-ins, and choosing the All in One title. The just-released version that fixes the vulnerabilities is 2.1.6.
The worst of the attacks made possible by the bugs can allow attackers to inject malicious code into the admin control panel, Montpas warned. Malicious hackers could then change an admin's password or insert backdoor code into the underlying websites. People could also remotely tamper with a site's search engine optimization settings. To exploit the bugs, attackers need only an unprivileged account on the site, such as one for posting reader comments. In some cases, the privilege escalation and cross-site scripting bugs in All in One SEO are combined with another vulnerability that Montpas didn't elaborate on.
It just got easier to exploit the catastrophic Heartbleed vulnerability against wireless networks and the devices that connect to them thanks to the release last week of open source code that streamlines the process of plucking passwords, e-mail addresses, and other sensitive information from vulnerable routers and connected clients.
Dubbed Cupid, the code comes in the form of two software extensions. The first gives wireless networks the ability to deploy "evil networks" that surreptitiously send malicious packets to connected devices. Client devices relying on vulnerable versions of the OpenSSL cryptography library can then be forced to transmit contents stored in memory. The second extension runs on client devices. When connecting to certain types of wireless networks popular in corporations and other large organizations, the devices send attack packets that similarly pilfer data from vulnerable routers.
The release of Cupid comes eight weeks after the disclosure of Heartbleed, one of the most serious vulnerabilities to ever hit the Internet. The flaw, which existed for more than two years in OpenSSL, resides in "heartbeat" functions designed to keep a transport layer security (TLS) connection alive over an extended period of time.