Fork me on Github
Fork me on Github

Joe Dog Software

Proudly serving the Internets since 1999

You won’t guess where Russian spies are hiding their control servers

Brittany Spears

In the natural world, some predators bide their time near a watering hole waiting for thirsty prey to stop by for a drink. In the cyber world, this is aptly known as a watering hole attack. It’s a favorite tactic of Turla, a Russian hacker group.

According to a new report by Eset, an antivirus manufacturer, Turla used Brittany Spears official Instagram page to hide instructions its malware could use to locate the command server. Once it has that address, the malware can upload its stolen details. We Live Security has the sordid details

[We Live Security]: Turla’s Watering Hole Campaign



Covert Channels and Poor Decisions: The Tale of DNSMessenger

This is why our emails and sensitive documents are all over Wikileaks. Stop clicking shit.  (Geekish)

Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.



Trump’s cyber-guru Giuliani runs ancient ‘easily hackable website’

A good way to undermine your “security” brand is to launch a website rife with publicly known exploits.

But how does this even happen? If Rudy Giuliani erred on the side of eye-candy, if he relied on designers instead of infosec specialists, then he’d still have a website built with the most contemporary tools. Designers love new stuff. Instead giulianisecurity.com was built on an end-of-life PHP (5.4) and Joomla (3.1.1). His team exposed LDAP, sshd and mysql — all of which were old and EOL’d.

We can’t trust these people to set up our DVRs, let alone harden our country’s cyber infrastructure.  It’s stunning, really.

Stunned security experts tear strips off president-elect pick hours after announcement

Source: www.theregister.co.uk/2017/01/13/giuliani_joomla_outdated_site/

UPDATE: The DNS record has been taken down but you can still reach giulianisecurity.com by it’s raw IP address.



Searching For Email Addresses In Ashley-Madison Data

Your JoeDog was recently asked about the Ashley-Madison email list. Could he use his nerd-powers to find a particular email address?

“Yeah, sure, but that data dump is huge, I’ll need some time.”

Before he could act, Your JoeDog’s IM was filled with curse words. His contact found the address she was looking for in a website that lets you to search the Ashley-Madison data.

“Okay, but let’s see what’s in the actual data.”

Getting your hands on that data is no easy task. As soon as it’s posted, it’s deleted because no hosting company wants it on its severs. Pastebin is Your JoeDog’s first stop for this sort of thing. An “ashley-madison” search returns many links that point to deleted data. Strike one.

Unable to find it on pastebin, he turned to the gray web, specifically Kickass Torrents. There he found the data available for download … all 23 gigs of it. Can you imagine trying to download 23 gigs over torrent? That’s not going to happen.

Fortunately, Torrent allows you to look at the contents within the zip file. Your JoeDog found a list of files with names like member_email.dump.gz If he could pull down just the parts he wanted, then the download would be quite manageable.

He searched for ‘member_email.dump.gz’ and hit pay dirt. A site had the files listed on Torrent along with their PGP signatures for verification. The hackers posted the verification so you could ensure the files came from them.

As it turns out, the email address she found on that website was NOT in the actual Ashley-Madison data. It was a scam.

Be careful out there. The internets are a scam machine. Sites like the one she used are filled with spammer’s email lists in the hope of extracting payment for scrubbing addresses from the database. People are also using the data to extort money. “Hey, I found your email address in the Ashley-Madison dump. Be a shame if your wife found out.”

In order to determine with certainty if an email address is in the Ashley-Madison database, you will need a quality nerd. But before you find that nerd, ask yourself this: do you really want to know?

NOTE: Even if an email address and a credit card is in the database, there’s still no guarantee the person used that site. Accounts could be opened with stolen cards. Again, Your JoeDog urges caution. Do you really want to confront your significant other only to learn they were the victim of theft? Be careful out there.



Hackers Have Your Ashley-Madison Account Information

It’s a bad time for cheaters. Two months after Adult Friend Finder was compromised, Ashley-Madison was also hacked. The online infidelity broker was breached by a group known as “The Impact Team.” They now have account information for all of Ashley-Madison’s thirty-seven million users. Unless the website is permanently shut down, the “group” plans to release this information to the public:

Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.

How many members do you think comprise “The Impact Team”? Their demand sounds like it was prompted by scorn. It sounds like a guy whose woman hooked-up on Ashley-Madison. He’s bitter and he wants the site removed. Your JoeDog will answer that question with his guess: it’s a team of one.

Ashley-Madison is a multi-million dollar industry. There’s no chance that Avid Life Media shuts down the site. The Impact Team will soon release that data and we’ll be treated to a lively news cycle. The list probably includes a sitting Senator or two….

Note: You can find the Adult Friend Finder database information here.

[Krebs: Online Cheating Site Ashley-Madison Hacked]



Did The St. Louis Cardinals Hack Into Another Team’s Database?

Get A Brain! Morans - Did St. Louis Hack the Astro's databaseYour JoeDog roots for the Pittsburgh Pirates. They are a major league baseball team in the same division as the St. Louis Cardinals. On June 16, the New York Times broke a bombshell story about the Cardinals. They were under investigation by the FBI for breaking into a Houston Astros database.

That seems like an odd choice, right? At the time of the 2013 breach, the Astros weren’t particularly good. They weren’t even in the same division as the Cardinals. Yet they did have something with which St. Louis was familiar, a General Manager named Jeff Luhnow. He worked with the Cardinals before he was hired by Houston in 2011.

When Luhnow was with the Cardinals, he built a computer system known as Redbird. It was a large database filled with scouting information and player analysis. In Houston, he built a similar system called Ground Control. It was basically Redbird under a different name. So St. Louis was familiar with the system but by 2013 they didn’t have Luhnow’s updated information. Did they breach Houston’s computers in order to obtain it? The FBI thinks that’s possible.

One of FBI’s supoenas sought information on the IP addresses from which the attackers logged into Ground Control. It is believed those addresses point directly to the Cardinals or Cardinals’ personnel. The breach itself wasn’t particularly sophisticated. The attacker just stone cold logged in with a password. Again, this takes us back to St. Louis.

Remember, Luhnow used to work with the Cardinals. He brought several Cardinals’ employees with him to Houston. There’s a pretty good chance they had dormant accounts back in St. Louis. Those accounts had login credentials. If any of those former Cardinals employees reused their credentials in Houston, St. Louis had everything it needed to break in.

In the worst case for computer security, St. Louis stored its passwords in the clear (or an employee left a sticky note on his desk). With this information, all they needed to do was log in. If passwords were stored in a secure hash, then St. Louis could have downloaded a password cracker like John The Ripper to get the goods.

This goes beyond anything Tom Brady did. This is no Deflategate. If the accusations hold, then people in St. Louis committed wire fraud, computer hacking, corporate espionage and theft of trade secrets. Those crimes are punishable with incarceration. The guilty won’t find a low level equipment manager to take the fall for this one. The stakes are way too high for that.



US Government: We Suck At Security; Trust Us With Your Records

navalwarcollegehackers_168457_372093-300x193Your JoeDog is not one of those knee-jerk anti-gub’mint guys but god damn sometimes they test his patience.

By now you’ve heard of that database breach in which the Chinese allegedly stole the personal information of approximately 4 million government employees. About half of those records represent current employees, the rest are for previous workers. According to an unnamed US “official,” the data goes back to 1985.

CNN interviewed “experts” who told the network that the Chinese appear to be building a large database of Federal employees which will help them model the organization and setup insider attacks.

One-third of Your JoeDog’s visitors are from China and we’re starting to feel like an abused spouse. We give you free software and you break down the door and steal our records. Thanks, China. Thanks, a lot.

But here’s the real kick in the ass: US government officials cite this breach as a reason to pass a host of legislature which will, among other things, put more personal information into the hands of government. Information-sharing clauses in these bills will essentially channel more personal data from businesses to the Federal government. That makes Your JoeDog’s head explode. The government is essentially saying, “We can’t secure our own records so give us more records.”

The chairpersons of the select committee on cybersecurity have their hair on fire. They predict dire consequences if we don’t grant them more personal data: “Business and industry leaders warned us of the growing threats during various hearings, and this attack shows why the Senate needs to move quickly on a cyber bill.”

The shittier a bill is the quicker is must be passed, people. Don’t worry your pretty little heads about its contents.

Funny thing: Newton’s Third Law applies to politics as well as physics. For every asshole, there’s an equal and opposite anti-asshole. Are you from Oregon, Dear Reader? Then pat yourself on the back because your senator is our anti-asshole.

I believe sharing information about cyber-threats is a worthy goal, it is unlikely that information sharing by private companies would have made any significant difference in protecting federal employee data. That’s why cybersecurity experts say that passing a bill like this will do little to reduce security breaches.

“This is a bad excuse to try and pass a bad bill.”

Amen, Senator Anti-asshole. Amen.



Ransomware Creator: Sorry About That

By now you’ve probably heard of ransomware. It’s a form of malware that encrypts your files and demands a payment for the decryption keys. The whole concept of ransomware says a lot about humans, huh? It says we’re quite clever but we’re also basically dicks.

Last week a new strain of human dickishness was unleashed on an unsuspecting public. Locker is a form of ransomware known as a sleeper. That’s a variant that lies dormant until the administrator wakes it up. Last week the alarm rang. The program rolled out of bed and encrypted files on thousands of PCs.

Now this week an internet user who claims to be the author apologized for that whole making-your-life-suck thing. To prove his sincerity, he released this statement on PasteBin:

I am the author of the Locker ransomware and I’m very sorry about that has happened. It was never my intention to release this.

I uploaded the database to mega.co.nz containing ‘bitcoin address, public key, private key’ as CSV. This is a dump of the complete database and most of the keys weren’t even used. All distribution of new keys has been stopped.

He went on to say that automatic decryption will begin today. If your files are already borked by this program, then I suppose you don’t have much choice but to trust the author. Try to decrypt the files with the keys he provided. If that fails, make sure your computer is connected to the internet so you can receive the task signal.