Atlanta Had Bad Backups and No Kaspersky...,

wsbtv |  City employees were asked to stay off their computers Friday just one day after a massive cyber-attack against the City of Atlanta.

Employees at Atlanta City Hall were handed instructions as they came through the front doors Friday.

Channel 2 Investigative Reporter Aaron Diamant obtained a copy of the flyer that requested employees not turn on computers or log onto their workstations.

Friday’s action comes as city officials are struggling to determine how much sensitive information may have been compromised in a Thursday cyber-attack.

The city has also received demands that it pay a ransom of $50,000, according to Mayor Keisha Lance Bottoms.

Bottoms kicked off a Friday news conference by assuring the public that investigators haven't found any evidence that sensitive customer, resident or employee information was compromised.

Bottoms said federal investigators will advise her on the best course of action.

"This is a marathon, not a sprint," Bottoms said.

The FBI and the Department of Homeland Security are working with city officials to identify the source of the attack.

Hartsfield-Jackson Atlanta International Airport took down the Wi-Fi at the world’s busiest airport after the cyber-attack. 

The Atlanta airport’s website said security wait times and flight information may not be accurate.

CIA False-Flagging and Impersonating Kaspersky

wikileaks |  Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. "perfectly-boring-looking-domain.com") for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a "hidden" CIA server called 'Blot'.

The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users - a HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb(see graphic above) while all other traffic go to a cover server that delivers the insuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

The documentation for Hive is available from the WikiLeaks Vault7 series.

Having Nothing to Hide - Kaspersky Opens Transparency Centers

theintercept |  Responding to U.S. government suggestions that its antivirus software has been used for surveillance of customers, Moscow-based Kaspersky Lab is launching what it’s calling a transparency initiative to allow independent third parties to review its source code and business practices and to assure the information security community that it can be trusted.

The company plans to begin the code review before the end of the year and establish a process for conducting ongoing reviews, of both the updates it makes to software and the threat-detection rules it uses to detect malware and upload suspicious files from customer machines. The latter refers to signatures — search terms used to detect potential malware —  which are the focus of recent allegations.

The company will open three “transparency centers” in the U.S., Europe, and Asia, where trusted partners will be able to access the  third-party reviews of its code and rules. It will also engage an independent assessment of its development processes and work with an independent party to develop security controls for how it processes data uploaded from customer machines.

“[W]e want to show how we’re completely open and transparent. We’ve nothing to hide,” Eugene Kaspersky, the company’s chair and CEO, said in a written statement.

The moves follow a company offer in July to allow the U.S. government to review its source code.

Although critics say the transparency project is a good idea, some added it is insufficient to instill trust in Kaspersky going forward.

“The thing [they’re] talking about is something that the entire antivirus industry should adopt and should have adopted in the beginning,” said Dave Aitel, a former NSA analyst and founder of security firm Immunity. But in the case of Kaspersky, “the reality is … you can’t trust them, so why would you trust the process they set up?”

Kaspersky has come under intense scrutiny after its antivirus software was linked to the breach of an NSA employee’s home computer in 2015 by Russian government hackers who stole classified documents or tools from the worker’s machine. News reports, quoting U.S. government sources, have suggested Kaspersky colluded with the hackers to steal the documents from the NSA worker’s machine, or at least turned a blind eye to the activity.

Kaspersky Did Nothing Wrong: Thieving NSA JaMoke Self-Stooged

theintercept |  Kaspersky Lab said an individual, believed to be one identified as a National Security Agency worker in news accounts, triggered the company’s antivirus software and paved the way for it to upload classified NSA files from his computer when he tried to pirate Microsoft Office and ended up infecting himself with malicious software.

The piracy claim is included in a set of preliminary findings released by the Moscow-based company from an internal investigation into a byzantine spying scandal that didn’t seem like it could get any more bizarre. A series of news reports this month, citing U.S. intelligence sources, asserted that the files on the worker’s computer, which included source code for sensitive hacking tools he was developing for the spy agency, were uploaded by Kaspersky security software and then collected by Russian government hackers, possibly with the company’s knowledge or help. Kaspersky has denied that it colluded with Russian authorities or knew about the worker incident as it was described in the press.

Details from the investigation, including the assertion that Kaspersky’s CEO ordered the files deleted after they were recognized as potential classified NSA material, could help absolve the antivirus firm of allegations that it intentionally searched the worker’s computer for classified files that did not contain malware. But they also raise new questions about the company’s actions, the NSA worker, and the spying narrative that anonymous government sources have been leaking to news media over the last two weeks.

After facing increasingly serious allegations of spying, Kaspersky provided The Intercept with a summary of preliminary findings of an internal investigation the company said it conducted in the wake of the news reports.

In its statement of findings, the company acknowledged that it detected and uploaded a compressed file container, specifically a 7zip archive, that had been flagged by Kaspersky’s software as suspicious and turned out to contain malware samples and source code for what appeared to be components related to the NSA’s so-called Equation Group spy kit. But the company said it collected the files in the normal course of its operations, and that once an analyst realized what they were, he deleted them upon the orders of CEO Eugene Kaspersky. The company also insists it never provided the files to anyone else.

Kaspersky doesn’t say the computer belonged to the NSA worker in question and says the incident it recounts in the report occurred in 2014, not 2015 as news reports state. But the details of the incident appear to match what recent news reports say occurred on the worker’s computer.

The NSA could not be reached for comment.

Removing Kaspersky Is A Recipe For Cybernetic Pearl Harbor....,

I just renewed and enlarged my commitment for three years. Once you've looked at/tried all the competing products, including new-fangled "end-point security agents" and other such falderol and balderdash - in the end - there can be only one. Kaspersky is easily the best. Accept no substitutes!

strategic-culture |  On September 18, the US Senate voted to ban the use of products from the Moscow-based cyber security firm Kaspersky Lab by the federal government, citing national security risk. The vote was included as an amendment to an annual defense policy spending bill approved by the Senate on the same day. The measure pushed forward by New Hampshire Democrat Jeanne Shaheen has strong support in the House of Representatives, which also must vote on a defense spending bill. The legislation bars the use of Kaspersky Lab software in government civilian and military agencies. 

 On September 13, a binding directive issued by Acting Secretary of Homeland Security Elaine Duke, ordered federal agencies to remove Kaspersky Lab products from government computers over concerns the Russia-based cybersecurity software company might be vulnerable to Russian government influence. All federal departments and agencies were given 30 days to identify any Kaspersky products in use on their networks. The departments have another 60 days to begin removal of the software. The statement says, «The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks». The Russian law does not mention American networks, nevertheless it is used as a pretext to explain the concern.

Similar bans against US government use of Kaspersky products have been suggested before. In 2015, Bloomberg News reported that the company has «close ties to Russian spies».

According to US News, scrutiny of the company mounted in 2017, fueled by U.S. intelligence assessments and high-profile federal investigations of Russian interference in the 2016 election. This summer, the General Service Administration, which oversees purchasing by the federal government, removed Kaspersky from its list of approved vendors. In June, a proposal prohibiting the US military from using the company's products was reportedly included in the Senate's draft of the Department of Defense's budget rules. US intelligence leaders said earlier this year that Kaspersky Lab was already generally not allowed on military networks.

Asian Windows Bootleggers Now WannaCry....,

NYTimes |  China, India and Russia were among the countries most affected by the ransomware attack, according to the Moscow-based computer security firm Kaspersky Lab. The three countries are also big sources of pirated software. A study last year by BSA, a trade association of software vendors, found that in China, the share of unlicensed software reached 70 percent in 2015. Russia, with a rate of 64 percent, and India, with 58 percent, were close behind.

Zhu Huanjie, who is studying network engineering in the city of Hangzhou, blamed a number of ills for the spread of the attack, like the lack of security on school networks. But he said piracy was also a factor. Many users, he said, did not update their software to get the latest safety features because of a fear that their copies would be damaged or locked, while universities offered only older, pirated versions.

“Most of the schools are now all using pirate software, including operation system and professional software,” he said, adding: “In China, the Windows that most people are using is still pirated. This is just the way it is.”

On Monday, some Chinese institutions were still moving to clean out computer systems jammed by the attack, which initially struck on Friday and spread across the world. Prestigious research institutions like Tsinghua University were affected, as were major companies like China Telecom and Hainan Airlines.

China’s securities regulator said it had taken down its network to try to ensure it would not be affected, and the country’s banking regulator warned lenders to be cautious when dealing with the malicious software, which locked users out of their computers and demanded payment to allow them back in.

Police stations and local security offices reported problems on social media, while students at universities reported being locked out of final thesis papers. Electronic payment systems at gas stations run by the state oil giant PetroChina were cut off for much of the weekend. Over all, according to the official state television broadcaster, about 40,000 institutions were hit. Separately, the Chinese security company Qihoo 360 reported that computers at more than 29,000 organizations had been infected.

If those behind the ransomware attack profited from the hacking, they may have figured out how to do something that has been beyond Microsoft: making money from Windows in China. Microsoft and other Western companies have complained for years that a large majority of the computers running their software are using pirated versions.

Before Miss Lindsey and Auntie Maxine Blame Russia..,

Telegraph | Vladimir Putin has blamed the US for causing the global cyber attack. He said Russia had "nothing to do" with the cyber attack, adding that the US had indirectly caused it by creating the Microsoft hack in the first place.

"Malware created by intelligence agencies can backfire on its creators," said Putin, speaking to media in Beijing.

More than 45,000 attacks of the #WannaCry recorded by #Kaspersky in 74 countries around the world, mostly in Russia. https://t.co/Agtr2rFDt2 pic.twitter.com/r3JCpXf9MR

— Odisseus (@_odisseus) May 12, 2017

He added that the attack didn't cause any significant damage to Russia. Russian security firm Kaspersky said hospitals, police and railroad transport had been affected in the country. Another report suggested Russia was one of the worst hit locations.

Putin said:

As regards the source of these threats, I believe that the leadership of Microsoft have announced this plainly, that the initial source of the virus is the intelligence services of the United States. 

Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators.

So this question should be discussed immediately on a serious political level and a defence needs to be worked out from such phenomena.

Military-Backed Criminal Superhacking Looks Like....,

arstechnica |  A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers.

The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected, with Russia being disproportionately affected, followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States. The malware is notable for its multi-lingual ransom demands, which support more than two-dozen languages.

Wcry is reportedly causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government's National Health Service, and Spanish telecom Telefonica have all been hit. The Spanish CERT has called it a "massive ransomware attack" that is encrypting all the files of entire networks and spreading laterally through organizations.

The virally spreading worm was ultimately stopped when a researcher who uses the Twitter handle MalwareTech and works for security firm Kryptos Logic took control of a domain name that was hard-coded into the self-replicating exploit. The domain registration, which occurred around 6 AM California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.

The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign. MalwareTech's registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world. As a result, the number of infection detections plateaued dramatically in the hours following the registration. It had no effect on WCry infections that were initiated through earlier campaigns.

is this why valodya was at an undisclosed location for ten days?

eutimes |  The Ministry of Defense (MoD) is reporting today that the Federation is now in a “state of war” thus bringing to full activation President Putin’s “Dead Hand” nuclear order issued 29 July 2014 to The Strategic Missile Forces (SMF).

According to this report, the full activation of the much feared “Dead Hand” nuclear option was authorized under President Putin’s previous order due to the discovery that the nuclear forces of the United Kingdom (UK) were preparing a first strike against military and civilian targets located in the Federation.

The intention of the nuclear forces of the UK preparing a first strike against the Federation, this report says, was revealed by Federal Security Services (FSB) electronic intelligence experts working in conjunction with Kaspersky Lab who discovered last month a massive US National Security Agency (NSA) cyber espionage programme targeting not just Russia, but everyone else on Earth.

Both the FSB and Kaspersky Lab experts, the MoD reports, were able to swiftly reverse engineer the computer code(s) involved in this massive NSA spying operation which then enabled them to electronically obtain the launching codes and coordinates of all the UK’s nuclear weapons showing their plan to launch a first strike against the Federation during the week of 15 March.

Though information of this highly successful FSB-Kaspersky Lab intelligence operation has been suppressed in the West, some counter-news of it has been reported by a few technical websites, including The Verge which in their article reported yesterday titled “A Network Error Routed Traffic For The UK’s Nuclear Weapons Agency Through Russian Telecom”, in part, says:

“For the past week, something strange has been going on in the European internet. For five days, web traffic from Texas to certain addresses in the UK has been routed through Ukrainian and Russian telecoms, taking a detour thousands of miles out of the way. Network traffic often takes a circuitous route as a result of network congestion or interconnection difficulties, but neither one would be enough to account for these routes. Instead, this was the result of a bad route announced by Ukraine’s Vega telecom, inserting itself in between.

It’s particularly disconcerting because of the sensitive nature of many of the sites involved. Among the dozens of sites involved was the UK’s Atomic Weapons Establishment, which is tasked with managing and delivering the UK’s nuclear warheads, as well as the UK’s official mail service, the Royal Mail. US defense contractor Lockheed Martin was also running a VPN connection that was caught up in the redirection.”

Upon the MoD’s confirmation of the UK’s intention to launch a nuclear first strike against the Federation, this report continues, Russian military forces throughout the country were immediately activated with a special emphasis placed upon massive rocket-artillery maneuvers on the southern borders.

military-backed criminal superhacking, or, three stacks for uncle sugar, one stack for me?

NYTimes |  In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says that the scope of this attack on more than 100 banks and other financial institutions in 30 nations could make it one of the largest bank thefts ever — and one conducted without the usual signs of robbery.

The Moscow-based firm says that because of nondisclosure agreements with the banks that were hit, it cannot name them. Officials at the White House and the F.B.I. have been briefed on the findings, but say that it will take time to confirm them and assess the losses.

Kaspersky Lab says it has seen evidence of $300 million in theft through clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.

The majority of the targets were in Russia, but many were in Japan, the United States and Europe.

No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information.

But the industry consortium that alerts banks to malicious activity, the Financial Services Information Sharing and Analysis Center, said in a statement that “our members are aware of this activity. We have disseminated intelligence on this attack to the members,” and that “some briefings were also provided by law enforcement entities.”

i've used kaspersky endpoint security for years and so should you...,

arstechnica |  A long list of almost superhuman technical feats illustrate Equation Group's extraordinary skill, painstaking work, and unlimited resources. They include:

• The use of virtual file systems, a feature also found in the highly sophisticated Regin malware. Recently published documents provided by Ed Snowden indicate that the NSA used Regin to infect the partly state-owned Belgian firm Belgacom.
• The stashing of malicious files in multiple branches of an infected computer's registry. By encrypting all malicious files and storing them in multiple branches of a computer's Windows registry, the infection was impossible to detect using antivirus software.
• Redirects that sent iPhone users to unique exploit Web pages. In addition, infected machines reporting to Equation Group command servers identified themselves as Macs, an indication that the group successfully compromised both iOS and OS X devices.
• The use of more than 300 Internet domains and 100 servers to host a sprawling command and control infrastructure.
• USB stick-based reconnaissance malware to map air-gapped networks, which are so sensitive that they aren't connected to the Internet. Both Stuxnet and the related Flame malware platform also had the ability to bridge airgaps.
• An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.

Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.

"It seems to me Equation Group are the ones with the coolest toys," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."

In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency.