Tag Archive for: Secrets

A Mysterious Leak Exposed Chinese Hacking Secrets


While the documents have now been removed from GitHub, where they were first posted, the identity and motivations of the person, or people, who leaked them remain a mystery. However, Chang says the documents appear to be real, a fact confirmed by two employees working for i-Soon, according to the Associated Press, which reported that the company and police in China are investigating the leak.

“There are around eight categories of the leaked files. We can see how i-Soon engaged with China’s national security authorities, the details of i-Soon’s products and financial problems,” Chang says. “More importantly, we spotted documents detailing how i-Soon supported the development of the notorious remote access Trojan (RAT), ShadowPad,” Chang adds. The ShadowPad malware has been used by Chinese hacking groups since at least 2017.

Since the files were first published, security researchers have been poring over their contents and analyzing the documentation. Included were references to software to run disinformation campaigns on X, details of efforts to access communications data across Asia, and targets within governments in the United Kingdom, India, and elsewhere, according to reports by the New York Times and The Washington Post. The documents also reveal how i-Soon worked for China’s Ministry of State Security and the People’s Liberation Army.

According to researchers at SentinelOne, the files also include pictures of “custom hardware snooping devices,” such as a power bank that could help steal data, and the company’s marketing materials. “In a bid to get work in Xinjiang–where China subjects millions of Uyghurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work,” the researchers write. “The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.”

The Federal Trade Commission has fined antivirus firm Avast $16.5 million for collecting and selling people’s web browsing data through its browser extensions and security software. This included the details…

Source…

Ex-CIA computer engineer gets 40 years in prison for giving spy agency hacking secrets to WikiLeaks


NEW YORK — A former CIA software engineer was sentenced to 40 years in prison on Thursday after his convictions for what the government described as the biggest theft of classified information in CIA history and for possession of child sexual abuse images and videos.

The bulk of the sentence imposed on Joshua Schulte, 35, in Manhattan federal court came for an embarrassing public release of a trove of CIA secrets by WikiLeaks in 2017. He has been jailed since 2018.

“We will likely never know the full extent of the damage, but I have no doubt it was massive,” Judge Jesse M. Furman said as he announced the sentence.

The so-called Vault 7 leak revealed how the CIA hacked Apple and Android smartphones in overseas spying operations, and efforts to turn internet-connected televisions into listening devices. Prior to his arrest, Schulte had helped create the hacking tools as a coder at the agency’s headquarters in Langley, Virginia.

In requesting a life sentence, Assistant U.S. Attorney David William Denton Jr. said Schulte was responsible for “the most damaging disclosures of classified information in American history.”

Given a chance to speak, Schulte complained mostly about harsh conditions at the Metropolitan Detention Center in Brooklyn, calling his cell, “My torture cage.”

But he also claimed that prosecutors had once offered him a plea deal that would have called for a 10-year prison sentence and that it was unfair of them to now seek a life term. He said he objected to the deal because he would have been required to relinquish his right to appeal.

“This is not justice the government seeks, but vengeance,” Schulte said.

Immediately afterward, the judge criticized some of Schulte’s half-hour of remarks, saying he was “blown away” by Schulte’s “complete lack of remorse and acceptance of responsibility.”

The judge said Schulte was “not driven by any sense of altruism,” but instead was “motivated by anger, spite and perceived grievance” against others at the agency who he believed had ignored his complaints about the work environment.

Furman said Schulte continued his crimes from behind bars by trying to leak more classified materials and by creating a hidden…

Source…

No secrets or stored credentials with Badge’s new authentication system


Badge Inc., a digital privacy firm founded by MIT cryptographers, is celebrating the launch of its patented authentication software, which allows users to enroll once and authenticate across devices thereafter without re-registration. According to a press release, the biometric public key system is easily integrated with leading digital identity providers, and eliminates the risk of centrally stored personal identity information and biometric data being exposed to breaches, thus rendering passwords, knowledge-based authentication (KBA) and biometric credential storage obsolete.

“The problem of storing credentials has vexed the security community for decades,” says Ray Rothrock, Badge advisor, venture capitalist and former CEO of Red Seal. According to Badge, by doing away with stored credentials the system eliminates the target of 49 percent of all data breaches. “The pervasive concern of PII being in the open and unprotected is over,” says Rothrock. “Badge enables identity without secrets.”

The product does so by letting users derive private keys on the fly using their biometrics and factors of choice, without having to rely on hardware tokens or secrets. It also dodges the problem of on-device authentication that locks users to a specific device that can be lost or rendered inoperable, leading to cumbersome account recovery processes. Per the release, users enroll once then “seamlessly authenticate across any device using authentication factors that are unique and inherent to them, including biometric factors such as fingerprint or face. These biometric factors can be combined with other factors such as passive attributes, attestation signals, PINs, etc.,” for an MFA method that does not rely on a specific device or token.

“You are your token”

Tina P. Srivastava, co-founder of Badge and an MIT aerospace PhD, says Badge’s core mission is to move the trust-anchor for digital identities to the human instead of hardware. “After losing my own identity in a breach,” says Srivastava, “we went back to the fundamentals. We relied on math to solve the problem and used cryptography to build a user-centric solution that makes people their own…

Source…

Google OAuth secrets exposed as account-hijacking MultiLogin vulnerability discovered


Facepalm: OAuth is an open standard designed to share account information with third-party services, providing users with a simple way to access apps and websites. Google, one of the companies offering OAuth authentication to its users, is seemingly hiding some dangerous “secrets” in the protocol.

A malware developer was recently able to discover one of Google’s OAuth secrets, a previously unknown feature named “MultiLogin” that is responsible for synchronizing Google accounts across different services. MultiLogin accepts a vector of account ID and auth-login tokens, using such data for managing simultaneous sessions or seamlessly switching between user profiles.

MultiLogin is an undocumented Google account endpoint, referenced in Chromium’s source code, that can be abused to compromise a user’s Google account. The “bug” was unveiled by a malware developer known as PRISMA in October 2023. The cyber-criminal shared details about a critical exploit designed to generate persistent cookies for “continuous” access to Google services, even after a user’s password reset.

The exploit was first revealed on PRISMA’s Telegram channel, and it was soon adapted by various malware groups as a new, potent tool to steal access credentials on users’ PCs. As highlighted by CloudSEK analysts, the 0-day exploit provided two key features for infostealer creators: session persistence, and valid cookie generation.

Cyber-criminals quickly adopted the new exploit, integrating even more advanced features to bypass Google’s security restrictions on token regeneration. Recent infostealer malware can infect a user’s PC, scan the machine for the Google login tokens and session cookies that Chromium stores locally, then exfiltrate the data to remote servers controlled by the cyber-criminals.

Thanks to MultiLogin, the stolen tokens can be exchanged for fresh, valid session cookies even after the user changes their Google password. The exploit is countered by completely signing out of the Google account in the affected browser (or revoking that device’s session from the account’s device management page), which invalidates the token and prevents further exploitation; a password change on its own does not.
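The failure mode described above, stated generically: a session token minted before a password reset stays usable after it, and only an explicit sign-out revokes it. The following is an added example, not Google’s code or anything from the CloudSEK report; it models a simplified server-side session store (account, token, password hash) rather than Google’s real token format or the MultiLogin endpoint, and the account name and passwords are constructed for the demonstration. The store can be built in two modes: `bind_to_epoch=False` reproduces the flaw, `bind_to_epoch=True` is the hardened form, where every session records the credential epoch it was issued under and a password change bumps that epoch so stale tokens are rejected.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    # Bumped on every password change and on "sign out everywhere";
    # sessions remember the epoch they were minted under.
    credential_epoch: int = 0


@dataclass
class Session:
    token: str
    user_id: str
    issued_epoch: int
    expires_at: float


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example stdlib-only; use a memory-hard KDF in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """bind_to_epoch=False: password reset leaves old tokens valid (the flaw).
    bind_to_epoch=True: tokens are tied to the credential epoch (hardened)."""

    def __init__(self, bind_to_epoch: bool, ttl_seconds: float = 3600.0):
        self.bind_to_epoch = bind_to_epoch
        self.ttl = ttl_seconds
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def create_account(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))

    def _check_password(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def login(self, user_id: str, password: str) -> Optional[str]:
        acct = self.accounts.get(user_id)
        if acct is None or not self._check_password(acct, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id, acct.credential_epoch, time.time() + self.ttl)
        return token

    def validate(self, token: str) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None or time.time() > s.expires_at:
            return None
        acct = self.accounts[s.user_id]
        if self.bind_to_epoch and s.issued_epoch != acct.credential_epoch:
            return None  # minted before the last credential change: reject
        return s.user_id

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        acct = self.accounts[user_id]
        if not self._check_password(acct, old):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new, acct.salt)
        acct.credential_epoch += 1  # only matters when bind_to_epoch is True
        return True

    def sign_out_everywhere(self, user_id: str) -> int:
        """What a full sign-out does: every live token for the user is dropped."""
        doomed = [t for t, s in self.sessions.items() if s.user_id == user_id]
        for t in doomed:
            del self.sessions[t]
        self.accounts[user_id].credential_epoch += 1
        return len(doomed)


def demo() -> dict:
    """Replay the scenario in both modes; constructed credentials, not real ones."""
    results = {}
    for label, bind in (("unbound", False), ("epoch_bound", True)):
        store = SessionStore(bind_to_epoch=bind)
        store.create_account("alice", "correct horse")
        stolen = store.login("alice", "correct horse")  # an infostealer copies this token
        assert store.validate(stolen) == "alice"
        store.change_password("alice", "correct horse", "battery staple")
        results[f"{label}_valid_after_reset"] = store.validate(stolen) == "alice"
        store.sign_out_everywhere("alice")
        results[f"{label}_valid_after_signout"] = store.validate(stolen) == "alice"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script: in the unbound store the stolen token still validates after the password reset and dies only on sign-out, which is the behaviour the article describes; in the epoch-bound store the reset alone kills it. The design point is that credential changes and session validity must share state, so that rotating the password (or any primary credential) implicitly revokes everything issued under the old one.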

CloudSEK said that the MultiLogin exploit underscores the “complexity and stealth” of modern security threats. Google confirmed the session-stealing attack, saying that such kind of malware is not new. The company routinely upgrades its…

Source…