Malware researcher Marcus Hutchins pleads guilty, ending his legal case

Malware researcher Marcus Hutchins has pleaded guilty to two counts of creating and selling a powerful banking malware, ending a long and protracted battle with U.S. prosecutors.

Hutchins, a British national who goes by the online handle MalwareTech, was arrested in August 2017 as he was due to fly back to the U.K. following the Def Con security conference in Las Vegas. Prosecutors charged Hutchins with his involvement with creating the Kronos banking malware, dating back to 2014. He was later freed on bail.

A plea agreement was filed Friday with the Eastern District of Wisconsin, where the case was being heard. His trial had been set to begin later this year.

Hutchins agreed to plead guilty to distributing Kronos, a trojan that can be used to steal passwords and credentials from banking websites. In recent years, the trojan has continued to spread. He also agreed to plead guilty to a second count of conspiracy.

Hutchins faces up to 10 years in prison. Prosecutors have dropped the remaining charges.

In a brief statement on his website, Hutchins said: “I regret these actions and accept full responsibility for my mistakes.”

“Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes,” he said. “I will continue to devote my time to keeping people safe from malware attacks.”

His attorney Marcia Hoffman did not immediately return a request for comment.

Hutchins rose to prominence after he stopped the spread of the WannaCry ransomware attack in May 2017, months before his arrest. The attack used powerful hacking tools developed by the National Security Agency, which were later leaked, to backdoor thousands of Windows computers and install ransomware. The attack, later attributed to hackers backed by North Korea, knocked U.K. hospitals offline and crippled major companies around the world.

By registering a domain name found in the malware’s code, Hutchins stemmed the spread of the infection. He was hailed a hero for stopping the attack.

Both before and after his release, Hutchins gained further praise and respect from the security community for his contributions to the malware-reversing field and for publishing his findings so that others could learn from them.

Justice Department spokesperson Nicole Navas declined to comment.

Hacker dumps thousands of sensitive Mexican embassy documents online

A hacker stole thousands of documents from Mexico’s embassy in Guatemala and posted them online.

The hacker, who goes by the online handle @0x55Taylor, tweeted a link to the data earlier this week. The data is no longer available for download after the cloud host pulled the data offline, but the hacker shared the document dump with TechCrunch to verify its contents.

The hacker told TechCrunch in a message: “A vulnerable server in Guatemala related to the Mexican embassy was compromised and I downloaded all the documents and databases.” He said he contacted Mexican officials but he was ignored.

In previous correspondence with the hacker, he said he tries to report problems and has received bounty payouts for his discoveries. “But when I don’t get a reply, then it’s going public,” he said.

More than 4,800 documents were stolen, most of which related to the inner workings of the Mexican embassy in the Guatemalan capital, including its consular activities, such as recognizing births and deaths, dealing with Mexican citizens who have been incarcerated or jailed and the issuing of travel documents.

More than a thousand passports — including identification issued to diplomats — were stolen. (Image: supplied)

We found more than a thousand highly sensitive identity documents of primarily Mexican citizens and diplomats — including scans of passports, visas, birth certificates and more — but also some Guatemalan citizens.

Several documents contained scans of the front and back of payment cards.

One of the diplomatic visas issued to a Mexican diplomat stolen in the files. (Image: supplied)

The stolen data also included dozens of letters granting diplomatic rights, privileges and immunities to embassy staff. Diplomatic rights grant employees of the foreign embassy certain protections from their host country’s government and law enforcement. Diplomatic immunity, for example, allows staff safe passage in and out of the country, and they are generally safe from prosecution. Other documents seen by TechCrunch were signed off personally by Mexico’s ambassador to Guatemala, Luis Manuel López Moreno, and were marked to be transported by diplomatic bag, which foreign missions use to carry official correspondence between countries and which cannot be searched by police or customs.

Many of the files were marked “confidential,” though it’s not known if the hacked data included anything considered by the Mexican government to be classified or secret. Other files were internal administrative documents relating to staff medical expenses, vacation and time off and vehicle certifications.

When reached Friday, Gerardo Izzo, a spokesperson for the consul general in New York, said it is taking the matter “very seriously” but did not immediately have comment.

Friday is a national holiday in Mexico.

Alphabet’s Sidewalk Labs is developing visual cues to indicate when their tech is monitoring you

Alphabet’s subsidiary focused on urban tech development, Sidewalk Labs, is now trying to reinvent signage for smart cities. These signs aren’t to direct the flow of traffic, or to point the way to urban landmarks — they’re designed to let citizens know when they’re being monitored.

The proposal is part of a push by the company to acclimate people to the technologies that it’s deploying in cities like New York and Toronto.

Globally, competition for contracts to deploy sensors, data management, and predictive technologies in cities can run into the tens of millions, if not billions of dollars, and Sidewalk Labs knows this better than most. Because its projects are among the most ambitious deployments of sensing and networking technologies for smart cities, the company has also faced the most public criticism.

So at least partially in an attempt to blunt attacks from critics, the company is proposing to make its surveillance and monitoring efforts more transparent.

“Digital technology is all around us, but often invisible. Consider: on any one urban excursion (your commute, perhaps), you could encounter CCTVs, traffic cameras, transit card readers, bike lane counters, Wi-Fi access points, occupancy sensors that open doors — potentially all on the same block,” writes Jacqueline Lu, whose title is “assistant director of the public realm” at Sidewalk Labs.

Lu notes that while the technologies can be useful, there’s little transparency around the data these technologies are collecting, who the data is being collected by, and what the data is collected for.

Cities like Boston and London already indicate when technology is being used in the urban environment, but Sidewalk Labs convened a group of designers and urban planners to come up with a system for signage that would make the technology being used even more public for citizens going about their day.

Image courtesy of Sidewalk Labs

Back in 2013, the U.S. Federal Trade Commission called for the development of these types of indicators when it issued a call for mobile privacy disclosures. But that seems to have resulted in companies just drafting reams of jargon-filled disclosures that obscured more than they revealed.

At Sidewalk, the goal is transparency, say the authors of the company’s suggested plan.

“We strongly believe that people should know how and why data is being collected and used in the public realm, and we also believe that design and technology can meaningfully facilitate this understanding. For these reasons, we embarked on a collaborative project to imagine what digital transparency in the public realm could be like,” write Lu and her co-authors, Principal Designer Patrick Keenan and Legal Associate Chelsey Colbert.

As an example, Sidewalk showed off potential designs for signage that would alert people to the presence of the company’s Numina technology.

That tech monitors traffic patterns by recording, anonymizing and transmitting data from sensors, using digital recording and software that tracks movement in an area. The sensors are installed on light poles and transmit data wirelessly.

At the very least, the technology can’t be any worse than the innocuously intended cameras that already monitor public spaces (and can easily be turned into surveillance tools).

The hexagonal designs indicate the purpose of the technology, the company deploying it, the reason for its use and whether or not the tech is collecting sensitive information, and carry a QR code that can be scanned to find out more.

The issue with experiments like these in the public sphere is that there’s no easy way to opt out of them. Sidewalk Labs’ Toronto project is both an astounding feat of design and the apotheosis of surveillance capitalism.

Once these decisions are made to cede public space to the private sector, or sacrifice privacy for security (or simply better information about a location for the sake of convenience) they’re somewhat difficult to unwind. As with most of the salient issues with technology today, it’s about unintended consequences.

Information about a technology’s deployment isn’t enough if the relevant parties haven’t thought through the ramifications of that technology’s use.

Security flaw in French government messaging app exposed confidential conversations

The French government just launched its own messaging app called Tchap in order to protect conversations from hackers, private companies and foreign entities. But Elliot Alderson, also known as Baptiste Robert, immediately found a security flaw. He was able to create an account even though the service is supposed to be restricted to government officials.

Tchap wasn’t built from scratch. The DINSIC, France’s government agency in charge of all things digital, forked an open source project called Riot, which is based on an open source protocol called Matrix.

In a few words, Matrix is a messaging protocol that features end-to-end encryption. It competes with other protocols, such as the Signal Protocol that is widely used by consumer apps, such as WhatsApp, Signal, Messenger’s secret conversations and Google Allo’s incognito conversations — Messenger and Allo conversations aren’t end-to-end encrypted by default.

Riot is a Matrix client that works on desktop and mobile. You can join rooms, start private conversations, share photos and do everything you’d expect from a modern messaging app. Here’s what it looks like:

Developing Tchap became essential as Emmanuel Macron’s campaign team relied heavily on Telegram — the French government still uses Telegram and WhatsApp for many sensitive conversations. By default, Telegram doesn’t use end-to-end encryption. In other words, people working for Telegram could easily read Macron’s conversations. It’s a serious security weakness.

Similarly, you don’t want the Ministry of Defense to use Slack to talk about sensitive operations. The U.S. government could potentially issue a warrant to access those conversations on Slack’s servers.

Tchap features end-to-end encryption, and encrypted messages are stored on French servers. Access is restricted to government officials as you need to have an active email address that ends in @something.gouv.fr, or in @elysee.fr.

Yesterday, Alderson found out that you can create an account and access public channels even if you don’t have an official address. Adding @elysee.fr at the end of his email address was enough to receive the confirmation email to his real email address.

Alderson quickly disclosed the bug to the Matrix team. Matrix quickly issued a fix and deployed it. It was related to the identification system used by the French government.

According to Alderson, there’s a bug in the parsing method used in a well-known Python module. The bug hasn’t been fixed since July 2018.
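The bug described above is a mismatch between two views of the same string: the signup gate checks what the address ends with, while the mailer parses out an address and drops the rest. The following is an added illustration of that pattern and its fix, not Tchap’s or Matrix’s own code; the allowed domains come from the article, and `lenient_recipient` is a constructed stand-in for a lenient parser rather than any particular library.

```python
import re

# Domains the article says Tchap restricts signup to: any address under
# gouv.fr, or an address at elysee.fr itself.
ALLOWED_EXACT = {"elysee.fr"}
ALLOWED_PARENT = {"gouv.fr"}

# Assumed, deliberately simple address grammar: one local part, one '@',
# one dotted domain. A real deployment would use a vetted validator.
_STRICT_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def weak_is_allowed(raw: str) -> bool:
    """Suffix check on the raw, unparsed string. This is the bypassable
    pattern: 'alice@example.org@elysee.fr' ends with '@elysee.fr' and passes."""
    s = raw.strip().lower()
    if any(s.endswith("@" + d) for d in ALLOWED_EXACT):
        return True
    return any(s.endswith("." + d) for d in ALLOWED_PARENT)


def lenient_recipient(raw: str) -> str:
    """Stand-in for a lenient address parser that keeps the first
    address-like token and silently drops whatever follows it. Constructed
    for this example; it is not the parser of any particular library."""
    m = re.search(r"[^@\s<>]+@[^@\s<>]+", raw)
    return m.group(0).lower() if m else ""


def strict_is_allowed(raw: str) -> bool:
    """Parse once, strictly, and compare the whole domain: either an exact
    allowed domain or a proper subdomain of an allowed parent."""
    s = raw.strip().lower()
    if s.count("@") != 1 or not _STRICT_ADDR.match(s):
        return False
    domain = s.rsplit("@", 1)[1]
    if domain in ALLOWED_EXACT:
        return True
    return any(domain.endswith("." + parent) for parent in ALLOWED_PARENT)


def signup_decision(raw: str, check) -> tuple:
    """Model of the signup flow: `check` gates the request, and the
    confirmation mail goes to whatever the mailer's parser extracts.
    Returns (accepted, recipient)."""
    if not check(raw):
        return (False, "")
    return (True, lenient_recipient(raw))


if __name__ == "__main__":
    crafted = "alice@example.org@elysee.fr"
    print("weak  :", signup_decision(crafted, weak_is_allowed))    # (True, 'alice@example.org')
    print("strict:", signup_decision(crafted, strict_is_allowed))  # (False, '')
```

The fix is to parse the address exactly once and make every later step, including the mailer, use that parsed value rather than re-interpreting the raw string.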

The good news is that Tchap is officially launching today. The DINSIC managed to fix this security flaw just in time, before the official launch and before somebody could exploit it. In its press release, the government says that the DINSIC will launch a bug bounty program to identify other vulnerabilities.

Russians hacked ‘at least one’ Florida county prior to 2016 election

Russian operatives successfully targeted and hacked “at least one” Florida county government in the run up to the 2016 U.S. presidential election, according to new findings by the Special Counsel Robert Mueller.

The report, published Thursday by the Justice Department, said the county was targeted by the Russian intelligence service, known as the GRU. The hackers sent spearphishing emails to more than 120 email accounts used by county officials responsible for administering the election, the report said.

According to the findings:

In August 2016, GRU officers targeted employees of [REDACTED], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network… the spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.

The findings are a significant development from previous reporting that said Florida’s election systems were merely targets of the Russian operatives.

Sen. Bill Nelson (D-FL) was derided after he claimed just days before his eventual re-election that hackers had gained access to the state’s election systems. According to NBC News, some of Nelson’s assertions were based on classified information that was not yet public.

Nelson’s remarks came almost a year after The Intercept published a classified document — later discovered to have been sent by since-jailed NSA whistleblower Reality Winner — showing that intelligence pointed to a concerted effort by the GRU to target election infrastructure. The NSA said the hackers sent emails impersonating voting technology company VR Systems to state government officials.

The Orlando Sentinel confirmed Thursday, following the release of Mueller’s report, that Volusia County was sent infected emails containing malware, suggesting Volusia County — north of Orlando — may have been the target.

Mueller’s report confirmed that the FBI investigated the incident.

The office of Florida’s secretary of state said that Florida’s voter registration system “was and remains secure,” and “official results or vote tallies were not changed.”

Two years later, following the 2018 midterm elections, the Justice Department and Homeland Security said there was “no evidence” of vote hacking or tampering.

Mueller says use of encrypted messaging stalled some lines of inquiry

A single paragraph in the Mueller report out Thursday offers an interesting look into how the Special Counsel’s investigation came head-to-head with associates of President Trump who used encrypted and ephemeral messaging to hide their activities.

From the report:

Further, the Office learned that some of the individuals we interviewed or whose conduct we investigated — including some associated with the Trump Campaign — deleted relevant communications or communicated during the relevant period using applications that feature encryption or that do not provide for long-term retention of data or communications records. In such cases, the Office was not able to corroborate witness statements through comparison to contemporaneous communications or fully question witnesses about statements that appeared inconsistent with other known facts.

The report didn’t spell out specifics of whom or why, but clearly Mueller wasn’t happy. He was talking about encrypted messaging apps that also delete conversation histories over a period of time. Apps like Signal and WhatsApp are popular for this exact reason — you can communicate securely and wipe any trace after the fact.

Clearly, some of Trump’s associates knew better.

But where prosecutors who have faced similar setbacks with individuals using encrypted messaging apps to hide their tracks have often attacked tech companies for building the secure apps, Mueller did not. He just stated a fact and left it at that.

For years, police and law enforcement have lobbied against encryption because they say it hinders investigations. More and more, apps are using end-to-end encryption — where the data is scrambled from one device to another — so that even the tech companies can’t read their users’ messages. But just as criminals use encrypted messaging for bad, ordinary people use encrypted messaging to keep their conversations private.

According to the report, it wasn’t just those on the campaign trail. The hackers associated with the Russian government and WikiLeaks, both of which were in contact following the breaches on Hillary Clinton’s campaign and the Democratic National Committee, took efforts to “hide their communications.”

Not all of Trump’s associates have fared so well over the years.

Michael Cohen, Trump’s former personal attorney, learned the hard way that encrypted messaging apps are all good and well — unless someone has your phone. Federal agents seized Cohen’s BlackBerry, allowing prosecutors to recover streams of WhatsApp and Telegram chats with Trump’s former campaign chief Paul Manafort.

Manafort, the only person jailed as part of the Mueller investigation, also tripped up on an “opsec fail” when prosecutors obtained a warrant to access his backed-up messages stored in iCloud.

Facebook now says its password leak affected ‘millions’ of Instagram users

Facebook has confirmed its password-related security incident last month now affects “millions” of Instagram users, not “tens of thousands” of users as first thought.

The social media giant confirmed the new information in its updated blog post, first published on March 21.

“We discovered additional logs of Instagram passwords being stored in a readable format,” the company said. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”

“Our investigation has determined that these stored passwords were not internally abused or improperly accessed,” the updated post said, but the company still has not said how it made that determination.

The social media giant did not say how many millions were affected, however.

Last month, Facebook admitted it had inadvertently stored “hundreds of millions” of user account passwords in plaintext for years, said to have dated as far back as 2012. The company said the unencrypted passwords were stored in logs accessible to some 2,000 engineers and developers. The data was not leaked outside of the company, however. Facebook still explained how the bug occurred

Facebook posted the update at 10am ET — an hour before the Special Counsel’s report into Russian election interference was published.

We asked the company when it learned of the new scale of the password leak and will update if we hear back.

Chipotle customers are saying their accounts have been hacked

A stream of Chipotle customers have said their accounts have been hacked and are reporting fraudulent orders charged to their credit cards — sometimes totaling hundreds of dollars.

Customers have posted on several Reddit threads complaining of account breaches and many more have tweeted at @ChipotleTweets to alert the fast food giant of the problem. In most cases, orders were put through under a victim’s account and delivered to addresses often not even in the victim’s state.

Many of the customers TechCrunch spoke to in the past two days said they used their Chipotle account password on other sites. Chipotle spokesperson Laurie Schalow told TechCrunch that credential stuffing was to blame: hackers take lists of usernames and passwords from other breached sites and try them against accounts on other services.

But several customers we spoke to said their password was unique to Chipotle. Another customer said they didn’t have an account but ordered through Chipotle’s guest checkout option.

Tweets from Chipotle customers. (Screenshot: TechCrunch)

When we asked Chipotle about this, Schalow said the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers,” and reiterated that the company’s data points to credential stuffing.

It’s a similar set of complaints made by DoorDash customers last year, who said their accounts had been improperly accessed. DoorDash also blamed the account hacks on credential stuffing, but could not explain how some accounts were breached even when users told TechCrunch that they used a unique password on the site.

If credential stuffing is to blame for the Chipotle account breaches, rolling out two-factor authentication would help thwart the automated login process and put an additional barrier between a hacker and a victim’s account.
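Credential stuffing leaves a recognizable trace in login telemetry: one source cycling through many different usernames with a low success rate. As an added example (not Chipotle’s or DoorDash’s code), the detector below runs over constructed audit lines and returns both the flagged sources and the accounts that succeeded from them, which are the ones to lock or force through a password reset; the log format and thresholds are assumptions.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed login-audit lines (not real data) in the assumed format
    '<timestamp> <source_ip> <username> <SUCCESS|FAIL>'."""
    lines = []
    # One source trying 25 different accounts from a breached list; three of
    # them reuse the same password on this site and succeed.
    for i in range(25):
        outcome = "SUCCESS" if i in (3, 11, 19) else "FAIL"
        lines.append(f"2019-04-15T10:{i:02d}:00Z 198.51.100.23 user{i:02d}@example.test {outcome}")
    # A legitimate customer who mistypes once, logs in, and returns later.
    lines += [
        "2019-04-15T12:00:00Z 203.0.113.5 dana@example.test FAIL",
        "2019-04-15T12:00:20Z 203.0.113.5 dana@example.test SUCCESS",
        "2019-04-15T19:30:00Z 203.0.113.5 dana@example.test SUCCESS",
    ]
    return lines


def detect_credential_stuffing(lines, min_attempts=20, min_distinct_users=10,
                               max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames with a low success
    rate. Returns (flagged_ips, compromised_accounts): the accounts that
    succeeded from a flagged source are the likely takeovers."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set(), "hits": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        _ts, ip, user, result = parts
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "SUCCESS":
            s["successes"] += 1
            s["hits"].add(user)

    flagged, compromised = [], set()
    for ip, s in stats.items():
        ratio = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged.append(ip)
            compromised |= s["hits"]
    return sorted(flagged), sorted(compromised)


if __name__ == "__main__":
    ips, accounts = detect_credential_stuffing(build_sample_log())
    print("flagged sources:", ips)          # ['198.51.100.23']
    print("accounts to reset:", accounts)   # three user..@example.test entries
```

Real campaigns spread attempts across many proxies, so per-IP counts are only a starting point; the same statistics keyed by network owner or client fingerprint, plus per-account failure spikes, catch more.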

But when asked if Chipotle has plans to roll out two-factor authentication to protect its customers going forward, spokesperson Schalow declined to comment. “We don’t discuss our security strategies.”

Chipotle reported a data breach in 2017 affecting its 2,250 restaurants. Hackers infected its point-of-sale devices with malware, scraping millions of payment cards from unsuspecting restaurant goers. More than a hundred fast food and restaurant chains were also affected by the same malware infections.

In August, three suspects said to be members of the FIN7 hacking and fraud group were charged with the credit card thefts.

A new state-backed hacker group is hijacking government domains at a phenomenal pace

A few months ago, researchers at Cisco’s Talos cybersecurity unit sounded the alarm after discovering a previously unknown hacker group targeting a core part of the internet’s infrastructure.

Their alarm was heard: FireEye quickly came out with new intelligence warning of a “global” domain name hijacking campaign targeting websites of predominantly Arab governments. The campaign, dubbed “DNSpionage,” rerouted users from a legitimate web address to a malicious server to steal passwords. Homeland Security warned the U.S. government had been targeted, and ICANN, the non-profit charged with keeping the internet’s address book, said the domain name system (DNS) was under an “ongoing and significant” attack and urged domain owners to take action.

Now, Talos researchers say they have found another highly advanced hacker group, likely backed by a nation-state, which they say has targeted 40 government and intelligence agencies, telecom firms and internet giants in 13 countries for more than two years.

“We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage,” said the Talos report out Wednesday, seen by TechCrunch.

The group, which Talos calls “Sea Turtle” — an internal codename that ended up sticking — similarly targets companies by hijacking their DNS. That allows the hackers to point a target’s domain name to a malicious server of their choosing. This clever site-spoofing technique exploits long-known flaws in DNS that can be used to trick unsuspecting corporate victims into turning over their credentials on fake login pages, which the hackers can use for further compromise.

“This is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures,” Craig Williams, director of outreach at Cisco Talos, told TechCrunch.

The hackers first compromise an intended target using spearphishing to get a foothold on the network, then use known exploits to target servers and routers to move laterally and obtain and exfiltrate network-specific passwords. The hackers then use those credentials to target the organization’s DNS registrar by updating its records so that the domain name points away from the IP address of the target’s server to a server controlled by the hackers.

Once the target’s domain points to the malicious server, the hackers can run a man-in-the-middle operation, impersonating login pages and scraping staff usernames and passwords as a way of getting deeper into the network. The hackers also obtained their own HTTPS certificate for the target’s domain from another certificate provider, so the malicious server looked like the real thing.

With the credentials for greater network access in hand, the hackers aim to obtain the target’s SSL certificates used across the corporate network, granting greater visibility into the organization’s operations. The attackers also stole the SSL certificates used in security appliances, like virtual private networks (VPN), which were used to steal credentials to gain access to the organization’s network from outside its walls.

Using this same technique, Talos said the hacker group compromised Netnod, a DNS provider in Sweden that operates one of the 13 root name servers powering the global DNS infrastructure. In February, Netnod confirmed its infrastructure had been hijacked. The successful attack allowed the hackers to steal the passwords of administrators who manage Saudi Arabia’s top-level domain, .sa, suggesting other Saudi-based organizations could be in the group’s crosshairs.

Williams said Talos can “conclusively” link the Sea Turtle hackers to the Netnod attack.

In another case, the hackers gained access to the registrar that manages Armenia’s top-level domains, allowing the group to potentially target any .am domain name.

Talos wouldn’t name the targets of the attacks nor the registrars at risk, citing the risk of further or copycat attacks — and the researchers wouldn’t name the state likely behind the group, instead deferring to the authorities to attribute. But the researchers said Armenia, along with Egypt, Turkey, Sweden, Jordan and the United Arab Emirates, were among the countries where they found victims.

Given the eventual targets included internet and telecom infrastructure companies, foreign ministries, and intelligence agencies in the Middle East and Africa, Williams said the group’s primary motivations are to conduct espionage.

Sea Turtle is “highly capable,” the researchers’ findings said, and the hackers are able to maintain long-term access by using the stolen credentials.

The researchers urged organizations to begin using DNSSEC, which cryptographically signs DNS records and makes them far harder to spoof, and to enable two-factor authentication on the accounts used to manage an organization’s DNS records.
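Beyond DNSSEC and two-factor on the registrar account, the attack chain above (registrar records repointed to an attacker-controlled server, with the chain of trust stripped so the forged answers validate) is something an operator can watch for from the outside. The following is an added example, not Talos’s or any vendor’s tooling: it compares a fresh snapshot of a zone against a recorded baseline and an allowlist of address space the organization owns. The zone names, prefixes and snapshot format are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ZoneSnapshot:
    """What a zone looks like at one point in time: A records per name,
    the NS delegation, and whether the parent publishes a DS (DNSSEC)."""
    a_records: dict          # name -> set of IPv4 address strings
    ns_records: set          # delegation name servers
    dnssec_signed: bool


@dataclass
class Finding:
    severity: str            # "critical" or "warning"
    message: str


def check_drift(baseline: ZoneSnapshot, observed: ZoneSnapshot, owned_prefixes) -> list:
    """Compare an observed snapshot against the operator's baseline and
    report the changes a registrar-level hijack would produce."""
    nets = [ipaddress.ip_network(p) for p in owned_prefixes]
    findings = []

    # A changed delegation means the whole zone is now served by someone else.
    if observed.ns_records != baseline.ns_records:
        findings.append(Finding("critical",
            f"NS delegation changed: {sorted(observed.ns_records)} "
            f"(expected {sorted(baseline.ns_records)})"))

    for name, expected in baseline.a_records.items():
        current = observed.a_records.get(name, set())
        if current != expected:
            findings.append(Finding("critical",
                f"A record for {name} changed: {sorted(current)} (expected {sorted(expected)})"))
        # A new address is doubly suspicious when it lies outside space the org controls.
        for ip in current:
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                findings.append(Finding("critical",
                    f"{name} now resolves to {ip}, outside owned address space"))

    for name in observed.a_records.keys() - baseline.a_records.keys():
        findings.append(Finding("warning", f"unexpected new name {name}"))

    # Removing the DS record is one way to stop validating resolvers rejecting forged answers.
    if baseline.dnssec_signed and not observed.dnssec_signed:
        findings.append(Finding("critical", "DNSSEC chain of trust removed at the parent"))
    return findings


# Constructed sample data using documentation address ranges; not real zones.
OWNED_PREFIXES = ["203.0.113.0/24"]

BASELINE = ZoneSnapshot(
    a_records={"www.ministry.example": {"203.0.113.10"},
               "mail.ministry.example": {"203.0.113.20"}},
    ns_records={"ns1.registrar.example", "ns2.registrar.example"},
    dnssec_signed=True,
)

# Snapshot after the kind of registrar change described in the article:
# mail now points at an address the organization does not own.
HIJACKED = ZoneSnapshot(
    a_records={"www.ministry.example": {"203.0.113.10"},
               "mail.ministry.example": {"198.51.100.7"}},
    ns_records={"ns1.registrar.example", "ns2.registrar.example"},
    dnssec_signed=False,
)


def example_run():
    """Run the drift check over the constructed hijacked snapshot."""
    return check_drift(BASELINE, HIJACKED, OWNED_PREFIXES)


if __name__ == "__main__":
    for f in example_run():
        print(f.severity.upper(), f.message)
```

Snapshots would normally be taken from several vantage points and resolvers, since a registrar-level change is visible everywhere while a poisoned single resolver is not.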

“While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,” the researchers said.

Alsid raises $14.7 million to secure your Active Directory installation

French startup Alsid has raised a $14.7 million funding round (€13 million). The company is working on a security solution to protect your Microsoft Active Directory installation and make sure a hacker can’t access your system.

Idinvest Partners is leading today’s round. Existing investors 360 Capital Partners and Axeleo Capital are also participating.

If you have a corporate laptop or if you access files on your corporate network, chances are your company uses Active Directory. Most companies use this directory service to manage users and their access rights. Whenever you enter your login and password on your corporate laptop, macOS or Windows checks Active Directory to see if you have the rights to use this laptop and various corporate services.

Big companies have a hard time managing this directory. They acquire other companies, merge directories and don’t realize that some users end up with very generous access rights. Hackers take advantage of that.

There are some solutions to scan your directory and fix vulnerabilities, but they require admin access. They create a risk as much as a solution. Alsid has a completely different approach.

“We operate like an employee working remotely. Our system asks a lot of questions to the directory and detects issues,” co-founder and CEO Emmanuel Gras told me in 2017. The company creates a normal user account, connects to your corporate network with a VPN and uses Microsoft’s API to attack your own Active Directory.

Alsid then generates reports with detailed steps to protect a directory. And of course, the company tries to monitor the directory as often as possible. You can deploy Alsid locally or in the cloud.

The company uses a software-as-a-service approach and currently monitors 3 million Active Directory users. Many big companies already use the service, such as Groupe Accor, Orange, Sanofi and Unibail-Rodamco-Westfield.