
Hackers reverse-engineer NSA spying tools and related technology




June 20, 2014


Exactly a year ago, Edward Snowden leaked the NSA's Advanced Network Technology catalog, a complete listing of the hardware and software tools the agency makes available to its agents for its spying activities.

Since then, enterprising security experts have been using the same catalog to build similar tools from low-cost, readily available electronics that anybody can buy.

A team led by Michael Ossmann of Great Scott Gadgets examined the leaked catalog and found that a number of the devices the NSA developed are very simple to recreate.

Ossmann built a simple software-defined radio (SDR) system, based on a Kickstarter project, that is capable of recording and transmitting data from a target PC, and he says the hardware can be bought for $300 or less.

"SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format," he added.

Ossmann said that he was also able to build two devices from the NSA's catalog using little more than a few transistors and a two-inch length of wire as an antenna. One mimics the NSA product Ragemaster, a plug that sits on a computer's monitor cable and broadcasts screen images.

The other is a copy of the Surlyspawn keystroke logger, built at a small fraction (less than 5 percent) of the price the U.S. government is charged for the same thing.

In a presentation at the Hack In The Box conference in Amsterdam last month, Ossmann detailed some of his creations and the methods he and his team used to build them using off-the-shelf components.

Those devices aren't as small as the NSA's hardware, but they are just as effective, he said. The team has now set up a website detailing the spying products they have reverse-engineered, and more details will be given at presentations at the DEFCON hacking conference in Las Vegas in August.

Ossmann's goal isn't to help hackers conduct their own spying operations, nor to make it easier for the government to get low-cost surveillance hardware. While he has developed tools for the federal government, the goal of his project is to help the security industry understand the range of threats it should be protecting against.

"Showing how such devices exploit weaknesses in our systems means we can make them more secure in the future," he added.

In other internet security news

It was revealed this morning that LinkedIn accounts can easily be hijacked through a simple man-in-the-middle (MITM) attack because an SSL stripping vulnerability was not promptly patched.

The security flaw is described as a zero-day vulnerability, and it allows attackers to gain full control of a user's account after the user has logged in via SSL.

An attacker positioned between the user and the service can replace the secure protocol with plain HTTP, gaining access to the account.

User IDs, passwords and all LinkedIn data could then be siphoned off by hackers. All users outside Europe and the United States who had not ticked the box to activate optional HTTPS beyond the login screen were vulnerable to the attack, said Zimperium CEO Zuk Avraham.

"Through a relatively straightforward MITM attack that leverages an SSL stripping technique, hackers can steal a user’s credentials and gain full control of the user’s account," Avraham said.

"We have reached out to LinkedIn six times over the last year to bring this critical security vulnerability to their attention and have urged them to improve their network security, but more than a year after disclosing the security hole they have yet to implement a patch for this vulnerability," he added.

"When the victim types in an email and a password, it’ll be sent over the network in an unencrypted form that can be easily read by any attacker, even the most amateur ones," he stated.

Avraham used his company's hacking tool to demonstrate the attack against his own account. He said accounts could also be accessed at random via the same flaw affecting LinkedIn's mobile app.

He warned that attackers could soil an organization's reputation by breaking into its account and changing details or sending out messages.

LinkedIn has been gradually rolling out full SSL across its websites since December last year and is testing various techniques to handle mixed content and speed up page loading under the tighter security settings, we are told.

LinkedIn did provide us with the following statement about the issues raised by Zimperium: "LinkedIn is committed to protecting the security of our members. In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in the US and the EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default."
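The stripping attack described above only works when the site leaves a foothold: a plain-HTTP page that serves content instead of redirecting, an HTTPS response with no long-lived HSTS header, or a session cookie without the Secure flag, which a stripped HTTP request still carries. The audit below is an added example, not code from the article, Zimperium or LinkedIn; it works on constructed response records so it runs offline, and the six-month HSTS minimum is an assumption to adjust to your own policy.

```python
"""Audit a site's HTTP/HTTPS responses for the conditions that make SSL
stripping work: plain-HTTP pages that serve content instead of redirecting,
HTTPS responses without a long-lived HSTS header, and session cookies that
lack the Secure flag (so a stripped HTTP request still carries them).

Added example; the response records below are constructed, not captured
from LinkedIn or any real site, and nothing here touches the network.
"""
import re
from dataclasses import dataclass

# Assumption: treat anything under six months as too short to protect a
# user who visits rarely; adjust to your own policy.
HSTS_MIN_AGE = 180 * 24 * 3600


@dataclass
class Response:
    scheme: str      # "http" or "https": the scheme the client requested over
    status: int
    headers: list    # list of (name, value); Set-Cookie may repeat


def _headers(resp, name):
    return [v for k, v in resp.headers if k.lower() == name.lower()]


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value or "", re.I)
    return int(m.group(1)) if m else None


def audit(responses):
    """Return a list of findings; an empty list means no stripping foothold found."""
    findings = []
    for r in responses:
        if r.scheme == "http":
            loc = (_headers(r, "Location") or [""])[0]
            redirected = 300 <= r.status < 400 and loc.lower().startswith("https://")
            if not redirected:
                findings.append("plain HTTP served a page instead of redirecting to HTTPS")
            continue
        sts = _headers(r, "Strict-Transport-Security")
        age = hsts_max_age(sts[0]) if sts else None
        if age is None:
            findings.append("HTTPS response lacks Strict-Transport-Security")
        elif age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {age} is below {HSTS_MIN_AGE}")
        for cookie in _headers(r, "Set-Cookie"):
            attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
            if "secure" not in attrs:
                name = cookie.split("=", 1)[0]
                findings.append(f"cookie {name} lacks Secure; it would travel over stripped HTTP")
    return findings


# Constructed: HTTPS only at login, then optional; session cookie not marked Secure.
WEAK_SITE = [
    Response("http", 200, [("Content-Type", "text/html")]),
    Response("https", 200, [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
]

# Constructed: every HTTP request bounced to HTTPS, HSTS for a year, Secure cookie.
HARDENED_SITE = [
    Response("http", 301, [("Location", "https://example.invalid/")]),
    Response("https", 200, [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ]),
]

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit(site) or ["ok"])
```

The weak profile mirrors the situation the article describes (HTTPS at login, optional afterwards): the audit reports the unredirected HTTP page, the missing HSTS header and the non-Secure session cookie, while the hardened profile yields no findings.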

In other internet security news

Thousands of Supermicro baseboard management controllers (BMCs) continue to reveal administrator passwords in clear text after a security patch, described as unsuitable, was not applied by system administrators.

Accessing the machines could be extremely simple for the tech-savvy: vulnerable servers would show up in a network or Shodan scan for port 49152.

Any of the roughly 3,296 exposed BMCs could easily be accessed with the hardware's factory default password, and the world's worst access code, "password", would grant full access to plenty of others.

A baseboard management controller is a component on the motherboard that forms the core of the Intelligent Platform Management Interface (IPMI), which gives system administrators remote access over UDP to monitor the physical state of a machine.

In 2013, H.D. Moore of Metasploit fame warned that Supermicro had a security issue. The fixes weren't very effective, leaving Carinet Security Incident Response Team security engineer Zachary Wikholm blown away by the Supermicro security flaw.

"This simply means that as of this writing, there are 31,964 systems that have their passwords available on the open market," Wikholm wrote on web host Carinet's security incident response team's blog.

The issue was also noted by Tony Carothers of the SANS Internet Storm Centre, which verified the flaw.

"The security vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152," Carothers said.

"One of our team has tested this security vulnerability, and it works very well."

Admins would need to reflash their systems with a new IPMI BIOS issued by Supermicro as a fix, but this was not possible for some system admins, Wikholm said.

He offered an alternative work-around that he said did the trick for those unable to reflash.

The Shodan scan, run by the site's proprietor John Matherly, returned 9.8 million replies to HTTP GET requests from a scattering of devices listening on port 49152, many of which ran embedded Linux and broadcast their kernel version and hardware architecture.

Some 6.4 million of these were AT&T U-verse media boxes and did not expose critical data.

For the Supermicro controller subset, information on kernel versions could be matched against Shodan to help identify embedded host information.

Many of the total pool ran old Linux kernel versions: 23,380 ran kernel 2.4.31.x, 112,883 ran 2.4.30.x, and 710,046 ran 2.4.19.x.

The news follows revelations last week that 207,000 BMCs exposed to the public internet could be exploited via a handful of basic configuration and protocol weaknesses.

Worse, access to a BMC let attackers compromise the host server as well as other BMCs in its management group that shared common passwords, the researchers said at the time.
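The common thread of the Supermicro story is that the BMC's management ports were reachable from the open internet at all. A defender's first check is therefore whether anything outside the management network ever reaches those ports. The detector below is an added example, not from the article or any vendor: the flow records are constructed, the management subnet is an assumption, and the "proto src dst dport" record format is a simplification rather than any real exporter's layout. Port 49152/tcp is the one named in the article; 623/udp is the standard IPMI RMCP+ port over which BMCs are managed remotely.

```python
"""Flag inbound traffic to BMC/IPMI ports from hosts outside the management
network. Added example, not from the article or any vendor: the flow records
are constructed, the management subnet is an assumption, and the record
format is a simplified "proto src dst dport" line rather than any real
exporter's layout.
"""
import ipaddress

# Assumption: IPMI administration is only ever done from this subnet.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# 49152/tcp is the port named in the article; 623/udp is the standard IPMI
# RMCP+ port over which the BMC is managed remotely.
BMC_PORTS = {("tcp", 49152), ("udp", 623)}

# Constructed flow log: proto source destination destination-port
SAMPLE_FLOWS = """\
tcp 10.10.0.5 10.20.1.7 49152
tcp 203.0.113.9 10.20.1.7 49152
udp 198.51.100.23 10.20.1.8 623
tcp 10.10.0.5 10.20.1.9 443
udp 10.10.0.6 10.20.1.8 623
"""


def parse_flows(text):
    """Yield (proto, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        proto, src, dst, dport = parts
        yield proto.lower(), src, dst, int(dport)


def unexpected_bmc_access(text):
    """Return flows that reach a BMC port from outside the management subnet."""
    alerts = []
    for proto, src, dst, dport in parse_flows(text):
        if (proto, dport) not in BMC_PORTS:
            continue
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in MGMT_NETS):
            alerts.append((proto, src, dst, dport))
    return alerts


if __name__ == "__main__":
    for proto, src, dst, dport in unexpected_bmc_access(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}:{dport}/{proto} (not a management host)")
```

Any alert here means a BMC is reachable from where it should not be; the fix is a firewall rule or a dedicated management VLAN, not just a patched firmware, because the article's point is that many of these controllers never got reflashed.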

In other internet security news

Dell said today that hackers have made a staggering US $620,000 in the Dogecoin crypto-currency by exploiting vulnerable Synology network-attached storage (NAS) servers.

The clever attackers pulled off the largest heist of its kind so far by planting mining software on the NAS servers to 'borrow' their computational power.

Several NAS models now ship with powerful multi-core CPUs that are capable of mining such coins.

Several unpatched Synology servers were infected and continued to mine Dogecoins for the assailants, according to Dell.

It took just two months for the attackers to accrue 500 million coins worth US $620,000, Dell Secureworks researcher Pat Litke wrote in a blog post.

"To this date, this incident is the single most profitable, illegitimate mining operation," Litke wrote.

"This conclusion is based in part on prior investigations and research done by Secureworks, as well as further searching of the internet," he added.

Secureworks' analysis suggests that an experienced hacker, likely of German descent and using the alias Folio, was behind the Dogecoin mining spree, and that he could just as well have mined Bitcoins instead.

In a brazen stunt, Folio stored the mining software in a folder labelled PWNED, a move that could have foiled the plan earlier had the forum warnings been picked up by the press.

Users first reported the attacks on web forums in February after noticing the folder and a drop in NAS performance due to the resource-intensive, non-authorized mining operation.

Worse, users remained exposed to a string of even more dangerous attacks because Synology NAS units had been exposed for five months to very serious security issues within the Linux-based DiskStation Manager.

These included unauthenticated remote file downloading and a command-injection security flaw.

Vulnerable servers could be found with nothing more than an advanced Google search (Google dorking) using keywords that drop attackers right into exposed Synology NAS units.

"Back in October of 2013, simply Googling for '' resulted in excess of one million results. By going to '', the user is routed directly to their NAS," Litke said.

Over time, awareness of the security flaws grew, and by March of this year the SANS Internet Storm Centre reported a huge spike in scans against port 5000, the default listening port for Synology NAS units.

We approached Synology for comment, but the company had not replied as this article was published.
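Users noticed the Synology infection from two symptoms the article mentions: a strange folder named PWNED and a drop in NAS performance. Those same symptoms translate directly into a process-listing check an administrator can run on any Linux-based NAS. The script below is an added example, not Dell Secureworks' or Synology's code; the process listing is constructed, and the list of trusted binary directories is an assumption about where DiskStation Manager keeps its own programs.

```python
"""Hunt for an unauthorised miner on a Linux-based NAS from a process
listing: a binary running from a temp, hidden or oddly named directory
(the article's miner sat in a folder called PWNED), a mining-pool URL on
the command line, and sustained high CPU use.

Added example, not Dell Secureworks' or Synology's code. The process
listing is constructed, and the trusted-path list is an assumption about
where DSM keeps its own binaries.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ps -eo pid,pcpu,args` output, not taken from a real device.
SAMPLE_PS = """\
  PID %CPU COMMAND
    1  0.0 /sbin/init
  812  0.3 /usr/syno/sbin/synoscgi
 2291 97.5 /volume1/@tmp/PWNED/minerd -o stratum+tcp://pool.example:3333 -u DXXXX
 2300  0.1 /usr/sbin/sshd -D
 3105 88.2 /var/tmp/.x/kthreadd
"""

# Assumption: the directories DSM's own binaries live in.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/syno/")
CPU_THRESHOLD = 50.0
ODD_PATH_RE = re.compile(r"PWNED|/tmp/|/\.\w", re.I)   # temp or hidden directories


@dataclass
class Finding:
    pid: int
    cpu: float
    exe: str
    reasons: tuple


def parse_ps(text):
    """Parse the header-prefixed listing into (pid, cpu, args) tuples."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, args = parts
        procs.append((int(pid), float(cpu), args))
    return procs


def find_suspect_miners(ps_text):
    """Return Findings for processes with at least two indicators, or a pool URL."""
    findings = []
    for pid, cpu, args in parse_ps(ps_text):
        exe = args.split()[0]
        reasons = []
        if ODD_PATH_RE.search(exe):
            reasons.append("binary in temp or hidden directory")
        if not exe.startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside trusted system directories")
        if "stratum" in args.lower():
            reasons.append("mining pool URL on command line")
        if cpu >= CPU_THRESHOLD:
            reasons.append(f"CPU {cpu}% at or above {CPU_THRESHOLD}%")
        # CPU alone is not enough: a legitimate backup or indexing job is busy too.
        if len(reasons) >= 2 or any(r.startswith("mining") for r in reasons):
            findings.append(Finding(pid, cpu, exe, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_suspect_miners(SAMPLE_PS):
        print(f"PID {f.pid} ({f.exe}, {f.cpu}% CPU): " + "; ".join(f.reasons))
```

The second constructed process, named after a kernel thread but running from a hidden directory under /var/tmp, shows why the check keys on the binary's path and not only its name; real kernel threads have no on-disk executable path at all. A hit should be followed by patching DiskStation Manager, since the article notes the miner was only the most visible of the exposed flaws.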

In other internet security news

Internet security startup company G-Data is warning users about its discovery of malware that is shipping preinstalled on some Chinese smartphones.

The German research firm said that it followed up on customer tips to study the Star N-9500 mobile phone.

The handsets, sold on eBay and many other online retail sites, are said to primarily be shipped out of China, and can be loosely described as a clone of the Samsung Galaxy S4.

While G-Data said that it has been unable to track down the company behind the N-9500, the security company still believes that one or more organizations are selling the smartphones new with malware bundled in.

G-Data said in its report that researchers have spotted a spyware bundle on handsets being offered for sale in Europe at costs ranging from €130 to €165.

The Android handsets were found to contain a fake copy of the Google Play application and the Uupay Android trojan installed directly in the handset's firmware.

Researchers believe that the malware performs a number of basic spyware functions such as listening in on phone and SMS conversations, reading email messages, and collecting mobile browsing information and account data.

G-Data reported that the infected handset it reviewed was uploading user information to a server in China, though the location of the person(s) actually extracting the data was not known at this time.



Source: Michael Ossmann.



