
Friday, 18 January 2019

Independent Investigation into the 773 Million Records - "Collection #1"

On 17 January 2019, media reports covered an article posted by Troy Hunt describing a huge trove of data, nearly 773 million unique email addresses, exposed in an 87GB archive. On the same day, Brian Krebs posted an article stating that the 773 million password "Megabreach" was most likely old data.

So on the night of 18 January, I started to conduct my own research and investigation to find out more about this Megabreach. Using the screenshot of the database trove posted on Troy Hunt's website, I decided to start digging...

Screenshot of the 'archive' posted on Troyhunt.com

Taking some of the text in the screenshot, I found that many of the domains listed in the screenshot were also listed in a file called "dumplist.txt" posted on 28 September 2018.

Thousands of 'hacked DB' dumps. No data, just the names of the dumps.

According to Troy Hunt, he was directed to a post on a well-known hacking forum, which was where the screenshot was taken from. I was able to find the forum, and I believe this was the forum Troy Hunt was referred to.

Posted on a forum known for hacking, cracking and even advertising hacked DBs

Upon further inspection of the screenshot/post, I noticed the naming convention was quite interesting and realized that this was most likely copied and pasted from dumplist.txt. Two samples of the similarities are highlighted below:

Same naming convention and structure

Troy Hunt also posted the list of "allegedly hacked databases" amounting to over 2000 'DBs' on Pastebin: https://pastebin.com/UsxU4gXA

While cross-referencing Troy Hunt's list against dumplist.txt, and confirming my view that some (or most) of the hacked DBs were listed in dumplist.txt using the exact same naming convention, mirrored word for word, I also identified a Pastebin paste that has most of these DBs listed in its content.

Posted on 29 August 2018

A total of 8301 presumably hacked DBs

This list not only has the same naming convention but also contains over 8000 allegedly hacked DBs. This list, however, was posted on 29 August 2018!

According to Troy Hunt and Brian Krebs, the data in Collection #1 is a compilation of previous data breaches, advertised as a 'new' database for sale. I took the liberty of researching some of the sample 'hacked' DBs to identify whether these DBs were indeed not new. To achieve this, I cross-referenced a hacked DB from the latest Pastebin list (posted by Troy Hunt) against the contents of the 2018 posts.

Using kabarindonesia[.]com as a sample

For this particular example, the hacked DB allegedly belonging to kabarindonesia[.]com was present in all the lists. Additionally, Breach Aware further confirmed that kabarindonesia[.]com was one of the victims of a data breach in early 2018.

kabarindonesia[.]com identified as one of the victims of a past data breach
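The cross-referencing described above can be done mechanically rather than by eye. The script below is an added example (editor's code, not the author's own tooling or data): it normalises each 'hacked DB' file name to its bare domain (lower-case, no leading www., no .txt/.sql extension), then counts how many of the earlier indexes already carried that domain and reports what share of the 'new' index was already circulating. The three lists are constructed placeholders that only imitate the "domain {count} [hash-type]" naming convention seen in the screenshots; apart from kabarindonesia[.]com, the domains are made up, and the percentage printed is for these toy lists, not for Collection #1.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample indexes (NOT the real dumplist.txt, Pastebin paste or
# Collection #1 listing). Entry shapes imitate the "domain {count} [hash-type]"
# convention the post describes; all domains except kabarindonesia.com are placeholders.
DUMPLIST_2018_08 = [
    "kabarindonesia.com {1.1M} [HASH]",
    "forum-alpha.example {350K} [MD5]",
    "shop-beta.example {2.0M} [SHA1+SALT]",
    "gamesite-gamma.example {120K} [PLAIN]",
]
PASTEBIN_2018_09 = [
    "KabarIndonesia.com {1.1M} [HASH]",
    "shop-beta.example.txt",
    "news-delta.example {80K} [MD5]",
]
COLLECTION1_2019_01 = [
    "www.kabarindonesia.com {1.1M} [HASH].txt",
    "forum-alpha.example {350K} [MD5].txt",
    "shop-beta.example {2.0M} [SHA1+SALT].sql",
    "news-delta.example {80K} [MD5].txt",
    "fresh-epsilon.example {500K} [PLAIN].txt",
]

# Leading host name, with an optional "www." that is dropped.
_DOMAIN_RE = re.compile(r"^(?:www\.)?(?P<domain>[a-z0-9][a-z0-9.-]*\.[a-z]{2,})")
# Archive/file extensions commonly tacked onto dump names.
_FILE_EXT_RE = re.compile(r"\.(txt|sql|csv|zip|rar|7z)$")


def normalize_entry(entry: str) -> Optional[str]:
    """Reduce a dump-list entry to its bare domain; None if no domain is found."""
    s = _FILE_EXT_RE.sub("", entry.strip().lower())
    m = _DOMAIN_RE.match(s)
    return m.group("domain") if m else None


def index_domains(entries):
    """Set of normalized domains in one list, skipping lines that do not parse."""
    return {d for d in (normalize_entry(e) for e in entries) if d}


def cross_reference(candidate, *prior_lists):
    """Compare a 'new' dump index against earlier ones.

    Returns the candidate domains already indexed (with how many prior lists
    carried each), the ones never seen before, and the share already circulating.
    """
    cand = index_domains(candidate)
    seen = Counter()
    for prior in prior_lists:
        for d in index_domains(prior):
            if d in cand:
                seen[d] += 1
    already = {d: seen[d] for d in cand if seen[d]}
    new = sorted(cand - set(already))
    share = len(already) / len(cand) if cand else 0.0
    return {"already_indexed": already, "not_seen_before": new, "prior_share": share}


def defang(domain: str) -> str:
    """Neuter a domain for publication, the way the post writes kabarindonesia[.]com."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    report = cross_reference(COLLECTION1_2019_01, DUMPLIST_2018_08, PASTEBIN_2018_09)
    for d, n in sorted(report["already_indexed"].items()):
        print(f"{defang(d):32} seen in {n} earlier list(s)")
    print("not seen in earlier lists:", [defang(d) for d in report["not_seen_before"]])
    print(f"{report['prior_share']:.0%} of the 'new' index was already circulating")
```

Run against real index files (one entry per line), the same three functions give a quick first-pass answer to "is this a fresh breach or a repack?"; a domain turning up in several dated indexes, as kabarindonesia[.]com does in the post, is the signal to go and look for the original breach date.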

Further investigation revealed that the hacking-forum screenshot posted on Troy Hunt's website was not ground zero. I was able to identify a post on a different forum that was selling databases similar to the ones in Collection #1.

A typical advertisement in hacking forums

The list of databases for sale in this advertisement

Upon closer inspection of the data advertised, there appears to be an offering similar to the contents of Collection #1. I assess (with medium confidence) that the data advertised in the forum is possibly also included in the larger Collection #1 data set (right).

Possibly same data, different seller and databases

According to Brian Krebs, his interaction with the seller known as "Sanixer" on Telegram revealed that Collection #1 (87GB) was just one part of a larger 993.36GB (almost 1TB) data dump, which was being sold for just $45!

The Telegram User Sanixer (below right)

While Sanixer was advertising the 1TB of data for $45, I spotted a forum post that was actually giving it away for free! Apparently the forum user was unhappy, claiming that Sanixer was sharing his "Infinity Black Combo" in that storage. In retaliation, he posted links to all of the 1TB of data, which could be accessed for free!

Links to the 1 TB data! 

To make things worse, other forum users were spotted posting links to this data as well. The post below was made on 9 January, and another on 19 January.

Another set of links to the 1 TB data

Another post from a different forum 

For ethical reasons, I did not download any of this content; however, I took screenshots to show what was being offered.

Screenshot of Collection 1

Screenshot of Collection 2

Screenshot of Collection 3

Screenshot of Collection 4

Screenshot of Collection 5

Screenshot of Antipublic 1

Screenshot of Antipublic 2

In conclusion, I believe that most (if not all) of this data is not new but could have been bought or downloaded from existing databases on the deep web. While some researchers and journalists reported this 'breach' as the biggest ever, allow me to remind you of the 1.4 billion credentials leak of 2017 reported by 4iQ, and the Exploit[.]in compilation of over 592 million accounts (leaked databases) in the same year. I have a feeling that this 1TB of data advertised in the underground community is merely a compilation of breaches from previous years up to mid-2018.

Saturday, 24 January 2015

Blackhat Movie Review

Blackhat movie review (with SPOILERS): It's been a while since I did a movie review here, and since this movie is, as its title suggests, about hacking, I think it's wise for me to write a thing or two (well, probably more) about how I feel about it.

Blackhat movie poster

First off, just for general movie knowledge: when this movie was initially scripted there were a lot of protests within the industry about the synopsis, in which the American government works with the Chinese government to tackle a foreign hacker, while in fact there is huge friction between the two in the cyber war arena in the real world (the latter was briefly mentioned in the movie).

The start of the movie was quite cool: we see a hacker hitting the Enter key, and the movie shows the movement of the data in a Matrix-like format from the computer right to its destination, a power plant. I enjoyed the first 10 minutes of the movie as it showed the HMI (Human Machine Interface) of the SCADA system and how it was hijacked. Those who know how Stuxnet works can relate to the movie, since the RAT (remote access trojan) or 'virus' in this movie was probably inspired by the Stuxnet worm (which was able to destroy many nuclear centrifuges, causing them to be replaced and renewed at a cost of millions of dollars). What a huge coincidence that I gave talks about SCADA and power plant security last year.

Power Plant Meltdown from the Blackhat movie


HMI interface for a SCADA system

However, the way things were handled by the US government and the Chinese government (cooperating with each other) was unrealistic. According to the book 'Worm' by Mark Bowden, back when the famous Conficker worm was going on a rampage in the US, affecting millions of computers, the US government did not even bother to take further action, even after being told that Conficker had the ability to start a 'Cyber Pearl Harbor'. So to see the US government providing assistance to the Chinese government was quite far-fetched (but hey, who knows, this movie could entice a possible cooperation between them).

WORM by Mark Bowden

Everything went well until they decided to kill the direction of the movie. I'm not going to comment on this as I was utterly disappointed; it's like watching the latest Transformers scene in China... pointless! Chris Hemsworth, the hacker in the movie, was somehow good at martial arts and even knew how to use a gun better than the villains. (Seriously??? Now I miss Hugh Jackman in Swordfish.)

Swordfish the movie

My verdict: it was all positive hype in the first 30 minutes, then it went totally downhill for the rest. Don't expect a Blackhat vs Blackhat cyber battle or a Die Hard 4.0 kind of vibe. The villains were lame, making the '90s movie Hackers look way better than this.

Tuesday, 2 December 2014

DefCamp - Where Hacking and Security Collide

After completing my talk at BSidesVienna, we went to Budapest for a short getaway before heading to Bucharest, Romania, for DefCamp. The exposure I got from BSidesVienna made me more comfortable and confident speaking at DefCamp.

The venue was about a 20-minute drive from the hotel, and the weather was so cold it was almost minus 2 degrees. We loved it, but of course not for long, because after a while we were shivering. The exterior of the conference hall was quite plain, but once inside we were surprised by the interior design. Greeted by the receptionists (pretty Romanian ladies!), we registered our names and got ourselves a lanyard pass and a bag of goodies. Although there were no T-shirts (something I was expecting), this event had a new thing... a black hat!!! Pretty cool! There were also many free stickers to choose from.

There were about 600 attendees, the majority locals, and of course international speakers from as near as the US to as far as Singapore. We had a great time there. However, despite this being the 5th year in a row for DefCamp, I feel that for such a huge event they could do with some minor improvements that would help future events benefit both speakers and audience.

Some improvements they can tackle:

1) Unlike most big conferences, DefCamp did not have a speakers' corner or a room for speakers to prep, network and test their talks.

2) Most conferences have a tea break/lunch area for speakers. This was not seen at DefCamp. The reason to have one is that, as speakers, we need to rush our coffee/lunch to prepare for our talk, and queuing up with hundreds of attendees definitely has an impact on a speaker, especially when their speaking slot is right after the break/lunch.

3) Having international speakers means a diversity of cultures. Some were vegetarian, some couldn't eat meat and some were hoping to settle for seafood. However, the choices for this handful were limited, so we had to settle for bread and salads. Imagine queuing for 25 minutes and having only these to select from.

4) Most speakers commented that they had to cut down their presentations from the usual 1 hour to 30 minutes, and some were seen rushing towards the end after the 5-minute notice. I can understand the time limit to accommodate all slots in a two-day conference, but perhaps this is something the organizers can look into.

On the positive side,

1) The goodies were great. Like I said, the black hat was unique, and the stickers were cute and plentiful.

2) One of the things that attracted me to this conference was their trailer. If you haven't seen it, check it out here: https://www.youtube.com/watch?v=pu6YTyQvdQ8. The background music that accompanies the video was just awesome.

3) Many conferences do not offer an alternative to a standalone, immovable mic. At DefCamp, speakers could pick either a handheld wireless mic or a headset mic worn over the ear. This choice definitely helps presenters select whichever is more comfortable for them.

4) The presenter screens! Usually a typical conference has a single screen, but DefCamp had 3 huge screens! This was indeed a plus from the organizers, as everyone could see them clearly and the audience seated at the far right or far left could appreciate the visual presentation.

5) The lanyard. I have been to many conferences, some as expensive as US$1000 to attend, that could not provide a professional lanyard. DefCamp's lanyard was impressive. I would say it was so much better, so much more professional, than those at conferences like HITB and Hacker Halted. Organizers need to realize that lanyards are something memorable that the audience can keep; a piece of rubber wrapped around your wrist, or a plain 50-cent lanyard with no sponsor and a cheap printout of your name, at a conference costing over a thousand dollars really shows how far they will go to profit from attendees. Shout out to DefCamp and the BSides conferences for being creative and not cheap in this regard.

The lanyard and the price of the con.


Overall, I enjoyed my time here. I got to meet many speakers and network with local security enthusiasts, exchanging name cards and LinkedIn profiles. It was also my first time seeing Russians, and they (The Balalaika Cr3w) were the winners of the D-CTF challenge, followed by the Romanians. I am confident that DefCamp can, in time, be improved into one of the most focused and biggest conference events in Europe.

Link: www.Defcamp.ro
Facebook Pictures: https://www.facebook.com/DefCampRO
Some pictures: