This Tiny Device Can Infect Point-of-Sale Systems and Unlock Hotel Rooms

Millions of point-of-sale systems and hotel room locks can be hacked by temporarily placing a small, inexpensive device several inches away from their card readers.

The device, due to be presented Sunday at the DEF CON conference in Las Vegas, is the creation of Weston Hecker, a senior security engineer at Rapid7. It was inspired by MagSpoof, another device created last year by security researcher Samy Kamkar.

MagSpoof can trick most standard card readers into believing a certain card was swiped by generating a strong electromagnetic field that simulates the data stored on the card’s magnetic stripe. Kamkar presented it as a way to replace all your cards with a single device, but Hecker took the idea and investigated what else could be done with it.

He started by looking at point-of-sale systems and found that many of them treat the card readers as standard USB human input devices and would therefore also accept keyboard input through them.

Hecker created a device that’s similar to MagSpoof and which, when placed near a card reader, will send malicious keyboard commands that will be executed on the point-of-sale system. This means an attacker could use such a device to remotely open a command prompt on the system and then use it to download and install memory scraping malware through the necessary keyboard commands.

The vulnerability is not vendor specific: according to Hecker, the attack affects most PoS systems that run Windows and are designed to work with a keyboard. This design is popular and such payment systems are widespread.

An attacker would need to place the device within four-and-a-half inches of the reader in order to ensure that there is no interference and packet loss. However, because the device is about the size of a deck of cards, it can be easily hidden in the attacker’s sleeve or in an empty phone case. Then it’s only a matter of creating a situation where the PoS remains unattended for a few seconds, like asking the cashier to summon the manager.

Rapid7 reported the design flaw to US-CERT, which is in the process of identifying and notifying affected vendors. Unfortunately, the flaw will take a long time to fix even if vendors develop a software patch because many PoS devices require manual updating by a technician.

Hecker also found a way to use his device on electronic hotel door locks, which also typically work with magnetic cards. Unlike the PoS attack, where the goal was to infect the system, in the case of hotel door locks, the goal is to brute force the data encoded on the associated key card.

The data on room access cards is not encrypted and consists of a record ID generated by the hotel when a guest checks in, the room number and the check-out date.

The date can be determined or guessed easily because a hotel stay is usually limited to a few days, and the record ID, or folio number, can be brute-forced using Hecker’s device because it’s typically short and is increased sequentially with each new guest. This means that an attacker can have a pretty good idea about the range of numbers to test by reading the data of another card — for example, his own.

Hecker estimates that brute forcing a typical room lock in a hotel with 50 to 100 rooms would take around 18 minutes. Brute forcing a special key, like those used by maids and staff, would take around half an hour.

The nice part, for the attacker, is that he can even leave the device working on the door and be notified on his mobile phone when the correct data combination has been found.

This is another design flaw that seems to affect many vendors, Hecker said. The best fix would be for folio numbers to be made larger and to be assigned randomly to new guests. Adding encryption to the process would be better, but would almost certainly require replacing the existing system with new encryption-capable locks, he said.
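To make the proposed fix concrete, here is an added example (not code from the article or from Hecker’s research) that models the two ways a hotel system might assign the record ID on a key card. Only the record layout (record ID, room number, check-out date) comes from the article; the ID widths, the two issuer classes, the `uncertainty_bits_*` helpers and the guests-per-day figure are assumptions for illustration.

```python
"""Why random, wider record IDs make hotel key cards harder to guess.

Added example, not code from the article or from Hecker's research. Only the
record layout (record ID, room number, check-out date) comes from the article;
the ID widths, the issuer classes and the guests-per-day figure are assumptions.
"""
import math
import secrets
from dataclasses import dataclass
from datetime import date

DEMO_CHECKOUT = date(2016, 8, 7)  # constructed check-out date for the demo


@dataclass(frozen=True)
class KeyRecord:
    """Fields the article says a room key card carries, unencrypted."""
    record_id: int
    room: int
    checkout: date


class SequentialIssuer:
    """The weak scheme the article describes: a short counter bumped per check-in."""

    def __init__(self, start: int = 1000, digits: int = 5):
        self._next = start
        self.digits = digits

    def issue(self, room: int, checkout: date) -> KeyRecord:
        record_id = self._next % (10 ** self.digits)
        self._next += 1
        return KeyRecord(record_id, room, checkout)


class RandomIssuer:
    """The fix the article proposes: a wider ID drawn from a CSPRNG."""

    def __init__(self, bits: int = 64):
        self.bits = bits

    def issue(self, room: int, checkout: date) -> KeyRecord:
        return KeyRecord(secrets.randbits(self.bits), room, checkout)


def uncertainty_bits_sequential(guests_per_day: int, stay_days: int) -> float:
    """With a sequential counter, someone holding one recent card knows the
    target ID lies within roughly guests_per_day * stay_days of their own, so
    the real uncertainty is log2 of that window, whatever the counter width."""
    return math.log2(max(1, guests_per_day * stay_days))


def uncertainty_bits_random(bits: int) -> float:
    """With random IDs, another card reveals nothing: the full width counts."""
    return float(bits)


if __name__ == "__main__":
    seq, rnd = SequentialIssuer(), RandomIssuer()
    print(seq.issue(101, DEMO_CHECKOUT), seq.issue(102, DEMO_CHECKOUT))
    print(rnd.issue(101, DEMO_CHECKOUT))
    print(f"sequential, 20 guests/day, 3-day window: {uncertainty_bits_sequential(20, 3):.1f} bits")
    print(f"random 64-bit: {uncertainty_bits_random(64):.0f} bits")
```

The point the numbers make is the one in the article: a sequential counter leaks most of its width to anyone who has seen a neighbouring card, so widening it alone does little; assigning the ID at random is what removes the shortcut.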



Hackers Accessed Telegram Messaging Accounts in Iran

Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.

The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.

Telegram promotes itself as an ultra secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc’s (FB.O) WhatsApp, say they have similar capabilities.

Headquartered in Berlin, Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic State militant group, as well as in Central and Southeast Asia, and Latin America.

Telegram’s vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to activate new devices. When users want to log on to Telegram from a new phone, the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.

Armed with the codes, the hackers can add new devices to a person’s Telegram account, enabling them to read chat histories as well as new messages.

“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson said in an interview.

Telegram’s reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government, the researchers said.

A spokesman for Telegram said customers can defend against such attacks by not just relying on SMS verification. Telegram allows – though it does not require – customers to create passwords, which can be reset with so-called “recovery” emails.

“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.

Iranian officials were not available to comment. Iran has in the past denied government links to hacking.


The Telegram hackers, the researchers said, belonged to a group known as Rocket Kitten, which used Persian-language references in their code and carried out “a common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus.”

Anderson and Guarnieri declined to comment on whether the hackers were employed by the Iranian government. Other cyber experts have said Rocket Kitten’s attacks were similar to ones attributed to Iran’s powerful Revolutionary Guards.

The researchers said the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.

“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”

The researchers said they also found evidence that the hackers took advantage of a programming interface built into Telegram to identify at least 15 million Iranian phone numbers with Telegram accounts registered to them, as well as the associated user IDs. That information could provide a map of the Iranian user base that could be useful for future attacks and investigations, they said.

“A systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation” has never been exposed before, Guarnieri said.

Ra said Telegram has blocked similar “mapping” attempts in the past and was trying to improve its detection and blocking strategies.

Cyber experts say Iranian hackers have become increasingly sophisticated, able to adapt to evolving social media habits. Rocket Kitten’s targets included members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents, U.S.-Israeli security firm Check Point said last November.


Telegram was founded in 2013 by Pavel Durov, known for starting VKontakte, Russia’s version of Facebook, before fleeing the country under pressure from the government.

While Facebook and Twitter are banned in Iran, Telegram is widely used by groups across the political spectrum. They shared content on Telegram “channels” and urged followers to vote ahead of Iran’s parliamentary elections in February 2016.

Last October, Durov wrote in a post on Twitter that Iranian authorities had demanded the company provide them with “spying and censorship tools.” He said Telegram ignored the request and was blocked for two hours on Oct. 20, 2015.

Ra said the company has not changed its stance on censorship and does not maintain any servers in Iran.

After complaints from Iranian activists, Durov wrote on Twitter in April that people in “troubled countries” should set passwords for added security.

Amir Rashidi, an internet security researcher at the New York-based International Campaign for Human Rights in Iran, has worked with Iranian hacking victims. He said he knew of Telegram users who were spied on even after they had set passwords.

Ra said that in those cases the recovery email had likely been hacked.

Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas on Thursday. Their complete research is set to be published by the Carnegie Endowment for International Peace, a Washington-based think tank, later this year.


200 million Yahoo accounts go up for sale on digital black market

Yahoo users might want to reset their passwords. A hacker claims to have stolen the login information for 200 million Yahoo accounts and is selling them on the black market.

The stolen records are up for sale on TheRealDeal, a darknet marketplace that offers illegal goods. For 3 bitcoins, or US$1,824, anyone can buy them.

The hacker, known as peace_of_mind, has claimed to have previously sold login credentials for LinkedIn and Tumblr users.

In a brief message, peace_of_mind said the Yahoo database came from a Russian group that breached LinkedIn and Tumblr, in addition to MySpace.

In the case of the Yahoo accounts, the database “most likely” comes from 2012, the hacker said. Copies of the stolen Yahoo database have already been bought, peace_of_mind added.

On Monday, Yahoo said it was “aware” that the stolen database was on sale, but it neither confirmed nor denied that the records were real.

“Our security team is working to determine the facts,” the company said in an email.

Back in 2012, Yahoo reported a breach, but of only 450,000 accounts. A hacking group called D33ds Company had claimed responsibility, but Yahoo said that most of the stolen passwords were invalid.

It’s unclear if that hack is connected with this sale of 200 million accounts. Other security researchers have also noticed a Russian hacker known as “the Collector” selling tens of millions of email logins from Yahoo, Gmail and Hotmail.

Peace_of_mind has posted a sample of the stolen Yahoo database, which includes user email addresses, along with passwords that have been hashed using the MD5 algorithm.

Because the hashes are plain, unsalted MD5, those passwords could easily be cracked using one of the MD5 lookup tools available online. The database also contains backup email addresses, as well as the users’ birth dates.
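The following added example (not part of the article, and not a description of how Yahoo stored anything) shows why unsalted MD5 gives so little protection and what a password store should do instead. The dump lines and the wordlist are constructed; the `hash_password`/`verify_password` functions, the storage format and the iteration count are assumptions.

```python
"""Unsalted MD5 versus a salted, iterated password hash.

Added example, not part of the article. The dump lines and wordlist are
constructed for illustration; no real Yahoo data is involved. The
hash_password/verify_password functions and the iteration count are
assumptions about how a store should be built, not a description of Yahoo's.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape the article describes: email, MD5(password).
SAMPLE_DUMP: List[Tuple[str, str]] = [
    ("alice@example.com", hashlib.md5(b"password123").hexdigest()),
    ("bob@example.com", hashlib.md5(b"letmein").hexdigest()),
    ("carol@example.com", hashlib.md5(b"password123").hexdigest()),
]

# A tiny constructed wordlist standing in for the large precomputed MD5
# tables the article alludes to.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def lookup_unsalted_md5(dump: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Without a salt, one table of MD5(word) serves every record in the dump:
    the cost is one hash per word in total, not per user, and identical
    passwords show up as identical digests (compare alice and carol)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table.get(digest) for email, digest in dump}


PBKDF2_ITERATIONS = 600_000  # assumption: a present-day work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh 16-byte salt per user defeats shared
    tables, and the iteration count makes every guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(lookup_unsalted_md5(SAMPLE_DUMP, WORDLIST))
    stored = hash_password("password123")
    print(stored)
    print(verify_password("password123", stored), verify_password("letmein", stored))
```

Two properties are worth noticing when running it: alice and carol share an MD5 digest, so one table hit recovers both, whereas two PBKDF2 hashes of the same password differ because each carries its own salt, and each verification costs the full iteration count.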

IDG News Service tried several email addresses from the stolen records and noticed that Yahoo’s login page recognized them and then asked for a password. However, other email addresses were no longer valid.

Although Yahoo hasn’t confirmed the breach, users should still change their passwords, said Adam Levin, chairman of security firm IDT911, in an email.

In addition, users should make sure they aren’t using the same passwords across Internet accounts, he added.



North Korea Stole Data of Millions of Online Consumers

The South Korean police said on Thursday that the North’s main intelligence agency had stolen the personal data of more than 10 million customers of an online shopping mall in the South, in what they said was an attempt to obtain foreign currency.

The online mall, Interpark, was subjected in May to an online attack on a server that contained customers’ names, email addresses, telephone numbers and other personal data, the National Police Agency said.

Interpark did not learn about the breach until July 11, when it received an anonymous message threatening to publicize the leak of personal data unless it paid the equivalent of $2.6 billion in South Korea’s currency, the won. After the attack was reported, thousands of Interpark customers threatened to sue for damages. Most of the customers whose data was stolen were South Koreans.

On Thursday, the National Police Agency attributed the attack to the General Bureau of Reconnaissance, North Korea’s main spy agency. It said the intrusion had used some of the same code and internet protocol addresses as in previous digital breaches attributed to the North.

The message sent to Interpark also used vocabulary specific to the North Korean dialect, the police agency said. The United States blacklisted the General Bureau of Reconnaissance after North Korean hackers were accused of breaking into the computer network of Sony Pictures in 2014.

It was unclear on Thursday whether, or how, the hackers had exploited the stolen data, other than in their effort at blackmail. But it showed that the North, whose access to hard currency has been hampered by sanctions over its nuclear arms program, was “using computer hacking technology to try to steal our people’s property in a criminal act of earning foreign currency,” the police said in a statement.

South Korea has blamed the North for a number of online attacks on banks, government websites and media companies since 2008. In March, its intelligence agency told lawmakers that North Korea had broken into the mobile phones of 40 national security officials. The North denied that accusation.

In May, researchers working for the digital security firm Symantec said that they had found a potential link between North Korea and a recent spate of digital breaches of Asian banks, including one against the central bank of Bangladesh in February that resulted in the theft of more than $81 million. They said the intrusions appeared to be the first known case of a nation using digital attacks for financial gain.



Democratic Fund-Raising Group for US Congress Candidates Confirms Hack

A committee that raises money for Democratic candidates for the U.S. House of Representatives confirmed on Friday it had been hacked in an intrusion possibly linked to Russian hackers, similar to an earlier breach targeting another Democratic Party group.

In an incident that escalated concerns about the potential for Russian meddling in U.S. politics, Reuters first reported on Thursday that the U.S. Federal Bureau of Investigation is probing the hack at the Democratic Congressional Campaign Committee, or DCCC.

The intrusion took place from at least June 19 to June 27, though it may have been longer, according to analysis conducted by U.S. network security company FireEye.

The committee said in a statement it has hired cyber security firm CrowdStrike to investigate. “We have taken and are continuing to take steps to enhance the security of our network,” the committee said. “We are cooperating with federal law enforcement with respect to their ongoing investigation.”

The DCCC hack may be related to an earlier hack against the Democratic National Committee, which raises money and sets strategy for Democratic candidates nationwide. The DNC and DCCC occupy the same office building in Washington.

Potential links to Russian hackers in both incidents were likely to heighten accusations, so far unproven, that Moscow is trying to meddle in the U.S. presidential election campaign to help Republican nominee Donald Trump.

The Kremlin denied involvement in the DNC cyber attack.

In June, a bogus website was registered with a name resembling a DCCC donation site. For some time, donation-related internet traffic that was supposed to go to a donation-processing firm instead went to the fake site.

The DCCC intrusion may have been used to compromise the computer systems of donors who visited the spoof site, rather than to collect their personal information, said John Hultquist, manager of cyber espionage analysis at FireEye.

Several major Democratic donors contacted by Reuters on Friday said they had not been notified of the hack and were not concerned about their information being accessed.

“I’m less concerned about that than I am about my Amex being hacked,” said John Morgan, 60, a Florida attorney.

Cindy Miscikowski, 68, a California donor, said she would be upset if hackers got her bank information, but otherwise she was not worried because donations are disclosed publicly.


The time frame of the DCCC hack would place it days after the DNC went public with its breach and said the hackers had been kicked out of its systems.

Sources said the numerical Internet address of the spurious DCCC site resembled one used by a Russian government-linked hacking group, one of two suspected in the DNC breach.

Rich Barger, co-founder of security intelligence firm ThreatConnect Inc, said his analysis of the fake donation site tied it to the group linked to Russian military intelligence.

He said the web domain name was set up through a service that accepts bitcoin, with a contact email address that had been used to set up websites involved in a major German hack, which also was attributed to the Russian group.

Cyber experts and U.S. officials said this week there was evidence that Russia engineered the DNC hack to release sensitive party emails and influence U.S. politics.

The DNC hack raised concerns among Democrats at the party’s convention in Philadelphia, where Hillary Clinton was nominated as the party’s candidate in the Nov. 8 presidential election.

The new hack at the DCCC could add pressure on the Obama administration to make a public accusation or retaliate. The Justice Department and other agencies have said it is important for deterrence to “name and shame” cyber adversaries.

“Any efforts on a nation state’s part to interfere with U.S. politics through cyber attacks would appear to cross a line that would demand a response from the U.S. government,” said D.J. Rosenthal, a former Justice Department and National Security Council official.

A former White House official, speaking on condition of anonymity, said any formal accusation would require overwhelmingly certain evidence.

Staffers for the Republican National Committee and the Democratic Senatorial Campaign Committee said separately that those campaign organizing groups had not been hacked.



Osram ‘Smart Light’ Bugs Could Allow Corporate Wi-Fi Access

Security researchers have revealed several major vulnerabilities in Osram Lightify smart lighting systems which could allow remote hackers to launch browser-based attacks and even access corporate networks.

Osram, which sells both Home and Pro products, claims it agreed to testing of its Lightify products by Rapid7.

One of the most serious of the nine vulnerabilities discovered by Rapid7 research lead, Deral Heiland, is a cross-site scripting flaw in the web management interface of the Pro product which could allow an attacker to launch browser-based attacks.

“This vulnerability allows a malicious actor to inject persistent JavaScript and HTML code into various fields within the Pro web management interface. When this data is viewed within the web console, the injected code will execute within the context of the authenticated user,” explained the firm in a blog post.

“As a result, a malicious actor can inject code which could modify the system configuration, exfiltrate or alter stored data, or take control of the product in order to launch browser-based attacks against the authenticated user’s workstation.”
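As an added illustration (not code from Osram Lightify or from Rapid7’s report), the block below shows the pattern behind a persistent XSS of this kind and its two-layer fix: a stored field interpolated straight into the console’s HTML, beside the same rendering with output encoding, plus an allowlist applied when the value is saved. The device-name field, the `render_device_row_*` functions and `validate_name` are hypothetical stand-ins for the Pro interface fields the article mentions.

```python
"""Persistent XSS in a management console: vulnerable rendering beside the fix.

Added example, not code from Osram Lightify or from Rapid7's report. The
device-name field, the render_device_row_* functions and validate_name are
hypothetical stand-ins for the console fields the article mentions.
"""
import html
import re

# Constructed value of the kind the article describes: markup saved into a
# field and later displayed, unchanged, to an authenticated user.
HOSTILE_NAME = "<script>alert(1)</script>"
BENIGN_NAME = "Lobby lamp 3"

# Assumption: device names are short and drawn from a narrow character set.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def render_device_row_vulnerable(name: str) -> str:
    """Stored value interpolated straight into HTML: whatever was saved is
    interpreted by the console user's browser."""
    return f"<tr><td>{name}</td></tr>"


def render_device_row_fixed(name: str) -> str:
    """Output encoding at the point of rendering: the browser displays the
    text instead of treating it as markup."""
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


def validate_name(name: str) -> bool:
    """Defense in depth at the point of storage: reject values outside the
    allowlist so hostile markup never reaches the database at all."""
    return NAME_RE.fullmatch(name) is not None


def renders_safely(rendered: str) -> bool:
    """Crude check used by the demo: no raw angle bracket may survive in the cell."""
    cell = rendered[len("<tr><td>"):-len("</td></tr>")]
    return "<" not in cell and ">" not in cell


if __name__ == "__main__":
    for name in (BENIGN_NAME, HOSTILE_NAME):
        print("validate:", validate_name(name))
        print("vulnerable:", render_device_row_vulnerable(name))
        print("fixed:     ", render_device_row_fixed(name))
```

Encoding on output is the fix that closes the hole; the allowlist on input is cheap extra insurance, and is not a substitute, because the same stored value may be rendered in other places (logs, exports, a mobile app) that the allowlist author never considered.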

Another potentially dangerous vulnerability is CVE-2016-5056, which could allow remote attackers to access corporate wireless networks and from there go on to attack high value resources.

The problem lies with the system’s use of weak default WPA2 pre-shared keys (PSKs) – using only an eight-character PSK and only drawing from “0123456789abcdef.”

Rapid7 was able to crack the PSK in less than six hours, and in one case under three hours, gaining access to the cleartext WPA2 PSK.
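The added example below (not from Rapid7’s report or from Osram’s firmware) puts a number on the weakness and shows what a vendor could ship instead. It goes slightly beyond the page: it estimates the guessing work for any PSK, not just the eight-character hexadecimal default the article describes. The `psk_bits`/`assess_psk` functions, the 80-bit threshold and `generate_psk` are assumptions for illustration.

```python
"""Estimating WPA2 pre-shared key strength, and generating a stronger default.

Added example, not from Rapid7's report or from Osram's firmware. The
8-character hexadecimal default is the one the article describes; the
psk_bits/assess_psk functions, the 80-bit threshold and generate_psk are
assumptions for illustration.
"""
import math
import secrets
import string

HEX_LOWER = set("0123456789abcdef")
HEX_UPPER = set("0123456789ABCDEF")


def effective_alphabet(psk: str) -> int:
    """Size of the character set a guesser would actually need to cover.
    An all-hex key is treated as drawn from 16 symbols, not as 'digits plus
    letters', which would overstate it."""
    chars = set(psk)
    if chars <= HEX_LOWER or chars <= HEX_UPPER:
        return 16
    size = 0
    if chars & set(string.digits):
        size += 10
    if chars & set(string.ascii_lowercase):
        size += 26
    if chars & set(string.ascii_uppercase):
        size += 26
    if chars & set(string.punctuation):
        size += len(string.punctuation)  # 32 symbols
    return size


def psk_bits(psk: str) -> float:
    """Upper bound on guessing work for a key chosen uniformly from that alphabet."""
    return len(psk) * math.log2(effective_alphabet(psk))


def assess_psk(psk: str, min_bits: float = 80.0) -> dict:
    """WPA2 passphrases must be 8 to 63 printable ASCII characters; beyond
    validity, flag anything under min_bits (assumed threshold) as weak."""
    valid = 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)
    bits = psk_bits(psk) if valid else 0.0
    return {"valid": valid, "bits": bits, "weak": (not valid) or bits < min_bits}


def generate_psk(length: int = 20) -> str:
    """A default a vendor could ship instead: CSPRNG-chosen letters and digits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("8-char hex default:", assess_psk("1a2b3c4d"))
    fresh = generate_psk()
    print("generated:", fresh, assess_psk(fresh))
```

Eight hexadecimal characters give 16^8, about 4.3 billion keys, or 32 bits; that is the whole search space behind the six-hour figure above. Twenty characters from letters and digits give roughly 119 bits, which is out of reach of the same approach by many orders of magnitude.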

Heiland claimed the bugs he found show “we need to build better policy around managing the risk and develop processes on how to deploy these technologies in a manner that does not add any unnecessary risk.”

Osram explained in a statement sent to Infosecurity that the majority of bugs would be patched in the next version update, planned for August.

It added:

“Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee protocol, which are unfortunately not in Osram’s area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.”

Thomas Fischer, global security advocate at Digital Guardian, argued that IoT devices are often produced with “simplified hardware” which keeps costs down but also means they “lack basic principles of integrity and failover.”

“Companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there’s a much higher chance mistakes will be made and vulnerabilities missed,” he added.

“It is critical that organizations developing IoT technologies – and even those selling them – ensure these products have been developed, built and sold with security in mind.”


Source: Info Security Magazine

Android App Stole User Photos for Over a Year

A malicious Android application that was posing as a development tool was stealing users’ media files for over a year, researchers at Symantec warn.

The offending software was being distributed via Google Play, the official app storefront for Android, where it was posing as a development tool called “HTML Source Code Viewer,” published by Sunuba Gaming. The application had between 1,000 and 5,000 downloads when researchers discovered its nefarious activities.

Instead of offering development capabilities to unsuspecting users, the program was grabbing photos and videos from the compromised devices and was sending them to a remote server, Symantec researchers discovered.

To ensure that it could perform its malicious activities unhindered, the program requested a series of permissions that should have tipped users off on its hidden agenda. These include the ability to open network connections, access to information about networks, the permission to read from external storage, and the permission to write to external storage.

This is the second media-stealing app that was found in Google Play over the course of a month, after a piece of software called Beaver Gang Counter was found in late June to be engaging in similar behavior. That application, however, was targeting photos and videos from the popular social media app Viber.

The newly discovered malicious program, on the other hand, is targeting all of a user’s personal photos and videos by searching for the files stored in the “/DCIM/Camera” and “/DCIM/100LGDSC/” folders, which are the standard locations for this type of content. All of these files were then uploaded to a remote web server, researchers say.

What’s more worrying than the fact that the server contains a great deal of personal photos and videos stolen from victims is that some of these files are dated as far back as March, 2015. “This personal media could be used for blackmailing, ransomware attacks, identity theft, pornography, and other forms of victimization,” Symantec’s Shaun Aimoto explains.

The security researchers also discovered that the attacker’s server is hosted in Azerbaijan and that the malicious application is targeting Gingerbread and newer versions of Android. Google was informed of the nefarious activities the HTML Source Code Viewer application was engaged in and has removed it from Google Play.

By SecurityWeek News


Russian Site is ‘One-Stop Shop’ for Cyber Crime

Cyber situational awareness company Digital Shadows has unearthed an “all-in-one” outsourced online shop for cyber-criminals looking for low-cost entry methods to sell their ill-gotten assets.

The firm estimates the total number of shops hosted on the Russian-language site to be close to 1,000, the majority of which sell products that are stolen or from compromised accounts. This is despite administrators insisting they warn their hosted shops not to sell illegal goods and deny all responsibility for any illegal items advertised.

However, the site has been detected as advertised on well-known criminal forums such as Xeksek, AntiChat, Zloy and Exploit, raising suspicions that organizers may be willing to turn a blind eye to some activity and listings.

“This is the continuation of a trend that we’ve been seeing for some time where the barriers to entry for cyber-criminals continue to be lowered,” James Chappell, founder and CTO of Digital Shadows, told Infosecurity. “In particular, this development improves the ability for criminals to sell much more readily.”

The site offers services such as technical hosting including anonymity and security, payment handling, website design and distributed denial of service protection; things that hackers with little or no technical expertise often struggle to orchestrate themselves, so providing them is likely to be very attractive to users with low technical capabilities, says Digital Shadows.

Chappell explained that this is the first time they have come across this type of ‘all-in-one’ outsourced online shop which provides hosting, design and a payment solution.

“It’s fair to say that the fact that all of these support services are wrapped into a one-stop shop marks a change and is a step up in terms of maturity in the marketplace. It’s also interesting to note that this exists on the surface web, which is a reminder that the dark web does not monopolize criminality.”

The site also clearly seems to be a successful, profitable setup, claiming to have helped to generate more than 240 million rubles (RUB) (around $3.8 million USD) for its customers since at least October 2013. It charges a monthly fee of 500 RUB (approximately $8) to provide customer service and product development, and was observed giving prompt responses to queries. The breadth of offerings and responsiveness almost certainly contribute to the apparent popularity of the service.

Furthermore, the automatic payment system provided – available for Webmoney, Yandex Money and QIWI – enables transactions to occur 24/7 without requiring constant vendor attention.

“The ‘hands off’ nature of the way shops are run simply means criminal transactions can continue uninterrupted. The site seems to have focused on a high level of customer service,” Chappell added.



LastPass Password Manager “Zero-Day” Bug Hits the News

A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts.

LastPass is a password vault which pulls user passwords from a secure area and auto-fills credentials for you. The system uses AES-256 encryption with PBKDF2-SHA-256 and salted hashes to protect the valuable data stored within, but according to Google Project Zero hacker Tavis Ormandy, the software contains a “bunch of critical problems” which could put user accounts at risk.

On Tuesday, the white hat researcher revealed on Twitter that he was exploring LastPass security, claiming that it only took a “quick look” to find “obvious” security problems.

According to The Register, millions of users may be at risk until the problem is patched — and it only takes a visit to a malicious website to become a victim. If an attacker is able to compromise a LastPass account, this gives them access to a treasure trove of credentials for other online services.

Ormandy has sent a report detailing the zero-day and any other critical security issues the researcher found. However, no technical details have been released or are likely to be until LastPass has replicated Ormandy’s findings and patched any problems.

The researcher, who has found critical problems and security failures in software including Symantec products and Avast solutions, is setting his sights on 1Password next.

LastPass said in a blog post:

“An attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.”



Possible breach at GunMag Warehouse

A third-party provider is being blamed for a possible breach into customer transactions at GunMag Warehouse, according to The Firearms Blog.

The breach seemed to affect Reddit users who ordered rifle magazines (the ammunition-storing component, not the print product) from the distributor of print magazines for “the shooting community.”

Some customers reported transactions on their credit card statements of anywhere from 28 cents to thousands of dollars after online purchases, discussed on Reddit, of a six-pack of Hexmag AR-15 rifle magazines.

Michael Lambka, president of GunMag Warehouse, apologized for the security incursion and said his company hired cybersecurity experts at Securi who isolated and patched a flaw in a third-party module update on the e-commerce platform.

Credit card information is not stored on GunMag Warehouse’s servers, he added. Additional security measures have been put in place “to ensure our site has redundant security points,” he said.