
Tag: Turkey

Now UK bans carry-on lappies, phones, slabs on flights from six...

Hit list: Turkey, Lebanon, Egypt, Jordan, Tunisia, Saudi Arabia The UK has banned airline passengers on direct inbound flights from six countries in the Middle East and North Africa from taking a range of electronic devices into the cabin due to fears of a terrorist attack.…

Twitter app pwned by pro-Turkey hackers: Users’ accounts sling ‘Nazi’ slurs

Something Erdogan, something something cardigan A hack against the Counter third-party Twitter app was used to push propaganda messages containing swastikas through numerous high profile accounts on Wednesday.…

Turkcell selects TEOCO’s HELIX 9.0 for network service assurance

Turkcell’s #1-rated network will benefit from TEOCO’s unified service assurance suite. FAIRFAX, VA., USA – 28 February 2017 – TEOCO, the leading provider of analytics, assurance and optimization solutions to over 300 communication service providers (CSPs) and OEMs worldwide, has been selected by Turkcell, which will use TEOCO’s HELIX 9.0 unified service assurance suite to reduce costs and increase the efficiency of its multi-vendor network. Turkcell serves over 66.7 million customers across nine countries, including Turkey,... Source: RealWire

Türk Telekom and Argela Announce that Türk Telekom will use Argela’s...

Argela and Türk Telekom announced that they have decided to use Argela’s Virtual Probes (vProbe) to monitor Türk Telekom’s virtual network.

This will give Türk Telekom end-to-end, real-time and complete visibility of both its traditional network and the virtualized network into which it is transitioning.

Türk Telekom, Turkey’s leading communication and entertainment technologies provider, and Argela, a leading provider of telecommunications solutions for mobile and fixed operators as... Source: RealWire

Chinese solar exports fall in 2016 with global anti-dumping measures

Besides trade issues, manufacturers have also been opening Southeast Asian factories.

Hack reveals data company Cellebrite works with everyone from US cops...

Leeor Ben-Peretz is the executive vice president of the Israeli firm Cellebrite. (Image: Jack Guez/AFP/Getty Images)

On Thursday, Vice Motherboard reported that an unnamed source provided the site with 900GB of data hacked from Cellebrite, the well-known mobile phone data extraction company. Among other products, Cellebrite's UFED system offers "in-depth physical, file system, password, and logical extractions of evidentiary data," and is often the go-to product for law enforcement to pull data from seized phones and other devices. In a statement, Cellebrite called this hack "illegal" and noted that "the company is not aware of any specific increased risk to customers as a result of this incident; however, my.Cellebrite account holders are advised to change their passwords as a precaution." In addition, the trove of materials contains “customer support tickets” showing that the Israeli company sells its services to countries with questionable human rights records, including Turkey, Russia, and the United Arab Emirates. Cellebrite’s own website shows that the company works with numerous local, state, and federal law enforcement agencies, ranging from the Hartford, Connecticut police to the North Wales police in the United Kingdom. (The company reportedly aided the FBI to unlock the seized San Bernardino iPhone that became the center of a protracted legal battle.) However, little is known about the company’s business in many parts of the world. This would not be the first time that a digital surveillance company sold to unsavory regimes.
In 2015, data dumps from Hacking Team showed that it sold exploits to Egypt, Russia, Saudi Arabia, Bahrain, and the United Arab Emirates. Similarly, in 2014, documents leaked online showing that software created by the controversial UK-based Gamma Group International was used to spy on computers that appeared to be located in the US, the UK, Germany, Russia, Iran, and Bahrain.

Shamoon Can Now Destroy Virtual Desktops, Too

A computer infected by Shamoon: the system is unable to find its operating system. (Image: Palo Alto Networks)

There's a new variant of the Shamoon disk-wiping malware that was originally unleashed on Saudi Arabia's state-owned oil company in 2012, and it has a newly added ability to destroy virtual desktops, researchers said. The new strain is at least the second Shamoon variant to be discovered since late November, when researchers detected the return of disk-wiping malware after taking a more than four-year hiatus.

The variant was almost identical to the original one except for the image that was left behind on sabotaged computers. Whereas the old one showed a burning American flag, the new one displayed the iconic photo of the body of Alan Kurdi, the three-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece. Like the original Shamoon, which permanently destroyed data on more than 30,000 work stations belonging to Saudi Aramco, the updates also hit one or more Saudi targets that researchers have yet to name. According to a blog post published Monday night by researchers from Palo Alto Networks, the latest variant has been updated to include legitimate credentials to access virtual systems, which have emerged as a key protection against Shamoon and other types of disk-wiping malware.

The actor involved in this attack could use these credentials to log in manually to the virtual desktop infrastructure (VDI) management systems and attack the virtual desktop products from Huawei, which can protect against destructive malware through their ability to restore snapshots of wiped systems. "The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack," the Palo Alto Networks researchers wrote. "If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment." Several of the usernames and passwords are included in official documentation as administrator accounts for Huawei’s virtualized desktop products, such as FusionCloud.

The researchers still aren't sure if Shamoon attackers obtained the credentials from an earlier attack on the targeted network or included the default usernames and passwords in an attempt to guess the login credentials to the VDI infrastructure. In addition to the virtualization-defeating update, the variant found by Palo Alto Networks also contained hardcoded Windows domain account credentials that were specific to the newly targeted organization.

The credentials met Windows password complexity requirements, a finding that suggests the attackers obtained the credentials through a previous breach. Like the previous Shamoon variant, the new one spread throughout a local network by "logging in using legitimate domain account credentials, copying itself to the system and creating a scheduled task that executes the copied payload." The Shamoon update was set to begin overwriting systems on November 29, 2016 at 1:30am.

The timing aligns with previous Shamoon strains, which attempted to maximize their destructive impact by striking when the targeted organization would have fewer personnel and resources available on site. Post updated in the headline and third paragraph to make clear VDI systems are manually accessed.


Facebook already has a Muslim registry—and it should be deleted

A Hollerith machine used in the 1890 US Census. Hollerith's company later merged with three others to create the company that later became known as IBM, and similar machines were instrumental in organizing the Holocaust. (Image: Marcin Wichary)

Since Donald Trump's election, many in the tech industry have been concerned about the way their skills, and the data collected by their employers, might be used. On a number of occasions, Trump has expressed the desire to perform mass deportations and end any and all Muslim immigration. He has also said that it would be "good management" to create a database of Muslims, and that there should be "a lot of systems" to track Muslims within the US. In the final days of his presidency, Barack Obama has scrapped the George W. Bush-era regulations that created a registry of male Muslim foreigners entering the US (the registry itself was suspended in 2011), but given Trump's views, demands to create a domestic registry are still a possibility. As a result, some 2,600 tech workers (and counting) have pledged both not to participate in any such programs and to encourage their employers to minimize any sensitive data they collect.

The goal is to reduce the chance that such data might be used in harmful ways. The fear in the tech community is of being complicit in some great crime.

The neveragain.tech pledge reads, in part:

"We have educated ourselves on the history of threats like these, and on the roles that technology and technologists played in carrying them out. We see how IBM collaborated to digitize and streamline the Holocaust, contributing to the deaths of six million Jews and millions of others. We recall the internment of Japanese Americans during the Second World War. We recognize that mass deportations precipitated the very atrocity the word genocide was created to describe: the murder of 1.5 million Armenians in Turkey. We acknowledge that genocides are not merely a relic of the distant past—among others, Tutsi Rwandans and Bosnian Muslims have been victims in our lifetimes. Today we stand together to say: not on our watch, and never again."

Their concerns are not unfounded.
IBM, in particular, has a dark history when it comes to assisting with genocides.

The company's punch card-based Hollerith machines were instrumental in enabling the Nazis to efficiently round up Jews, seize their assets, deport them to concentration camps, and then systematically slaughter them. After Trump's election, IBM CEO Ginni Rometty wrote to the president-elect to congratulate him on his victory and offer IBM's services in support of his agenda, and Oracle co-CEO Safra Catz has joined Trump's transition team. Rank-and-file workers, meanwhile, have been outspoken in their unwillingness to cooperate with programs that, in their view, do not respect the Constitution or human rights, or which have disturbing historical precedent. Rometty's letter has provoked a petition from current and former IBM staff; Catz's role has resulted in at least one resignation. One company, however, stands head and shoulders above the rest when it comes to collecting personal data: Facebook.

Facebook's business is data collection in order to sell more effectively targeted advertisements. While massive data collection is not new or unique to Facebook—search engines such as Google and Microsoft's Bing have the same feature—Facebook is unusual in that it actively strives to make that information personally identifiable.

Facebook accounts tend to use our legal names, and Facebook relationships tend to reflect our real-life associations, giving the company's data a depth and breadth that Google or Microsoft can only dream about. Among the pieces of personal information that the site asks users for is religion.

As with most pieces of information that Facebook requests, this is of course optional.

But it's an option that many people fill in so that their profiles better reflect who they are. This data collection means that Facebook already represents, among other things, a de facto, if partial, Muslim registry.

Facebook has the data already; the company can provide a list of self-attested Muslims in the US simply by writing a query or two.

That data could be similarly queried for anyone who isn't straight. As such, government coercion of Facebook—or even a hack of the company—represents a particular threat to civil liberties.

Accordingly, Facebook should take a simple and straightforward protective step: delete that information. Remove the field from our profiles, and discard the historic saved data. Deleting the information will not make Facebook safe.
It will still be a treasure trove of relationships and associations, and an intelligence agency could make all manner of inferences from the data contained within. (Religion, for instance, is likely to be discernible from the content of posts and from images of holidays and religious gatherings, but this would be more difficult to do in bulk—though we know similar inferences are already made about race.) But it would mean that Facebook is no longer so trivially searchable, and it would mean that it ceases to be such a clear database of religious affiliation. Making a change like this should be trivial for Facebook. No doubt it would marginally reduce the company's ability to tailor advertisements to individual users—but it would serve as a clear statement against the threat such a database poses.

DoD Warns Contractors About Iran-Linked Malware

Shamoon, a piece of malware that tries to turn infected computers into unusable bricks, is back. Earlier this month, a number of cybersecurity firms reported that hackers had used the malware against thousands of computers in Saudi Arabia's civil aviation agency and other government bodies. According to Bloomberg, the attacks, like previous ones involving Shamoon, seemingly originated from Iran. Now, the Defense Security Service (DSS), part of the US Department of Defense, has issued a bulletin to cleared contractors warning them of the threat. “Between 2 and 7 December 2016, DSS was given information from another government agency regarding Indicators of Compromise (IOC) associated with a Shamoon malware variant and may be used in computer network exploitation attempts,” the bulletin, distributed on Thursday and obtained by Motherboard, reads. It does not specify the government agency that provided the information. These bulletins are sent to contractors to alert them to threats from foreign intelligence entities (FIEs), and in particular, FIEs' infrastructure, malware, tactics, techniques or procedures. “This information is being shared by DSS in order to enable potential targets of possible espionage activity to detect, disrupt or deny FIE's exploitation of cleared contractor information systems, networks or personnel,” it reads. In 2012, the “Cutting Sword of Justice,” a suspected Iranian hacking group, used Shamoon to aggressively wipe tens of thousands of computers belonging to Saudi Aramco. Aramco is the state-owned oil company of Saudi Arabia. In the wake of the attack, Aramco had to take itself entirely offline. “No emails, no phones, nothing,” Chris Kubecka, a consultant who worked with Aramco, told an audience at the Black Hat hacking conference last year. The hackers also replaced emails and documents with a picture of a burning American flag, according to The Register.
The new version of Shamoon, however, displays a picture of Alan Kurdi, the 3-year-old Syrian boy who drowned while trying to cross from Turkey to Greece, according to a report from security company Symantec. Neither the FBI nor the Department of Defense provided comment in time for publication, and the NSA did not respond to a request for comment.

Shamoon malware returns to again wipe Saudi-owned computers

Iran suspected as likely source of revamped nastyware

Thousands of computers in Saudi Arabia's civil aviation agency and other Gulf State organisations have been wiped by the Shamoon malware after it resurfaced some four years after wiping thousands of Saudi Aramco workstations. Security firms FireEye, CrowdStrike, McAfee, Palo Alto Networks and Symantec reported on the advanced sabotage malware, which United States intelligence officials say is Iran's handiwork. Shamoon's 2012 attack crushed Saudi Aramco, wiping data on three-quarters of its enterprise computers and replacing emails and documents with a picture of a burning American flag.
Iran's oil ministry, the Kharg Island terminal that handles around 80 percent of that country's oil exports, and other facilities also hit trouble in 2012. The Saudi Aramco raid was launched on the eve of a religious holiday, assuring that the company's 55,000 employees would be staying home. The USA's claim that Shamoon is an Iranian product is not convincingly confirmed by technical evidence, as hackers are known to drop hints in the hope of misdirecting investigators. Shamoon's only variant to appear since those devastating attacks has changed little other than to use the horrific photograph of the body of Alan Kurdi, the three-year-old Syrian boy who washed up drowned in Bodrum, Turkey last year. None of the security companies openly discussed which organisations and agencies Shamoon has targeted in the latest wave of attacks.
Sources familiar with the investigation told Bloomberg that Saudi Arabia's General Authority of Civil Aviation lost "critical data" in attacks that brought operations to a halt for several days. FireEye researchers, writing anonymously, say colleagues at high-end forensics firm Mandiant responded in mid-November to the new attacks against an unnamed organisation based in the Gulf states. "Since then, Mandiant has responded to multiple incidents at other organisations in the region," its advanced malware team says. Symantec malware analysts say Shamoon's authors did "significant" preparatory work for the attacks, imbuing their malware with stolen internal passwords that likely facilitated its spread.

A prompt thrown by the wiper malware. (Image: Palo Alto Networks)

Palo Alto Networks security experts shore up the findings in their analysis of the wiper module, known as Disttrack, finding that the administrator and user credentials stored within it are not in the public domain and are too strong to have been obtained through brute-force or dictionary guessing, and as a result are likely to be the fruits of phishing. In 2012, like now, Shamoon was triggered to wipe data at a pre-set point in time. At 8:45PM Saudi time on 17 November the malware activated its disk-wiping payload, in what researchers say is a likely effort to reduce the chance of discovery because it took place on a Thursday, the end of the Saudi working week. The malware is still modular: its 32- and 64-bit dropper component creates the NtsSrv Windows service, which installs Disttrack and the EldoS driver the wiper needs in order to access hard disks from user mode. That driver, according to FireEye, is a legitimate tool the attackers used under a free trial licence, which forced Shamoon's writers to set the clocks on infected computers back to August 2012 for the disk-wiping to take place. A reporter module handles command-and-control communications, including reporting infections and disk-erasing success and downloading new configurations or execution times, although the respective server appeared inactive. All the security firms have released indicators of compromise for security professionals to use to detect identical Shamoon infections.

Shamoon wiper malware returns with a vengeance

A new variant of Shamoon, the malware that wiped hard drives at Saudi Aramco and other energy companies in 2012, has struck multiple organizations in Saudi Arabia in a new campaign that researchers call a "carefully planned operation." The new variant, which is almost identical to the version used in the 2012 attacks, has replaced the message it previously displayed, which included an image of a burning American flag, with the photo of the body of Alan Kurdi, the 3-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece. Bloomberg reports that digital forensics by Saudi officials indicated that the attacks were launched from Iran.
Several Saudi government agencies were among the organizations attacked. New versions of Shamoon, also known as Disttrack, have been detected by multiple information security companies, including McAfee, Symantec, Palo Alto Networks, and FireEye.
It isn't yet clear how the malware's "dropper" has gotten into the networks it has attacked.

But once on a victim's Windows system, it determines whether to install a 32-bit or 64-bit version of the malware.

According to a report from Symantec, the latest Shamoon attack was configured to automatically start wiping the disk drives of computers it had infected at 8:45am local time on November 17. The wiper malware itself uses RawDisk, a commercial software driver from EldoS that gives direct access to the disk drives of the infected system to write data—or in this case, overwrite data.

The same driver was used in the "wiper" attacks against Sony Pictures in 2014.

Before beginning the wipe, the malware sets the system clock of the infected computer back to a random date in August 2012, according to a report from FireEye, most likely so that the EldoS driver's licence check still sees a valid trial period. "Analysis suggests this might be for the purposes of ensuring the [EldoS driver] that wipes the Master Boot Record (MBR) and Volume Boot Record (VBR) is within its test license validity period," the FireEye research team wrote. The new Shamoon variant attempts to spread across the network by turning on file sharing and attempting to connect to common network file shares, and it disables User Account Control (UAC) remote restrictions for remote administration sessions with a Windows Registry change.

The malware attempts to connect to ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on the target systems with the local user's current privileges first.
If they aren't enough to gain access to those shares, it starts trying stolen credentials—credentials that have been hard-coded into the malware samples, indicating that the attackers had previously managed to penetrate the targeted networks and harvest user credentials for Windows domain administrators and other high-level accounts. When it finds these shares available, it copies itself into the Windows directory of the other system. While these latest malware attacks have included code to communicate with a command-and-control system, the attackers apparently disabled the code, leaving it pointed at a nonexistent server.
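The spreading behaviour described in the Palo Alto write-up above (logging in with legitimate domain credentials, copying itself to the system, creating a scheduled task) and in this article (connecting to ADMIN$ and drive shares, installing the NtsSrv service, rolling the clock back to August 2012 for the EldoS trial licence) leaves a recognisable trail in Windows event logs. The detection below is an added example written for this page; it is not code from Ars Technica, The Register, Palo Alto Networks, FireEye or Symantec. It correlates, per host, admin-share access followed shortly by a service install (7045) or scheduled-task creation (4698), and flags any 4616 system-time change that moves the clock backwards by a year or more. The event records are constructed to resemble Windows Security/System log fields; the field names, the "host"/"ts" keys and the binary path in the sample are assumptions of this example, not values from the reports.

```python
"""Detect a Shamoon-style copy-then-execute chain and clock rollback in Windows event logs.

Added example; not code from the article or from any vendor it cites. The records in
SAMPLE_EVENTS are constructed (not a real capture) and mimic a few fields of Windows
events: 4624 (logon), 5145 (share object access), 4698 (scheduled task created),
7045 (service installed) and 4616 (system time changed). Field names, the 'host'/'ts'
keys and the binary path are assumptions of this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ADMIN$ or a drive share (C$, D$, ...), with or without the \\host\ prefix that 5145 logs.
ADMIN_SHARE = re.compile(r"(?:\\\\[^\\]+\\)?(?:ADMIN\$|[A-Z]\$)", re.IGNORECASE)
REMOTE_EXEC_EVENTS = {7045: "service installed", 4698: "scheduled task created"}

# Constructed sample: WS-104 shows the full chain, WS-201 shows routine admin activity.
SAMPLE_EVENTS = [
    {"ts": "2016-11-17T19:58:01", "host": "WS-104", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.1.1.50"},
    {"ts": "2016-11-17T19:58:03", "host": "WS-104", "id": 5145, "user": "CORP\\svc_backup",
     "share": "\\\\*\\ADMIN$", "src_ip": "10.1.1.50"},
    {"ts": "2016-11-17T19:58:09", "host": "WS-104", "id": 7045, "service": "NtsSrv",
     "image": "C:\\Windows\\System32\\ntssrvr32.exe"},  # hypothetical path for the sample
    {"ts": "2016-11-17T19:58:10", "host": "WS-104", "id": 4698, "user": "CORP\\svc_backup",
     "task": "\\ntssrvr"},
    {"ts": "2016-11-17T19:58:40", "host": "WS-104", "id": 4616,
     "previous_time": "2016-11-17T19:58:40", "new_time": "2012-08-15T19:58:40"},
    {"ts": "2016-11-17T10:02:11", "host": "WS-201", "id": 4624, "logon_type": 3,
     "user": "CORP\\helpdesk1", "src_ip": "10.1.1.20"},
    {"ts": "2016-11-17T10:02:12", "host": "WS-201", "id": 5145, "user": "CORP\\helpdesk1",
     "share": "\\\\*\\C$", "src_ip": "10.1.1.20"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_admin_share(share):
    """True for ADMIN$ or a drive share such as C$, the targets the wiper copies itself to."""
    return ADMIN_SHARE.fullmatch(share or "") is not None


def clock_rolled_back(event, min_years=1):
    """True when a 4616 event moves the clock backwards by at least min_years.

    NTP corrections shift the clock by seconds; a jump of years into the past is the
    pattern used to keep the trial-licensed disk driver within its validity period."""
    if event.get("id") != 4616:
        return False
    delta = parse_ts(event["previous_time"]) - parse_ts(event["new_time"])
    return delta.days >= 365 * min_years


def analyze(events, window=timedelta(minutes=10)):
    """Per host: admin-share access followed within `window` by a service install or
    scheduled task (remote copy + execute), plus any large clock rollback."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    report = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        share_hits = [e for e in evs if e["id"] == 5145 and is_admin_share(e.get("share"))]
        exec_hits = [e for e in evs if e["id"] in REMOTE_EXEC_EVENTS]
        rollbacks = [e for e in evs if clock_rolled_back(e)]

        chain = []  # (user, share, what was created, its name)
        for s in share_hits:
            t0 = parse_ts(s["ts"])
            for x in exec_hits:
                if timedelta(0) <= parse_ts(x["ts"]) - t0 <= window:
                    chain.append((s["user"], s["share"], REMOTE_EXEC_EVENTS[x["id"]],
                                  x.get("service") or x.get("task")))

        if chain and rollbacks:
            verdict = "probable wiper staging"
        elif chain or rollbacks:
            verdict = "suspicious"
        else:
            verdict = "none"
        report[host] = {
            "verdict": verdict,
            "copy_then_execute": chain,
            "clock_rollback": [(e["previous_time"], e["new_time"]) for e in rollbacks],
            "remote_logons": sorted({e["user"] for e in evs
                                     if e["id"] == 4624 and e.get("logon_type") == 3}),
        }
    return report


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding["verdict"], finding["copy_then_execute"], finding["clock_rollback"])
```

Share access followed by a new service or task is common during legitimate software deployment, which is why the verdict only escalates when the clock rollback is also present; in a real deployment the events would come from an EVTX export or a SIEM query with the same fields, and the 4624/5145 source address would be used to walk back to the machine the credentials were used from.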

There was clearly no desire to exfiltrate information—though information may well have already been stolen before Shamoon was activated, and the disk wiper may have been left as a parting gift by the attackers.