Full transcript here: https://www.rt.com/shows/sophieco/340..
Cyber Warfare discussion at 22.18 mins
The US Power grid is 50 years old – and vulnerable.
No power means no food or water (electricity is needed to process food).
CIA estimates are that 90% of Americans would perish within 24 months of a power grid attack. Only 10% of America would survive due to lack of access to food and water.
Nuclear war cannot approach that level of devastation.
This is a very interesting rationale. Cyber warfare that attacks the civilian infrastructure would cause more harm than nuclear warfare. Water supplies would of course trigger immediate harm. Access to fresh clean water is of utmost priority. So rather than attacking the electrical grid, it would make more sense to target water supplies. Oh course, we all hope it never comes to this, but it’s a very interesting thought.
The natural antidote to this, is to locate clean fresh water, and the means of sterilising water.
A second point is that those homes with solar panels, will have some form of limited power (if it’s sunny). This highlights that power tools, that need electricity would be useless. Time to invest in some good quality but non powered tools for the garden then.
Camping equipment would be very useful. In fact, any equipment that would function during a power cut would be useful to have around. Gardening and camping stores would see a boom time – as would cash transactions, as your credit cards won’t work.
So logically we would be back in the barter system for a short while. The taxman would be most unhappy at that. No tax = no money for the government. What a thought!
Hackers managed to steal $80m (£56m) from Bangladesh’s central bank because it skimped on network hardware and security software, reports Reuters.
The bank had no firewall and used second-hand routers that cost $10 to connect to global financial networks.
Better security and hardware would have hampered the attackers, Reuters said, quoting an official investigator.
The hackers aimed to steal $1bn but made mistakes that led to the theft being spotted and stopped.
A firewall would have made attempts to hack the bank more “difficult”, Mohammad Shah Alam, a forensic investigator who works on the Bangladesh team investigating the theft, told Reuters.
The second-hand hardware also meant that basic security steps to segregate network traffic were not taken, he said.
The cheap routers have hindered the investigation, said Mr Alam, because they collected very little network data that could be used to pinpoint the hackers and shed light on their tactics.
The hack took place in early February and involved hackers getting access to the core network of Bangladesh’s central bank. They used this privileged access to transfer cash from Bangladesh’s account at the Federal Reserve Bank of New York to other banks.
A spelling mistake in one of the transfer orders alerted bank staff and meant the hackers only managed to steal $81m. This has been traced to accounts in the Philippines and to casinos in the same country. Most of the cash has yet to be recovered.
Take away message:
- Hackers must learn to spell.
- Banks must use firewalls.
- If you’re going to hack anyone, target their router.
The healthcare industry is a long way behind the financial sector in basic security practices, according to a study by two factor authentication firm Duo Security.
Duo found that healthcare devices were significantly more out of date and less secure than ones from finance, after comparing its healthcare customers’ devices to its finance customers’ equipment.
Healthcare has a four times greater density of Windows XP computers compared to finance. Windows XP has been unsupported by Microsoft since 2014 and unsupported OSes do not receive any software patches or updates, making them an easy target for attackers.
The risk is far from theoretical. For example, earlier this year Melbourne Health’s networks were infected with malware after an attack compromised the Royal Melbourne Hospital’s pathology department, which was running Windows XP.
The Qbot malware linked to the infection is capable of stealing passwords and logging keystrokes.
A significant minority (three per cent) of Duo’s installed base is stuck on Windows XP, which compares to one per cent of users across Duo’s entire client base. Across that customer base, finance has 50 per cent more instances of computers running on the Windows 10 operating system than healthcare.
Finance has more instances of computers running on Windows 7 (74 per cent) than healthcare (66 per cent). Staying with older versions of Microsoft’s OS can have security downsides, even if the operating system is still supported.
With more than 500 known vulnerabilities affecting Windows 7, there are many ways for an attacker to easily exploit flaws on the outdated OS to gain unauthorised access to a healthcare organisation’s computing environment, Duo warns.
Twice as many healthcare endpoints have Flash installed and three times as many healthcare customers have Java installed on their devices, again putting them at greater risk of vulnerabilities and exploitation.
Only 12 per cent of non-healthcare users have Java installed. compared to 36 percent in healthcare. Many popular electronic healthcare record (EHRs) systems and identity access and management (IAM) software supporting e-prescriptions require the use of Java, factors which could account for the higher installed base. But this is bad news for security because Java browser plug-ins are a popular exploit route for hackers.
A separate study from IBM X-force earlier this week warned that crooks were increasingly targeting healthcare concerns rather than banks partly because systems were more weakly defended. Stolen healthcare info contains personal data that is readily marketed through underground forums because it offer the collateral to carry out identity fraud and other scams.
Privacy campaign group Privacy International says documents it has obtained through a legal challenge to the UK security agencies data-harvesting practices illustrate the extent to which spies have systematically and secretly amassed a cache of data on UK citizens for the past 15 years — regardless of whether a particular individual is suspected of a crime.
Aka: mass surveillance.
The cache of 46 documents relate to policies, procedures and guidance in place for one aspect of UK state investigatory powers — so-called Bulk Personal Datasets (BPDs) — as well as covering Section 94 (of the Telecommunications Act 1984) directions for GCHQ, MI5 and MI6.
In several documents, including one pertaining to security and intelligence agency policy, agencies observe that the “majority” of the data amassed in these databases contains “personal data about a wide range of individuals, the majority of whom are not of direct intelligence interest”.
The policy document, dated February 2015, also warns staff to brace for “more onerous authorisation processes (beyond our current largely internal ones), as well as enhanced external oversight” as a consequence of the government considering changes to investigatory powers law.
“At the very least we should expect increased and significant public interest and debate,” it adds.
In another document pertaining to the handling of BPDs by GCHQ, the agency notes the elevated risk of privacy rights infringement from using this type of data:
Although bulk personal datasets constitute only a tiny proportion of the data GCHQ obtains, its retention and use of such datasets represent a significant interference with many people’s right to privacy under the European Convention on Human Rights (ECHR). This interference must be justified in terms of its necessity and proportionality, in accordance with Article 8(2) of the ECHR. The use of such data for operational purposes is also especially sensitive and carries an elevated degree of corporate risk. GCHQ has therefore established special arrangements to ensure appropriate handling of such data throughout its life-cycle, both within and, where applicable, beyond GCHQ.
The UK government is in the midst of pushing a new surveillance law through parliament which aims to expand the intrusive capabilities available to domestic police and security services. Yet, at the same time, the Home Secretary Theresa May has repeatedly rejected claims domestic security agencies are engaged in mass surveillance of citizens — preferring the euphemism term ‘bulk collection’.
Back in January she rebutted criticism that state agencies engage in mass surveillance, waspishly telling a parliamentary committee scrutinizing the draft Investigatory Powers Bill that: “We do not collect all the data, all of the time.”
However the documents obtained by Privacy International, as part of a legal challenge, show domestic intelligence agencies have been collecting, if not every last bit and byte, then certainly very large troves of data on UK citizens. And doing so for a very long time.
According to Privacy International, requisitioned data can include medical records, travel records, financial records, population data, commercial data (details of corporations and individuals involved in commercial activities), regular feeds from internet and phone companies, billing data or subscriber details, content of communications (including with lawyers, MPs and doctors), and records from government departments.
It adds that the documents indicate such data is routinely requisitioned.
Aka: mass surveillance.
“The papers released today act as proof of, and show the sheer scale of, British intelligence agency surveillance of our personal data,” it asserts. “It goes far beyond monitoring our text messages, email messages, and social media posts. The intelligence agencies have secretly given themselves access to potentially any and all recorded information about us.”
The use of BPDs as an investigatory tool was only revealed in March last year, via an Intelligence and Security Committee (ISC) report. Yet these large databases had been used in secret for scores of years, apparently sanctioned under a law that pre-dates the rise of the commercial Internet. (The documents confirm Section 94 of The Telecommunications Act 1984 has been used by the UK state to access data in bulk.)
The ISC report previously described BPDs as “large databases containing personal information about a wide range of people” — which it said are used by intelligence agencies to “identify individuals during the course of their investigations, to establish links between Subjects of Interest, and to verify information that they have gathered through other means”.
And Home Secretary May has described them as an invaluable tool for the security agencies, arguing that “bulk capabilities” are important to retrospectively sift through a target’s communications as part of an active investigation.
“You need to be able to acquire the communications in the first place and when the target is overseas bulk interception obviously is one of the key means, and indeed it may be the only means, by which it’s possible to obtain communications,” she told a parliamentary committee back in January, adding: “It is about keeping people safe and secure.”
The flip-side of that argument is of course that amassing gigantic databases containing sensitive personal data on every citizen in the country is not only a massive and disproportionate privacy infringement but also vastly increases the volume of data the intelligence agencies have to sift through — thereby increasing the signal to noise ratio and making effective, targeted intelligence work harder.
And if May wants to assert that gigantic intelligence databases are necessary to ‘keep people safe’, it’s worth making the obvious point that the UK security agencies’ bulk data collection habits did not prevent the 7/7 co-ordinated terror attack in London, in July 2005. Nor the slaying of solider Lee Rigby in a London street three years ago by two men who were in fact already known to the security services. The evidence that mass surveillance/bulk collection keeps people safe is as apparently elusive as the targets spy agencies are tasked with seeking.
Last year’s ISC report which first disclosed the existence of BPDs also revealed there are hundreds of millions of these databases, which it said may be linked together. Privacy International’s suggestion now is these databases “could be used to build detailed profiles about all of us”.
“The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities,” said Millie Graham Wood, Legal Officer at Privacy International, in a statement.
“This data is integrated into databases that could be used to build detailed profiles about all of us. The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime. This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals.
“The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time, in the Investigatory Powers Bill, which is currently being debated in Parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective Parliamentary scrutiny.”
The organization also notes that in recent years only three cases of non-compliance or misuse of BPDs have resulted in staff being disciplined. “It is not apparent that any victims have been notified,” it adds.
I use IVPN as my VPN provider. I’m openly biased as I know their system works – flawlessly, without outages and across many devices from Android to Mac, to Linux to iPhones and routers.
Warrant Canary – can be found here:
If you’ve forgotten the password on a Cisco switch, you need to find out how to circumvent the security. This is how you bypass a forgotten password on several Cisco switches.
Step 1 – Power off
Remove the power cable
Insert power cable and hold down the “mode” button for 4 seconds.
The mode will start to flash when it’s ready.
Step 2 – Cisco commands
Your Cisco switch will then helpfully display the 3 commands you’ll need.
Type in to the switch prompt:
Now wait for the boot sequence to complete. This is the slowest stage…
Dir flash: is to allow you to list all the files held in flash memory.
We need to look for config.text.
Step 3 – Rename the existing config.text
Once you can see the config.text file listed, type in at the prompt:
rename flash: config.text flash: config.old
to check the config.text file has been renamed:
Now boot the Cisco Switch (power off/on – and this time all passwords will be wiped).
The good news is that the old config.txt is still there – we try to keep old config files if we can.
Here’s a video of the bypassing of a password in action.
Change the Search engines
I deleted Bing, Yahoo and Google, and added Startpage.com
The two privacy search engines are Duckduckgo.com and Startpage.com – so make sure they’re the only two that you can default to.
Cog (Bottom Left Corner)
Add speed dials for your favourite sites. You can see that I’ve added IVPN.
IVPN kicks in to prevent any accidental encrypted connections to the Internet. This is the failsafe setting. I use the DNS servers of IVPN rather than the DNS of the ISP for ultimate privacy.
I added the Ghostery Chrome add on to stop trackers. It worked! So Chrome Add ons can be used with Vivaldi. The Ghostery feedback bubble gives great feedback to remind you that you are always being tracked online.
HTTPS EVERYWHERE – EFF – Encrypted Browsing
AdBlock Plus, Privacy Badger – Superb Addons
The new draft surveillance bill is like an iceberg, with a vast bulk of technical change obscured beneath the surface, according to civil liberties organisation NO2ID. Theresa May presented the Investigatory Powers Bill  to parliament today as a measure “consolidating and updating our investigatory powers, strengthening the safeguards”. But it amounts to a dramatic alteration in the powers already available not just to the intelligence services, but to police, tax inspectors, and officials and regulators in almost every department of state . It replaces several pieces of complex and technical legislation.
Guy Herbert General Secretary for NO2ID, said:
“I would have more sympathy for the Home Secretary if she did not resort to glib hypotheticals about kidnapped children. This is not a proposed bill that is easy to understand or straightforward in effect.”
“The much trumpeted change in oversight focuses on a tiny portion of cases, the handful of warrants issued by Secretaries of State every day. The real issue is the tens of thousands of surveillance actions a day carried out by officials.”
“The Bill is an iceberg. It is easy to focus on the sunlight glinting on a few peaks, it is harder to grasp the important bits beneath the surface. What is clear is that Parliament is expected to deal with all of this before the expiry of the Data Retention and Investigatory Powers Act at the end of 2016 – to swallow the iceberg before its dimensions can be fathomed.”
Notes for editors:
1) NO2ID is the national campaign against the database state, the tendency to try to use computers to manage society by maintaining state files on the population as a whole.
2) Statement to Parliament 4th November 2015:
3) Hundreds of official bodies have access to communications data and other surveillance powers, including bugging – which does not count as interception and does not need a warrant for an authorised agency.
Page 9 of this European report on the “Internet of Things” states:
Do nothing: “Personal data today may be processed more easily and on an unprecedented scale by both private companies and public authorities, which increases the risks for individuals’ rights and challenges their capacity of keeping control over their own data (…). Moreover, there are wide divergences in the way Member States have transposed and enforced the Directive, so that in reality the protection of personal data across the EU cannot be considered as equivalent today.” IoT technology will lead to an by far increased amount of personal data being processed. The very nature of IoT technology, to autonomously process and communicate data without human intervention increases the need for not only harmonised technical standards but also legal requirements. Doing nothing might reinforce the adverse effects and seems to be the least preferable option.
Binding law: Binding law in combination with increased level of data protection enforcement seem to be the most promising option to achieve the goals to ensure a fundamental rights compliant and trustworthy development of IoT technology. As IoT technologies are in a very early stage of development, it also seems to be economically preferable to provide clear binding requirements already at this stage of the development. This allows for designing technology according to these requirements, rather than having to change already existing technology later on.
My thoughts on these options are that the American system is the “do nothing” option; which has adverse effects on privacy. It is reassuring to note the comment from Europe, that this is the least preferable option.
Europe seems to support binding laws to curtail the impact of IOT on civilians. The impact of IOT cannot be overestimated. It needs to be tightly regulated, as the effects, on balance will be generally negative for most civilians.
You can buy this £120 iphone hacking tool in the UK from the fonefunshop.
Watch the hack here:
The website to buy this hacking tool at the fonefunshop is here:
It’s a brilliant example of “brute force hacking”, as it’s so visual.
At FoneFunShop we have been helping people setup their tools since 1996, so we understand the frustration of getting a new tool to work.
1. Download Software and update IP-Box to 8.2v
Here is a video showing you how to update the IP-Box V2
(This video will show you how to update your box firmware to new version 6.3, its the same method to update to 8.2)
2. Fix unlock code parameter settings on your IP-Box
You need to do this to fix a bug in version 8.2v, if you dont do this you will find that your box will work too quickly at entering codes.
Enter 4500 in the each group of data interval (ms) area and click Download (free computer test plan 1) to the instrument button to program the box
just like the picture below.
Once this is done you are ready to use your IP-Box to unlock the passcode on your first iPhone
3. Check iOS of iPhone you Plan to bruteforce
Identify the firmware version of the iPhone and make sure its 7.anything
Method 1 (recommended):
Use the iPhone Network Check service this will tell you the exact iOS version the iPhone is using
download ifunbox2014 Download iFunBox
make sure you take the 2014 version
Install and run itConnect your iPhone to your PC (close iTunes if it opens automatically)
Click your phone when it displays in the bottom left corner (pictured below)
Your ios version is now displayed (pictured below)
Make sure it is 7.x.x
4. Setting up cables and connections
now you are satisfied the iPhone is running 7.x.x its time to hook up your ip-box and get it earning its keep.
first of all, close any ip-box software you are running, its not needed.
if you are using a charging cable you will need to connect your mini usb cable to PC and to the ip-box, as the power from your pc will flow through the ip-box and ultimately keep charging your iPhone while its being brute forced.
if you arent using a charging cable theres no need to connect the ip-box to your pc.
now, connect your light sensor to the disabled iphone on a black part of the screen, place it in a place you know would be well lit after a password is entered correctly (just above the slide for emergency area of the screen works for me).
push the sensor through the foam so its sitting on the glass and its all nice and flush
hold the sensor in place with tape.
finally connect your cable from ip-box usb port to the phone port.
5. Release the Beast
now all the connections are in place, press the button on the clip to start the brute force procedure.you will see the number increase by one number and a subsequent BUZZ as the code fails.
you should get Number…BUZZ…Number…BUZZ…Number…BUZZ etc. etc.
TIP: if you get Number .. Number.. Number BUZZ then its not setup right, try stopping the process and repositioning the light sensor and restarting the procedure.
Now leave it going, and go and do something else while it does its job.Once the IP-Box gets the correct code the iPhone menu will appear as normal, which will trigger the light sensor and ultimately your IP-Box will begin beeping and flashing the correct passcode number.
JOB DONE !!!!