Crooks Reused Passwords on Hansa and Dream, so Dutch Police Hijacked Their Accounts after running Hansa for a month

Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors.

Police gain access to Dream accounts via password reuse

In the first, Dutch investigators have taken the passwords of vendors who have the same usernames on both the old Hansa Market and the Dream Market — today’s top Dark Web marketplace after the seizure of the Hansa and AlphaBay marketplaces.

If vendors reused passwords and they didn’t activate 2FA for their Dream Market accounts, authorities take over the profiles, change passwords, and lock the vendors out of their shops.

The second method of operation spotted by the Dark Web community involves so-called “locktime” files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20.

Under normal circumstances a locktime file is a simple log of a vendor’s market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa’s signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale’s conclusion, or if the market was down due to technical reasons.

According to people familiar with Hansa’s inner workings who shared their knowledge with Bleeping Computer, Hansa locktime files were usually just simple text files.

Source: Crooks Reused Passwords on the Dark Web, so Dutch Police Hijacked Their Accounts

It took DEF CON hackers minutes to pwn these US voting machines

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.

In less than 90 minutes, the first cracks in the systems’ defenses started appearing, revealing an embarrassingly low level of security. Then one was hacked wirelessly.

The machines – from Diebolds to Sequoia and Winvote equipment – were bought on eBay or from government auctions, and an analysis of them at the DEF CON Voting Village revealed a sorry state of affairs. Some were running very outdated and exploitable software – such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes.

Source: It took DEF CON hackers minutes to pwn these US voting machines

In-Car Head-Up Displays

Life has changed since 2007 and 2012, so it’s time for a rundown of modern systems!

For around $400 you get Navdy, which takes some time to set up but offers the best solution for sale at the moment. It has map navigation, notifications, direct-sunlight readability, hand gestures and a control button on the steering wheel. You can answer calls, set up your music, etc. It’s well thought out and works best with your smartphone connected. It’s clearly visible in sunlight. It has its own screen through which you look.

Garmin has one which is way more basic, but also way cheaper at $150. It works with the Garmin StreetPilot or Navigon apps for navigation. It is also clearly visible in sunlight and has a reflector lens, or it can project onto a sticker on your windshield.

For around EUR 45 you can buy an A8 system. It’s a bit more limited in its display (no navigation) and projects onto your windshield, which means you need to place a sticker in order to see it properly in daylight. For the price though, you can’t complain!

Then we have the category: put your smartphone in it and it projects onto a little screen. Hudway Glass is an example of this. At $50 they are clearly overpriced (and you can buy them cheaper on Amazon!) and you also need HUD software for it (if you have an iPhone, look at Atoll Ordenadores with ASmartHud+, and there are many others).

There are two promising pre-orders out there:

Exploride can be pre-ordered for $300 and will cost $500 once in production. This is a complete unit with its own screen and connects to your smartphone for lots of functionality.

Carloudy is an e-ink wireless HUD that connects to your smartphone. It has a voice command interface and looks like it reflects onto a windshield sticker. You can sign up for the public beta in the US now for $260.

Finally there is the Continental HUD as used in Mercedes, Audi and BMW. The information is very basic but the visibility is great from all angles.

EVE Online’s Real Life Planet-Discovery Minigame Is Live Now

Project Discovery, a collaborative project between CCP Games, Massively Multiplayer Online Science (MMOS), and the University of Geneva, aims to use EVE’s playerbase to locate, identify and catalog real life planets outside the bounds of our own solar system. By quantifying scientific data provided by the Kepler Satellite telescope, EVE players can save university scholars hundreds of thousands of hours of work, and potentially advance their research by several years.

Source: EVE Online’s Real Life Planet-Discovery Minigame Is Live Now

Netherlands turns into total surveillance state: unsupervised mass internet tapping, storage and sharing with whoever they feel like

AMSTERDAM (Reuters) – The Dutch Senate passed a law early on Wednesday giving intelligence agencies broad new surveillance and other powers, including the ability to gather data from large groups of people at once.

The Senate’s approval was the last hurdle for the “tapping law,” which was moulded into its current form after years of debate and criticism from both the country’s constitutional courts and online privacy advocates.

The law, which was passed with broad support, will go into effect this month after it is signed by the country’s monarch and circulated in the official legislative newspaper.

Online rights group Bits of Freedom warned the Netherlands’ military and civil intelligence agencies will now have the opportunity to tap large quantities of internet data traffic, without needing to give clear reasons and with limited oversight.

They also object to a three-year term for storage of data that agencies deem relevant, and the possibility for them to exchange information they cull with foreign counterparts.

Source: Dutch pass ‘tapping’ law, intelligence agencies may gather data en masse

Bloke takes over every .io domain by snapping up crucial name servers

Want to control over 270,000 websites? That’ll be $96 and a handover cockup, please

Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register.

Out of interest, he tried to buy them and was amazed to find the registration went through – leaving him potentially in control of hundreds of thousands of websites.

These crucial name servers – specifically,,,,,,, and – are like the telephone directories of the .io space. If your web browser wants to connect to, say,, it may have to go out to one of these authoritative name servers to convert into a public IP address to connect to.

Those and addresses should be owned and maintained by .io’s operators. But Bryant was able to purchase and register,,, and, and point them at his own DNS servers, allowing him to, if he wanted, potentially redirect connections to any .io domain to a server of his choosing.

Source: Bloke takes over every .io domain by snapping up crucial name servers

.io registry is sticking its head in the sand. oops.

CIA Vault 7 tools steal active SSH sessions on Linux and Windows

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine.

Web inventor Sir Tim and W3C decide to close up the web: world has 2 weeks to appeal

Traditionally, web technology has been open. HTML markup, CSS, and JavaScript code can be viewed (though not necessarily easily understood, thanks to minification), remixed, and reused. The web’s openness allowed it to flourish.

But those selling costly content – software and media companies – prefer open wallets to anything goes. So they have employed copy deterrence schemes based on proprietary technologies like Adobe Flash and Widevine to make high-value content viewable but not easily copyable in web browsers. However, this approach leaves much to be desired in terms of user experience and ongoing compatibility.

The Encrypted Media Extensions API – supported by companies like Apple, Google, Microsoft and Netflix and opposed by the free software community, academic researchers, and foes of anti-piracy mechanisms – provides a standards-based mechanism to display DRM-protected content in compliant web browsers.

Source: Web inventor Sir Tim sizes up handcuffs for his creation – and world has 2 weeks to appeal

The argument Tim Berners-Lee gives why he agreed to this (“If W3C did not recommend EME, then the browser vendors would just make it outside W3C,” he wrote. “…It is better for users for the DRM to be done through EME than other ways.”) is inane! If he doesn’t agree, then the vendors would all go around implementing different standards (as they historically and to the great annoyance of web designers everywhere have done) and DRM would only work on one type of browser. I thought by now we realised that DRM doesn’t work, is expensive in terms of money and resources and gets broken pretty much the day it leaves the factory.

Create a user called ‘0day’, get bonus root privs – thanks, Systemd!

To obtain root privileges on a Linux distribution that utilizes systemd for initialization, start with an invalid user name in the systemd.unit file.

Linux usernames are not supposed to begin with numbers, to avoid ambiguity between numeric UIDs and alphanumeric user names. Nevertheless, some modern Linux distributions, like RHEL7 and CentOS, allow this.

The systemd software will not allow unit files to be created with an invalid user name. But other tools can create such files.

Curiously, if systemd encounters an invalid name in a unit file, like “0day,” it will ignore the parameter and create the requested service. As the documentation states, “If systemd encounters an unknown option, it will write a warning log message but continue loading the unit.”

But it will run the unit with root privileges instead of rejecting it or adopting more restrictive permissions.
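An audit script that flags exactly the situation described above, a User= or Group= value in a unit file that systemd would reject and then run as root. This is an added example, not code from The Register article or from the systemd project; the validity rule is an assumption based on the article’s statement that names must not begin with a digit, plus the POSIX portable user-name character set, and the sample unit files are constructed.

```python
"""Audit systemd unit files for User=/Group= values that systemd would
reject as invalid and (per the report above) run the service as root.

Added example, not from the article or the systemd project. VALID_NAME is
an assumed rule: systemd's own check may differ in detail."""
import glob
import os
import re
from typing import Dict, List, Tuple

# Assumed rule: start with a letter or underscore, then letters, digits,
# underscore or hyphen, at most 32 characters in total.
VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal parser for the INI-like unit format.
    Returns {section: [(key, value), ...]}, skipping comments and blanks."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # directive outside any section is malformed; skip it
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(text: str) -> List[str]:
    """One finding per User=/Group= directive in [Service] whose value
    fails VALID_NAME. An empty list means nothing suspicious was found."""
    findings = []
    for key, value in parse_unit(text).get("Service", []):
        if key in ("User", "Group") and not VALID_NAME.match(value):
            findings.append(f"{key}={value!r} is not a valid name; "
                            "systemd may drop it and run the service as root")
    return findings


def audit_directory(path: str) -> Dict[str, List[str]]:
    """Run audit_unit over every *.service file directly under path."""
    results: Dict[str, List[str]] = {}
    for unit_path in sorted(glob.glob(os.path.join(path, "*.service"))):
        with open(unit_path, encoding="utf-8", errors="replace") as fh:
            findings = audit_unit(fh.read())
        if findings:
            results[unit_path] = findings
    return results


# Constructed sample units for demonstration; not files from a real system.
BAD_UNIT = """\
[Unit]
Description=demo service with a digit-leading user name
# comment lines are ignored by the parser
[Service]
User=0day
ExecStart=/usr/bin/true
[Install]
WantedBy=multi-user.target
"""
GOOD_UNIT = BAD_UNIT.replace("User=0day", "User=svc-demo")

if __name__ == "__main__":
    for name, unit in (("bad", BAD_UNIT), ("good", GOOD_UNIT)):
        print(name, audit_unit(unit) or ["ok"])
    # To check a live system: print(audit_directory("/etc/systemd/system"))
```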

Source: Create a user called ‘0day’, get bonus root privs – thanks, Systemd!

Systemd claims it’s not a bug!

At 18, He Strapped a Rocket Engine to His Bike. Now He’s Taking on SpaceX: Rocket Lab, led by someone who knows what he’s doing!

After decades of tinkering, Peter Beck and Rocket Lab are poised to bring low-cost launches to the world.

Source: At 18, He Strapped a Rocket Engine to His Bike. Now He’s Taking on SpaceX

As opposed to running a company on insane working hours and crazy project changes, this guy is launching rockets at $5m per pop, doing 500lbs. He has a launch site that allows for a huge amount of launches into many different areas. His engines are simple and actually work. It’s a great story of a space startup that looks like it actually will work.

NASA QueSST goes supersonic quietly

NASA has achieved a significant milestone in its effort to make supersonic passenger jet travel over land a real possibility by completing the preliminary design review (PDR) of its Quiet Supersonic Transport or QueSST aircraft design. QueSST is the initial design stage of NASA’s planned Low Boom Flight Demonstration (LBFD) experimental airplane, otherwise known as an X-plane.

Senior experts and engineers from across the agency and the Lockheed Martin Corporation concluded Friday that the QueSST design is capable of fulfilling the LBFD aircraft’s mission objectives, which are to fly at supersonic speeds, but create a soft “thump” instead of the disruptive sonic boom associated with supersonic flight today. The LBFD X-plane will be flown over communities to collect data necessary for regulators to enable supersonic flight over land in the United States and elsewhere in the world.

NASA partnered with lead contractor, Lockheed Martin, in February 2016 for the QueSST preliminary design. Last month, a scale model of the QueSST design completed testing in the 8-by 6-foot supersonic wind tunnel at NASA’s Glenn Research Center in Cleveland.

Source: The QueSST for Quiet | NASA

HMS QE: Britain’s newest Aircraft Carrier runs Windows XP

The Royal Navy’s brand new £3.5bn aircraft carrier HMS Queen Elizabeth is currently* running Windows XP in her flying control room, according to reports.

Defence correspondents from The Times and The Guardian, when being given a tour of the carrier’s aft island – the rear of the two towers protruding above the ship’s main deck – spotted Windows XP apparently in the process of booting up on one of the screens in the flying control room, or Flyco.

“A computer screen inside a control room on HMS Queen Elizabeth was displaying Microsoft Windows XP – copyright 1985 to 2001 – when a group of journalists was given a tour of the £3 billion warship last week,” reported Deborah Haynes of The Times, accurately describing the copyright information on the XP loading screen.

Source: HMS Windows XP: Britain’s newest warship running Swiss Cheese OS

Oh dear oh dear

Intel’s Skylake and Kaby Lake CPUs have nasty microcode bug

The Debian advisory says affected users need to disable hyper-threading “immediately” in their BIOS or UEFI settings, because the processors can “dangerously misbehave when hyper-threading is enabled.”

Symptoms can include “application and system misbehaviour, data corruption, and data loss”.

Henrique de Moraes Holschuh, who authored the Debian post, notes that all operating systems, not only Linux, are subject to the bug.

Source: Intel’s Skylake and Kaby Lake CPUs have nasty microcode bug

Here’s hoping your mobo supplier releases a BIOS / UEFI update soon…

Obama’s secret struggle to punish Russia for Putin’s election assault

The White House debated various options to punish Russia, but facing obstacles and potential risks, it ultimately failed to exact a heavy toll on the Kremlin for its election meddling.

Source: Obama’s secret struggle to punish Russia for Putin’s election assault

Anthem to shell out $115m in largest-ever data theft settlement: 1/3rd goes to lawyers, 10% to Experian, much to taxes, leaves around 10% for victims. Shows you what use the Law is for justice.

If you were one of those hit by the intrusion, don’t expect a big payout. Plenty of others will be getting their cuts first. According to the terms of the settlement, a full third of the package ($37,950,000) has been earmarked to cover attorney fees.

An additional $17m will be paid out to Experian, who is handling the credit and identity monitoring services for victims. Any taxes the government levies on the $115m payout will also be deducted from the fund itself.

After all that, people affected will be able to fill out the necessary forms to claim a share of the settlement, including coverage of out-of-pocket expenses they have incurred from the breach (but only up to $15m – beyond that no more out-of-pocket claims will be accepted).

Source: Anthem to shell out $115m in largest-ever data theft settlement

The amount of money going to the lawyers and Experian beggars belief! There is no way this can have been possible within an in any way sane hourly fee. The fact that almost none goes to the 78.8 million victims shows you the law is self-serving and has nothing to do with justice.

Password Reset man in the middle attack

The Password Reset Man in the Middle (PRMITM) attack exploits the similarity of the registration and password reset processes.

To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource (e.g. free software). Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on).

Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.

Source: Password Reset MITM: Exposing the need for better security choices – Help Net Security

That this works is down to some serious cognitive laziness during the registration process!

Gmail no longer will scan your emails – because they already know enough about you through other channels

G Suite’s Gmail is already not used as input for ads personalization, and Google has decided to follow suit later this year in our free consumer Gmail service. Consumer Gmail content will not be used or scanned for any ads personalization after this change. This decision brings Gmail ads in line with how we personalize ads for other Google products. Ads shown are based on users’ settings. Users can change those settings at any time, including disabling ads personalization. G Suite will continue to be ad free.

Source: As G Suite gains traction in the enterprise, G Suite’s Gmail and consumer Gmail to more closely align

This is what is called a Pyrrhic victory

CIA airgaps using Brutal Kangaroo software

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

The Brutal Kangaroo project consists of the following components: Drifting Deadline is the thumbdrive infection tool, Shattered Assurance is a server tool that handles automated infection of thumbdrives (as the primary mode of propagation for the Brutal Kangaroo suite), Broken Promise is the Brutal Kangaroo postprocessor (to evaluate collected information) and Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow instances are installed and share drives, tasking and payloads can be sent back-and-forth).

NSA opens Github repo

THE TECHNOLOGIES LISTED BELOW were developed within the National Security Agency (NSA) and are now available to the public via Open Source Software (OSS). The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace. OSS invites cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community’s enhancements to the technology.

Humanity uploaded an AI to Mars and lets it shoot rocks with lasers

AEGIS doesn’t cover general operations, which are still directed by humans. Instead it lets Curiosity pick its own targets on which to focus its ChemCam, an instrument that first vaporizes Martian rocks with a laser and then studies the resulting gases. AEGIS does so after analysing images captured by Curiosity’s NavCam, which snaps stereo images, and also using ChemCam’s own Remote Micro-Imager context camera. Once it detects a worthy target, ChemCam puts the nuclear-powered space tank’s laser to work eliminating Martian pebbles.

The paper says AEGIS now goes to work after most of Curiosity’s short drives across Mars, and “has proven useful in rapidly gathering geochemical measurements and making use of otherwise idle time between the end of the drive and the next planning cycle.” 54 slices of idle time to be precise, as that’s the number of occasions on which Curiosity’s had enough juice to run it.

The software is making good assessments of what to zap and sniff: the paper says “in a number of cases [AEGIS] has chosen rock targets which were among the same ones that were independently ranked highly by the science team for study.” The result is better-targeted work, as Curiosity was previously set to do blind targeting “at pre-selected angles with respect to the rover, without knowing what it would find at that position post-drive.” Now it’s focussing in on outcrops, a desirable target.

Source: Humanity uploaded an AI to Mars and lets it shoot rocks with lasers

Navistone saves filled in form data on hundreds of sites before you submit it!

[As you fill out a form] You change your mind and close the page before clicking the Submit button and agreeing to Quicken’s privacy policy. […] Your email address and phone number have already been sent to a server at “,” which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses. NaviStone’s code on Quicken’s site invisibly grabbed each piece of your information as you filled it out, before you could hit the “Submit” button.

During a recent investigation into how a drug-trial recruitment company called Acurian Health tracks down people who look online for information about their medical conditions, we discovered NaviStone’s code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using JavaScript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.

Only one site of the dozens we reviewed,, explicitly revealed in its privacy policy what it was doing. It read, “Information you enter is collected even if you cancel or do not complete an order.” The rest of the sites had the usual legalese in their policies about using standard tracking tech such as cookies and Web beacons, which did not describe the way this particular information capture works.

Source: Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data

Not only are they saving your data without your consent, they boast that they can send you post within 2 days. Once Gizmodo tested a few of the sites with their technology enabled, they denied everything, even though Gizmodo was sitting on the proof. Scumbags.

Walmart Gears Up Anti-Amazon Stance in Wake of Whole Foods Deal

Days after arch-rival Amazon announced plans to buy Whole Foods for $13.7 billion, Walmart is apparently ramping up its defense.

That acquisition takes square aim at Walmart’s bread-and-butter grocery business by giving the online retailer 465 new retail locations—thus a much bigger brick-and-mortar presence.

Now, Walmart is telling some partners and suppliers that their software services should not run on Amazon Web Services cloud infrastructure, according to the Wall Street Journal.

The report quoted Bob Muglia, CEO of Snowflake Computing, saying that a Walmart partner wanted to use his company’s data warehouse service, but was told it had to run on Microsoft Azure cloud instead of AWS.

Source: Walmart Gears Up Anti-Amazon Stance in Wake of Whole Foods Deal

Mazda Getinfo allows you to use the USB port to edit the 2014+ Mazda Car’s infotainment system

mazda_getInfo – A PoC that the USB port is an attack surface for a Mazda car’s infotainment system and how Mazda hacks are made

Inventory insurers in NL sneakily exclude smartphones

It turns out they won’t cover the cost of your smartphone breakages, because they are the most popular claims. And if they do cover your tablet, there are surcharges and other difficulties.

All-risk home contents insurers have armed themselves against vulnerable smartphones, according to research by financial communications agency SevenEight among 23 large all-risk home contents insurers.

Source: Inboedelverzekeraar niet dol op smartphones (Home contents insurer not keen on smartphones) – Emerce

Personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an unsecured Amazon server.

A huge trove of voter data, including personal information and voter profiling data on what’s thought to be every registered US voter dating back more than a decade, has been found on an exposed and unsecured server, ZDNet has learned.

It’s believed to be the largest ever known exposure of voter information to date.

The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics.

Each record lists a voter’s name, date of birth, home address, phone number, and voter registration details, such as which political party a person is registered with. The data also includes “profiling” information, voter ethnicities and religions, and various other kinds of information pertinent to a voter’s political persuasions and preferences, as modeled by the firms’ data scientists, in order to better target political advertising.

Source: ZDNet