Search Results for “Sean Gallagher”

May 29, 2019
Sean Gallagher / Ars Technica

Baltimore Mayor and City Council Pressing for Ransomware Attack to Be Declared Disaster So They Can Seek Federal Funds

The mayor and city council president of Baltimore are pressing for the RobbinHood ransomware attack that has crippled the city to be declared a disaster so that the city can seek federal funds to clean up the damage. The push follows a New York Times report that EternalBlue, the leaked NSA exploit, was used in the attack. Sources say the ransomware arrived via a phishing attack against a city employee and was spread in part by EternalBlue. But Baltimore’s dilemma is at least in part the result of more than a decade of neglect of the city’s IT infrastructure, with turmoil in the IT department and IT funding less than half the average for U.S. cities.

May 9, 2019
Sean Gallagher / Ars Technica

Hacking Collective ‘Fxmsp’ Is Actively Marketing Data Breaches at Three U.S. Antivirus Vendors

A collective of Russian- and English-speaking hackers that calls itself “Fxmsp” is actively marketing the spoils of data breaches at three US-based antivirus software vendors, researchers at the threat-research company Advanced Intelligence (AdvIntel) revealed. Fxmsp is offering both source code and network access to the companies for $300,000 and is providing samples that, according to the researchers, show strong evidence that its claims are valid. The stolen source code reportedly included code for antivirus agents, analytic code based on machine learning, and “security plug-ins” for Web browsers.

April 11, 2019
Sean Gallagher / Ars Technica

DHS and FBI Bulletin States That Russian Probing and Hacking Efforts Prior to 2016 Election Took Place in Majority of U.S. States

A joint intelligence bulletin (JIB) issued by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) to state and local authorities is the first official report to confirm that Russian reconnaissance and hacking efforts in advance of the 2016 presidential election went well beyond the 21 states named in previous reports. New information obtained by the agencies “indicates that Russian government cyber actors engaged in research on—as well as direct visits to—election websites and networks in the majority of US states,” the bulletin says, adding that the “FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections.” Between June and October of 2016, the group associated with the election hacking “researched websites and information related to elections in at least 39 states and territories, according to newly available FBI information,” the bulletin states.

June 27, 2019
Sean Gallagher / Ars Technica

Iranian Threat Group APT33 Switches to 1,200 New Domains Used for Controlling, Spreading Malware After Infrastructure Is Exposed, Report

Activity from APT33, the Iranian threat group also known as Elfin and previously tied to the Shamoon wiper attack and other Iranian cyber-espionage and destructive malware campaigns, has risen dramatically, with the group creating more than 1,200 domains for controlling and spreading malware, Recorded Future’s Insikt Group reports. Recorded Future found that APT33 had launched attacks on multiple Saudi companies, including two healthcare organizations, as well as an Indian media company and a “delegation from a diplomatic institution.” Most of these attacks involved “commodity” malware, that is, well-known remote access tools (RATs). Of the 1,200 domains, 728 were identified as communicating with infected hosts, and five of the 728 were observed communicating with hosts infected by one of 19 mostly publicly available RATs. The new domains were registered after Symantec publicly exposed APT33’s earlier infrastructure, letting the group continue its activity.

July 1, 2019
Sean Gallagher / Ars Technica

Small Town of Key Biscayne Becomes Third Florida Municipality Hit by Ransomware

Key Biscayne has become the third Florida municipality to be struck by ransomware; the malware was reportedly Ryuk, one member of the so-called “triple threat” ransomware trio. The village, which has 3,000 residents, said that a “data security event” struck on Sunday, June 23, and that some operations were moved offline after the attack. By Wednesday, June 26, all of its systems were up and running normally.

June 4, 2019
Sean Gallagher / Ars Technica

Twitter Account Reportedly Belonging to the Operator of the Baltimore Ransomware Attack Taken Down

A Twitter account, @robihkjn, which researchers have confirmed belongs to the operator of the ransomware that took down Baltimore City’s networks on May 4, has been taken down after posting racist taunts aimed at Baltimore City officials and tweeting documents demonstrating that at least some data was stolen from a city server. The messages posted on Twitter matched those delivered to Baltimore along with the malware, according to Joe Stewart, an independent security consultant working on behalf of the cloud security firm Armor, and Eric Sifford, a security researcher with Armor’s Threat Resistance Unit (TRU). The two also confirmed that some of the documents posted to the account came from the Baltimore City government. The account’s operator said that the NSA exploit EternalBlue was not used to spread the ransomware within Baltimore City’s networks.

September 6, 2019
Sean Gallagher / Ars Technica

Flagstaff Cancels Classes in Its School District Due to Ransomware Discovered During Routine Maintenance

All classes were canceled on September 5 at Flagstaff Unified School District (FUSD) schools in Arizona after a ransomware attack against the district’s servers was discovered during routine maintenance on Wednesday, September 4. The district says all FUSD-issued devices, including laptops, at all sites need to be updated, and it has asked all FUSD employees to bring any Windows-based laptops to Sinagua Middle School by 9 a.m. Friday. Officials say they have to “break the connection” between the Internet and all school devices to mitigate the issue.

August 23, 2019
Sean Gallagher / Ars Technica

Would-Be Digital Cryptography Firm Crown Sterling Sues Black Hat Conference Organizers, Ten ‘Doe’ Defendants Over Disruption at Sponsored Presentation

After almost getting booed off the stage at Black Hat, “emerging digital cryptography” firm Crown Sterling is suing conference company UBM, alleging that its Black Hat USA event breached “its sponsorship agreement with Crown Sterling and the implied covenant of good faith and fair dealing arising therefrom.” The company also accuses the conference organizers of “other wrongful conduct” connected to events surrounding the presentation of a paper by Crown Sterling CEO and founder Robert E. Grant. In addition to targeting the conference, Crown Sterling has filed suit against 10 “Doe” defendants, who it claims orchestrated the disruption of the company’s sponsored talk at Black Hat. Before, during and after the conference, cryptographers were extremely skeptical of what Crown Sterling was pitching, with some referring to the talk as “snake oil crypto.”

Related: U.S. District Court (PDF), Business Wire, Cyberscoop

Tweets: @malwarejake @gossithedog @jwgoerlich @J0hnnyXm4s @oscaron @matir @halvarflake @betoonsecurity @snlyngaas @thepacketrat @JGamblin @fs0c131y @shotgunner

U.S. District Court Southern District of New York: Complaint (PDF)
Business Wire: Crown Sterling Files Complaint Against UBM — Owner and Organizer of Black Hat USA 2019 Cryptography Industry Conference
Cyberscoop: The company behind ‘Time A.I.’ is suing the company behind Black Hat

@malwarejake: Does Crown Sterling know there are photos and videos of the room? Because you can call this room a lot of things, but "filled to capacity with conference attendees" isn't one of them...
@gossithedog: Remember the TIME AI(tm) people, Crown Sterling, who bought a talk at Black Hat and then presented laughable rubbish buzzword nonsense? They’re suing Black Hat. If this was a smaller con it would finish them. Never give Crown Sterling a stage again, any and every event.
@jwgoerlich: Remember waaay back at Black Hat, when there was a crazy five dimension “crypto” talk, TIME AI, and @dguido called them out? Well. The TIME AI guys are back. And they brought lawyers. (via @thepacketrat)
@J0hnnyXm4s: This is the best they could come up with: Holding Black Hat responsible for the conduct of its attendees. GLHF
@oscaron: The only guy I saw complaining was THIS guy....who is connected to Crown Sterling
@matir: Crown Sterling is like a flat earther who read a math textbook while on LSD.
@halvarflake: The Crown Sterling thing is the Infosec variant of the Trump administration :-). Don't reply plz, this is a statement and not an invitation to discuss.
@betoonsecurity: Crown Sterling is a fraud. Not allegedly. I am actively accusing them of being frauds and charlatans.
@snlyngaas: The COO referred Jeff to the lawsuit, but also didn't fail to mention that Crown Sterling has an "exciting" new product set to take the cybersecurity industry by storm.
@thepacketrat: From the lawsuit: "Excitement over Crown Sterling's presence had been building..."
@JGamblin: If 5D encryption doesn't work for Crown Sterling I think they have the Laapr (Lawsuit as a Press Release) market cornered.
@fs0c131y: Seriously? These guys have no shame
@shotgunner: Never fails to amaze me how stupid companies are and those that control them. Crown Sterling is apparently going all out on the stupidity path lol.

September 21, 2019
Sean Gallagher / Ars Technica

Controversial Cryptography Company Crown Sterling Touts Decryption Accomplishment, Experts Immediately Deride Company’s Claim

Controversial digital cryptography company Crown Sterling issued a press release claiming that it had decrypted two 256-bit RSA asymmetric public keys in approximately 50 seconds on a standard laptop computer before a gathering of what the release describes as “approximately 100 academics and business professionals,” a claim met with great derision among experts who understand cryptography: 256-bit RSA moduli are far below the 2048-bit minimum in common use and have been routinely factorable with off-the-shelf tools for decades. Crown Sterling also released a video of the demonstration. The company has been promoting its “Time AI” cryptographic system, which it says will fix the breakability of RSA by using an entirely different method of generating keys, one that does not rest on the difficulty of factoring the product of two large primes. Crown Sterling is suing cybersecurity conference Black Hat for alleged breach of contract over a sponsored presentation it gave at the event in August, which drew jeers from attendees.
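
The following is an added example, not code from the Ars Technica story, from Crown Sterling, or from any of the researchers quoted below. It shows what “decrypting an RSA public key” amounts to: factor the modulus, rebuild the private exponent, decrypt. The modulus size (64 bits, so that plain Python finishes in under a second), the RNG seeds, the sample plaintext and all function names are choices made here for illustration; a 256-bit modulus needs a sieve such as the number field sieve that cado-nfs implements, but the break is the same in kind, and at 2048 bits and above no published method does it at all.

```python
"""Toy break of an undersized RSA key: factor n, recover d, decrypt.

Added example, not code from the Ars Technica story or from Crown Sterling.
The 64-bit modulus is a size chosen here for illustration only.
"""
import math
import random

PUBLIC_EXPONENT = 65537  # the usual e; an assumption of this example


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (probabilistic, error below 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no modular inverse")
    return old_s % m


def _random_prime(bits: int, rng: random.Random) -> int:
    """Random prime with exactly `bits` bits (top bit forced on, odd)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa(modulus_bits: int, seed: int = 1):
    """Textbook RSA key generation with a seeded RNG so runs are repeatable."""
    rng = random.Random(seed)
    half = modulus_bits // 2
    while True:
        p = _random_prime(half, rng)
        q = _random_prime(half, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == modulus_bits and math.gcd(PUBLIC_EXPONENT, phi) == 1:
            return n, PUBLIC_EXPONENT, modinv(PUBLIC_EXPONENT, phi)


def pollard_rho(n: int, seed: int = 2) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho, Floyd cycle finding).

    Expected work is about sqrt(smallest prime factor) steps: fine for a 64-bit
    modulus, hopeless at 256 bits, where a sieve is the tool of choice.
    """
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n means the walk collapsed; retry with a new c
            return d


def recover_private_exponent(n: int, e: int) -> int:
    """The whole 'decryption of a public key': factor n, then d = e^-1 mod phi(n)."""
    p = pollard_rho(n)
    q = n // p
    assert 1 < p < n and p * q == n
    return modinv(e, (p - 1) * (q - 1))


def key_is_acceptable(n: int, minimum_bits: int = 2048) -> bool:
    """The check a practitioner actually wants: refuse undersized RSA moduli."""
    return n.bit_length() >= minimum_bits


if __name__ == "__main__":
    n, e, d = generate_rsa(64, seed=7)
    ciphertext = pow(0x1234, e, n)  # constructed sample plaintext
    d_recovered = recover_private_exponent(n, e)
    print(f"{n.bit_length()}-bit modulus factored; recovered d matches: {d_recovered == d}")
    print("plaintext:", hex(pow(ciphertext, d_recovered, n)))
    print("key size acceptable:", key_is_acceptable(n))
```

Run it as a script and the 64-bit key falls in well under a second on a laptop, which is the point of the experts’ reaction: shrinking the modulus until it fits a factoring algorithm is not a result about RSA. The `key_is_acceptable` check is the control that matters in practice; an RSA modulus that a demo can factor is one that should never have been accepted.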

Related: Schneier on Security, Yahoo Finance

Tweets: @thepacketrat @thepacketrat @lesleycarhart @TheSweetKat @gregotto @LargeCardinal @henrykploetz @erratarob @malwaretechblog @matthew_d_green @XorNinja @taviso

Schneier on Security: Crown Sterling Claims to Factor RSA Keylengths First Factored Twenty Years Ago
Yahoo Finance: Crown Sterling Decrypts RSA Asymmetric Public Keys in Live Demonstration

@thepacketrat: Sooooo. Anyone available to comment on this?
@thepacketrat: Video here.
@lesleycarhart: Wow, the hole just gets deeper and deeper...
@TheSweetKat: Breaking news: Crown Sterling cracks symmetric encryption method known as ROT-13
@gregotto: Crown Sterling (the company that is suing Black Hat) just sent out a press release saying it decrypted RSA keys Thursday in front of a room full of academics in California yesterday. If you were in that room, I would like to speak with you
@LargeCardinal: I think @matthew_d_green has done stuff on this, but these numbers don't seem that impressive... Doing some digging now.
@henrykploetz: Well, this is Sagemath on my Ultrabook (X1 Carbon 2017). I'm assuming the default implementation is single-threaded. So, "50 seconds" is exactly the expected performance on a 4-core laptop.
@erratarob: Cracking 256-bit RSA keys is simple and not a convincing demonstration. Whatever you demo in a controlled setting with a laptop is not believable, since you can cheat. This means nothing. Solving any real-world problem, such as the above key, is what would convince people.
@malwaretechblog: Who exactly are they trying to impress? You can factor 256 bit RSA on a smartphone in < 1h, and 512 bit is doable in a few mins with an EC2 cluster.
@matthew_d_green: These Crown Sterling people are going to launch a cryptocurrency, mark my words.
@XorNinja: Say what you want about Crown Sterling, but this is definitely a breakthrough in cryptography bullshit
@taviso: I googled some of the strings in the output, it looks like a modified version of cado-nfs, e.g. the tasks.threads message comes from here ?;a=blob;f=scripts/cadofactor/;hb=6b6df64249cf60eeace0f7611a266d972af74d56#l806

September 25, 2019
Sean Gallagher / Ars Technica

Threat Group Tortoiseshell Is Targeting U.S. Military Veterans and Companies With Malicious Employment Site, Installs Spyware to Collect Data About Target Systems

A threat group known as Tortoiseshell, previously identified as being behind a set of attacks on IT providers in Saudi Arabia that hit eleven companies there, has now been spotted targeting US military veterans and companies with a malicious webpage that purports to be an employment site, according to Cisco Talos. The bogus site offers a free desktop client that is, in reality, a spyware installer. The Saudi attacks all used the same remote access tool, which Symantec calls Backdoor.Syskit, written in both Delphi (the Object Pascal programming language introduced by Borland) and Microsoft .NET. A similar backdoor, in this case named “IvizTech,” is part of the package dropped by the website Talos discovered. When the installer connects, it downloads two files from a server hosted by a company in Atlanta: a reconnaissance tool and the backdoor. If installation fails, the malware sends an email to a Gmail address from a second Gmail address whose credentials are hard-coded in the installer. The reconnaissance tool, delivered with the filename “bird.exe” and internally named Liderc, collects data about the infected system, including the date and time, installed drivers, patch level, network configuration, domain controller, the name of the administrator account, and a list of the other accounts available.

Related: ZDNet Security, Techaeris, SecurityWeek, Cisco Talos

Tweets: @campuscodi @joetidy