Why (I believe) WADA was not hacked by the Russians

Disclaimer: This is my personal opinion. I am not an expert in attribution. But as it turns out, not many people in the world are good at attribution. I know this post lacks real evidence, and is mostly based on speculation.

Let's start with the main facts we know about the WADA hack, in chronological order:

1. At some point in time (August - September 2016), the WADA database has been hacked and exfiltrated
2. August 15th, "WADA has alerted their stakeholders that email phishing scams are being reported in connection with WADA and therefore asks its recipients to be careful" https://m.paralympic.org/news/wada-warns-stakeholders-phishing-scams
3. September 1st, the fancybear.net domain has been registered:
   Domain Name: FANCYBEAR.NET ... Updated Date: 18-sep-2016 Creation Date: 01-sep-2016
4. The content of the WADA hack has been published on the website
5. The @FancyBears and @FancyBearsHT Twitter accounts have been created, and started to tweet on 12th September, reaching out to journalists
6. 12th September, Western media started headlines "Russia hacked WADA"
7. The leaked documents have been altered, states WADA https://www.wada-ama.org/en/media/news/2016-10/cyber-security-update-wadas-incident-response

The Threatconnect analysis

The only technical analysis on why Russia was behind the hack can be read here: https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/

After reading this,...
Read more

One reason why InfoSec sucked in the past 20 years – the "security tips" myth

From time to time, I get disappointed how much effort and money is put into securing computers, networks, mobile phones, ... and yet in 2016 here we are, where not much has changed on the defensive side. There are many things I personally blame for this situation, and one of them is the security tips.

The goal of these security tips is that if the average user follows these easy-to-remember rules, their computer will be safe. Unfortunately, by the time people integrate these rules into their daily life, these rules either become outdated, or they were so oversimplified that they were never true in the first place. Some of these security tips might sound ridiculous to people in InfoSec nowadays, but this is exactly what people still remember because we told them so for years.

PDF is safe to open

This is an oldie. I think this started at the time of macro viruses. Still, people think opening a PDF from an untrusted source is safer than opening a Word file. For details on why this is not true, check: https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html

On an unrelated note, people still believe PDF is integrity protected because the content cannot be changed (compared to a...
Read more

How I hacked my IP camera, and found this backdoor account

The time has come. I bought my second IoT device - in the form of a cheap IP camera. As it was the cheapest among all others, my expectations regarding security were low. But this camera was still able to surprise me.

Maybe I will disclose the camera model used in my hack in this blog later, but first I will try to contact someone regarding these issues. Unfortunately, it seems a lot of different cameras have this problem, because they share being developed on the same SDK. Again, my expectations are low on this.

The obvious problems

I opened the box, and I was greeted with a password of four numeric characters. This is the password for the "admin" user, which can configure the device, watch its output video, and so on. Most people don't care to change this anyway.

It is obvious that this camera can talk via Ethernet cable or WiFi. Luckily it supports WPA2, but people can configure it for open unprotected WiFi of course. Sniffing the traffic between the camera and the desktop application, it is easy to see that it talks via HTTP on port 81. The session management is pure genius. The...
Read more