Cogitatio Exasperans?


28 January 2019
Press Release

The takedown by law enforcement in April 2018 of the illegal marketplace as part of Operation Power OFF has given authorities all over Europe and beyond a trove of information about the website’s 151 000 registered users. Coordinated by Europol and the Joint Cybercrime Action Taskforce (J-CAT) with the support of the Dutch Politie and the British National Crime Agency, actions are currently underway worldwide to track down the users of this Distributed Denial of Service (DDoS)-for-hire service. The marketplace is believed to have been the world’s biggest for hiring DDoS services, having helped launch over 4 million attacks for as little as €15.00 a month.
In the United Kingdom a number of users have recently been visited by the police, who have seized over 60 personal electronic devices from them for analysis as part of Operation Power OFF. UK police are also conducting a number of live operations against other DDoS criminals; over 250 users of and other DDoS services will soon face action for the damage they have caused.
The impact of successful DDoS attacks globally was highlighted recently by the sentencing of a 30-year-old hacker to almost three years’ imprisonment in the UK after being found guilty of carrying out DDoS attacks against Liberia’s leading mobile phone and internet company, using rented botnets and stressers before developing his own botnet. At their peak in November 2016, these DDoS attacks took down the West African country’s entire internet access, with one attack resulting in millions of pounds’ worth of damage.
In the Netherlands, the police and the prosecutor’s office have developed a dedicated project, known as Hack_Right, to deal with young first-time offenders in order to prevent them from going on to more serious crimes. A Dutch user of has already received this alternative sanction.
The countries joining the fight against DDoS attacks are Belgium, Croatia, Denmark, Estonia, France, Germany, Greece, Hungary, Ireland, Lithuania, Portugal, Romania, Slovenia, Sweden, Australia, Colombia, Serbia, Switzerland, Norway and the United States.
While some countries are focusing their actions on the users of that particular service, law enforcement agencies around the world have intensified their activities against the users of DDoS booter and stresser services more generally. To this effect, the FBI seized 15 other DDoS-for-hire websites last December, including the relatively well-known Downthem and Quantum Stresser. Similarly, the Romanian police have taken measures against the administrators of two smaller-scale DDoS platforms and have seized digital evidence, including information about their users. Size does not matter: all levels of users are on the radar of law enforcement, be it a gamer booting the competition out of a game or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain.
The DDoS-for-hire trend is a pressing issue, mainly due to how easily accessible it has become. Stresser and booter services have effectively lowered the entry barrier into cybercrime: for a small nominal fee, any low-skilled individual can launch DDoS attacks with the click of a button, knocking offline whole websites and networks by barraging them with traffic. The damage they can do to victims can be considerable, crippling businesses financially and depriving people of essential services offered by banks, government institutions and police forces.
Emboldened by a perceived anonymity, many young IT enthusiasts get involved in this seemingly low-level crime, unaware of the consequences that such online activities can carry. Cybercrime isn’t a victimless crime and it is taken extremely seriously by law enforcement. The side effects a criminal investigation could have on the lives of these teenagers can be serious, going as far as a prison sentence in some countries.
Skills in coding, gaming, computer programming, cyber security or anything IT-related are in high demand and there are many careers and opportunities available to use these wisely.

TUFF is acting as a repository and offers the information to members so that they can make their own minds up about its value.

$190M in crypto-currency locked as password dies along with CEO

They say you can’t take it with you, but the CEO of Canadian crypto exchange QuadrigaCX apparently did.
When QuadrigaCX founder and owner Gerald Cotten died unexpectedly in December of complications from Crohn’s disease, the password to $190 million worth of crypto-currency died with him, according to Fortune.
The funds are effectively as frozen as a corpse in the morgue. His widow, Jennifer Robertson, has signed a sworn affidavit stating that the bitcoins and related products were stored on a dedicated server to protect them from hacking and theft. That server, and Cotten’s laptop, are so heavily encrypted that not even master hackers have been able to crack them so far.
Since Cotten was the sole person responsible for handling the funds and coins, in the name of safety only he had the password to it all, his wife said.
“Despite repeated and diligent searches, I have not been able to find them written down anywhere,” she said in the affidavit, according to Fortune. “Quadriga’s inventory of cryptocurrency has become unavailable and some of it may be lost.”
In fact, some conspiracy theorists are suggesting he very literally took it with him, faking his own death and absconding with their funds. He reportedly died in India in December.
QuadrigaCX didn’t even announce Cotten’s death until mid-January, more than a month after it occurred, Coindesk reported. This has customers who were already questioning the financially troubled company even more suspicious.
“The fact that it happened a month ago, and they just announced it now, and no proof of death, no obituary, no LinkedIn profiles of any of the staff, no physical addresses, limited crypto withdrawal limits, etc. all makes people suspicious,” investor Xitong Zou told Coindesk. “There’s a bunch of warning bells going off in most people’s heads right now.”
Feb 5th 2019 7:53AM


Hackers hijack Nest camera, issue fake warning of North Korea missile attack.

By AJ Dellinger — Posted on January 22, 2019 4:08PM PST

The idea of having a security camera in your house is to make you feel safe. Unfortunately for a family in Orinda, California, hackers managed to hijack their Nest security camera and gave the home quite the scare by issuing a fake emergency broadcast warning of an incoming nuclear attack from North Korea.

The Lyons family was hit with the unexpected warning on Sunday afternoon, according to an account provided to the San Jose Mercury News. Without warning, they heard a loud sound similar to the static-sounding squeal that comes before the start of an emergency broadcast alert coming from their Nest security camera. That noise was followed by a message that claimed three intercontinental ballistic missiles had been launched from North Korea and were heading to Los Angeles, Chicago, and Ohio. The alert claimed the United States was retaliating against Pyongyang for the attack, but warned people in the affected cities they had three hours to evacuate.

Needless to say, the message had the family panicking. Laura Lyons told Mercury News that the message sounded legitimate and it caused “five minutes of sheer terror and another 30 minutes trying to figure out what was going on.” The family looked for any sort of indication the attack was real, turning on the TV and flipping to news channels to see if there was any coverage of the supposed attack. The Lyons’ son hid under a rug while the adults called 911 and Nest’s customer service to determine if the warning was real. The family eventually determined the warning was likely the result of a third-party hack that allowed the attackers to hijack the family’s security camera.
In a statement provided to Digital Trends, a spokesperson for Nest insisted that the company “was not breached.” Instead, the hack was likely the result of a targeted attack against the family’s security setup, which may have reused an exposed password that was available online.
“These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of security risk,” the spokesperson said. “We take security in the home extremely seriously, and we’re actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”


Happy Thursday! 770 MEEELLLION email addresses and passwords found in yuge data breach.

Now is a good time to get a password manager app
By Gareth Corfield 17 Jan 2019 at 11:50

Infosec researcher Troy Hunt has revealed that more than 700 million email addresses have been floating around “a popular hacker forum” – along with a very large number of plain text passwords.

The data dump, which Hunt has uploaded to his Have I Been Pwned site for people to check if they’re included, comprises “1,160,253,228 unique combinations of email addresses and passwords”, in Hunt’s words.

“I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives,” he added in his blog post announcing his find.
After cleaning up the data, Hunt boiled it down to 772.9 million unique email addresses, along with 21.2 million unique passwords. He estimated the hacked credentials were from the years 2008-2015.

The addresses and passwords were found lurking on Mega, the latest incarnation of rotund rascal Kim Dotcom’s file sharing website. It comprised “more than 87GB of data”.

While Hunt emphasised that he hasn’t exhaustively verified whether this is all new data or if it’s (even in part) a compendium of old creds floating around hacker forums, he did say: “My own personal data is in there and it’s accurate; right email address and a password I used many years ago.”

Security firm ESET’s Jake Moore opined: “There has never been a better time to change your password… If you’re one of those people who think it won’t happen to you, then it probably already has. Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before.”
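The Nest statement earlier on this page (rejecting compromised passwords, relying on two-factor verification) and the Collection #1 dump that Hunt loaded into Have I Been Pwned come down to the same control: a service checking a candidate password against known-breached credentials without ever receiving the password in clear. The Python below is an added example, not code from Nest, Troy Hunt or The Register. It implements the k-anonymity range lookup that the Pwned Passwords API exposes: the client sends only the first five hex characters of the SHA-1 hash and matches the remaining 35 characters locally, so the server never learns which password was checked. The RANGE_RESPONSES table is a constructed stand-in for the HTTP response and its counts are made up; only the hash of "password" is a real SHA-1.

```python
"""Breached-password check using the k-anonymity range model of Pwned Passwords.

Added example, not code from Nest, Troy Hunt or The Register. The RANGE_RESPONSES
table below is a constructed stand-in for the API; a real client would fetch
https://api.pwnedpasswords.com/range/<PREFIX> over HTTPS and parse the body.
"""
import hashlib

# Constructed stand-in for the range endpoint. Key: 5-hex-char SHA-1 prefix.
# Value: the response body, one "<35-char hash suffix>:<count>" per line.
# The suffix 1E4C9B93F3F0682250B6CF8331B7EE68FD8 completes the real SHA-1 of
# "password"; the counts on all lines are made up for this demo.
RANGE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>. Only the prefix ever leaves the client."""
    return RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str) -> int:
    """Return how many times the password appears in the breach corpus (0 if unseen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:       # compared locally; the server saw only the prefix
            return int(count)
    return 0


def accept_password(password: str, min_len: int = 8) -> tuple[bool, str]:
    """Policy a signup or password-change endpoint would apply: length, then breach check."""
    if len(password) < min_len:
        return False, "too short"
    seen = pwned_count(password)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple", "short"):
        print(pw, "->", accept_password(pw))
```

Two design points matter in practice: the rejection message reports the count rather than the hash, so nothing sensitive is echoed back to the client, and the lookup is done on the server side of the signup flow (the user's browser should not be the one talking to the range endpoint, or a network observer learns the 5-character prefix of every password the user tries).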

From ‘The Register’ ®


Industry briefing note – Ransomware/The Ransomware Decryption Compendium.


PROFiT – Industry Briefing Notes

The documents are provided by our colleagues at PROFiT. The following should be noted:

6.1 Ransomware
This part has sections on:
• Background,
• What to do if you become a victim of a ransomware attack,
• How do ransomware infections occur,
• How to reduce the risk of a ransomware infection,
• Why are ransomware attacks effective,
• Who Is behind ransomware attacks, and
• Some key dates for ransomware.

The appendices cover:
A          List of ransomware infections
B          Some common ransomware variants
C          Some helpful people.

6.2 Ransomware Decrypt Compendium
• What to do if you become a victim of a ransomware attack, and
• List of 151 free decrypt tools which claim to be able to help.

Please note that we have not checked out the organisations behind these tools, nor the tools themselves, and do not warrant their success rates or ability in any way. However, as a last resort they may be all you have.

Always make Action Fraud your initial point of call if attacked by phoning 0300 123 2040.


TUFF is acting as a repository and offers the information to members so that they can make their own minds up about its value. As with PROFiT, TUFF has not tested the 3rd party organisations mentioned, or the tools they provide.

Members are encouraged to offer feedback. Reproduction of the information should be cleared with TUFF in the first instance.

Guidance for ISPs.

TUFF is a member of the Global Cyber Alliance. It does not endorse and has not tested the product. The information is offered for members to make their own decision about use of the product.

Members are invited to send any relevant feedback in the first instance.

Industry Briefing Note - Card Transactions.


Twitter Security Flaw Uses Text Spoofing to Hijack UK Accounts – US Accounts Don’t Seem to be Vulnerable to the Bug

Source: Gizmodo, The Guardian

A Twitter security flaw gives hackers a way to post unauthorized tweets via text messaging, and British cybersecurity firm Insinia has proven its existence by hijacking some celebrities’ accounts. The company was able to post tweets as other people without having to enter their passwords by spoofing their mobile numbers. It’s easy to forget the feature if you have data and a smartphone, but Twitter still allows you to tweet via SMS. You simply have to link your digits to your account and then text what you want to post to a number Twitter designated for your country and carrier.

A Twitter spokesperson explained to The Guardian that the bug “allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” It’s not entirely clear what makes certain accounts susceptible to the bug, but as Gizmodo explains, Insinia was able to send out unauthorized tweets using “longcodes.” See, Twitter uses two kinds of numbers for tweeting via SMS: longcodes and shortcodes. The former looks like a typical phone number, while the latter is just three to five digits. It’s different for every country and, sometimes, every carrier — the USA uses a shortcode (40404), for instance, while the UK uses both shortcodes and a longcode (+447624800379).

That spokesperson also announced that the social network already “resolved the bug,” but Insinia said it was able to hijack accounts even after Twitter claimed that it rolled out a fix. While hackers won’t be able to access DMs or personal details by exploiting this particular flaw, Insinia chief Mike Godfrey said his company conducted the experiment to show how text messaging should not be used to verify people’s identities.

“We should not be using 50-year old technology,” he explained. “It is massively flawed by design. Even someone completely unskilled could carry [out] this attack within half an hour. This took us 10 minutes.”

Godfrey was also hoping that putting a spotlight on the issue would compel Twitter to issue a solution, seeing as this problem could have been going on for a few years now. As Gizmodo noted, Twitter admitted that it suffered from an SMS spoofing vulnerability back in 2012. This seems to be the exact same bug, or at least a very similar one. If you’re in the US, though, you might not have to worry about randos tweeting for you: the company’s spokesperson said Twitter doesn’t “believe there is any significant risk to US-based account holders.”


The article is offered to provoke thought – It represents the views of the author; TUFF Ltd does not endorse it.