Data is assessed by our team members

Investigations can reveal some very sensitive & personal data. This intel is assessed by us & closely guarded, used only for the purpose of fulfilling the needs of our clients & achieving the results we are commissioned to undertake.

Team leader heads a group of professional investigators at the ready

We are proud to have access to the finest team members & discreet, qualified persons who pride themselves on obtaining results for our clients where others fail.

The latest technology & equipment allow us to keep our finger on the intel pulse

Scientific apparatus & technical staff allow us to obtain sensitive & useful information for our clients by utilizing the latest technology. The storage, use & availability of this data is handled with great care.

Communications between team members & networks is critical

In these days of worldwide communications at a peak of efficiency, passing on & receiving information in the blink of an eye is possible between our team members & the network we have access to.

Team leader & CEO of the intel agencies group is Donna-Lee Sapiecha Eyers

Donna-Lee is pictured here at her law degree graduation ceremony, proudly supported by her mother Karen, her sister Sharah-Lee & father Henry.


Court gives hacker who gave Isis ‘hitlist’ of US targets 20 years in prison

Do the crime, do the time. Good to see. Let this be an example of what the courts can, will & do do to these masked ISIS cowardly terrorists & their support groups. These lessons should be learned by all who deliberately or inadvertently create danger to a country & its people or threaten national security.


Ardit Ferizi struggles to explain why he sent extremist group the details of hundreds of US government and military officials


A hacker who helped Islamic State by providing the names of more than 1,000 US government and military workers as potential targets was sentenced on Friday to 20 years in prison.

The sentence was much higher than the six-year term sought by defense lawyers, who argued their client, Ardit Ferizi, meant no real harm and was not a true Isis supporter.

“He was a nonsensical, misguided teenager who did not know what he was doing,” said public defender Elizabeth Mullin. “He has never embraced Isil’s ideology.”

Ferizi, a 20-year-old native of Kosovo who was arrested last year in Malaysia, is the first person convicted in the US of both computer hacking and terrorism charges. He admitted hacking a private company and pulling out the names, email passwords and phone numbers of about 1,300 people with .gov and .mil addresses. Isis published the names with a threat to attack.

At Friday’s sentencing hearing, Ferizi struggled to explain why he did it, when asked directly by US district judge Leonie Brinkema for an explanation. He said that it all happened very quickly.

“I feel so bad for what I did,” he said. “I am very sorry for what I did, making people feel scared.”

Prosecutors asked for the maximum sentence of 25 years.

Assistant US attorney Brandon Van Grack said: “The defendant’s conduct has indefinitely put the lives of 1,300 military members and government workers at risk.”

He disputed the idea that Ferizi’s crime was a whim. Before turning over the names to the “Islamic State hacking division” last year, he operated a website devoted to propagating Isis propaganda. In online conversations, Ferizi defended Isis, and when he gave the 1,300 identities to the group, he knew he was putting them in would-be terrorists’ crosshairs, Van Grack said.

“This was a hitlist. The point was to find these individuals and hit them, to ‘strike at their necks’,” Van Grack said, mimicking the language Isis used when it published the names.

Van Grack quoted a letter from one of the victims, who said she had an easily identifiable name and was now nervous when she interacted with Muslims, something she felt guilty about. And Van Grack cited another terrorism case in northern Virginia, in which the defendant, Haris Qamar, allegedly used a hitlist, similar to the one Ferizi created, to stake out the homes of two neighbors in the town of Burke.

Mullin countered that nobody on the list has actually been harmed, and said much of the information Ferizi helped disseminate was publicly available anyway.

Court papers describe a difficult life for Ferizi, who was nominally raised as a Muslim and was just four years old when Nato airstrikes forced Serbian forces to withdraw from the territory, which subsequently became independent. Ferizi’s uncle was murdered and his father was kidnapped during the war, according to letters written by Ferizi’s family.

As a teenager, Ferizi got in trouble for hacking into Kosovar government databases, but he avoided jail. Ferizi went to Malaysia to study cybersecurity, but continued his hacking activities and developed worsening mental health problems, defense lawyers said.

He met an Isis recruiter on the internet while he was trying to expose online pedophiles, his lawyers said.


Henry Sapiecha

Yahoo data hacked: details of 500 million accounts stolen


Yahoo is the latest company to be embroiled in what is thought to be one of the largest cybersecurity breaches ever.

As data becomes more precious, especially to brands and publishers constantly sifting through it for monetisation strategies and more personalised advertising, data security and privacy fears are already at an all-time high.

Which is why Yahoo’s recent investigation, which confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by a “state-sponsored actor”, is nothing short of a PR nightmare.

It is becoming harder for brands and publishers to stay ahead of the ever-evolving online threats.

Based on the ongoing investigation, Yahoo says it believes information associated with at least 500 million user accounts was stolen, and that it has found no evidence the state-sponsored actor is ‘currently’ in Yahoo’s network.

It is working closely with law enforcement on this matter. The stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The bcrypt hashes slow down offline guessing, but plaintext security answers need no cracking at all and remain usable for account recovery on any other service where the same questions were answered the same way.

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” a Yahoo spokesperson says.

It says it is notifying potentially affected users and asking them to change their passwords and adopt alternate means of account verification.

It recommends that all users who have not changed their passwords since 2014 do so immediately and consider using Yahoo Account Key, an authentication tool that eliminates the need for a password altogether.

“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” a Yahoo spokesperson says.

“Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”


Henry Sapiecha

High Risk Terrorist Offenders Bill under scrutiny


The Parliamentary Joint Committee on Intelligence and Security has reconvened for the 45th Parliament, electing Mr Michael Sukkar MP as Chair and the Hon Anthony Byrne MP as Deputy Chair and commencing work on a number of inquiries.

Criminal Code Amendment (High Risk Terrorist Offenders) Bill 2016

The Committee has commenced an inquiry into Criminal Code Amendment (High Risk Terrorist Offenders) Bill 2016, which was introduced into the Parliament on 15 September 2016.

The bill establishes a scheme for the continuing detention of high risk terrorist offenders at the conclusion of their custodial sentence. Measures in the bill include:

  • the Attorney-General can apply to the Supreme Court of a State or Territory for a continuing detention order during the last six months of the sentence of a ‘terrorist offender’,
  • a ‘terrorist offender’ is a person convicted of certain terrorist offences against the Criminal Code and serving a sentence of imprisonment for the offence,
  • the Supreme Court may make an order if satisfied to a high degree of probability that the offender poses an unacceptable risk of committing a ‘serious Part 5.3 offence’ [terrorist offence] if released,
  • under a continuing detention order a ‘terrorist offender’ is committed to detention in a prison for the period the order is in force, which can be up to three years,
  • a continuing detention order must be reviewed by the Court at least annually,
  • the continuing detention of minors is not permitted, and
  • an interim detention order of up to 28 days may be made by the Court in circumstances where an offender will be released before the application for a continuing detention order has been determined, and consecutive interim orders may be granted for up to three months.

The Committee invites submissions to the inquiry. Please email the Secretariat at by Friday 23 September 2016 if you intend to make a submission. Submissions are requested no later than Wednesday, 12 October 2016.

A public hearing will be held on Friday, 14 October 2016. The Committee has been asked to report by 4 November 2016.

Further information about the inquiry can be accessed via the Committee’s website at The Bill and Explanatory Memorandum can be accessed via

Declaration of Islamic State as a declared terrorist organisation under the Citizenship Act

The Committee has commenced a review of the declaration of Islamic State as a ‘declared terrorist organisation’ under section 35 of the Australian Citizenship Act 2007. This is the first time an organisation has been declared under the Act.

Section 35 of the Australian Citizenship Act 2007 provides that dual citizens aged over 14 years lose their Australian citizenship if they fight for, or are in the service of, a ‘declared terrorist organisation’ overseas.

Under section 35AA of the Citizenship Act, the Parliamentary Joint Committee on Intelligence and Security may review a declaration made by the Minister and report the Committee’s findings within the 15 sitting day parliamentary disallowance period.

Members of the public are welcome to make submissions to this review, which should be received no later than Friday, 7 October 2016.

The Minister’s declaration and supporting documentation are available on the Committee’s website.

Re-listing of six terrorist organisations under the Criminal Code

In its third inquiry, the Committee has commenced a review of the re-listing of Abu Sayyaf Group, al-Qa’ida, al-Qa’ida in the Lands of the Islamic Maghreb, Jabhat al-Nusra, Jamiat ul-Ansar, and Jemaah Islamiyah.

Under section 102.1A of the Criminal Code, the Parliamentary Joint Committee on Intelligence and Security may review listings of terrorist organisations and report on the Committee’s findings within the 15 sitting day parliamentary disallowance period.

Members of the public are welcome to make submissions to this review. Submissions should be received no later than Friday, 7 October 2016.

Further information about these listings can be obtained from the Committee’s website.

Media enquiries: Chair, Mr Michael Sukkar MP (Deakin, Vic) on (03) 9874 1711 (Electorate office) or (02) 6277 4847 (Parliament House)


Henry Sapiecha

Ransomware network chalked up US$121M in the first half of 2016

Healthcare and manufacturing companies are among the least prepared in preventing data loss, finds Intel’s McAfee Labs Threat Report, which reveals US$100,000 worth of hospital-targeted ransomware payments.


A ransomware network appears to have chalked up US$121 million in payments over the first half of 2016 alone, as healthcare companies become hot targets due to their reliance on legacy systems.

A spate of ransomware attacks had been unleashed on hospitals early this year, with victims forking out some US$100,000 in payments to specific bitcoin accounts. While they still accounted for a comparatively small portion of overall ransomware targets, hospitals were among new verticals targeted by attack networks, according to Intel Security’s latest McAfee Labs Threat Report.

Researchers from the security vendor tracked a ransomware network that appeared to have received bitcoin payments worth US$121 million from ransomware activities targeting several sectors. The distributor seemed to have chalked up profits of US$94 million in the first half of 2016 alone, the report stated.


Pointing to the increased focus on the healthcare sector, it named the industry’s dependence on legacy IT systems and on medical devices with weak or no security as key reasons these companies are targets. These organisations also rely on third-party services common across the sector and need immediate access to information to support patient care, which makes them attractive targets for malicious attacks.

“Hospitals represent an attractive combination of relatively weak data security, complex environments, and the urgent need for access to data sources, sometimes in life or death situations,” said Vincent Weafer, vice president for Intel Security’s McAfee Labs. “The new revelations around the scale of ransomware networks and the emerging focus on hospitals remind us that the cybercrime economy has the capacity and motivation to exploit new industry sectors.”

He added that healthcare and manufacturing both provide significant opportunities for cybercriminals because of their weak defences and complex environments. “Cybercriminals’ motive is ease of monetisation, with less risk,” Weafer said. “Corporations and individuals can easily cancel stolen payment cards soon after a breach is discovered, but you can’t change your most personal data or easily replace business plans, contracts, and product designs.”

The apparent complacency among healthcare and manufacturing companies might be due to the low frequency of attacks these sectors experienced in the past, according to the McAfee survey. This, however, also meant the organisations had made fewer investments in cybersecurity and had the least comprehensive data protection capabilities.

The report determined that retail and financial services companies had the most extensive protection against data loss, which was likely the result of the frequency of attacks targeting these sectors as well as the value of the data they held.

Across the board, more than 25 percent of respondents did not monitor data sharing and access involving sensitive employee or customer information. Some 37 percent did so, and this figure was a higher 50 percent where the largest organisations were concerned.

And while 90 percent had cloud security strategies, only 12 percent said they had visibility of data activities in the cloud.

Almost 40 percent had experienced data loss involving physical media such as thumb drives, the report found, but only 37 percent used endpoint monitoring of user activities and physical media connections.

For the second quarter, McAfee Labs identified 316 new threats a minute with significant spikes in ransomware, mobile malware, and macro malware. Some 1.3 million new ransomware samples were recorded, the highest ever registered since the security vendor began tracking such threats.

Total ransomware climbed 128 percent in the quarter over the previous year, while macro malware increased 106 percent. New mobile malware reached a record high in the quarter, growing 151 percent year-on-year to hit nearly 2 million new samples.

Trojans such as Necurs and Dridex fuelled a more than 200 percent increase in new macro malware in the quarter.


Henry Sapiecha

Data-retention grants: Telstra gets $40m, Vodafone $29m, Optus $14m, NBN $1m

ISPs are being given 80 percent of their compliance costs, according to the attorney-general, under the government’s AU$128 million data-retention grants program.


Australian Attorney-General George Brandis has announced the recipients of its AU$128 million data-retention grant pool, with Australia’s largest telecommunications providers getting tens of millions of dollars in funding to comply with the federal government’s data-retention scheme.

Under the grants [PDF], Telstra is receiving AU$39.9 million; Vodafone Australia is receiving AU$28.8 million; Optus is receiving AU$14.8 million; Vocus and M2 — now one company — are receiving AU$3.4 million combined; MNF Group is receiving AU$3 million; TPG is receiving AU$2.2 million in combination with its now-subsidiary iiNet; Exetel is receiving AU$1.8 million; and the National Broadband Network (NBN) company is receiving AU$1,067,515.

Also receiving over AU$1 million are Broadband Solutions, with AU$2.2 million; Message4U, with AU$1.3 million; BigAir, with AU$1,042,666; and The Summit Group, with AU$1,032,000.

“Today, I am pleased to announce the outcomes of the AU$128.4 million Data Retention Industry Grants Programme,” Brandis said.

“The programme delivers on the government’s commitment to make a substantial financial contribution to service providers’ upfront costs of meeting their data-retention obligations, with particular emphasis on support for smaller providers.

“Most providers will receive a grant of 80 percent of their implementation costs … service providers will receive 50 percent of their grant immediately upon signing a funding agreement. This will help businesses on their path to compliance. The remaining 50 percent will be paid upon the completion of reporting requirements.”

The AU$128.4 million data-retention grants program, announced in January, was designed to cover the costs caused by upfront compliance with the newly passed data-retention legislation.

It has been divided between 180 ISPs, with the smallest amount being AU$10,000, received by ISP Arris, and the most received by Telstra.

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, passed by the Australian government in March, came into effect last October. It will see customers’ call records, location information, IP addresses, billing information, and other data stored for two years by telcos, accessible without a warrant by law-enforcement agencies.

In April, small operators said they were continuing to do nothing about data-retention compliance due to the costs associated, according to Communications Alliance CEO John Stanton.

“Many service providers — particularly smaller operators — have told us that they are doing very little or nothing to build their compliance capabilities at the moment,” Stanton said at the time.

“Who can blame them — if they start investing in new systems now, without knowing how much of that investment will remain unfunded once the subsidies arrive, they are putting themselves at risk of bankruptcy.

“Other operators have been investing in compliance measures, but are doing so in an ongoing climate of uncertainty.”

Stanton on Monday afternoon welcomed the grants allocation announcement, saying the government has “done a reasonable job of apportioning the limited funds available”.

“Some of the larger players face heavy unfunded expenses to meet their compliance requirements,” he added, however.

“But the lengthy delay in finalising the grants process has put many services providers under immense pressure to complete, on time, the work to enable them to comply with this regime.

“The government should acknowledge that these delays have made compliance more difficult to achieve within the prescribed time frame.

“The Attorney-General should publicly commit that no action will be taken, come April next year, against any service provider that is genuinely working to comply with the regime, but has been disadvantaged by the slow pace of decision making.”


Henry Sapiecha

Intel snaps up Movidius to create future computer vision, virtual reality tech

The deal may propel Intel further into next-generation technologies including VR, drones and artificial intelligence.



Intel has announced the acquisition of Movidius, a chip manufacturer focusing on developing next-generation computer sensing and vision technology.

San Mateo, California-based Movidius, which already counts Google and Lenovo as customers, develops sight capabilities for machines and PCs.

The company’s vision processing unit (VPU), its core product, is a platform for on-device vision processing which works in tandem with Intel RealSense technology to give computer systems the capability to view 3D images, understand surroundings and objects, and then react accordingly.

This technology can be found within drones, security cameras, artificial intelligence and virtual reality, and as these industries develop, the potential use for such inventions will also increase.

The financial terms of the deal were not disclosed.

Remi El-Ouazzane, CEO of Movidius, said in a blog post that Movidius will continue to focus on the “mission to give the power of sight to machines,” but the deal will give the firm’s development teams more resources to boost research and execute at scale.

The executive also revealed that Movidius has recently begun to focus on granting “sight” to low-power hardware, a complex task considering the use of sophisticated algorithms at the device level. At Intel, this challenge will continue, but cloud computing and networking will also be included in the project.

“When computers can see, they can become autonomous and that’s just the beginning,” El-Ouazzane commented. “We’re on the cusp of big breakthroughs in artificial intelligence. In the years ahead, we’ll see new types of autonomous machines with more advanced capabilities as we make progress on one of the most difficult challenges of AI: getting our devices not just to see, but also to think.”

In August, Intel revealed Project Alloy, a virtual reality headset which combines RealSense technology with battery power, allowing users to experience what Intel CEO Brian Krzanich called a “merged reality.”

Considering Movidius’ specialisation in power-limited devices and VR, the combination of both companies’ technology appears to be a solid fit — and that may only scrape the surface of what Intel plans for the new acquisition.

“We see massive potential for Movidius to accelerate our initiatives in new and emerging technologies,” said Josh Walden, Senior Vice President and General Manager of Intel’s New Technology Group. “The ability to track, navigate, map and recognize both scenes and objects using Movidius’ low power and high-performance SoCs opens up opportunities in areas where heat, battery life and form factors are key.”


Henry Sapiecha


Russian internet giant hacked, leaking a massive 98 million accounts

The internet giant stored passwords in unencrypted plaintext.


The Russian internet portal and email provider has become the latest victim in a growing list of historical hacks.

The breach notification site, which obtained a copy of an internal customer database, said the breach dates back to February 17, 2012.

More than 98.1 million accounts were in the database, including usernames, email addresses, social account data and passwords, the group said in a blog post. Unlike other major breaches, those passwords were stored in unencrypted plaintext: anyone holding the dump can read every password directly, with no hash cracking needed, and try it wherever the same password was reused.

The last time a breach on this scale was found with plaintext password storage was the Russian social networking site, which saw 171 million accounts taken. It now joins the hacked ranks of LinkedIn and in 2012, and MySpace and Tumblr in 2013.

LeakedSource said it had verified the breach, and has added the cache into its searchable database. is one of the largest websites in the world, and one of the most visited in Russia. Founded in 1996, the company provides search, news, email, and advertising, making it a powerhouse of the Russian internet. The company competes with Yandex, and (which also owns which made headlines for a second time this year for suffering at the hands of hackers again.

We reached out to prior to publication, but did not hear back. If that changes, we’ll update the piece.


Henry Sapiecha

Thousands of security threats happen every five minutes


In just five minutes, files on a company’s network can be encrypted and beyond its reach, according to Rik Ferguson, vice president of Security Research at Trend Micro.

Trend Micro has seen a lot of development around ransomware capabilities targeting businesses rather than consumers, Ferguson said during his keynote speech at Cloudsec Australia 2016 in Sydney on Thursday, with 1,800 new threats released out into the wild every five minutes.

Additionally, he said that more than 800,000 people are exposed to malicious URLs, exploit kits, phishing websites, malware, spam, and threats every five minutes, with almost 7,000 records on average being exposed in the same timeframe.

“Just so we can measure the speed of things, the fastest trains today … can reach top speed of about 450km/h. That means in five minutes, you can travel close to 40 kilometres. That’s an incredible distance to be able to go in a very, very short period of time,” Ferguson pointed out.

“It gives you an idea of really how short that time is. In five minutes, [aside from] propelling you across the surface of the earth, it can also result in a number of other things.

“If you were hit by a crypto ransomware attack, within five minutes, all of the files on your computer or the files, god forbid, on all of the computers on your network … can be encrypted and beyond your reach unless you paid criminals some money.”
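The five-minute figure sets the budget for any detection: a rate-based check has to fire while the encryptor is still working through the share. The following is an added example, not Trend Micro's code or anything from the original article. It watches per-process file writes and alerts when one process rewrites many files with ciphertext-looking (high-entropy) content inside a short window. The event format, thresholds and the three simulated processes are assumptions constructed for the example.

```python
"""Added example: burst detector for the encrypt-everything-in-minutes pattern.
Thresholds, event format and sample streams are assumptions for this example."""
import math
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # assumption: look-back window per process
FILES_PER_WINDOW = 20      # assumption: writes in the window before we judge
HIGH_ENTROPY = 7.0         # bits/byte; ciphertext sits near 8, documents far lower
HIGH_ENTROPY_RATIO = 0.8   # share of writes in the window that must look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sampled write."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BurstDetector:
    """Sliding window of recent writes per process; fires at most once per pid."""

    def __init__(self):
        self.windows = defaultdict(deque)   # pid -> deque of (ts, looks_encrypted, path)
        self.alerted = set()

    def observe(self, ts: float, pid: int, path: str, sample: bytes):
        """Feed one write event; `sample` is the first bytes of the written file.
        Returns an alert dict when the pid crosses the thresholds, else None."""
        window = self.windows[pid]
        window.append((ts, shannon_entropy(sample) >= HIGH_ENTROPY, path))
        while ts - window[0][0] > WINDOW_SECONDS:   # drop events older than the window
            window.popleft()
        if pid in self.alerted or len(window) < FILES_PER_WINDOW:
            return None
        high = sum(1 for _, looks_encrypted, _ in window if looks_encrypted)
        if high / len(window) < HIGH_ENTROPY_RATIO:
            return None
        self.alerted.add(pid)
        return {"pid": pid, "at": ts, "files_in_window": len(window),
                "high_entropy": high, "last_path": path}


def run_simulation():
    """Constructed event streams: a backup job, an archiver and an encryptor."""
    rng = random.Random(1)   # deterministic stand-in for ciphertext

    def ciphertext() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(2048))

    document = b"Quarterly report, patient intake figures, line item\n" * 40
    det = BurstDetector()
    alerts = []
    # backup job (pid 101): 30 plain-text files, one per second -> many writes, low entropy
    for i in range(30):
        alerts.append(det.observe(1000 + i, 101, f"/backup/report{i}.txt", document))
    # archiver (pid 202): 5 compressed files -> high entropy but far too few writes
    for i in range(5):
        alerts.append(det.observe(1000 + i, 202, f"/tmp/archive{i}.zip", ciphertext()))
    # encryptor (pid 4242): one file every 2 s, ciphertext, new extension
    for i in range(25):
        alerts.append(det.observe(1000 + 2 * i, 4242, f"/share/doc{i}.docx.locked", ciphertext()))
    return [a for a in alerts if a]


if __name__ == "__main__":
    for alert in run_simulation():
        print(alert)
```

In the simulation the encryptor is caught on its 20th file, 38 seconds in, while the backup job (many writes, readable content) and the archiver (encrypted-looking content, few writes) stay quiet. Real deployments pair this with canary files and process-tree context, and the response must be automatic (suspend the process, cut the share) because a human will not read the alert within the remaining minutes.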

Ferguson said that universities, corporations, individuals, and healthcare organisations are all being targeted by ransomware that is being developed with specific capabilities to target enterprise.

“Ransomware used to be a consumer thing that would go after your computer, your things, and encrypt all that knowing that if you wanted to get all the files back, you were going to pay the ransom,” he said.


“Over the course of the last calendar year, we saw 29 new families of ransomware, which was already a huge jump on the 13 in the year before that. In the first half of this year, we’ve already seen 79 new families of ransomware, which is a massive increase.”

He said that criminals are investing time, money, and expertise into creating new tools, tool kits, and delivery mechanisms to get ransomware out there, because “this stuff pays dividends”.

“One of the Trend Micro competitors out there, a startup, is offering a ransomware guarantee — but their guarantee is not you’ll never get hit by it; it’s that if you do get hit by it, they’ll pay the ransom for you. That’s a cybersecurity company offering to give money to criminals,” he said.

Over the last few years, Trend Micro has also seen an uptick in what Ferguson called business email compromise, or CEO fraud, which he said is a basic scam that pays criminals a lot of money.

“It’s really simple. It’s a criminal doing the research upfront, identifying the target organisation, looking at who fulfills which role, and then sending a fake email into that company or compromising a mailbox that belongs to an employee of that company,” he said.

“[The criminals] target an email of the right victim, quite often the CFO or someone responsible in the finance department of the business, with requests from a known colleague to pay outstanding money or wire transfer money to a third-party supplier, often abroad, who is fictitious.”


He said this practice has been hugely successful, with $2.3 billion lost to CEO compromise or fraud between 2013 and 2015, with an estimated 79 different countries being affected.

“A certain Australian government department, local council, lost over AU$200,000 to this scam by paying fake invoices. That’s AU$200,000 of your money, I guess, at the end of the day,” he said.

“Australia is not immune. You have the — I don’t know if it’s the good fortune or the misfortune — to speak one of the simplest and most widespread languages on the planet, and it’s the most-targeted language when it comes to cybercrime globally.”
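The scam Ferguson describes leaves fingerprints in the message headers before anyone reads the request: an executive's display name on an outside address, a sender domain one character away from the real one, a Reply-To that redirects the conversation, and payment language. The following is an added example, not Trend Micro's or the FBI's tooling, of header-level triage for that pattern. The organisation domain, the executive directory and the three messages are constructed for the example.

```python
"""Added example: header triage for CEO-fraud / business email compromise.
CORP_DOMAIN, EXECUTIVES, PAYMENT_WORDS and the messages are constructed."""
import email
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                           # assumption: the target's domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumption: people worth impersonating
PAYMENT_WORDS = ("wire transfer", "urgent", "outstanding invoice",
                 "new bank details", "payment")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches examp1e.com / exarnple.com style domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """Close in edit distance to the real domain, or reusing its first label."""
    if not domain or domain == CORP_DOMAIN:
        return False
    label = CORP_DOMAIN.split(".")[0]
    return edit_distance(domain, CORP_DOMAIN) <= 2 or label in domain


def score_message(raw: str):
    """Return (indicator_count, reasons). Payment wording alone is not enough."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reasons = []

    expected = EXECUTIVES.get(name.casefold())          # display-name impersonation
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' is an executive but sender is {addr}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))    # replies routed elsewhere
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To {reply_to} points away from sender domain {from_domain}")

    if is_lookalike(from_domain):                       # registered lookalike domain
        reasons.append(f"sender domain {from_domain} looks like {CORP_DOMAIN}")

    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits:
        reasons.append("payment language: " + ", ".join(hits))
    return len(reasons), reasons


def should_hold(raw: str) -> bool:
    """Two or more independent indicators -> hold for out-of-band verification."""
    return score_message(raw)[0] >= 2


# Constructed messages for the example.
FRAUD = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jane.doe.ceo@freemail.test>
To: cfo@example.com
Subject: Urgent wire transfer

Please process the outstanding invoice today. I am in meetings, reply here.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 planning

Agenda attached for Thursday.
"""

VENDOR = """\
From: "Accounts" <billing@northwind-parts.test>
To: cfo@example.com
Subject: Payment reminder

Your outstanding invoice is due next week.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD), ("legit", LEGIT), ("vendor", VENDOR)):
        print(label, should_hold(raw), score_message(raw)[1])
```

The fraudulent message trips all four indicators; the genuine internal mail trips none; the supplier reminder trips only the payment-language check and is let through, which is the point of requiring two indicators. None of this replaces the control that actually stops the loss: a call-back on a known number before any change of bank details or an unscheduled transfer.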

Aside from being a VP with Trend Micro, Ferguson is also special adviser to Europol, project lead with the International Cyber Security Prevention Alliance, vice chair of the Centre for Strategic Cyber Security and Security Science, and an advisor to various UK government technology forums.

Also speaking at Cloudsec Australia 2016, Timothy Wallach, Supervisory Special Agent Cyber Taskforce with the FBI, said the two most significant increases the FBI has seen over the last couple of years have been ransomware or extortion, and business email compromise.

“This is probably the reason why we are seeing a decrease in the number of records stolen, because these schemes are much easier to monetise than compromising a network, stealing information, getting it to the dark web, and eventually on an online market,” he said.

When it comes to consumer ransomware, Wallach said the requested amount is somewhat affordable, at around $450 to $500. However, this is a lot different in an enterprise environment, as the ransom is usually based on the number of endpoints or the servers that are compromised.

“If an organisation has 30,000 endpoints in its network and potentially that many endpoints have been struck with ransomware, it’s generally 30,000 times one bitcoin,” he said.

“The FBI does not recommend paying your ransom. That’s a business decision an organisation has to make.

“When organisations pay ransom, they’re involved in the criminal activity. It’s encouraging the scheme to continue.”

Additionally, Wallach highlighted that paying a ransom does not always mean that you are left with a clean system, or that everything an organisation had initially lost has been recovered.

“Whatever infected your organisation in the first place is still there,” he said. “What we do recommend is prevention, business continuity, and remediation.”


Henry Sapiecha

Dropbox hack leaks 68 million usernames and passwords

A hack dating back to 2012 reportedly resulted in the breach of far more user information than previously believed.



Wait, how many accounts were affected by a 2012 hack on Dropbox? About 68 million, according to multiple reports.

Back in 2012, Dropbox disclosed that a hacker had accessed its internal systems and obtained a list of user email addresses. It didn’t say the list included passwords.

Now Motherboard, security expert Troy Hunt and online leak-tracker LeakedSource have each reported reviewing stockpiles of Dropbox account information. The data includes email addresses as well as passwords, stored as salted hashes rather than in plaintext (the original reports describe them as “encrypted”).

Dropbox head of trust Patrick Heim confirmed in a statement that the usernames and passwords were from mid-2012. The company said all customers who haven’t updated their passwords since that time period have been required to change their passwords.

Heim also reminded users that they should think about whether they reused their Dropbox passwords in other accounts.

“While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites,” Heim said in a statement.


Henry Sapiecha

Evidence points to another Snowden at the NSA, it appears


In the summer of 1972, state-of-the-art campaign spying consisted of amateur burglars, armed with duct tape and microphones, penetrating the headquarters of the Democratic National Committee. Today, amateur burglars have been replaced by cyberspies, who penetrated the DNC armed with computers and sophisticated hacking tools.

Where the Watergate burglars came away empty-handed and in handcuffs, the modern-day cyber thieves walked away with tens of thousands of sensitive political documents and are still unidentified.

Now, in the latest twist, hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block. Once again, the usual suspects start with Russia – though there seems little evidence backing up the accusation.

In addition, if Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook. Once revealed, companies and governments would patch their firewalls, just as the bank would change its combination.

A more logical explanation could also be insider theft. If that’s the case, it’s one more reason to question the usefulness of an agency that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.

In what appeared more like a Saturday Night Live skit than an act of cybercrime, a group calling itself the Shadow Brokers put up for bid on the Internet what it called a “full state-sponsored toolset” of “cyberweapons.” “!!! Attention government sponsors of cyberwarfare and those who profit from it !!!! How much would you pay for enemies cyberweapons?” said the announcement.

The group said it was releasing some NSA files for “free” and promised “better” ones to the highest bidder. However, those with losing bids “Lose Lose,” it said, because they would not receive their money back. And should the total sum of the bids, in bitcoins, reach the equivalent of half a billion dollars, the group would make the whole lot public.

While the “auction” seemed tongue in cheek, more like hacktivists than Russian high command, the sample documents were almost certainly real. The draft of a top-secret NSA manual for implanting offensive malware, released by Edward Snowden, contains code for a program codenamed SECONDDATE. That same 16-character string of numbers and characters is in the code released by the Shadow Brokers. The details from the manual were first released by The Intercept last Friday.

The authenticity of the NSA hacking tools was also confirmed by several ex-NSA officials who spoke to the media, including former members of the agency’s Tailored Access Operations (TAO) unit, the home of hacking specialists.

“Without a doubt, they’re the keys to the kingdom,” one former TAO employee told the Washington Post. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.” Another added, “From what I saw, there was no doubt in my mind that it was legitimate.”

Like a bank robber’s tool kit for breaking into a vault, cyber exploitation tools, with codenames like EPICBANANA and BUZZDIRECTION, are designed to break into computer systems and networks. Just as the bank robber hopes to find a crack in the vault that has never been discovered, hackers search for digital cracks, or “exploits,” in computer programs like Windows.
The most valuable are “zero day” exploits, meaning there have been zero days since the maker of a program such as Windows discovered the “crack” in it. Through this crack, the hacker would be able to get into a system and exploit it, by stealing information, until the breach is eventually discovered and patched. According to the former NSA officials who viewed the Shadow Broker files, they contained a number of exploits, including zero-day exploits of the kind the NSA often pays private hacking groups thousands of dollars for.

The reasons given for laying the blame on Russia appear less convincing, however. “This is probably some Russian mind game, down to the bogus accent,” James A. Lewis, a computer expert at the Center for Strategic and International Studies, a Washington think tank, told the New York Times. Why the Russians would engage in such a mind game, he never explained.

Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents.

So, if Snowden could not have stolen the hacking tools, there are indications that after he departed in May 2013, someone else did, possibly someone assigned to the agency’s highly sensitive Tailored Access Operations.

In December 2013, another highly secret NSA document quietly became public. It was a top secret TAO catalog of NSA hacking tools. Known as the Advanced Network Technology (ANT) catalog, it consisted of 50 pages of extensive pictures, diagrams and descriptions of tools for every kind of hack, mostly targeted at devices manufactured by U.S. companies, including Apple, Cisco, Dell and many others.

Like the hacking tools, the catalog used similar codenames. Among the tools targeting Apple was one codenamed DROPOUTJEEP, which gives NSA total control of iPhones. “A software implant for the Apple iPhone,” says the ANT catalog, “includes the ability to remotely push/pull files from the device. SMS retrieval, contact-list retrieval, voicemail, geolocation, hot mic, camera capture, cell-tower location, etc.”

Another, codenamed IRATEMONK, is, “Technology that can infiltrate the firmware of hard drives manufactured by Maxtor, Samsung, Seagate and Western Digital.”

In 2014, I spent three days in Moscow with Snowden for a magazine assignment and a PBS documentary. During our on-the-record conversations, he would not talk about the ANT catalog, perhaps not wanting to bring attention to another possible NSA whistleblower.

I was, however, given unrestricted access to his cache of documents. These included both the entire British, or GCHQ, files and the entire NSA files.

But going through this archive using a sophisticated digital search tool, I could not find a single reference to the ANT catalog. This confirmed for me that it had likely been released by a second leaker. And if that person could have downloaded and removed the catalog of hacking tools, it’s also likely he or she could have also downloaded and removed the digital tools now being leaked.

In fact, a number of the same hacking implants and tools released by the Shadow Brokers are also in the ANT catalog, including those with codenames BANANAGLEE and JETPLOW. These can be used to create “a persistent back-door capability” into widely used Cisco firewalls, says the catalog.

Consisting of about 300 megabytes of code, the tools could easily and quickly be transferred to a flash drive. But unlike the catalog, the tools themselves – thousands of ones and zeros – would have been useless if leaked to a publication. This could be one reason why they have not emerged until now.

Enter WikiLeaks. Just two days after the first Shadow Brokers message, Julian Assange, the founder of WikiLeaks, sent out a Twitter message. “We had already obtained the archive of NSA cyberweapons released earlier today,” Assange wrote, “and will release our own pristine copy in due course.”

The month before, Assange was responsible for releasing the tens of thousands of hacked DNC emails that led to the resignation of the four top committee officials.

There also seems to be a link between Assange and the leaker who stole the ANT catalog, and the possible hacking tools. Among Assange’s close associates is Jacob Appelbaum, a celebrated hacktivist and the only publicly known WikiLeaks staffer in the United States – until he moved to Berlin in 2013 in what he called a “political exile” because of what he said was repeated harassment by U.S. law enforcement personnel. In 2010, a Rolling Stone magazine profile labeled him “the most dangerous man in cyberspace.”

In December 2013, Appelbaum was the first person to reveal the existence of the ANT catalog, at a conference in Berlin, without identifying the source. That same month he said he suspected the U.S. government of breaking into his Berlin apartment. He also co-wrote an article about the catalog in Der Spiegel. But again, he never named a source, which led many to assume, mistakenly, that it was Snowden.

In addition to WikiLeaks, for years Appelbaum worked for Tor, an organization focused on providing its customers anonymity on the Internet. But last May, he stepped down as a result of “serious, public allegations of sexual mistreatment” made by unnamed victims, according to a statement put out by Tor. Appelbaum has denied the charges.

Shortly thereafter, he turned his attention to Hillary Clinton. At a screening of a documentary about Assange in Cannes, France, Appelbaum accused her of having a grudge against him and Assange, and that if she were elected president, she would make their lives difficult. “It’s a situation that will possibly get worse” if she is elected to the White House, he said, according to Yahoo News.

It was only a few months later that Assange released the 20,000 DNC emails. Intelligence agencies have again pointed the finger at Russia for hacking into these emails.

Yet there has been no explanation as to how Assange obtained them. He told NBC News, “There is no proof whatsoever” that he obtained the emails from Russian intelligence. Moscow has also denied involvement.

There are, of course, many sophisticated hackers in Russia, some with close government ties and some without. And planting false and misleading indicators in messages is an old trick. Now Assange has promised to release many more emails before the election, while apparently ignoring email involving Trump. (Trump opposition research was also stolen.)

Edward Snowden speaks via video link from Moscow to attendees at a discussion about an International Treaty on the Right to Privacy, Protection Against Improper Surveillance and Protection of Whistleblowers in New York City, September 24, 2015. REUTERS/Andrew Kelly

In hacktivist style, and in what appears to be phony broken English, this new release of cyberweapons also seems to be targeting Clinton. It ends with a long and angry “final message” against “Wealthy Elites . . . breaking laws” but “Elites top friends announce, no law broken, no crime commit[ed]. . . Then Elites run for president. Why run for president when already control country like dictatorship?”

Then after what they call the “fun Cyber Weapons Auction” comes the real message, a serious threat. “We want make sure Wealthy Elite recognizes the danger [of] cyberweapons. Let us spell out for Elites. Your wealth and control depends on electronic data.” Now, they warned, they have control of the NSA’s cyber hacking tools that can take that wealth away. “You see attacks on banks and SWIFT [a worldwide network for financial services] in news. If electronic data go bye-bye where leave Wealthy Elites? Maybe with dumb cattle?”

Snowden’s leaks served a public good. He alerted Americans to illegal eavesdropping on their telephone records and other privacy violations, and Congress changed the law as a result. The DNC leaks exposed corrupt policies within the Democratic Party.

But we now have entered a period many have warned about, when NSA’s cyber weapons could be stolen like loose nukes and used against us. It opens the door to criminal hackers, cyber anarchists and hostile foreign governments that can use the tools to gain access to thousands of computers in order to steal data, plant malware and cause chaos.

It’s one more reason why NSA may prove to be one of Washington’s greatest liabilities rather than assets.

About the Author

James Bamford is the author of The Shadow Factory: The Ultra-Secret NSA From 9/11 to the Eavesdropping on America. He is a columnist for Foreign Policy magazine.


Henry Sapiecha