Project Insecurity

Type: Private
Industry: Computer security
Founder: Matthew Telfer
Headquarters: London, United Kingdom [1]
Products: Computer security tools, exploits, and educational content
Services: Education, exploit development, vulnerability analysis and remediation
Website: https://insecurity.sh/

Project Insecurity was a computer security organisation founded in 2018 [2] by Matthew Telfer that focused on educational resources, vulnerability identification and remediation, and exploit development. [1]

Since its formation in 2018, Project Insecurity responsibly disclosed and published a number of security flaws.

History

In April 2018, Project Insecurity released two exploits affecting live chat systems used by Internet service providers and financial corporations around the world. The affected vendors were Nuance Communications and LiveChat, both of whose products appeared to be vulnerable to bugs of a similar nature. These bugs could have allowed a malicious actor to obtain information about the affected companies' chat agents, such as the agent's name, email address and employee ID, together with details of the backend systems in use, which could in turn help an attacker gain a foothold within those networks.

One of the authors of these exploits was Kane Gamble, who was convicted and given a two-year prison sentence shortly after the exploits were disclosed. Gamble's sentencing was unrelated to any activity involving Project Insecurity; it was due to his involvement with Crackas With Attitude, a group that claimed responsibility for hacking the CIA, FBI and Department of Homeland Security. [3] Prior to his sentencing, Gamble had been attempting to show that he had reformed, not only by working alongside Project Insecurity to help secure the systems described above, but also by reporting vulnerabilities to companies such as T-Mobile USA of his own accord. [4]

In August 2018, Project Insecurity released a series of critical exploits for OpenEMR, an open-source electronic medical records system. More than 25 vulnerabilities were released in total, some of which would allow a malicious hacker to obtain full access to any machine running OpenEMR. Such a flaw could therefore be leveraged to expose the personal information of more than 100 million people worldwide, including 30 million US citizens. [5] [6] [7]


References

  1. Project Insecurity company page. LinkedIn. https://www.linkedin.com/company/project-insecurity (self-published source).
  2. "PROJECT INSECURITY LTD - Overview (free company information from Companies House)". beta.companieshouse.gov.uk.
  3. "Kane Gamble, British hacker, admits targeting heads of CIA, FBI". Washington Times. 2018. Retrieved 2018-05-05.
  4. "British teen who tried to hack CIA chief finds 'critical' T-Mobile flaw exposing customer accounts". International Business Times. 2018. Retrieved 2018-05-05.
  5. Project Insecurity. OpenEMR vulnerability report (PDF). https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf
  6. Shaun Nichols. "Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities". The Register. 7 August 2018. www.theregister.co.uk.
  7. "Health details of 100 million patients vulnerable to OpenEMR security flaw". SC Magazine UK. www.scmagazineuk.com.