* Posts by tr1ck5t3r

204 publicly visible posts • joined 13 Jun 2016


Spoof an Ethernet adapter on USB, and you can sniff credentials from locked laptops

tr1ck5t3r

Another hole plugged in the colander.

Users fear yet another hack as TalkTalk services go down

tr1ck5t3r

Re: So. WankWank's site is down

Funnily enough, they don't appear to know their porn filter called HomeSafe is not working either.

Fresh hell for TalkTalk customers: TeamView trap unleashed

tr1ck5t3r

I've been reporting this and other problems since Jan '15 to TalkTalk (numerous times), ActionFraud 3 or 4 times, and GCHQ last year, 3 days before it was announced in the news that TalkTalk were hacked.

Some of the problems seen on TalkTalk: trying to call the DVLA, 3 times the number would not connect (last Aug), so off to Google searching for a different DVLA number. I tried a number coming 3rd in the results and that was just a number which gave you a short message to say it was connecting you before you got a 2nd dial tone that put you through to the DVLA. I hung up at this point, tried the DVLA number and it then worked. I suspect it recorded the call to harvest the personal details you gave out to TalkTalk. Reported to ActionFraud.

When phoning one bank, every time I mentioned GCHQ the line went dead, forcing me to call the bank back. Twice this happened.

When trying to access some of the high-street banks online, not only were SSLv3 certs showing up in the browser, which we know is now compromised (POODLE iirc), but this could have been a MITM attack somewhere in the infrastructure, as the banks' certs were showing up as SSLv3 in the browser even when running from a Linux distro as a live CD (i.e. not installed). But these could have been compromised distros with matching hashes if the TalkTalk DNS and/or switches have been compromised to reroute you to fake look-a-likey Linux distro download sites.

Running VLANs at home for every device with default block and some reject rules for outgoing traffic, i.e. total lockdown of all ports & traffic, I've created rules to allow a device access to things like DNS, anything going out to a website, or for an internal device to talk to another internal device. Everything logged.

The reason for doing this is that when running NoScript to ad block, traffic is sent back to Google, and I had set the system up to block traffic to Google, as this extra reporting of your web activity to Google is what improves the results.

I've caught the TalkTalk TV box trying to connect to a W7 machine when there is no reason for doing so, but suspect it's tied in with a hidden W7 partition and series record for some TV programs being deleted. I've seen MITM attacks on forums like pfSense and UK media outlets with fake news stories, with attacks coming from the DailyMail.co.uk and the Akamai network which are picked up and blocked by Snort.

I've seen numerous times various W7 CDs direct from MS and other outlets installing a hidden partition which I can't find anything about, which can be remotely deleted using the UEFI BIOS. I even have a few photos of a phone showing an unknown number which called and then deleted the partition at the time it was being examined in the hex editor on an old Partition Magic live CD, as this is what you can do now with UEFI BIOS and Intel/AMD CPUs with out-of-band access/Wake on LAN.

I have seen various Linux distros get hacked even when running from a Linux live CD; Ubuntu 14.04.3 32-bit was the only one to complain about the 64MB malware that was on a USB stick, as it popped up the terminal window in the GUI complaining of a core OS problem before crashing it. Ubuntu MATE, Linux Mint, & Tails didn't even complain, neither did Windows. 64MB is small enough to sit in most hard drive cache controllers, so when you boot up, it can be loaded from disk, sit in the cache to avoid detection and then write itself back to disk when you shut down.

The 64MB malware on the USB stick was an unknown file system, and even I didn't recognise it when looking at it in a hex editor. I suspect this might have been Duqu 2.0, as I saw some references to it on the pfSense forums at the time when I was frequenting the pfSense forums.

Perhaps the hackers were confident they wouldn't get caught?

One of these hacks means you can't burn anything to CD from a live CD or even Windows. So if you attempt to burn anything from an infected Windows or Linux machine as evidence, you can't.

Backups have been trashed, so I now only burn to DVD and Blu-ray, i.e. read-only media.

I've seen what was the latest version of pfSense (middle of last year) install a virtual network interface called "nk0]" which gives you a backdoor into pfSense. I've seen pfSense ignoring block rules, letting traffic through.

I have photos of the screens and various firewall logs taken on an old digital camera after the evidence I was burning was not being burnt.

Windows updates were being interfered with, and because Windows wants to download updates one by one, unlike Linux apt-get update && upgrade, not only were Windows updates being stalled, but when using a TalkTalk line to ask for a video camera to record the screen of the affected Windows machines, the Windows updates mysteriously started working again!

I know from professional contacts there is a UK phone company that uses Windows to do its billing software, which suggests a Windows machine is hooked up to BT Openreach for itemised billing.

When these hackers have called the TalkTalk line, if you don't answer it but ring the number back, it plays a message saying the call cannot accept incoming calls, but even those who are ex-directory will get a call back from the hackers within an hour or so, which suggests the billing system of TalkTalk is still compromised even today. Again all reported to TalkTalk and ActionFraud.

On the point of the advice being given out by computer crime agencies, they want you to contact them by email, but if a business hosts their own email or web and has been hacked, then you don't have any way to get in touch, as they don't/didn't have a phone number to call, which is what prompted me to call GCHQ last year before it was announced TalkTalk was hacked. The Police couldn't investigate anything encrypted, even when spotting unknown encrypted traffic heading to Argentine servers.

Banks using local-rate numbers for telephone banking must give out a normal UK number for overseas callers, but some of these are well hidden so the banks can claw back a few pence from customers calling them. Since then at least one bank has switched over to an 0800 freephone number, as customers looking for the UK number for overseas callers were seeing the wrong number when using Google to search for it.

I've seen rsyslog dropping syslog messages, which is a bug, so unless you have tested it by sending it your own messages to stress test it, you wouldn't know you are not getting all the syslog messages.

So all in all, when you add these all up, if connected, then someone or some group has been planning these hacks for at least a few years, quite possibly in retaliation for Snowden and the Five Eyes.

In a way people's laziness has been exploited, because unless you go to the effort of logging and blocking everything leaving your systems, whilst checking images and storage devices frequently even if running read-only filesystems, you wouldn't know you have been hacked, much like Lizard Squad's attack.

No AV has to date reported anything on Windows, but then if this hidden partition I have found is some sort of virtualisation software loading before Windows, then Windows AV will never find it. Interestingly, even a phone call to Kaspersky to sell them a copy of the malware I have caught didn't go anywhere, but then if the TalkTalk phone system has been hacked, how do you know you aren't talking to the hackers (or spooks) if you have never spoken to the person at the call centre before?

Interesting times!
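One way to run the kind of stress test the post mentions for rsyslog, as an added example that is not from the post: send a burst of sequence-numbered syslog messages to the collector, then audit what it actually wrote for gaps and duplicates. It assumes the collector listens on UDP port 514 and writes the message text through unchanged; the `testhost` name, the `seqtest` tag and the sample log lines are constructed for the example.

```python
"""Stress-test a syslog collector for silently dropped messages (added example)."""
import re
import socket

# Matches the sequence marker this script embeds in each message.
SEQ_RE = re.compile(r"seqtest seq=(\d+)\b")


def build_message(seq: int, host: str = "testhost") -> bytes:
    # RFC 3164 line: <PRI> = facility user (1*8) + severity info (6) = 14.
    # The fixed timestamp is fine for a test; the collector re-stamps on receipt.
    return f"<14>Jun 13 12:00:00 {host} seqtest seq={seq}".encode()


def send_burst(count: int, host: str = "127.0.0.1", port: int = 514) -> int:
    """Fire `count` numbered messages at the collector as fast as UDP allows."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for seq in range(count):
            sock.sendto(build_message(seq), (host, port))
    finally:
        sock.close()
    return count


def audit_received(received_lines, expected_count: int) -> dict:
    """Compare what the collector logged against the burst that was sent."""
    counts = {}
    for line in received_lines:
        m = SEQ_RE.search(line)
        if m:  # ignore unrelated log lines
            seq = int(m.group(1))
            counts[seq] = counts.get(seq, 0) + 1
    missing = [s for s in range(expected_count) if s not in counts]
    duplicates = sorted(s for s, n in counts.items() if n > 1)
    loss_pct = 100.0 * len(missing) / expected_count if expected_count else 0.0
    return {"missing": missing, "duplicates": duplicates, "loss_pct": loss_pct}


# Constructed sample of a collector's output after a burst of 6 messages.
SAMPLE_LOG = [
    "Jun 13 12:00:00 testhost seqtest seq=0",
    "Jun 13 12:00:00 testhost seqtest seq=1",
    "Jun 13 12:00:00 testhost seqtest seq=1",
    "Jun 13 12:00:00 testhost sshd[123]: unrelated line",
    "Jun 13 12:00:00 testhost seqtest seq=3",
    "Jun 13 12:00:00 testhost seqtest seq=5",
]

if __name__ == "__main__":
    print(audit_received(SAMPLE_LOG, 6))
```

In practice, call `send_burst(n)` against the collector, then pass the lines it wrote (e.g. from /var/log/messages) to `audit_received(lines, n)`; a non-empty `missing` list means messages were lost somewhere between sender and disk.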

tr1ck5t3r

Re: This is interesting

The TalkTalk webmail access was using an SSLv3 cert for a period of time, but I don't think it would have been picked up by an automated PCI-DSS scan, based on what I have logged PCI-DSS scanners doing in the past.
