Wednesday, September 7, 2011

Apple Gets It Up for Counterfeiting

John Theriault, formerly of the FBI and of Pfizer's anti-counterfeiting division, was hired by Apple. The recent wave of fake Apple stores appearing in China (23 so far) has prompted Steve Jobs and Apple to crack down on the clones. As Apple's global security chief, Theriault, champion of legitimate Viagra, outlined a plan in 2008 to eradicate the problem.

Why mention this on a security blog? Such fake stores sell equally fake hardware that is indistinguishable from the real thing in appearance. Besides using inferior internal parts, the clones can contain pre-installed malicious software, which puts user data at risk.

As always, we recommend strong authentication such as challenge-response and transaction data signing. Note the limit of that advice: it protects the transaction, not the data stored on a device that was compromised before it was ever switched on.

Monday, August 29, 2011

Keep your friends close...

Kent Brockman would know what to do.


Forbes recently unveiled the identity of "Comex", the hacker behind JailBreakMe.com. JailBreakMe exploited a vulnerability in iOS, on the iPad 2 among other devices, that allowed jailbreaking simply by visiting a website, at least until Apple released a patch.

As Forbes explains, Comex is actually Nicholas Allegra of Chappaqua, NY, a student at Brown University who describes jailbreaking as being as easy for him as "editing an English paper." At the end of the article, Forbes suggested Apple hire the young jailbreaking pioneer, probably a dream come true for Allegra, a self-described "Apple fanboy."

Apple has now done just that, deciding that rather than wage a back-and-forth war it should take the boy on as a summer intern. (We're sure they'd like to glean some skills from the lad, too.) Sony should take notice.

Tuesday, August 2, 2011

Zeus Targets Victims Using The RSA SecurID Breach as Bait

Malware writers are notorious for being flexible and oftentimes ahead of the curve when it comes to exploits. According to a post by Dan Raywood at SC Magazine, the latest targets are users of RSA SecurID, which was breached in March 2011, and who were told by none other than RSA that they were in "safe" hands. Now the nefarious and multifaceted Zeus has started to target RSA users as well. Victims receive a link to what purports to be a security scanner for exploits related to the RSA SecurID breach; running it installs a variant of the Zeus trojan. The RSA SecurID hack saga continues.

Zeus and other attacks on RSA SecurID users will increase. Phishing, spear phishing and man-in-the-middle attacks will be on the upswing, and more such breaches will come to light. The key thing is for institutions, whether small or large, to adopt as many preventative measures as possible to mitigate such risks.

Monday, July 25, 2011

Small is Beautiful - Hackers are PC and Target Small Firms

According to a WSJ piece, hackers are targeting small firms that are often unaware they are even victims, the "unknown unknowns." While big companies like Sony and Lockheed Martin make the headlines, many small businesses are targeted because they are easy picks for cyber criminals and have few defenses in place. Most do not even have an IT team and are thus vulnerable and often unaware of the hacks:
With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.
[snip]
In the time it takes to break into a major company like Citigroup Inc., a hacker could steal data from dozens of small businesses and not get detected, says Bryce Case Jr., a former hacker who broke into several government and corporate websites a decade ago and now runs an online message board for hackers called Digital Gangster. Now that small companies use computers, "the juice has become worth the squeeze," he says. "Even a pizza place has addresses, names and credit-card information."
Even small businesses have to adopt protective measures to inoculate themselves against these threats if they do not want to risk bankruptcy. They also lack the scale of large corporations, which governments might bail out on the classic too-big-to-fail logic. Malware comes in many forms, even in batteries, and there seems to be no hierarchy of hacking. Hackers are equal opportunity employers, after all, and seem to cherish diversity as much as the next liberal arts college when it comes to their victims. The era of PC (politically correct) hackers has just begun.

Saturday, July 23, 2011

Man-in-the-Battery Attack

The Man-in-the-Middle attack class seems to have a brand new addition. Charlie Miller, formerly of the NSA and now a researcher at the consultancy Accuvant, found that the microcontroller firmware in Apple laptop batteries is protected only by the chip vendor's default passwords. With those passwords, an attacker who already has code running on the machine can unlock the controller and rewrite its firmware, a place no OS reinstall or disk swap ever touches. He told Andy Greenberg of Forbes magazine:

“You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery.”

Miller plans to release a tool called "Caulkgun", which replaces the default passwords, at the Black Hat conference in August.

Friday, July 22, 2011

DNS Cache Poisoning Attack Hits Santander Bank In Brazil

Man-in-the-Middle attacks have emerged as the attack class of choice for sophisticated hackers, now that many institutions have adopted one-time password generators as a preventative measure against phishing and pharming.

DNS cache poisoning attacks are not yet common, and reported cases hitting banks are rarer still. Santander's Brazilian arm was just hit by one. The attackers poisoned the caches of the resolvers customers use to look up santander.com.br, so the name resolved to a server hosting a visually perfect copy of the site built to harvest customer credentials and passwords. The only giveaway would have been a glance at the browser's address bar: the clone was served over HTTP rather than HTTPS, presumably because the attackers could not obtain a valid certificate for the bank's domain, a detail the majority of users overlook.

So it might be too early to pronounce the death of one-time passwords for most user authentication, but for banking they are passé and old hat. Banks will have to adopt challenge-response and transaction data signing, since hackers continue to innovate on all fronts and keep adding to the man-in-the-middle class: man-in-the-phone, man-in-the-browser, browser poisoning and the DNS cache poisoning described here.

Wednesday, July 20, 2011

Activists Activate Attacks - Google Users Hacked Via IE


Google users are being victimized, apparently by politically motivated hackers. From the Google Online Security Blog:

We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft's temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

The exploit is IE-specific because only IE ships a handler for MHTML, a container format that stores a web page and its resources in one document. The flaw lets a crafted page abuse the mhtml: protocol handler to run script in the context of another website the victim is logged in to, which is why Google could partly blunt it with server-side defenses. The vulnerability had been public since January, but only recently saw serious use in targeted attacks.

As noted above, Microsoft issued a temporary Fixit; it has since shipped a permanent fix in its April 2011 security update (MS11-026), and anyone still relying on the Fixit alone remains exposed, as does their data. Users should also look into two-factor authentication to limit the damage from lost username and password data. Google Authenticator is one such tool, and 2D barcode technology exists for those seeking stronger challenge-response security. One caveat: a script-injection flaw like this one acts inside the victim's already-authenticated session, so a second factor at login does not stop it; it only limits what a stolen password is worth afterwards.

Tuesday, July 19, 2011

Apple Fixes JailBreak Hole, But Not For Long


Recently we wrote about JailBreakMe's latest hack to relieve your iOS device of its shackles.

Apple did not take long to respond to the exploit and released a security fix within two weeks of JailBreakMe 3.0, the only current option for jailbreaking an iPad 2, arriving.

One day later, the jailbreakers were back with an (anti)patch for the Apple patch. While not nearly as convenient as the last version (the hack now requires tethering to a computer and must be repeated on each reboot), the fact remains that Apple is once again exposed. The "bricking" threat for Apple iPhones we previously addressed (amongst others) on this blog continues to exist.

Monday, July 18, 2011

The Death of One-Time Passwords?

When Willie Sutton, the prolific US bank robber, was asked by a reporter on why he robbed banks he famously said "because that's where the money is."

A number of institutions have adopted one-time passwords as part of their two-factor authentication defenses. Banks have mainly instituted SMS OTPs for online banking, a cost-effective preventative measure against phishing and pharming. But as in every arms race, once the ante is raised the hackers keep pace with each security development. We have always argued that such measures are only a short-term solution, and that entities must plan for the looming worst-case scenarios sooner rather than later. With the emergence of a new class of man-in-the-middle attacks that run on the mobile phone's operating system itself, the Man-in-the-Phone (sometimes referred to as Man-in-the-Mobile or MitMo), more online banking users are now being targeted.

Zeus, one of the most successful Man-in-the-Middle malware families, has now emerged on Android after already targeting BlackBerry and Symbian. Zeus on mobile is often referred to as Zitmo. The Android variant poses as Rapport, Trusteer's trusted banking security application, harvests SMS OTPs and mobile transaction authentication numbers (mTANs), and forwards them to a central server. An OTP delivered to the phone is only as strong as the phone: once malware can read SMS, the second factor has been handed to the attacker along with the password the desktop trojan already stole.

We will start to see more and more variants of these malware applications and browser exploits as more institutions use "weak" security on mobile phones. Banks and other entities should take a closer look at adopting challenge-response and transaction data signing if they want to futureproof themselves rather than continue firefighting. The recent security attacks have shown that hackers are the modern day equivalents of Willie Suttons. There will be more to come.
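To make the difference concrete, here is an added worked example, not code from the original post or from any bank: a toy bank in Python that accepts a transfer either with an SMS OTP or with a challenge-response signature over the transaction data, and a Zitmo-style man-in-the-phone that forwards the OTP while the browser-side component rewrites the destination. The bank, the token, the customer and account names, the amounts and the truncated eight-hex-digit token display are all assumptions made for illustration. The same point applies to the Santander DNS poisoning post above: a cloned site that relays an OTP succeeds, one that would have to forge a signature over the real destination does not.

```python
"""Added worked example, not code from the original post or any bank: a toy
bank that accepts a transfer either with an SMS one-time password or with a
challenge-response signature over the transaction data, and a man-in-the-
phone that forwards the OTP while the browser side rewrites the transfer.
Customer, account and amount values are constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account_to: str
    amount_cents: int


def sign_transfer(key: bytes, challenge: str, transfer: Transfer) -> str:
    """What the signing token computes from what the customer keys in.
    The MAC covers the bank's challenge and the transaction details, so it is
    useless for any other destination, amount or session. Truncating to eight
    hex digits (an assumption, to mimic a small token display) keeps it
    readable; the bank still rejects any mismatch."""
    msg = f"{challenge}|{transfer.account_to}|{transfer.amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self) -> None:
        self.otps: set[tuple[str, str]] = set()        # outstanding SMS OTPs
        self.challenges: set[tuple[str, str]] = set()  # outstanding challenges
        self.keys: dict[str, bytes] = {}               # customer -> token secret

    def enroll_token(self, customer: str) -> bytes:
        self.keys[customer] = secrets.token_bytes(32)
        return self.keys[customer]

    # SMS one-time password flow --------------------------------------------
    def send_sms_otp(self, customer: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps.add((customer, otp))
        return otp

    def submit_with_otp(self, customer: str, transfer: Transfer, otp: str) -> bool:
        # The OTP proves the customer's phone saw a code; nothing ties it to
        # `transfer`, so the bank cannot tell which transfer was intended.
        if (customer, otp) not in self.otps:
            return False
        self.otps.remove((customer, otp))
        return True

    # Challenge-response + transaction data signing flow --------------------
    def issue_challenge(self, customer: str) -> str:
        challenge = secrets.token_hex(8)
        self.challenges.add((customer, challenge))
        return challenge

    def submit_with_tds(self, customer: str, transfer: Transfer,
                        challenge: str, signature: str) -> bool:
        if (customer, challenge) not in self.challenges:
            return False          # unknown, or already consumed: a replay
        self.challenges.remove((customer, challenge))
        expected = sign_transfer(self.keys[customer], challenge, transfer)
        return hmac.compare_digest(expected, signature)


INTENDED = Transfer("BR-0001-ALICE-RENT", 5_000)   # what Alice meant to send
TAMPERED = Transfer("BR-9999-MULE", 500_000)       # what the malware submits


def otp_under_mitm() -> bool:
    """Zitmo-style attack: the phone component forwards the SMS OTP and the
    browser component rewrites the transfer. True means the bank accepted it."""
    bank = Bank()
    otp = bank.send_sms_otp("alice")      # read off the phone by the malware
    return bank.submit_with_otp("alice", TAMPERED, otp)


def tds_under_mitm() -> bool:
    """Same attack against transaction data signing: Alice signs INTENDED on
    her token, the attacker submits TAMPERED with her signature."""
    bank = Bank()
    key = bank.enroll_token("alice")
    challenge = bank.issue_challenge("alice")
    signature = sign_transfer(key, challenge, INTENDED)
    return bank.submit_with_tds("alice", TAMPERED, challenge, signature)


def tds_honest_then_replay() -> tuple[bool, bool]:
    """The genuine transfer is accepted once; the identical signed request is
    rejected the second time because the challenge has been consumed."""
    bank = Bank()
    key = bank.enroll_token("alice")
    challenge = bank.issue_challenge("alice")
    signature = sign_transfer(key, challenge, INTENDED)
    first = bank.submit_with_tds("alice", INTENDED, challenge, signature)
    second = bank.submit_with_tds("alice", INTENDED, challenge, signature)
    return first, second


if __name__ == "__main__":
    print("OTP flow accepted tampered transfer:", otp_under_mitm())    # True
    print("TDS flow accepted tampered transfer:", tds_under_mitm())    # False
    print("TDS honest then replay:", tds_honest_then_replay())         # (True, False)
```

Run it and the tampered transfer goes through under the OTP flow and is refused under the signed flow; resubmitting a valid signed transfer is also refused because the bank consumes the challenge. The signature only helps if the destination and amount the customer keys into the token are the ones they actually checked, so the token display, not the browser, has to be what the customer reads.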

Wednesday, July 13, 2011

JailBreakMe is a Free Pass for Hackers

One year ago this month, the US Copyright Office granted a DMCA exemption that made jailbreaking legal in the USA, having found Apple's claims of copyright infringement unconvincing.

Now the popular hacker squad behind JailBreakMe has made jailbreaking your iPhone easier than ever. Jailbreaking, of course, is when users hack their own phone to gain the administrative access the manufacturer blocked. (On Android it's known as "rooting," as in obtaining "root" access.) Such access allows the installation of unofficial operating systems, custom ROMs, unapproved apps and more. Given the "approval" system imposed by the Apple App Store, jailbreaking can be very appealing.

JailBreakMe 3.0, the latest version of the software, does away with complicated procedures and tethering your iOS device, and lets you unlock all the extra goodies online, from a Safari browsing window, on JailBreakMe.com. The process is even reversible (handy, considering Apple's tight restrictions on warranty). Naturally, the site uses an unpatched iOS flaw to gain administrative rights. In this case, the flaw is in how Safari renders PDFs; once the site's code is running, the jailbreaking floodgates open.

However, where there's a JailBreakMe exploit, there's a legitimate security hole.

Sites like JailBreakMe make the process much simpler.

But if visiting the JailBreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone.

If they exploited the same vulnerability in a copy-cat manoeuvre, cybercriminals could create booby-trapped webpages that could - if visited by an unsuspecting iPhone, iPod Touch or iPad owner - run code on visiting devices.

A website like JailBreakMe is making it easy to jailbreak your iPhone or iPad - but it could also be said to be giving a blueprint to malicious hackers on how to infect such devices with malware.


To be clear, JailBreakMe doesn't create holes; it just exploits them. The problem is that if helpful hackers can get past Apple's (lack of) security, malicious hackers can too. While it might delay the JailBreakMe party somewhat, it is imperative that Apple patch the flaw to keep trojans from marching in. Browser poisoning is one such risk that users now face. As always, we recommend users adopt strong challenge-response and transaction data signing (TDS) authentication to limit what an infiltration can do.


One last note on jailbreaking:
Anyone worth their hacking salt can tell you about the dangers of "bricking." For the layman, "bricking" a device means rendering it completely useless as a tech object, i.e. like a brick. Jailbreaking and rooting both run the risk of bricking if not done precisely. This is why, much like an anesthesiologist and his varied patients, there are specific procedures for each device. The jailbreaking community is a dedicated one (the list for Android devices alone is staggering, as it should be considering the number of OS versions floating around).

Perhaps the scariest thing about this flaw is that a remote jailbreak initiated by fraudsters runs the same risk of destroying the phone, or at least voiding the warranty, as an adventurous (and legitimate) end user does. For a sloppy attacker, a device may simply be ruined before any real attacking occurs. On Android phones in particular, bootloaders are often unlocked for rooting purposes, breaking manufacturer rules and warranties. This is fine if the device owner accepts the consequences ahead of time, but what about those who don't care to wake up one day and find their device irreversibly altered? Users are now exposed on multiple potential vectors.

Thursday, June 30, 2011

Phish Speared By The FBI

One of the chief conspirators of a large phishing gang, Kenneth Lucas II, has just been sentenced to 11 years in prison, according to various news outlets including a piece by Dan Kaplan of SC Magazine:

Kenneth Lucas II, 27, of Los Angeles, who led the U.S. arm of a global phishing operation that resulted in more than 100 arrests in 2009, previously pleaded guilty to 49 counts of bank and wire fraud, aggravated identity theft, computer fraud and money laundering conspiracy. [snip] About 50 individuals from California, Nevada and North Carolina, in addition to another 50 Egyptian citizens, were charged.

Let's hope this sends a strong message to global outfits that they are not beyond the reach of the law. At least in Egypt that's the case, where there seems to be a rainbow at the end of the hacking pyramid.

Mobiles More Secure Than Desktops?


Symantec just released a whitepaper titled "A Window Into Mobile Device Security" examining the security risks that surround iOS and Android mobile devices in the enterprise market. Some key conclusions:

  • While offering improved security over traditional desktop-based operating systems, both iOS and Android are still vulnerable to many existing categories of attacks.
  • iOS’s security model offers strong protection against traditional malware, primarily due to Apple’s rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers.
  • Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today’s increasing volume of Android-specific malware.
  • Users of both Android and iOS devices regularly synchronize their devices with 3rd-party cloud services (e.g., web-based calendars) and with their home desktop computers. This can potentially expose sensitive enterprise data stored on these devices to systems outside the governance of the enterprise.
  • So-called “jailbroken” devices, or devices whose security has been disabled, offer attractive targets for attackers since these devices are every bit as vulnerable as traditional PCs.

As we enter a world where the smartphone is on the ascent and rapidly replacing the desktop for a number of enterprise and consumer applications, the bad guys will start pointing their guns there as well. Macs were relatively safer than Windows PCs simply because the cost/benefit of targeting them made no sense in the past; once Macs became more popular, the malware purveyors started targeting them too. Most Man-in-the-Middle attacks still target PCs, but a new generation of malware has emerged, and the mobile variant is often referred to as Man-in-the-Phone (also known as Man-in-the-Mobile or MitMo). Android malware like DroidKungFu started to populate many of the Android application stores, and applications that "stole" username/password credentials even managed to pass the strict Apple App Store process. There are also other ways of hijacking mobile platforms, such as exploiting zero-day vulnerabilities and browser poisoning.

The very success of smartphones will make it a juicier target for malware authors and hackers, even if they are relatively more secure now, as Symantec argues. Just don't get carried away with a false sense of security: that is precisely the mindset that allows hackers to successfully fire their salvos.

Wednesday, June 29, 2011

Military Personnel To Be Spear Phished

Gannett, publisher of Defense News, the highly regarded military and defense news website, was breached. Attackers stole contact information for current and retired military personnel and defense contractors:

On June 7, 2011, the Gannett Government Media family of websites suffered a cyber attack that resulted in some users being unable to access parts or all of the websites. We also discovered that the attacker gained unauthorized access to files containing information of some of our users. The information in those files included first and last name, userID, password, email address, the internal number we assigned to the account, and, if provided, ZIP code, duty status, paygrade, and branch of service.


Contact information like this is very useful for launching customized phishing, also known as spear phishing, which has a much higher success rate than the bulk variety. In fact, spear phishing coupled with zero-day vulnerabilities led to some of the biggest hacks of very large entities that had seemed impenetrable because of the security software they had adopted. It turned out the security products that were adopted and breached relied on "old" technology. Since the stolen files included passwords, anyone who reused that password on another account should assume it is now known. It is important to always keep one step ahead of the bad guys; they will never give up. Security should not be looked at as a cost in the IT department, but as something as important as the brand. We only learn the value of fire retardants and extinguishers after the house has burned down.

Dirty Rotten Scoundrels - Now Selling Malware

The world of fraudsters has long been dominated by mafioso and slickster-types. But now a new more cerebral kind has emerged. David Talbot in MIT's Technology Review has put together a great piece on these new digital scammers who "sell" scareware. The economics of it are so compelling that some people might be tempted to quit their day jobs; it seems to have become a billion dollar industry. The modern day equivalent of selling "protection" without the heavies in suits involved. One innovative provider of malware:
[snip] Innovative Marketing had some 600 employees and 34 servers disseminating malware, most of them operating from a traditional office complex in Kiev. The corporate empire included divisions that handled credit card payments, the call center in Ohio, and several adult websites that did double duty as vectors for the fake antivirus software. McAfee noted that Innovative Marketing logged 4.5 million orders during an 11-month period in 2008; at $35 per order, the annual revenue apparently neared $180 million. That's better than the $150 million that Twitter will pull in this year, according to an estimate by the market research firm eMarketer.
It has become so lucrative that some of these purveyors of malware have established rather sophisticated affiliate programs much like Amazon's:

One distributor, Avprofit.com, promised on its website that it would pay between $300 and $750 for every 1,000 installations in the United States, Canada, Great Britain, or Australia, where the chance is higher of encountering victims who can afford to pay what the fake warnings demand. Experience required: Avprofit sought hackers with "minimum average 250 installs per day."

Many of the affiliates do extremely well. SecureWorks, a unit of Dell, analyzed the distribution of a fake antivirus program called Antivirus XP 2008 via an outfit called Bakasoftware, which was based in Russia. According to documents provided by the hacker behind Bakasoftware, who went by the nickname Krab, one of his top affiliates was able to fool 154,825 people into installing copies of malware on their computers in 10 days, with 2,772 victims going on to enter their credit card numbers. If the documents are accurate, Krab's affiliate scuttled away with $146,524 in that brief period.

These malware vendors are very innovative and have been employing multiple vectors to "sell" their wares including poisoning search engines like Bing and Google and are now going after social networks like Facebook and Twitter as well:

[snip] search engines might be the predominant vector now, says Stefan Savage, a computer scientist at the University of California, San Diego. The scam artists play a variety of search optimization tricks to fool the algorithms that Google, Bing, and other engines use to determine which Web links to show in response to search requests. Generally, a page on an infected site (such as Kiwiblitz.com) is quietly stuffed with trendy search terms and links to images. Then the malicious players interlink pages—hundreds or thousands of them—so that the search engines' Web-crawling programs rank the infected page near the top for apparent popularity and relevance. Denis Sinegubko, a malware researcher in Russia, believes that criminals "have managed to hijack search results on the first pages of Google Image search for millions of keywords." As a result, he estimates, people clicked on poisoned image-search results 15 million times a month this past spring. Google says it has since reduced the number of malicious links in image searches by 90 percent from peak levels, and a spokesman emphasized that it continues to plug holes in its algorithms to head off new methods of attack. Google says that 0.5 percent of searches bring back returns that include at least one known malicious website. This might sound low, but given that Google handles more than a billion searches daily, it means that five million search returns every day bear a malicious link.

As long as the economics are so compelling we will see these scammers continue to innovate as we buffer our defenses. It seems like it will be one long slog with lots of collateral damage like the never ending War on Drugs.

Citigroup Falling Behind on TPS Reports

According to numerous media outlets, including The Wall Street Journal, one of Citigroup's own employees has been moving pennies from the penny tray:

A former Citigroup Inc. employee was arrested and charged with allegedly embezzling more than $19 million from the bank in "the ultimate inside job," federal prosecutors said on Monday.
[snip]

The case shows how management of increasingly complex derivatives transactions may create more illicit opportunities for staffers involved in their administration. Robert Jossen, a partner in the white-collar securities litigation practice at Dechert LLP, said such transactions involve "increasing use of sophisticated computer programs, electronic access and speed, none of which involves face-to-face interaction. This combination of factors may increase the temptation to seek personal gain."

[snip]
Mr. Foster allegedly put a phony contract or deal numbers in the reference lines for his wire transfers to make them look like they were for legitimate contracts.
Yet another (and another) inside job. While not exactly an attack, it remains an example of a company with poor security monitoring. Citigroup is lucky Mr. Foster just took money, and that they didn't lose face and valuable market capitalization, as well. This should be a cakewalk for Citigroup, compared to their previous mishaps; it's not that they have no experience with these things...

There is a solution to this, of course, to prevent future incidents. We've recommended strong two-factor authentication before, utilizing challenge-response and transaction data signing, for user-side transaction authentication. The same technology can be used on both ends, and authenticate employees and transactions internally at companies. This is important for non-repudiation purposes.

2FA: Squared.
(Stapler not included)

Tuesday, June 28, 2011

GeoHot, The Sony Effect, The Untouchables, and Jon Stewart

You wanna know how to get Capone? They pull a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. *That's* the *Chicago* way! And that's how you get Capone. Now do you want to do that? Are you ready to do that? I'm offering you a deal. Do you want this deal? - Malone (Sean Connery) from The Untouchables


George Hotz, nom-de-hack GeoHot, has just been hired by Facebook. If we jog our memories, he was the hacker who broke the Sony PS3's security and published its root signing key. After that, Sony came after him with the full force of the law and the DMCA. In his purported defense came the hackers' army, which turned Sony and its many affiliates into a digital pinata: the Sony Effect. Pick on one hacker and you get an army coming after you, or at least that is what hacktivists like Anonymous and LulzSec would have us believe. But behind all the noise of the "grey" hats lurk the malevolent hacks, and Sony et al. are forced to pick their fights, lest they be pushed into a corner by an anonymous army of keyboard commandos. As is often the case, The Daily Show with Jon Stewart highlighted the dilemma: go after the adolescents and you risk an outcry that shields those who are really criminal.

Monday, June 27, 2011

YouSendIt Founder/CEO Jailed For DDoS Attacks

The Department of Justice issued a press release stating that Khalid Shaikh, a founding member and former CEO of YouSendIt, a popular file-sharing site, pleaded guilty to launching denial-of-service attacks between December 2008 and June 2009 on the company's servers in San Jose, California:
Mr. Shaikh sent an ApacheBench computer code to YouSendIt’s servers. ApacheBench is a benchmarking program used for measuring the performance of computers known as web servers. ApacheBench was designed to determine the number of requests per second a server is capable of serving. By intentionally transmitting the ApacheBench program to YouSendIt’s servers, Mr. Shaikh was able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic.
Strictly speaking this was a DoS rather than a distributed one: ApacheBench (the ab load-testing tool that ships with Apache httpd) running from a single machine was enough to knock the servers over, which says something about how little capacity headroom they had. Still, this is one of the more insidious types of cybercrime, the inside job, which companies have to keep their guard up for at all times. It's a tough crime to... ahem, "Shaikh"... as former employees (in this case the founder and former CEO/CTO) have intimate knowledge of the inner workings of the IT infrastructure compared with outside attackers. Let's hope fewer former employees go rogue. After all, the DoJ just pulled off a "YouJailIt."

The Ugly Set Sail For Fail? - LulzSec Forced to Hang Up Their Spurs or Walk the Plank

There are two kinds of spurs, my friend. Those that come in by the door; those that come in by the window. - Tuco (The UGLY)
LulzSec, aka Lulz Security, announced that they were retiring after a 50-day rampage through the digital world. Many have speculated that the digital noose was tightening around them and that their high-profile antics and brags were coming to an end. So better to leave the party before the punch is finished? Or were they forced to leave by the bouncers or other digital attendees who were one better than them?

As hackers, LulzSec had the bravado of Tuco from "The Good, the Bad and the Ugly" and seemed to be in a constant Mexican standoff with the authorities. But it seems their gunslinging was limited to two rather simple methods that most schoolchildren armed with keyboards could have carried out:

1) SQL injection (pronounced "sequel", and maybe the inspiration for the constant repeat attacks)
2) DDoS, or Distributed Denial-of-Service

SQL injection is the digital equivalent of discovering that one type of window breaks easily and going after every one of them. The defense is equally well known, but it is not a database patch: the flaw lives in the application, which splices user input straight into the text of its queries. Using parameterized queries (prepared statements) everywhere, validating input, and running the application's database account with least privilege closes the window; keeping the database server up to date is necessary hygiene but does nothing for a query the application builds wrongly.
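As an added illustration (not LulzSec's code or anything from the original post), here is the broken window and the fixed one side by side in Python with the standard-library sqlite3 module: a login check that builds its SQL by string formatting, the same check with placeholders, and a user lookup that leaks every password through a UNION. The table, the users and the attacker payloads are constructed sample data; passwords are stored in plaintext only to keep the example short.

```python
"""Added example: SQL injection through string-built queries, and the fix.
Not code from the original post; the schema, users and payloads are
constructed sample data (passwords in plaintext only to keep it short)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: the kind of users table a small web app might have."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The broken window: user input is pasted into the SQL text, so it can
    change the query's structure, not just its values."""
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders. The driver hands the values to the engine
    separately from the query text, so a quote in the input is just a quote."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """A 'find user' page built the same careless way: a UNION in the input
    turns it into a dump of any column in any table."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


# Constructed attacker inputs.
BYPASS_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "nobody' UNION SELECT password FROM users --"


def demo() -> dict:
    conn = make_db()
    return {
        # Query becomes: ... AND password = '' OR '1'='1'  -> matches every row.
        "vuln_bypass": login_vulnerable(conn, "alice", BYPASS_PAYLOAD),
        # Same input as a bound value: no user has that literal password.
        "param_bypass": login_parameterized(conn, "alice", BYPASS_PAYLOAD),
        "param_honest": login_parameterized(conn, "alice", "correct horse"),
        # The '--' comments out the original closing quote; the UNION returns
        # the password column instead of usernames.
        "vuln_dump": sorted(lookup_vulnerable(conn, UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The string-built version logs in with a classic `' OR '1'='1` tail and coughs up the whole password column through a UNION; the placeholder version treats the same input as an opaque string and finds no such user. Patching the database server changes none of this, because the query text the application sends is the vulnerability.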

DDoS is not even really a "hack", more of an annoyance. It's as if you got the whole town to prank call your math teacher at the same time, so that nobody else can reach her. Mitigation is well understood, if not exactly simple: over-provisioned and distributed hosting (anycast, CDNs), upstream traffic scrubbing and rate limiting, so that the flood is absorbed before it reaches the origin servers.

As the noose tightened around LulzSec and their ugliness, and their identities exposed by better armed gunslingers, they were forced to walk the plank. Does the story of LulzSec end here like the Hacking for Girliez of 1990s and NY Times fame? Or will the authorities start to round them up one by one, with all their accessories to crime?

The key takeaway for most companies is to be proactive about security policies and never underestimate the hackers out there. It is always better to one-up them on best practices and adopt stronger measures than conventional wisdom dictates. After all, there will probably be a flood of copycat and SeQueL attacks in the not-so-distant future.

Wednesday, June 22, 2011

WordPress Forces Password Resets As A Precautionary Move


WordPress posted on its blog that:

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

Matt Mullenweg, founder of WordPress, chimed in that:

"There are 15 K plugins so happens sometimes. We haven't pissed off LulzSec yet. :)"

At least WordPress seems to have taken a rather draconian approach to stall and fend off hackers from their large user base, and also to avoid the Sony Effect of pissing off hackers. Let's hope more companies take pre-emptive strikes like these and nip hacks in the bud. Let's also hope they take stronger measures in the near future by adopting dynamic passwords and challenge-response based logins.

Tuesday, June 21, 2011

Sony France Hacked - A Lebanese and French Pair Beat LulzSec To The Bragging Rights

Over 177 thousand e-mail addresses from Sony Pictures France have been compromised using the standard ploy of SQL injection, as in most of the previous hacks of Sony fame (hence the Sony Effect). For a change this was not carried out by LulzSec or Anonymous, but by the self-identified Lebanese Idahc and French Auth3ntiq. They claim NOT to be black hats and that it is just a POC (proof-of-concept). Why a proof-of-concept was necessary for Sony after a battering of 20 hacks in the span of two months is anyone's guess, as we have all probably figured out that Sony's CSO has been on holiday for a while, and Idahc had already penetrated Sony Europe's and Sony Ericsson's defenses before.

LulzSec Apprehended? - At Least Now Essex Boys And Not Just Girls Are In The News

Law enforcement agencies in the UK, with the FBI in tow, have arrested a 19 year old as a member of the LulzSec gang of hackers (probably just an accessory to the crimes committed and not a perpetrator). Not much is known about the arrest, but it is clearly a day when Essex boys have started to make the news, and not just page 3 but the headlines nonetheless. Maybe Essex girls can make page one if they brush up on their hacking skills as well.
LulzSec (tweeting as The Lulz Boat) had this to say on the arrest:

Dropbox Dropped The Security Ball - Hacking Into Anyone's Account Was A Fingertip Away

For the span of roughly four hours any layman trying to access other people's accounts at Dropbox could have felt the same thrill as a hacker. In a post on Pastebin, a user describes how he noticed that there was no password control at Dropbox:
So I went to dropbox to change my password & the password change page looked flakey - I can't describe this in much more detail than to say that I clicked ok and nothing really seemed to happen. Did it work? Not sure, let's try the old password. Oh, it still works, so let's change it again. That appeared to work (I got a password updated message) - let's try the new password. Yup, good. Wait, I'm pretty sure I fat-fingered an extra character though -- etc. Which led to me realizing that any password at all was fine, at which point I logged into the accounts of two friends using 1-character passwords like 'q' and 'z'.
In response, Arash Ferdowsi, CTO of Dropbox, posted on the corporate blog:
Hi Dropboxers,
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

As more and more of us entrust our data jewels to the cloud, let's hope that services like Dropbox go on the offensive with regard to security practices and don't drop the ball. Let's hope they adopt stronger authentication methods than static username/password pairs, such as one-time passwords or, better yet, challenge-response based logins.
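An added example, not Dropbox's code (the post does not say what the faulty update changed): a fail-closed password check next to a constructed fail-open stand-in, with the deploy gate that would have refused to ship a verifier that accepts 'q' or 'z'. The usernames, passwords and work factor are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; a constructed choice for this example


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(users):
    # Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, derive(password, salt))
    return store


def verify_password(store, username, password):
    # Fail closed: unknown user or any mismatch is False, and the comparison
    # is constant-time so the answer does not depend on how many bytes matched.
    entry = store.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(derive(password, salt), expected)


def fail_open_verify(store, username, password):
    # Constructed stand-in for the kind of regression described above: the
    # password is never actually compared, so any value at all is accepted.
    return username in store


def auth_regression_check(verify, store, username, correct_password):
    # Deploy gate: the right password must pass, while an empty password, a
    # one-character guess and a near miss must all be rejected, as must an
    # unknown user. Run it against every build before the code goes live.
    if not verify(store, username, correct_password):
        return False
    for bad in ("", "q", "z", correct_password[:-1], correct_password + "x"):
        if verify(store, username, bad):
            return False
    return not verify(store, "no-such-user", correct_password)


if __name__ == "__main__":
    store = make_store({"alice": "correct horse battery staple"})
    secret = "correct horse battery staple"
    print("fail-closed verifier passes gate:",
          auth_regression_check(verify_password, store, "alice", secret))  # True
    print("fail-open verifier passes gate:",
          auth_regression_check(fail_open_verify, store, "alice", secret))  # False
```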

Monday, June 20, 2011

In Bitcoin We Trust - The Currency of Choice of Hackers Hacked

"Let this be an example to take the security of your wallet.dat files very seriously. I never thought bitcoin would attract criminals so quickly but yet here it is." -allinvain
While Bitcoin received undue publicity and attacks by politicians like Senator Charles Schumer, it has emerged as perhaps the world's first digital currency for physical goods and services (unlike digital currencies like Linden Dollars, with which you could only purchase virtual goods). Established in 2009 by Satoshi Nakamoto (assumed to be his nom-de-hack), it has taken on a life of its own. Although it is not a fiat currency and has no central banker, it has emerged as the new target of hackers as there is a real "tradable" value to it. While LulzSec, a prominent hacking group, accepted donations in Bitcoins (roughly 7,000 dollars' worth), new hacking groups have gone after Bitcoins as there is real money there. A new trojan/malware titled Infostealer.Coinbit has been identified as specifically going after Bitcoins. A Bitcoin user with the handle "allinvain" (quoted above) has claimed that he has been defrauded of 25,000 Bitcoins, which is the equivalent of almost 500 thousand USD depending on the exchange rate of the day. Maybe the politicians should let the hackers do the attacks to undermine the digital currency and let Ben Bernanke sleep well at night.

Friday, June 17, 2011

Sega Hacked By Keyboard Commandos - Joins Nintendo, Sony, Bethesda, Epic Et Al.

Sega has joined a glorious list of gaming industry titans and publishers that have been hacked. The hackers are clearly showing no remorse, and it seems this new game of hacking is more enjoyable to the keyboard commandos than Counter Strike or Sonic the Hedgehog ever was, as in Lulz Security's latest press release:
And that's all there is to it, that's what appeals to our Internet generation. We're attracted to fast-changing scenarios, and we can't stand repetitiveness, and we want our shot of entertainment or we just go and browse something else, like an unimpressed zombie. Nyan-nyan-nyan-nyan-nyan-nyan-nyan-nyan, anyway...
This is the Internet, where we screw each other over for a jolt of satisfaction. There are peons and lulz lizards; trolls and victims.
No one has yet claimed responsibility for the breach of the Sega Pass network. This is what Sega has revealed to the public about the breach:
Over the last 24 hours we have identified that unauthorised entry was gained to our SEGA Pass database. We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems.... We have identified that a subset of SEGA Pass members' email addresses, dates of birth and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text. Please note that no personal payment information was stored by SEGA as we use external payment providers, meaning your payment details were not at risk from this intrusion.

Battered Customers Wait For RSA SecurID Replacements

It has long been a mystery to many sociologists why women (it rarely is men) return to abusive relationships. Oftentimes, manipulation of the battered spouse/partner is cited as a reason. Doublespeak of course predated RSA's announcements and seems to have served many regimes well over the course of decades. Well, according to a WSJ piece, a lot of RSA SecurID customers cannot wait for their brand new security tokens to arrive, even if it means that they are at the mercy of hackers out there in the meantime:
That means it could take at least six to eight months to replace all of the tokens, and at least two months to replace a third of them. The manufacturing bottleneck could be even greater given RSA tokens typically expire after three years and must be replaced.
But this demonstrates that the Laws of Inertia apply beyond the realm of physics and couch potatoes to corporate and government IT departments as well. The latest round of hacks has clearly made headlines, but preventing current and future hacks requires a clean break from past best practices and an out-of-the-box mindset. Otherwise, we will see more and more prominent hacks, and one day they may be relegated to the inner pages of our daily rags, just as Iraq and Afghanistan hardly make the headlines anymore.

Citibank Breach - Are Hacks The New Subprime?

Is 210,000 the new 360,000?

It seems quite a while since numeracy was a prerequisite for bankers. During the subprime mortgage gold rush of the 2000s, income numbers were thrown out of the window and replaced with fuzzy logic like future potential income etc... It seems that hack announcements by institutions are the new subprime asset class, where the numbers clearly do not add up. Bankers are now employing Quantitative Easing (QE henceforth) when it comes to their announcements. So Citibank has just now announced that it was not 200K-plus, but over 360K victims. As in a previous blog post of ours, we wonder how much more inflation the hack victim numbers will suffer, and when and if the whole truth will be revealed:
Citibank admits to a security breach affecting over 210,000 customers. They admitted it one month after the cyberattack. Are there more damaging releases that have been withheld? Is this the drip water torture of Chinese fame? How do we know this is the truth, the whole truth and nothing but the truth? Is it like the doublespeak of RSA fame? Is it one of a string of damning breaches of Sony fame?

Thursday, June 16, 2011

Who You Gonna Call? Hackbusters Needed Against Keyboard Commandos

While Wall Street has deemed security software vendors to be the New New Thing, all entities with a digital footprint are probably looking for a higher authority out there to help them navigate these choppy waters while the Lulz Boat and others are sailing. Strong security procedures built from the ground up, coupled with the latest advancements in security software, are prerequisites. Furthermore, entities have to close loopholes by institutionalizing security at every level of the corporate hierarchy. It cannot be looked at as a cost in your P/L statement, otherwise you run the risk of your brand being tarred-and-feathered by keyboard commandos. Digital security has finally made it to the boardroom and cabinet/ministerial level just like ERP had in the 1980s and 1990s. ERP is now the boring part of enterprise applications due to its wide success, adoption and institutionalization. Let's hope that digital security will also become a given, and no longer a daily touching/embarrassing/scandalous subject.

Death, Taxes And Now Hacks??

If Benjamin Franklin were around today, he might have written in his correspondence with Jean-Baptiste Leroy that "in this world nothing can be said to be certain, except death, taxes and hacks." Every day passes by, and another government curries favor with the "hacktivists." The list includes governments ranging from the United States to Uganda to Israel to Spain to Turkey and now Malaysia. Every upset kid spurned by society and armed with an Internet connection (preferably the neighbors' Wi-Fi) can launch a series of attacks. Of course not all attacks are created equal, and the more sinister types remain unmentioned and usually unnoticed. Oftentimes, the more insidious hackers go for the digital jugular and can remain parasitic on host systems until it's too late. Governments, enterprises and entities should adopt stronger security software and help protect against such intrusions. CIOs and CSOs should not be lulled into complacency and should look proactively for robust security software. Hacks are the new Tax of the digital era, and if we adopt strong defenses we will avoid paying the highest price online: the Death of online business.

Wednesday, June 15, 2011

LulzSec Has Taken Down The CIA Website & Prank Called The FBI


According to their Twitter update, LulzSec is listening to their fan base:
The Lulz Boat: "Ohohhohawhaw, Pierre Dubois and Francois Deluxe are currently taking many phone calls!"
The Hackathon that LulzSec has started seems to continue unabated. They seem to have flooded the FBI with prank calls and taken down The Company's website, CIA.gov, with a distributed denial-of-service (DDoS) attack. Does the Company we keep indicate anything about us? They also released all the personal information of contestants for the X-Factor show on FOX, including the dude (no relation to The Dude from The Big Lebowski) from Mythbusters:
The Lulz Boat: "That dude from Mythbusters is in our X-Factor database leak, true story."

I Got Hacks In Every Area Code - Call The Hackathon - Pierre Dubois & Francois Deluxe Are Listening

LulzSec has made the headlines almost daily since their "Hacktivist" feats with Sony, hence the Sony Effect, put them on the map. I wonder if there will ever be a Strange Maps for their hacks like there was one for the rapper Christopher Brian Bridges, aka Ludacris. And I wonder if they are on the bombing radar of the Pentagon after the newly updated bombs-for-hacks military doctrine. They pulled off a Senate hack and are now inviting suggestions for new hacks/victims. I am sure the folks at Sony, Nintendo and PBS News hope the callers don't suffer from Schadenfreude. Anyway, the Frenchmen Pierre Dubois and Francois Deluxe are all ears for the next Tupacalypse, and they are apparently "laughing out loud" with a French-cum-Peter Sellers/Pink Panther accent. You can reach them at 1-614-LULZSEC.

Saturday, June 11, 2011

IMF Annus Horribilis - Cyberattack Succeeds In Major Data Breach

The IMF has been in the news lately not for helping out failing States, but for attacks. The attacks have ranged from the alleged sexual assault by the IMF's recent head, Dominique Strauss-Kahn, on a hotel maid to charges of incompetence/softness in bailing out the insolvent countries in the Euro-zone. According to a NY Times piece they have now suffered a major data breach as well. I suppose this is the Annus Horribilis of the IMF in its storied history. In fact, the World Bank has cut off its data link to the IMF after this breach and might have to distance itself in other respects as well. The IMF uses RSA SecurID security tokens and has apparently been offered replacements for its old RSA SecurID tokens, according to a Bloomberg piece:
The fund told employees June 8 that it would replace their RSA SecurID tokens. EMC Corp.’s RSA security-systems unit offered to swap the tokens after a breach of its own network, disclosed in March, resulted in the theft of RSA data. A SecurID device is shaped like a key fob or a computer-memory stick and generates random-number passwords used to gain access to a computer network.
The hackers behind the attacks are believed to be affiliated with a foreign government. Is it one of the governments/victims upset at IMF bailout terms? Or is it just good old fashioned intelligence gathering?

Friday, June 10, 2011

Citibank Hacked - The Hits Keep On Coming Muhammad Ali Style

Citibank admits to a security breach affecting over 210,000 customers. They admitted it one month after the cyberattack. Are there more damaging releases that have been withheld? Is this the drip water torture of Chinese fame? How do we know this is the truth, the whole truth and nothing but the truth? Is it like the doublespeak of RSA fame? Is it one of a string of damning breaches of Sony fame?

Will there be a bill of rights for known data breaches where victims will be indemnified and informed of the attack once it happens?

We will see legislators pounce on all these recent breaches to remain in the limelight, grandstand and posture on matters. However, what should really be highlighted is that a lot of the regulatory framework is already in place in other countries and is only issued as guidelines in the United States. It has just not been enforced. Kinda like telling a kid to stay away from the cookie jar when you leave it unattended. Security should not be an afterthought. After all, the only thing we have left with our Banks is Trust, up for review post-TARP bailout of course, as opposed to placing our hard-earned dollars under the mattress.

Tuesday, June 7, 2011

RSA (In) SecurID Pulls A Sony

RSA had issued a vaguely worded blog post on the breach of SecurID and who knows what else. Today, after numerous disclosed RSA SecurID related breaches, they have come clean... Or have they? They have promised to finally replace InSecurIDs with (drum roll, please) more StrongerSecurIDs. Or have they? (More on that later, stay with us, now.)

The key problem that they have not addressed is that they had a cash cow, maintained a central repository of ALL their customers' seeds, and had an outdated approach to stronger security. We only know that it took RSA SecurID-related breaches at a military contractor or two (or three), and a new, Pentagon-issued military doctrine, for them to finally admit what most in the security world already knew.

Apparently this is the security equivalent of Ralph Nader's exposé of the automobile industry.* RSA (In)SecurID still does not address any of the new emerging cyber attack vectors, and companies that replace old breached RSA tokens will still be left flapping in the breeze. So it begs the question: do companies go along with the party line and continue with RSA even after it has let them down? After all, it was RSA that said:

"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

There is one caveat that we might have overlooked: Uri Rivner posted that on the official EMC RSA blog on none other than April Fools' Day. Obviously, all RSA SecurID customers should have known that it was a big joke.

Unfortunately for them, the joke is stuck in a time-continuum lapse. If one is to read between the lines (it is RSA, after all, that's stuck in Pravda-speak), not all RSA SecurID customers are created equal. Their metric makes no sense, and anyone who can decipher it (pun intended) is worthy of cracking an egg that has already been smashed on RSA customers. RSA's generosity for those worthy of an upgrade:
  • An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
  • An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
So what constitutes a customer with a concentrated user base, typically focused on protecting IP and corporate networks? Does that not include a consumer goods company with a VPN? And what about web-based companies that do not include financial transactions? We tried Google Translate and it blew up.

*The 1965 publication Unsafe at Any Speed: The Designed-In Dangers of the American Automobile