Thursday, June 30, 2011

Phish Speared By The FBI

One of the chief conspirators of a large phishing gang, Kenneth Lucas II, has just been sentenced to 11 years in prison, according to various news outlets including a piece by Dan Kaplan of SC Magazine:

Kenneth Lucas II, 27, of Los Angeles who led the U.S. arm of a global phishing operation that resulted in more than 100 arrests in 2009, previously pleaded guilty to 49 counts of bank and wire fraud, aggravated identity theft, computer fraud and money laundering conspiracy.....About 50 individuals from California, Nevada and North Carolina, in addition to another 50 Egyptian citizens, were charged.

Let's hope this sends a strong message to global outfits that they are not always beyond the reach of the law. At least in Egypt that seems to be the case, where there is a rainbow at the end of the hacking pyramid.

Mobiles More Secure Than Desktops?

Symantec just released a whitepaper titled "A Window Into Mobile Device Security" examining the security risks that surround iOS and Android mobile devices in the enterprise market. Some key conclusions:

  • While offering improved security over traditional desktop-based operating systems, both iOS and Android are still vulnerable to many existing categories of attacks.
  • iOS’s security model offers strong protection against traditional malware, primarily due to Apple’s rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers.
  • Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today’s increasing volume of Android-specific malware.
  • Users of both Android and iOS devices regularly synchronize their devices with 3rd-party cloud services (e.g., web-based calendars) and with their home desktop computers. This can potentially expose sensitive enterprise data stored on these devices to systems outside the governance of the enterprise.
  • So-called “jailbroken” devices, or devices whose security has been disabled, offer attractive targets for attackers since these devices are every bit as vulnerable as traditional PCs.

As we enter a world where the smartphone is on the ascent and rapidly replacing the desktop for a number of enterprise and consumer applications, the bad guys will start pointing their guns there as well. Macs were relatively safer than Windows PCs simply because the cost/benefit of targeting them made no sense in the past; once Macs became more popular, the malware purveyors started targeting them too. Most Man-in-the-Middle attacks still target PCs, but a new generation of malware has started to emerge, and the mobile variant is often referred to as Man-in-the-Phone (also known as Man-in-the-Mobile or MitMo). Android malware like DroidKungFu started to populate many of the Android application stores, and applications that "stole" username/password credentials even managed to pass the strict Apple App Store review. Of course, there are other ways of hijacking mobile platforms as well, such as exploiting zero-day vulnerabilities and browser poisoning.

The very success of smartphones will make them a juicier target for malware authors and hackers, even if they are relatively more secure now, as Symantec argues. Just don't get carried away with a false sense of security: that is precisely the mindset that lets the hackers' salvoes land.

Wednesday, June 29, 2011

Military Personnel To Be Spear Phished

Gannett, the publisher of DefenseNews, the highly regarded military and defense news website, was hacked. The attackers stole contact information of current and retired defense contractors and military personnel:

On June 7, 2011, the Gannett Government Media family of websites suffered a cyber attack that resulted in some users being unable to access parts or all of the websites. We also discovered that the attacker gained unauthorized access to files containing information of some of our users. The information in those files included first and last name, userID, password, email address, the internal number we assigned to the account, and, if provided, ZIP code, duty status, paygrade, and branch of service.

This contact information is very useful for launching customized phishing attacks, also known as spear phishing, which have a much higher success rate than bulk phishing. In fact, spear phishing coupled with zero-day vulnerabilities led to some of the biggest hacks of very large entities that had seemed impenetrable because of the security software they had adopted. It turns out that the security software that was adopted, and then breached, was built on "old" technologies. It is important to always stay one step ahead of the bad guys; they will never give up. Security should not be looked at as a cost in the IT department, but as something as important as the brand value. We only learn the value of fire retardants and extinguishers after the house has burned down.

Dirty Rotten Scoundrels - Now Selling Malware

The world of fraudsters has long been dominated by mafioso and slickster types. But now a new, more cerebral kind has emerged. David Talbot in MIT's Technology Review has put together a great piece on these new digital scammers who "sell" scareware. The economics are so compelling that some people might be tempted to quit their day jobs; it seems to have become a billion-dollar industry, the modern-day equivalent of selling "protection" without the heavies in suits. One innovative provider of malware:

....Innovative Marketing had some 600 employees and 34 servers disseminating malware, most of them operating from a traditional office complex in Kiev. The corporate empire included divisions that handled credit card payments, the call center in Ohio, and several adult websites that did double duty as vectors for the fake antivirus software. McAfee noted that Innovative Marketing logged 4.5 million orders during an 11-month period in 2008; at $35 per order, the annual revenue apparently neared $180 million. That's better than the $150 million that Twitter will pull in this year, according to an estimate by the market research firm eMarketer.
It has become so lucrative that some of these purveyors of malware have established rather sophisticated affiliate programs, much like Amazon's:

One distributor, Avprofit, promised on its website that it would pay between $300 and $750 for every 1,000 installations in the United States, Canada, Great Britain, or Australia, where the chance is higher of encountering victims who can afford to pay what the fake warnings demand. Experience required: Avprofit sought hackers with "minimum average 250 installs per day."

Many of the affiliates do extremely well. SecureWorks, a unit of Dell, analyzed the distribution of a fake antivirus program called Antivirus XP 2008 via an outfit called Bakasoftware, which was based in Russia. According to documents provided by the hacker behind Bakasoftware, who went by the nickname Krab, one of his top affiliates was able to fool 154,825 people into installing copies of malware on their computers in 10 days, with 2,772 victims going on to enter their credit card numbers. If the documents are accurate, Krab's affiliate scuttled away with $146,524 in that brief period.

These malware vendors are very innovative and have been employing multiple vectors to "sell" their wares, including poisoning search engines like Bing and Google, and are now going after social networks like Facebook and Twitter as well:

Search engines might be the predominant vector now, says Stefan Savage, a computer scientist at the University of California, San Diego. The scam artists play a variety of search optimization tricks to fool the algorithms that Google, Bing, and other engines use to determine which Web links to show in response to search requests. Generally, a page on an infected site (such as …) is quietly stuffed with trendy search terms and links to images. Then the malicious players interlink pages, hundreds or thousands of them, so that the search engines' Web-crawling programs rank the infected page near the top for apparent popularity and relevance. Denis Sinegubko, a malware researcher in Russia, believes that criminals "have managed to hijack search results on the first pages of Google Image search for millions of keywords." As a result, he estimates, people clicked on poisoned image-search results 15 million times a month this past spring. Google says it has since reduced the number of malicious links in image searches by 90 percent from peak levels, and a spokesman emphasized that it continues to plug holes in its algorithms to head off new methods of attack. Google says that 0.5 percent of searches bring back returns that include at least one known malicious website. This might sound low, but given that Google handles more than a billion searches daily, it means that five million search returns every day bear a malicious link.

As long as the economics are this compelling, these scammers will keep innovating as we shore up our defenses. It looks like one long slog with lots of collateral damage, like the never-ending War on Drugs.

Citigroup Falling Behind on TPS Reports

According to numerous media outlets, including The Wall Street Journal, one of Citigroup's own employees has been moving pennies from the penny tray:

A former Citigroup Inc. employee was arrested and charged with allegedly embezzling more than $19 million from the bank in "the ultimate inside job," federal prosecutors said on Monday.

The case shows how management of increasingly complex derivatives transactions may create more illicit opportunities for staffers involved in their administration. Robert Jossen, a partner in the white-collar securities litigation practice at Dechert LLP, said such transactions involve "increasing use of sophisticated computer programs, electronic access and speed, none of which involves face-to-face interaction. This combination of factors may increase the temptation to seek personal gain."

Mr. Foster allegedly put a phony contract or deal numbers in the reference lines for his wire transfers to make them look like they were for legitimate contracts.

Yet another (and another) inside job. While not exactly an attack, it remains an example of a company with poor security monitoring. Citigroup is lucky Mr. Foster just took money, and that they didn't lose face and valuable market capitalization as well. This should have been a cakewalk for Citigroup compared to their previous mishaps; it's not as if they have no experience with these things...

There is a solution to this, of course, to prevent future incidents. We've recommended strong two-factor authentication before, using challenge-response and transaction data signing, for user-side transaction authentication. The same technology can be used at both ends, to authenticate employees and their transactions internally at companies: the details of the wire (payee, amount, reference) are bound into the one-time code that the approver's token generates, so a transfer with a phony reference number cannot be approved without that token, and cannot be quietly altered after it has been approved. This is important for non-repudiation purposes.
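
The mechanics of transaction data signing, as an added example that is not code from the original post or from any token vendor. It assumes a hypothetical shared token secret (`TOKEN_SECRET`), a hypothetical bank-side `TransactionServer`, and constructed wire details; the code format follows the HOTP-style dynamic truncation, with an HMAC over the server's challenge plus the transaction fields in place of a counter. The three scenarios in `demo()` show an honest approval, a payee swapped after the code was generated, and a replayed code:

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical per-token secret. In a real deployment it is provisioned into
# the hardware token and the bank's HSM and never appears in application code.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def canonical_txn(payee: str, amount_cents: int, reference: str) -> bytes:
    """Length-prefix each field so 'AB'+'C' and 'A'+'BC' cannot collide."""
    out = b""
    for field in (payee.encode("utf-8"),
                  str(amount_cents).encode("ascii"),
                  reference.encode("utf-8")):
        out += struct.pack(">H", len(field)) + field
    return out


def sign_transaction(secret: bytes, challenge: bytes, payee: str,
                     amount_cents: int, reference: str, digits: int = 8) -> str:
    """What the approver's token computes after showing payee and amount on
    its own display: an HMAC over the server challenge and the transaction
    fields, truncated to a short decimal code (same truncation as HOTP)."""
    mac = hmac.new(secret, challenge + canonical_txn(payee, amount_cents, reference),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


class TransactionServer:
    """Bank side (hypothetical): issues a fresh challenge per wire and verifies
    the response against the transaction exactly as the bank will execute it."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = {}          # txn_id -> challenge, consumed on use

    def issue_challenge(self, txn_id: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding[txn_id] = challenge
        return challenge

    def verify(self, txn_id: str, payee: str, amount_cents: int,
               reference: str, response: str) -> bool:
        challenge = self.outstanding.pop(txn_id, None)
        if challenge is None:          # unknown id or already used: reject
            return False
        expected = sign_transaction(self.secret, challenge, payee, amount_cents, reference)
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (honest_ok, tampered_ok, replay_ok) for three constructed wires."""
    server = TransactionServer(TOKEN_SECRET)

    # 1. Honest approval: the token signs what the approver saw; the bank executes the same.
    c1 = server.issue_challenge("wire-1001")
    code1 = sign_transaction(TOKEN_SECRET, c1, "ACME Ltd", 250000, "CONTRACT-7731")
    honest_ok = server.verify("wire-1001", "ACME Ltd", 250000, "CONTRACT-7731", code1)

    # 2. Insider swaps the payee after the code was generated: the MAC no longer matches.
    c2 = server.issue_challenge("wire-1002")
    code2 = sign_transaction(TOKEN_SECRET, c2, "ACME Ltd", 250000, "CONTRACT-7732")
    tampered_ok = server.verify("wire-1002", "Mule Account", 250000, "CONTRACT-7732", code2)

    # 3. Replaying a previously used code: the challenge has already been consumed.
    replay_ok = server.verify("wire-1001", "ACME Ltd", 250000, "CONTRACT-7731", code1)

    return honest_ok, tampered_ok, replay_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The point a plain OTP misses is in scenario 2: a code that only proves "someone holding the token pressed the button" can be attached to any wire, while a code computed over the wire's fields is worthless for any other wire. The per-transaction challenge, consumed on first use, is what makes a captured code useless to replay, and the log of challenge, fields and response is the non-repudiation record.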

2FA: Squared.
(Stapler not included)

Tuesday, June 28, 2011

GeoHot, The Sony Effect, The Untouchables, and Jon Stewart

You wanna know how to get Capone? They pull a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. *That's* the *Chicago* way! And that's how you get Capone. Now do you want to do that? Are you ready to do that? I'm offering you a deal. Do you want this deal? - Malone (Sean Connery) from The Untouchables

George Hotz, nom-de-hack GeoHot, has just been hired by Facebook. If we jog our memories, he was the hacker who broke the Sony PS3's encryption. After which, Sony came after him with the full force of the law and the DMCA. In his purported defense came the hacker army, which turned Sony and its multiple affiliates into a digital piñata. The Sony Effect: pick on one hacker, and you get an army coming after you. At least that's what hacktivists like Anonymous and LulzSec would have us believe. But behind all this noise from the "grey" hats lurk the malevolent hacks. And Sony et al. are forced to pick their fights, lest they be pushed into a corner by an anonymous army of keyboard commandos. As is often the case, The Daily Show with Jon Stewart highlighted the dilemma we face when dealing with prepubescents: crack down on them and you risk an outcry, while those who are really criminal carry on.

Monday, June 27, 2011

YouSendIt Founder/CEO Jailed For DDoS Attacks

The Department of Justice issued a press release stating that Khalid Shaikh, one of the founding members and former CEO of YouSendIt, a popular file-sharing site, pleaded guilty to launching DDoS (Distributed Denial-of-Service) attacks from December 2008 to June 2009 on the company's servers located in San Jose, California:
Mr. Shaikh sent an ApacheBench computer code to YouSendIt’s servers. ApacheBench is a benchmarking program used for measuring the performance of computers known as web servers. ApacheBench was designed to determine the number of requests per second a server is capable of serving. By intentionally transmitting the ApacheBench program to YouSendIt’s servers, Mr. Shaikh was able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic.
This is again one of the more insidious types of cybercrime, the inside job, which companies and enterprises have to keep their guard up for at all times. It's a tough crime to...ahem, "Shaikh"... as former employees (in this case the founder/former CEO/CTO) have intricate knowledge of the inner workings of the IT infrastructure compared to outside attackers. Let's hope fewer former employees go rogue. After all, the DoJ just pulled off a "YouJailIt."

The Ugly Set Sail For Fail? - LulzSec Forced to Hang Up Their Spurs or Walk the Plank

There are two kinds of spurs, my friend. Those that come in by the door; those that come in by the window. - Tuco (The UGLY)
LulzSec, aka Lulz Security, announced that they were retiring after a 50-day rampage through the digital world. Many have speculated that the digital noose was tightening around them and that their high-profile antics and brags were coming to an end. So better to leave the party before the punch is finished? Or were they forced to leave the party by the bouncers or by other digital attendees who were one better than them?

As hackers, LulzSec had the bravado of Tuco from "The Good, the Bad and the Ugly" and seemed to be in a constant Mexican standoff with the authorities that be. But it seems their gunslinging techniques were limited to just two rather simple hack methods that most school children armed with keyboards could have carried out:

1) SQL injections (pronounced "sequel" and maybe the inspiration for constant repeat attacks)
2) DDoS or Distributed Denial-of-Service

SQL injections are the digital equivalent of figuring out that a certain type of window is easy to break with stones and constantly going after them. The fix is well known but sits in the application, not the database server: keeping the database software patched does not help when the application itself pastes user input into the text of its queries. Queries have to be parameterized (placeholders, with the driver sending values separately from the statement), input validated, and the database account the application uses given the least privilege it needs, so that even a successful injection cannot read or dump tables it has no business touching.

DDoS is not even really a "hack", but more of an annoyance. It's as if you got the whole town to prank call your Math teacher at the same time, so that no one can reach them. Defending against it is mostly a matter of capacity and filtering: spare bandwidth and geographically distributed hosting, upstream scrubbing of junk traffic before it reaches the servers, and rate limits so that no single source can hog the line.

As the noose tightened around LulzSec and their ugliness, and their identities exposed by better armed gunslingers, they were forced to walk the plank. Does the story of LulzSec end here like the Hacking for Girliez of 1990s and NY Times fame? Or will the authorities start to round them up one by one, with all their accessories to crime?

The key takeaway for most companies is to be proactive when it comes to security policies and never to underestimate the hackers out there. It is always better to one-up them when it comes to best practices and adopt stronger measures than conventional wisdom dictates. After all, there will probably be a flood of copycat and SeQueL attacks in the not so distant future.

Wednesday, June 22, 2011

WordPress Forces Password Resets As A Precautionary Move

WordPress posted on its blog that:

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

Matt Mullenweg, founder of WordPress, chimed in that:

"There are 15 K plugins so happens sometimes. We haven't pissed off LulzSec yet. :)"

At least WordPress seems to have taken a rather draconian approach to stall and fend off hackers from their large user base, and also to avoid the Sony Effect of pissing off hackers. Let's hope more companies take pre-emptive strikes like these and nip hacks in the bud. Let's also hope they take stronger measures in the near future by adopting dynamic passwords and challenge-response based logins.

Tuesday, June 21, 2011

Sony France Hacked - A Lebanese and French Pair Beat LulzSec To The Bragging Rights

Over 177 thousand email addresses from Sony Pictures France have been compromised using the standard ploy of SQL injection, as in most of the previous hacks of Sony fame (hence the Sony Effect). For a change this was not carried out by LulzSec or Anonymous, but by the self-identified Lebanese hacker Idahc and the French Auth3ntiq. They claim NOT to be black hats and that it is just a POC (proof-of-concept). Why a proof-of-concept was still necessary is anyone's guess: Sony has taken a battering of some 20 hacks in the span of two months, we have all probably figured out that Sony's CSO has been on holiday for a while, and Idahc had already penetrated Sony Europe's and Sony Ericsson's defenses before.

LulzSec Apprehended?- At Least Now Essex Boys And Not Just Girls Are In The News

Law enforcement agencies in the UK, with the FBI in tow, have arrested a 19-year-old as one of the LulzSec gang of hackers (probably just an accessory to the crimes committed and not a perpetrator). Not much is known about the arrest, but it is clearly a day when Essex boys have started to make the news, and not just page 3 but the headlines nonetheless. Maybe Essex girls can make page one if they brush up on their hacking skills as well.
LulzSec (tweeting as The Lulz Boat) also had something to say on the arrest.

Dropbox Dropped The Security Ball - Hacking Into Anyone's Account Was A Fingertip Away

For the span of roughly four hours any layman trying to access other people's accounts at Dropbox could have felt the same thrill as a hacker. In a post on Pastebin, a user describes how he noticed that there was no password check at Dropbox:
So I went to dropbox to change my password & the password change page looked flakey - I can't describe this in much more detail than so say that I clicked ok and nothing really seemed to happen. Did it work? Not sure, let's try the old password. Oh, it still works, so let's change it again. That appeared to work (I got a password updated message) - let's try the new password. Yup, good. Wait, I'm pretty sure I fat-fingered an extra character though -- etc. Which led to me realizing that any password at all was fine, at which point I logged into the accounts of two friends using 1-character passwords like 'q' and 'z'.
In response, Arash Ferdowsi, CTO of Dropbox, posted on the corporate blog:
Hi Dropboxers,
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

As more and more of us entrust our data jewels to the cloud, let's hope that services like Dropbox go on the offensive with regard to security practices and don't drop the ball. Let's hope they adopt stronger authentication methods than static username/passwords, like one-time passwords or, better yet, challenge-response based logins.

Monday, June 20, 2011

In Bitcoin We Trust - The Currency of Choice of Hackers Hacked

"Let this be an example to take the security of your wallet.dat files very seriously. I never thought bitcoin would attract criminals so quickly but yet here it is." -allinvain
While Bitcoin received undue publicity and attacks from politicians like Senator Charles Schumer, it has emerged as perhaps the world's first digital currency for physical goods and services (unlike digital currencies like Linden Dollars, where you could only purchase virtual goods). Established in 2009 by Satoshi Nakamoto (assumed to be a nom-de-hack), it has taken on a life of its own. Although it is not a fiat currency and has no central banker, it has emerged as the new target of hackers as there is real "tradable" value to it. While LulzSec, a prominent hacking group, accepted donations in Bitcoins (roughly 7000 dollars' worth), new hacking groups have gone after Bitcoins as there is real money there. A new trojan titled Infostealer.Coinbit has been identified as specifically going after Bitcoin wallets. A Bitcoin user with the handle "allinvain" (quoted above) has claimed that he has been defrauded of 25,000 Bitcoins, the equivalent of almost 500 thousand USD depending on the exchange rate of the day. Maybe the politicians should let the hackers do the attacks to undermine the digital currency and let Ben Bernanke sleep well at night.

Friday, June 17, 2011

Sega Hacked By Keyboard Commandos - Joins Nintendo, Sony, Bethesda, Epic Et Al.

Sega has joined the glorious list of gaming industry titans and publishers that have been hacked. The hackers are clearly showing no remorse, and it seems this new game of hacking is more enjoyable to the keyboard commandos than Counter-Strike or Sonic the Hedgehog ever was, as Lulz Security's latest press release post puts it:
And that's all there is to it, that's what appeals to our Internet generation. We're attracted to fast-changing scenarios, and we can't stand repetitiveness, and we want our shot of entertainment or we just go and browse something else, like an unimpressed zombie. Nyan-nyan-nyan-nyan-nyan-nyan-nyan-nyan, anyway...
This is the Internet, where we screw each other over for a jolt of satisfaction. There are peons and lulz lizards; trolls and victims.
No one has yet claimed responsibility for the breach of the Sega Pass network. This is what Sega has revealed to the public about the breach:
Over the last 24 hours we have identified that unauthorised entry was gained to our SEGA Pass database. We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems....We have identified that a subset of SEGA Pass members emails addresses, dates of birth and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text. Please note that no personal payment information was stored by SEGA as we use external payment providers, meaning your payment details were not at risk from this intrusion.

Battered Customers Wait For RSA SecurID Replacements

It has long been a mystery to many sociologists why women (it rarely is men) return to abusive relationships. Oftentimes, manipulation of the battered spouse/partner is cited as a reason. Doublespeak of course predated RSA's announcements and seems to have served many regimes well over the course of decades. Well, according to a WSJ piece, a lot of RSA SecurID customers are waiting eagerly for their security tokens to be replaced, even if it means that in the meantime they are at the mercy of the hackers out there:
That means it could take at least six to eight months to replace all of the tokens, and at least two months to replace a third of them. The manufacturing bottleneck could be even greater given RSA tokens typically expire after three years and must be replaced.
But this demonstrates that the Laws of Inertia apply beyond the realm of physics and couch potatoes to corporate and government IT departments as well. The latest round of hacks has clearly made headlines, but preventing current and future hacks requires a clean break from past "best practices" and an out-of-the-box mindset. Otherwise we will see more and more prominent hacks, and one day they may be relegated to the inner pages of our daily rags, just as Iraq and Afghanistan hardly make the headlines anymore.

Citibank Breach - Are Hacks The New Subprime?

Is 210,000 the new 360,000?

It seems quite a while since numeracy was a prerequisite for bankers. During the subprime mortgage gold rush of the 2000s income numbers were thrown out of the window and replaced with fuzzy logic like future potential income etc. It seems that hack announcements by institutions are the new subprime asset class, where the numbers clearly do not add up. Bankers are now employing Quantitative Easing (QE henceforth) when it comes to their announcements. So Citibank has just now announced that it was not 200K-plus, but over 360K victims. As in a previous blog post of ours, we wonder how much more inflation the hack victim numbers will suffer, and when and if the whole truth will be revealed:
Citibank admits to a security breach affecting over 210,000 customers. They admitted it one month after the cyberattack. Are there more damaging releases that have been withheld? Is this the drip water torture of Chinese fame? How do we know this is the truth, the whole truth and nothing but the truth? Is it like the doublespeak of RSA fame? Is it one of a string of damning breaches of Sony fame?

Thursday, June 16, 2011

Who You Gonna Call? Hackbusters Needed Against Keyboard Commandos

While Wall Street has deemed security software vendors to be the New New Thing, all entities with a digital footprint are probably looking for a higher authority out there to help them navigate these choppy waters while the Lulz Boat and others are sailing. Strong security procedures built from the ground up, coupled with the latest advancements in security software, are prerequisites. Furthermore, entities have to close their loopholes by institutionalizing security at every level of the corporate hierarchy. It cannot be looked at as a cost on your P/L statement; otherwise you run the risk of your brand being tarred and feathered by keyboard commandos. Digital security has finally made it to the boardroom and cabinet/ministerial level, just as ERP did in the 1980s and 1990s. ERP is now the boring part of enterprise applications thanks to its wide success, adoption and institutionalization. Let's hope that digital security will also become a given, and no longer a daily touchy/embarrassing/scandalous subject.

Death, Taxes And Now Hacks??

If Benjamin Franklin were around today, he might have written in his correspondence with Jean-Baptiste Leroy that "in this world nothing can be said to be certain, except death, taxes and hacks." Every day that passes, another government draws the ire of the "hacktivists." The list includes governments ranging from the United States to Uganda to Israel to Spain to Turkey and now Malaysia. Every upset kid spurned by society and armed with an Internet connection (preferably the neighbors' Wi-Fi) can launch a series of attacks. Of course not all attacks are created equal, and the more sinister types remain unmentioned and usually unnoticed. Oftentimes, the more insidious hackers go for the digital jugular and can remain parasitic on host systems till it's too late. Governments, enterprises and other entities should adopt stronger security software to help prevent such intrusions. CIOs and CSOs should not be lulled into complacency and should look proactively for robust security software. Hacks are the new Tax of the digital era, and if we adopt strong defenses we will avoid paying the highest price online: the Death of online business.

Wednesday, June 15, 2011

LulzSec Has Taken Down The CIA Website & Prank Called The FBI

According to their Twitter updates, LulzSec is listening to their fan base:

The Lulz Boat: Ohohhohawhaw, Pierre Dubois and Francois Deluxe are currently taking many phone calls!

The Hackathon that LulzSec has started seems to continue unabated. They seem to have flooded the FBI with prank calls and taken down The Company's (the CIA's) website with a distributed denial-of-service (DDoS) attack. Does the Company we keep indicate anything about us? They also released all personal information of contestants for the X-Factor show on FOX, including the dude (no relation to The Dude from The Big Lebowski) from Mythbusters:

The Lulz Boat: That dude from Mythbusters is in our X-Factor database leak, true story.

I Got Hacks In Every Area Code - Call The Hackathon - Pierre Dubois & Francois Deluxe Are Listening

LulzSec has made the headlines almost daily since their "Hacktivist" feats with Sony, hence the Sony Effect, put them on the map. I wonder if there will ever be a Strange Maps for their hacks like there was one for the rapper Christopher Brian Bridges, aka Ludacris. And I wonder if they are on the bombing radar of the Pentagon after the new updated bombs-for-hacks military doctrine. They pulled off a Senate hack and are now inviting suggestions for new hacks/victims. I am sure the folks at Sony, Nintendo and PBS News wish the callers don't suffer from Schadenfreude. Anyway, the Frenchmen Pierre Dubois and Francois Deluxe are all ears for the next Tupacalypse and they are apparently "laughing out loud" with a French cum Peter Sellers/Pink Panther accent. You can reach them at 1-614-LULZSEC.

Saturday, June 11, 2011

IMF Annus Horribilis - Cyberattack Succeeds In Major Data Breach

The IMF has been in the news lately not for helping out failing States, but for attacks. The attacks have ranged from the alleged sexual assault of the recent head of the IMF Dominique Strauss-Kahn on a hotel maid to charges of incompetence/softness in bailing out the insolvent countries in the Euro-zone. According to a NY Times piece they have now suffered a major data breach as well. I suppose this is the Annus Horribilis of the IMF in its storied history. In fact, the World Bank has cut off its data link from the IMF after this breach and might have to distance itself in other respects as well. The IMF uses RSA SecurID security tokens and has apparently been offered to replace the old RSA SecurID tokens with new ones according to a Bloomberg piece:
The fund told employees June 8 that it would replace their RSA SecurID tokens. EMC Corp.’s RSA security-systems unit offered to swap the tokens after a breach of its own network, disclosed in March, resulted in the theft of RSA data. A SecurID device is shaped like a key fob or a computer-memory stick and generates random-number passwords used to gain access to a computer network.
The hackers behind the attacks are believed to be affiliated with a foreign government. Is it one of the governments/victims upset at IMF bailout terms? Or is it just good old fashioned intelligence gathering?

Friday, June 10, 2011

Citibank Hacked - The Hits Keep On Coming Muhammad Ali Style

Citibank admits to a security breach affecting over 210,000 customers. They admitted it one month after the cyberattack. Are there more damaging releases that have been withheld? Is this the drip water torture of Chinese fame? How do we know this is the truth, the whole truth and nothing but the truth? Is it like the doublespeak of RSA fame? Is it one of a string of damning breaches of Sony fame?

Will there be a bill of rights for known data breaches where victims will be indemnified and informed of the attack once it happens?

We will see legislators pounce on all these recent breaches to remain in the limelight, grandstand and posture on matters. However, what should really be highlighted is that a lot of the regulatory framework is already in place in other countries and is only issued as guidelines in the United States. It has just not been enforced. Kinda like telling a kid to stay away from the cookie jar when you leave it unattended. Security should not be an afterthought. After all, the only thing we have left with our Banks is Trust, up for review post-TARP bailout of course, as opposed to placing our hard-earned dollars under the mattress.

Tuesday, June 7, 2011

RSA (In) SecurID Pulls A Sony

RSA had issued a vaguely worded blog post on the breach of SecurID and who knows what else. Today, after numerous disclosed RSA SecurID related breaches, they have come clean... Or have they? They have promised to finally replace InSecurIDs with (drum roll please) more StrongerSecurIDs. Or have they? (More on that later, stay with us, now.)

The key problem that they have not addressed is that they had a cash cow, maintained a central repository of ALL their customers' seeds, and had an outdated approach to stronger security. That has still not been addressed. We only know that it took a military contractor or two or three RSA SecurID-related breaches and a new, Pentagon-issued military doctrine for them to finally admit what most in the security world already knew.

Apparently this is the security equivalent of Ralph Nader's exposé of the automobile industry.* RSA (In)SecurID still does not address any of the new emerging cyber attack vectors, and companies that replace old breached RSA tokens will still be left flapping in the breeze. So it begs the question: Do companies go along with the party line and continue with RSA even after it has let them down? After all, it was RSA that said:

"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

There is one caveat that we might have overlooked: Uri Rivner posted that on the official EMC RSA Blog on none other than April Fool's Day. Obviously, all RSA SecurID customers should have known that it was a big joke.

Unfortunately for them, the joke is stuck in a time-continuum lapse. If one is to read between the lines (it is RSA, after all, that's stuck in Pravda-speak), not all RSA SecurID customers are created equal. Their metric makes no sense and anyone who can decipher it (pun intended) is worthy of cracking an egg that has already been smashed on RSA customers. RSA's generosity for those worthy of an upgrade:
  • An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
  • An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
So what constitutes a customer with a concentrated user base, typically focused on protecting IP and corporate networks? Does that not include a consumer goods company with a VPN? And what about web-based companies that do not include financial transactions? We tried Google Translate and it blew up.

*The 1965 publication Unsafe at Any Speed: The Designed-In Dangers of the American Automobile

DroidKungFu - Enter The Droid Malware Wars

According to researchers Yajin Zhou and Xuxian Jiang at North Carolina State University, there is a pretty robust piece of malware called DroidKungFu, and it apparently kicks the butt of most anti-virus out there. Clearly this new Martial-Artist-in-the-Middle is an ominous portent of more such dangerous Man-in-the-Phone attacks. This mobile malware seems to beset Android-based mobiles that run version 2.2 (the Froyo meets the DOJO!) or earlier by installing a backdoor and turning your phone into a bot:

"In Android versions 2.2 (Froyo) and earlier, DroidKungFu takes advantage of two vulnerabilities in the platform software to install a backdoor that gives hackers full control of your phone. Not only do they have access to all of your user data, but they can turn your phone into a bot – and basically make your smartphone do anything they want."

It seems that anti-virus utilities have to graduate to a black belt to defeat the next generation of Imperial mobile malware. Let the Droid Wars begin.

Monday, June 6, 2011

There's An App (Hack I Meant) For That - FaceNIFF

One app probably not hitting the Apple App Store anytime soon is the FaceNIFF Android application, which helps you hack into Facebook, Twitter, and other web services.

FaceNIFF is more insidious than the Mozilla Firefox sniffing extension Firesheep, as it works not only on open Wi-Fi, but (drum roll please) on WPA-encrypted Wi-Fi as well. Here's a video of FaceNIFF in action.

As a precaution against more such malicious browser extensions and emerging apps, change your settings on Twitter, Facebook et al. to HTTPS, which will offer a degree of protection against some of these new sniffers.

Hacking Can Pay

It seems that hacking, just like crime, pays. LulzSec just announced on Twitter that they received anonymous donations of over 7200 US Dollars worth of Bitcoins.

The Sony Effect Continues Unabated - LulzSec Strikes Again At Sony

According to the latest news in twitterdom and LulzSec's press release, Sony has been hit again:
"... We've recently bought a copy of this great new game called "Hackers vs Sony", but we're unable to play it online due to PSN being obliterated. So we decided to play offline mode for a while and got quite a few trophies. Our latest goal is "Hack Sony 5 Times", so please find enclosed our 5th Sony hack. Enjoy this 54MB collection of SVN Sony Developer source code. That's hackers 16, Sony 0. Your move! ACHIEVEMENT UNLOCKED: HACK SONY 6 TIMES! Oh damn, we just did it again, please also find enclosed internal network maps of Sony BMG."
The Sony Effect is out in full force, and it has become increasingly hard to keep abreast of the attacks. The misfortune to hit Sony is unfortunately a predicament that will face many other large companies, but they may not have the privilege of even being aware of it. A great analysis of Sony Pictures' passwords is presented here by Troy Hunt.

LulzSec Strikes Again - Tupacalypse Continues

LulzSec, of Sony and PBS hacking fame, has been busy with another strike, this time against FBI-"affiliated" sites like InfraGard and Unveillance and its CEO Karim Hijazi. They managed to get into the CEO's personal and work emails because the same passwords were used for secure and insecure logins:

"Over the last two weeks, my company, Unveillance, has been the target of a sophisticated group of hackers now identified as “LulzSec.” During this two week period, I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence that would have put many other businesses, government agencies, and individuals at risk of massive Distributed Denial of Service (DDoS) attacks.

In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities."

LulzSec posted a response on Pastebin to Karim's statement:

"RE: - whitehat morons

From: - masters of the seven proxseas

Dear Karim & Unveillance,

Greetings morons. We're writing in response to your recent press statement, which, while blatantly trying to hide your incompetence, attempts to paint an ill-conceived picture on The Lulz Boat. To clarify, we were never going to extort anything from you. We were simply going to pressure you into a position where you could be willing to give us money for our silence, and then expose you publicly.
Ironically, despite the fact that you A) claimed that you wouldn't do something like that, and B) foolishly got outsmarted yet again, we'd like to point out something that you did do: attempt to cooperate with mystery hackers in order to radically, and illegally, boost your company from the ground.
Karim, founder of Unveillance, attempted from the start to work with us for his own gain, and he even offered us payment for certain "tasks". These tasks, hardly subtle at this point, were those of a malicious nature; destroying Karim's competitors through insider info and holes Karim would supply us.
Karim also wanted us to help track "enemy" botnets and "enemy" botnet trackers. All in return for our silence and "mutual gain".

While it's normal for him to try and cover up this embarrassment by putting all the focus back on us, we can, again, see past this primitive social engineering. Karim compromised his entire company and the personal lives of his colleagues, then attempted to silence us with promises of financial gain and mutual benefits.

We don't need cleverly-crafted media spinning to cover up anything, we say it how it is, nice and loud: Karim is a giant fuckwit that used the same password for all of his online accounts and all accounts linked to a company he owns. Then he tried to bargain with hackers so his company wouldn't crumble. Try harder, Karim. We're too smart for your silly games. To everyone else: stay safe, secure yourself, the Internet is a playground for people like us. We love you."

This problem bedevils most individuals, who reuse the same password across many websites, including weakly protected sites like Facebook and LinkedIn. Hackers only have to compromise one weakly protected website to gain access to the others. The only real solution is a different password for every site, and that leads to password fatigue. An alternative is for institutions to issue dynamic passwords for their sites through two-factor authentication and to require logins that employ mutual authentication via challenge-response.

Friday, June 3, 2011

Canadian Government Hacked...Eh

It seems that the Canadian government has been hacked, as well, according to a CBC news post. Luckily, it seems, the Canadian government did not suffer from the Sony Effect. Let's hope they can implement the proper security measures to ward off future cyberattacks.

The Sony Effect - Sony Is Suffering A Tupacalypse

We were going to title today's Sony breach "Better Safe Than Sony", as was widely suggested in tweets, blogs and commentaries. However, it turns out that this breach was done by none other than LulzSec (aka Lulz Security), instead of the usually-blamed Anonymous, who had a field day giving PBS news a makeover via a fake story on Tupac Shakur still living and shooting cans with good ol' Elvis. We will not delve much into Sony's recent string of breaches, rivaling those of companies that use RSA SecurID and military contractors, as we have already done that in some previous posts, but we do want to quote Lulz Security as relayed in the BBC article:

'Asking for it'

In a statement on Thursday, Lulz Security said it had hacked into a database that included unencrypted passwords as well as names, addresses and dates of birth of Sony customers.

"From a single injection, we accessed EVERYTHING," it said. "Why do you put such faith in a company that allows itself to become open to these simple attacks?

"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plain text, which means it's just a matter of taking it.

"This is disgraceful and insecure: they were asking for it."

The group also recently claimed responsibility for hacking the website of the PBS network and posting a fake story in protest at a news programme about WikiLeaks.

We wish Sony a fat 'good luck' after what seems to be their umpteenth data breach. It leads us to a second thought: Is this the hacking equivalent of the Streisand Effect (named after the illustrious Barbra Streisand and not the Duck Sauce song)? Could we call this the Sony Effect?
After all, these breaches all occurred after Sony took a very heavy-handed approach with George Hotz (whose nom-de-hack is GeoHot) for hacking the PlayStation 3. Sony opened up a classic can of worms by managing to anger enough people in the hacker community to suffer all these cyberattacks. Luckily for GeoHot, the Pentagon had not released its new military doctrine of bombs-for-hacks yet.

Sony may well be on its way to getting an eponymous "Effect", an entry in Wikipedia and a song. RSA SecurID breaches, especially in regards to military contractors, may well follow suit as well.

Thursday, June 2, 2011

Man-in-the-Phone Attacks and Mobile Malware

McAfee's latest threat report has noted a dramatic increase in mobile malware. This is a great opening for the possibility of conducting Man-in-the-Phone attacks, also known as Man-in-the-Mobile or MitMo attacks. Man-in-the-Phone attacks can thwart relatively weak security such as SMS OTP (one-time password) and out-of-band authentication. Online-based authentication is susceptible to interception, and the weak authentication can be relayed back to the fraudsters. A better and stronger approach is to have the authentication done OFFLINE and to employ mutual authentication (aka two-way authentication). Additionally, transaction-specific information can be protected against tampering and repudiation by using challenge-response and transaction data signing. This dark new reality will start to confront institutions in the immediate future. They should preempt this emerging new class of attack vectors by future-proofing their security needs today. Otherwise, IT departments will continue to play a game of cat-and-mouse with quick-footed cyberattackers. Hackers are never slowed down by bureaucracy or quarterly budget concerns, cost cutting, or meeting analysts' earnings calls.

Institutions can continue to rely on one-time passwords and SMS OTPs, but the harsh reality is that we have already passed their half-life and they will soon be radioactive. Avoiding the Chernobyls of breaches requires a comprehensive, well thought out strategy starting today, employing much stronger user authentication and embedded transaction authentication and signing.

Government-in-the-Middle Attacks -- State-issued Malware

The increasing use of Skype by dissidents and those who seek a more secure way of communicating has led to a number of companies providing malware to States and regimes that want to keep tabs on their citizenry. According to a WSJ article, Skype was never deliberately designed for encrypted conversations that evade state controls, but for ensuring anonymity through its peer-to-peer architecture and for preventing Skype users from listening in on others' conversations. Because that strong encryption was built in from the ground up, and not as an afterthought, a lucrative market has emerged for European start-ups like Gamma of the UK, Germany's DigiTask, Switzerland's ERA IT Solutions AG, and Italy's Hacking Team SRL to provide governments with malware to snoop on Skype calls and chats. In addition, this government-issued malware includes keyloggers and thus hands over citizens' passwords to web-based mail like Gmail, Hotmail, and Yahoo. Perhaps we should call these Government-in-the-Middle attacks.

In addition to giving personal and private information to government employees at the Ministries of Interception, a whole host of other information is available, such as online banking details and work correspondence. What rules will governments put in place to prevent their public-sector servants/snoopers from going rogue and using that information to defraud and blackmail people?

The Never Ending RSA SecurID Related Cyberattacks - Northrop Grumman Is The Latest Victim Outed

According to a Fox News exclusive, Northrop Grumman became another victim of the RSA SecurID breach and has joined a proud litany of fellow military contractors hit by cyberattackers. The upside is that it is in the same boat as competitors such as Lockheed Martin and L-3, and probably a lot of others who are either not aware of an RSA SecurID-related breach or have yet to be outed. Of course, the hackers now have to contend with the Pentagon's bombs-for-hacks doctrine. The Pentagon has armed itself with the latest generation of basement-buster missiles to hit the hackers--and the countries that provide them with a safe harbor.

These breaches do highlight that security and authentication cannot be taken lightly, and that companies have to start moving away from one-time password-based security tokens to adopting stronger authentication mechanisms like challenge-response and transaction data signing even for basic login schemes.

Wednesday, June 1, 2011

Hackers Against The World - The Pentagon Decides They Deserve A Caning

According to a WSJ piece, the Pentagon has decided that cyberattacks can be construed as acts of war to be dealt with by more...traditional methods.

The only minor problem there is how to ascertain the source of attacks in this world of proxies and botnets of zombie computers. So prior to the application of force, proportionate or not, we should really be sure where the attack originated, and then be suspicious of that as well. It's a lot easier to cover up or fake digital tracks than a paper trail or a path laced with bread crumbs. Cyber sleuths clearly have their work cut out for them. But it makes me wonder how you prove something when there's no physical smoking gun.

So let's say we establish the "source" of the attack. What's the metric for a proportionate response? Is it a biblical eye for an eye, when the damages can be hard to quantify? Do we go ahead and nuke a country because a disgruntled teen in some lonely basement, spurned by the female kind, decided to take their angst out on a power grid in Tacoma or give a makeover to the PBS website? Or maybe the mere threat of being wiped out of existence has spurred some countries to deny their upset youth access to the World Wide Web. Maybe we should laud Iran and encourage other countries to cut off their youth, especially as cyberattackers are invariably men, from the global Internet.

There is definitely more work to be done on establishing the rules of engagement, and hopefully conferences like the Cybersecurity Summit will help address that and define the terms better. The Pentagon has at least brought to attention that cyberattacks are no longer just a prank and can have serious ramifications for countries' state secrets and infrastructure.

Known Knowns - RSA SecurID Related Breaches In The News Again - Another Military Contractor Hit

Just days after the Lockheed Martin RSA SecurID related breach, an employee leaked to Wired magazine that L-3, a large military contractor, was also a target of coordinated cyberattacks. As we mentioned in previous posts, we wonder how many other users of RSA SecurID are compromised and whether they have the necessary systems and wherewithal to detect digital intrusion attempts. Donald Rumsfeld, the former Secretary of Defense, definitely did not have cyberattacks and RSA SecurID related breaches in mind when he said:

There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are some things we do not know.
But there are also unknown unknowns – the ones we don't know we don't know.

But CIOs and CSOs of companies with a reluctance to switch from RSA SecurID to another, stronger authentication solution should take that quote to heart. Even adopting one-time passwords (OTP) is a stopgap measure and will be futile against the coming onslaught of more sophisticated attack vectors. Enterprises should consider adopting stronger two-factor authentication solutions above and beyond OTPs and should deploy challenge-response and transaction data signing en masse. Mutual authentication (aka two-way authentication) should be the bare minimum.
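To make concrete why this post and the Man-in-the-Phone post above keep pushing challenge-response and transaction data signing over plain OTPs, here is an added illustration (not code from this blog, any bank or any token vendor) of a simulated phone-resident relay: the malware swaps the payee and relays the user's code, which works against a counter-based OTP but fails against a code that is bound to the transaction the user actually keyed in. All seeds, account identifiers and amounts are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values: a token seed shared by bank and token, and two payments.
SEED = bytes.fromhex("5eed" * 16)                                   # 32-byte constructed seed
USER_TX = {"to": "ACCT-LANDLORD-01", "amount": "50.00"}           # what the user intends
ATTACKER_TX = {"to": "ACCT-MULE-99", "amount": "4900.00"}         # what the MitMo substitutes


def sms_otp(seed: bytes, counter: int) -> str:
    """Counter-based one-time password: it says nothing about the transaction."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def server_proof(seed: bytes, challenge: bytes) -> str:
    """Mutual authentication: the bank proves it knows the seed before asking for a signature."""
    return hmac.new(seed, b"bank|" + challenge, hashlib.sha256).hexdigest()[:16]


def sign_transaction(seed: bytes, challenge: bytes, tx: dict) -> str:
    """Transaction data signing: the code binds the challenge, payee and amount together."""
    msg = challenge + b"|" + tx["to"].encode() + b"|" + tx["amount"].encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


def token_sign(seed: bytes, challenge: bytes, proof: str, tx: dict) -> Optional[str]:
    """Offline token: refuses to sign unless the bank's proof checks out."""
    if not hmac.compare_digest(server_proof(seed, challenge), proof):
        return None  # a fake prompt from phone malware gets no signature
    return sign_transaction(seed, challenge, tx)


def bank_accepts_otp(seed: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(sms_otp(seed, counter), code)


def bank_accepts_signed(seed: bytes, challenge: bytes, tx: dict, code: str) -> bool:
    # The bank recomputes the signature over the transaction it actually received.
    return hmac.compare_digest(sign_transaction(seed, challenge, tx), code)


def payment(scheme: str, mitmo: bool) -> dict:
    """Run one payment under 'sms_otp' or 'tx_signing'. With mitmo=True the phone
    malware swaps the transaction sent to the bank but relays the user's code unchanged."""
    submitted = ATTACKER_TX if mitmo else USER_TX
    if scheme == "sms_otp":
        counter = 17                               # constructed token counter
        code = sms_otp(SEED, counter)              # SMS read by the malware, relayed as-is
        accepted = bank_accepts_otp(SEED, counter, code)
    elif scheme == "tx_signing":
        challenge = hashlib.sha256(b"constructed bank nonce 42").digest()[:8]
        proof = server_proof(SEED, challenge)
        # The user keys USER_TX into the offline token; the malware never sees the seed.
        code = token_sign(SEED, challenge, proof, USER_TX)
        accepted = code is not None and bank_accepts_signed(SEED, challenge, submitted, code)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "accepted": accepted,
            "credited_to": submitted["to"] if accepted else None}


if __name__ == "__main__":
    for scheme in ("sms_otp", "tx_signing"):
        for mitmo in (False, True):
            print(scheme, "mitmo" if mitmo else "honest", payment(scheme, mitmo))
```

The OTP run with `mitmo=True` is accepted and credits the mule account, while the signed run is rejected because the bank's recomputation covers the swapped payee; the token also returns `None` when the bank's proof is wrong, which is the mutual-authentication half.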

IT departments should maybe adopt the preemptive attack mindset of the former Secretary of Defense when it comes to defending their digital fortress from the hordes of cyber insurgents.