Monday, July 25, 2011

Small is Beautiful - Hackers are PC and Target Small Firms

According to a WSJ piece, hackers are targeting small firms who are often unaware that they are even victims - the "unknown unknowns." While all the large companies like Sony and Lockheed Martin make the headlines, many small businesses are targeted because they are easy picks for cyber criminals and have little defenses put in place. Most do not even have an IT team and are thus vulnerable and oftentimes unaware of the hacks:
With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers. [...]
In the time it takes to break into a major company like Citigroup Inc., a hacker could steal data from dozens of small businesses and not get detected, says Bryce Case Jr., a former hacker who broke into several government and corporate websites a decade ago and now runs an online message board for hackers called Digital Gangster. Now that small companies use computers, "the juice has become worth the squeeze," he says. "Even a pizza place has addresses, names and credit-card information."
Even small businesses have to adopt protective measures to inoculate themselves against these threats if they do not want to risk bankruptcy. They also lack the scale advantage of large corporations, whereby governments might bail them out on the classic too-big-to-fail logic. Malware comes in many forms, even in batteries, and it seems there is no hierarchy of hacking. Hackers are equal opportunity employers after all, and they seem to cherish diversity as much as the next liberal arts college when it comes to their victims. The era of PC (politically correct) hackers has just begun.

Saturday, July 23, 2011

Man-in-the-Battery Attack

The Man-in-the-Middle attack class seems to have had a brand new addition. Charlie Miller, a former NSA employee and currently a researcher at the consultancy Accuvant, has identified a firmware exploit in Apple Macs that allows an attacker to take control of the computer through the battery's microcontroller, gaining root control through the chip's default passwords. He told Andy Greenberg of Forbes magazine:

“You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery,” says Miller.

Miller plans to release a tool called "Caulkgun" to close this hole at the upcoming Black Hat conference in August.

Friday, July 22, 2011

DNS Cache Poisoning Attack Hits Santander Bank In Brazil

Man-in-the-Middle attacks have started to emerge as the attack class of choice for sophisticated hackers, as many institutions have implemented preventive measures against phishing and pharming attacks by adopting one-time password generators.

DNS Cache Poisoning attacks are not so common yet, and reported cases of them hitting banks are rarer still. Santander Bank's Brazilian branch just got hit by such an attack. The hackers hijacked the DNS servers that resolve the bank's website and pointed customers to a visually perfect copy of it, harvesting customer credentials and passwords. The only giveaway would have been the browser's address bar showing HTTP instead of HTTPS, a detail the majority of users overlook.
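To show what a resolver can and cannot check against a poisoned answer, here is an added example that is not from the original post or from any of the parties it mentions: a toy DNS wire-format builder and parser plus a resolver-side acceptance test. A reply is only cached if it comes from the server we queried, arrives on the randomised source port we used, carries our transaction ID, echoes our question, and only answers the name we asked about. The domain, addresses, ports and IDs are all constructed for the demo.

```python
import socket
import struct

# Minimal DNS wire-format helpers (A records only), written for this example.

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(buf, off):
    """Decode a name at offset off; returns (name, offset after the name)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def build_message(txid, flags, qname, answers=()):
    """Build a message with one A question and optional A answers (name, ip, ttl)."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip, ttl in answers:
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return msg

def parse_message(buf):
    """Parse header, question section and answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype, qclass))
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        answers.append((name.lower(), rtype, rclass, ttl,
                        socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def accept_reply(pending, reply, src, dst_port):
    """Resolver-side acceptance test for a reply to an outstanding query.

    Returns (accepted, reason). A blind spoofer must guess both the 16-bit ID
    and the random source port; a reply that survives those checks must still
    only answer the name we asked about (a simplified bailiwick rule)."""
    msg = parse_message(reply)
    if src != pending["sent_to"]:
        return False, "source ip/port is not the server we queried"
    if dst_port != pending["src_port"]:
        return False, "reply hit a port we did not use for this query"
    if not msg["flags"] & 0x8000:
        return False, "QR bit not set; this is not a response"
    if msg["id"] != pending["id"]:
        return False, "transaction ID mismatch"
    if msg["questions"] != [pending["question"]]:
        return False, "question section does not echo our query"
    for name, *_ in msg["answers"]:
        if name != pending["question"][0]:
            return False, "answer for %s is not what we asked about" % name
    return True, "ok"

def run_demo():
    # Constructed scenario: our resolver asked 192.0.2.53 for online.example-bank.test
    pending = {"id": 0x1A2B, "question": ("online.example-bank.test", 1, 1),
               "sent_to": ("192.0.2.53", 53), "src_port": 40123}
    qname = pending["question"][0]
    legit = build_message(0x1A2B, 0x8180, qname, [(qname, "192.0.2.10", 300)])
    wrong_id = build_message(0x1A2C, 0x8180, qname, [(qname, "198.51.100.7", 86400)])
    extra_name = build_message(0x1A2B, 0x8180, qname,
                               [(qname, "192.0.2.10", 300),
                                ("www.example-bank.test", "198.51.100.7", 86400)])
    return {
        "legit": accept_reply(pending, legit, ("192.0.2.53", 53), 40123),
        "wrong_id": accept_reply(pending, wrong_id, ("192.0.2.53", 53), 40123),
        "wrong_port": accept_reply(pending, legit, ("192.0.2.53", 53), 53),
        "extra_name": accept_reply(pending, extra_name, ("192.0.2.53", 53), 40123),
    }

if __name__ == "__main__":
    for case, (ok, why) in run_demo().items():
        print("%-11s %s  (%s)" % (case, "accepted" if ok else "rejected", why))
```

These checks are what stop a blind, off-path poisoning attempt. They do nothing when, as in the Santander case, the attacker controls the DNS server the resolver legitimately queries: the forged answer then passes every test above. Closing that gap needs DNSSEC validation on the resolver, and on the user's side, HTTPS with a certificate the browser actually verifies, which is exactly the cue the post says most users ignore.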

So it might be too early to pronounce the death of one-time passwords for most user authentication purposes, but for banking security they are already passé and old hat. Banks will have to adopt challenge-response and transaction data signing as hackers continue to innovate on all fronts and develop more man-in-the-middle attack classes, ranging from man-in-the-phone and man-in-the-browser to browser poisoning and the DNS cache poisoning described above.

Wednesday, July 20, 2011

Activists Activate Attacks - Google Users Hacked Via IE

Google users are being victimized, apparently by politically motivated hackers. From the Google Online Security Blog:

We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft's temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

The MHTML exploit is IE-specific because only IE supports MHTML, essentially a container format that stores several files in one document. The exploit has been public for a while now, but has only recently seen serious proliferation, partly because an IE-only vector is not cross-platform and so has taken longer to take hold.

As noted above, Microsoft has issued a temporary fix, but it's just that: temporary. Users are still exposed and so is their data. Users should look into two-factor authentication to limit the damage if their username and password are stolen. Google Authenticator is one such tool, and 2D barcode technology exists for those seeking stronger challenge-response security.

Tuesday, July 19, 2011

Apple Fixes JailBreak Hole, But Not For Long

Recently we wrote about JailBreakMe's latest hack to relieve your iOS device of its shackles.

Apple did not take long to respond to the exploit and released a security fix roughly two weeks after JailBreakMe 3.0, the only current option for jailbreaking an iPad 2, arrived.

One day later, JailBreakMe is up and running once more, with an (anti)patch for the Apple patch. While not nearly as convenient as the last version (the hack now requires tethering, and must be repeated upon each reboot), the fact remains that Apple is once again exposed. The "bricking" threat for Apple iPhones we previously addressed (amongst others) on this blog continues to exist.

Monday, July 18, 2011

The Death of One-Time Passwords?

When Willie Sutton, the prolific US bank robber, was asked by a reporter why he robbed banks, he famously said "because that's where the money is."

A number of institutions have adopted one-time passwords as part of their two-factor authentication defenses. Banks have mainly instituted SMS OTPs for their online banking. This has been a cost-effective preventive measure against phishing and pharming attacks. But as in every arms race, once the ante is raised the attackers keep pace with each new defense. We have always argued that such measures form only a short-term solution, and that entities must plan for the looming worst-case scenarios sooner rather than later. With the emergence of a new class of man-in-the-middle attacks that run on the mobile phone's operating system itself, Man-in-the-Phone (sometimes referred to as Man-in-the-Mobile or MitMo), more online banking users are now being targeted.

Zeus, one of the most successful Man-in-the-Middle malware programs, has now emerged on the Android platform after already targeting the BlackBerry and Symbian OSes. Zeus on the mobile is often referred to as Zitmo. It poses as the trusted bank application Rapport, by Trusteer, and harvests SMS OTPs and Mobile Transaction Authentication Numbers (MTANs), then forwards them to a central server.

We will see more and more variants of these malware applications and browser exploits as more institutions rely on "weak" security on mobile phones. Banks and other entities should take a closer look at adopting challenge-response and transaction data signing if they want to future-proof themselves rather than continue firefighting. The recent attacks have shown that hackers are the modern-day equivalents of Willie Sutton. There will be more to come.
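The argument made in this post, in the Santander post above (challenge-response and transaction data signing over OTPs) and in the two-factor recommendation in the Google post can be shown concretely. The following is an added example, not code from this blog or from any bank or vendor it names: an RFC 4226 HOTP generator (the algorithm Google Authenticator is built on) beside a simple transaction data signing scheme, with a man-in-the-middle that relays whatever the user produces but swaps the payee. The signing construction (HMAC-SHA256 over a fixed field order plus a bank-issued nonce), the account names and the shared seed are assumptions made for the demo; the seed is the RFC 4226 test secret.

```python
import hashlib
import hmac
import secrets
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def canonical(tx):
    """Fixed field order so the bank and the user's device sign identical bytes."""
    return ("%s|%s|%s" % (tx["payee"], tx["amount"], tx["nonce"])).encode()

def sign_transaction(secret, tx, digits=8):
    """Transaction data signing (assumed scheme): HMAC-SHA256 over payee, amount, nonce."""
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    return "%0*d" % (digits, struct.unpack("!I", mac[:4])[0] % 10 ** digits)

class Bank:
    """Server side: holds the shared seed, the next HOTP counter and issued nonces."""
    def __init__(self, secret):
        self.secret = secret
        self.counter = 0
        self.issued = set()

    def verify_otp(self, tx, code):
        # The OTP is bound to nothing but the counter: any transaction accompanied
        # by a fresh valid code is accepted, whatever its payee or amount.
        if hmac.compare_digest(code, hotp(self.secret, self.counter)):
            self.counter += 1
            return True
        return False

    def challenge(self):
        nonce = secrets.token_hex(8)
        self.issued.add(nonce)
        return nonce

    def verify_tds(self, tx, code):
        # The signature covers payee and amount, and the nonce is consumed on use,
        # so both tampering and replay fail.
        if tx["nonce"] not in self.issued:
            return False
        if hmac.compare_digest(code, sign_transaction(self.secret, tx)):
            self.issued.discard(tx["nonce"])
            return True
        return False

def man_in_the_middle(tx):
    """Relays the user's credentials unchanged but rewrites the payee."""
    return dict(tx, payee="MULE-ACCOUNT-0001")

def run_demo():
    secret = b"12345678901234567890"             # RFC 4226 test secret (constructed seed)
    user_tx = {"payee": "ELECTRIC-CO-4471", "amount": "120.00"}

    # OTP flow: the user's token produces a code, the MitM forwards it with a new payee.
    bank = Bank(secret)
    otp_relayed = bank.verify_otp(man_in_the_middle(user_tx), hotp(secret, 0))

    # TDS flow: the user's device shows payee and amount, then signs them with the nonce.
    bank = Bank(secret)
    tx = dict(user_tx, nonce=bank.challenge())
    sig = sign_transaction(secret, tx)
    tds_tampered = bank.verify_tds(man_in_the_middle(tx), sig)
    tds_honest = bank.verify_tds(tx, sig)
    tds_replay = bank.verify_tds(tx, sig)
    return {"otp_relayed": otp_relayed, "tds_tampered": tds_tampered,
            "tds_honest": tds_honest, "tds_replay": tds_replay}

if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print("%-13s %s" % (name, "accepted" if accepted else "rejected"))
```

The point the demo makes is the one the post makes: a Zitmo-style trojan that forwards SMS OTPs wins in the first flow because the code never mentions the transaction, while in the second flow a forwarded signature is useless once the payee changes. This only holds if the signing device displays the payee and amount it is about to sign on a screen the malware cannot alter; a signature computed inside the same compromised phone protects nothing.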

Wednesday, July 13, 2011

JailBreakMe is a Free Pass for Hackers

One year ago this month, jailbreaking was made legal in the USA, after Apple's claims of copyright infringement were found unconvincing.

Now, popular hacker squad JailBreakMe has made jailbreaking your iPhone easier than ever. Jailbreaking, of course, is when a user hacks into their own phone in order to gain the administrative access the manufacturer had blocked. (To an Android user it's known as "rooting," as in obtaining "root" access.) Such access allows the installation of unofficial operating systems, custom ROMs, unapproved apps, and more. To be sure, given the "approval" system imposed by the Apple App Store, jailbreaking can be very appealing.

JailBreakMe 3.0, the latest version of the software, does away with complicated procedures and tethering your iOS device, and allows you to unlock all the extra goodies online, from a Safari browsing window. The process is even reversible (handy, considering Apple's tight restrictions on warranty). Naturally, the site uses an unpatched flaw in iOS to gain admin rights: in this case, a flaw in how Safari renders PDFs, and once past that point the jailbreaking floodgates open.

However, where there's a JailBreakMe exploit, there's a legitimate security hole.

Sites like JailBreakMe make the process much simpler.

But if visiting the JailBreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone.

If they exploited the same vulnerability in a copy-cat manoeuvre, cybercriminals could create booby-trapped webpages that could - if visited by an unsuspecting iPhone, iPod Touch or iPad owner - run code on visiting devices.

A website like JailBreakMe is making it easy to jailbreak your iPhone or iPad - but it could also be said to be giving a blueprint to malicious hackers on how to infect such devices with malware.

To be clear, JailBreakMe doesn't create holes; it just exploits them. The problem is that if helpful hackers can get past Apple's (lack of) security, malicious hackers can, too. While it might delay the JailBreakMe party some, it is imperative that Apple patch the flaw to prevent trojans from marching in. Browser poisoning is one such risk that users now face. As always, we recommend users adopt strong challenge-response and transaction data signing (TDS) authentication to limit the damage from any infiltration.

One last note on jailbreaking:
Anyone worth their hacking salt can tell you about the dangers of "bricking." For the layman, "bricking" a device means rendering it completely useless as a tech object, i.e. like a brick. Jailbreaking and rooting both run the risk of bricking if not done precisely. This is why, much like an anesthesiologist and his varied patients, there are specific procedures for each device. The jailbreaking community is a dedicated one (the list for Android devices alone is staggering, as it should be considering the number of OS versions floating around).

Perhaps the scariest thing about this flaw is that a remote jailbreak initiated by fraudsters runs the same risk of destroying the phone, or at least voiding the warranty, as an adventurous (and legitimate) end user does. With a sloppy attacker, a device may be ruined before any real attacking occurs. On Android phones in particular, bootloaders are usually unlocked for rooting purposes, breaking manufacturer rules and warranties. This is fine if the device owner accepts the consequences ahead of time, but what about those who would rather not wake up one day to find their device irreversibly altered? Users are now potential victims via multiple vectors.