The Cruel Summer the title of this post refers to, is not the famous ’83 pop hit by Bananarama, but just a brief summary of what is happening on Information Security, most of all for those companies and istitutions falling among the target of Anonymous.
Yesterday the latest: as part of the #Antisec operation and in retaliation for the raids and the arrest again alleged Anonymous and LulzSec members (provided they are the right ones), Anonymous attacked 77 U.S. Law Enforcement Institutions, defacing and destroying their servers.
In the attack, as usual announced by Twitter, massive amounts of confidential and personal information were stolen (10 Gb according to Anonymous), including emails, passwords, classified documents, internal files, informant lists, and more.
Moreover 7,000 law enforcement officials’ private data were posted, including: social security numbers; email accounts and passwords; phone numbers and home addresses.
Here is the list of the compromised domains:
20jdpa.com, adamscosheriff.org, admin.mostwantedwebsites.net,
bakercountysheriffoffice.org, barrycountysheriff.com, baxtercountysheriff.com,
baxtercountysherifffoundation.org, boonecountyar.com, boonesheriff.com,
cameronso.org, capecountysheriff.org, cherokeecountyalsheriff.com,
cityofgassville.org, cityofwynne.com, cleburnecountysheriff.com,
coahomacountysheriff.com, crosscountyar.org, crosscountysheriff.org,
drewcountysheriff.com, faoret.com, floydcountysheriff.org, fultoncountyso.org,
georgecountymssheriff.com, grantcountyar.com, grantcountysheriff-collector.com,
hodgemansheriff.us, hotspringcountysheriff.com, howardcountysheriffar.com,
izardcountyar.org, izardcountysheriff.org, izardhometownhealth.com,
jacksonsheriff.org, jeffersoncountykssheriff.com, jeffersoncountyms.gov,
jocomosheriff.org, johnsoncosheriff.com, jonesso.com, kansassheriffs.org,
kempercountysheriff.com, knoxcountysheriffil.com, lawrencecosheriff.com,
lcsdmo.com, marioncountysheriffar.com, marionsoal.com, mcminncountysheriff.com,
meriwethercountysheriff.org, monroecountysheriffar.com, mosheriffs.com,
newtoncountysheriff.org, perrycountysheriffar.org, plymouthcountysheriff.com,
poalac.org, polkcountymosheriff.org, prairiecountysheriff.org,
prattcountysheriff.com, prentisscountymssheriff.com, randolphcountysheriff.org,
rcpi-ca.org, scsosheriff.org, sebastiancountysheriff.com, sgcso.com,
sharpcountysheriff.com, sheriffcomanche.com, stfranciscountyar.org,
stfranciscountysheriff.org, stonecountymosheriff.com, stonecountysheriff.com,
talladegasheriff.org, tatecountysheriff.com, tishomingocountysheriff.com,
tunicamssheriff.com, vbcso.com, woodsonsheriff.com
It has been an hard Week-End, started with the hack of ManTech, and just ended (maybe) with this further resounding action…
Luckily this dirty July is nearly over… from the meteorological point of view, this summer is not very hot, at least in Italy, the same can not be said for Information Security for which I do not remember a month so troubled. Will it end here, or will the peak (of meterological and information security temperatures) be reached in August?
It looks like the CNAIPIC Hack is really a never ending story… I wonder why each event occurring in Italy, however dramatic, must always have an ironic twist. I already discussed about the shadows surrounding the Italian Cyber Police Hack: few hours ago the latest episode of the farce, an hacker called evil18 defaced the Italian Anonymous Blog with an image of His Holiness Benedictus XVI, who fools the Italian Anonymous for the doubts surrounding the event:
In an Italian characterized by a deep German accent, the Pope (“His Holiness owns you”) fools the alleged perpetrators (“Beautiful Children Go Home”), quoting what it seems to be a chat fragment in which the alleged authors declare they will soon release the entire dump (so far only two releases of the promises three have been published).
The mistery continues…
Kudos to Guelfoweb for reporting the link!
Event quite common in the last times, it looks like another FBI contractor has been hacked, as a consolidated tradition, on Friday. This time the victim is ManTech and the hack has been claimed by Anonymous with a preview twitted by the AnonymousIRC account:
If confirmed the hack could sound quite embarassing, since, as mentioned on the tweet, nearly one year ago, Mantech won a $100M contract for FBI cybersecurity services.
On the other hand, Friday risks seriously to become a black day for FBI after other two infamous attacks happened on the same day (for what Anonymous defines #FFFriday): on June, the 3rd, 180 usernames, real names, passwords, and email addresses were leaked from another FBI contractor, Infraguard, and posted publicily by the LulzSec; on July, the 9h, IRC Federal was hacked, and the content of the leak, dumped at The Pirate Bay.
But also Monday is not a particular safe day for U.S. contractors after Anonymous attacked consulting firm Booz Allen Hamilton on July, the 12th, and released details of internal data including 90,000 military emails and passwords.
The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the security community.
The awards are given out once an year. The fifth annual ceremony will take place on Aug 3rd, 2011 in Las Vegas at the BlackHat USA security conference.
In 2011 there will be nine award categories:
- Pwnie for Best Server-Side Bug
- Pwnie for Best Client-Side Bug
- Pwnie for Best Privilege Escalation Bug
- Pwnie for Most Innovative Research
- Pwnie for Lamest Vendor Response
- Pwnie for Best Song
- Pwnie for Most Epic FAIL
- Pwnie for Lifetime Achievement
- Pwnie for Epic Ownage
Do you remember the hacking matrix I posted several days ago, emphasizing impact and innovation as two key factors in hacking? Well, it looks like the panel of the judges did recognized the value of these two factor (together with a certain amount of shallowness in case of Sony).
(Nearly) all the events drawn in the matrix, which happened in 2011 deserved a nominee for the prize, with the exception of Epsilon Data Breach, whose likely category, Most Epic Fail, has been literally monopolized by Sony with 5 nominations.
RSA deserved a nomination as well in the category “Lamest Vendor Response”, while the category Epic Ownage has been monopolized by LulzSec. Even if LulzSec has been appointed only once for “hacking everyone”, there is also a nomination for Anonymous for “hacking HBGary Federal”, probably this is a mistake since it looks clear that HBGary Federal was hacked by the Lulz Boat as well (as also ironically stressed by the LulzSec group itself).
The other two nominations for the Epic Ownage? Bradley Manning and Wikileaks (but I would also have inserted Lady Gaga since a fake Lady Gaga CD was used to perform the leak, and… most of all Stuxnet, who ranked at the top for impact an innovation in this matrix. Stuxnet is considered the first of a new generation of Cyber-weapons even if, so far, no other malware of similar sophistication has been detected (but U.S. Department of Homeland Security fears a modified Stuxnet variant could soon attack U.S. Infrastructure).
Interesting to notice, as suggested by Network World, whoever will win the Epic Ownage prize will be, in theory, a criminal for the law, consequently Law enforcement could be seriously interested to see if anyone actually shows up to this year to accept the prize for Epic Ownage at Black Hat, since all the nominees will face possible criminal charges.
At this link a complete list of the nominations.
The CNAIPIC Hack is becoming paradoxical. Yesterday Italian Security Professional (and Italian Newspapers) are literally gone crazy in analyzing the event, divided between those who claimed a huge and real damage (in terms of image and substance) for Cyber Italian Police, and those who raised doubts on the event, supported by the few details provided concerning the incident, together with the uncertain identity and origin of the attackers.
A couple of hours ago the last “coup de théâtre”: an official statement (in Italian) from the Italian Anonymous in which they (and the LulzSec) deny the paternity of the attack and dissociate themselves feom the hack (after dedicating ample space to the leak in their blog, claiming responsibility for it), because of the impossibility to verify the veracity of the information. Similarly, after so much noise, the tweets from the two groups are silent since 5/6 hours.
According to the Italian Anonymous the hack is exclusively attributable to the crew NKWT LOAD which is in no way related to Anonymous or LulzSec, and which is the only to possess the 8gbs of data. As a consequence, they may not confirm the accusations against CNAIPIC. At the same way they do not know which vulnerability was exploited to perform the hack.
At the beginning the action seemed a clear retaliation for the Italian Cyber Police raids against the Italian Anonymous splinter cell, but now differente hypotheses are open: a hoax, real data leaked from an Internal source, a simple 8 Gb USB key lost from a contractor or rather an attack from a foreign cyber army (with the attempt to introduce a red harring against the Anonymous)? To be continued with one clear evidence: when dealing with Italian Affairs, using a local expression, “The situation is always desperate but never serious”.
After the initial surprise more details are being divulged about the CNAIPIC Hack disclosed this morning. CNAIPIC stands for Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche) and in practice corresponds to Italian Cyber Police. The event was so resounding to deserve ample space on foreign press as well, starting from BBC, which shows that it has not a mere technical meaning.
Several quick considerations:
- As already stated, CNAIPIC played a primary role during the Campaign of July in which 15 alleged Anonymous members were arrested in 32 raids carried on in Italy and Switzerland. At first glance, this hack seems a clamorous retaliation… But this is too much simple and in my opinion there’s more… During the above mentioned raids, the Italian Police (a statement not reported by local press) reported that: Out of all of the current hacker groups, Anonymous is the largest, but is also populated by the least technical people. Some of its members carry out attacks using software downloaded from the Internet and do not carry out the most basic attempts to secure their IP address. A clear reference to the fact that, until then, the activities of the Anonymous/LulzSec cells in Italy were mainly focused on disruptive DDoS against several sites related to Government, Finance, Telcos and utilities probably made with LOIC without precautions. This attack has shown a much greater level of complexity and this can be easily intended as a kind of “revenge inside the revenge”: Anonymous is not (only) LOIC made DDoS.
- BBC reported that the Anonymous hacker group received the files from a “source”, implicitly suggesting an internal origin for the leak (also suggested by Gizmodo). Honestly speaking I do not agree with this interpretation. As a matter of fact the first tweet announcing the leak on the @AnonymousIRC account was a mere forward from an original tweet by @anonesc (who admitted not to have further details since only forwarded the info). Guess who gave the first tweet? Yes, it was Sabu (thanks to Punto 1 for reporting the info), an old acquaintance, the alleged leader of the LulzSec Group. I have already indicated that this hack resembled the one perpetrated against HBGary Federal which was already performed by Sabu, which could be involved in this hack as well the fact that he was the first to report the CNAIPIC leak cannot be considered a coincidence. Moreover, so far no details concerning the leak were given, not even from the Italian Anonymous and LulzSec.
- The statement was first written in English, of course with the purpose to reach a wider audience. Gizmodo suggests that “the broken English indicates a foreign agent—maybe Italian—and might hint at the possibility of this being an inside job” (considered the average level of English knowledge in Italy the fact that the first statement was written in English should exclude an internal origin but this is a personal consideration :-)). Anyway, the first statement lacks the irony (and the grammar) of the Lulz pastebins (but it looks like the Lulz Boat had a dedicated member, Topiary, for “public relations”). Curiously, the same statement in Italian was released several hours later and, honestly speaking, is a broken Italian, suggesting a quick translation from the original statement, perhaps with Google Translator or a similar tool, without further deep revisions. In any case, to me, it sounds more likely that the hack was performed with a foreign hand: if I were in an Italian attacker’s shoes I would have reserved more attention to my own language.
In any case, internal or external origin, the action is destined to raise many controversies in Italy, making even more bloody the fight against Anonymous.
- Italian Cyber Police Hacked? (paulsparrows.wordpress.com)
This morning the Anonymous tweets are particularly loud in Italy. It looks like a splinter cell of Anonymous hacked the Italian Cyber Police (CNAIPIC) releasing an image previews, two preview archives and a structure of the file archive (links are currently working). According to the related pastebin the content of the whole leak should amount to 8 Gb of data.
The Italian Cyber Police was heavily involved into the 32 raids which led, at the beginning of July, to the arrest of 15 alleged anonymous members in Italy during a campaign which interested the whole country and the Switzerland where the alleged leader of the group resided. Probably, to confirm a consolidated “tradition” of the group, the Anonymous decided to have a clamorous revenge (does this remember the HBGary affair?).
Moreover, this alleged leak follows another resounding leak happened in Italy, nearly in contemporary with the above raids, targeting several of the main Italian Universities.
This July 2011 seems to be endless from an Infosec perspective and, at my memory, I do not remember Italy has ever been involved so much, with actions by both sides.
Here is the full pastebin content:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ____ _______ ________
| | \ _ \ _____ \______ \
| | / /_\ \\__ \ | | \
| |__\ \_/ \/ __ \_| ` \
|_______ \_____ (____ /_______ /
\/ \/ \/ \/
+Legion of Anonymous Doom+ Release Zero1+
This is a prerelease of a series we are going to make to reveal the biggest in history of European LE cyber operation Evidence exploitation and abuse. Thing’s gonna get published and twittered all over anonymous and lulzsec community.
Today we were granted with the Italian law enforcement Pandora box, we really think it shall be a new era of “regreaissance” to the almighty Homeland Security Cyber Operation Unit in EU.
So we decided to leak everything they got since they were established as a full scale cyber taskforce named CNAIPIC.
This corrupted organization gathered all the evidence from the seized property of suspected computer professional entertainers and utilized it over many years to conduct illegal operations with foreign intelligence agencies and oligarchy to facilitate their lust for power and money, they never used obtained evidence to really support ongoing investigations.
Today we reveal a whole Load of stuff (estimated leak would be over 8Gb) from such owned institutions, just to make it clear all of this stuff was stored on CNAIPIC evidence servers for years while people are doing time in jail waiting for the trial while CNAIPIC used the evidence in the global spy game galore:
Egypt: Ministry of Transport and Communication
Australia: Ministry of Defence
Russia: Atomstroyexport, Diaskan, Sibneft, Gazprom etc.
Ukraine: several embassies and consulates on it’s territory
Nepal: Ministry of Foreign Affairs
Belarus: Ministry of Foreign Affairs, Belneftehim, Belspetzexport
Gibraltar, Cyprus, Cayman Islands etc: Tecno Develp, Line Holdings, Dugsberry Inc, Alpha Prime, Alpha Minerals etc.
Vietnam: PetroVietnam (PTSC), Ministry of Natural Resources (MONRE)
USA: EXXON MOBIL, US Department of agriculture and hundreds of attorneys and DOJ accounts including: McCallion & Associates LLP, Goodkind, Labaton, Rudoff & Sucharow, LLP, and hundreds of bullshit agencies we don’t even know why we pay taxes to support all of them.
So to cut the crap let’s get it over with fellaz…
Is the image preview to get a glimpse on what is meant to be said.
first of 2 preview archives with preview documents to get a general idea.
2nd preview archive
CNAIPIC file structure and listing Part 1
Thank you all,
Stay tuned…4 update on this one.
Actually I cleaned it up a little bit in order to show only some of the events happened in 2011, which were inserted in the original matrix. As a reference I left some events of the previous years (inserted in the original matrix as well) in order to have a kind of normalization. They include the infamous Ufo Hacker, the Greek Cellphone Caper, and finally the Palin’s Email Hacking.
As you may easily notice, Stuxnet deserves the Top of the Rock for Innovation and Impact. The infamous malware (the terror the nuclear power plants) has divided the infosec community in different factions: those who consider the malware as the first example of next-gen cyber-weapons developed (maybe by Israel and the U.S.) to seriously damage and delay the Iranian nuclear program (whose development took at least ten years of work), or those who consider it the work of an amateur, a script kid, possibly an astronomer with knowledge of the Holy Bible. Regardless of the real origin, because of its huge exploitation of 0-day vulnerabilities (which make it really contagious) the malware has established a new level, and probably a new standard for the information security landscape.
The RSA breach ranks in a considerable position as well. As known, compromised seeds were used to attack several main contractors of U.S. Defense (L-3, at the beginning of April but disclosed at the end of May, Lockheed Martin, on May, the 22nd, and Northrop Grumman on May, the 26th). As I told in one few posts ago I am afraid that also the Mother of All Breaches, that is the breach of 24,000 files by a Contractor, happened in March but disclosed by Pentagon last week, may be somehow related to the RSA Breach. As a consequence of the latter breach, a classified US military weapons system will have to be redesigned. Because of the impact, this breach should also be included in the matrix.
Probably the effects of the Epsilon Data Breach have been underestimated, since it is likely that security concerns, in terms of phishing, for the owners of breached e-mail addresses will last for years.
Obviously the matrix could not miss the infamous Anonymous and LulzSec Hacking groups. Their actions are considered quite simple with a major impact for the Lulz Boat. The Anonymous group is perhaps unfairly considered only for DDoS, and probably the matrix was drawn before the events of the last days such as the Monsanto Hack performed by Anonymous (whose impact is quite huge and denotes a growing interest of the group towards social problems), or the Sun Hacking (at this link some technical details on the hack).
Finally a quick consideration, of course it is a coincidence, but I could not help noticing that the author of the Ufo Hack, Gary McKinnon, has been diagnosed with the Asperger’s Syndrome, a form of Autism. Curiously the same disease has been diagnosed to Ryan Cleary, the alleged LulzSec member arrested in U.K. on June, the 21st. Probably some individuals suffering of autism spectrum disorders establish with machines the links and relationships they are not able to establish with the other human beings. This explains in part why they are so able with hacking…
Again, thanks to Massimo for reporting this really interesting (and enjoying) link.
- The LulzSec Boat is Back (and sails under The SUN) (paulsparrows.wordpress.com)