About these ads

Archive

Archive for September, 2011

Anonymous vs Syrian Electronic Soldiers

September 28, 2011 2 comments

Hactivism is making possible to bring wars and revolutions on the cyberspace, the fifth domain of war. In particular the Arab Spring has given the definitive consecration to politically driven hacking actions that have proven to be a key factor inside the protests that are changing the political landscape in the Middle East: non conventional weapons used together with “traditional” methods by both parties involved on revolutions: cyber-opponents vs cyber-supporters.

Tunisia has been the first example of this new way to provide backing to social protests: at the beginning of 2011 the Anonymous activists targeted Tunisian government sites. It was the 4th of January and this action (or Operation quoting the same term used by the Anonymous) showed to the world the real, political and social power of the Cyber warfare.

Few days later (June, 26th 2011) the same fate befell to Egypt: government sites were targeted with DDOS attacks which contributed to draw attention to ongoing protests which led to the fall of President Mubarak.

Following the wake of the Arab spring, the Anonymous also took position in the Libyan Revolution declaring their engagement with the rebels. Although, from an information security perspective, no practical consequence followed this statement, it had a huge symbolic significance, since in a clear and decisive manner, an hacker crew crossed the boundary of the cyberspace and took position on a social and political event even before performing any hacking acton.

But in Syria the revolution fought in the fifth domain has reached its “bloody” peak. On August, the 7th 2011 the Anonymous targeted the Syrian Ministry of Defense with a resounding defacement. A couple of days later, in retaliation of the previous defacement, the Syrian Electronic Soldiers defaced Anonplus, the Anonymous Social Network, that had already been, a couple of weeks before, the target of a defacement performed by the same Syrian Crew.

But the “war inside the war” fought between the two groups does not stop here: following the bloody events in Syria, on Sunday, 25th of September, the Anonymous decided to open again the hostilities unleashing a chain of defacement action, against the Syrian Government, hacking and defacing the official sites of seven major Syrian cities, which stayed up in their defaced version for more than 16 hours. The defacement actions kept on the following day in which 11 Syrian Government Sites were defaced as part of the same operation.

Of course a retaliation of the Syrian Electronic Soldier was predictable (and close in time) and targeted, in an unexpected manner, one of the most important US Universities, the University of Harvard which was victim of a resounding defacement on Monday, the 26th of September.

So far the two Cyber Armies have shown an unprecedented impetus in countering their respective acts of cyberwar. Probably the story will not end up here and, most of all, we will have to get used to watch the wars and the revolutions on a double perspective involving real battlefields and virtual battlefields. The problem here is that information security professionals and system administrators are not likely to be mere spectators, but the real soldiers of this non conventional war.

About these ads

The Beauty (RC4) and The BEAST (TLS)

September 25, 2011 5 comments

Hard times for Information Security and for the authentication models it had been built upon. The inglorious falls of  SecureID and Certification Authority Authentication models were not enough in this troubled 2011 and now it looks like the last authentication bastion was breached after Thai Duong and Juliano Rizzo unleashed their BEAST (Browser Exploit Against SSL/TLS) attack.

The attack exploits a well known vulnerability on CBC mode encryption algorythms (such as AES and 3DES) which affects SSL and TLS 1.0. CBC mode encryption divides the plaintext in fixed size blocks (usually 128 bits). In this mode of operation each block of ciphertext is not directly encrypted, rather, before undergoing the operation, is XORed with the previous Ciphertext. Of course the first block of the message may not be XORed with any previous Ciphertext and for this reason an hard-guessable random vector, called IV or Inizialization Vector is chosen to inizialize the encryption process.

During an encryption session (think for instance to an HTTPS session) several TLS messages are transmitted inside the same encryption channel and here come the troubles: unfortunately TLS 1.0 implementation does not use a new IV for each TLS message, that is the ciphertext of the last block of the previous message is used as the Inizialization Vector of the new message. Unfortunately this approach limits the unpredictability of the Inizialization vector: an attacker could in theory try to guess some plaintext somewhere in the encryption stream and inject a crafted plaintext so that if the encrypted output of that block corresponds exactly to the ciphertext of the block in which the guessed original message was encrypted, this means that the attacker’s guess was right. The attack is made possible in theory just because the CBC mode use the output of the previous block as the IV for the next plaintext block.

From a more formal point of view a nice and very clear description is reported at this link which I report in the following lines:

Consider the case where we have a connection between Alice and Bob. You observe a record which you know contains Alice’s password in block i, i.e., Mi is Alice’s password. Say you have a guess for Alice’s password: you think it might be P. Now, if you know that the next record will be encrypted with IV X, and you can inject a chosen record, you inject:

X ⊕ Ci-1 ⊕ P

When this gets encrypted, X get XORed in, with the result that the plaintext block fed to the encryption algorithm is:

Ci-1 ⊕ P

If P == Mi, then the new ciphertext block will be the same as Ci, which reveals that your guess is right.

The question then becomes how the attacker would know the next IV to be used. However, because the IV for record j is the CBC residue of record j-1 all the attacker needs to do is observe the traffic on the wire and then make sure that the data they inject is encrypted as the next record, using the previous record’s CBC residue as the IV.

So apparently nothing new under the sun, except the fact the attack scenario is higly unlikely since the attacker should find a way to guess some patterns and inject some well known patterns inside the encrypted channel unless…

Unless the attacker could inject a large amount of known malicious data at a time (in order to limit the guessable plaintext in each block) and use a Web server side method to inject them.

This is exactly where the two main features of the BEAST attack rely: what if an attacker could guess where the encrypted password is located inside the encrypted channel, and split the original block in several 16 bytes blocks in which a single byte contains the original character of the password and the remaining 15 bytes contain the malicious known padding? Quite Easy! The attacker should try “only” 2^8 (256) possible values in order to guess the first character and obtain the same encrypted output than the crafted plaintext. Once guessed the first character, he could obtain the IV for the next block from the ciphertext, and guess the next character of the password in the next block with the same method: the first byte is known to be the first character of the password, the second byte is the unknown quantity and the other 14 bytes contain the malicious known padding. Shifting up to the last block the attacker could obtain the password.

Of course in theory there is still a big issue consisting in the injection of the known pattern in the encryption channel. In order to overcome it the attackers used a method (for which so far few details were disclosed) leveraging Web Sockets, a technology which provides for bi-directional, full-duplex communications channels, over a single TCP Socket. In a meshed-up world, Web Sockets are used for instance when a Web Server redirects a browser to another server to get a certain content (for instance an embedded Image). In Web Socket models, the browser handshakes directly with the remote server and verify if the connection is ok from the first server (origin based consent).

The same article mentioned above delineates how Web Sockets may be exploited to perpetrate the attack:

Say the attacker wants to recover the cookie for https://www.google.com/. He stands up a page with any origin he controls (e.g., http://www.attacker.com/. This page hosts JS that initiates a WebSockets connection to https://www.google.com/. Because WebSockets allows cross-origin requests, he can initiate a HTTPS connection to the target server if the target server allows it (e.g., because it wants to allow mash-ups). Because the URL is provided by the attacker, he can make it arbitrarily long and therefore put the Cookie wherever he wants it with respect to the CBC block boundary. Once he has captured the encrypted block with the cookie, he can then send arbitrary new packets via WebSockets with his appropriately constructed plaintext blocks as described above. There are a few small obstacles to do with the framing, but Rizzo and Duong claim that these can be overcome and those claims seem plausible.

Although TLS 1.1 and 1.2 introduce a randomizaton of the IV for each message, the dramatic thing is that TLS 1.1 has been published in 2006 but it is far from being commonly adopted. The funny thing is that in order to mitigate the attack Web Servers should use a cipher which does not involve CBC mode, as for instance RC4 (back to the future).

Google servers already use RC4 while Chrome developers are testing a workaround. Will RC4 be enough to save the infosec world from the fall of authentication?

Cyberwar, Il Quinto Dominio Della Guerra

September 24, 2011 1 comment

Le Cyberwar sono state definite il quinto dominio della guerra. Ma se doveste spiegare in parole semplici a cosa corrisponde una Cyberwar come la definireste? In queste slide divulgative, redatte in occasione di un convegno al quale sono stato invitato, ho cercato di inserire la mia personalissima risposta con gli esempi più famosi del 2011 e alcuni collegamenti, apparentemente improbabili, alla vita di tutti i giorni.

Le slide non sono tecniche e qualche purista storcerà sicuramente il naso. Per chi volesse approfondire tutto il materiale è reperibile all’interno del blog sotto i tag Stuxnet, RSA, e naturalmente all’interno del Master Index relativo agli attacchi informatici del 2011.

Visto il tempo (e lo spazio) a disposizione nelle slide non sono citati gli esempi di Operation Aurora e Shady RAT. Alla fine la sostanza non cambia: entrambi rimangono comunque esempi degni di nota (anche se il secondo è ancora argomento di controversia).

Per ulteriori dettagli sulle altre vittime illustri (Fondo Monetario, ONU, etc.) il punto di riferimento è sicuramente il Master Index.

Buona Lettura.

September 2011 Cyber Attacks Timeline (Part I)

September 15, 2011 5 comments

So here it is, also for this month, the first part of My Cyber Attacks Timeline covering the first half of September.

Apparently It looks like the wave of the Anonymous attacks that characterized August has stopped. Even if several isolated episodes occurred, their impact was slightly lower than the previous months.

Probably the most important security incident for this month was the Diginotar Hack, not only because the Dutch Certification Authority has been banned forever by the main browsers and OSes but also because all the authentication model based on CAs is under discussion. Moreover once again a cyber attack has been used as a mean of repression. This incident is a turnkey point for information security but in my opinion also the DNS hacks by Anonymous Sri Lanka and Turkguvenligi are noticeable since they reinforce the need for a quick adoption of DNSSEC.

For the first time not even the Linux Operating System (an open world) was immune from hackers: both the Linux Kernel and the Linux Foundation Web Sites were hacked during this month, two episodes that Penguin Lovers will remember for a long time.

Easily predictable an attack recalling 9/11 carried on against the Twitter Account of NBC News was also reported.

Other noticeable events: three huge data breaches were reported, four attacks with political motivations targeting India, Nigeria, Colombia, and the Russia Embassy in London were perpetrated and another security vendor (Panda Security) was indirectly targeted.

The remainder of the month was characterized by many smaller attacks (mostly defacements and data leaks) and an actress (Scarlett Johansson) was also victim of data leaks.

Useful Resources for compiling the table include:

And my inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.

Date Author Description Organization Attack
Sep 1

?

Kernel.org

The site of Kernel.org suffered a security breach leading which caused the server to be rooted and 448 credential compromised. Although it is believed that the initial infection started on August the 12th, it was not detected for another 12 days.


rootkit (Phalanx)
Sep 1
Apple, Symantec, Facebook, Microsoft, etc.

The Sri Lankan branch of Anonymous claims to have hacked into the DNS servers of Symantec, Apple, Facebook, Microsoft, and several other large organizations over the past few days,  posting the news and records of its exploits on Pastebin.


DNS Cache Snoop Poisoning
Sep 1 ?
Birdville Independent School District

Two students hack into their school district’s server and accessed a file with 14,500 student names, ID numbers, and social security numbers. Estimated cost of the breach is around $3,000,000.

?
Sep 2 Texas Police Chiefs Association

As usual happens on Fridady, Texas Police Chiefs Association Website is hacked by Anonymous for Antisec Operation. Hacker defaced their website and posted 3GB of data in retaliation for the arrests of dozens of alleged Anonymous suspects. According to Hackers the site has been owned for nearly one month.

SQLi?
Sep 2
EA Game Battlefield Heroes

One of the most famous games over the world Battlefield Heroes developed by EA Games is hacked by a hacker named “Why So Serious?” who leaks the User Login passwords on pastebin

SQLi?
Sep 2
vBTEAM Underground

Vbteam.info, the underground vBulletin Hacking website is hacked by “Why So Serious?“, who leaks 1400+ accounts of the Vbteam.info forum in pastebin.

SQLi?
Sep 3 Nomcat
Indian Government

An Indian Hacker named “nomcat” claims to have been able to hack into the Indian Prime Ministers Office Computers and install a Remote Administration Tool) in them. He also Exposes the Vulnerability in Income Tax website and Database Information.

SQLi?
Sep 4

Popular Websites: : Daily Telegraph, The Register, UPS, Vodafone

Popular websites including The Register, The Daily Telegraph, UPS, and others fall victim to a DNS hack that has resulted in visitors being redirected to third-party webpages. The authors of the hack, a Turkish group called Turkguvenligi, are not new to similar actions and leave a message declaring this day as World Hackers’ Day.


DNS Hijacking
Sep 5
Mobile App Network Forum

Mobile APP Network Forum is Hacked by “Why So Serious?”. He leaks over 15.000 accounts of the community (Forum) on Pastebin in two parts (Part 1 and Part 2).

SQLi?
Sep 5

European Union Institute For Energy and Transport

One of the Sub domain of European Union (Institute for Energy) is hacked and Defaced by Inj3ct0r. Hackers deface the web page, release some internal details and leave a message against Violence in Lybia and Russian influence in Ukraine.

http://ie.jrc.ec.europa.eu
Defacement
Sep 5  Cocain Team Hackers United Nations Sub Domain of Swaziland

United Nations Sub-Domain of Swaziland is hacked and defaced by Cocain Team Hackers. 

UN Logo
Defacement
Sep 5
Uronimo Mobile Platform

The Uronimo Mobile platform is hacked by Team Inj3ct0r. They leak the web site database and release on Pastebin internal data including Username, Hash Password, emails and Phone Numbers of 1000 users. Estimated Cost of the Breach is $214,000.


SQLi?
Sep 6 Comodo Hacker
Diginotar

The real extent of the Diginotar breach becomes clear: 531 bogus certificates issued including Google, CIA, Mossad, Tor. Meanwhile in a pastebin message Comodo Hacker states he own four more CAs, among which GlobalSign which precautionally suspends issuance of certificates.


Several Vulnerabilities
Sep 7 ?
Beaumont Independent School District

The superintendent of schools for Beaumont Independent School District announces that letters are being mailed to parents of nearly 15,000 of its 19,848 students to inform them of a potential breach of data that occurred recently. Inadvertently, private information including the name, date of birth, gender, social security number, grade and scores on the Texas Assessment of Knowledge and Skills (TAKS) exam of students who were in the third through 11th grades during the 2009-2010 school year–were potentially exposed.  Estimated cost of the breach is $3,210,000.


Human Mistake
Sep 7 ?
Stanford Hospital, Palo Alto, Calif.

A medical privacy breach leads to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes. The information stayed online for nearly a year from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork. Estimated Cost of The Breach is $4,280,000.

Human Mistake
  Sep 9 Comodo Hacker
GlobalSign

After suspending issuing certificates, GlobalSign finds evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website.


?
Sep 9
 Comodo Hacker
Google

As consequence of the infamous Diginotar Breach Google advises its users in Iran to change their Gmail passwords, and check that their Google accounts have not been compromised. Google also indicates that it is  directly contacting users in Iran who may have been hit by a man-in-the-middle attack.


Man In The Middle
Sep 9
NBC News

The NBC News Twitter account is hacked and starts to tweet false reports of a plane attack on ground zero. The account is suspended and restored after few minutes.


Trojan Keylogger  via Email
Sep 9 ?
Samsung Card

Data of up to 800,000 Samsung Card clients may have been compromised after an employee allegedly extracted their personal information. The Breach was discovered on Aug. 25 and reported to police on Aug. 30. It is not clear what kind of information has been leaked, maybe the first two digits of residence numbers, the names, companies and mobile phone numbers were exposed. Estimated cost of the breach is $171,200.000.


Unauthorized Access
Sep 10 ?
BuyVIP (Amazon Owned)

Although not officially confirmed, BuyVIP users received an e-mail informing that their database had been hacked. Apparently, the website had been offline for a couple days and it looks like that not only names and email addresses were retrieved, but also birth dates, real shipping addresses as well as phone numbers.


SQLi
Sep 11 ?
Linux Foundation

Few weeks after the kernel.org Linux archive site suffered a hacker attack, the Linux Foundation has pulled its websites from the web to clean up from a security breach. A notice posted on the Linux Foundation said the entire infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011.

Linux Foundation
SQLi?
Sep 11
AryansBook.com

Anonymous leaks the complete database from a well known nazi website AryansBook.com and posts the content on The Pirate Bay. This is a fight towards racism of any kind.

AryansBook
SQLi?
Sep 12 ?
Bitconitalk Forum

An unknown hacker uses a zero day flaw to steal email addresses, hashed passwords and read personal messages from the bitcointalk.org forum. Forum administrators said the attacker gained root access on 3 September and was able to run arbitrary PHP code not detected until the attacker injected “annoying JavaScript” into the forum pages a week later: the Javascript splashed actor Bill Cosby across the forums and replaced all references to BitCoin with CosbyCoin.

Bitcoin
0-day exploit in SMF
Sep 12 ?
Nigerian Government Website

Nigerian Government Website is hacked and defaced by Brazilian Hackers that leave a message in the main page.


Defacement
Sep 12 ?
Vacationland Vendors

A hacker gains unauthorized access to the card processing systems at Wilderness Waterpark Resort  and improperly acquires 40,000 credit card and debit card information. Estimated Cost of the Breach is $8,560,000.


N/A
Sep 12 X-Nerd Panda Security

Another Security Company Hacked: a hacker going by the name of X-Nerd hacks and defaces the Pakistan Server of a very well known security software website:  Panda Security.


SQLi?
Sep 12 ?
Russian UK Embassy

Just before Prime Minister David Cameron’s first visit to Moscow, the website belonging to the Embassy Of The Russian Federation in London was taken down by hackers. It seems as the attack was launched in sign of protest to the upcoming visit after a 5-year break in which no British leader went to Moscow.

DDoS
Sep 13 Cyb3rSec
thetvdb.com

Cyb3rSec dumps a list of 3500+ Accounts from the forum thetvdb.com.

SQLi?
Sep 13
top100arena.com

Albanian hackers belonging to Albanian Cyber Army exploit one of the biggest Game Arena site “Top100″ database using SQL injection attack. They leak the database on mediafire.

SQLi
Sep 14
President of Bolivia (presidencia.gob.bo)

SwichSmoke crew hacks the site belonging to President of Bolivia and dumps the leaked data on pastebin.

Various Exploits
Sep 14 ?
uTorrent.com

The uTorrent.com Web servers has been compromised and consequently the standard Windows software download was replaced with a type of fake antivirus “scareware” program.

  SQLi
Sep 14 ?
Bright House Networks

Bright House Networks, the sixth largest owner and operator of cable systems in the U.S., has sent a letter to customers warning that they may have been exposed after servers used to process Video on Demand (VOD) were breached.

  ?
Sep 14 ?
Scarlett Johansson

Also an actress may be victim of hackers: The FBI investigate reports that nude photos of a famous celebrity (allegedely Scarlett Johansson) have been leaked onto the web. The day before Twitter was flooded with messages claiming to link to naked pictures of her, which were allegedly stolen from her iPhone by a hacker earlier this year.

  ?
Sep 15 Stohanko
Various Sites

More than 101 sites, with huge amount of data and personal information which ranges from emails, phone numbers, to full names and addresses, have been hacked by an hacker dubbed Stohanko. At this link a list of the hacked sites and the links to dumped data.

?

Anatomy Of A Twitter Scam

September 15, 2011 4 comments

Do you remember Mobile Phishing and the related risks? Well This morning I had a bad surprise and could see it anction with my hands (or better with my fingers on the display of my Android Device).

This morning I woke up early (6 AM) since I previously arranged a travel to my hometown which takes approximately 4 hours. As usual I have the bad habit to check email upon awakening, directly from my Android device. This morning found a strange DM strange DM on my Twitter Account:

This made me laugh so hard when i saw this about you lol hxxp://t.co/AusOXeQ

I already exchanged some DMs in English with this contact, so, the content was not so strange (probably a similar message from an Italian contact would have received a different impact and triggered an alarm bell). Moreover I suppose my neurons were not completely up and running (actually they are rerely in this state), so a little bit for curiosity, a little bit for fun I clicked the link directly from my mobile device.

In the following screenshots you may realize how easy and dangerous for the user, mobile phishing is: as a matter of facts the link points to a bogus Twitter-like site, but, believe me, from a 3.7″ screen is really difficult to discriminate it.

The page is really similar to the real one:

But yes, if you look carefully at the address bar (but at the 6 AM with the sleep fog surrounding you is not so easy) you will notice a misplaced detail and it is the link (currently up): hxxp://www.ltwittier.com/session-verify (but not all the address is visibile on the bar). If you click on the text box the situation is even worse since the address bar, a default beaviour for the Android Browser, disappears.

Needless to say, if you login, your account will be hacked and your contacts will suffer the same fate.

This event shows how easy is to fall victim of phishing in case of mobile devices and, even worse, in case the bait comes from Social Network (and a professional social network how Twitter is for me, in which I trust the reputation of my contacts).

Always remember to check the links and be careful to follow strange links from mobile devices!

P.S.

If you point to the incomplete link: hxxp://www.ltwittier.com/ there is a clear evidence of the fact that the site is bogus:

http://paulsparrows.files.wordpress.com/2011/09/wronglink.png” alt=”” width=”300″ height=”494″ />

Processor Assisted Or OS Embedded Endpoint Security?

September 14, 2011 1 comment

Yesterday, September the 13th 2011, the Information Security Arena has been shaken by a couple of announcements earthquakes unleashed by two of the most important players in this market.

The first earthquake was detected in San Francisco, at the Intel Developer Forum, where McAfee announced DeepSAFE, a jointly developed technology from McAfee and Intel that enables to build hardware-assisted security products that take advantage of a deeper security footprint. According to McAfee, sitting beyond the operating system and close to the silicon, DeepSAFE technology allows to gain an additional vantage point in the computing stack to better protect systems. Although initially conceived as an anti-rootkit (and 0-day) technology, McAfee promises that DeepSAFE Technology will be the foundation for its next gen security products, maybe landing also on the Android Platform (but not on Intel’s MeeGo Mobile Platform).

The second earthquake was detected in Redmond where Microsoft announced that antivirus protection will be a standard feature for its next gen flagship OS Windows 8: features from its Security Essentials program, currently available as a separate download for Windows users, will be added to the Windows Defender package already built into Windows, allowing the users to get out-of-the-box protection against malware, along with firewall and parental controls, from within Windows without requiring a separate software. Another new security feature being baked into Windows 8 is protection from bootable USB drives that are infected with malware.

Although easily predictable (even if Microsoft took only 6 years to fully embed Sybari technology inside its OSes after the 2005 acquisition, rumors on a hardware assisted security technology were the pillars of the McAfee acquisition by Intel), these announcements have a potential huge impact on the landscape, both for consumers and more in general for the whole antivirus industry.

As fare as the Micorsoft announcement is concerned, consumers will be happy to find a free “OS-embedded” antimalware solution inside their (favourite ?) desktop operating system, on the other hand the antivirus industry will likely not be happy to have an embedded competitor to fight against (and to disable during the installation of their own products).

Similarly, just like the Operating System, the processor itself is a “necessary evil” for a PC so the other endpoint security vendors will not be happy to fight against a competitor technology which (quoting textual words) allows “McAfee DeepSAFE technology (to) sit beyond the operating system (and close to the silicon) allowing McAfee products to have an additional vantage point in the computing stack to better protect systems.”

Of course all this turmoil on the endpoint security arena looks paradoxical if compared with Google’s assertions according to which, its brand new ChromeOS will need no antivirus at all because of its many built in layers of security. On the other hand it risks to become a turmoil for the consumer who will have soon to face an hard question: will my next operating system need “software embedded” antimalware, “hardware assisted” antimalware or no antimalware at all?

Personally I do not like the idea of a single Microsoft Antivirus for every PC equipped with Windows 8 (a single vulnerability would be enough to infect millions of devices), in the same way I believe that an Operating System without antimalware protection is an unrealistic model which is not compatible with the multi-layer approach of the endpoint security (it is not a coincidence that ChromeOS has already fallen under the blows of a XSS vulnerability.

Similarly I do believe that, in order to avoid (further) Antitrust lawsuits Intel will open its direct access to processor layer to other vendors besides McAfee. On the other hand, in order to obtain the “go-ahead” from the European Commission, Intel promised to ensure that rival security vendors will have access to “all necessary information” to use the functionalities of Intel’s CPUs and chipsets in the same way as those functionalities are used by McAfee, the commission said in a statement…

Otherwise the lawyers seriously risk to be the sole winners of this endpoint revolution.

An E-mail Attack to Ground Zero

September 11, 2011 1 comment

Easily Predictable, the 10th 9/11 anniversary turned out to be a too tempting opportunity for unscrupulous hackers and cyber pranksters. Probably the NBC News Twitter account (and its 130,000 followers) will remember this anniversary eve for a long time after, late on Friday September the 9th, the Twitter account started to tweet false reports of a plane attack on ground zero.

Original Image by Naked Security

Although there were some misplaced details on the tweets, few minutes later the Company Chief Digital Officer, admitted the account was hacked, asking their followers not to retweet the bogus tweets:

The account was suspended and restored after few minutes, and you will probably remember that the misplaced detail, that is The Script Kiddies who claimed to have hacked the account, are not new to such similar actions since they already hacked the FOX News political account on July, the 4th 2011, announcing a bogus report on Mr. Obama death.

This is not a coincidence, probably the hacker(s), a splinter cell of Anonymous and LulzSec have exploited the same (human?) vulnerability. The NBC News account is tightly controlled and only three NBC News executives have the password.

One of them, Ryan Osborn, the NBC director of social media, said he was monitoring the account at the time and noticed the bogus messages within seconds, noticing that the password to NBC News’ Twitter account had been altered. He immediately contacted Twitter, which shut the account down eight minutes after the tweets appeared.

But there is a further particular: although the warning on easily predictable 9/11 scams, Osborn said he recently received a suspicious email as Hurricane Irene was approaching New York. The email came from an unknown sender with the subject “Hurricane Alert” and the message:

Ryan, You need to get off Twitter immediately and protect your family from the hurricane. That is an order.

Osborn wrote back “I’m sorry. Who is this?” and the sender then replied:

I’m the girl next door

with an attachment. Osborn said he mistakenly clicked on the attachment and it contained a Christmas tree.

Probably that click was fatal and injected a Trojan Keylogger on Osborn’s PC, which was used to steal the password.

The FBI is investigating the NBC News Twitter account hacking but one thing is clear: Twitter accounts are becoming a preferred target for this kind of hacks, they allow to reach a wide audience in few seconds with the double result to quickly (and virally) spread panic among followers and amplify the echo (and visibility) of the attack. Moreover, there is no need to perpetrate huge attacks to compromise the server infrastructure since the entry point is human and human defenses have proven to be extremely much weaker and easy to penetrate (a simple email is enough) than digital defenses.

Last but not least, this is only the latest occurrence of an attack carried on via malicious attachments which are being deployed to carry on complex multilayered attacks (as in case of RSA Breach), or simple questionable pranks (as in case of NBC News or Fox News).

I miss the good old days when the threat via e-mail could be at most spam…

An Industry Wide Attack

September 9, 2011 3 comments

9/9/2011: Globalsign admitted evidence of a breach to the web server hosting the www website:

Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.

Starting from March 2011, one might say that the authentication bastions have been crumbling one after another. In hindsight, one event in particular occurred during March 2011 has been mostly underestimated. Of course I am not referring to the RSA affair, but to the Comodo Hack, whose only blame was to happen too close in time to the RSA Breach, which ended up obfuscating its impact for the Information Security Landscape … At least until August 2011.

As a matter of fact when, immediately after the Comodo Hack, the so called Comodo Hacker published on pastebin his declaration of Cyberwar, no one considered the hypothesis that other Certification Authorities could have been equally compromised. Consequently, although the hack was classified as a serious cyberattack, driven by a political matrix and capable to establish a new (unwelcome) record, it was considered an isolated episode, mainly due to the scarce attention to application security by the targeted Comodo partner. Moreover the final target (Google) and the political reasons behind the attack deserved much more attention than the means used to perpetrate the attack itself: the first-time compromission of a Certification Authority, a completely inedited attack vector.

Nearly four months later, the Diginotar hack (again an attack with alleged political reasons behind although according to Trend Micro it targeted Iranian Internet users) has shown to the world the weaknesses of our authentication model and its chain of trust. Not only the hacker was able to forge more than 500 fake Code Sign and SSL certificates, but he also claimed to have access to other four CAs, quoting explicitly GlobalSign, and indirectly another one StartCom, which was able to avoid the hack since its CEO was sitting in front of the HSM during the attack, although the Comodo Hacker claims to own email, DB Backup and Customer data.

Trust in Diginotar Certificate Authority has been revoked from all browsers and OSes, permanently from all Mozilla Products, but not from Smartphones, with heavy consequences for the Dutch government’s PKIoverheid (PKIgovernment) program. Of course, easily predictable, the assertions from Comodo Hacker triggered panic between cert providers. On September the 6th GlobalSign decided to temporary cease issuance of all certificates as a precautionary measure and appointed Fox-IT to perform an intensive audit (Fox-IT is the same Dutch Cybsersecurity Company which performed the audit on Diginotar); on September the 7th Symantec released a statement to reassure their customers their infrastructure has been audited and it is not compromised. A similar announcement has been published by Thawte after an erroneous report from a Dutch Government agency according to which the Security firm had been breached. Unfortunately the story does not end here and although the Comodo Hacker promises further disclosures.

If I can spend few words on the question, the best way to describe it is to quote a statement from GlobalSign: “these claims (from Comodo Hacker) represent an industry wide attack”. Said in simple words: the aftermaths of the Diginotar hack will force to rethink the current authentication model and chain of trust (even because authentication technologies and vendors are increasingly tied) even if we seriously risk to run out of ammo: in this year we lost tokens and CAs… Now What Else?

Just For Reference…

September 7, 2011 2 comments

I built a brand new web page which I called master index, collecting all the Main Cyber Attacks for 2011 according to my personal Criteria. You can find it in the top menu bar or at this explicit link. Of course I will keep it up-to-date as soon as I will publish my monthly reports.

Have a nice read and please… Retweet if you feel like doing it!

Date Description Original Article Preview
Jun 22 2011 2011 Cyber Attacks Timeline (Jan-Jun 2011), original chart by Thomson Reuters 2011 CyberAttacks Timeline
Jun 28 2011 2011 Cyber Attacks Timeline (Jan-Jun 2011), enhanced version based on the Thomson Reuters chart 2011 Cyber Attacks (and Cyber Costs) Timeline (Updated)
Aug 2 2011 July 2011 Cyber Attacks Timeline: List of Main Cyber Attacks from 1 to 31 July 2011.

July 2011 Cyber Attacks Timeline

Sep 2 2011 August 2011 Cyber Attacks Timeline. List of Main Cyber Attacks from 1 to 31 August 2011.

August 2011 Cyber Attacks Timeline

Is It Time for DNSSEC?

September 5, 2011 2 comments

DNSSEC in European Country Code Top Level Domains (green=deployed, yellow=planning to deploy) Source RIPE NCC

The media are in a frenzy today, reporting a wave of attacks against popular websites such as Daily Telegraph, The Register, UPS, Acer, Vodafone.com and others. All the attacks utilized the same method (DNS Hijacking) and have been carried on by the same Turkish Group: Turkguvenligi.

Turkguvenligi is not new to such similar actions (early this August, the same crew defaced the web site of HSBC Korea), what is really new is the fact that in this last month the current DNS protocol is showing all its limits and security issues, recalling the need for a quick adoption of DNSSEC, the well known and long awaited evolution of the Domain Name System Protocol, which aims to prevent attacks such as DNS Hijacking or DNS Cache Poisoning by mean of digitally signing the records for DNS lookup using public-key cryptography.

Looking back to the last cyber attacks, DNS has been under pressure and has become a privileged direct and indirect target: at the end of August Anonymous Sri Lanka claimed (although not confirmed) to have hacked into the DNS servers of Symantec, Apple, Facebook, Microsoft, and several other large organizations by mean of DNS Cache Poisoning. Moreover DNS protocol was also involved on the propagation of the infamous RDP capable W32.Morto worm which established, according to Symantec, a new (DNS) record, since the researchers of the security firm discovered on the malware a communication mechanism using the DNS TXT records towards hard coded domains a customary to receive binary signature and an IP address where to download a file (typically another malware) for execution.

Of course not even the dramatic Diginotar affair (whose impact is much greater than expected since it looks like the attackers forged fake SSL certificates for more than 200 domains including Mossad, CIA, etc.) can be considered completely unrelated to the question since, if used in combination (and as a complement) with SSL, although not perfect, DNSSEC could provide an alternative method to validate that the surfer is connecting to the correct site (this attack is particularly meaningful, today we do not have DNSSEC and we cannot trust CAs anymore…).

Unfortunately, although designed to be fully backward compatible with the current protocol implementation, DNSSEC is not something which can be enabled by the user, but involves a reconfiguration at the server level (and introduces new concerns such as Zone Enumeration Issue and Key Management).

Nevertheless more and more ISPs and agencies are adopting this technology since 2005 (for instance RIPE NCC). A crucial step has been made on 2010 with the DNSSEC adoption at the root level, and also client applications are offering DNSSEC validation, as Google Chrome does, which provides full DNSSEC Validation in version 14.

And Italy? It looks like we will be slave of DNS Security issues for a long time: in the “DNSSEC Deployment Today” Document issued by NCC RIPE, Italy is sadly marked gray, indicating there is no adoption plan so far.

Follow

Get every new post delivered to your Inbox.

Join 2,898 other followers