Archive
December 2011 Cyber Attacks Timeline (Part II)
This infamous 2011 is nearly gone and here it is the last post for this year concerning the 2011 Cyber Attacks Timeline. As you will soon see from an infosec perspective this month has been characterized by two main events: the LulzXmas with its terrible Stratfor hack (whose effects are still ongoing with the recent release of 860,000 accounts), and an unprecented wave of breaches in China which led to the dump of nearly 88 million of users for a theoretical cost of nearly $19 million (yes the Sony brech is close). For the rest an endless cyberwar between India and Pakistan, some hactivism and (unfortunately) the usual amounts of “minor” breaches and defacement. After the page break you find all the references.
Last but not least… This post is my very personal way to wish you a happy new infosec year.
One Year Of Lulz (Part II)
Christmas has just gone and here it is my personal way to wish you a Happy New Year: the second part of my personal chart (first part here) of Main 2011 Cyber Attacks covering the time window from August to November 2011 (December is not yet finished, and featuring remarkable events, so expect an update very soon). This memorable year is nearly over and is time, if you feel nostalgic, to scroll down the second part of the list to review the main Cyber Events that contributed, in my opinion, to change the landscape and the rules of the (information security) game. Many events in this period among whom, IMHO, the most noticeable is the one carried on against Diginotar. Since then our trust in conventional authentication models is not (and will not be) the same anymore.
Of course this is my personal selection. Suggestions are well accepted and if you need more details about the cyber events in 2011, feel free to consult my 2011 Cyber Attacks Master Index. As usual after the page break you find all the references…
December 2011 Cyber Attacks Timeline (Part I)
As usual, here it is my compilation of December Cyber Attacks.
It looks like that Christmas approaching is not stopping hackers who targeted a growing number of organizations including several security firms (Kaspersky, Nod 32 and Bitdefender) even if in secondary domains and with “simple” defacements.
Cyber chronicles report of Gemnet, another Certification Authority Breached in Holland (is the 12th security incident targeting CAs in 2011) and several massive data breaches targeting Finland (the fifth this year, affecting 16,000 users), online gambling (UB.com affecting 3.5 million of users), Telco (Telstra, affecting 70,000 users), and gaming, after the well known attacks to Sony, Sega and Nintendo, with Square Enix, which suffered a huge attacks compromising 1,800,000 users (even if it looks like no personal data were affected).
Online Payment services were also targeted by Cybercrookers: a Visa East European processor has been hit by a security breach, but also four Romanian home made hackers have been arrested for a massive credit card fraud affecting 200 restaurants for a total of 80,000 customers who had their data stolen.
As usual, hacktivism was one of the main trends for this first half of the month, which started with a resounding hacking to a Web Server belonging to ACNUR (United Nations Refugees Agency) leaking more than 200 credentials including the one belonging to President Mr. Barack Obama.
But from a mere hactvism perspective, Elections in Russia have been the main trigger as they indirectly generated several cyber events: not only during the election day, in which three web sites (a watchdog and two independent news agencies) were taken down by DDoS attacks, but also in the immediately following days, when a botnet flooded Twitter with Pro Kremlin hashtags, and an independent forum was also taken down by a further DDoS attacks. A trail of events which set a very dangerous precent.
Besides the ACNUR Hack, the Anonymous were also in the spotlight (a quite common occurrence this year) with some sparse attacks targeting several governments including in particular Brazil, inside what is called #OpAmazonia.
Even if not confirmed, it looks like that Anonymous Finland might somehow be related to the above mentioned breach occurred in Finland.
Other interesting events occurred in the first two weeks of December: the 0-day vulnerability affecting Adobe products, immediately exploited by hackers to carry on tailored phishing campaigns and most of hall, a targeted attack to a contractor, Lockheed Martin, but also another occurrence of DNS Cache Poisoning targeting the Republic of Congo domains of Google, Microsoft, Samsung and others.
Last but not least, the controversial GPS Spoofing, which allegedly allowed Iran to capture a U.S. Drone, even the GPS Spoofing on its own does not completely solve the mistery of the capture.
Other victims of the month include Norwich Airport, Coca Cola, and another Law Enforcement Agency (clearusa.org), which is currently unaivalable.
As usual after the page break you find all the references.
One Year Of Lulz (Part I)
Update December 26: 2011 is nearly gone and hence, here it is One Year Of Lulz (Part II)
This month I am a little late for the December Cyber Attacks Timeline. In the meantime, I decided to collect on a single table the main Cyber Attacks for this unforgettable year.
In this post I cover the first half (more or less), ranging from January to July 2011. This period has seen the infamous RSA Breach, the huge Sony and Epsilon breaches, the rise and fall of the LulzSec Group and the beginning of the hot summer of Anonymous agsainst the Law Enforcement Agencies and Cyber Contractors. Korea was also affected by a huge breach. The total cost of all the breaches occurred inthis period (computed with Ponemon Institute’s estimates according to which the cost of a single record is around 214$) is more than 25 billion USD.
As usual after the page break you find all the references.
Again On The Carrier IQ Saga
Yesterday I posted evidence about the presence of the infamous Carrier IQ Software in Italy. Today another episode (I presume will not be last) of what it si becoming an endless Saga. Following the forthcoming investigations of privacy regulators in the U.S. and Europe, and the last-minute speculations concerning the fact Carrier IQ technology has been used by FBI, Carrier IQ has just published a 19 pages document trying to explain in detail what the IQ agent does. After reading the document, it is clear that the affair will not stop here.
The documents analyzes what the software really does, tries to confute Trevor Eckhart’s assertions and, most of all, admits that some SMS may have been collected (even if not in human readable form), because of a software flaw.
Interesting to mention, there are three ways in which Carrier IQ’s customers (the operators, not the end users!) install the IQ Agent: pre-load, aftermarket and embedded. The pre-load and embedded versions which differ among themselves for the fact that the pre-loaded agent may not provide RF data, cannot “typically” be deleted by an end user.
In any case Network Operators and handset manufacturers determine whether and how they deploy Carrier IQ software and what metrics that software will gather and forward to the Network Operator.
Several Remarkable Points:
In typical deployments, the IQ Agent uploads diagnostic data once per day, at a time when the device is not being used. This upload, which averages about 200 kilobytes, contains a summary of network and device performance since the last upload, typically 24 hours.
The profile, written by Carrier IQ based on information requested by operators, defines which of the available metrics may to be gathered and contains the following information:
- Should information be collected in anonymous mode or with the hardware serial number and the subscriber serial number being used (e.g. IMEI & IMSI)?
- The frequency of metrics uploads and instructions on what to do if the user is roaming or not on the network
- The specific metrics from which to gather data
- Instructions for pre-processing of metrics to create summary information
Profiles may also be subsequently updated.
As far as Trevor Eckhart’s video is concerned, and his findings related to the fact that the agent logs SMS and keystrokes in clear text, Carrier IQ indicates this log log essentially as a consequence of debug enabled, which is not a common (and recommended) situation in normal usage. Moreover the only captured keystroke is a specific numeric key code entered by the user to force the IQ Agent software to start an upload.
Our privacy is safe? Not at all, few lines after the above quoted statement the company declares that:
Carrier IQ has discovered that, due to [....] bug, in some unique circumstances, such as a when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent. These messages were encoded and embedded in layer 3 signaling traffic and are not human readable.
Although the company states that no encoded content of the SMS is available to anyone.
As far as phone numbers and URLs are concerned, this kind of information is collected by the agent if selected on a profile by the Network Operator. In any case, according to the company:
The metrics gathered by the IQ Agent are held in a secure temporary location on the device in a form that cannot be read without specifically designed tools and is never in human readable format.
About the gathered data, Carrier IQ has no rights to the data that collected into its Mobile Service Intelligence Platform.
Did you find the clarifications enough satisfactory? At first glance I am not able to understand how the collected data may be considered anonymous (as supposed from the first statement of Carrier IQ), if the operator may select a profile in which it can grab (and correlate) IMSI, IMEI or Phone Number together with the URLs visited by the (unaware) user. In this moment I cannot tell if, with a clause hidden between the lines of the contracts, mobile operators advise their customers that some personal information may be collected to improve the user experience. In any case the user should be at least provided with the option to choose. Some Device Manufacturers ask for user consent to perform similar operations. I am not aware of a similar approach by operators.
Mmh… The story will not finish here, indeed I guess the affair will soon spread to Mobile Carriers.
Related articles
- Breaking: First Known Detection of Carrier IQ in Italy (paulsparrows.wordpress.com)
Breaking: First Known Detection of Carrier IQ in Italy
Update December 13: Carrier IQ issued an updated statement, new concerns for an endless saga…
I am proud to post here the first known detection in Italy of the infamous Carrier IQ software!
As you will probably know, everything started on Nov. 28, on the other side of the Atlantic, when Trevor Eckhart, an Android developer posted a video on YouTube showing the hidden software Carrier IQ interacting oddly with his mobile phone activity. Eckhart subsequently alleged his keystrokes and data were being collected without his permission.
Easily Predictable, speculation and accusations have immediately begun, concerning the kind of data collected by Carrier IQ and presumably transmitted to Wireless Mobile Operators: as a matter of fact subsequent investigations have shown that the Carrier IQ software is embedded on nearly every mobile phone and operator, at least in the U.S where concerns of consumer privacy led Massachusetts congressman Rep. Edward Markey to ask the Federal Trade Commission to investigate the company over concerns of consumer privacy.
But although many believed the software was logging keystrokes and collecting sensitive data, a subsequent more reasonable analysis carried on reversing the code, has shown a different scenario: the software “only” collects anonymized metrics data, although there are hooks inside the code to events such as keystrokes, possibly suggesting the implementation of this kind of functionality for future versions. Essentially the analysis confirmed the content of a statement by the company which attempted to clarify how information was being collected:
We measure and summarize performance of the device to assist Operators in delivering better service.
While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.
Nevertheless, since the clarifications did not mitigate the fact that Carrier IQ is s a potential risk to user privacy, and users may not choose to to disable it, As a consequence a bunch of Class Actions lawsuits have been filed against the main handset manufacturers and carriers including, besides the obvious Carrier IQ, AT&T, Sprint Nextel, T-Mobile USA, HTC, Apple, Samsung, and Motorola Mobility.
Of course European regulators could not remain indifferent, and started immediately to investigate Carrier IQ. Germany’s Bavarian State Authority for Data Protection was the first to contact Apple, which publicly declared to have included Carrier IQ in earlier version of iOS, with support ceased with iOS 5 and completely removed for previous versions in future software updates. The German Example has immediately been followed not only by other regulators in the U.K., France, Ireland and Italy, but also from organizations like BEUC, the European Consumers’ Organisation that defend the users’ right to be told how their data is used.
I was wondering if Europe’s concerns were exaggerated (since so far the scandal seemed to be contained in the U.S.) until a friend of mine decided to test one of the available Carrier IQ detection tools on his Samsung Galaxy Tab, which was purchased from 3, an Italian Mobile Operator belonging to the H3G Giant.
Of course the results are shown above: the tool detected the Carrier IQ software in an inactive state. The bad thing is that, although apparently inactive, my friend told me he was not able to remove the software following the different procedures available on the web even if he did not spend so much time in its removal. So far I can only show the screenshot but he told me he will give me his device for a deep analaysis (with caution since it is his work device).
Thinking at this strange encounter, I admit I could not help but think to Samsung’s official statement concerning Carrier IQ (and reported by Engadget):
Some Samsung mobile phones do include Carrier IQ, but it’s very important to note that it’s up to the carrier to request that Samsung include that software on devices. One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ.
Since it is up to the carrier to request the software to be included on Samsung devices, I presume that 3 could have decided to install it on all the devices for the Italian Market. I tested the tool on My HTC Desire and Sensation XE (both belonging to Telecom Italia Mobile) with no result.
Francesco Pizzetti, Italy’s Protection of Personal Data Guarantor will have a lot to do… meanwhile he opened an investigation into how Carrier IQ works and is checking Italian mobile phones to verify where the software is in use.
Mobile devices are more and more becoming inseparable companions for our personal and professional life, and deadly enemies for our privacy…
Related articles
- European regulators start investigating Carrier IQ (macworld.com)
- Carrier IQ: What You Should Know (mylookout.com)
- European Regulators Start Investigating Carrier IQ (pcworld.com)
Another Certification Authority Breached (the 12th!)
This year is nearly at the end but it looks like it is really endless, at least from an Information Security Perspective. As a matter of fact this 2011 will leave an heavy and embarassing heritage to Information Security: the Certification Authority authentication model, which has been continuously under siege in this troubled year; a siege that seems endless and which has shown its ultimate expression on the alleged compromise of yet another Dutch Certification Authority: Gemnet.
Gemnet, an affiliate of KPN, has suspended certificate signing operation after an intrusion on its publicly accessible instance of phpMyAdmin (a web interface for managing SQL Database) which was, against any acceptable best practice, exposed on the Internet and not protected by password. As in case of Diginotar, another Dutch Certification Authority which declared Bankrupt few days after being compromised by the infamous Comodo Hacker, Gamnet has the Dutch government among its customers including the Ministry of Security and Justice, Bank of Dutch Municipalities and the police.
After the intrusion, the attacker claimed to have manipulated the databases, and to allegedly have been able to gain control over the system and all of the documents contained on it, although KPN, claims the documents contained on the server were all publicly available. Moreover the attacker claimed the attack was successful since he could obtain the password (braTica4) used for administrative tasks on the server. As a precaution, while further information is collected about the incident, Gemnet CSP, KPN’s certificate authority division, has also suspended access to their website.
The breach is very different, in purpose and motivations, from the one occurred to Diginotar, at the end of July, which led to the issuance of more than 500 bogus Certificates (on behalf of Google, Microsoft, and other companies). In case of Diginotar the certificates were used to intercept about 300,000 Iranians, as part of what was called “Operation Black Tulip“, a campaign aimed to eavesdrop and hijack dissidents’ emails. For the chronicles, the same author of the Diginotar hack, the Infamous Comodo Hacker, had already compromised another Certification Authority earlier this year, Comodo (which was at the origin of his nickname). In both cases, the hacks were performed for political reasons, respectively as a retaliation for the Massacre of Srebrenica (in which the Comodo Hacker claimed the Dutch UN Blue Helmets did not do enough to prevent it), and as a retaliation for Stuxnet, allegedly developed in a joint effort by Israel and US to delay Iranian Nuclear Program.
But although resounding, these are not the only examples of attacks or security incidents targeting Certification Authorities: after all, the attacks against CAs started virtually in 2010 with the infamous 21th century weapon Stuxnet, that could count among its records, the fact to be the first malware using a driver signed with a valid certificate belonging to Realtek Semiconductor Corps. A technique also used by Duqu, the so called Duqu’s son.
Since then, I counted 11 other breaches, perpetrated for different purposes: eavesdropping (as is the case of the Infamous Comodo Hacker), malware driver signatures, or “simple” compromised servers (with DDoS tools as in case of KPN).
At this point I wonder what else we could deploy to protect our identity, given that two factor authentication has been breached, CAs are under siege, and also SSL needs a substantial revision. Identity protection is getting more and more important, since our privacy is constantly under attack, but we are dangerously running out of ammunitions.
(Click below for references)
Beware Of The Red Dragon
I have dedicated several posts to NG-IPS, the next step of the evolution in network security (or better to say context security). I have pointed out that one of the main features of this kind of devices is the capability to enforce Location Based security services. Now it is time to make some practical examples indicating how Geo Protection features may be helpful and why they are needed in this troubled days.
Few days ago I had the opportunity to analyze the data collected from a network security equipment, placed at the perimeter of an important Italian customer, with IPS engine turned on and Geo Protection feature enabled. I show here a brief summary of the collected data, that span approximatively a thirty days period ranging from 1 to 27 November 2011.
As you may easily notice, collected data show Geo Protection events undoubtedly at number one with 713,117 occurences. The enforced Geo Protection Policy blocked traffic from and to several “bad countries”. Just try to Guess which country was detected by the Geo Protection Policy with the highest rate of attacks? The top attack source report contains the answer to this question, but if yoy want I can suggest you a quick hint: one of the countries which appeared in the unwelcomed list of Geo Protection Policy was just China.
The top 5 attack sources generated together nearly 150,000 events. I was not that surprised when I looked up the IP Addresses (which I did not explicitly report on the graph) and realized that all of them came from China. These addresses were blocked a priori by Geo Protection.
The tabular report is also more explicit: 9 out of 10 sources at the top for the number of attacks, came from China whilst 1 was shown to be an internal address (revealed to be a misconfigured device generating bogus events). Together the 9 top sources generated nearly 260,000 on a total of 800,000 events collected from nearly 90,000 addresses.
As far as the impacted services are concerned, traditional protocols ranked at the first positions of the chart with some strange occurrences (TCP/0 or UDP/0 that might mean malformed packets or also the attempt to exploit old attacks targeting security devices). It is worthwhile to notice the presence of the well-known TCP port 1433 (MS-SQL).
Of course the attempts to exploit Microsoft Ports and (maybe) to harvest the network were detected by the geo protection engine as shown in the following table.
While I was analysing these data I could not help but think to the recent post by Brian Kerbs suggesting that the same attack perpetrated against RSA targeted more than 760 other organizations (almost 20 percent of the current Fortune 100 companies were on the alleged list). The same post indicated that the location of 299 (on more than 300) command and control networks used in these attacks were located in China.
Besides some concern regarding the Chinese Cyber Strategy, the parallelism suggested me that Geo Protection might provide a valuable support for thwarting APTs or, more in general, for thwarting attacks phoning home to C&C Server located in “bad” countries, provided that Geo Protection Service Database is constantly updated. Unfortunately I am afraid that attackers will not take so long to learn and enforce some workarounds using (un)secure compromised C&C servers in “good” (i.e. not classified by the Geo Protection) countries. In any case Geo Protection cannot be considered the only cure, but at the end this is the reason why NG-IPS are capable to enforce different algorithms to provide a context base security model.
Related articles
- The China Cyber Attacks Syndrome (paulsparrows.wordpress.com)
About The Author
Support My Work!
Share:
News
08/13/2011 - My Post on Android Malware Mentioned on Engadget.
04/14/2011 - The Article Smart Grid: L'ultima Frontiera del Cybercrime published on ICT Security Magazine May 2011.
03/14/2011 - Security Summit 2011: Paolo Passeri guest at Round Table "Mobile Security: Rischi, Tecnologie, Mercato"
02/14/2011 - The Article Gears of Cyberwar published on ICT Security Magazine January 2011.
Visitors from…
