This infamous 2011 is nearly gone and here it is the last post for this year concerning the 2011 Cyber Attacks Timeline. As you will soon see from an infosec perspective this month has been characterized by two main events: the LulzXmas with its terrible Stratfor hack (whose effects are still ongoing with the recent release of 860,000 accounts), and an unprecented wave of breaches in China which led to the dump of nearly 88 million of users for a theoretical cost of nearly $19 million (yes the Sony brech is close). For the rest an endless cyberwar between India and Pakistan, some hactivism and (unfortunately) the usual amounts of “minor” breaches and defacement. After the page break you find all the references.
Last but not least… This post is my very personal way to wish you a happy new infosec year.
Christmas has just gone and here it is my personal way to wish you a Happy New Year: the second part of my personal chart (first part here) of Main 2011 Cyber Attacks covering the time window from August to November 2011 (December is not yet finished, and featuring remarkable events, so expect an update very soon). This memorable year is nearly over and is time, if you feel nostalgic, to scroll down the second part of the list to review the main Cyber Events that contributed, in my opinion, to change the landscape and the rules of the (information security) game. Many events in this period among whom, IMHO, the most noticeable is the one carried on against Diginotar. Since then our trust in conventional authentication models is not (and will not be) the same anymore.
Of course this is my personal selection. Suggestions are well accepted and if you need more details about the cyber events in 2011, feel free to consult my 2011 Cyber Attacks Master Index. As usual after the page break you find all the references…
It looks like that Christmas approaching is not stopping hackers who targeted a growing number of organizations including several security firms (Kaspersky, Nod 32 and Bitdefender) even if in secondary domains and with “simple” defacements.
Cyber chronicles report of Gemnet, another Certification Authority Breached in Holland (is the 12th security incident targeting CAs in 2011) and several massive data breaches targeting Finland (the fifth this year, affecting 16,000 users), online gambling (UB.com affecting 3.5 million of users), Telco (Telstra, affecting 70,000 users), and gaming, after the well known attacks to Sony, Sega and Nintendo, with Square Enix, which suffered a huge attacks compromising 1,800,000 users (even if it looks like no personal data were affected).
Online Payment services were also targeted by Cybercrookers: a Visa East European processor has been hit by a security breach, but also four Romanian home made hackers have been arrested for a massive credit card fraud affecting 200 restaurants for a total of 80,000 customers who had their data stolen.
As usual, hacktivism was one of the main trends for this first half of the month, which started with a resounding hacking to a Web Server belonging to ACNUR (United Nations Refugees Agency) leaking more than 200 credentials including the one belonging to President Mr. Barack Obama.
But from a mere hactvism perspective, Elections in Russia have been the main trigger as they indirectly generated several cyber events: not only during the election day, in which three web sites (a watchdog and two independent news agencies) were taken down by DDoS attacks, but also in the immediately following days, when a botnet flooded Twitter with Pro Kremlin hashtags, and an independent forum was also taken down by a further DDoS attacks. A trail of events which set a very dangerous precent.
Besides the ACNUR Hack, the Anonymous were also in the spotlight (a quite common occurrence this year) with some sparse attacks targeting several governments including in particular Brazil, inside what is called #OpAmazonia.
Even if not confirmed, it looks like that Anonymous Finland might somehow be related to the above mentioned breach occurred in Finland.
Other interesting events occurred in the first two weeks of December: the 0-day vulnerability affecting Adobe products, immediately exploited by hackers to carry on tailored phishing campaigns and most of hall, a targeted attack to a contractor, Lockheed Martin, but also another occurrence of DNS Cache Poisoning targeting the Republic of Congo domains of Google, Microsoft, Samsung and others.
Last but not least, the controversial GPS Spoofing, which allegedly allowed Iran to capture a U.S. Drone, even the GPS Spoofing on its own does not completely solve the mistery of the capture.
Other victims of the month include Norwich Airport, Coca Cola, and another Law Enforcement Agency (clearusa.org), which is currently unaivalable.
As usual after the page break you find all the references.
It is time of huge dumps in Italy. Yesterday Cyberwarnews reported of 9000 accounts leaked from qualitapa.gov.it, a website linked to Italian Minister of Public Administration and Innovation. It is not the first time a similar occurrence happens in “Belpaese” (you will remember the Hot Summer with the controversial hack of CNAIPIC, The Italian Cyber Police and the subsequent hack of some contractors), for sure it is the first time such a huge number of accounts is dumped in Italy.
I would not prefer to comment, I only noticed in particular one account that looks familiar, extremely familiar and dangerously reminds the name (and the initial of the surname) of the former Minister of Justice. I hope it is only a coincidence… On the other hand if even the UN Account of The President Barack Obama is dumped, why should not it happen for the account of a former Italian Minister…
Update December 26: 2011 is nearly gone and hence, here it is One Year Of Lulz (Part II)
This month I am a little late for the December Cyber Attacks Timeline. In the meantime, I decided to collect on a single table the main Cyber Attacks for this unforgettable year.
In this post I cover the first half (more or less), ranging from January to July 2011. This period has seen the infamous RSA Breach, the huge Sony and Epsilon breaches, the rise and fall of the LulzSec Group and the beginning of the hot summer of Anonymous agsainst the Law Enforcement Agencies and Cyber Contractors. Korea was also affected by a huge breach. The total cost of all the breaches occurred inthis period (computed with Ponemon Institute’s estimates according to which the cost of a single record is around 214$) is more than 25 billion USD.
As usual after the page break you find all the references.
Yesterday I posted evidence about the presence of the infamous Carrier IQ Software in Italy. Today another episode (I presume will not be last) of what it si becoming an endless Saga. Following the forthcoming investigations of privacy regulators in the U.S. and Europe, and the last-minute speculations concerning the fact Carrier IQ technology has been used by FBI, Carrier IQ has just published a 19 pages document trying to explain in detail what the IQ agent does. After reading the document, it is clear that the affair will not stop here.
The documents analyzes what the software really does, tries to confute Trevor Eckhart’s assertions and, most of all, admits that some SMS may have been collected (even if not in human readable form), because of a software flaw.
Interesting to mention, there are three ways in which Carrier IQ’s customers (the operators, not the end users!) install the IQ Agent: pre-load, aftermarket and embedded. The pre-load and embedded versions which differ among themselves for the fact that the pre-loaded agent may not provide RF data, cannot “typically” be deleted by an end user.
In any case Network Operators and handset manufacturers determine whether and how they deploy Carrier IQ software and what metrics that software will gather and forward to the Network Operator.
Several Remarkable Points:
In typical deployments, the IQ Agent uploads diagnostic data once per day, at a time when the device is not being used. This upload, which averages about 200 kilobytes, contains a summary of network and device performance since the last upload, typically 24 hours.
The profile, written by Carrier IQ based on information requested by operators, defines which of the available metrics may to be gathered and contains the following information:
- Should information be collected in anonymous mode or with the hardware serial number and the subscriber serial number being used (e.g. IMEI & IMSI)?
- The frequency of metrics uploads and instructions on what to do if the user is roaming or not on the network
- The specific metrics from which to gather data
- Instructions for pre-processing of metrics to create summary information
Profiles may also be subsequently updated.
As far as Trevor Eckhart’s video is concerned, and his findings related to the fact that the agent logs SMS and keystrokes in clear text, Carrier IQ indicates this log log essentially as a consequence of debug enabled, which is not a common (and recommended) situation in normal usage. Moreover the only captured keystroke is a specific numeric key code entered by the user to force the IQ Agent software to start an upload.
Our privacy is safe? Not at all, few lines after the above quoted statement the company declares that:
Carrier IQ has discovered that, due to [....] bug, in some unique circumstances, such as a when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent. These messages were encoded and embedded in layer 3 signaling traffic and are not human readable.
Although the company states that no encoded content of the SMS is available to anyone.
As far as phone numbers and URLs are concerned, this kind of information is collected by the agent if selected on a profile by the Network Operator. In any case, according to the company:
The metrics gathered by the IQ Agent are held in a secure temporary location on the device in a form that cannot be read without specifically designed tools and is never in human readable format.
About the gathered data, Carrier IQ has no rights to the data that collected into its Mobile Service Intelligence Platform.
Did you find the clarifications enough satisfactory? At first glance I am not able to understand how the collected data may be considered anonymous (as supposed from the first statement of Carrier IQ), if the operator may select a profile in which it can grab (and correlate) IMSI, IMEI or Phone Number together with the URLs visited by the (unaware) user. In this moment I cannot tell if, with a clause hidden between the lines of the contracts, mobile operators advise their customers that some personal information may be collected to improve the user experience. In any case the user should be at least provided with the option to choose. Some Device Manufacturers ask for user consent to perform similar operations. I am not aware of a similar approach by operators.
Mmh… The story will not finish here, indeed I guess the affair will soon spread to Mobile Carriers.
- Breaking: First Known Detection of Carrier IQ in Italy (paulsparrows.wordpress.com)
I have dedicated several posts to NG-IPS, the next step of the evolution in network security (or better to say context security). I have pointed out that one of the main features of this kind of devices is the capability to enforce Location Based security services. Now it is time to make some practical examples indicating how Geo Protection features may be helpful and why they are needed in this troubled days.
Few days ago I had the opportunity to analyze the data collected from a network security equipment, placed at the perimeter of an important Italian customer, with IPS engine turned on and Geo Protection feature enabled. I show here a brief summary of the collected data, that span approximatively a thirty days period ranging from 1 to 27 November 2011.
As you may easily notice, collected data show Geo Protection events undoubtedly at number one with 713,117 occurences. The enforced Geo Protection Policy blocked traffic from and to several “bad countries”. Just try to Guess which country was detected by the Geo Protection Policy with the highest rate of attacks? The top attack source report contains the answer to this question, but if yoy want I can suggest you a quick hint: one of the countries which appeared in the unwelcomed list of Geo Protection Policy was just China.
The top 5 attack sources generated together nearly 150,000 events. I was not that surprised when I looked up the IP Addresses (which I did not explicitly report on the graph) and realized that all of them came from China. These addresses were blocked a priori by Geo Protection.
The tabular report is also more explicit: 9 out of 10 sources at the top for the number of attacks, came from China whilst 1 was shown to be an internal address (revealed to be a misconfigured device generating bogus events). Together the 9 top sources generated nearly 260,000 on a total of 800,000 events collected from nearly 90,000 addresses.
As far as the impacted services are concerned, traditional protocols ranked at the first positions of the chart with some strange occurrences (TCP/0 or UDP/0 that might mean malformed packets or also the attempt to exploit old attacks targeting security devices). It is worthwhile to notice the presence of the well-known TCP port 1433 (MS-SQL).
While I was analysing these data I could not help but think to the recent post by Brian Kerbs suggesting that the same attack perpetrated against RSA targeted more than 760 other organizations (almost 20 percent of the current Fortune 100 companies were on the alleged list). The same post indicated that the location of 299 (on more than 300) command and control networks used in these attacks were located in China.
Besides some concern regarding the Chinese Cyber Strategy, the parallelism suggested me that Geo Protection might provide a valuable support for thwarting APTs or, more in general, for thwarting attacks phoning home to C&C Server located in “bad” countries, provided that Geo Protection Service Database is constantly updated. Unfortunately I am afraid that attackers will not take so long to learn and enforce some workarounds using (un)secure compromised C&C servers in “good” (i.e. not classified by the Geo Protection) countries. In any case Geo Protection cannot be considered the only cure, but at the end this is the reason why NG-IPS are capable to enforce different algorithms to provide a context base security model.
- The China Cyber Attacks Syndrome (paulsparrows.wordpress.com)