About these ads

Archive

Posts Tagged ‘Creech Air Force Base’

Exclusive Infographic: All Cyber Attacks on Military Aviation and Aerospace Industry

February 22, 2012 2 comments

Cross Posted from TheAviationist.

2011 has been an annus horribilis for information security, and aviation has not been an exception to this rule: not only in 2011 the corporate networks of several aviation and aerospace industries have been targeted by digital storms (not a surprise in the so-called hackmageddon) but, above all, last year will be probably remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because in the RQ-170 Sentinel downed in Iran episode, several doubts surround the theory according to which GPS hacking could have been the real cause of the crash landing).

But, if Information Security professionals are quite familiar with the idea that military contractors could be primary and preferred targets of the current Cyberwar, as the infographic on the left shows, realizing that malware can be used to target a drone is still considered an isolated episode, and even worse, the idea of a malware targeting, for instance, the multirole Joint Strike Fighter is still something hard to accept.

However, things are about change dramatically. And quickly.

The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communcation equipment and armament.

For instance an F-22 Raptor owns about 1.7 millions od line of codes , an F-35 Joint Strike Fighter about 5.7 millions and a Boeing 787 Dreamliner about 6.5 millions. Everything with some built in code may be exploited, therefore, with plenty of code and much current and future vulnerabilities, one may not rule out a priori that these systems will be targeted with specific tailored or generic malware for Cyberwar, Cybercrime, or even hacktivism purposes.

Unfortunately it looks like the latter hypothesis is closer to reality since too often these systems are managed by standard Windows operating systems, and as a matter of fact a generic malware has proven to be capable to infect the most important U.S. robots flying in Afghanistan, Pakistan, Libya, and Indian Ocean: Predator and Reaper Drones.

As a consequence, it should not be surprising, nor it is a coincidence, that McAfee, Sophos and Trend Micro, three leading players for Endpoint Security, consider the embedded systems as one of the main security concerns for 2012.

Making networks more secure (and personnel more educated) to prevent the leak of mission critical documents and costly project plans (as happened in at least a couple of circumstances) will not be aviation and aerospace industry’s information security challenge; the real challenge will be to embrace the security-by-design paradigm and make secure and malware-proof products ab initio.

While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks occurred since the very first hack targeting the F-35 Lightning II in 2009.

Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow @pausparrows on Twitter for the latest updates.

As usual the references are after the jump…

Read more…

About these ads

One Year Of Lulz (Part II)

December 26, 2011 1 comment

Christmas has just gone and here it is my personal way to wish you a Happy New Year: the second part of my personal chart (first part here) of Main 2011 Cyber Attacks covering the time window from August to November 2011 (December is not yet finished, and featuring remarkable events, so expect an update very soon). This memorable year is nearly over and is time, if you feel nostalgic, to scroll down the second part of the list to review the main Cyber Events that contributed, in my opinion, to change the landscape and the rules of the (information security) game. Many events in this period among whom, IMHO, the most noticeable is the one carried on against Diginotar. Since then our trust in conventional authentication models is not (and will not be) the same anymore.

Of course this is my personal selection. Suggestions are well accepted and if you need more details about the cyber events in 2011, feel free to consult my 2011 Cyber Attacks Master Index. As usual after the page break you find all the references…

Read more…

October 2011 Cyber Attacks Timeline (Part I)

October 16, 2011 2 comments

October has come and here it is, also for this month, the first part of my Cyber Attacks Timeline covering the cyber events occurred in the first half of the current month.

Three events in particular have marked this month: The German Trojan R2-D2 (that is raising many questions and concerns inside the infosec community), the keylogger hitting U.S. Drones and a new cyber attack to Sony involving this time “only” 93,000 accounts (oops! They did it again).

Except for a couple of isolated occurrences (in Austria and UK), the Cyber Attacks by Anonymous and Antisec had a break, maybe because hacktivism efforts are being focused on the #OccupyWallStreet operation that is rapidly spreading all over the World (I wonder why in here in Rome yesterday it has not been possible to have peaceful protests as happened in all the other Capitals). Besides, albeit not directly related with Anonymous, several Syrian log files were leaked showing the control of the Government on the Internet.

Other events of the month: a couple of fashion related websites were hacked, the Cyber-Guerrilla between India and Pakistan was particularly active with the cyber armies of the two nations facing themselves in the cyber space with continual mutual defacements, @SwichSmoke was also particularly active against Venezuela Government Web Sites. Other “minor” leaks were performed by @FailRoot and @ThEhAcKeR12 but one of the victims of the latter was Camber Corporation, an U.S. Contractor.

Anyway, Camber Corporation was not the only targeted Contractor, also Raytheon Corporation (a survivor of the RSA Breach) was targeted with a cloud based spear-phishing campaign, again the attack was thwarted but, in my opinion, has deserved a mention as well. Chronicles also reports of a claimed hack to Infragard (again).

Moreover the aftermaths of the RSA breach are not completely over: this month the security firm’s CEO claimed that a couple of different Cyber Crews, under the flag of an enemy nation (and the suspects were immediately directed to China), are behind the Cyber Attack in March and acted to perform it.

But a very special mention for this month (and the consequent lowly desiderable prize), is undoubtedly deserved by Mr. Oliver Letwin, Her Majesty’s Cabinet Minister, who was caught by The Daily Mirror  in the habit of dumping private correspondence and sensitive documents detailing Al-Qaeda activities and secret service operations into park bins in St James’s Park, Westminster, close to Downing Street. Security, logical and physical, may have many unpredictable implications…

From a technical point of view SQLi and defacements were the most used lethal weapons for this month, even if a massive ASP.NET based attack, targeting 300,000 web sites,  is also worth mentioning.

This Timeline was compiled with Useful Resources by:

And my inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.

Last but not least: you may find all the timelines for 2011 in my Master Index. Enjoy the list(s) and share and retweet to encourage me to keep it up2date!

Date Author Description Organization Attack
Oct 1 Neatstuffs

Filmradar.com

NeatStuffs hacks filmradar.com a movie review and information site/community and releases on Mediafire a 6mb txt file containing 95167 accounts with hashed passwords. Estimated cost of the breach is $ 20,365,738.


SQLi?
Oct 2
Venezuela National Statistics Institute

SwichSmoke crew hacks the Venezuela National Statistics Insitute during the 2011 Census.


SQLi?
Oct 2

Camber Corporation (US Contractor)

Once again a US Government contractor is target of cyber crime. This time is the turn of Camber Corporation, targeted by a small hack by @ThEhAcKeR12, which releases 3 admin accounts with encrypted passwords. and admin full name.

  ?
Oct 2

wrestlegame.co.uk

Again @ThEhAcKeR12, this time the crew dumps 1500+ accounts (in encrypted format) and a database from wrestlegame.co.uk. Estimated cost of the breach is around $321,000.

wrestlegame SQLi?
Oct 2
A student arrested few days later
Thailand Prime Minister

Thailand’s Prime Minister, Yingluck Shinawatra, had her Twitter account hacked flooding her followers with a stream of messages criticising her leadership with statements like this: The final post read: “If she can’t even protect her own Twitter account, how can she protect the country?

Account Hacking
Oct 4 Austrian Economy Chamber (WKO)

WKO confirms that its webserver was infiltrated by unidentified cyber criminals. More than 6,000 data sets of customers of the chamber were published on the internet. Although Anonymous Austria leaked the data, they stressed they had not carried out the attack on WKO themselves, but had been provided with the records by someone else, adding that the security leak was exposed by using online search engine Google. Estimated cost of the Breach is around $1,284,000.

  Vulnerability on The Target Platform
Oct 5

funniestvideosonline.com

@ThEhAcKeR12 does not stop here and dumps 3300 accounts from funniestvideosonline.com and are all encrypted passwords. Estimated cost of the Breach is around $706,200.

SQLi?
Oct 5 www.xvidonline.com

@FailRoot hacks and leaks  several accounts from www.xvidonline.com putting the websits offline.

xvidonline.com SQLi?
Oct 5 Optik Fiber Gmail (Claimed)

Optik Fiber releases several gmail accounts claimed to have been hacked via a known security flaw in gmail. It is not sure if this is real or not but it is meaningful as well of the global level of (in)security, real or psychological.

Known Security Flaw in Gmail (N/A)
Oct 5 ? Fashion TV India

Unknown hackers hacks Fashion TV India with the injection tool havij and obtain a list of accounts dumping usernames and passwords in clear text.

SQLi via havij
Oct 6
Syrian Internet Log Files

Internet activists from Telecomix release 54 GB of log files allegedly created by Syrian internet censors between 22 July and 5 August 2011. The data were found on a third party server.

?
Oct 7

unijobs.com.au

An Australian University website that lists jobs is hacked by @BlackHatGhosts and has data dumped, included user logins and passwords.

SQLi?
Oct 7 Several Hackers

Department of Public Enterprises South Africa

Department of Public Enterprises, south Africa is hacked and had its database dumped

SQLi
Oct 7 Same authors above

Ministry of Culture and Tourism, Republic of Indonesia

Another day, another government website hacked, (and its data leaked).

Indonesia SQLi
Oct 7  ? University Of Georgia

The University of Georgia discovers a data file on a publicly available Web server that contained sensitive personnel information on 18,931 members of the faculty and staff employed at the institution in 2002. The file included the social security number, name, date of birth, date of employment, sex, race, home phone number and home address of individuals employed at UGA in 2002. Estimatec Cost of the Breach is around $4,051,234.


Internal Accidental Error
Oct 8 ?
U.S. Military Drones

Wired reports that a computer virus has infected Predator drones and Reaper drones, logging pilots’ keystroke during their fly missions over Afghanistan and other warzones. The virus was detected nearly two weeks ago at the Ground Control System (GCS) at Creech Air Force Base in Nevada and has not prevented drones from flying their missions, showing an unexpected strength so that multiple efforts were necessary to remove it from Creech’s computers.


USB Stick?
Oct 8 German law Author. and Customs Dep.
German Citizens

A very strange (un)lawful Cyber Attack, against German Citizens. Chaos Computer Club discloses a “state malware”: a backdoor Trojan horse capable of spying on online activity and recording Skype internet calls. They declare the malware is used by the German police force. The malware was allegedly installed onto the computer as it passed through customs control at Munich Airport.

Germany Flag
Troian Horse
Oct 9 Turkish Energy Team
Several Government Websites

Turkish Energy Team performs (and keeps on to perform) a massive defacement against several governments websites (in certain cases some sub domains). The list (in continuous growth) is published on Zone-H.

Defacement
Oct 9 MCA-CRB
Other Government Websites

Different Crew, same result: a massive defacement against several governments websites. Also in this case the list (in continuous growth) is published on Zone-H.

Defaced Domains 2 Defacement
Oct 9
justonehost.com

Another Web site hosting company defaced: this time it is the turn of justonehost.com that is hacked by @FailRoot, that also dumps its Database online. The leak contains all users informations, emails, paypals and much more is 11.86mb and has been uploaded to megaupload.


Defacement SQLi
Oct 10
 

Congress of the State of Chihuahua

Another government website hit and leaked by @FailRoot: Congress of the state of Chihuahua Mexico. The leak contains administration usernames and (easy guessable) passwords.

Congreso del Estado de Chihuahua SQLi?
Oct 10 Q!sR QaTaR

Turkish Government Websites

A cybercriminal from Quatar defaces a large number of websites belonging to the Ankara government, leaving them non-operational.

Margent
Oct 10

40 Zimbabwe Government Websites

A crew called ISCN hacks and defaces 40 Zimbabwe government based websites leaving a polical message.

Zimbabwe Defacement
Oct 10
UKGraffiti.com

UKGraffiti is hacked by Anonymous_DR (Anonymous Dominicana) who also dumps usernames, emails and encrypted passwords.


SQLi?
Oct 11 ?
RSA

RSA reveals that it believes two groups, working on behalf of a single nation state, hacked into its servers during the infamous Breach of March and stole information related to the company’s SecurID two-factor authentication products used to attack some defense contractors. Although people are likely to assume that China might have been involved in the attack, they did not reveal the name of the nation involved.

RSA
APT
Oct 11 ?
Sony (Playstation Network, Sony Entertainment Network and Sony Online Entertainment)

Back tho the future! Sony under cyber attack… Again! The Company reports of unauthorized attempts to verify valid user accounts on Playstation Network, Sony Entertainment Network and Sony Online Entertainment. A total of 93,000 accounts have been affected (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000). In these cases the attempts succeeded in verifying valid sign-in IDs and passwords, so the accounts were temporalily locked.


SQLi?
Oct 11 ?
blueHOMES.com

Unknown Hackers hack the European property Dealers website blueHOMES.com . About 500,000 Users data claim to be hacked including database with customer passwords in plaintext, full addresses, skype account, and mailboxes of bluehomes. Specified data leaked on pastebin with sample data of some users.


SQLi
Oct 11 ?
Find2Trade.com

Another website hit by Havij. This time is the turn of Find2Trade, an internet portal whose goal is to help small and medium enterprises to reach much higher profits while reducing costs. UserID, email and passwords, which are encrypted, were leaked.


Havij
Oct 12 ?
Raytheon

The U.S. Defense Contractor reveals that it was the victim of a cloud-based attack for the first time, with the incident occurring one week before. Nothing new but the fact that this was the first cloud based attack. The firm usually blocks 1.2 billion attacks a day in addition to four million spam emails each day.


N/A
Oct 12 ? WineHQ

Another Linux Project hacked! Jeremy White, Codeweavers Founder announces that access to the WineHQ database has been compromised. It looks like attackers have used phpMyAdmin to access the WineHQ project’s database and harvest users’ appdb and bugzilla access credentials.

WineHQ SQLi
Oct 13 ?
300,000 Websites

Google reveals another mass infection which affected hundreds of thousands of sites that relied on ASP or ASP.NET: A malicious script got injected into several locations targeting English, German, French and other language speakers surfers.

Asp.Net ASP Vulnerability
Oct 13 ?
Genentech

The biotechnology company suffered a data breach on August, 17 which may have resulted in the theft of information belonging to 3,500 of the million patients who utilize the company’s support programs. Estimated Cost of The Breach is around $750,000

Unlegitimate Access
Oct 14 ?
Chili’s Grill & Bar Restaurant

Ok a Chili Breach is not a big deal, except the fact that the computer server Hackers broke into, is placed at Yokosuka Naval Base. According to Navy officials, hackers stole credit card information and run up erroneous charges.

Credit Card Thieft
Oct 14 ?
Fedora Project

This is not a direct cyber attack but a consequence of the hacks to Linux projects (Kernel.org and Linux). ThreatPost reveals that Fedora Project contacted users to change their password and SSH public key before November 30 to avoid having their accounts marked as inactive.

Fedora Logo N/A
Oct 14
Barinas State, Venezuela

Another dump of sites from @SwichSmoke coming from the state “Barinas” and the government for that state. The release note, in Spanish states that the original password is 123456, fairly lame for a government website.

Barinas SQLi
Oct 14 Vicky Singh
Pakistan Embassy in China

Another episode of the Cyberware between Pakistan and Indian Crew: Vicky Singh defaces the Pakistan Embassy in China.

?
Oct 14 Team Dexter
Contrexx.com

An European Content Management System provider is hacked and has a dump of administration details leaked online.

  N/A
Oct 14 Oct 15 Several Authors
Club Music CPPS

Club Music CPPS is hacked: the leak contains account emails, usernames and decrypted passwords. Note: on Oct 16 the site is still defaced :(

SQLi Defacement
Oct 14
Venezuela National Graduate Advisory Council

Another cyber attack by @SwichSmoke, this time they leak the Venezuela National Graduate Advisory Council and release the leaked data on pastebin.

SQLi
Oct 14 ?
Infragard Atlanta (claimed)

It seems that Infragrad has been hacked again and had a dump of accounts leaked and decrypted even if there is no source or reason or even proof that this is 100% real in anyway. Anyway it still shows that Infragard is still in the eyes of some people. The alleged leak contains emails, usernames, encrypted passwords and the decryption of the password as well.

Infragard N/A
Oct 14 ?
NSEC (Netaji Subhash Engineering College)

The Netaji Subhash Engineering College NSEC is hacked and has a fair amount of member accounts dumped on pastebin. This comes from an unknown source and unknown reasons. The leak contains full user information, emails and passwords in clear text.

SQLi
Oct 14

Chinese Government

Barbaros-DZ hacks over 1,700 sites belonging to the Chinese Government defacing them and leaving a message against the Goverment itself. THe list of the sites is available on Zone-H.

 Defacement
Oct 14

UK Government

Special mention this month for Her Mayesty’s Cabinet Minister Oliver Letwin, who has got himself into hot water, after The Daily Mirror reported him in the habit of dumping private correspondence and sensitive documents detailing Al-Qaeda activities and secret service operations into park bins in St James’s Park, Westminster, close to Downing Street. The documents contained the personal details of the minister’s constituents, including names, phone numbers, email contacts and postal addresses.

UK Flag Defacement
Oct 15 SA3D HaCk3D
16,000+ websites

SA3D HaCk3D shows on Zone-H the results of his work of the past years: a total of 16,000+ websites defaced.

SA3D HaCk3D Defacement
Oct 15 p0xy
iCPPS

For an alleged personal revenge, a hacker called p0xy leaks usernames, emails and hashed passwords from the iCPPS online platform.

icpps SQLi
Oct 15 iolaka
World Miss Photogenic

This time is the turn of a fashion/model based website, which is attacked and suffers a dump of accounts leaked containing 1000+ accounts including usernames, emails and encrypted passwords by iolaka.

SQLi
Oct 15
India Cyber Crime Investigation Cell

Another episode of the Cyber-Guerrilla between India and Pakistan: Pakistani hacker Shadow008 hacks and defaces India’s Most Important website of Cyber cell located at Mumbai.

Defacement
Categories: Cyber Attacks Timeline, Cyberwar, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Oops, My Drone Was Infected!

October 8, 2011 3 comments
UAV Operators at Joint Base Balad (LSA Anacond...

Image via Wikipedia

Do you remember the intrepid Jeff Goldbum injecting malicious code on the Alien mothership during one of the most famous scenes of  Independence Day? Easy, no alien invasion is happening, simply a similar event occurred for US drones which were targeted with a common Key-Logger “civil” malware.

Of course no foreign country plugged any malicious ship to US facilities, indeed what has really happened was much more simple and common, an hard-drive which accidentally infected the Ground Control System at Creech Air Force Base in Nevada.

This does not sound surprising to me since I wrote several posts about the growing use of Consumer Technologies for military purposes (but I should have included consumer anti-malware software as well), moreover I also predicted specific malware targeting military planes. Although this is not exactly what happened, there are several points in common with my prediction, essentially the fact that consumer technologies (as simple PCs are) open security doors inside sophisticated military weapons.

So, at this point it should not be surprising, as Wired reports, that a computer virus has infected Predator drones and Reaper drones, logging pilots’ keystroke during their fly missions over Afghanistan and other warzones.

The virus was detected nearly two weeks ago at the Ground Control System (GCS) at Creech Air Force Base in Nevada and has not prevented drones from flying their missions. Nevertheless it has shown an unexpected strength so that multiple efforts were necessary to remove it from Creech’s computers, network security, Wired reposts.

Although Fox News quotes a senior Air Force source according to whom, Wired’s story is “blown out of proportion” and “vastly overwritten.”, this event points out the risks associated with the use of standard technologies to control sophisticated military weapons that play a central role in both its conventional and shadow wars, allowing U.S. forces to attack targets and spy on its foes without risking human lives.

Although they suffer of native security holes (for instance the footage is transmitted in clear), that they are just computers, after all, and hence controlled by standard PCs, that may get virtually sick like any other civil companion.

Although the malware seemed benign, it is still not clear how it could make its way inside the systems and most of all, since it affected classified and unclassified system, if it was able to leak information and send it to a remote source. On the other hand a key-logger is able to steal whatever information is typed on the keyboard to control the drone. As the famous aviation expert David Cenciotti said:

Do you want to know what a keylogger can grab fm a Predator control station? Think to your keyboard inputs when playing w/ Flight Simulator.

Maybe the virus could have accidentally spread: the Ground Control Stations handling more exotic operations are top secret and none of the remote cockpits are supposed to be connected to the public internet, this should make them immune to viruses and other network security threats.

Unfortunately hard disks and pen drives may build bridges connecting public and classified networks, and this could have possibly have happened at the base at Creech since the Predator and Reaper drone crews use removable hard drives to load map updates and transport mission videos from one computer to another. The same hard drives could have spread the malware and, as a consequence, drone units at other Air Force bases worldwide have now been ordered to stop their use.

This is not the first time that an infection has been spread through an hard drive: in late 2008, for example, the drives helped introduce the agent.btz worm to hundreds of thousands of Defense Department computers. It looks like the Pentagon is still disinfecting machines, three years later.

Curiously the virus showed to be very resistant to digital vaccines, and after several attempts to remove it with standard procedures (following removal instructions posted on the website of the Kaspersky security firm), the only safe method to clean it was to wipe the infected hard drives and rebuild them from scratch: a time consuming operations. As to say: sophisticated military weapons and technologies suffer the same issues than civil users (how many Windows installations from scratch after a malware infection), on the other hand the drone virus was detected by the military’s Host-Based Security System, a flexible, commercial-off-the-shelf (COTS)-based application. If you look carefully at the HBSS web site you will also be able to identify the commercial security technology which lays behind the HBSS.

Is it times for drones to be natively equipped with anti malware?

Follow

Get every new post delivered to your Inbox.

Join 2,996 other followers