It is time for the summary of the second half of February, two weeks of remarkable cyber attacks against high-tech giants, massive breaches and Twitter Account Hijackings.
Probably the most resounding events of this period (maybe more for the high profile of the victims than for the actual effects) are the two attacks, allegedly originating from China, (with a common root cause, the compromising of an iPhone developer forum) carried on against Apple and Microsoft.
But not only the two high-tech giants, other illustrious victims have fallen under the blows of hacktivists and cyber criminals. The list is quite long and includes Bank of America, American Express, Casio, ZenDesk, cPanel, Central Hudson Gas & Electric Corporation, etc.).
Last but not least, the unprecedented trail of Cyber attack against Twitter Profile belonging to single individuals (see Donald Trump) or Corporations (Burger King and Jeep). Maybe it is time to change the passwords…
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
A special thanks to Kim Guldberg AKA @bufferzone for continuously advising me about significant cyber events through the Submit Form! Much Appreciated!
On the wake of similar operations carried on by Hacktivists against Law Enforcement Agencies all over the World, the Italian Cell of the infamous collective Anonymous has decided to cross the line targeting the Italian Police with a clamorous Cyber Attack under the label of #Antisec movement.
On October, the 23rd, the Hactkivists have leaked more than 3500 private documents, claiming to own an additional huge amount of sensitive information such as lawful interception schemes, private files and e-mail accounts.
The Italian Police has indirectly confirmed the attack, downplaying its effects with a scant statement (in Italian) that (easily predictable) has raised a furious reaction by the Hacktivists. According to the above mentioned statement, no server was compromised, but the leaked data were just the consequence of several “illegitimate accesses” to private emails belonging to police officers (as to say that several compromised accounts are less severe than a hacked server).
Strictly speaking, this latest attack is not a surprise since in the past months, mainly after the infamous 50 days of Lulz of the LulzSec collective, Governments and Law Enforcement Agencies all over the world have become the preferred targets for Hacktivists under the Antisec shield. From a broader perspective this trend was apparently decreasing during 2012 because of several factors: the discovery of the double identity of Sabu (an hacktivist during the day and an FBI informant during the night), the arrest of W0rmer and ItsKahuna (two members of the CabinCr3w collective who left behind them a long trail of cyber-attacks against law enforcement agencies, and, last but not least, the arrest of the members of the Team Poison Collective.
Unfortunately This cyber-attack changes the rules and brings the things back in time to Summer 2011. It looks similar to LulzSec’s Operation Chinga La Migra, targeting Arizona Border Patrol, and to another (nearly contemporary) cyber attack that allowed LulzSecBrasil (??) to leak 8 Gb of data from the Brazilian Police.
Hopefully this cyber-attack will change the rules in Italy, it has dramatically demonstrated the real risk for public institutions and the need for a greater level of security. As a consequence it cannot be absolutely underestimated.
Here it is the usual compilation for the Cyber Attacks in the first half of September, a period which has apparently confirmed the revamping of hacktivism seen in August.
Several operations such as #OpFreeAssange (in support of Julian Assange), #OpTPB2 against the arrest of The Pirate Bay Co-Founder Gottfrid Svartholm Warg, and #OpIndipendencia in Mexico have characterized the first half of September. Curiously the hacktivists have also characterized this period for a couple of controversial events: the alleged leak of 1 million of UDIDs from FBI (later proven to be fake) and the alleged attack to GoDaddy (later proven to be a network issue, that is the reason why I not even mentioned it in this timeline). Other actions motivated by hacktivists have been carried on by Pro-Syrian hackers.
From a Cyber Crime perspective, there are two events particularly interesting (even if well different): the alleged leak of Mitt Romney’s tax returns and yet another breach against a Bitcoin Exchange (Bitfloor), worthing the equivalent of 250,000 USD which forced the operator to suspend the operations.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Update 4 Sep 23:38 GMT+2: The FBI issued a tweet denying that it ever had the 12 million Apple IDs in question:
Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE—
FBI PressOffice (@FBIPressOffice) September 04, 2012
Here the complete Statement from the FBI Press Office.
Original Post: Few hours ago, the @AnonymousIRC Twitter account has announced yet another resounding cyber attack carried on in name of the #Antisec movement:
(@AnonymousIRC) September 04, 2012
In a special edition of their #FFF refrain (literally quoting the authors of the attack: “so special that’s even not on friday”), the Hacktivists claim to have obtained from FBI 12,000,000 Apple Devices UDIDs (UDID is the short form for Unique Device Identifier, the unique string of numbers that univocally identifies each iOS device), and have consequently published 1,000,001 of them in pastebin post.
In the same post they explain how they were able to obtain them:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
Did you notice the misplaced detail? Actually I could not help but notice that the UDIDs were obtained exploiting a Java vulnerability, the AtomicReferenceArray vulnerability (CVE-2012-0507). A detail is not so important in other circumstances, if it had not disclosed only few days after the controversies following the discovery of a potentially devastating 0-day for Java, and the subsequent issues deriving from the release of a vulnerable patch.
There could be no worse moment for this event to happen, and I am afraid it will contribute to add fuel to the raising concerns regarding Java security… Hard days for Java… And for the FBI
During Summer we always try to spend our free time in a more profitable manner, for instance reading gossip chronicles.
From this point of view, July 2012 has not been a particularly lucky month for Carly Rae Jepsen. On July the 7th, her website has been the target of a DDoS attack by a member of the infamous collective @TheWikiBoat. During the second half of July, she has joined the (not so) exclusive club of celebrities who had compromising pictures and video stolen from their computers and mobile devices. This is not an isolated episode since celebrities have shown an insane predilection to make (possibly) XXX photos and store them with few or no precautions at all. With the consequence that it is not so uncommon that the private material gets stolen with the purpose to blackmail the victims or simply to sell it.
Unfortunately the experience has shown that, almost always, both ideas end up in a miserable failure and the photos get usually leaked, causing fans to run to their search engines in the hunt for the private snaps.
Honestly speaking, I do not understand how it feels to take photos of oneself in compromising positions (but I am not a celebrity, at least so far). For sure, if I were a celebrity I would be aware of my level of exposition and its consequent capability to attract the unwelcome attentions of stalkers (and addicted hackers). That level of exposition, alone, justifies the need to pay more attention for private material, most of all if it contains XXX shots. But maybe celebrities have not time for complex passwords…
To let you understand how often these events occur, I browsed the chronicles of the last years compiling the following gallery. Even if most of the leaks came from the so-called hacker ring targeting more than 50 celebrities, you will find many surprising (sometimes recurring) victims, before coming to the disappointing conclusion that “the leopard does not change his spots”.
I am afraid that this chart will soon need an update.
As usual, here is the list of the main cyber attacks for April 2012. A first half of the month which has been characterized by hacktivism, although the time of the resounding attacks seems so far away. Also because, after the arrest of Sabu, the law enforcement agencies (which also were targeted during this month, most of all in UK), made two further arrests of alleged hackers affiliated to the Anonymous Collective: W0rmer, member of CabinCr3w, and two possible members of the infamous collective @TeaMp0isoN.
In any case, the most important breach of the first half of the month has nothing to deal with hacktivism, targeted the health sector and occurred to Utah Department of Health with potentially 750,000 users affected. According to the Last Ponemon Study related to the cost of a breach ($194 per record) applied to the minimum number of users affected (250,000), the monetary impact could be at least $ 55 million.
Another interesting event to mention in the observed period is also the alleged attack against a Chinese Military Contractor, and the takedown of the five most important al-Qaeda forums. On the hacktivist front, it worths to mention a new hijacked call from MI6 to FBI, but also the alleged phone bombing to the same Law Enforcement Agency. Both events were performed by TeamPoison, whose two alleged members were arrested the day after.
For the sample of attacks I tried to identify: the category of the targets, the category of the attacks, and the motivations behind them. Of course this attempt must be taken with caution since in many cases the attacks did not target a single objective. Taking into account the single objectives would have been nearly impossible and prone to errors (I am doing the timeline in my free time!), so the data reported on the charts refer to the single event (and not to all the target affected in the single event).
As usual the references are placed after the jump.
By the way, SQL Injection continues to rule (the question mark indicates attacks possibly performed by SQL Injection, where the term “possibly” indicates the lack of direct evidences…).
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @pausparrows on Twitter for the latest updates.
Last week, while browsing the 2012 Cyber Attacks Timeline, I could not help but notice the huge amount of cyber attacks that the collective @CabinCr3w did between January and February 2012 in the name of the so-called #OpPiggyBank. You will probably remember that most of those Cyber Attacks, made in combination with @ItsKahuna, were targeting Law Enforcement Agencies in support of the occupy movements. The crew was not new to such similar actions (for instance they doxed the Citigroup CEO in October 2011), in any case I was impressed by their sudden peak and by the equally sudden disappearance in the second half of February.
Few clicks on Google were enough for me to came across an article on Threatpost that I had missed a couple of days before.
On March 20 federal authorities had arrested Higinio Ochoa, AKA @Anonw0rmer, a resident of Texas accused of working for the hacking group CabinCr3w. He had been taken into custody by FBI agents and charged with unauthorized access to a protected computer in a criminal complaint dated March 15 whose Offense Description indicates an “Unauthorized Access to a protected computer” made on February 2012 in the County of Travis, District of Texas.
The rich Resumé of the @CabinCr3w, part of which is listed on the Criminal Complaint, includes 10 cyber attacks made between January and February 2012, in particular one against the Texas Police Association, on February the 1st 2012, and one against the Texas Department of Public Safety, on February, the 8th 2012. The latter, at least according to an alleged self-written memorial that W0rmer Higinio Ochoa allegedly posted on pastebin on Mar 30 2012, is maybe the one for which he was charged.
The list of the facts contained in the Criminal Complaint and how the FBI combined them to identify Higinio Ochoa and to join his real identity with the virtual identity of W0rmer, is a brilliant example of Open Source Intelligence clearly summarized in this article by ArsTechnica. Incredible to believe for a hacker, who should be supposed to clean each trace he leaves on the cyber space, is the fact that the main security concern for a mobile device, the geo-tagging feature, was one of the elements which led Investigators to Higinio Ochoa. By mining EXIF data contained in a photo on the web page left after the defacement of the Texas Department of Public Safety (showing a woman in a bikini with the sign: “PwNd by w0rmer & cabincr3w”), the Feds were able to collect the GPS data in the image, and to consequently identify it was taken with an iPhone 4 at a location in South VIC, Australia. By browsing the (inevitable) Ochoa’s Facebook Profile, the agents also learned that a girlfriend of him, Kylie Gardner, had graduated from a high school in Australia, the same country in which the first photo was shot.
Inevitably, this event has (too) many points in common with the affaire of Sabu, the alleged leader of the infamous LulzSec Collective, arrested by the Feds approximately a month before.
Both crews, LulzSec and CabinCr3w, targeted Law Enforcement Agencies, both crews met the same destiny: hit in the heart (or better to say in the head) by those same Law Enforcements they mocked so deeply during their days of lulz.
But the points in common do not end here… Sabu was discovered to act as an informant of FBI, and the above quoted pastebin suggests that W0rmer did the same prior of his arrest.
Were you ever approached to be a confidential informant? Of course I was! Some body such as myself who not only participated in the occupy movement but knew many and knew the inner workings of the “infamous” cabin crew would not be just put away without wondering if he could be turned. I did how ever tell FBI that I would participate in the capture of my fellow crew mates
Even if it is not clear if his cooperation was really genuine. As a matter of fact in the following sentence, he refers to his role as an informant as a “play” which created confusion on FBI:
a play which undoubtfully both satisfied and confused the FBI
Maybe this is the reason why the Twitter account of the CabinCr3w on April 3, tweeted:
(Curiously it looks like at 00:04 (UTC +1) this tweet has just disappeared)
In any case the court documents indicate that Ochoa first appeared in federal court for the Southern District of Texas on March 21, subsequently released on bail and forbidden to use a computer or smart phone, hence it is possible that the post on pastebin, which is dated March 31st, has not been written directly from his hand.
Last but not least there is a strange coincidence: W0rmer had a twitter account with the nick @AnonW0rmer who ceased to tweet on March, the 20th (@ItsKahuna ceased to tweet on March, the 23rd while @CabinCr3w is the only still active). Guess what is the name associated with the @AnonW0rmer account? FBI HaZ A File on ME. A dark omen or a dissimulation?
Hacktivists and Information Security Professionals could not believe their eyes while reading the breaking news published by Fox News according to which the infamous Sabu, the alleged leader of the LulzSec collective, has been secretly working for the government for months and played a crucial role for the raids which today led to the arrests of three members of the infamous hacking collective with two more charged for conspiracy.
You will probably remember that the hacking collective which, in its “50 days of Lulz” become the nightmare for System Administrators and Law Enforcement Agencies all over the Globe, suddenly decided to give up, on June the 25th, in a completely unexpected way, leaving their supporters and followers completely surprised, but also leaving the heritage of a name which has become a synonym for hacktivism (also because of their pact with the Anonymous, with whom they are often associated, in the name of the #Antisec movement).
Even after the group left the scene, Sabu has continued to constantly tweet and comment the events through his “official” Twitter account @anonymouSabu, probably a fake or a diversionary tactic, since it looks like that Sabu had already been arrested by the FBI since June, the 7th, more than a couple of weeks before the breakdown of the group,
At that time, the hacking group was hunted by Law Enforcement Agencies and several Grayhats as well (among all @th3j35ter, the A-Team and Web Ninjas whose blog, lulzsecexposed.blogspot.com, unfortunately is no longer available).
Curiously, it looks like that Sabu had already been “doxed” since then. At that time many claimed to have revealed the identity of the members: there was no day without a new pastebin promising to expose new information. But if you have a look at them, they all have only one thing in common, and it is just the identity of Xavier Monsegur (or Montsegur), also known as Sabu. The truth was very close and before everybody eyes: on pastebin.
June, 28th 2011: http://pastebin.com/qmP7R49Y
The real identity of the other members is not still completely known, but for sure it is not a coincidence that no one of the pastebins was able to guess anyone else except Sabu, who hence was the first to be arrested, well before the rest of the group.