It looks like that security issues for US Military contractors never end. The consulting firm Booz Allen Hamilton is only the last which has fallen under the blows of anonymous. In the name of the #AntiSec operation hackers claimed today that they compromised a server released internal data, including about 90,000 military e-mail addresses. Due to the huge amount of data leaked, the operation was called #MilitaryMeltdownMonday.
We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!). We also added the complete sqldump, compressed ~50mb, for a good measure.
The entire statement is available on pastebin, while the leaked data have been inserted into a torrent at The Pirate Bay, and are also already available on pastebin, although password are hashed (but not salted).
We also were able to access their svn, grabbing 4gb of source code. But this was deemed insignificant and a waste of valuable space, so we merely grabbed it, and wiped it from their system.
It was clear that something was in the air since a couple of days, as some tweets announced “the biggest day in #anonymous‘ history according to sabu”:
This might be an indication that the ghost of the infamous group LulzSec played a crucial role in the attack to Booz Allen Hamilton. As a matter of fact Sabu, is the alleged leader of the infamous group LulzSec, and also the alleged author of the hack to HBGary Federal, another military contractor hacked earlier this year becouse of its CEO Aaron Barr claimed to have unmasked some Anonymous members. In response to his actions, the hackers dumped 71,000 emails which revealed, among the others things, that HBGary had worked with Booz Allen Hamilton to develop a response plan for Bank of America based on what the bank feared might be an upcoming leak of its internal documents by WikiLeaks.
The Anonymous statement also paints the contractor as another player involved (together with HBGary) on a military project, dubbed Operation Metal Gear by Anonymous (for lack of an official title) designed to manipulate social media, and as a revolving door of military-related conflicts of interest, and argues that the firm has been involved in mass surveillance projects.
The company wrote on its Twitter feed that “as part of @BoozeAllen security policy, we generally do not comment on specific threats or actions taken against our systems.”
This is only the last attack to a U.S. Contractor. On July, the 9th, Anonymous attacked IRC Federal, an FBI contractor, and dumped the content of the attack on a torrent available once again at The Pirate Bay. The dumped content apparently included databases, private emails, contracts, development schematics, and internal documents for various government institutions. The attack was performed as a sequel to the first one against Infragard, another FBI affiliate, on June, the 3rd performed (what a coincidence) from LulzSec.
After HBGary Federal, between April and May 2011 three U.S. Defense contractors: L-3, Lockheed Martin and Northrop Grumman were attacked by using compromised RSA seeds, although in this case no one has been identified as the author of the attacks, and also no connection with anonymous has been found.
- Hackers claim they exposed Booz Allen Hamilton data (news.cnet.com)
- 50 Days of Hunt (paulsparrows.wordpress.com)
As already suggested, I considered the original 2011 Cyber Attacks Timeline graph by Thomson Reuters not enough complete since it did not show some important attacks occurred during this tremendous 2011. This is the reason why I decided to draw an enhanced version which shows, according to my personal opinion (and metric), the list of 2011 major cyber attacks both for size and impact. Moreover in this version I added the cost of the breaches (where possible), and the alleged kind of attack perpetrated.
All the data were taken from the bulletins or statements released by the victims, or from the tweets released by the attackers.
Costs were calculated, where possible, using the indications from the Ponemon’s insitute: the average cost of a Data Breach is US $214 for each compromised record, if the targeted company decided to respond immediately the cost is around UD $268 for each compromised record, which drops to US $ 174 if the company takes longer to react.
The Total Cost is an incredible number: nearly US $ 18 billion.
Useless to say, Sony achieves rank #1 with US $ 13.4 billion. In this unenviable chart, Epsilon gains the second place with an estimated cost for its breach, of US $ 4 billion.
The others breaches, although not comparable with the previous ones, if summed, allow to achieve the grand total.
Even if smaller in size, and apparently in importance, I decided to insert in the chart also the attack to Comodo Certificates, happened in March, the 24th. In this annus horribilis, it came immediately after the RSA affaire and it has decreed, together with the RSA breach, the fall of the modern bastions of Strong Authentication (in few days tokens and certificates have proved to be vulnerable). Moreover I consider the message of the author a memorable declaration of Cyberwar. On the trail of the RSA breach the wave of attacks towards US contractors is noteworthy as well.
Hackers focused on Media Sites (Fox, PBS, Sony, Sony BMG), with a clear message against censorship (and probably the neverending problem of copyright). Interesting the second attack to PBS made to show the poor skill of LuzSecs by Warv0x, one of their enemies. In the last part of June Videogame industry was the preferred target (also Epic suffered a breach) with different intentions: LulzSec attacked Nintendo and Bethesda (the second attack resulted in data breach for the victim), but offered to avenge Sega (the manufacturer of Dreamcast), after the disastrous breach.
Direct attacks to governments focused essentially on LOIC based DDoS, albeit some infamous breaches to related sites (as in case of Infoguard/FBI and NATO) lead to Data Breaches.
Last but not least, please notice the intense activity from LulzSec in their intense “50 days of living dangerously”, just before the sudden dissolution of the group happened on June, the 25th.
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)
- It was only a matter of time… (paulsparrows.wordpress.com)
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)
Another crucial episode in the affair of the RSA Breach. In a letter published yesterday by mean of the Executive Chairman Art Coviello, letter that will probably go into the annals of computer security, RSA has confirmed that information taken in March had been used as an element of an attempted broader attack on Lockheed Martin. This evidence was obtained, according to the company, on June the 2nd, and so far, the Lockeed Martin attack is the only one, among those (alleged) aimed to other contractors, which has been confirmed directly related to the use of compromised seeds.
Finally this letter indirectly confirms that, given the stolen information, SecureID tokens have been comprimised (but this was implicitly said in the original letters as well):
While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack
and moreover, as was quite clear from the beginning, RSA believes that certain characteristics of the original attack indicated that the perpetrator’s most likely motive was to obtain an element of security information to be used to target defense secrets and related IP. For this reason, the Company worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure.
Another interesting (and shareable) point of the letter is the fact that the unprecedented wave of cyber attacks against Epsilon, Sony, Google, PBS, and Nintendo have commanded widespread public attention. Albeit totally unrelated to the breach at RSA, this events, and this is a really important point, delineate a changing threat landscape and hence have heightened public awareness and customer concern: a landscape in which Cybercrime and Cyberwar dangerously overlap.
As a result, the Company is expanding its security remediation program including two offers for assuring SecureID users’ confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
Is this a new dawning age for two-factors authentication?
With the alleged Northrop Grumman Cyber-attack, we have experienced three attempts, unleashed in few days, to leverage the compromised RSA seeds in order to steal data from U.S. Contractors.
Albeit the above mentioned events are characterized by two evident points in common: all the targeted companies are U.S. Defense Contractors, and all of them use RSA tokens; there is a point that seems confusing, and it is the timeline with which the attacks were carried out and subsequently unleashed (we will see that the two are very different and somehow confusing).
Analyzing the timeline: the first attack unleashed was the one led against Martin Lockheed. According to the sources, remote access to internal resources was disabled late on Sunday, May, the 22nd, just immediately after the attack was detected. The first details, although the target was not immediately revealed, were given few days after, on May, the 26th.
The second cyber-attack targeted L-3 and was unleashed few days after , on May, the 31st. According to the information revealed, the event occurred at the beginning of April (more exactly on April, the 6th, that is more than a month and a half before) and described into an e-mail sent by an executive to the 5000 group’s employees belonging to the division affected. Nothing strange apparently: the late disclosure was unintended for the target company and probably a consequence of the huge echo raised after the Lockheed Martin affair which led an anonymous source to reveal details to Wired.
On June, the 2nd, an alleged third attempt to attack a U.S. Defense Contractor using compromised seeds was unleashed, this time against Northrop Grumman. According to the revealed timeline, this attack was held on May, the 26th, that is nearly in contemporary (4 days after) the event of Lockheed Martin.
So definitively although the three attacks were revealed nearly in contemporary, only two of them were (i.e. the ones towards Lockheed Martin and Northrop Grumman), while the second one, to L-3 happened a couple of weeks after the RSA Breach and almost one month and half before the others. This sounds not clear to me.
If I had been in the attackers’ shoes, I would have attacked all at once in order to prevent the spreading of the information, and definitively to avoid the possibility for the others victims to organize themselves, for instance immediately replacing the tokens as made by Raytheon immediately after the RSA Breach.
Let us suppose (as it seems clear) that the alleged theft of the seeds was only the first step of the “perfect plan” to attack the U.S. Defense contractors, let us also suppose that the attackers took some time to obtain the missing pieces of the puzzle, that is to link the tokens to users, and eventually to obtain the PINs, by mean of keylogger trojans or phishing e-mails as suggested by by Rick Moy, president of NSS Labs. Do you really think that they would have left one month and a half between one attack and the other? Honestly speaking I do not think so. Of course I can imagine that obtaining all the PINs or user to token mappings at once was simply impossible, for reasons of time because it is impossible that all the victims to a specific targeted phishing campaign could reply simultaneously, but also because a massive “vertical” campaign of phishing targeting all the U.S. Contractors (and aimed to obtain information about RSA tokens) would have probably raised too much attention, so that I do not exclude that the necessary information to perform the attack had to be obtained with “evasion” techniques.
Nevertheless, provided the above depicted scenario is real, even if it is unlikely the attackers could attack all the target simultaneously, one month and half between one wave and the other seems actually too much: I doubt they already knew that the information concerning the first alleged attack to L-3 would have been revealed only many days after, of course it is easy to predict that L-3 and the eventual other victims would not have been happy to do it immediately after; but if they really had the perfect plan, relying on a similar occurrence would have been a huge hazard capable to put at risk the entire operation.
I seriously fear the truth is different. Of course this is a mere personal speculation, but I am more and more considering the hypothesis that a first wave of attacks was really held at the beginning of April (more or less in contemporary with L-3), that is after a short interval the original breach, short enough to catch the most part of the victims unprepared, most of all in case of very big companies. The consequence could be that many others attacks have not been revealed or simply were not detected at all, since, as I said a couple of days ago:
I wonder if military contractors are really the only targets or if they have been the only ones capable to detect the attempts because of their strict security protocols and policies.
How to explain the alleged second wave of May? It might be that the attackers have tried once, since the result was successful (it is not clear if they were able to steal sensitive data, but for sure the information was not immediately revealed) so they decided to try a second and a third chance (and who knows how many others). Otherwise, it might be that after the first wave they decided to sell the seeds on the black market (probably at a lower price since at that point the seeds would have been considered a good of second choice), and this could explain the late attack to Lockheed Martin and Northrop Grumman (and who knows who else). In this case I am afraid we will see many other attacks, unless other potential targets (that so far refused to comment the events) will not decide to follow the example of Raytheon and replace the tokens.
Hard Times to come for U.S. Defense Contractors: it looks like each new day reveals information of a new cyber-attack to military technology companies using (alleged) compromised SecureID seeds.
This time Fox News reports that Northrop Grumman, another Defense Contractor has been the victims of a Cyber Attack, on On May 26, when the company shut down remote access to its network without warning, catching even senior managers by surprise and leading to speculation that a similar breach had occurred.
Even if there is no evidence so far that the cyber attack could be the consequence of the RSA Breach on March, there are at least two strange coincidences: the fact that this is the third attack to a U.S. Defense Contractor unleashed in less than a week (after Lockheed Martin and L-3), and the fact that Northrop Grumman is an RSA SecureID customer.
If the attack should be confirmed to have been carryed out by mean of compromised seeds, this would undoubtely confirm the RSA Breach was only the first stage of a (vertical) cyber-operation targeted to steal U.S. Military secretes (at this point I would not be surprised if other institutions belonging to different verticals are already under attack without realizing it).
Probably, as David Cenciotti said in a post of ysterday, it is time to rethink Strong Authentication: “something you know and something you have” is revealing to be a too weak paradigm if compared with the strenghts of Ciberweapons (because we are talking of Cyberweapons) who have shown to be capable to subtract any kind of data, sometimes leveraging users’ naivety with old-school techniques).
Morevoer also the users should be educated to face the new shape of cyberwar phishing if it is true, as it supposed to have happened in case of Lockheed Martin, that phishing techniques were used to map users to their token.
I just finished reading this interesting article that seems to offer a different view for the attack at Lockheed Martin (actually, a lone voice which does not consider the attack related to compromised seeds), that here it is another bolt from the Blue. As a matter of fact Wired reports that a second Defense Contractor, L-3, has been targeted with penetration attacks leveraging information stolen from the infamous RSA Breach. This information was contained into an E-mail, dated April 6, sent to the 5000 group’s employees. t’s not clear from the e-mail whether the hackers were successful in their attack, or how L-3 determined SecurID was involved.
Protecting our network is a top priority and we have a robust set of protocols in place to ensure sensitive information is safeguarded. We have gotten to the bottom of the issue.
Is the only comment of the company.
This revelation occurs few days after the explosive news pertaining the attack led with similar methods to another Defense Contractor, Lockeed Martin.
Maybe all the defense contractors should have followed the wise example of Raytheon (another Defense Contractor) which declared to have taken immediate companywide actions in March when incident information was initially provided to RSA customers, to prevent a widespread disruption of their network.
If confirmed, this event is a further corroboration of the fact the real target of the Hackers was not RSA but their customers, event if at this point I wonder if military contractors are the only targets or if they have been the only ones capable to detect the attempts because of their strict security protocols and policies.
- Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks (wired.com)
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- Some Random Thoughts On RSA Breach (paulsparrows.wordpress.com)
One of the most surprising things I noticed concerning the Lockheed Martin Affair, was the affirmation contained in the Reuters Article, made by Rick Moy, president of NSS Labs, indicating that the initial RSA attack was followed by malware and phishing campaigns seeking specific data to link tokens to end-users (an indirect evidence of the same authors behind the infamous RSA breach and the Lockheed Martin attack.
My initial surprise only lasted few seconds, since, this year is showing us a brand new role for the phishing attacks which are more and more targeted to steal corporate sensitive data, and constitute the first level of attack for Advanced Persistent Threats.
At first sight could be quite difficult to believe that users are still tricked by old-school phishing techniques, but a deeper analysis could show in my opinion, a possible (in part psychological) explanation relying on the fact that the users themselves are still used to think to phishing as something targeted to steal personal information (often with pages crafted with gross errors), and seems to be unprepared to face the new shape of phishing which targets corporate information with cybercrime purposes and industrial methods, which definitively means to perpetrate the attack with plausible and convincing methods, and most of all leveraging arguments the user hardly doubts about (I could doubt of an E-mail from my bank asking me to provide my account and credit card number, maybe, most of all in case I am not an infosec professional, I could feel more comfortable in providing my username to a (fake) provisioning portal of my Company).
But my information security beliefs are falling one after the other, and after reading this really interesting article by Adrienne Porter Felt and David Wagner of the University of California (the marvelous LaTeX layout!) I can only confirm that mobile devices will be next frontier of phishing.
According to this paper the risk of a success of a phishing attack on mobile devices is dramatically greater than traditional devices due to some intrinsic factors such as the smaller size of the screen, the fact that many applications embed or redirect to web pages (and vice versa some or web pages redirect to applications), the fact that mobile browsers hide the address bar, and most of all the absence of application identity indicators (read the article and discover how easily a fake native application can resemble completely a browser page) which makes very difficult to discover if a certain operation is calling a fake application on the device or it is redirecting the user to a fake application resembling a legitimate login form.
Moreover, the intrinsic factors are worsened by (as usual) the user’s behavior: as a matter of fact (but this is not a peculiarity of mobile devices), users often ignore security indicators, do not check application permissions and are more and more used to legitimate applications continuously asking for passwords with embedded login forms and. Last but not least I would add the fact that they are not still used to think to mobile applications as targets of phishing (Zitmo Docet).
Guess what are the ideal candidates for Mobile Phishing attacks? Easy to say! Facebook and Twitter since they are the most common linked applications used by developers to share their creations (the power of free viral marketing!).
Given the speed with which these devices are spreading in the enterprise (see for instance this GigaOM infographic), there is much to worry about in the near future. An interesting solution could be the operating system to support a trusted password entry mechanism. Will SpoofKiller-like trusted login mechanisms be our salvation as the authors of the paper hope?
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- Mobile Phones Are Great for Phishers, Researchers Find (pcworld.com)
Probably it was a quite easy prediction, however it looks like what I suggested on my random thoughts on the RSA Breach has definitively come true: RSA was not the target, probably its customers were.
On this front, the last two days were quite turbulent, and what seemed initially a simple speculation of an attack using compromised SecureID seeds targeted to “a very large U. S. defense contractor”, is revealing to be one of several attacks towards military contractors of U.S. Defense, using the data stolen during the famous breach of March.
According to a source with direct knowledge of the attacks, quoted in the above linked Reuters article:
The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.
In any case EMC, the parent company of RSA, and the other main U.S. defense contractors possibly involved refused to comment.
I was not surprised by these details, more than one month ago I delineated a possible attack scenario which seems to be very close to what happened, at least for Lockheed Martin. Since the token on its own it is not enough to carry on a successful attack (it must be linked to the owner and very often the real password is also combined with a PIN), other combined actions must be performed to obtain the missing pieces of the puzzle.
I suggested a possible scenario of exploiting the weakness of software tokens, for instance by mean of specific keylogger malware to grab user details and the PIN. It is not exactly what happened in case of Lockheed Martin, but the real attack scenario is quite close since a keylogger was involved as well and used to access the intranet and consequently to get access to the internal network: as a matter of fact, for security reasons many companies use a double layer of authentication for remote access and internal resources. In this case the company forced 100.000 users to reset their passwords.
In reality, as stated by Rick Moy, president of NSS Labs, the initial RSA attack was followed by malware and phishing campaigns seeking specific data that would link tokens to end-users, suggesting that the current attacks may have been carried out by the same hackers. And the game is not over.
Unfortunately the use of phishing to lure the users (and to attack an organization for cybercrime purposes) is not surprising as well. Nowadays this technique, to initially target the users with phishing, leading them to download malware, is the “main engine” of APTs (Advanced Persistent Threats) and it is revealing to be the common denominator of the main breaches and huge scale attacks of this annus horribilis for Information Security. The fact that in this circumstance it was used in combination with the duplicated key of SecureID is only the last unedited variant, and I am afraid it will not be the last.
Fortunately, in any serious situation there is always a flash of humor: according to this article of NYT, the intruders had been detected as they were trying to transfer data by security software provided by NetWitness Corporation, a company that provides network monitoring software. Does NetWitness Corporation sound familiar to you? Of course It does indeed! In April, just after the breach, NetWitness was acquired by RSA’s parent company, EMC.
As Morpheus stated: “Fate, it seems, is not without a sense of irony”, and this is worthwhile for Information Security as well.