So here it is, also for this month, the first part of My Cyber Attacks Timeline covering the first half of September.
Apparently the wave of Anonymous attacks that characterized August has stopped. Even if several isolated episodes occurred, their impact was slightly lower than in the previous months.
Probably the most important security incident of this month was the DigiNotar hack, not only because the Dutch Certification Authority has been banned forever by the main browsers and OSes, but also because the whole authentication model based on CAs is under discussion. Moreover, once again a cyber attack has been used as a means of repression. This incident is a turning point for information security, but in my opinion the DNS hacks by Anonymous Sri Lanka and Turkguvenligi are also noticeable, since they reinforce the need for a quick adoption of DNSSEC.
For the first time not even the Linux operating system (an open world) was immune from hackers: both the Linux Kernel and the Linux Foundation web sites were hacked during this month, two episodes that Penguin lovers will remember for a long time.
As was easily predictable, an attack recalling 9/11, carried out against the Twitter account of NBC News, was also reported.
Other noticeable events: three huge data breaches were reported, four attacks with political motivations targeting India, Nigeria, Colombia, and the Russian Embassy in London were perpetrated, and another security vendor (Panda Security) was indirectly targeted.
The remainder of the month was characterized by many smaller attacks (mostly defacements and data leaks), and an actress (Scarlett Johansson) was also a victim of a data leak.
Useful Resources for compiling the table include:
- Cyber War News
- CNET Hackers Chart
- Naked Security
- Office Of Inadequate Security (DataBreaches.net)
- The Hacker News
Also, my inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.
The site of Kernel.org suffered a security breach which caused the server to be rooted and 448 credentials to be compromised. Although it is believed that the initial infection started on August 12th, it was not detected for another 12 days.
|Sep 1||Apple, Symantec, Facebook, Microsoft, etc.
The Sri Lankan branch of Anonymous claims to have hacked into the DNS servers of Symantec, Apple, Facebook, Microsoft, and several other large organizations over the past few days, posting the news and records of its exploits on Pastebin.
|DNS Cache Snoop Poisoning|
||Birdville Independent School District
Two students hacked into their school district’s server and accessed a file with 14,500 student names, ID numbers, and social security numbers. The estimated cost of the breach is around $3,000,000.
|Sep 2||Texas Police Chiefs Association
As usually happens on Fridays, the Texas Police Chiefs Association website is hacked by Anonymous as part of Operation AntiSec. The hackers deface the website and post 3GB of data in retaliation for the arrests of dozens of alleged Anonymous suspects. According to the hackers, the site had been owned for nearly one month.
|Sep 2||EA Game Battlefield Heroes
|Sep 2||vBTEAM Underground
Vbteam.info, the underground vBulletin hacking website, is hacked by “Why So Serious?“, who leaks 1400+ accounts of the Vbteam.info forum on Pastebin.
An Indian hacker named “nomcat” claims to have been able to hack into the computers of the Indian Prime Minister’s Office and install a Remote Administration Tool on them. He also exposes a vulnerability in the Income Tax website and its database information.
Popular websites including The Register, The Daily Telegraph, UPS, and others fall victim to a DNS hack that has resulted in visitors being redirected to third-party webpages. The authors of the hack, a Turkish group called Turkguvenligi, are not new to similar actions and leave a message declaring this day as World Hackers’ Day.
|Sep 5||Mobile App Network Forum
One of the sub-domains of the European Union (Institute for Energy) is hacked and defaced by Inj3ct0r. The hackers deface the web page, release some internal details and leave a message against the violence in Libya and Russian influence in Ukraine.
|Sep 5||Cocain Team Hackers||United Nations Sub Domain of Swaziland
United Nations Sub-Domain of Swaziland is hacked and defaced by Cocain Team Hackers.
|Sep 5||Uronimo Mobile Platform
The Uronimo Mobile platform is hacked by Team Inj3ct0r. They leak the web site database and release on Pastebin internal data including usernames, hashed passwords, emails and phone numbers of 1000 users. The estimated cost of the breach is $214,000.
|Sep 6||Comodo Hacker
The real extent of the DigiNotar breach becomes clear: 531 bogus certificates issued, including ones for Google, the CIA, Mossad and Tor. Meanwhile, in a Pastebin message, Comodo Hacker states he owns four more CAs, among which GlobalSign, which as a precaution suspends issuance of certificates.
||Beaumont Independent School District
The superintendent of schools for Beaumont Independent School District announces that letters are being mailed to the parents of nearly 15,000 of its 19,848 students to inform them of a potential breach of data that occurred recently. Private information (including the name, date of birth, gender, social security number, grade and scores on the Texas Assessment of Knowledge and Skills (TAKS) exam) of students who were in the third through 11th grades during the 2009-2010 school year was inadvertently and potentially exposed. The estimated cost of the breach is $3,210,000.
||Stanford Hospital, Palo Alto, Calif.
A medical privacy breach leads to the public posting, on a commercial web site, of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes. The information travelled from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork, and stayed online for nearly a year. The estimated cost of the breach is $4,280,000.
|Sep 9||Comodo Hacker
After suspending the issuance of certificates, GlobalSign finds evidence of a breach of the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website.
|| Comodo Hacker
As a consequence of the infamous DigiNotar breach, Google advises its users in Iran to change their Gmail passwords and check that their Google accounts have not been compromised. Google also indicates that it is directly contacting users in Iran who may have been hit by a man-in-the-middle attack.
|Man In The Middle|
|Sep 9||NBC News
The NBC News Twitter account is hacked and starts to tweet false reports of a plane attack on Ground Zero. The account is suspended and restored after a few minutes.
|Trojan Keylogger via Email|
Data of up to 800,000 Samsung Card clients may have been compromised after an employee allegedly extracted their personal information. The breach was discovered on Aug. 25 and reported to the police on Aug. 30. It is not clear what kind of information has been leaked; possibly the first two digits of residence numbers, names, companies and mobile phone numbers were exposed. Estimated cost of the breach is $171,200.000.
||BuyVIP (Amazon Owned)
Although not officially confirmed, BuyVIP users received an e-mail informing them that the database had been hacked. Apparently, the website had been offline for a couple of days, and it seems that not only names and email addresses were retrieved, but also birth dates, real shipping addresses and phone numbers.
A few weeks after the kernel.org Linux archive site suffered a hacker attack, the Linux Foundation has pulled its websites from the web to clean up after a security breach. A notice posted by the Linux Foundation said the entire infrastructure, including LinuxFoundation.org, Linux.com, and their subdomains, is down for maintenance due to a security breach that was discovered on September 8, 2011.
Anonymous leaks the complete database of the well-known Nazi website AryansBook.com and posts the content on The Pirate Bay. This is a fight against racism of any kind.
|0-day exploit in SMF|
||Nigerian Government Website
A Nigerian Government website is hacked and defaced by Brazilian hackers, who leave a message on the main page.
A hacker gains unauthorized access to the card processing systems at Wilderness Waterpark Resort and improperly acquires information on 40,000 credit and debit cards. The estimated cost of the breach is $8,560,000.
|Sep 12||X-Nerd||Panda Security
Another security company hacked: a hacker going by the name of X-Nerd hacks and defaces the Pakistani server of a very well-known security software website, Panda Security.
||Russian UK Embassy
Just before Prime Minister David Cameron’s first visit to Moscow, the website belonging to the Embassy of the Russian Federation in London was taken down by hackers. It seems that the attack was launched as a protest against the upcoming visit, which follows a 5-year break in which no British leader went to Moscow.
Cyb3rSec dumps a list of 3500+ accounts from the forum thetvdb.com.
|Sep 14||President of Bolivia (presidencia.gob.bo)
The SwichSmoke crew hacks the site belonging to the President of Bolivia and dumps the leaked data on Pastebin.
||Bright House Networks
Bright House Networks, the sixth largest owner and operator of cable systems in the U.S., has sent a letter to customers warning that their data may have been exposed after servers used to process Video on Demand (VOD) were breached.
An actress can also be a victim of hackers: the FBI investigates reports that nude photos of a famous celebrity (allegedly Scarlett Johansson) have been leaked onto the web. The day before, Twitter was flooded with messages claiming to link to naked pictures of her, which were allegedly stolen from her iPhone by a hacker earlier this year.
More than 101 sites, holding a huge amount of data and personal information ranging from emails and phone numbers to full names and addresses, have been hacked by a hacker dubbed Stohanko. A list of the hacked sites and the links to the dumped data is available at this link.
Update May 12: TCP Split Handshake: Why Cisco ASA is not susceptible
Update May 11: The Never Ending Story
Update April 21: Other Considerations on TCP Split Handshake
A few days ago, the independent security research and testing firm NSS Labs issued a comparative report on six network security technologies. The controversial results created an understandable turmoil among the security vendors involved in the tests and, more generally, inside the infosec landscape. As a matter of fact, it turned out that five of the six tested platforms were susceptible to the TCP Split Handshake attack.
As a security professional, I am pretty much involved with at least five of the six tested technologies. Consequently, although I had never heard about the TCP Split Handshake before, I must confess I was really curious to learn which was the only platform capable of surviving the test (the answer is indirectly provided by the vendor, Checkpoint, missing from the list contained in the remediation report subsequently released). Fortunately the scientific side of me took over and, instead of making judgments and drawing conclusions about the results, I decided to learn more about the TCP Split Handshake and the reasons why a piece of security equipment may be vulnerable.
TCP Split Handshake in RFC 793
Since TCP is a connection-oriented protocol, every connection begins with a “handshake” defined in RFC 793. The handshake consists of three well-defined steps and for this reason it is called the “TCP Three Way Handshake.”
The host initiating the connection, referred to as the client, sends to its peer, referred to as the server, a synchronization packet, or SYN. In order to correctly identify the beginning (and the subsequent “state”) of the session, the SYN packet contains an Initial Sequence Number (ISN), which is a pseudo-random number.
Upon reception of the SYN packet, the server acknowledges that, and generates its own SYN. This “SYN/ACK” packet contains both the server’s Initial Sequence Number, as well as an acknowledgment number equal to the client’s Sequence Number plus 1. The fact that the server sends a single packet to initiate the connection on its side and to acknowledge the initial SYN sent from the client is known as piggy-backing and, as explained later, is the fundamental aspect in which TCP Split Handshake differs from Three Way Handshake.
At this point, in order to establish the session, the client concludes the Three Way Handshake and acknowledges the server’s SYN/ACK, sending a packet with its own ISN incremented by one, as well as its acknowledgement number equal to the server’s ISN plus 1.
As mentioned above, in the second phase of the handshake, the piggy-backing allows the server to use a single packet to send its own SYN and to acknowledge the SYN packet received from the client (ACK). However, let us assume that the server could decide to split the second phase of the handshake and send a dedicated ACK packet to acknowledge the client SYN, and a further dedicated packet with its own SYN. This is exactly what is stated at section 3.3, page 27, of RFC 793, which introduces an intriguing four-step process:
1) A --> B SYN my sequence number is X
2) A <-- B ACK your sequence number is X
3) A <-- B SYN my sequence number is Y
4) A --> B ACK your sequence number is Y
As a consequence, one might expect a perfectly RFC 793 compliant client to be capable of silently accepting packet two, explicitly ACKing packet 3, and hence completing the handshake more-or-less normally. At least in theory…
In reality, under such circumstances, the NSS tests have shown that some network security devices, with only the firewall function enabled, get confused and behave in a stateless manner. In a few words, even if the client behaves as stated in the RFC, that is, it is able to correctly establish the session even when it receives separate ACK and SYN packets from the server, the network security device, on receiving the SYN from the server (packet 3), loses awareness of the session and lets the traffic flow without enforcing any security control, as if it belonged to an uncontrolled session (in theory an unknown or out-of-state session should be blocked). This means that a malicious payload conveyed through a session initiated with a TCP Split Handshake could go through the firewall, and as a consequence an attack scenario is quite straightforward: an attacker could use a server-side malicious script to establish the session by means of a TCP Split Handshake and consequently install an executable on the client (a very fashionable event in the last days), for instance by means of an ActiveX buffer overflow in the target client browser.
The bad news is that this kind of attack is not new: a similar attack scenario was reported for the first time approximately one year ago (with different behaviours reported for clients and security devices). The strange side of the story lies in the fact that this behaviour may not be considered a real vulnerability, but rather an occurrence covered by the RFC that is not correctly implemented, or not enabled in the default configuration, by security vendors (please consider that RFC 793 also includes a further method for establishing a TCP connection, dubbed “TCP Simultaneous Open”, in which two TCP hosts simultaneously attempt to open a connection to each other via a SYN packet).
Last but not least…
For the record, as previously stated, NSS Labs released a remediation report containing the indications needed to mitigate (where necessary) the occurrence of the TCP Split Handshake for the affected technologies. Moreover, two vendors (Cisco and Fortinet) added some indications, as reported in the following:
- According to an official blog post, Cisco was not able to reproduce the issue that occurred in the NSS Labs test and is further investigating the TCP Split Handshake attack on its devices.
- According to an official response in a blog post, Fortinet is not susceptible to TCP Split Handshake attack if IPS and Antivirus protections are enabled. A special IPS signature has been developed and a firmware update is scheduled for May in order to block TCP Split Handshake attack with only firewall enabled:
- For Juniper devices the line “set security flow tcp-session strict-syn-check” must be inserted into configuration (this option affects all the traffic, so it must be set with caution);
- Palo Alto is working to release an official fix between mid-April and early May;
- For Sonicwall devices, the option “Enforce Strict TCP Compliance” must be enabled (also in this case this option affects all the traffic and must be set with caution).
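As an added example (not code from the original post, and not any vendor's implementation), the following Python tells the RFC 793 three-way handshake, the split handshake of section 3.3 and a simultaneous open apart in a packet trace, and then shows what the "strict SYN" style of mitigation listed above does to each of them; the Pkt type, the A/B hosts and the ISNs 100/500 are constructed here, and the strict tracker is my own assumed model of such an option, not the vendors' logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str    # "A" is the client, "B" the server in the traces below
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    seq: int
    ack: int = 0

def classify_handshake(pkts):
    """'three-way', 'split', 'simultaneous-open' or 'incomplete'; pkts[0] is the client SYN."""
    if not pkts or pkts[0].flags != "S":
        return "incomplete"
    client, server, isn_c = pkts[0].src, pkts[0].dst, pkts[0].seq
    isn_s, s_ack, s_syn, s_synack = None, False, False, False
    for p in pkts[1:]:
        if p.src == server and p.flags == "SA" and p.ack == isn_c + 1:
            s_synack, isn_s = True, p.seq   # classic piggy-backed step 2
        elif p.src == server and p.flags == "S":
            s_syn, isn_s = True, p.seq      # bare SYN from the server
        elif p.src == server and p.flags == "A" and p.ack == isn_c + 1:
            s_ack = True                    # bare ACK of the client's SYN (split step 2)
        elif p.src == client and isn_s is not None and p.ack == isn_s + 1:
            if p.flags == "A" and s_synack:
                return "three-way"
            if p.flags == "A" and s_syn and s_ack:
                return "split"
            if p.flags == "SA" and s_syn and not s_ack:
                return "simultaneous-open"
    return "incomplete"

def strict_syn_verdicts(pkts):
    """Per-packet allow/drop from a tracker that only accepts the classic ordering: after the
    client SYN, the server may send nothing but a SYN/ACK for it (assumed model of a strict-SYN
    option; note that the crossing SYN of a simultaneous open is dropped as well)."""
    client, server, isn_c = pkts[0].src, pkts[0].dst, pkts[0].seq
    verdicts, isn_s, established = ["allow"], None, False
    for p in pkts[1:]:
        ok = established
        if not ok and p.src == server and p.flags == "SA" and p.ack == isn_c + 1:
            ok, isn_s = True, p.seq
        elif not ok and p.src == client and p.flags == "A" and isn_s is not None and p.ack == isn_s + 1:
            ok = established = True
        verdicts.append("allow" if ok else "drop")  # bare ACK / bare SYN from the server: drop
    return verdicts

# Constructed traces: A = client (ISN 100), B = server (ISN 500).
THREE_WAY = [Pkt("A", "B", "S", 100), Pkt("B", "A", "SA", 500, 101), Pkt("A", "B", "A", 101, 501)]
SPLIT = [Pkt("A", "B", "S", 100), Pkt("B", "A", "A", 0, 101), Pkt("B", "A", "S", 500), Pkt("A", "B", "A", 101, 501)]
SIMULTANEOUS = [Pkt("A", "B", "S", 100), Pkt("B", "A", "S", 500), Pkt("A", "B", "SA", 100, 501), Pkt("B", "A", "SA", 500, 101)]
```

The strict tracker never lets the split handshake reach the established state, which is the point of the mitigation, but it also interferes with the simultaneous open, which is why the post's caveat that these options affect all traffic matters.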
- Other Considerations On TCP Split Handshake (paulsparrows.wordpress.com)