This awful infosec July is over, and finally we can sum up the Cyber Attacks reported during this month. I collected all the available information and inserted it inside the following chart. Where possible (that is enough information available) I tried to estimate the cost of the attacks using the indications from the Ponemon’s insitute according to which the average cost of a Data Breach is US $214 for each compromised record. The total sum (for the known attacks) is around $7.6 billion, mainly due to the “National Data Breach” of the South Korean Social Network Cyworld.
Approximately 16 attacks were directly or indirectly related to Antisec or Anonymous, they promised an hot summer and unfortunately are keeping their word…
Useful resources for compiling the (very long) chart were taken from:
- 2011 Cyber Attacks (and Cyber Costs) Timeline (Updated) (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)
- 50 Days of Hunt (paulsparrows.wordpress.com)
- LulzSec hacking: a timeline (telegraph.co.uk)
- Anonymous Denies Paternity For the CNAIPIC Hack (paulsparrows.wordpress.com)
The storm which hit the media empire of Rupert Murdoch has rapidly spread over the web. Yesterday night I was fighting against my summer insomnia, when the silence of a quiet July summer night has been broken by a storm of tweets from the LulzSec boat (immediately followed by a predictable bunch of Anonymous echoes).
I could not help typing http://www.thesun.co.uk, but when I detected this first storm of tweets and consequently went to SUN Home page, the defacement was already completed, so I missed the bogus story on Rupert Murdoch’s death, which the hacker group posted on the home page of the SUN.
But this does not mean that I was not able to taste the the hacking ability of the LulzSec boat as well: with great surprise I noticed that the front page was only apparently correct, since after few sconds I was redirected to the LulzSec Twitter account. Few after a new storm of tweets from the Lulz Boat flooded the Internet:
Not satisfied with the defacement, the Hacker Group also decided to divulge the email, password info and phone numbers for one Rebekah Wade—Brooks’ maiden name—along with many others from Murdoch’s tabloid crew.
So it looks like the #antisec wave has hit the shores of the Murdoch Media Empire under the new declination of #MurdochMeltdownMonday. This is probably due both to the huge echo raised by the phone hacking scandal involving News Of The World, another piece of the Murdoch Empire, but another possible reason may rely on the critical and ironical position held by Murodoch’s tabloids against the hacking group: see for instance the article describing Ryan Cleary’s arrest from The Sun perspective.
Probably the group did not like the excessive use of terms such as geek or nerdy teenager, and hence decided to have a memorable revenge…
It looks like that the Perfidious Albion is not what one should exactly define a Paradise for Mobile Security. Not only the echoes of the Scandal concerning “voicemail hacking” led the infamous tabloid News Of the World to close on Sunday, the 10th of July 2011, and Rebekah Brooks to resign as CEO of News International today; but also the flow of events has unexpectedly brought mobile security issues to the attention of a wider audience, no more confined to the sole and exclusive attention of information security professionals.
This is partially due to the relative easiness in implementing similar hacking techniques in mobile communications, which is raising doubts and misgivings in many other countries. As a matter of fact, as actually happened, voicemail hacking is relatively easy to implement and is based, as usual, on two factors:
- From the user perspective, on the poor attention for default (in)security settings;
- From the operator perspective, on the necessary trade-off between security, user experience, and convenience, (almost) always favoring the latter, which turns out not to be an optimal choice from a security perspective.
A lethal mix wich may be quite easily exploited by a balanced blend made of (little) hacking and (a lot of) social engineering. At this link a really complete and interesting description very helpful to understand how relatively easy is to perform voicemail hacking with some U.K. operators (but keep in mind that procedures vary from Operator to Operator). Accorrding to the above quoted article, in theory, it is possible to elude the meshes of the security procedures of the operators, simply calling the voicemail of the victim impersonating the legitimate user, claiming to have forgotten the PIN and voila, that’s it!
Voicemail hacking does not need further components, but unfortunately is not the only issue that may happen: in theory entire conversations may be hijacked (and unfortunately it is something we are quite familiar to, here in Italy). The Security Process of a phone conversations is an end-to-end chain, inside which technology is only a component, and the human factor is the weakest link. In this context weak means leak so that often it happens that some information that should not be disclosed are delivered to media (even if irrelevant to any ongoing investigations) with devastating aftermaths for investigations themselves and for victims’ privacy.
The scenario is further complicated with the new generation of smartphones, where technology (and the ongoing process of Consumerization of Information Technology) leaves virtually no limits to the imagination of attackers: not only voicemail hacking, but also mobile malware (a threat which does not need the unintended cooperation of the Operator) capable of extracting any information from devices. The dramatic events in U.K. involved using stolen data for squalid journalistic purposes, but, since mobile devices are nowadays indispensable companions of our everyday lives, nothing prevents, in theory, to use the same or different methods to steal other kinds of information such as confidential data, banking transaction identifiers, etc… Do you really need a confirm? For instance the recent evolution of the Infamous ZiTMo mobile malware that has just landed on Android (the continuing metamorphosis of this malware is really meaningful: born on the Windows platform, it has rapidly spread on Windows CE, Symbian, and now, last but not least, Android). Since it is expected that 5.6% of iPhones/Android handsets is going to be infected in the next 12 months, there is much to worry. In this context what happened in U.K. may constitute a dangerous precedent and a dramatic source of inspiration for organized cybercrime.
Fears that similar occurrences could happen in other countries are rapidly spreading. As a consequence some countries are moving fast to prevent them.
In the U.S., in wake of U.K. Hacking, Representative Mary Bono Mack, a California Republican who chairs the House subcommittee on commerce, manufacturing and trade, is contacting handset manufacturer companies including Apple, Google, Research in Motion, and wireless companies as well, such as AT&T, Verizon Wireless and Sprint Nextel, to determine if there are any vulnerabilities in cell phones or mobile devices which can be exploited by criminals and other unscrupulous individuals. Clearly the final target is to prevent similar events from ever happening in the United States.
For the Chronicle, on June 13 Bono Mack released draft legislation which aims to tighten data security for companies victims of data breaches. Under the proposal, companies that experience a breach that exposes consumer data would have 48 hours to contact law enforcement agencies and begin assessing the potential damage.
Immediately after U.S. Attorney General Eric Holder is considering investigation into News Corp. for the same reson.
Anyway U.S. is not the only country worried about, as similar concerns are raising in Canada, and I may easily imagine that other countries will soon deal the same stuff.
A final curious notice: a further confirm that U.K. is not the paradise for mobile security came this morning when I stumbled upon this wiki which happily shows how to hack a Vodafone femto cell (just released to public) in order to, among the other things, intercept traffic, perform call frauds (place calls or send SMS on on behalf of somebody else SIM card).
The best (or the worst, it depends on the points of view) is yet to come…
- How not to get your phone hacked (blogs.journalism.co.uk)
- Hacking into U.S., U.K. phones easier than in Canada, but remain wary (canada.com)
- Lawmakers Question Cell Phone Privacy In Wake Of Hacking Scandal (techdailydose.nationaljournal.com)