About these ads

Archive

Posts Tagged ‘RSA Breach’

One Year Of Lulz (Part I)

December 15, 2011 2 comments

Update December 26: 2011 is nearly gone and hence, here it is One Year Of Lulz (Part II)

This month I am a little late for the December Cyber Attacks Timeline. In the meantime, I decided to collect on a single table the main Cyber Attacks for this unforgettable year.

In this post I cover the first half (more or less), ranging from January to July 2011. This period has seen the infamous RSA Breach, the huge Sony and Epsilon breaches, the rise and fall of the LulzSec Group and the beginning of the hot summer of Anonymous agsainst the Law Enforcement Agencies and Cyber Contractors. Korea was also affected by a huge breach. The total cost of all the breaches occurred inthis period (computed with Ponemon Institute’s estimates according to which the cost of a single record is around 214$) is more than 25 billion USD.

As usual after the page break you find all the references.

Read more…

About these ads

An E-mail Attack to Ground Zero

September 11, 2011 1 comment

Easily Predictable, the 10th 9/11 anniversary turned out to be a too tempting opportunity for unscrupulous hackers and cyber pranksters. Probably the NBC News Twitter account (and its 130,000 followers) will remember this anniversary eve for a long time after, late on Friday September the 9th, the Twitter account started to tweet false reports of a plane attack on ground zero.

Original Image by Naked Security

Although there were some misplaced details on the tweets, few minutes later the Company Chief Digital Officer, admitted the account was hacked, asking their followers not to retweet the bogus tweets:

The account was suspended and restored after few minutes, and you will probably remember that the misplaced detail, that is The Script Kiddies who claimed to have hacked the account, are not new to such similar actions since they already hacked the FOX News political account on July, the 4th 2011, announcing a bogus report on Mr. Obama death.

This is not a coincidence, probably the hacker(s), a splinter cell of Anonymous and LulzSec have exploited the same (human?) vulnerability. The NBC News account is tightly controlled and only three NBC News executives have the password.

One of them, Ryan Osborn, the NBC director of social media, said he was monitoring the account at the time and noticed the bogus messages within seconds, noticing that the password to NBC News’ Twitter account had been altered. He immediately contacted Twitter, which shut the account down eight minutes after the tweets appeared.

But there is a further particular: although the warning on easily predictable 9/11 scams, Osborn said he recently received a suspicious email as Hurricane Irene was approaching New York. The email came from an unknown sender with the subject “Hurricane Alert” and the message:

Ryan, You need to get off Twitter immediately and protect your family from the hurricane. That is an order.

Osborn wrote back “I’m sorry. Who is this?” and the sender then replied:

I’m the girl next door

with an attachment. Osborn said he mistakenly clicked on the attachment and it contained a Christmas tree.

Probably that click was fatal and injected a Trojan Keylogger on Osborn’s PC, which was used to steal the password.

The FBI is investigating the NBC News Twitter account hacking but one thing is clear: Twitter accounts are becoming a preferred target for this kind of hacks, they allow to reach a wide audience in few seconds with the double result to quickly (and virally) spread panic among followers and amplify the echo (and visibility) of the attack. Moreover, there is no need to perpetrate huge attacks to compromise the server infrastructure since the entry point is human and human defenses have proven to be extremely much weaker and easy to penetrate (a simple email is enough) than digital defenses.

Last but not least, this is only the latest occurrence of an attack carried on via malicious attachments which are being deployed to carry on complex multilayered attacks (as in case of RSA Breach), or simple questionable pranks (as in case of NBC News or Fox News).

I miss the good old days when the threat via e-mail could be at most spam…

An Industry Wide Attack

September 9, 2011 3 comments

9/9/2011: Globalsign admitted evidence of a breach to the web server hosting the www website:

Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.

Starting from March 2011, one might say that the authentication bastions have been crumbling one after another. In hindsight, one event in particular occurred during March 2011 has been mostly underestimated. Of course I am not referring to the RSA affair, but to the Comodo Hack, whose only blame was to happen too close in time to the RSA Breach, which ended up obfuscating its impact for the Information Security Landscape … At least until August 2011.

As a matter of fact when, immediately after the Comodo Hack, the so called Comodo Hacker published on pastebin his declaration of Cyberwar, no one considered the hypothesis that other Certification Authorities could have been equally compromised. Consequently, although the hack was classified as a serious cyberattack, driven by a political matrix and capable to establish a new (unwelcome) record, it was considered an isolated episode, mainly due to the scarce attention to application security by the targeted Comodo partner. Moreover the final target (Google) and the political reasons behind the attack deserved much more attention than the means used to perpetrate the attack itself: the first-time compromission of a Certification Authority, a completely inedited attack vector.

Nearly four months later, the Diginotar hack (again an attack with alleged political reasons behind although according to Trend Micro it targeted Iranian Internet users) has shown to the world the weaknesses of our authentication model and its chain of trust. Not only the hacker was able to forge more than 500 fake Code Sign and SSL certificates, but he also claimed to have access to other four CAs, quoting explicitly GlobalSign, and indirectly another one StartCom, which was able to avoid the hack since its CEO was sitting in front of the HSM during the attack, although the Comodo Hacker claims to own email, DB Backup and Customer data.

Trust in Diginotar Certificate Authority has been revoked from all browsers and OSes, permanently from all Mozilla Products, but not from Smartphones, with heavy consequences for the Dutch government’s PKIoverheid (PKIgovernment) program. Of course, easily predictable, the assertions from Comodo Hacker triggered panic between cert providers. On September the 6th GlobalSign decided to temporary cease issuance of all certificates as a precautionary measure and appointed Fox-IT to perform an intensive audit (Fox-IT is the same Dutch Cybsersecurity Company which performed the audit on Diginotar); on September the 7th Symantec released a statement to reassure their customers their infrastructure has been audited and it is not compromised. A similar announcement has been published by Thawte after an erroneous report from a Dutch Government agency according to which the Security firm had been breached. Unfortunately the story does not end here and although the Comodo Hacker promises further disclosures.

If I can spend few words on the question, the best way to describe it is to quote a statement from GlobalSign: “these claims (from Comodo Hacker) represent an industry wide attack”. Said in simple words: the aftermaths of the Diginotar hack will force to rethink the current authentication model and chain of trust (even because authentication technologies and vendors are increasingly tied) even if we seriously risk to run out of ammo: in this year we lost tokens and CAs… Now What Else?

Finally I Saw One!

August 26, 2011 1 comment

Update: F-Secure posted in their blog the complete description on how the patient 0 was found: And here it is the infamous “2011 recruitment plan message”.

Have a look to the fake sender: a message from beyond…

Original Post follows:

I am working hard for the August 2011 Cyber Attacks Timeline (stay tuned it is almost ready! Meanwhile you may check the previous ones) while I stumbled upon this very interesting article. Yes, I may say that finally I saw one of the Emails used for spear phishing attacks against RSA customers, using compromised seeds.

As you will probably know everything started on March 17, 2011, when RSA admitted to have been targeted by a sophisticated attack which led to certain information specifically related to RSA’s SecurID two-factor authentication products being subtracted from RSA’s systems.

Of course the sole seed and serial number of the token (the alleged information subtracted) is not enough to carry on a successful attack, so the attacker (whose possible target were presumably RSA customers) had to find a way to get the missing pieces of the puzzle, that is the username and the PIN. And which is the best way? Of course Spear Phishing!

And here the example of a fake spear phishing E-mail targeting one of the One of America’s Most Secret (and Important) Agencies and in the same Time RSA customers:

Likely the same attack vector was utilized against three Contractors (RSA Customers) which were targeted by attacks based on compromised SecurID seeds between April and May (Lockheed Martin, L-3, and Northrop Grumman). What a terrible year for Contractors and DHS related agencies!

By chance today F-Secure revealed to have discovered the patient zero, that is the mail (“2011 Recruitment Plan”) used to convey the APT inside RSA. Someone (who decided to follow the best practices for anomalous e-mails) submitted it to Virus Total, a cloud based service for scanning files, and it looks like that F-Secure antimalware analyst Timo Hirvonen discovered the e-mail message  buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files.

Original Source of Spear Phishing E-mail: http://www.cyveillanceblog.com, Kudos to @yo9fah for reporting me the link.

And The Winner Is…

July 28, 2011 1 comment

The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the security community.

The awards are given out once an year. The fifth annual ceremony will take place on Aug 3rd, 2011 in Las Vegas at the BlackHat USA security conference.

In 2011 there will be nine award categories:

  • Pwnie for Best Server-Side Bug
  • Pwnie for Best Client-Side Bug
  • Pwnie for Best Privilege Escalation Bug
  • Pwnie for Most Innovative Research
  • Pwnie for Lamest Vendor Response
  • Pwnie for Best Song
  • Pwnie for Most Epic FAIL
  • Pwnie for Lifetime Achievement
  • Pwnie for Epic Ownage

Do you remember the hacking matrix I posted several days ago, emphasizing impact and innovation as two key factors in hacking? Well, it looks like the panel of the judges did recognized the value of these two factor (together with a certain amount of shallowness in case of Sony).

(Nearly) all the events drawn in the matrix, which happened in 2011 deserved a nominee for the prize, with the exception of Epsilon Data Breach, whose likely category, Most Epic Fail, has been literally monopolized by Sony with 5 nominations.

RSA deserved a nomination as well in the category “Lamest Vendor Response”, while the category Epic Ownage has been monopolized by LulzSec. Even if LulzSec has been appointed only once for “hacking everyone”, there is also a nomination for Anonymous for “hacking HBGary Federal”, probably this is a mistake since it looks clear that HBGary Federal was hacked by the Lulz Boat as well (as also ironically stressed by the LulzSec group itself).

The other two nominations for the Epic Ownage? Bradley Manning and Wikileaks (but I would also have inserted Lady Gaga since a fake Lady Gaga CD was used to perform the leak, and… most of all Stuxnet, who ranked at the top for impact an innovation in this matrix. Stuxnet is considered the first of a new generation of Cyber-weapons even if, so far, no other malware of similar sophistication has been detected (but U.S. Department of Homeland Security fears a modified Stuxnet variant could soon attack U.S. Infrastructure).

Interesting to notice, as suggested by Network World, whoever will win the Epic Ownage prize will be, in theory, a criminal for the law, consequently Law enforcement could be seriously interested to see if anyone actually shows up to this year to accept the prize for Epic Ownage at Black Hat, since all the nominees will face possible criminal charges.

At this link a complete list of the nominations.

The Two Faces of Hacking

July 20, 2011 1 comment

My colleague Massimo Biagiotti suggested me this interesting matrix from IEEE which originally indicated some of the biggest and best stories assessed along two dimensions: innovation and impact.

Actually I cleaned it up a little bit in order to show only some of the events happened in 2011, which were inserted in the original matrix. As a reference I left some events of the previous years (inserted in the original matrix as well) in order to have a kind of normalization. They include the infamous Ufo Hacker, the Greek Cellphone Caper, and finally the Palin’s Email Hacking.

As you may easily notice, Stuxnet deserves the Top of the Rock for Innovation and Impact. The infamous malware (the terror the nuclear power plants) has divided the infosec community in different factions: those who consider the malware as the first example of next-gen cyber-weapons developed (maybe by Israel and the U.S.) to seriously damage and delay the Iranian nuclear program (whose development took at least ten years of work), or those who consider it the work of an amateur, a script kid, possibly an astronomer with knowledge of the Holy Bible. Regardless of the real origin, because of its huge exploitation of 0-day vulnerabilities (which make it really contagious) the malware has established a new level, and probably a new standard for the information security landscape.

The RSA breach ranks in a considerable position as well. As known, compromised seeds were used to attack several main contractors of U.S. Defense (L-3, at the beginning of April but disclosed at the end of May, Lockheed Martin, on May, the 22nd, and Northrop Grumman on May, the 26th). As I told in one few posts ago I am afraid that also the Mother of All Breaches, that is the breach of 24,000 files by a Contractor, happened in March but disclosed by Pentagon last week, may be somehow related to the RSA Breach. As a consequence of the latter breach, a classified US military weapons system will have to be redesigned. Because of the impact, this breach should also be included in the matrix.

Probably the effects of the Epsilon Data Breach have been underestimated, since it is likely that security concerns, in terms of phishing, for the owners of breached e-mail addresses will last for years.

Obviously the matrix could not miss the infamous Anonymous and LulzSec Hacking groups. Their actions are considered quite simple with a major impact for the Lulz Boat. The Anonymous group is perhaps unfairly considered only for DDoS, and probably the matrix was drawn before the events of the last days such as the Monsanto Hack performed by Anonymous (whose impact is quite huge and denotes a growing interest of the group towards social problems), or the Sun Hacking (at this link some technical details on the hack).

Finally a quick consideration, of course it is a coincidence, but I could not help noticing that the author of the Ufo Hack, Gary McKinnon, has been diagnosed with the Asperger’s Syndrome, a form of Autism. Curiously the same disease has been diagnosed to Ryan Cleary, the alleged LulzSec member arrested in U.K. on June, the 21st. Probably some individuals suffering of autism spectrum disorders establish with machines the links and relationships they are not able to establish with the other human beings. This explains in part why they are so able with hacking…

Again, thanks to Massimo for reporting this really interesting (and enjoying) link.

Application (In)Security in the Citi

Today some more details about the Citi breach were revealed and it looks like it is not connected with the RSA breach.

The investigation is still in place, but data collected so far show the kind of attack performed is pretty much more “traditional” then a SecureID clonation: the attackers were able to bypass the perimeter security systems by logging on the site reserved for credit card customers (but no one has explained so far how) were they were able to exploit some vulnerabilities on the Home Banking Web Site.

Probably they performed an SQL Injection or XSS attacks, (Interesting the non-technical description by NYT):

Once inside, they leapfrogged between the accounts of different Citi customers by inserting vari-ous account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.

It looks like application and database security is a curse and a bless for the infosec arena. Although not fully mature in my opinion, it is one of the most promising sectors (in which there are grand maneuvers under way by the vendors), but in the same way, application in(security) has been the indirect reasons for several events this year: Sony (in some of the suffered breaches) and Epsilon have been victims of SQL Injection, and if for a moment we forget the breaches (real leading actors of this 2011) and pass to consider malware, we must necessarily mention LizaMoon which has flooded an impressive number of databases all over the world with SQL Injection, infecting more than 1,500,000 URLs.

Unfortunately these kinds of attacks are not simple exercises in style but are often the first stage of more complex Cybercrime operations. If the stolen Data immediately usable (such as Credit Card Numbers and corresponding CVV codes), they are sold in the Black Market Bazaar. In other circumstances, when the stole information is not enough to gain immediate profit, the targets become victims of tailored spear-phishing campaigns (which could potentially last for several years) aimed to gain the missing pieces of the puzzle (read information) necessary to perform the malicious actions.

That is the reasons why, if not already done, Enterprises need to make application security a key foundation for the development of secure business application and services: educating the developers with secure development guidelines, implementing adequate countermeasures with Web Application/Database Firewall, periodically probing the security level of the infrastructure with Vulnerability Assessment and Penetration Test and, last but not least, performing a constant patching.

This corresponds to implement an application oriented modern form of the Deming Cycle, more poetically summarized by the expression “performing Application Housekeeping”.

Follow

Get every new post delivered to your Inbox.

Join 3,172 other followers