Cross Posted from TheAviationist.
2011 has been an annus horribilis for information security, and aviation has not been an exception to this rule: not only in 2011 the corporate networks of several aviation and aerospace industries have been targeted by digital storms (not a surprise in the so-called hackmageddon) but, above all, last year will be probably remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because in the RQ-170 Sentinel downed in Iran episode, several doubts surround the theory according to which GPS hacking could have been the real cause of the crash landing).
But, if Information Security professionals are quite familiar with the idea that military contractors could be primary and preferred targets of the current Cyberwar, as the infographic on the left shows, realizing that malware can be used to target a drone is still considered an isolated episode, and even worse, the idea of a malware targeting, for instance, the multirole Joint Strike Fighter is still something hard to accept.
However, things are about change dramatically. And quickly.
The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communcation equipment and armament.
For instance an F-22 Raptor owns about 1.7 millions od line of codes , an F-35 Joint Strike Fighter about 5.7 millions and a Boeing 787 Dreamliner about 6.5 millions. Everything with some built in code may be exploited, therefore, with plenty of code and much current and future vulnerabilities, one may not rule out a priori that these systems will be targeted with specific tailored or generic malware for Cyberwar, Cybercrime, or even hacktivism purposes.
Unfortunately it looks like the latter hypothesis is closer to reality since too often these systems are managed by standard Windows operating systems, and as a matter of fact a generic malware has proven to be capable to infect the most important U.S. robots flying in Afghanistan, Pakistan, Libya, and Indian Ocean: Predator and Reaper Drones.
As a consequence, it should not be surprising, nor it is a coincidence, that McAfee, Sophos and Trend Micro, three leading players for Endpoint Security, consider the embedded systems as one of the main security concerns for 2012.
Making networks more secure (and personnel more educated) to prevent the leak of mission critical documents and costly project plans (as happened in at least a couple of circumstances) will not be aviation and aerospace industry’s information security challenge; the real challenge will be to embrace the security-by-design paradigm and make secure and malware-proof products ab initio.
While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks occurred since the very first hack targeting the F-35 Lightning II in 2009.
Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow @pausparrows on Twitter for the latest updates.
As usual the references are after the jump…
Update December 26: 2011 is nearly gone and hence, here it is One Year Of Lulz (Part II)
This month I am a little late for the December Cyber Attacks Timeline. In the meantime, I decided to collect on a single table the main Cyber Attacks for this unforgettable year.
In this post I cover the first half (more or less), ranging from January to July 2011. This period has seen the infamous RSA Breach, the huge Sony and Epsilon breaches, the rise and fall of the LulzSec Group and the beginning of the hot summer of Anonymous agsainst the Law Enforcement Agencies and Cyber Contractors. Korea was also affected by a huge breach. The total cost of all the breaches occurred inthis period (computed with Ponemon Institute’s estimates according to which the cost of a single record is around 214$) is more than 25 billion USD.
As usual after the page break you find all the references.
A week ago, the Office of the National Counterintelligence Executive published a report to Congress concerning the use of cyber espionage to attempt to gain business and industrial secrets from US companies. Easily predictable, the results present a frightening picture!
With no surprise it turned out that the biggest dangers and perpetrators of cyber-espionage operations against American business are China and Russia.
- Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the Intelligence Community cannot confirm who was responsible.
- Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.
- Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence tactics. Some of these states have advanced cyber capabilities.
Unfortunately the predictions for the near future are not encouraging: the authors of the report judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.
This is mainly due to three factors: a technological shift with a growing number of devices connected to the Internet (according to a Cisco Systems study, the number of devices connected to the Internet is expected to increase from about 12.5 billion in 2010 to 25 billion in 2015). An economical shift driven by the Cloud Paradigm which requires the information to be ubiquitous and always available and, last but not least, a cultural shift which bring users to a growing use of social media for personal and professional use with a dangerous overlapping.
With these considerations in mind I decided to concentrate on a single table all the attacks with cyber espionage implications reported in 2011 for which China was directly or indirectly (or allegedly) considered responsible. The details (and links) of each single attack can be found on my 2011 Cyber Attacks Timeline Master Index (of course the list does not include the infamous Operation Aurora and the attack to G20 during the French Leadership since these events occurred during 2010).
U.S., Canada, Japan and Korea are among the countries hit by the Cyber Attacks from Far East. The most known attack is for sure the one perpetrated against RSA, whose wake affected several U.S. Contractors. Moreover the same attack was not an isolated episode, but the tip of an iceberg hiding 760 affected organizations worldwide.
Shady Rat and the IMF attack were other noticeable events as also the breach reported against the Cyworld the Korean Social Networks in which 37 million users were affected.
A frightening scenario that also generated some resounding fake attacks during 2011 (do you remember the Renault affair?)
A new cold (cyber)war at the gates?
- Cyber-espionage attempts on US businesses are on rise (arstechnica.com)
A couple of weeks ago, during the RSA Conference in London, Tom Heiser, president of RSA declared that two separate hacker groups already known to authorities were behind the serious breach affecting tbe Security Firm early this year in March, and were likely working at the behest of a government. Heiser also declared that the attackers possessed inside information about the company’s computer naming conventions that helped their activity blend in with legitimate users on the network, concluding that, due to the sophistication of the breach:
“we can only conclude it was a nation-state-sponsored attack.”
In a statement issued after the breach, the Security Firm declared that some information related to their two-factor authentication technology SecurID had been extracted during the attack, and that information could be used, as part of a broader attack, to decrease the effectiveness of the two-factor authentication.
Curiously RSA refused to name the involved nation, so not confirming the suspects directed to China. Regardless of the nation, among Security Professional it was immediately clear that the true target of the attack was not RSA but its customers: SecurID tokens are used by 40 million people in at least 30,000 organizations worldwide to allow secure access to IT systems. So it was not a surprise the fact that few weeks after the breach three Defense Contractor were attacked using compromised seeds, and although in two cases (L-3 Communications and Northrop Grumman) there was no direct evidence of a direct involvement of compromised tokens but only rumors, in one case (Lockheed Martin), RSA admitted the use of compromised tokens and offered to replace the tokens to affected customers.
Today another interesting piece of the puzzle: in his blog Brian Kerbs publishes a list of companies whose networks were shown to have been phoning home (i.e. connect to the C&C Server) to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010. According to the list 760 other organizations had networks compromised with some of the same resources used to hit RSA and almost 20 percent of the current Fortune 100 companies are on this list.
Scroll down the names on the list and you will find many interesting and surprising firms, even if the author correctly advises that:
- Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit;
- It is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims;
- Some of the affected organizations (there are also several antivirus firms mentioned) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.
So at the end, what’s the matter with China? Simple, at the bottom of the article there is a chart reporting the location of more than 300 command and control networks that were used in these attacks. Guess where 299 of them were located…
(Thanks to @MasafumiNegishi for reporting the original blog post).
Update: F-Secure posted in their blog the complete description on how the patient 0 was found: And here it is the infamous “2011 recruitment plan message”.
Have a look to the fake sender: a message from beyond…
Original Post follows:
I am working hard for the August 2011 Cyber Attacks Timeline (stay tuned it is almost ready! Meanwhile you may check the previous ones) while I stumbled upon this very interesting article. Yes, I may say that finally I saw one of the Emails used for spear phishing attacks against RSA customers, using compromised seeds.
As you will probably know everything started on March 17, 2011, when RSA admitted to have been targeted by a sophisticated attack which led to certain information specifically related to RSA’s SecurID two-factor authentication products being subtracted from RSA’s systems.
Of course the sole seed and serial number of the token (the alleged information subtracted) is not enough to carry on a successful attack, so the attacker (whose possible target were presumably RSA customers) had to find a way to get the missing pieces of the puzzle, that is the username and the PIN. And which is the best way? Of course Spear Phishing!
And here the example of a fake spear phishing E-mail targeting one of the One of America’s Most Secret (and Important) Agencies and in the same Time RSA customers:
Likely the same attack vector was utilized against three Contractors (RSA Customers) which were targeted by attacks based on compromised SecurID seeds between April and May (Lockheed Martin, L-3, and Northrop Grumman). What a terrible year for Contractors and DHS related agencies!
By chance today F-Secure revealed to have discovered the patient zero, that is the mail (“2011 Recruitment Plan”) used to convey the APT inside RSA. Someone (who decided to follow the best practices for anomalous e-mails) submitted it to Virus Total, a cloud based service for scanning files, and it looks like that F-Secure antimalware analyst Timo Hirvonen discovered the e-mail message buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files.
The Antisec Typhoon seems unstoppable and has apparently hacked another Defense Contractor. Continuing their campaign against law enforcement agencies and related organizations, driven by the infamous hash #FFFriday, this time they have targeted Richard Garcia, the Senior Vice President of Vanguard Defense Industries (VDI). During the Breach nearly 4,713 emails and thousands of documents were stolen.
According to TechHerald, AntiSec targeted VDI’s website due to their relationship with several law enforcement agencies from Texas and other parts of the U.S., as well as their relationship with the FBI, the DHS, and U.S. Marshals Service. Moreover, with this hack Antisec (in)directly targeted FBI since Richard Garcia is the former Assistant Director in Charge of the FBI’s field office in Los Angeles. To those supporting AntiSec, this alone is reason enough to target VDI and release Garcia’s corporate email to the public.
As usual the attack had been anticipated by an enigmatic and threatening tweet:
The emails were taken after AntiSec breached VDI’s website, based on the popular WordPress platform. According to Antisec source, VDI had two outdated plugins installed on their website, which had its development outsourced to a local marketing company in Texas. Although the person from AntiSec did not disclose the exact method used to access Garcia’s email, he stated that the hack was performed through the VDI website, and that his password was rather weak.
VDI is the responsible for ShadowHawk, an unmanned helicopter that can be tasked with aerial surveillance or equipped for military usage. At its base, the ShadowHawk comes with CCD TV optics, or an upgraded version includes CCD TV optics and FLIR optics. A third version, for military or law enforcement usage only, can be equipped with a single or multiple shot 37 mm or 40mm grenade launcher, as well as a 12g shotgun, and thermal cameras.
The is only the last leak to Defense Contractor, scroll down the list for attacks targeting Defense Contractors in this very troubled year:
| Feb 5
Anonymous hacks HBGary Federal Web Site, copies tens of thousands of documents, posts tens of thousands of emails online and usurps CEO Aaron Baar’s Twitter Account.
| Apr 6
An E-mail dated April 6, sent to 5,000 employees of U.S. Defense Contractor L-3 warns of an attack attempt made with compromised SecureIDs. It is not clear if the attack was successful (it was revelead half a month later). This is in absolute the first attack perpetrated with RSA Seeds.
This is the first known (and the only officially recognized so far) attack perpetrated with compromised SecureID seeds targeting a U.S. Defense Contractor. This Attack was detected before any sensitive information could be stolen. 100,000 accounts were locked as a precaution.
Third U.S. Defense Contractor attacked using Compromised RSA Seeds. Attacked detected before any sensitive data was stolen.
| Jun 3
As part of the FFFriday campaign, LulzSec steals 180 usernames, real names, hashed and plain text passwords, are acquired and posted publicily
| Jul 8
Anonymous attacks IRC Federal and dumps the content of the attack on a torrent available at The Pirate Bay. The dumped content include databases, private emails, contracts, development schematics, and internal documents for various government institutions.
Anonymous attacks consulting firm Booz Allen Hamilton and releases details of internal data including 90,000 military emails and passwords. Estimated cost of the breach is around $5,400,000.00.
The Pentagon reveals to have suffered a breach of 24,000 documents in March, during a single intrusion believed to have been perpetrated by a Foreign Country. As a consequence of the Intrusion, a classified U.S. Military Weapon System will need to be redesigned after specs and plans were stolen during the breach.
| Jul 28
Anonymous hacks Mantech International Corporation, another FBI Contractor, as a consolidated tradition on Friday, and releases details of internal data and documsnts.
| Jul 29
As part of the Antisec operation and in retaliation for the raids and the arrest again alleged Anonymous and LulzSec members, Anonymous attacks 77 U.S. Law Enforcement Institutions, defacing and destroying their servers.
| Aug 1
||PCS ConsultantsAnother U.S. Government contractor, PCS Consultants gets hacked by Anonymous & Antisec. Hackers extract website Database and leak it on the internet via Twitter on Pastebin (as usual!). Leaked Data include Admin’s and 110 users emails, plus passwords in encrypted hashes.||?|
| Aug 16
Antisec targets Richard Garcia, the Senior Vice President of Vanguard Defense Industries (VDI). During the Breach nearly 4,713 emails and thousands of documents are stolen. As consolidated tradtion, the torrent is released on Friday, August the 19th.
|Vulnerability in WordPress Hosting Platform|
- Vanguard Defense Industries compromised by AntiSec (thetechherald.com)
As already suggested, I considered the original 2011 Cyber Attacks Timeline graph by Thomson Reuters not enough complete since it did not show some important attacks occurred during this tremendous 2011. This is the reason why I decided to draw an enhanced version which shows, according to my personal opinion (and metric), the list of 2011 major cyber attacks both for size and impact. Moreover in this version I added the cost of the breaches (where possible), and the alleged kind of attack perpetrated.
All the data were taken from the bulletins or statements released by the victims, or from the tweets released by the attackers.
Costs were calculated, where possible, using the indications from the Ponemon’s insitute: the average cost of a Data Breach is US $214 for each compromised record, if the targeted company decided to respond immediately the cost is around UD $268 for each compromised record, which drops to US $ 174 if the company takes longer to react.
The Total Cost is an incredible number: nearly US $ 18 billion.
Useless to say, Sony achieves rank #1 with US $ 13.4 billion. In this unenviable chart, Epsilon gains the second place with an estimated cost for its breach, of US $ 4 billion.
The others breaches, although not comparable with the previous ones, if summed, allow to achieve the grand total.
Even if smaller in size, and apparently in importance, I decided to insert in the chart also the attack to Comodo Certificates, happened in March, the 24th. In this annus horribilis, it came immediately after the RSA affaire and it has decreed, together with the RSA breach, the fall of the modern bastions of Strong Authentication (in few days tokens and certificates have proved to be vulnerable). Moreover I consider the message of the author a memorable declaration of Cyberwar. On the trail of the RSA breach the wave of attacks towards US contractors is noteworthy as well.
Hackers focused on Media Sites (Fox, PBS, Sony, Sony BMG), with a clear message against censorship (and probably the neverending problem of copyright). Interesting the second attack to PBS made to show the poor skill of LuzSecs by Warv0x, one of their enemies. In the last part of June Videogame industry was the preferred target (also Epic suffered a breach) with different intentions: LulzSec attacked Nintendo and Bethesda (the second attack resulted in data breach for the victim), but offered to avenge Sega (the manufacturer of Dreamcast), after the disastrous breach.
Direct attacks to governments focused essentially on LOIC based DDoS, albeit some infamous breaches to related sites (as in case of Infoguard/FBI and NATO) lead to Data Breaches.
Last but not least, please notice the intense activity from LulzSec in their intense “50 days of living dangerously”, just before the sudden dissolution of the group happened on June, the 25th.
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)
- It was only a matter of time… (paulsparrows.wordpress.com)
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)
Today some more details about the Citi breach were revealed and it looks like it is not connected with the RSA breach.
The investigation is still in place, but data collected so far show the kind of attack performed is pretty much more “traditional” then a SecureID clonation: the attackers were able to bypass the perimeter security systems by logging on the site reserved for credit card customers (but no one has explained so far how) were they were able to exploit some vulnerabilities on the Home Banking Web Site.
Once inside, they leapfrogged between the accounts of different Citi customers by inserting vari-ous account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
It looks like application and database security is a curse and a bless for the infosec arena. Although not fully mature in my opinion, it is one of the most promising sectors (in which there are grand maneuvers under way by the vendors), but in the same way, application in(security) has been the indirect reasons for several events this year: Sony (in some of the suffered breaches) and Epsilon have been victims of SQL Injection, and if for a moment we forget the breaches (real leading actors of this 2011) and pass to consider malware, we must necessarily mention LizaMoon which has flooded an impressive number of databases all over the world with SQL Injection, infecting more than 1,500,000 URLs.
Unfortunately these kinds of attacks are not simple exercises in style but are often the first stage of more complex Cybercrime operations. If the stolen Data immediately usable (such as Credit Card Numbers and corresponding CVV codes), they are sold in the Black Market Bazaar. In other circumstances, when the stole information is not enough to gain immediate profit, the targets become victims of tailored spear-phishing campaigns (which could potentially last for several years) aimed to gain the missing pieces of the puzzle (read information) necessary to perform the malicious actions.
That is the reasons why, if not already done, Enterprises need to make application security a key foundation for the development of secure business application and services: educating the developers with secure development guidelines, implementing adequate countermeasures with Web Application/Database Firewall, periodically probing the security level of the infrastructure with Vulnerability Assessment and Penetration Test and, last but not least, performing a constant patching.
This corresponds to implement an application oriented modern form of the Deming Cycle, more poetically summarized by the expression “performing Application Housekeeping”.
- Application Security: What’s Next? (paulsparrows.wordpress.com)
- Citigroup Breach and RSA Breach: A Possible Connection? (paulsparrows.wordpress.com)
Today Citigroup revealed that the company has been victim of a breach of its online banking platform, which might have exposed sensitive data belonging to about hundreds of thousands of Citi customers.
Citigroup owns approximately 21 million card customers, which means, in turn, that data of 200.000 cardholders have been impacted.
According to Sean Kevelighan, head of communications and public affairs for Citigroup: “A limited number – roughly 1 percent – of Citi North America bankcard customers’ account information [such as name, account number and contact information, including e-mail address] was viewed, the customer’s Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted.”
Apparently the credit cards and Social Security Numbers are safe, but this will not prevent the Cardholders from the real risk of scams, phishing and fake phone calls from Citibank or its subsidiaries…
At first glance Citigroup is only the last breach following the notorious similar events occurred to RSA, Sony, Epsilon, so definitively nothing new under the sun of this really troubled (from an infosec perspective) 2012.
However, the more (scant so far) information I read, the stronger the suspicion became that the Citigroup and RSA breaches could somehow be linked.
Of course it is right to emphasize that what follows is a mere personal speculation (I would rather say a personal curiosity) based on the few information unleashed so far.
My concern comes from the fact that, according to the original statement, the breach was originated by an unauthorized access to the systems of Citi Account Online discovered during routine monitoring in early May. Citigroup is one of the main RSA customers, and most of all has been one of the first (together with Bank of America, JPMorgan Chase, Wells Fargo) to immediately ask to replace the tokens as soon as RSA declared the direct involvement of compromised SecurIDs in the Lockheed Martin breach (and consequently offered to replace SecurID tokens). Since I am not a Citigroup Customer, I do not know how the Citi Account Online Service works (in this moment the site is not completely visible, at least from Italy, but from what I have understood OTP is used only for transactions), so I cannot definitively trace a direct a connection between the unauthorized access and the use of compromised seeds (OK this is the weak point of my theory J), nevertheless if the coincidence of factors appears quite strange. For sure, to compromise data of 200.000 users it is likely (I would say obvious) that the attackers exploited other vulnerabilities.
Also the timeline of the breach is clearly noteworthy: it looks like the Citigroup breach happened at the early May, nevertheless the customers were notified Sunday JUne the 5th : said in few words, a month later. Maybe Citigroup has decided not to warn its customers of too many breaches at the same time (I wonder how many owners of SecurID or PSN members there are between them). Anyway few hours after the notification to Citigroup customers, RSA would have officially announced the evidence of a direct connection between its breach and the one to Lockheed Martin (and the consequent decision to replace the tokens); equally curiously, according to RSA, this evidence was obtained on June the 2nd, that is approximately three days before the notification by Citigroup to replace the cards to its customers. It is possible (but I repeat this is only a mere personal speculation) that at the moment of notifying its customers, Citigroup was already aware of the direct involvement of the compromised seeds on the Lockheed Martin affair (if I were in RSA’s shoes I would have immediately advised the affected customers), and probably also aware of the RSA offer to replace the compromised tokens. Consequently at that point the Bank realized the true extent of the breach and decided it was the right moment to take adequate countermeasures, first of all notifying the customers, and then finally replacing the tokens, but only after the official RSA statement.
Why Citigroup did not decide to replace the tokens before? The answer is pretty much simple: RSA security breach might cost banks $100 million, so who knows what would have been the cost if Banks should have purchased the new tokens from their own?
In the coming days I will try to follow developments closely, since I am really curious to see it a real involvement of compromised seeds will be identified. For sure we will have to face other similar events in the near future, and I do not exclude other “sons of a (RSA) breach” to come (or better to be unleashed).
- Citigroup Admits Being Hacked in May: Coy About Extent of Impact (spectrum.ieee.org)
- Citigroup Hack of the Day (geeks.thedailywh.at)
- Citigroup Helpfully Notifies Customers It Was Hacked a Month Ago [Hackers] (gawker.com)
- Citigroup hacked: data for 200,000 or more US Citibank customers breached (boingboing.net)
- Citigroup breach exposes data on 210,000 customers (infoworld.com)
Another crucial episode in the affair of the RSA Breach. In a letter published yesterday by mean of the Executive Chairman Art Coviello, letter that will probably go into the annals of computer security, RSA has confirmed that information taken in March had been used as an element of an attempted broader attack on Lockheed Martin. This evidence was obtained, according to the company, on June the 2nd, and so far, the Lockeed Martin attack is the only one, among those (alleged) aimed to other contractors, which has been confirmed directly related to the use of compromised seeds.
Finally this letter indirectly confirms that, given the stolen information, SecureID tokens have been comprimised (but this was implicitly said in the original letters as well):
While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack
and moreover, as was quite clear from the beginning, RSA believes that certain characteristics of the original attack indicated that the perpetrator’s most likely motive was to obtain an element of security information to be used to target defense secrets and related IP. For this reason, the Company worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure.
Another interesting (and shareable) point of the letter is the fact that the unprecedented wave of cyber attacks against Epsilon, Sony, Google, PBS, and Nintendo have commanded widespread public attention. Albeit totally unrelated to the breach at RSA, this events, and this is a really important point, delineate a changing threat landscape and hence have heightened public awareness and customer concern: a landscape in which Cybercrime and Cyberwar dangerously overlap.
As a result, the Company is expanding its security remediation program including two offers for assuring SecureID users’ confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
Is this a new dawning age for two-factors authentication?