Posts Tagged ‘hack’

TAO Inside

January 5, 2014

This graphic is lifted from a leaked NSA/TAO document published by Spiegel last week.

In case you still don’t know, TAO is the Tailored Access Operations group within the US National Security Agency. It is the heavy lifting – or we should say, the heavy hacking – arm of the NSA. It hacks the difficult targets; and very successfully. So successfully that it feels able to use this graphic:

[Image: the ‘TAO Inside’ graphic]

Need anyone say more?

Categories: All, Politics, Security Issues

What ties Microsoft, surveillance, Syria and the Syrian Electronic Army together?

January 2, 2014

The Syrian Electronic Army (SEA) yesterday hacked Skype’s WordPress and Twitter accounts. The likelihood is that the pro-Syrian group got hold of the password used by Skype’s media people, probably through its usual method of spear-phishing. My report on the incident for Infosecurity Magazine is here.

But this hack was a little different to SEA’s normal escapades. The group’s whole raison d’être is to deliver pro-Assad messages to counter what it believes is anti-Assad propaganda controlled and delivered by western governments. This is the reason that it has concentrated on attacking high-profile media companies.

Well, Skype is certainly high-profile — but the message is not ‘Syrian’. On both the Skype Twitter account and its WordPress blog the SEA message was this:

[Image: SEA’s message via Skype’s Twitter account]

It’s a message you might more likely expect from Anonymous protesting against NSA surveillance and Microsoft complicity in that surveillance rather than a pro-Assad movement.

I asked SEA if it marked a change in its targets and tactics; and got this reply:

We can confirm that attack was done by us, and we gained access to important documents about monitoring accounts/emails by Microsoft.

It’s still about Syria. And we will detail that soon.

So that’s the big question now: what ties Microsoft, surveillance and Syria together?

Categories: All, Politics, Security Issues

Reckz0r’s at it again – another hack that hasn’t happened yet

December 2, 2013

Like many bloggers I watch my logs, trying to work out what appeals to readers. One thing that has continually surprised me is the popularity of a little posting I did almost 18 months ago: Reckz0r hacks MasterCard and Visa. Anonymous says no.

Reckz0r had just claimed two major hacks. Wrongly. In fact an Anonymous contact told me at the time, “He [Reckz0r] is considered the village idiot in Anonymous circles. He pretended he hacked Sony for LulzSec; he pretended he hacked sites that UGNAZI hacked. He has just faked another hack like he always does. Pure Bieber Hacker.”

But for 18 months visitors have been landing on that page. Is Reckz0r popular? I doubt it. But what it does tell me is that he is probably much better than I am at self-publicity. And now he’s at it again. This time he claims to have hacked the PS4 — well, not personally, but he almost provides a tutorial on how to implement someone else’s hack.

“Voila! JAILBROKEN!” he concludes. “You now have the ability to run unassigned/assigned code and pirated games on your PS4.” Only, naturally, the link to the actual exploit doesn’t work.

But to support his assertion he also published a Twitter conversation between himself and Sony.

[Image: Sony chastises Reckz0r, right?]

Doesn’t really sound like Sony, does it? And in the first one they have very cleverly got slightly more than 140 characters into the message.

So, once again we can say with a fair degree of certainty that this is a hoax. But, if you’ll pardon the vernacular, it is lame. It is lame beyond even Reckz0r’s traditional lameness. It is so lame, you even have to wonder if it’s a lame joke. But that would be cleverness beyond Reckz0r — so is it even Reckz0r?

Bugger. He’s just proved the point — he really is better at self-publicity than I am.

Categories: All, Security Issues

Did GCHQ hack Belgacom? It certainly looks like it

October 4, 2013

Well, I guess that’s as official as we’re likely to get: GCHQ hacked Belgacom.

The reasoning is this…

The European Parliament’s Civil Liberties, Justice and Home Affairs committee (LIBE) is conducting a series of hearings to investigate the ‘Prism scandal’. Yesterday it held the latest in the series: “Allegations of ‘hacking’ / tapping into the Belgacom systems by intelligence services”. Statements were expected from two high-ranking Belgacom executives, and Sir Iain Lobban, director of GCHQ.

After the event, LIBE issued its statement. In full, it reads:

Civil Liberties Committee MEPs expressed their regret on Thursday that the British Government Communications Headquarters (GCHQ) had declined their invitation to take part in a hearing on the alleged hacking of Belgian telecoms firm Belgacom’s servers. Belgacom’s top managers would not confirm or deny media reports that UK intelligence services were behind the attack.

First of all I consider it grossly discourteous for Lobban to fail to attend. This committee comprises elected representatives of the people who pay his wages and on whom he spies.

And then – forgive me for being simplistic – but I have a general principle on such matters: The innocent will never say they are guilty, but can always say they are innocent. The guilty cannot admit guilt, cannot lie, and therefore say nothing.

By avoiding having to say anything, Lobban did not say he didn’t do it – therefore the huge likelihood is that he did. And as for Belgacom, by not saying it wasn’t GCHQ, the huge likelihood is that it was. It’s called the science of gut feeling; and it is usually pretty accurate.

But there’s another issue here. The UK is a member of the European Union. What is the point of having a legal union if individuals can simply ignore the elected representatives of the union? And by what moral, if not legal, right does Lobban decline an interview to attend a hearing being held by one of the most important political committees in Europe?

Categories: All, Politics, Security Issues

Why do we get hacked? A combination of arrogance and denial is one reason

October 3, 2013

Have you ever wondered why we hear of a new hack every day? Well, here’s one reason – the arrogance and denial of some of our security managers.

A couple of months back I was speaking to Ilia Kolochenko, the CEO of a pentesting firm called High Tech Bridge. I asked him if pentesting was really necessary. Well, he said, just this morning I found flaws in [several high-profile media websites] that could, if cleverly exploited, lead to the complete owning of the networks concerned.

Needless to say I was interested. I asked him if he could find more, and laid down a few conditions to ensure that these weren’t old vulnerabilities that he already knew about. He delivered the goods, and the full story was published in Infosecurity Magazine: Infosecurity Exclusive: Major Media Organizations Still Vulnerable Despite High Profile Hacks.

Before publishing the story, all of the companies were notified and given a period of time to correct the flaws. Here’s a sample of the notifications:

Last week I accidentally found an XSS vulnerability on your website that allows stealing visitors’ sensitive information (e.g. cookies or browsing history), performing phishing attacks and doing many other nasty things… [details of the flaw and proof]

Please forward this information to your IT security team, so they can fix it. They may contact me in case they would need additional information and/or any assistance – I will be glad to help.

In some cases, where no vulnerability reporting address could be found, this or similar was sent to as many addresses as could be found.

Point one. Only one of the companies replied to the notification emails. This company basically said, thank you, fixed it. In reality it was only partly fixed and easily bypassed. So at the time of publishing the story, all of the websites had been contacted and given time to fix the flaw – but none of them had.

Point two. Shortly after publishing the story I received the following comments from one of the featured companies:

However try as I might I have found no-one at xyz inc who has ever heard of or from Mr Kolochenko, or yourselves, regarding any testing of our systems, vulnerabilities found, or in fact comments upon our security. Could you therefore please forward me [a copy of the several emails we had already sent].

Needless to say we did this, including an automated receipt email that proved that xyz inc had been sent and had received the email.

This head of xyz’s security then went on to accuse me of writing an advertorial for Kolochenko. He added,

…the vast majority of reported attacks on media broadcasters and press organisations so far in 2013 have had nothing to do with external attacks on websites or online presence, and the Syrian Electronic Army in particular have never used this attack vector – every one of their successful breaches has been the result of a phishing attack, which Mr Kolochenko’s tools will do nothing whatsoever to obviate.

This, of course, is both wrong and irrelevant – how the SEA’s preference for phishing (which could have been made easier by exploiting this vulnerability anyway) somehow protects xyz inc is beyond me.

The simple fact is this head of security was more concerned with deflecting any blame from himself, denying any vulnerability in his system and accusing me of lacking professional standards than in actually finding and fixing said vulnerability. A little humility and acceptance of help from security researchers might go a long way to making the internet a safer place.

Postscript. Following publication of the article, the websites in question fixed the flaws. As far as xyz inc is concerned, Ilia subsequently received a further email:

We have now pushed out a fix for this vulnerability. Thanks very much for bringing this to our attention.

Regards

xyz inc

Categories: All, Security Issues

To protect and serve: the police and breach notification

August 10, 2013

I sometimes wonder what the purpose of the police is: is it to protect the public or to catch criminals? The problem is that these two functions are often mutually exclusive — definitely in the short term.

You could argue that by catching criminals you are protecting the public from their potential future crimes. You could also argue that catching this actual criminal might deter that potential criminal — and that again you are protecting the public from potential future crimes.

The weakness in this argument is that a criminal doesn’t become a criminal until after the crime is committed. By definition, catching a criminal means that you have failed to protect the public.

A clear definition of primary purpose will therefore affect basic police operations, and have a fundamental effect on the public.

Here’s an example; but it will involve a small leap of faith to begin with — I forget the precise source. I hope, however, you can trust my memory. It was a chat between two very successful hackers. One of them said words to the effect, “I watch the news because that’s how I learn when my hack has been discovered.”

Basically, that’s the time for him to get out, cover his tracks and lie low.

It follows that if there is no news of the breach, law enforcement has a greater opportunity to apprehend the criminal who might just hang around on the network long enough for the forensic investigators to gather incriminating evidence.

But at what potential cost to the public? Bill Snyder got caught up in the Vendini breach earlier this year, and wrote about it on CIO:

I got an email from Vendini on May 23 that says: “We regret to inform you that on April 25, 2013, Vendini, Inc. detected an unauthorized intrusion into its systems.” Excuse me? April 25? That’s nearly a month between the discovery of the hack and the arrival of that email, which means the bad guys had weeks to pillage my accounts, and hundreds of thousands, maybe millions, of people who have used the service. (Vendini also posted the message online.)

Why didn’t the company notify us? Says Vendini: “We are actively cooperating with federal law enforcement, and this notification to you was delayed specifically to support law enforcement’s investigation.”
Online Ticketer Vendini Hit by Hack, Warns Customers a Month Later

If this is true, it is an example of police action that prioritizes apprehension of the criminal over protection of the public. Had protection been the priority, the breach notification would have been instant, regardless of whether that made apprehension more difficult.

It’s a difficult one.

Well, actually, for me — no it is not. The absolutely prime, overriding, fundamental purpose of the police should be to protect the public. I would suggest that the loss of focus by the police — where success is now viewed as a league table of people locked up rather than the fulfillment of protecting and serving the public — is key to the increasingly macho and manipulative law enforcement agencies we now have.

Categories: Politics, Security Issues

A hack by any other name tastes just as bad

June 23, 2013

What is a hack? No, seriously, I need to know.

Last weekend the People/Mirror reported that Scout7 had been hacked and Manchester City’s scouting database compromised.

Scout7 came back and said it hadn’t been hacked and the integrity of its systems was sound. But City’s database was accessed by someone other than City.

Scout7 was saying that as far as its systems were concerned, it was a legal access via genuine credentials — implying that City must have lost, mislaid, or had its password stolen. It’s an interesting idea. The implication is that if you lose your house-keys and someone finds them, gets in while you’re out, and reads your personal, private diary, you haven’t been burgled.

That, of course, is emotionally absurd. But Scout7 is saying that it (the housebuilder) cannot be blamed for the burglary and doesn’t need to do anything about it. We’ll come back to that.

Meantime, how does this apply to ‘breach notification’? Is a breach a hack? Is the illegal use of legal credentials by a clear bad guy something that will require notification? Will companies be able to claim, we weren’t breached because the hackers got in through legitimate passwords, therefore we don’t need to tell anyone?

Incidentally, Kurt Wismer has an interesting story equally hinging on lack of semantic clarity: was the poor targeting in Stuxnet down to some lax manager saying, ‘make me a virus’, when he really meant, ‘make me a trojan’? Worth reading.

But back to Scout7. No, it cannot avoid its liability by implying it was a customer’s fault for losing his/her password. We all know that passwords do not provide adequate access security. So relying on them, and not adding a second factor to the access control, is effectively building something not fit for purpose. So as far as I am concerned, it got hacked.

Categories: All, Security Issues

LivingSocial got hacked; 50 million passwords stolen, but it still hasn’t learnt all the right lessons

April 30, 2013

We learnt over the weekend that LivingSocial got hacked, and 50 million passwords were compromised (I reported on the story for Infosecurity Magazine here: 50 million LivingSocial passwords stolen). We know that the passwords were salted and hashed with SHA1. And we know that LivingSocial thinks that’s enough, because talking about the hack it said, “The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.”

It is, of course, far from enough. Unsalted SHA1 hashes of common passwords will take only a few seconds to crack using standard rainbow tables. Salted SHA1 hashes will take a little longer, but not much: the salt defeats precomputed tables, but SHA1 is so fast that weak passwords still fall quickly to dictionary and brute-force guessing. The only ‘correct’ thing LivingSocial has done has been a forced password reset for its users, and a subsequent shift to the more secure bcrypt hashing algorithm. But frankly that’s too late for any users whose stolen passwords are re-used on other accounts (statistically highly probable).

LivingSocial has so far given no details on who perpetrated the hack, with what, or when. That last is important since all of the users’ other accounts using the same password have been vulnerable since the moment the hackers exfiltrated the data. Nor do we know if the hackers gained access to any salting scripts on the server – which would largely nullify any benefit from the salt process.

I don’t have a LivingSocial account, so I’m OK. But I decided to sign up after the hack. The sign-up page wanted an email address. I gave it ‘yougottabejoking’. It also wanted a password. I entered ‘12345678’. It accepted both, and gave me an account – this account:

[Image: My LivingSocial Account – no prizes for guessing the password…]

Had I done this before the hack, said hackers would now be in possession of both my email address and my password – a password that even salted and hashed would not take long to crack. If I used the same password elsewhere – as many users do – then all of those other accounts would also be cracked.

My point is this. Salting and hashing is pretty useless if the password is weak. Salting and hashing (especially with bcrypt) is very good if the password is strong. So rather than allowing me to enter 12345678, LivingSocial should be imposing a strong password policy that forces all users to use a strong password.
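To make the three points of this post concrete (unsalted hashes fall to a lookup table, a salt only defeats the table, and a weak password is weak under any hashing scheme), here is an added example that is not LivingSocial’s code or the original post’s. It is a registration-side policy check plus a comparison of unsalted SHA1, salted SHA1 and a slow, salted KDF; scrypt from the standard library stands in for bcrypt, and the common-password list is a constructed stand-in for a real one.

```python
import hashlib
import re
import secrets

# Constructed stand-in for a real "most common passwords" list (an assumption).
COMMON_PASSWORDS = {"12345678", "password", "qwerty123", "letmein1", "iloveyou"}


def password_policy_ok(password: str) -> bool:
    """Registration-time check of the kind the post says LivingSocial lacked."""
    if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
        return False
    # Require at least three character classes so "aaaaaaaaaaaa" does not pass.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes >= 3


def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()


# A precomputed table maps every unsalted hash of a common password straight
# back to the password: this is the rainbow-table case in miniature.
UNSALTED_TABLE = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(digest: str):
    """Returns the password if the digest is in the precomputed table, else None."""
    return UNSALTED_TABLE.get(digest)


def store_password(password: str) -> dict:
    """Per-user random salt plus a deliberately slow KDF (scrypt standing in for bcrypt)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    # Constant-time comparison so verification does not leak matching prefixes.
    return secrets.compare_digest(digest.hex(), record["hash"])
```

Even the scrypt record only slows an attacker down; if the policy check is skipped and 12345678 is stored, a dictionary of a few thousand guesses still finds it.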

Categories: All, Security Issues

israel-trade.org got hacked – israeltrade.org did not

April 7, 2013

There’s a really nice hack of israel-trade.org – visually very, well, nice. And coming at the beginning of the ‘Anonymous’ war on Israel, I suppose it is only to be expected.

[Image: Nice hack design on israel-trade.org]

Thing is, I’m not sure whether saying ‘you’re hacked’ on your own website is genuine hacking…

There is a very similar sounding site called israeltrade.org – and that site is still (at least at the time of writing this) running fine.

[Image: israeltrade.org still running…]

But israel-trade.org got got – and oh look – it only took the hacker a couple of hours from registration to hack…

[Image: israel-trade.org whois record]

A rather late April Fool joke on the media, I suspect.

Categories: All, Security Issues