As the flagship effort of President Obama’s terms in office, and a massive new repository of personal financial and medical information, Healthcare.gov was already a huge cyber attack target before the site even went live. The technical difficulties many users have experienced have been mostly due to inadequate testing during the site’s development, however, there are signs of very severe cyber attacks on the horizon.
A recent House hearing on security vulnerabilities on the website ended with the panel of experts; including Morgan Wright, CEO of Crowd Sourced Investigations; Fred Chang of Southern Methodist University; Avi Rubin of John’s Hopkins University; and David Kennedy, CEO of TrustedSEC, all declaring it was unsafe for Americans to trust their personal data to the website in its current form, and three of the four saying that the website should be pulled immediately and the implementation of the healthcare program delayed in order to address the website security issues.
Recently an implementation problem in the site’s search bar autocomplete function was revealing the ongoing “fuzzing” attacks being made on the site’s forms and databases. A “fuzzing” attack is part of a technique called SQL injection, wherein an attacker uses the outward facing elements of a website, such as forms that feed into the site’s databases, to input commands to the database, potentially revealing or deleting confidential data. The autocomplete issue has been solved, however the attacks are certainly ongoing, with an unknown level of success.
The bottom line of this entire incipient misadventure is that website initiatives, especially ones that are juicy targets for political and personal data reasons, must be designed with security in mind first and foremost, and extensive security testing must be employed before the sites and their vulnerabilities are released on an unsuspecting public.
Dan Gifford – MCySec Media Manager
The Federation of American Scientists has published a paper detailing threats to the global oil supply chain. Rounding out a list of major regional and geopolitical threats to the global oil infrastructure, the risks of SCADA and other attacks on pipelines, tanker ships, and refineries does seem substantial. The author is a little off base in suggesting that STUXNET type weapons could be used to attack oil systems- the sophistication of oil systems is much less than that seen in the Iranian nuclear enrichment program, and as such a STUXNET level weapon would probably be overkill. Even still, Despite significant vulnerabilities of the often unprotected systems to the internet and other venues of attack, major SCADA attacks have not yet become prevalent. The author is also somewhat mistaken in assessing that groups such as the Syrian Electronic Army could have the capabilities to conduct major SCADA infrastructure attacks. SEA capabilities are simply not on that level, and they have concentrated primarily on hacking email accounts by abusing password resets and other social engineering methods, rather than the technical expertise that would be necessary to deploy custom attack tools on SCADA. These technical quibbles aside, the author is entirely correct in his assessment that the complexity of the logistics operations involved in global oil systems provides a major avenue of attack, and I must agree that these sorts of attacks are waiting over the horizon.
Dan Gifford – MCySec Media Manager
The breaches in Adobe’s databases, which were exposed by Hold Security and publicized by security journalist Brian Krebs have continued to have significant impacts beyond the company itself. In addition to the public release of extensive amounts of source code for flagship Adobe products such as CloudFlare, the usernames, passwords and password hints of upwards of 150 million users were exposed. This exposure is especially problematic because instead of using a one way hash with individual salts (which is the industry standard method of securing password data within a database), Adobe encrypted the entire password database with Triple DES, and did the entire database with the same key. What this means is that anyone can assemble this database for themselves, and sort by the encrypted password to find groups of users that used the same password, then use the groups of associated password hints to crack the passwords of entire groups of users.
Eventually, once enough of the plaintext password data is known, it may be possible to mount a “known plaintext attack” and recover the Triple-DES key, exposing the rest of the passwords. It is also possible that the original hackers who scooped the database were able to obtain the key, given that they successfully overcame many other security features within Adobe’s network. This would potentially release an unprecedented number of currently used passwords into the public domain, but even if the key is not recovered cryptoanalytically, the addition of password hint data to the database has potentially exposed millions of users to having their passwords found out. In addition to this, the release of so many organically created passwords into the public sphere means that password crackers suddenly have much more information for their attack dictionaries, further improving their position vis-a-vis login security.
Of course, after the breach Adobe required all users of their site and services to change their passwords. However, since so many people reuse password and login credentials across multiple sites, Adobe is not the only provider that has had to deal with the results of their truly epic blunder. Already Facebook, Diapers.com and Soap.com have analyzed the breach and informed users that were using the same login credentials on Adobe that their accounts have been compromised and that they must change their passwords.
This incredible security failure has inspired much-warranted derision within the computing world, with comics luminary XKCD describing it as “The Greatest Crossword Puzzle in the History of the World”
Dan Gifford – MCySec Media Manager
Cyber-security research firm FireEye has published a new report alleging that there may be a single actor providing important code development resources to as many as 11 separate APT campaigns. All of the tools have been written using a Chinese language character set, pointing to the likely national origin of this tool provider. FireEye alleges that this “Quartermaster” may be something of a digital arms dealer, enabling various APT teams to construct attack tools using point and click interfaces rather than advanced coding skills.
FireEye first discovered the digital breadcrumbs leading to their conclusion while examining the Sunshop water-holing attack which took over legitimate websites and used them to redirect browsers to malware sites. The 11 APT groups that they connected through their investigation were found to share resources in various combinations, among them: Portable executable resources, Pilfered Digital Certificates, API import tables, Compile times, and C2 (Command and Control) Infrastructure. FireEye’s highest confidence assessment is that a “Sunshop Digital Quartermaster” (SDQ) exists which supports a variety of separate APT campaigns as part of a “formal offensive apparatus”. While some of the APT campaigns are also using malware obtained from the digital black market, most of them are heavily reliant on tools which are not available on the criminal internet underground and almost certainly originated with a single source, this “SDQ”. FireEye does acknowledge that it is still possible that the APT groups simply share these programs informally, but there is substantial evidence that there is a single originating source of the tools within the code examples they have analyzed in the report.
Dan Gifford – MCySec Media Manager
José de Arimatéia da Cruz has published an article in the Small Wars Journal regarding Cyberterrorism.
The Red October RAT (Remote Access Tool) which has been extensively analyzed by Kaspersky appears to have continued its development. The Finnish Foreign Ministry has disclosed that they were the victims of a penetration attack going on over four years. The tool used in the attack was specifically described as “not Red October”, however there were similarities. The research and analysis of the attack is ongoing, but it appears to have first been detected earlier this year. The attack targeted data traffic between the Ministry and the EU, and the Finns have rather nebulously said that they believe “China or Russia” is the originating actor.
The Onion Router has long been thought to be one of the best methods for maintaining anonymity of internet traffic, and has even been assailed by the NSA as a hard problem, leading them to use workarounds to circumvent the network and attack specific users However, new research presented by a team from the US Naval Research Lab and Georgetown University has found that with specific methods they designed:
“Tor faces even greater risks from trafﬁc correlation than previous studies suggested. An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50% probability and within six months with over 80% probability.”
Traffic correlation and nodes controlled by malicious actors have both been considered as a major risk to TOR for a significant amount of time. This new research quantifies the problem and the danger to users of the service, and with any luck may lead to changes in the system to mitigate said risks.
A pair of dueling intelligence exploitation revelations have given the ongoing Snowden releases a run for their money. The first is the allegation that Russia provided poisoned gifts to delegates at the G20 summit. The complementary USB sticks and telephone chargers which they distributed to attendees came with trojan software installed (in the case of the USB sticks) while the cell phone chargers had the ability to slurp data from phones connected to them and send it onward to quarters unknown. Apparently the malware accessories were first recognized as hacking devices by Herman Von Rompuy’s staff. There have been official statements that the devices were not used by any heads of states, but there are indications they may have been picked up by various members of their staffs. Russia has made an official denial of any involvement with the hacking attack, instead stating that this revelation is merely an attempt to distract the world from the NSA spying scandal. There has also been a report published (first in Russian media) that Russian customs officials had seized a number of electric coffeepots, imported from China, which when plugged in search for unlocked wireless networks and then start distributing malware and sending spam emails.
Undoubtedly this sort of situation is not what futurists predicting an “Internet of Things” anticipated. However, we must come to the conclusion that with ubiquitous computing will come ubiquitous malware and exploitative software. It may not yet be time to lie awake at night worrying if your toaster is hacking into your email and changing the controls on your fridge and your TiVo, but the hour certainly draws near.
Google has unveiled a new tool that allows real-time and historical display of digital attack traffic. Foreign Policy has done an excellent write-up on the new tool here. The tool gives you the ability to see ongoing DDOS and scanning attacks, and their source and destination countries (if known).
Admiral (USN ret.) Stavridis has written an article in Foreign Affairs assailing the current leadership structure for US Cyber Command. Under the current regime, General Keith Alexander is the head of both the NSA and the DoD’s Cyber Command. Stavridis argues that in the coming months after General Alexander’s planned retirement it would be good for both organizations if there were separate leadership. Given the substantial operational overlap between the two groups, and their shared location at Ft. Meade the decision was made to have both of them headed by the same individual. However, given the rise of importance of cyber issues in government national security policy-making, it may well be a good idea to head off bureaucratic problems by bringing in separate leadership.
Dan Gifford MCySec Media Manager