Category Archives: News

Cyber: The Achilles’ Heel of Drones?

As Unmanned Aerial Vehicles (UAVs) continue to advance and play an ever growing role in modern warfare, could cyber vulnerabilities pose a potential pitfall? With drone technology rapidly advancing and allowing for the production of truly autonomous UAVs, concerns over these flying terminators being hacked become more legitimate. Here are a couple of articles to give you a little flavor on the topic. 1) Flying Hacker Contraption Hunts Other Drones, Turns Them Into Zombies, an article by Dan Gooding for Ars Technica released in December, discusses how “hacker drones” are being developed and tested to target and gain control of other UAVs. 2) Hacking the Drone War’s Secret History by Wired details how rudimentary programming and hacking skills can allow access to drone’s communication feeds. Having friendly drones falling into the control of opposition forces is a scary thought.

- by Ben Volcsko, Research Assistant

NSA operations in the World… of Warcraft.

A recent revelation from the Snowden leaks has disclosed the significant efforts by intelligence personnel to infiltrate supposed terrorist networks communicating over online games and virtual environments such as Linden Lab’s Second Life, Blizzard/Activision’s World of Warcraft title, and Microsoft’s XBOX Live service. The spying operations were apparently based on concerns within security circles that these online environments could be used by enemy parties to communicate in an obscure way, and the limited security and hardening of these platforms presented a significant collection opportunity for intelligence agencies.

While Blizzard issued a flat denial of any cooperation with intelligence collection or of opening backdoors for spies in World of Warcraft, Linden Labs and Microsoft both declined to comment. Given recent revelations about the scope of private cooperation with spy agencies, declining to comment often raises more questions that it answers, and may indicate the presence of a secret legal gag order. Additionally, the CTO of Linden Labs had previously held a Top Secret clearance and served with the Navy on detachment to the NSA at Fort Meade, and would later present at a brown bag lunch at the NSA on the opportunities present in virtual worlds.

Apparently there were so many NSA and GCHQ operatives playing in these virtual worlds on the taxpayer dime that it became necessary to stand up a deconfliction group to ensure that the agents were not simply chasing their own tails and spying on each other’s collection efforts. However, there is no evidence that collection on gaming environments actually foiled any terrorist plots or provided usedful intelligence on terrorist operations. This quibble aside, GCHQ also noted opportunities beyond communications collection in their online operations, identifying foreign government professionals that they intended to target for recruitment in something of a virtual human intelligence program.

 

Dan Gifford – MCySec Media Manager

Healthcare.gov Gets Fuzzed Amid General Condemnation by Security Professionals

As the flagship effort of President Obama’s terms in office, and a massive new repository of personal financial and medical information, Healthcare.gov was already a huge cyber attack target before the site even went live. The technical difficulties many users have experienced have been mostly due to inadequate testing during the site’s development, however, there are signs of very severe cyber attacks on the horizon.

A recent House hearing on security vulnerabilities on the website ended with the panel of experts; including Morgan Wright, CEO of Crowd Sourced Investigations; Fred Chang of Southern Methodist University; Avi Rubin of John’s Hopkins University; and David Kennedy, CEO of TrustedSEC, all declaring it was unsafe for Americans to trust their personal data to the website in its current form, and three of the four saying that the website should be pulled immediately and the implementation of the healthcare program delayed in order to address the website security issues.

Recently an implementation problem in the site’s search bar autocomplete function was revealing the ongoing “fuzzing” attacks being made on the site’s forms and databases.  A “fuzzing” attack is part of a technique called SQL injection, wherein an attacker uses the outward facing elements of a website, such as forms that feed into the site’s databases, to input commands to the database, potentially revealing or deleting confidential data. The autocomplete issue has been solved, however the attacks are certainly ongoing, with an unknown level of success.

The bottom line of this entire incipient misadventure is that website initiatives, especially ones that are juicy targets for political and personal data reasons, must be designed with security in mind first and foremost, and extensive security testing must be employed before the sites and their vulnerabilities are released on an unsuspecting public.

Dan Gifford – MCySec Media Manager

Adobe’s Credential Security Failure is Impacting Other Web Services, Becoming Password Cracker’s Dream Come True

The breaches in Adobe’s databases, which were exposed by Hold Security and publicized by security journalist Brian Krebs have continued to have significant impacts beyond the company itself. In addition to the public release of extensive amounts of source code for flagship Adobe products such as CloudFlare, the usernames, passwords and password hints of upwards of 150 million users were exposed. This exposure is especially problematic because instead of using a one way hash with individual salts (which is the industry standard method of securing password data within a database), Adobe encrypted the entire password database with Triple DES, and did the entire database with the same key. What this means is that anyone can assemble this database for themselves, and sort by the encrypted password to find groups of users that used the same password, then use the groups of associated password hints to crack the passwords of entire groups of users.

Eventually, once enough of the plaintext password data is known, it may be possible to mount a “known plaintext attack” and recover the Triple-DES key, exposing the rest of the passwords. It is also possible that the original hackers who scooped the database were able to obtain the key, given that they successfully overcame many other security features within Adobe’s network. This would potentially release an unprecedented number of currently used passwords into the public domain, but even if the key is not recovered cryptoanalytically, the addition of password hint data to the database has potentially exposed millions of users to having their passwords found out. In addition to this, the release of so many organically created passwords into the public sphere means that password crackers suddenly have much more information for their attack dictionaries, further improving their position vis-a-vis login security.

Of course, after the breach Adobe required all users of their site and services to change their passwords. However, since so many people reuse password and login credentials across multiple sites, Adobe is not the only provider that has had to deal with the results of their truly epic blunder. Already Facebook, Diapers.com and Soap.com have analyzed the breach and informed users that were using the same login credentials on Adobe that their accounts have been compromised and that they must change their passwords.

This incredible security failure has inspired much-warranted derision within the computing world, with comics luminary XKCD describing it as “The Greatest Crossword Puzzle in the History of the World”

Dan Gifford – MCySec Media Manager

Red October(?) Evolves, Hits Finnish Foreign Ministry

The Red October RAT (Remote Access Tool) which has been extensively analyzed by Kaspersky appears to have continued its development. The Finnish Foreign Ministry has disclosed that they were the victims of a penetration attack going on over four years. The tool used in the attack was specifically described as “not Red October”, however there were similarities.  The research and analysis of the attack is ongoing, but it appears to have first been detected earlier this year. The attack targeted data traffic between the Ministry and the EU, and the Finns have rather nebulously said that they believe “China or Russia” is the originating actor.

The Malware of Things

A pair of dueling intelligence exploitation revelations have given the ongoing Snowden releases a run for their money. The first is the allegation that Russia provided poisoned gifts to delegates at the G20 summit. The complementary USB sticks and telephone chargers which they distributed to attendees came with trojan software installed (in the case of the USB sticks) while the cell phone chargers had the ability to slurp data from phones connected to them and send it onward to quarters unknown. Apparently the malware accessories were first recognized as hacking devices by Herman Von Rompuy’s staff. There have been official statements that the devices were not used by any heads of states, but there are indications they may have been picked up by various members of their staffs. Russia has made an official denial of any involvement with the hacking attack, instead stating that this revelation is merely an attempt to distract the world from the NSA spying scandal. There has also been a report published (first in Russian media) that Russian customs officials had seized a number of electric coffeepots, imported from China, which when plugged in search for unlocked wireless networks and then start distributing malware and sending spam emails.

Undoubtedly this sort of situation is not what futurists predicting an “Internet of Things” anticipated. However, we must come to the conclusion that with ubiquitous computing will come ubiquitous malware and exploitative software. It may not yet be time to lie awake at night worrying if your toaster is hacking into your email and changing the controls on your fridge and your TiVo, but the hour certainly draws near.

Admiral Stavridis Advocates for a Leadership Separation of the NSA and Cyber Command

Admiral (USN ret.) Stavridis has written an article in Foreign Affairs assailing the current leadership structure for US Cyber Command. Under the current regime, General Keith Alexander is the head of both the NSA and the DoD’s Cyber Command. Stavridis argues that in the coming months after General Alexander’s planned retirement it would be good for both organizations if there were separate leadership. Given the substantial operational overlap between the two groups, and their shared location at Ft. Meade the decision was made to have both of them headed by the same individual. However, given the rise of importance of cyber issues in government national security policy-making, it may well be a good idea to head off bureaucratic problems by bringing in separate leadership.

 

Dan Gifford MCySec Media Manager

Novel Fingerprinting Technique Identifies Phones Using Accelerometer Data.

Hristo Bojinov and other researchers at Stanford have discovered a new way of digitally fingerprinting mobile devices. The method works off the fact that the accelerometers used in  smart phones all have unique measurement errors after rolling off the assembly line. These errors can be found by setting the phone on a flat surface, tapping it, then flipping it over. The researchers have stood up a proof of concept site where users can find the accelerometer fingerprint of their own device.

The technique could be used by advertisers and by surveillance agencies as a method of tracking and identifying mobile devices. The current favored method for this operation, putting tracking cookies on the piece of hardware, is subject to a number of constraints. Not the least of these being that the users can delete the cookies to give themselves a fresh start in the tracking system.

Dan Gifford – MCySec Media Manager