Friday, December 30, 2011

Ten Memorable InfoSec Stories of 2011

A question of trust: the hacking of Root CAs (Certificate Authorities)

Back in March, a root certificate authority named Comodo was hacked and used by a self-proclaimed Iranian hacker to issue legitimate SSL certificates for a number of sites, including Google, Skype, Mozilla, and Yahoo. SSL certificates confirm that a secure site really is what it claims to be; your browser has a built-in list of certificate authorities that it trusts, so when you visit an SSL site it checks which authority issued the certificate. If the issuer isn't on the list, you get a warning.

If a hacker creates a "fake" certificate from the real authority, then any site that presents that certificate is, as far as your computer or phone knows, legitimate. The implications for shopping or other interaction are huge: you become vulnerable to a man-in-the-middle (MITM) attack, where someone operates a site using the "fake" certificate between you and the real site. From your end, it's a legitimate SSL site. For the person running it, they can see everything passing between you and the real site. Comodo's dodgy certificates were revoked, but whether users were actually protected depended on whether they accepted a browser update.

Then in July, the Dutch SSL certificate authority DigiNotar (which provided the SSL certificates for thousands of sites, including the Dutch government) was hacked, and a number of certificates, including one for Google, were issued. These certificates were used for a MITM attack on Iranian users of Google Mail – another indication that web security really does have human consequences.

Many experts now believe that the current SSL CA system is broken. One expert in this area, Moxie Marlinspike, proposes that all of the current problems with the CA system can be reduced to a single missing property, called "Trust Agility", and he has proposed a secure replacement for the existing SSL CA system called "Convergence".
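The structural weakness behind both the Comodo and DigiNotar incidents is that every root on the browser's list can sign a certificate for any hostname, and the browser has no way to tell the site owner's real CA from a compromised one. The following Go program, added here as an illustration and not part of the original post or of Convergence, builds two constructed, throwaway root CAs, puts both on a trust list, has each issue a certificate for the same constructed hostname (mail.example.com), and then runs the plain "is the issuer on the list?" check beside a pinned check that also demands the chain end at the root the site owner is known to use. The CA names, hostname and the Scenario/browserAccepts/pinnedAccepts functions are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: any key or certificate setup failure aborts the run.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA mints a self-signed root. Both roots here are constructed for the example; neither is a real CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf has a CA sign a server certificate for host, as a CA does for any customer.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// browserAccepts is the check the article describes: does some chain end at any root on the trusted list?
func browserAccepts(roots *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinnedAccepts adds what that list lacks: the chain must end at the root the site owner is known
// to use. Any other trusted root, compromised or not, is rejected for this host.
func pinnedAccepts(roots *x509.CertPool, leaf *x509.Certificate, host string, pinnedRoot *x509.Certificate) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		if chain[len(chain)-1].Equal(pinnedRoot) {
			return true
		}
	}
	return false
}

// Outcome records how each check treats the genuine and the rogue-issued certificate.
type Outcome struct{ GenuineTrusted, RogueTrusted, GenuinePinned, RoguePinned bool }

// Scenario puts two roots on the trusted list, lets each issue a certificate for the same
// hostname, and runs both checks against both certificates.
func Scenario() Outcome {
	const host = "mail.example.com" // constructed hostname
	legit, legitKey := newCA("Legitimate Root CA")
	rogue, rogueKey := newCA("Compromised Root CA")
	roots := x509.NewCertPool()
	roots.AddCert(legit)
	roots.AddCert(rogue) // the browser trusts both equally
	genuine := issueLeaf(legit, legitKey, host)
	forged := issueLeaf(rogue, rogueKey, host)
	return Outcome{
		GenuineTrusted: browserAccepts(roots, genuine, host),
		RogueTrusted:   browserAccepts(roots, forged, host),
		GenuinePinned:  pinnedAccepts(roots, genuine, host, legit),
		RoguePinned:    pinnedAccepts(roots, forged, host, legit),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario()) // RogueTrusted is true; only RoguePinned is false
}
```

The list-based check accepts the rogue certificate just as readily as the genuine one, which is exactly the position a browser was in during the Comodo and DigiNotar incidents. Pinning a host to its known root (or public key) closes that gap for sites you control, at the cost of breaking when the site legitimately changes CA; the "trust agility" argument is that users should be able to revise whom they trust for a given site without that trade-off.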

This story is perhaps the most important thing to have happened to InfoSec in 2011 – and how it is dealt with in 2012 may be crucial.

Full story: here

Anonymous gets busy

The loose collective of hackers known as Anonymous was quite busy in 2011. The group first gained widespread attention back in 2008 with its "Project Chanology" raids on the Church of Scientology. One of its symbols, the Guy Fawkes mask (first popularized by the comic book and film "V for Vendetta"), has now become instantly recognisable, as well as becoming associated with the Occupy Wall Street movement. Their self-description, in the form of an aphorism, is: "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."

Here are some of their more memorable activities of the year ...

* Operations in support of the Arab Spring Democracy movements in Egypt, Tunisia and Libya - Anonymous performed DDoS attacks on eight Tunisian government websites which may have led to an upsurge of internet activism among Tunisians against their government. Anonymous also attacked the websites of the incumbent governments in Egypt and Libya along with the internet censorship methods being used in these countries.

* In February came the attack on HBGary Federal. In retaliation for CEO Aaron Barr's claims of having infiltrated Anonymous, members of Anonymous hacked the website of HBGary Federal, took control of the company's e-mail, dumped 68,000 e-mails from the system into the public domain, erased files, and took down their phone system.

* Next came the attack on Sony websites (Operation Sony) in response to Sony's lawsuit against George Hotz and, specifically, Sony's gaining access to the IP addresses of all the people who visited George Hotz's blog as part of the libel action, which Anonymous termed an 'offensive against free speech and internet freedom'. Although Anonymous admitted responsibility for subsequent attacks on the Sony websites, the Anonymous branch AnonOps denied being the cause of a major outage of the PlayStation Network and Qriocity services in April 2011. On May 4, 2011, Sony confirmed that individual pieces of personally identifiable information from each of the 77 million accounts appeared to have been stolen. The outage lasted for approximately 23 days.

* In August 2011, Operation BART was launched in response to San Francisco Bay Area Rapid Transit's shutdown of cell phone service, an attempt to stop protesters from assembling violently in response to a police shooting. Anonymous sent out a mass email/fax bomb to BART personnel and organized multiple mass physical protests at the network's Civic Center station.

* Several contingents of Anonymous have given vocal support to the Occupy Wall Street movement, with vast numbers of members attending local protests and several blogs run by members covering the movement extensively.

* In early August, Anonymous launched Operation Syria and hacked the Syrian Defense Ministry website. In September, a group tied to Anonymous appeared on Twitter, calling themselves RevoluSec (Revolution Security). They defaced Syrian websites, including the Syrian Central Bank and other pro-regime sites. Telecomix worked with Anonymous to show Syrians how to bypass the internet censorship put in place by the regime.

* Operation Mayhem: on November 18, Anonymous released a video claiming to have released the "Guy Fawkes Virus" on Facebook and that they would release it on Twitter soon. The first reason claimed for its release was to protest the violence of the police force against Occupy Wall Street protesters, the second was to protest the Stop Online Piracy Act, and the third was to counter anyone who claims to be against Anonymous.

* Ending the year, on December 24th, Anonymous gained access to thousands of e-mail addresses and credit card details from security firm Stratfor and made them public. Anonymous commented that they did it because the data was unencrypted, to let the public know about the vulnerability.

Full story: here 

Hacking the power plant

At Black Hat USA, SCADA security researcher Dillon Beresford gave one of the most alarming public demonstrations of the fragility of security in power control systems. Beresford, a researcher with NSS Labs, demonstrated how a backdoor in Siemens industrial control systems let him get inside, capture passwords and reprogram PLC logic such that he could shut down the systems altogether or cause them to eventually crash. He had initially postponed a presentation earlier in the year on his vulnerability finds due to concerns about possible risk to human life. Remember that the same Siemens industrial control systems were targeted successfully by the Stuxnet worm in 2010, which infected several Iranian nuclear facilities with devastating effect by making use of a custom PLC rootkit along with several zero-day vulnerabilities and fake SSL certificates from two compromised CAs.

Full story: here

Hacking insulin pumps

SCADA security expert Jerome Radcliffe, a diabetic, had become curious about the security of the devices that keep his blood sugar in check. So he started studying how continuous glucose monitors (CGM) and insulin pumps could be hacked, and discovered that at least four models of insulin pumps sold by Medtronic can be hacked wirelessly.

An attacker could remotely disable the pumps or alter the insulin dosage that's automatically delivered to the user. Radcliffe demonstrated that a hacker could illicitly turn off the pump remotely, with the device offering only a small chirp as a response, and also remotely manipulate any setting on the pump without the user's knowledge. "It's basically like having root on the device, and that's like having root on the chemistry of the human body," he said. It was a frightening but enlightening find given the life-or-death consequences. Radcliffe was also able to disrupt and jam the GSM devices.

Full story: here

'Warflying': hacking in midair

For around US$6,000, security researchers Mike Tassey and Richard Perkins built a radio-controlled model airplane with an onboard computer running Linux with 4G connectivity that could be used as a hacking "drone" to wage aerial attacks on targets that are unreachable on land. They brought their Wireless Aerial Surveillance Platform (WASP) to Las Vegas for DefCon to demonstrate the potential threat of "warflying."

Full story: here

Hacking MacBook laptop batteries

Security researcher Charlie Miller demonstrated this year that the embedded controllers on laptop batteries are hackable. Miller found that Apple's laptop battery has two hardcoded passwords that could be exploited to make changes to the smart battery system's firmware. The passwords are a way for Apple to update the firmware, but they also leave it wide open for abuse. Miller disassembled his MacBook's batteries and found that Apple uses one default password to unlock the battery and another to access the firmware. If an attacker were to obtain those passwords, then he could eavesdrop on any communication between the battery and the laptop, as well as inject malicious code.

Full story: here

The return of Google-fu

Australian security consultant Daniel Grzelak made an unexpected discovery as he searched for publicly accessible databases containing e-mail address and password pairs. The entire user database of Groupon's Indian subsidiary including cleartext usernames and passwords was accidentally published to the Internet and indexed by Google.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail". "A few hours and tweaks later, this database came up," he said. "I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realised how big it actually was."

As a side project, he created, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised. Grzelak was searching for more compromised accounts to add to the website's database when he stumbled across the Sosasta database.

Full story: here

Pension fund shoots itself in the foot

Australian information security professional Patrick Webster had noticed that his pension fund, First State Superannuation, let logged-in members retrieve online statements through an insecure "direct object reference", a bug class that appears on OWASP's infamous top ten list of web application security flaws. Sure enough, when Webster incremented the document ID number in the URL linking to his super statement, up popped another member's statement. The details revealed on the statement were a fraudster's dream, including full names, addresses, email addresses, membership number, age, insurance information, pension amount, fund allocations, beneficiaries and employer information.
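The bug is that the server treats the number in the URL as sufficient authority to return the record. The Go code below is an added illustration, not First State's code or any real system: it uses a constructed in-memory table of two members' statements, shows a lookup with the flaw beside one that checks ownership against the session, and then the "indirect reference map" pattern that OWASP recommends, where the client is handed random per-session tokens instead of database IDs so there is nothing to increment. All type and function names (Statement, Session, VulnerableLookup, SafeLookup, NewReferenceMap, IndirectLookup) are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Statement is one member's superannuation statement (constructed sample data).
type Statement struct {
	ID       int
	MemberID int
	Summary  string
}

// Session is the logged-in member making the request.
type Session struct{ MemberID int }

// ErrNotFound is returned both for missing statements and for statements owned by someone else,
// so a client stepping through IDs cannot tell the two cases apart.
var ErrNotFound = errors.New("statement not found")

// statements stands in for the fund's database, keyed by the number that appeared in the URL.
var statements = map[int]Statement{
	1001: {ID: 1001, MemberID: 7, Summary: "member 7: balance, beneficiaries, employer"},
	1002: {ID: 1002, MemberID: 8, Summary: "member 8: balance, beneficiaries, employer"},
}

// VulnerableLookup mirrors the bug in the story: the ID from the URL is the only input, and
// nobody asks whether the caller owns that statement.
func VulnerableLookup(_ Session, id int) (Statement, error) {
	st, ok := statements[id]
	if !ok {
		return Statement{}, ErrNotFound
	}
	return st, nil
}

// SafeLookup makes the same query but treats the URL ID as a hint, not an authorization:
// the record is returned only if it belongs to the session's member.
func SafeLookup(s Session, id int) (Statement, error) {
	st, ok := statements[id]
	if !ok || st.MemberID != s.MemberID {
		return Statement{}, ErrNotFound
	}
	return st, nil
}

// ReferenceMap is OWASP's "indirect reference map": per session, the client sees random
// tokens instead of database IDs, so there is no sequence to walk.
type ReferenceMap map[string]int

// NewReferenceMap issues a token for each statement the member owns and nothing else.
func NewReferenceMap(s Session) (ReferenceMap, error) {
	refs := ReferenceMap{}
	for id, st := range statements {
		if st.MemberID != s.MemberID {
			continue
		}
		buf := make([]byte, 16)
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		refs[hex.EncodeToString(buf)] = id
	}
	return refs, nil
}

// IndirectLookup resolves a token from the member's own map; unknown tokens look like
// missing records, never like someone else's.
func IndirectLookup(refs ReferenceMap, token string) (Statement, error) {
	id, ok := refs[token]
	if !ok {
		return Statement{}, ErrNotFound
	}
	return statements[id], nil
}
```

The ownership check in SafeLookup is the minimum fix, and it belongs in the data access layer rather than in each page handler so it cannot be forgotten. Returning the same "not found" for foreign and missing records is deliberate: a distinct "forbidden" response would confirm to a curious client that the neighbouring ID exists, which is what made the 18-month exposure here so cheap to discover.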

First State’s response to being quietly tipped off by Webster with his valuable information was extremely stupid, which is why it attracted a large amount of media attention ... they got police and lawyers involved to threaten Webster with arrest and also issued him a bill for the amount it would cost to fix the bug, then demanded access to his computer equipment.

After the storm of controversy following their heavy-handed approach, they backed down from their stance but are now facing an investigation by the Australian Federal Privacy Commissioner as to why the security vulnerability was out there, undiscovered, for a period of 18 months or more. The fund's contracts with Australian government departments, such as ASIO (Australia's CIA), were also looking a little bit shaky.

Full story: here 

Remotely starting a car via text message

There's war driving, and then there's war texting. Security researcher Don Bailey discovered how simple it is to remotely disarm a car alarm system and control other GSM and cell-connected devices: he showed off his find by remotely starting a car outside Caesars Palace in Las Vegas during the Black Hat USA and DefCon shows.

Full story: here

Mini-hacker time-travels

A 10-year-old girl who attended the inaugural DefCon Kids conference within the DefCon show this year nearly stole the show with her hack. "CyFi" said she was getting bored with her favorite mobile gaming app, so she came up with a neat trick: switching the time on her device to make it more challenging. What she didn't realize at first was that she had actually discovered a whole new class of zero-day bugs across multiple tablet and smartphone operating systems. "I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said. It wasn't until her mom caught wind that CyFi had found a way to game her game that things got real. Her mom, a seasoned DefCon attendee, knew this was more than just a clever child's trick: CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom said.
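The class of bug here is an app deciding a trial, cooldown or wait timer from the device's own wall clock, which the user can set to anything. The Go code below is an added example, not from the original post or from any of the apps CyFi tested: a constructed 24-hour trial is checked once the vulnerable way, straight from the device clock, and once in a hardened form that prefers a server-supplied timestamp and, when offline, refuses to accept a clock that has moved behind the latest time the app has already seen. TrialState, trialLength, VulnerableTrialActive and HardenedTrialActive are all names assumed for this example.

```go
package main

import (
	"errors"
	"time"
)

// ErrClockRollback is returned when the device clock reads earlier than a time the app has
// already observed, which is the signature of leaving the app and winding the date back.
var ErrClockRollback = errors.New("device clock moved backwards")

const trialLength = 24 * time.Hour // constructed trial period for the example

// TrialState is what the app persists between launches (constructed for this example).
type TrialState struct {
	StartedAt time.Time // when the trial began, recorded at first launch
	LastSeen  time.Time // the latest trustworthy time the app has observed since
}

// VulnerableTrialActive trusts the device clock outright, so leaving the app, changing the
// date and coming back moves the trial wherever the user likes, forwards or backwards.
func VulnerableTrialActive(st TrialState, deviceNow time.Time) bool {
	return deviceNow.Sub(st.StartedAt) < trialLength
}

// HardenedTrialActive anchors the decision on a server-supplied time when one is available.
// Offline, the device clock is accepted only if it has not fallen behind what was last seen;
// a rollback keeps the entitlement closed until the server can be asked again.
func HardenedTrialActive(st *TrialState, deviceNow time.Time, serverNow *time.Time) (bool, error) {
	now := deviceNow
	if serverNow != nil {
		now = *serverNow // the server's clock is outside the user's control
	} else if now.Before(st.LastSeen) {
		return false, ErrClockRollback
	}
	if now.After(st.LastSeen) {
		st.LastSeen = now // monotonic high-water mark, persisted with the rest of the state
	}
	return now.Sub(st.StartedAt) < trialLength, nil
}
```

The high-water mark only catches clocks set backwards; a clock set forwards while offline is accepted here and simply shortens the trial, which costs the user rather than the app. Anything with real value attached (a purchase, a cooldown that gates paid content) should not be decided offline at all, and the server time should arrive signed or over TLS so it cannot be replayed or edited in transit.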

Full story: here
