Ramblings of this guy you know!

Tech Stuff and random observations on life as I see it….

Category Archives: Security

Suspected Lulzsec spokesperson, charged

Last week, as part of a pre-planned operation, an 18-year-old male from Shetland was arrested. Jake Davis was accused of being ‘Topiary’, the spokesperson for Anonymous and LulzSec, and was transferred to London for questioning. Most recently Topiary was thought to be the person behind the LulzSec Twitter account, which now shows only one tweet: “You cannot arrest an idea”.

Shortly afterwards a group calling itself the Web Ninjas announced that Topiary was not a teenager from Scotland but a 23-year-old Swedish man. This was widely taken to be misinformation spread by the hacktivist groups themselves, and Jake was due to appear in court on Monday.

Oddly enough, the evidence said to incriminate Jake is the 750,000 user IDs found on his PC, along with drafts of the fake Murdoch death tweets. After all the sites Anonymous and LulzSec have hacked, wouldn’t you expect a member of the group to keep incriminating data off his own machine?

The court released him on bail. He has been ordered to live with his mother and is banned from accessing the Internet. He faces a curfew from 10pm until 7am each night, and he must wear a monitoring device to verify his compliance. His next court date is set for August 30.


Mobile phones – the next malware focus point?

If you use your mobile to manage your finances then you may be putting yourself at risk, according to recent reports from security experts. The desktop PC has been malware’s target of choice, but today’s smartphones are more powerful than ever and are practically mobile computers in their own right. As we carry so much information on these devices and do more with them, it was only a matter of time before they were exploited too.

A recent example is the mobile version of Zeus, nicknamed ‘Zitmo’ (Zeus in the mobile). Zeus on the PC has plagued Windows users for the past four years and has now surfaced on Android. Zitmo works in a new way: the desktop component is installed as ordinary PC malware and lies dormant until it recognises that a banking session is in progress. It then injects a message into the session telling the user that, as part of new security procedures, verification is required via their mobile phone, and points them at an app to download. That download is simply malware that takes control of the phone; in particular it intercepts the SMS one-time codes (mTANs) the bank sends, so the attacker can complete transactions the bank believes the customer has authorised.

Zeus is just one example of phone malware, and Trojans can get onto a phone in a myriad of ways: clicking a link or opening an attachment that installs something which takes control of the device, for instance. Connecting to public Wi-Fi hotspots can leave a phone open to attack too.

“The mobile phone industry is not fit for purpose, especially for financial transactions,” says Alex Fidgen of MWR InfoSecurity, one of the biggest cybercrime-busting outfits in The UK. “The evidence is irrefutable. You cannot be assured of security with modern smartphones. As soon as the handset is compromised, then any data is up for grabs.”

Android is seen as the most vulnerable of the mobile environments, because of the number of OS versions in circulation across handsets (many of which are slow to receive updates) and because there is no vetting of applications submitted to the marketplace, so distributing malware through it is quite trivial. Apple exercises much tighter control over app distribution, and iOS sandboxes applications as well; jailbreak the device, though, and those protections are gone and the chance of malware rises. RIM’s BlackBerry platform is generally regarded as the most secure of the three.

Recommendations from MWR on how to stay secure:

  • Don’t trust links or attachments from people you don’t know. If a person you do know has sent you a link or attachment, check with them that it is legitimate before opening it.
  • Don’t use public Wi-Fi, especially for financial transactions or other secure personal transactions.
  • Do apply any updates that are made available for your devices.
  • Do only install applications from reputable publishers.
  • Don’t “jailbreak” your iPhone.
  • Do set an unguessable PIN in case your phone is stolen.


The trouble with passwords…

… Is that there is never a happy medium. Either you have to enter a password of (at least) 32 characters containing multiple capital letters, numbers and symbols that you have no chance of remembering, or, if you do choose one that is memorable, chances are it’ll be cracked in five minutes. On top of that, many companies insist that passwords are changed regularly, which is just asking for the number on the end of ‘ilovecats1’ to be incremented at each change, or for the password to end up on a sticky note on the monitor.

It is estimated that one in four users in the UK use weak passwords, and that the same weak password is used for every service they sign up for. Well, let’s face it: it is either that or hitting the “forgotten password” link the next time you log in. Hotmail this week rolled out a feature to stop users from choosing very common passwords when signing up for an account or changing a password, and quite right too. Gone will be the classic ‘password’ or ‘123456’.

So, what’s the answer that lets people create secure passwords and still keep them memorable? Here are two suggestions that I use myself.

The first is called haystacking and involves taking a default, reusable stock phrase and then padding it with something unique but memorable for each site or service. The padding needs to be something you will also remember, for example:

Hotmail is 7 characters long so you type 1234567ilovecats7654321

No, that’s not what I actually do, and I’m not going to tell you that. Nor do I recommend padding with just numbers; it’s still too simple, because the padding is predictable. That said, the extra length does extend the time an attacker who doesn’t know the scheme would need to brute-force it.
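As an added illustration (this is not code from the post), the script below puts numbers on the two claims just made: it builds the padded password with the scheme above, works out how big the search is for an attacker who knows only the length and alphabet, and then how much of that disappears once the attacker knows the padding rule and only has to guess the stock phrase plus the count. The guess rate is a made-up figure standing in for a GPU cracking rig.

```python
import math

# Alphabet sizes an attacker must assume for each character class present.
LOWER, UPPER, DIGIT = 26, 26, 10
SYMBOL = 33  # printable ASCII punctuation plus space


def alphabet_size(password: str) -> int:
    """Smallest standard character set that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(not c.isalnum() for c in password):
        size += SYMBOL
    return size


def blind_search_bits(password: str) -> float:
    """log2 of the search space for an attacker who knows only the length
    and the alphabet, i.e. the figure haystacking is meant to inflate."""
    return len(password) * math.log2(alphabet_size(password))


def haystack(core: str, site: str) -> str:
    """The padding scheme from the post: 1..n before the stock phrase and
    n..1 after it, where n is the length of the site's name."""
    n = len(site)
    if not 1 <= n <= 9:
        raise ValueError("single-digit padding only works for names of 1-9 characters")
    rising = "".join(str(i) for i in range(1, n + 1))
    return rising + core + rising[::-1]


def scheme_aware_bits(core: str, max_n: int = 9) -> float:
    """Search space once the attacker knows the scheme: only the phrase and
    the padding length n remain unknown, so the padding adds log2(max_n)."""
    return math.log2(max_n) + blind_search_bits(core)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to run through the whole space at an assumed rate
    (1e10 guesses/s is an assumption, not a measured figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    weak = "ilovecats1"
    padded = haystack("ilovecats", "hotmail")  # 1234567ilovecats7654321
    rows = [
        ("plain", weak, blind_search_bits(weak)),
        ("padded, blind attacker", padded, blind_search_bits(padded)),
        ("padded, scheme known", padded, scheme_aware_bits("ilovecats")),
    ]
    for label, pw, bits in rows:
        print(f"{label:24s} {pw:26s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits):.3g} years")
```

The padded password looks like a 119-bit job to a blind attacker, but to one who knows the rule it is worth about 45 bits, less than the plain ‘ilovecats1’, because all the work is back on the stock phrase. Even the 42 bits credited to ‘ilovecats’ is generous: it is a dictionary phrase, so a wordlist attack finds it long before any exhaustive search would.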

The second suggestion is to use a password vault. You can use either locally installed software such as 1Password or an Internet service such as LastPass. With either, you only need to remember one master password; once it is entered, the vault autofills your login details on each site. The trade-off between them is obvious: with 1Password everything stays local, so unless your machine is compromised your other passwords are safe; with LastPass you can reach your vault from anywhere you have a network connection, but the encrypted vault lives on someone else’s servers. With both, if a weak master password is used then every login in the vault is compromised, whether the vault is local or on the Internet.

Google warning users of malware infection

Google has started to warn users that they are infected with malware. During routine maintenance at a data centre, engineers noticed a particular repeating pattern of traffic that warranted further investigation. According to the post on the Google blog, the traffic is generated by scareware (fake AV software) that funnels the victim’s search requests through a small number of intermediate proxy servers which promote fake security programs and other scams.

As a result of this activity Google is able to detect those users that are infected and will now post the following message at the top of the search results.

Along with the warning there is a link to the Google Help Center offering advice on how to get rid of the infection. The question is: with so many messages in page headers that we routinely ignore every day, will anyone take any notice of this one?

Anonymous Hackers in FBI Arrests

After months of AntiSec activity, barely tolerated by the authorities and courted by the media, the groups may well have stepped over the mark when the Fox News politics Twitter account was hijacked to announce the assassination of the US president. That raised the ire of the FBI, which has recently been trying to crack down on the groups’ activities.

Fox News reported first that suspected group members were arrested on Tuesday in Florida, New Jersey and California. The raid was described as a “major” operation with arrests made across the country. Fourteen arrests were originally reported, with two further arrests made on separate criminal complaints filed in Newark and Tampa.

Anonymous and LulzSec, which police believe are connected, issued a joint statement to the FBI on Thursday following the arrests of people suspected of involvement in the groups.

“We are not scared any more,” said the Anonymous statement. “Your threats to arrest us are meaningless to us as you cannot arrest an idea. Any attempt to do so will make your citizens more angry until they will roar in one gigantic choir. It is our mission to help these people and there is nothing — absolutely nothing — you can possibly do to make us stop.”

Despite some security experts questioning whether these arrests will have any lasting effect, law enforcement maintains that it is gathering a “treasure trove” of information that may lead to further arrests.

Unfortunately, these crimes are often thought of as mostly harmless by those taking part, and hiding behind anonymity makes them feel sure they won’t get caught. Many don’t realise the risk of prison time, and prosecutors are very likely to push for severe penalties. Those arrested, if convicted, could face up to 10 years in prison for gaining unauthorised access to a protected computer.

Recent Security attacks

July 12th – Booz Allen Hamilton
Anonymous obtained up to 90,000 email addresses and password hashes from the US military contractor Booz Allen Hamilton, and claimed to have more that they had not released. The information was pulled from an unprotected server.

Releasing the email addresses opens the company up to future malware and social-engineering attacks, and the password hashes will very likely be brute-forced offline: anyone who reused a cracked password elsewhere has handed over those accounts, and potentially their data, too.

July 14th 2011 – Pentagon hacked, 24,000 files stolen
Only reported now, the Pentagon was hacked in March this year by what were described as ‘foreign intruders’. In this attack 24,000 files were stolen in one of the biggest cyber-attacks ever on the US military, according to a Department of Defense official.

William Lynn, the deputy secretary of defense, acknowledged the brazen theft during a speech detailing a plan to strengthen the country’s cyber-security; what kind of files were stolen was not disclosed.

The future strategy is aimed less at simply reducing the chances of an attack and more at lessening the value of what could be taken:

“Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way. If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”

18th July 2011 – UK Lady Gaga site hacked.
Retrofuzz, the Manchester firm that designed the UK Gaga site, didn’t do a very good job of securing it: on 27th June hackers from the SwagSec group broke in and stole thousands of fans’ personal details, according to the Guardian. Universal Music told the paper that no financial details were taken and that all those affected had been contacted and advised to change their passwords.

July 19th 2011 – Sun website hacked.
LulzSec disbanded? Think again. The Sun newspaper, part of the News International group, was hacked by the AntiSec group, who tampered with the news website. Readers were redirected to a hoax story saying that Rupert Murdoch had been found dead in his garden: people trying to access thesun.co.uk were taken to new-times.co.uk and a story entitled “Media mogul’s body discovered”.

The group of hackers claimed responsibility via Twitter.

July 21st 2011 – Anonymous hacks NATO
Anonymous members claim to have hacked NATO servers and gained access to restricted documents. In a Twitter post on Thursday the group claimed to be holding approximately one gigabyte of NATO data.

“Yes, #NATO was breached. And we have lots of restricted material. With some simple injection. In the next days, wait for interesting data :),” the AnonymousIRC Twitter feed said. “We are sitting on about one Gigabyte of data from NATO now, most of which we cannot publish as it would be irresponsible. But Oh NATO….”

Later that same day NATO replied, downplaying the sensitivity of the information taken: RESTRICTED is the lowest of the five grades of information, and the scale runs up through CONFIDENTIAL to SECRET and then TOP SECRET. The really hot stuff is usually compartmentalised under a special codeword.

Bluetooth vulnerability fixed in latest Patch Tuesday update

Microsoft recently fixed an issue in the Bluetooth stack of Windows 7 and Windows Vista that an attacker could exploit, most likely to crash the target machine. Remote code execution is also possible, though harder to pull off. For once Windows XP users are safe, as the problem has only existed since the Bluetooth stack was rewritten for Vista.

In practice the attacker needs the target’s Bluetooth adapter address, which a PC in discoverable mode (not the default) broadcasts. An attacker within radio range who knows that address can then send a series of specially crafted Bluetooth packets to the target. If the exploit succeeds, the attacker could install programs; view, change or delete data; or create new accounts with full user rights, taking complete control of the system without any notification to the user.

There is also the chance that a laptop or desktop without built-in Bluetooth is exposed simply by plugging in a USB dongle, since Vista and Windows 7 come Bluetooth-ready and will initialise the stack automatically. If you don’t use Bluetooth and never intend to, the best defence is to disable the Bluetooth service entirely.

This vulnerability is of course now fixed, but the possibility of over-the-air drive-by attacks against a PC’s Bluetooth stack has now been demonstrated. Expect more similar exploits soon.

Global team to fight global cybercrime

Until now, the best treaty across Europe for jointly tackling cybercrime has been the Council of Europe Convention on Cybercrime, which the UK finally ratified earlier this year. In 2010, the Government said cybercrime and terrorism were among the key dangers to UK security, and earlier this year significant attacks on the likes of Lockheed Martin made governments sit up and take notice. Now, as of Tuesday, we have the International Cyber Security Protection Alliance (ICSPA), set up to fight cybercrime on a global scale.

David Cameron welcomed the alliance.

“Our government has already injected an additional £650m to help improve our national infrastructure and protect against cybercrime, but the very nature of this threat calls for more than a national response; it demands a truly global response and that is what the International Cyber Security Protection Alliance is all about,” he said.

Funding for the alliance is expected to come from the EU and a number of member governments, with later plans to apply for funding from the US, Canada and Australia.

Crime Prevention Minister James Brokenshire said that although the internet has brought great opportunities for individuals and businesses, it has also enabled criminals to operate “across national boundaries”.

“Cybercrime is a truly global problem and to tackle it we need strong partnership between countries and across private and public sectors,” he said.

Facebook gets video calling.. Half a week later, Spammers swoop in

A feature that had been rumoured for a while was released last week, ending the speculation about the ‘awesome new product’ event: Facebook now has video calling built in, powered by Skype. The event seemed to be announced right after Google+ launched, with many tech bloggers suggesting that Facebook was scared of the search company’s new social networking product and had pushed this forward to steal some of its thunder. Google+’s own video chat feature, ‘Hangouts’, is a group chat. Facebook’s video chat doesn’t support group calls yet, but when asked whether Facebook will roll out group video calling, Zuckerberg said not to rule anything out, adding that one-to-one calls make up the vast majority of video calling.

Now, whenever you browse to a friend’s profile, you’ll see a new ‘Call’ button nestled between ‘Message’ and ‘Poke’. Click it and the other user sees a popup asking whether they want to accept the call, and you’re connected. The first time you use the service you will need to install a small plugin that connects to Skype.

However, within days the spammers were at it already. This first one doesn’t do any real damage, but no doubt others will in the days and weeks to come.

This particular scam doesn’t use the actual Facebook video service at all; it relies on people’s unfamiliarity with the new feature. The legitimate way to set up Facebook Video Calling is to download a program from the official Facebook Video Calling page, after which the chat window asks you to configure a few Flash settings.

[Image caption: don’t accept if you see this page]

This one behaves as if Video Calling were just another app installed in the usual way. It asks for your personal information, the ability to post to your wall, to read your posts(?) and to do all of this at any time it likes. If you accept, it simply spams your friends and leads you to the ubiquitous surveys that generate referral fees for the criminals. So if you see a wall post referencing “Enable video calls.”, don’t click it! Send your friend a message telling them they have been tricked.

AntiSec Attacks – The gathering storm?

Since LulzSec downed tools, those in the security community have been waiting to see what the wider AntiSec movement would do, and now we have the first warning shots across our bows. The LulzSec group was highly active for 50 days, claiming that the period of activism was planned to wake up the AntiSec community.

Monday 4th July – Apple servers hacked.
The hacker group Anonymous claims to have hacked one of Apple’s servers and posted usernames and passwords on its Twitter account to prove it, together with a warning that Apple could be a target of one of its attacks.

“Not being so serious, but well (…) #Apple could be target, too. But don’t worry, we are busy elsewhere”, tweeted @AnonymousIRC

Along with the tweet was a link to a text file on Pastebin, reported to be from one of Apple’s servers, containing a list of usernames and passwords. The passwords are stored hashed rather than in the clear, so extracting anything from the dump takes work: an attacker can only guess candidate passwords offline and compare their hashes, which is exactly how anyone who used a weak password will be recovered. The server, used for managing surveys, has been taken offline since the attack.
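This is the offline attack that both this entry and the Booz Allen Hamilton entry above are worried about, so here it is worked through as an added example (not code from the post, and not real data): a constructed “email:hash” dump, a toy wordlist, and the mangling rules the password post describes (capitalise, append a digit). Unsalted SHA-1 is an assumption for the demo; neither post says what the breached servers actually stored. The salted variant is included to show what a per-account salt does and does not buy.

```python
import hashlib


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 hex digest (an assumed hash algorithm for the demo)."""
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed sample accounts. The plaintexts exist only to build the two
# dumps below; the cracker never reads them.
ACCOUNTS = {
    "alice@example.mil": "ilovecats1",
    "bob@example.mil": "Password2",
    "carol@example.mil": "7kQ!v9rLp#2zXw",
}
UNSALTED = [(email, sha1_hex(pw)) for email, pw in ACCOUNTS.items()]
SALTED = [(email, f"s{i}", sha1_hex(f"s{i}" + pw))
          for i, (email, pw) in enumerate(ACCOUNTS.items())]

# A tiny constructed wordlist; real cracking runs use millions of entries.
WORDLIST = ["password", "ilovecats", "letmein", "welcome"]


def candidates(word: str):
    """Mangling rules modelled on the habits in the password post: the
    bare word, an initial capital, and one appended digit (the
    'ilovecats1' -> 'ilovecats2' rotation that forced changes produce)."""
    for base in (word, word.capitalize()):
        yield base
        for digit in range(10):
            yield f"{base}{digit}"


def crack_unsalted(leaked, wordlist):
    """Each candidate is hashed once and looked up against every account
    at the same time. Returns ({email: password}, hashes_computed)."""
    by_hash = {h: email for email, h in leaked}
    found, work = {}, 0
    for word in wordlist:
        for cand in candidates(word):
            work += 1
            email = by_hash.get(sha1_hex(cand))
            if email is not None:
                found[email] = cand
    return found, work


def crack_salted(leaked, wordlist):
    """With a unique salt per account there is no shared lookup: every
    candidate must be re-hashed for every account. No early exit, so the
    work figure is directly comparable with crack_unsalted."""
    found, work = {}, 0
    for email, salt, h in leaked:
        for word in wordlist:
            for cand in candidates(word):
                work += 1
                if sha1_hex(salt + cand) == h:
                    found[email] = cand
    return found, work


if __name__ == "__main__":
    for name, fn, dump in [("unsalted", crack_unsalted, UNSALTED),
                           ("salted", crack_salted, SALTED)]:
        found, work = fn(dump, WORDLIST)
        print(f"{name}: {len(found)} of {len(dump)} recovered "
              f"with {work} hash computations: {found}")
```

The two weak passwords fall to 88 hash computations against the unsalted dump and 264 against the salted one; the random 14-character one is untouched either way. Salting only removes the attacker’s ability to amortise one guess across every account, it does not rescue a weak password, and a fast hash like SHA-1 keeps the cost of each guess negligible. What actually slows this down is a deliberately slow password hash plus a password that is not in any wordlist.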

At the same time as the Anonymous tweet, a lone hacker named Idahc posted a claim that he had found an SQL injection vulnerability in Apple’s servers, but did not release any data.

It may well be that the upcoming cloud storage services, iTunes in the Cloud and iCloud, are looking like rich pickings to the hacking groups.

Monday 4th July – Fox News politics Twitter account hacked.
On Monday, the Fox News politics Twitter account began posting suspicious messages, including tweets claiming that the US president had been fatally wounded in a shooting. A group calling itself the Scriptkiddies claimed responsibility. The group gained control of @foxnewspolitics and bragged about it on several Twitter accounts (since suspended).

“BREAKING NEWS: President @BarackObama assassinated, 2 gunshot wounds have proved too much. It’s a sad 4th for #america. #obamadead RIP

Fox News said that they were working with Twitter to address the situation “We will be requesting a detailed investigation from Twitter about how this occurred, and measures to prevent future unauthorized access into FoxNews.com accounts”, said Jeff Misenti, vice president and general manager of Fox News Digital.

The US Secret Service are also looking into the attack.

Tuesday 5th July – PayPal UK Twitter Account Hacked
Also reported on Tuesday was another hijack, this time of the Twitter account of PayPal UK. The account was used to post links to an anti-PayPal site, paypalsucks.com, which describes itself as “exposing the nightmare of doing business ‘the PayPal way’.”

“This account was hacked earlier. We have it in our control now. Your personal data is still 100% safe, hack occurred on Twitter not PayPal,” tweeted PayPal UK after regaining control of the account late Tuesday.

The tweets were later removed by PayPal UK.
