
Paranoia Made Me a Better Computer User, at Defcon – a reporter's perspective


Having awareness of fraud, scams, and mischief is generally enough to raise the bar of safety for all consumers of technology. Certainly there are attacks and actions that criminals can take against technology that an end consumer has little protection against, but this is the proverbial “higher hanging fruit”. These days all the hacks, breaches, and news headlines are basically the low hanging fruit: common errors, poor development practices, and misconfiguration. Imagine the effort criminals would need to succeed once the consumer is armed with that awareness.

Gizmodo has an entertaining and honest article (honest for all the feelings he shares, and if you have ever been in a hostile environment, you’ll be able to relate) about a reporter touring the best hacker convention in the world – DefCon.

He takes most things in stride until…

The hacked elevator bothered me quite a bit actually

Preparation had made the idea of having the phone and computer hacked not just reasonable, but expected … the concept of hacking a physical machine, like an elevator, was not. Hacked cars don’t provoke the same paranoia, though I bet that if you were in that car when it was electronically shut down … the trapped feeling of an elevator would translate to the car quite easily.

There is a good takeaway in the article and I wanted to highlight it below … check out the top “hacks” of this reporter to really understand the challenge of being in such environments:

the weird glitches that had defined my day at DEF CON — the fake wifi network, the iPhone error, the weird TV channels, the scary elevator, the garbled headphones — weren’t as bizarre and terrifying as they’d seemed.

In fact, on any other day and in any other place, I’d take the glitches in stride. I’ve joined fake wifi networks before. My iPhone does weird stuff pretty often. Hotel TV is weird in general. All elevators are scary. And Bluetooth sucks on most headphones.

A realization flooded over me in the hot Las Vegas night. Despite my mounting paranoia and in spite of my own faults, I probably hadn’t been hacked at all. If anything I was a little bit safer at DEF CON, because I was paying closer attention to my security. Much more so than in my daily life in New York City, I was aware that I could be hacked at any moment at DEF CON. At that moment I saw these wily hackers as optimists, knights in nerd armor who believe that we can be safer — if only we truly understand the dangers out there, inside our machines. They’re the ones paying attention when you’re not.

via Paranoia Made Me a Better Computer User, Gizmodo

Good luck out there!

James

U.S. Identifies Insider Trading Ring With Ukraine Hackers – Bloomberg Business

Good reporting on Bloomberg about a criminal enterprise that had hackers break into the news wire services and then share those details for trading ahead of their release. See the links below for the full details, but I want to highlight two areas of prevention that could/should have mitigated/prevented/discovered this attack:

  1. Mandatory system refreshes within the environment – It is very common these days for end-user and server support systems to be refreshed periodically (I see in some organizations end user systems are refreshed annually up to 3 years and server support systems refreshed as frequently as every 15 minutes up to a year). For the attackers to have remained so entrenched through such a cycle, there would have had to be other ‘tells’ that the environment was compromised.
  2. Vendor / Third party security requirements – If you are a business and rely upon a third party, you must establish and ensure sufficient security practices are in place. If you do business with Amazon Web Services you can dive into tremendous detail on what they are doing to protect you, and what is your duty. For providers, such as news wires, the same vigilance and attention is required. This is not simple, and it is work to get this level of detail. If you are trusting your sensitive information though – it must be worth it.

There are many other actions that could be taken and I’d love to grab a coffee with friends to discuss … but in the meantime, check out the highlighted quote below and article:

Ukraine hackers…allegedly infiltrated the computer servers of PRNewswire Association LLC, Marketwired and Business Wire, a unit of Warren Buffett’s Berkshire Hathaway Inc.

Over several years, they siphoned 150,000 press releases including corporate data on earnings that could be used to anticipate stock market moves and make profitable trades. The hackers passed the information to their associates in the U.S., who allegedly used it to buy and sell shares of dozens of companies, including Panera Bread Co., Boeing Co., Hewlett-Packard Co., Caterpillar Inc. and Oracle Corp., through their retail brokerage accounts.

via U.S. Identifies Insider Trading Ring With Ukraine Hackers – Bloomberg Business.

GPS implementation flaw allows hackers to “intercept, spoof, or jam”

Interesting article about how GPS has been applied as a communication mechanism beyond transport, to the monitoring / management of SCADA and of regions without internet connectivity. The researchers highlight that integrators have not deployed any kind of security that would prevent creative attackers from manipulating the data flows:

the Simplex data network that Globalstar uses for its satellites doesn’t encrypt communication between the tracking devices, orbiting satellites, and ground stations, nor does it require the communication be authenticated so that only legitimate data gets sent. As a result, someone can intercept the communication, spoof it or jam it.

“The integrity of the whole system is relying on a hacker not being able to clone or tamper with a device,” says Moore. “The way Globalstar engineered the platform leaves security up to the end integrator, and so far, no one has implemented security.”

via This security flaw allows hackers to “intercept, spoof, or jam” GPS tracking communication.

Given the number of unsecured communication platforms, from drones to IoT, this problem is probably easily repeated across a broad range of consumer and commercial situations.
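The quoted finding is that the one-way Simplex link neither encrypts nor authenticates frames, which leaves that job to the integrator. As an added illustration (not code from the article, the researchers, or Globalstar), this Python example shows integrator-level authentication for a one-way uplink: a per-device HMAC key plus a monotonic counter, because the receiver cannot send a challenge. The frame layout, tag length, and all names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag; length is an assumption for a small frame
HEADER = struct.Struct(">II")  # hypothetical layout: device id, message counter


def seal(key, device_id, counter, payload):
    """Device side: header + payload + truncated HMAC over both."""
    body = HEADER.pack(device_id, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class GroundStation:
    """Receiver side: per-device keys and the highest counter accepted so far."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}

    def accept(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack_from(body)
        key = self.keys.get(device_id)
        if key is None:
            return None  # unknown device id
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # spoofed or tampered frame
        # One-way link: no challenge is possible, so freshness comes from the counter.
        if counter <= self.last_counter.get(device_id, -1):
            return None  # replay of an intercepted frame
        self.last_counter[device_id] = counter
        return body[HEADER.size:]


def demo():
    key = bytes(range(32))  # constructed demo key; use a random per-device key in practice
    station = GroundStation({0x1001: key})
    good = seal(key, 0x1001, 1, b"lat=36.17,lon=-115.14")  # constructed sample payload
    forged = seal(b"\x00" * 32, 0x1001, 2, b"lat=0.0,lon=0.0")  # sender lacks the key
    tampered = good[:-TAG_LEN - 1] + b"9" + good[-TAG_LEN:]  # last payload byte altered
    return [station.accept(f) for f in (good, good, forged, tampered)]
```

This gives authenticity and replay rejection only; it does not hide the payload from interception, and it does nothing against jamming.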

Best,

James

Author of How Not To Be Hacked

Attribution & Intent challenges: Comparing Regin module 50251 and “Qwerty” keylogger

Kaspersky Lab (a pretty wicked good set of researchers) published an analysis of the Snowden-shared source code and found it identical in part to a piece of malware known as Regin. Regin has been in the digital space for nearly 10 years and has been attributed to a number of infected systems globally.

I would encourage everyone to read and understand the analysis as it is quite thorough and interesting .. go ahead, I’ll wait .. Comparing the Regin module 50251 and the “Qwerty” keylogger – Securelist.

While I cannot speak to the course and reason behind this tool, beyond the obvious conjectures, I would stress one critical point.  Attribution and intent.

Attribution is hard and of little value

As we find with other digital attacks, attribution is very difficult and I often tell clients to not focus on that as a basis for sanity and response. This is evident in the difficulty of attributing such attacks, and also in the problems that come from making such assertions incorrectly. For example, JP Morgan’s “Russian attack on the bank due to their activities” during the Ukraine incident was in fact a breach due to simple human error in configuring a server.

Intent

We as the observers do not know the intent of the operatives with the malware. In this case with the NSA we have identified malware in various locations, but as we all know … malware code spreads pretty freely without much direction. The likelihood that any one system was infected unintentionally, or without purpose on the operators’ part, is pretty high.

This comes to the forefront with our own internal analysis of attacks and breaches in our corporate environments. We must seek out all of the possible vectors, and not allow our bias or the evidence on hand to sway us incorrectly.

Spiegel.de article on Kaspersky report and other thoughts

Thoughts?

James

Sony PSN hack of 100M+ accts executed from Amazon EC2

The PlayStation breach for Sony has gotten reasonable publicity, but too little intelligence on the attack, methods, and results has been shared to enable others to learn and be more resilient. A nice article on The Register details information indicating that the attackers leveraged the power of Amazon EC2 to execute the attack as paid customers.

The article can be found here http://ow.ly/1sY8TW with links to the Bloomberg article here (http://www.bloomberg.com/news/2011-05-13/sony-network-said-to-have-been-invaded-by-hackers-using-amazon-com-server.html)

While leveraging these cloud services is not new, what is intriguing and worth deeper consideration is how much further we can extend the cloud beyond what companies and security researchers are already doing with it. Supercomputer processing, rapid instant access, and global accessibility, yet it is still being used uncreatively to host web sites and such?!? Using the example from the article, if one can spend less than a dollar to break good encryption, could we not also leverage that for rotating keys at a similar cost benefit model?

I digress. The consideration of clouds being weaponized harks back to the days of defense by blocking entire country IP address blocks. Perhaps naive in simplicity, but when customers become robots (like Amazon’s Mechanical Turk) then these cloud IP addresses need to be reconsidered. Looking forward to a greater discussion here…

Best,

James DeLuccia
