Category Archives: Hacks

DNI announces CTIIC leadership

Director of National Intelligence James Clapper has named a career FBI analyst and an Iraq War veteran to head up the cyber intelligence center that the White House ordered created after the massive hack of Sony Pictures Entertainment.

Tonya Ugoretz, the FBI’s former chief intelligence officer, will head the Cyber Threat Intelligence Integration Center. She has done stints at the CIA, Department of Homeland Security and National Intelligence Council, and is listed as an adjunct associate professor at Georgetown University.

Maurice Bland, who most recently was the National Security Agency’s associate deputy director for cyber, will serve as Ugoretz’s deputy. Bland has done two combat tours in Iraq and Afghanistan, according to his official biography.

Ugoretz and Bland could be talking face-to-face with President Obama following the next large-scale hack of U.S. assets.

Clapper also tapped Thomas Donahue, a nearly three-decade veteran of the CIA with a PhD in electrical engineering, as CTIIC’s research director. The center will “build understanding of cyber threats to inform government-wide decision-making,” Clapper said in a statement.

The White House announced the creation of CTIIC last February. It is based at the Office of the Director of National Intelligence, and is modeled after the National Counterterrorism Center in an effort to “connect the dots” on cyber threats. Michael Daniel and Lisa Monaco, respectively the top White House advisers on cybersecurity and counterterrorism, have been the driving forces behind CTIIC, according to an administration official involved in the agency’s standup.

CTIIC is meant to fill a void in the bureaucratic chain of command wherein Obama had no one entity to turn to for an all-source briefing on foreign cyber threats. That void became abundantly clear to White House officials after the digital destruction of Sony Pictures’ IT systems in November 2014.

The agency got off to a rocky start. House lawmakers were irked that they didn’t get a heads-up on its creation, and DHS officials were worried that the new agency might encroach on their own work.

But several months later, agency turf battles that appeared ready to unfold have been quieted, and there is agreement on Capitol Hill on the need for CTIIC, according to the administration official. The omnibus package funding the government this fiscal year includes money for CTIIC; the exact amount of funding is classified.

“CTIIC is vital because the foreign cyber threats we face as a nation are increasing in volume and sophistication,” DHS Deputy Secretary Alejandro Mayorkas said in a statement. “The CTIIC will help DHS better understand various cyber threats and provide targeted intelligence community support” to the department’s own cyber threat center.

Bland’s battlefield experience could come in handy, as there is increasingly a cyber dimension to kinetic war. A key to the “surge” of U.S. troops in Iraq in 2007 was an accompanying surge in cyber weapons that the NSA unleashed, as journalist Shane Harris reported in his book “@War.”

Bland’s LinkedIn profile touts his experience “leading numerous efforts regarding the organization of cyber units, policy, and authorities related to cyber operations.”

IRS Confirms It Was a Victim of an Automated Attack


The attack, which occurred in January, targeted the electronic filing PIN application form on the IRS.gov Website. Experts said there are lessons to be learned.

The U.S. Internal Revenue Service (IRS) is gearing up for another busy tax season, and it appears that hackers are getting ready, too. On Feb. 9, the IRS confirmed that it was the victim of an automated attack in January that targeted the electronic filing PIN application form on the IRS.gov Website.

According to the IRS, attackers made use of personal information, including Social Security numbers, that was stolen from other non-IRS Websites. The attackers then used that information in an attempt to generate fraudulent E-File PINs on IRS.gov. With a PIN, an attacker could potentially have filed a tax return or gained access to other taxpayer information.

The IRS investigation has found that 464,000 unique Social Security numbers (SSNs) were used in the attack, and that 101,000 of them were used successfully to obtain an E-File PIN. The IRS is emphasizing that it has halted the attack and is contacting those who are affected.

“No personal taxpayer data was compromised or disclosed by IRS systems,” the agency stated. “The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application.”

In May 2015, the IRS reported that its Get Transcript service was attacked. Get Transcript enables users to get information about their tax account transactions. As is the case with the new attack against the E-File PIN, the Get Transcript service attack involved user information that was stolen from third-party sites. The success rate for the Get Transcript attackers, however, was higher than for the E-File PIN attackers: 100,000 out of 200,000 Get Transcript attempts were successful.

Security experts contacted by eWEEK are not surprised that the IRS is once again reporting an attack against its systems. The fact that the IRS.gov site was attacked with SSNs stolen from other third-party sites is, however, somewhat ironic.

“One of the most successful ways hackers steal citizens’ Social Security numbers is through fraudulent phishing emails or phone calls that appear to be from the IRS,” Darren Guccione, CEO and co-founder of Keeper Security, told eWEEK.

Hackers know the public is terrified of being identity-theft victims and exploit this fear well, often by telling someone they’ve been a victim already and asking for their Social Security number, Guccione noted.

Lance James, chief scientist at Flashpoint, commented that one of the big concerns he sees with the latest IRS attack is the continued reliance on Social Security numbers. “We need to rethink what a Social Security number means these days when it comes to accessing data,” James told eWEEK. “It should not be the administrator password for a person’s life.”

Andy Hayter, security evangelist at G DATA Software, also commented on the risks associated with SSN disclosure. Every bit of an individual’s personally identifiable information that is collected via a breach is one more piece of information that can, and someday will, be used against a person, he said.
“As long as information such as Social Security numbers is used as identification, we will have bad actors trying to collect as much information about individuals to do harm, either through theft or worse,” Hayter told eWEEK.

Inga Goddijn, executive vice president at Risk Based Security, noted that taxpayers should be concerned that questionable security practices at organizations completely unrelated to the IRS have the potential of affecting their tax returns.

Though the IRS has stated that no personal taxpayer data was compromised or disclosed in the new attack, JP Bourget, CEO of Syncurity, noted that there is still a real risk.

“While maybe the IRS can in the end prevent any bad outcomes for taxpayers, I can imagine a few scenarios where a bad guy attempts to file a tax return for a refund that then holds up a valid refund to someone who is owed a refund, and even depending on that refund,” Bourget told eWEEK. “There’s also the angle of now your account is flagged and the uncertainty of how that affects a taxpayer over time and what hidden costs may arise from that.”

One potentially positive outcome that could result from the IRS attack is that lessons learned could help prevent the next attack. Goddijn said that it would be helpful if the IRS can share more detail as to how the agency detected the attack and ideas for preventing these types of enumeration attacks in the future. She added that the U.S. government has been pushing for more threat intelligence sharing and improved security practices for all organizations.

“Why not take this opportunity to lead the charge and share more about the attack with the security community,” Goddijn said. “That may help stop the next, similar assault on a high-value target.”
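The IRS attack described above was an automated enumeration: identities stolen elsewhere were replayed against a PIN-issuing form, and roughly one attempt in five succeeded. The following is an added example, not code from the IRS or from eWEEK, of the kind of detection Goddijn asks for: it reads constructed web-access log lines and flags any client that tries more distinct identities against the PIN endpoint than a household plausibly would within a short window. The log format, the endpoint name `/efile-pin`, and the thresholds are all assumptions made for this example.

```python
"""Flag PIN-enumeration traffic in (constructed) web access logs.

Modelled on the E-File PIN incident: valid identities stolen from third
parties are replayed against a PIN form, so a per-identity lockout never
triggers. The signal is instead the number of *distinct* identities one
client tries in a short window. Log layout, endpoint and thresholds are
assumptions for this example, not the IRS's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines. The identity field is assumed to hold a hash of
# the SSN so the log itself never carries raw identifiers.
SAMPLE_LOG = """\
2016-01-14T09:00:01 203.0.113.7 /efile-pin id=h01 result=fail
2016-01-14T09:00:02 203.0.113.7 /efile-pin id=h02 result=ok
2016-01-14T09:00:03 203.0.113.7 /efile-pin id=h03 result=fail
2016-01-14T09:00:04 203.0.113.7 /efile-pin id=h04 result=fail
2016-01-14T09:00:05 203.0.113.7 /efile-pin id=h05 result=ok
2016-01-14T09:00:06 203.0.113.7 /efile-pin id=h06 result=fail
2016-01-14T09:00:07 203.0.113.7 /status id=h07 result=ok
2016-01-14T09:01:10 198.51.100.4 /efile-pin id=h10 result=fail
2016-01-14T09:01:40 198.51.100.4 /efile-pin id=h10 result=ok
2016-01-14T09:02:05 198.51.100.4 /efile-pin id=h11 result=ok
2016-01-14T09:05:00 192.0.2.9 /efile-pin id=h20 result=ok
2016-01-14T09:30:00 192.0.2.9 /efile-pin id=h21 result=ok
2016-01-14T09:55:00 192.0.2.9 /efile-pin id=h22 result=ok
2016-01-14T10:20:00 192.0.2.9 /efile-pin id=h23 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<path>\S+) id=(?P<ident>\S+) result=(?P<result>\S+)$"
)
PIN_PATH = "/efile-pin"          # assumed name of the PIN application endpoint
WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_IDENTITIES = 3               # assumed: a household rarely needs more PINs than this


def parse_log(text):
    """Return sorted (timestamp, client, identity, success) tuples for PIN requests only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("path") != PIN_PATH:
            continue
        events.append((datetime.fromisoformat(m.group("ts")), m.group("client"),
                       m.group("ident"), m.group("result") == "ok"))
    return sorted(events)


def find_enumeration(events, window=WINDOW, max_identities=MAX_IDENTITIES):
    """Return {client: (distinct_identities, successes)} for every client that
    tried more than max_identities distinct identities inside one window.
    Retrying the same identity does not count; a slow trickle that never
    exceeds the threshold within a window is not flagged either."""
    by_client = defaultdict(list)
    for ts, client, ident, ok in events:
        by_client[client].append((ts, ident, ok))

    alerts = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window start
                start += 1
            in_window = evs[start:end + 1]
            distinct = {e[1] for e in in_window}
            if len(distinct) > max_identities:
                successes = sum(1 for e in in_window if e[2])
                if client not in alerts or len(distinct) > alerts[client][0]:
                    alerts[client] = (len(distinct), successes)
    return alerts


if __name__ == "__main__":
    for client, (n, ok) in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {n} distinct identities, {ok} PINs issued")
```

Keying only on the source address is a starting point; an operator would also want to key on session, device fingerprint or ASN, since an automated campaign at the scale reported here will rotate addresses.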

Hiding in Plain Sight – Obfuscation Techniques in Phishing Attacks

Unfortunately for the organizations and individuals they target, it’s no longer necessary for cybercriminals to code up their own sophisticated attacks. Phishing and spam kits, for example, are complete, off-the-shelf tools that even inexperienced cybercriminals can use to deploy fake websites and spam massive user lists to lure them to these sites. And these sites and lures are effective, especially when they resemble legitimate websites like Dropbox or Google.

These sites aren’t just effective, though. They are also increasingly difficult to detect, making use of advanced obfuscation techniques to hide their real purpose. Phishing kits use a variety of encoding and JavaScript to prevent both users and security vendors from determining that the landing pages are anything other than harmless text or benign functions for rendering HTML.

Proofpoint researchers analyzed seven different obfuscation techniques on phishing landing pages, ranging from a base64 refresh to multibyte xor encoding. The complete analysis can be found here with deep dives into the code behind these techniques that are appearing in modern phishing kits.

For individuals and organizations, dealing with this level of sophistication requires a multifaceted approach. Not only should both endpoints and networks be protected against phishing email lures and potentially malicious web pages, but users need to be savvy about the warning signs of a phishing attack. Strange URLs and sites asking for personal information unexpectedly are both red flags, but comprehensive user education remains critical to protecting networks and users alike.

Skimmers Hijack ATM Network Cables


Two network cable card skimming devices, as found attached to the ATM.

If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.

In an alert sent to customers Feb. 8, NCR said it received reliable reports of NCR and Diebold ATMs being attacked through the use of external skimming devices that hijack the cash machine’s phone or Internet jack.

“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” NCR warned. “A keyboard overlay was used to attack an NCR ATM; a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”

The ATM maker believes these attacks represent a continuation of the trend where criminals are finding alternative methods to skim magnetic stripe cards. Such alternative methods avoid placing the skimmer on the ATM card entry bezel, which is where most anti-skimming technology is located.

NCR said cash machine operators must consider all points where card data may be accessible — in addition to the traditional point of vulnerability at the card entry bezel — and that having ATM network communications cables and connections exposed in publicly accessible locations only invites trouble.


A closer look at the two network cable card skimming devices that were attached to the stand-alone ATM pictured at the top of this story.

If something doesn’t look right about an ATM, don’t use it and move on to the next one. It’s not worth the hassle and risk associated with having your checking account emptied of cash. Also, it’s best to favor ATMs that are installed inside of a building or wall as opposed to free-standing machines, which may be more vulnerable to tampering.

New Report Says Connected Automobiles are Ripe for Cyber-Attack

Imagine you’re tooling down the freeway in your fancy new car when suddenly it’s being commandeered by hackers, who demand ransom or they will steer you into oncoming traffic. If you try to pull over, you can’t; the steering wheel is no longer under your control. You slam on the brakes, but get no response. This may sound like a script for some futuristic doomsday movie, but it’s more real than anyone would like to imagine. This scenario was actually played out by researchers Charlie Miller and Chris Valasek, who in 2014 hacked a vehicle and took over its operation.

Now an even more ominous threat reveals itself, in a new 60-page automotive report, Cyber Security in the Connected Vehicle. The report is covered in a recent Network World article that says the detailed study of car cybersecurity delves into all aspects of IoT (Internet of things) vehicle vulnerability including types of exploits, various attack surfaces, hacker heat maps and more. According to the article, experts predict that by 2020, 75% of all cars shipped globally will be “connected cars”, meaning they will be vulnerable to a cyber-attack.

Perhaps the most revealing part of this report is that the threat goes beyond taking over some operations in your car; what hackers are really after is your data. Believe it or not, your personal data may be accessed by hacking into your automobile, and one of the main attack surfaces will be your Bluetooth. As the report says, “Services that involve financial transactions will be a prime target, and here the supporting infrastructure is at least as much an attack point as the in-vehicle parts.” Bluetooth is one of the infrastructures they’re talking about, and according to researcher Keijo Haataja, attackers can use powerful directional antennas that increase a cyber criminal’s ability to scan and eavesdrop on Bluetooth conversations.

Miller and Valasek have also named Bluetooth as one of the biggest and most viable attack surfaces in today’s automobiles, citing the complexity of the protocol it uses. This is not news because as early as 2002, SANS was warning of inherent security issues with Bluetooth. Now that this technology is integrated with your car, your phone, your tablet and countless other devices – even hearing aids – the opportunities for hackers seem endless.

The IoT and the trend toward connecting all of us with our devices and each other does not look to be waning. And with connectedness comes the inevitable upsurge in data movement, increasing the potential for a data breach. The conveniences these developments bring sometimes make us forget their vulnerabilities. That’s why choosing security that provides visibility across all Web traffic and continuous monitoring is critical. Monitoring data movement with the ability to analyze and interrupt suspicious transfers are critical capabilities that should be part of every organization’s security strategy.



T9000 malware records Skype calls, screenshots and text messages to steal data

Sophisticated Trojan goes to ‘great lengths’ to avoid detection by security products, warn Palo Alto researchers

A new strain of sophisticated malware which can take recordings and screenshots of Skype activity – all while avoiding detection by security software – has been discovered.

The Trojan has been dubbed T9000 and researchers at security company Palo Alto Networks have warned that it goes to great lengths to avoid being detected.

T9000 represents a new variant of the T5000 malware family and poses something of an unusual threat in that it works to identify a total of 24 potential security products running on a system and then alters its installation procedure in order to avoid the relevant cyber defences.

The malware is capable of avoiding detection by a number of high profile – and commonly used – security tools, the researchers said.

Once T9000 has infected a system, its main goal is to collect information about the targeted victim, which it does by compromising Skype video calling software. After the malware has hooked into Skype, it records video calls, audio calls, and chat messages, then stores them in a directory specially created by the Trojan called “Intel”, which the attackers can mine for data.

A system gets infected with T9000 when the user inadvertently opens an RTF file compromised with exploits for both the CVE-2012-1856 and CVE-2015-1641 vulnerabilities. The malware can then be used to “automatically capture data about the infected system and steal files of specific types stored on removable media,” wrote Palo Alto researchers Josh Grunzweig and Jen Miller-Osborn.

In being able to record the actions taken by victims, attackers could potentially gain access to and steal documents, files, usernames and passwords.

To ensure they’re not infected by the T9000 Trojan, Skype users have been warned to be wary of a request by ‘explorer.exe’ to use Skype, as that’s what allows the malware to record and store video, audio and text files.

According to the warning by researchers, T9000 has been used in a number of targeted attacks against organisations in the US, although the malware naturally has the potential to infect a network anywhere in the world.

Palo Alto says it’s released the information on T9000 in an effort to prevent others being compromised by the sophisticated malware.

“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community. We hope that sharing the details of how this tool works as well as the indicators in the section below will help others defend themselves against attacks using this tool.”

The warning doesn’t speculate as to who’s behind the T9000 Trojan, but instances of T5000 malware detected in 2014 – which duped users into opening emails claiming to contain information about the high-profile disappearance of Malaysian Airlines Flight MH370 – were linked to a cyber espionage group suspected to have Chinese government backing.

There’s a lot of debate about how much data breaches and hacks cost companies – except when there’s not, as with the hack of UK firm TalkTalk, which put the cost at around $88 million.


One of the big questions that bedevil corporate executives is how much a cyber “incident” might cost the company. Indeed, the “cost of breach”, as it is often termed, is the subject of determined study by folks like The Ponemon Institute (and sponsors like IBM), as well as Verizon, consultancies like Kroll, and so on.

The question isn’t academic. Knowing how much a cyber incident will cost your company helps executives, board members and staff “price” risk and justify expenditures on security software and services.

But the surprisingly simple question of how much malicious cyber activity costs belies a surprisingly complex puzzle. Incidents like a denial of service attack might be easy to price: just figure out how much money you make from being online (if you’re an online retailer like Amazon.com, that’s a big number), then figure out how long the DDoS attack took you offline, add in the cost to get back online, investigate the incident and remediate, and you have it.

With other kinds of attacks – like data theft – the question is a lot more difficult to answer. Few public firms disclose “material” cyber incidents that affect them, even though the law in the U.S. would seem to mandate it. Some of the biggest cost drivers of breaches – like credit monitoring for affected customers and employees – end up costing much less than you would think. And, while corporate boards may be bracing for more cyber regulations that impose costs on breaches and data theft, there’s been little progress on that, at least at the federal level, nor is there likely to be any in an election year.

But there’s no doubt that hacks and other incidents do cost companies considerably and, every so often, the curtains part to give us a glimpse of how significant those costs are. That’s what happened this week in the case of UK telecommunications firm TalkTalk.

As you may recall, TalkTalk was the victim of a cyber attack in the final months of 2014 that resulted in the theft of personal data on 150,000 customers, including names, addresses, phone numbers and TalkTalk account numbers. At the time, the company said that some of that data was used in follow-on attacks aimed at extracting bank account and credit card information from victims.

Subsequent reporting suggested that the company was the victim of a distributed denial-of-service (DDoS) attack coupled with a SQL injection attack against application servers containing customer data.

According to a report on Tuesday, however, we now know how much all that malicious activity cost the company: $88 million at current exchange rates.

Where did that figure come from? TalkTalk said that most of the costs were only indirectly linked to the breach. For example, the company lost 101,000 customers in the months following the breach, 95,000 of which it estimates were because of the hack.

It should be noted that those costs are much higher than the $35 million price tag that TalkTalk initially put on the incident, which considered the cost of recovery and additional customer support.

Is this important? It should be: firm data on the cost of hacks is notoriously hard to come by and, absent strong federal legislation in the U.S., many firms that are the victim of cyber incidents find ways to sweep the details of the incident under the rug. It’s also worth noting that the TalkTalk revelation underscores the cost to businesses of cyber incidents that have little to do with recovery from the incident itself: loss of customers, reputation damage, fines and other penalties all add to the (hidden) cost of incidents. In cases where attackers make off with intellectual property or other sensitive data, we can expect the costs to mount even more.


Hacker Plans to Dump Alleged Details of 20,000 FBI, 9,000 DHS Employees


A hacker, who wishes to remain anonymous, plans to dump the apparent names, job titles, email addresses and phone numbers of over 20,000 supposed Federal Bureau of Investigation (FBI) employees, as well as over 9,000 alleged Department of Homeland Security (DHS) employees, Motherboard has learned.

The hacker also claims to have downloaded hundreds of gigabytes of data from a Department of Justice (DOJ) computer, although that data has not been published.

On Sunday, Motherboard obtained the supposedly soon-to-be-leaked data and called a large selection of random numbers in both the DHS and FBI databases. Many of the calls went through to their respective voicemail boxes, and the names for their supposed owners matched with those in the database. At one point, Motherboard reached the operations center of the FBI, according to the person on the other end.

One alleged FBI intelligence analyst did pick up the phone, and identified herself as the same name as listed in the database. A DHS employee did the same, but did not feel comfortable confirming his job title, he said.

A small number of the phones listed for specific agents or employees, however, went through to generic operator desks in various departments. One FBI number that Motherboard dialled did go through to a voicemail box, but the recorded message seemed to indicate it was owned by somebody else. This also applied to two of the DHS numbers.

After several calls, Motherboard was passed through to the State and Local desk at the National Operations Centre, part of the DHS. That department told Motherboard that this was the first they had heard about the supposed data breach.

The job titles included in the data cover all sorts of different departments: contractors, biologists, special agents, task force officers, technicians, intelligence analysts, language specialists, and much more.

The data was obtained, the hacker told Motherboard, by first compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place. (On Monday, the hacker used the DoJ email account to contact this reporter).


From there, he tried logging into a DoJ web portal, but when that didn’t work, he phoned up the relevant department.

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”

The hacker says he then logged in, clicked on a link to a personal computer which took him to an online virtual machine, and entered in the credentials of the already hacked email account. After this, the hacker was presented with the option of three different computers to access, he claimed, and one was the work machine of the person behind the originally hacked email account.

“I clicked on it and I had full access to the computer,” the hacker said. Here the hacker could access the user’s documents, as well as other documents on the local network.

The databases of supposed government workers were on a DoJ intranet, the hacker claimed. It is not fully clear when the hacker intends to dump the databases.

The hacker also said that he downloaded around 200GB of files, out of 1TB that he had access to.

“I HAD access to it, I couldn’t take all of the 1TB,” he said. He claimed that some of the files’ contents included military emails, and credit card numbers. This supposed data was not provided to Motherboard.

This is just the latest in a series of hacks targeting US government employees. Back in October, hackers claiming a pro-Palestine political stance broke into the email account of CIA Director John Brennan. This was followed by a prank, in which calls to the Director of National Intelligence James Clapper would be forwarded to the Free Palestine Movement.

The Department of Justice did not respond to Motherboard’s request for comment, and the FBI was not reachable. Motherboard provided a copy of the apparent DHS data to the National Infrastructure Coordinating Center (NICC), which is part of the DHS, but it declined to comment. A DHS public affairs officer did not immediately respond to Motherboard’s request for comment.

Update 8 February 2016: After the publication of this article, a Twitter account with a pro-Palestinian message published the apparent details of the 9,000 DHS employees. The account also tweeted a screenshot supposedly from the Department of Justice computers that the hacker claimed to have accessed. The list was posted to “cryptobin.org” last night, 02-07-2016.