Month: November 2013

As the flagship effort of President Obama’s terms in office, and a massive new repository of personal financial and medical information, Healthcare.gov was already a huge cyber attack target before the site even went live. The technical difficulties many users have experienced have been mostly due to inadequate testing during the site’s development, however, there are signs of very severe cyber attacks on the horizon.

A recent House hearing on security vulnerabilities on the website ended with the panel of experts; including Morgan Wright, CEO of Crowd Sourced Investigations; Fred Chang of Southern Methodist University; Avi Rubin of John’s Hopkins University; and David Kennedy, CEO of TrustedSEC, all declaring it was unsafe for Americans to trust their personal data to the website in its current form, and three of the four saying that the website should be pulled immediately and the implementation of the healthcare program delayed in order to address the website security issues.

Recently an implementation problem in the site’s search bar autocomplete function was revealing the ongoing “fuzzing” attacks being made on the site’s forms and databases.  A “fuzzing” attack is part of a technique called SQL injection, wherein an attacker uses the outward facing elements of a website, such as forms that feed into the site’s databases, to input commands to the database, potentially revealing or deleting confidential data. The autocomplete issue has been solved, however the attacks are certainly ongoing, with an unknown level of success.

The bottom line of this entire incipient misadventure is that website initiatives, especially ones that are juicy targets for political and personal data reasons, must be designed with security in mind first and foremost, and extensive security testing must be employed before the sites and their vulnerabilities are released on an unsuspecting public.

Dan Gifford – MCySec Media Manager

The Federation of American Scientists has published a paper detailing threats to the global oil supply chain. Rounding out a list of major regional and geopolitical threats to the global oil infrastructure, the risks of SCADA and other attacks on pipelines, tanker ships, and refineries does seem substantial. The author is a little off base in suggesting that STUXNET type weapons could be used to attack oil systems- the sophistication of oil systems is much less than that seen in the Iranian nuclear enrichment program, and as such a STUXNET level weapon would probably be overkill. Even still, Despite significant vulnerabilities of the often unprotected systems to the internet and other venues of attack, major SCADA attacks have not yet become prevalent. The author is also somewhat mistaken in assessing that groups such as the Syrian Electronic Army could have the capabilities to conduct major SCADA infrastructure attacks. SEA capabilities are simply not on that level, and they have concentrated primarily on hacking email accounts by abusing password resets and other social engineering methods, rather than the technical expertise that would be necessary to deploy custom attack tools on SCADA. These technical quibbles aside, the author is entirely correct in his assessment that the complexity of the logistics operations involved in global oil systems provides a major avenue of attack, and I must agree that these sorts of attacks are waiting over the horizon.

Dan Gifford – MCySec Media Manager

The breaches in Adobe’s databases, which were exposed by Hold Security and publicized by security journalist Brian Krebs have continued to have significant impacts beyond the company itself. In addition to the public release of extensive amounts of source code for flagship Adobe products such as CloudFlare, the usernames, passwords and password hints of upwards of 150 million users were exposed. This exposure is especially problematic because instead of using a one way hash with individual salts (which is the industry standard method of securing password data within a database), Adobe encrypted the entire password database with Triple DES, and did the entire database with the same key. What this means is that anyone can assemble this database for themselves, and sort by the encrypted password to find groups of users that used the same password, then use the groups of associated password hints to crack the passwords of entire groups of users.

Eventually, once enough of the plaintext password data is known, it may be possible to mount a “known plaintext attack” and recover the Triple-DES key, exposing the rest of the passwords. It is also possible that the original hackers who scooped the database were able to obtain the key, given that they successfully overcame many other security features within Adobe’s network. This would potentially release an unprecedented number of currently used passwords into the public domain, but even if the key is not recovered cryptoanalytically, the addition of password hint data to the database has potentially exposed millions of users to having their passwords found out. In addition to this, the release of so many organically created passwords into the public sphere means that password crackers suddenly have much more information for their attack dictionaries, further improving their position vis-a-vis login security.

Of course, after the breach Adobe required all users of their site and services to change their passwords. However, since so many people reuse password and login credentials across multiple sites, Adobe is not the only provider that has had to deal with the results of their truly epic blunder. Already Facebook, Diapers.com and Soap.com have analyzed the breach and informed users that were using the same login credentials on Adobe that their accounts have been compromised and that they must change their passwords.

This incredible security failure has inspired much-warranted derision within the computing world, with comics luminary XKCD describing it as “The Greatest Crossword Puzzle in the History of the World”

Dan Gifford – MCySec Media Manager

Cyber-security research firm FireEye has published a new report alleging that there may be a single actor providing important code development resources to as many as 11 separate APT campaigns. All of the tools have been written using a Chinese language character set, pointing to the likely national origin of this tool provider. FireEye alleges that this “Quartermaster” may be something of a digital arms dealer, enabling various APT teams to construct attack tools using point and click interfaces rather than advanced coding skills.

FireEye first discovered the digital breadcrumbs leading to their conclusion while examining the Sunshop water-holing attack which took over legitimate websites and used them to redirect browsers to malware sites. The 11 APT groups that they connected through their investigation were found to share resources in various combinations, among them: Portable executable resources, Pilfered Digital Certificates, API import tables, Compile times, and C2 (Command and Control) Infrastructure. FireEye’s highest confidence assessment is that a “Sunshop Digital Quartermaster” (SDQ) exists which supports a variety of separate APT campaigns as part of a “formal offensive apparatus”. While some of the APT campaigns are also using malware obtained from the digital black market, most of them are heavily reliant on tools which are not available on the criminal internet underground and almost certainly originated with a single source, this “SDQ”.  FireEye does acknowledge that it is still possible that the APT groups simply share these programs informally, but there is substantial evidence that there is a single originating source of the tools within the code examples they have analyzed in the report.

Dan Gifford – MCySec Media Manager