Archives: April 2011

No Hacking Required to Be Prosecuted as a Hacker

Wired’s Threat Level posted “Appeals Court: No Hacking Required to Be Prosecuted as a Hacker” by David Kravets. Mr. Kravets starts his post off with the following statement.

Employees may be prosecuted under a federal antihacking statute for taking computer files that they were authorized to access and using them in a manner prohibited by the company, a federal appeals court has ruled.

The antihacking statute he is referring to is the Computer Fraud and Abuse Act (CFAA). The CFAA is an anti-fraud and abuse statute, NOT an antihacking statute. The act is not about hacking in the technical sense; it is about accessing a computer without authorization, or exceeding the authorization you were given. Whether we agree with the law or not, it has been in place since 1986.

Mr. Kravets points out that courts have ruled differently under similar circumstances on other occasions. I'm not a lawyer and don't claim to be, but I would have to agree with the court on this decision. If an employee knowingly and willfully exceeds the access they were authorized to have, that is punishable under the statute. The majority of these cases never reach the court system, though; most are settled by terminating the employee.

Read more…

Hackers Claim to Have PlayStation Users’ Card Data

Security researchers said Thursday that they had seen discussions on underground Internet forums indicating that the hackers who infiltrated the Sony PlayStation Network last week may have made off with the credit card numbers of Sony customers.

The comments indicated that the hackers had a database that included customer names, addresses, usernames, passwords and as many as 2.2 million credit card numbers, the researchers said.

Read more…

Cisco Warns Users Of DoS, SQL Injection Flaws

Cisco released two security advisories late Wednesday, warning users about multiple vulnerabilities in its Unified Communications Manager and a denial of service flaw in its Wireless LAN Controllers that could enable hackers to launch attacks that interrupt voice services or modify data.

One advisory warned of multiple security flaws in Cisco Unified Communications Manager, including three denial of service (DoS) vulnerabilities affecting session initiation protocol (SIP) services, two SQL injection vulnerabilities and a directory traversal bug in the platform. The bugs affect Unified Communications Manager versions 6.x through 8.x.

Read more…

ICANN Names Jeff Moss as Security Chief

Jeff Moss, a prominent computer hacker who founded the annual Black Hat and DefCon security conferences in Las Vegas, has been hired as the chief security officer for the organization that coordinates names of the world’s Web sites.

The organization, the Internet Corporation for Assigned Names and Numbers, or ICANN, plays a vital role in making sure that when you type a site name into a Web browser, your computer knows where to go to find the site you’re trying to reach. ICANN manages the domain name system that underlies that chain of communication.

Read more…

Cyberattack Hits Oak Ridge National Laboratory

A highly sophisticated cyber attack — known as Advanced Persistent Threat — forced Oak Ridge National Laboratory to shut down all Internet access and email systems over the weekend.

Those restrictions will remain in place until lab officials and others investigating the attack are sure the situation is well controlled and manageable, ORNL Director Thom Mason said Monday.

The cyberattack was initially discovered 10 days earlier on April 7, when a batch of spear-phishing emails — carefully crafted emails purporting to be from a genuine source, in this case ORNL’s human resources department — were sent to 10 percent of the lab’s employees, approximately 530 computers.

Out of those who received the email, about 57 clicked on it, Thomas Zacharia, ORNL deputy lab director said. The malware exploited a security flaw in Internet Explorer, and compromised two of the 57 systems. One of those two computers then spread the malware to other systems within the lab. (The flaw has since been patched.)

It’s all over the news:
knoxnews.com
securitynewsdaily.com
theregister.co.uk

Adobe Issues Update For Critical Flaws In Reader, Acrobat, Flash Player

Adobe released a slew of out-of-cycle updates Thursday for critical vulnerabilities that have already been exploited in active in-the-wild attacks against its Reader, Acrobat X and Flash Player platforms.

The Department of Homeland Security/US-CERT warned users Thursday of critical bugs in Adobe Flash Player 10.2.153.1 and earlier for Windows, Mac, Linux and Solaris, version 10.2.154.25 and earlier for Chrome; version 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; Authplay.dll in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X.

Patch up!

Read more…

Hundreds log into a rogue wireless hotspot at Infosec conference

Hundreds of people attending London’s Infosec conference logged into a rogue wireless hotspot that could have left them open to attack by hackers.

For a couple of hours on days one and two of the conference, insecurity firm Cryptocard created a wireless hotspot called ‘Infosecfreewifi’. It found that 143 people connected to the rogue network on Tuesday and 162 people on Wednesday, in the space of just two hours on each day.

This is not unusual. Check out the “Wall of Sheep” at Defcon. It’s comical to watch people who have just learned that their account was compromised log straight back in on the same network to change their password.

Unfortunately, the author of this article is just as misled as the people who connected to the rogue access point, judging by this statement:

Without decent antivirus or malware protection on your computer, you would obviously be in trouble if a criminal was looking to take advantage of you.

If you think that is what’s going to save you, turn your wifi off and don’t use it. Antivirus runs on your machine; a rogue hotspot never has to touch your machine. It only has to sit between you and the Internet and read, or rewrite, whatever you send in the clear. The controls that matter here are not joining untrusted networks in the first place and, when you must, making sure everything is encrypted end to end (TLS with certificate warnings you don’t click through, or a VPN).
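To make that concrete, here is an added example (mine, not from the original post or from Cryptocard) of what the operator of a rogue hotspot sees without touching the victim’s machine at all. It parses a few constructed, fabricated HTTP requests of the kind a laptop would emit over an open network and pulls out exactly what a Wall of Sheep displays: Basic-auth credentials, form logins and session cookies. The hostnames, users, passwords and cookie values are all made up.

```python
"""Added example: what a rogue hotspot operator harvests from cleartext
traffic. The captured requests below are fabricated."""
import base64
from urllib.parse import parse_qs

# Constructed sample: three requests as a laptop would send them in the clear
# over an open hotspot. Hosts, users, passwords and cookie values are made up.
CAPTURED_REQUESTS = [
    b"POST /login HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"username=alice&password=Spring2011!",

    b"GET /inbox HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n"
    b"Cookie: sessionid=9f86d081884c7d65\r\n"
    b"\r\n",

    b"GET /api/status HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n"   # base64("bob:hunter2")
    b"\r\n",
]

USER_FIELDS = {"username", "user", "email", "login"}
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}


def parse_request(raw):
    """Split one raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "body": body.decode("latin-1")}


def harvest(raw):
    """Return (host, kind, secret) triples recoverable from one request."""
    req = parse_request(raw)
    headers = req["headers"]
    host = headers.get("host", "?")
    found = []
    # HTTP Basic auth is just base64, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        creds = base64.b64decode(auth.split(None, 1)[1]).decode("latin-1")
        found.append((host, "basic-auth", creds))
    # A session cookie is as good as the password for as long as it lives.
    if "cookie" in headers:
        found.append((host, "session-cookie", headers["cookie"]))
    # Form logins: pair the username-looking field with the password field.
    ctype = headers.get("content-type", "")
    if req["method"] == "POST" and "application/x-www-form-urlencoded" in ctype:
        fields = {k.lower(): v[0] for k, v in parse_qs(req["body"]).items()}
        user = next((fields[k] for k in USER_FIELDS if k in fields), "?")
        for k in PASSWORD_FIELDS:
            if k in fields:
                found.append((host, "form-login", f"{user}:{fields[k]}"))
    return found


def wall_of_sheep(requests):
    """Everything the hotspot operator can display from a batch of requests."""
    sheep = []
    for raw in requests:
        sheep.extend(harvest(raw))
    return sheep


if __name__ == "__main__":
    for host, kind, secret in wall_of_sheep(CAPTURED_REQUESTS):
        print(f"{host:24} {kind:15} {secret}")
```

Nothing here executes on the victim, which is why antivirus has no say in it. Had the same three requests gone over TLS, the hotspot would see the server name and byte counts and none of the fields above. And changing a captured password over the same link, Wall of Sheep style, just hands the attacker the new one.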

Read more…

For paranoid Androids, Guardian Project offers smartphone security

The Guardian Project is an open source initiative which aims to take advantage of Google’s Android operating system to bring smartphones the same sort of security and privacy that savvy users have come to expect from laptops and desktops. Featuring capabilities like full-disk encryption, secure instant messaging, and anonymous Web browsing, the project hopes to give people better control of their personal information on mobile devices.

Read more…

Companies fear cybercrime more than insider threats

I found this article on CNET, released a couple of days ago. It starts off:

External attacks from cybercriminals will soon pose a greater risk to the corporate world than insider threats, according to the results of a Cyber-Ark survey (PDF) released yesterday.

The article goes on to mention that the survey found that 57 percent of the executives believe that over the next one to three years, cybercriminals will present more of a security risk than any insider threat will. This is where they got it wrong, and where executives don’t have a clue when it comes to security: the two are not separate categories. Malicious insiders are “cybercriminals,” and outside cybercriminals leverage the insider, witting or not, to carry out their activity.

Currently the most successful attack is phishing, or its targeted form, spear-phishing. It is an attack carried out by an outside cybercriminal in order to become an insider. If I target privileged users or administrators with a phishing email, exploit a vulnerability on their machine, and then operate with the access the victim already has, I have leveraged the insider threat without ever having been an employee.

If you look at security from the insider’s perspective, you can effectively “kill two birds with one stone.” We’ve become pretty good over the years at putting up defenses on the outside, yet many organizations overlook the insider perspective. The reasons are familiar: not wanting employees to feel distrusted, not wanting to make it harder to get work done, “it doesn’t matter because we don’t have anything worth taking” (this is my favorite), and so on.

Whatever the excuse for not addressing the insider threat as part of your overall security posture, looking at your defenses from the inside out is just as important as looking from the outside in. As you think about security, work through the scenario in which one of your most trusted and privileged employees opens a legitimate-looking email, and the outside cybercriminal thereby becomes that most trusted and privileged employee.

Now what do your defenses look like?
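One way to answer that question is to compute it. What follows is an added example (my own, not from the CNET article or the Cyber-Ark survey) that models a small, fabricated environment: who belongs to which group, which groups may reach which resources, which groups hold local admin on which hosts, and which users have sessions (and therefore stealable credentials) on those hosts. Given the one phished user, it follows the same edges an attacker would and returns everything they inherit. Every principal, host and resource in it is hypothetical.

```python
"""Added example: what an attacker inherits by phishing one user.
The environment below is fabricated; names and rights are hypothetical."""
from collections import deque

ENV = {
    # principal or group -> groups it is a member of (groups may nest)
    "member_of": {
        "alice":    {"staff", "helpdesk"},
        "bob":      {"staff", "finance"},
        "dana":     {"staff", "domain-admins"},
        "helpdesk": {"workstation-admins"},
    },
    # resource -> principals/groups allowed to reach it
    "access": {
        "wiki":              {"staff"},
        "payroll-db":        {"finance", "domain-admins"},
        "source-repo":       {"engineering", "domain-admins"},
        "domain-controller": {"domain-admins"},
    },
    # principal/group -> hosts where it holds local administrator
    "admin_on": {
        "workstation-admins": {"ws-101", "ws-102"},
        "domain-admins":      {"ws-101", "ws-102", "dc-01"},
    },
    # host -> principals with a live session or cached credentials there;
    # a local admin on that host can harvest them
    "sessions_on": {
        "ws-101": {"alice"},
        "ws-102": {"dana"},   # a domain admin logged onto a helpdesk-managed box
    },
}

# Same environment, except domain admins never log onto workstations.
HARDENED = dict(ENV, sessions_on={"ws-101": {"alice"}})


def groups_of(env, principal):
    """Transitive group membership of a principal (or of a group)."""
    seen, stack = set(), [principal]
    while stack:
        for g in env["member_of"].get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen


def blast_radius(env, phished):
    """Everything an attacker controls after taking over one user.

    Edges followed: user -> groups (membership); user/group -> host
    (local admin); host -> users with sessions there (credential theft,
    which yields a new user to expand from); user/group -> resource (ACL).
    """
    owned = {phished}
    hosts = set()
    queue = deque([phished])
    while queue:
        user = queue.popleft()
        for ident in {user} | groups_of(env, user):
            for host in env["admin_on"].get(ident, ()):
                if host in hosts:
                    continue
                hosts.add(host)
                for victim in env["sessions_on"].get(host, ()):
                    if victim not in owned:
                        owned.add(victim)
                        queue.append(victim)
    identities = set()
    for user in owned:
        identities |= {user} | groups_of(env, user)
    resources = {r for r, allowed in env["access"].items() if allowed & identities}
    return {"principals": owned, "hosts": hosts, "resources": resources}


if __name__ == "__main__":
    for label, env in (("as deployed", ENV), ("hardened", HARDENED)):
        r = blast_radius(env, "alice")
        print(f"{label}: phishing alice reaches {sorted(r['resources'])} "
              f"via {sorted(r['principals'])} on {sorted(r['hosts'])}")
```

In the constructed environment, phishing a helpdesk user reaches the domain controller, not because helpdesk has any right to it but because a domain admin left a session on a workstation that helpdesk administers. The HARDENED variant changes nothing except that domain admins no longer log onto workstations, and the same phish then reaches only the wiki. That is the inside-out view: the controls that decide the outcome are the ones between the least-privileged victim and the most-privileged account, not the ones at the perimeter.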

Read more…

China Accelerates Cyber Attacks

This isn’t exactly hot off the press news, but it is of particular interest to me.

The New American report mentions some of the better-known cyber attacks, with code names such as Titan Rain, Aurora and Night Dragon. These have received relatively high-profile news coverage; what most people do not appreciate is the extent and frequency with which such attacks occur.

China, and the Chinese government in particular, has been persistent and patient when it comes to compromising the federal government and the many contractors it does business with. Mandiant put it best when it quoted a United States Air Force report: “There is only one Advanced Persistent Threat and that threat is China.”

The report also mentions the penetration of the Defense Department’s $300 billion Joint Strike Fighter project, a serious compromise first reported by the Wall Street Journal in 2009. I know a few people who know how it was determined what information was compromised during this intrusion.

Read more…