
Traffic Trouble

The fact that SCADA systems and embedded controllers are woefully insecure is hardly news to security folk. But it is always somewhat eye-opening to see how some of these systems can be compromised. One example is in this blog post from IOActive Labs that a friend sent to me, where they used remote-control drones to hack the systems that send data to the traffic control systems.
While the specific details haven't been revealed yet, IOActive did reveal the responses they received after reporting the bugs to the manufacturers, including one case where:

(T)he vendor said that since the devices were designed that way (insecure) on purpose, they were working as designed, and that customers (state/city governments) wanted the devices to work that way (insecure), so there wasn't any security issue.
Nice to know the poor security isn't an accident, it was done on purpose due to customer demands!

Trouble in transit

We've probably all done it. I have. You know you have too. Go on, admit it!
Done what, you ask? Scrounged around for some free WiFi when travelling. With data roaming costs being so high, free WiFi can be a blessing - except when it's a curse!

Here's a fun article from tripwire highlighting how easy it can be to capture credentials from unwitting travellers at an airport and how poor the information security practices in some hotels can be.

What Nabil describes in his article about default passwords and poorly segmented networks pretty much matches some of the stuff I've seen when travelling. What makes it worse is when the place is charging a small fortune for daily internet access - where is that money going? Not on security apparently!

Long story short - don't let down your guard even when connected to 'safe' networks and VPN is your friend!

Oh and Nabil's http://www.toolswatch.org/ page is pretty cool too. Go check it out!

Investigation, now and then...

Here's an interesting article from a journalist who paid a private investigator to investigate him to see what he could discover back in 1999 and compared it to what an ethical hacker could find today. Interesting results, although the 1999 techniques (largely social engineering) would probably still bear fruit today...

Remember when...

Remember when getting hacked was a bad thing? Now apparently it is a marketing opportunity!

US food chain Chipotle faked its Twitter account being hacked to generate 'buzz' as a marketing exercise.

Of course, while others have claimed Twitter accounts were hacked to cover up embarrassing behavior, this is the first time I've seen someone making a claim of being hacked as marketing...


Onion Hack

It's a few months old, but there's an interesting article at that home of Internet satire, The Onion on how they were hacked.

It's always good to see when companies are able to disclose some of these details so the rest of us can learn from their misfortune.

iOS mobile hotspots

Threat Post has an article about some researchers who have found that iOS 6 default mobile hotspot random passwords are not so random after all (there are 1,842 different words) and therefore not too hard to brute force. Additionally...

“It should be noted that all generated keys are only valid for the lifetime of a single session and that generation of those keys only relies on the PSK,” the paper said. “This implies that the security level of the whole mobile hotspot depends on the quality of the passphrase.”
The original paper "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots" is here [pdf]. The title says it all - this is a true example of Usability vs. Security, and as too often seems to be the case, security loses.

Best option - use a long, custom non-dictionary password....
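To make the "usability vs. security" trade-off concrete, here is an added example (my own code, not from the Threat Post article or the paper it cites) that compares the entropy of a key picked from a 1,842-word list against a long random passphrase, generates the latter with the OS CSPRNG, and checks whether a chosen key still has the weak "dictionary word plus digits" shape. The 1,842 figure comes from the post; the numeric-suffix parameter and the sample wordlist are assumptions constructed for illustration.

```python
"""Hotspot passphrase strength: wordlist scheme vs. random passphrase.

Added example, not code from the article or paper. The only figure taken
from the post is the 1,842-word list size; the digit-suffix parameter and
the sample wordlist below are constructed assumptions.
"""
import math
import secrets
import string

# From the post: iOS 6 chose the default hotspot key from 1,842 words.
IOS6_WORDLIST_SIZE = 1842

# WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63


def entropy_bits(space_size: int) -> float:
    """Bits of entropy for a key drawn uniformly from `space_size` candidates."""
    if space_size < 1:
        raise ValueError("key space must contain at least one candidate")
    return math.log2(space_size)


def wordlist_scheme_bits(wordlist_size: int, suffix_digits: int = 0) -> float:
    """Entropy of 'one word from the list + N decimal digits'.

    `suffix_digits` is an assumed parameter so the scheme can be compared
    with and without a numeric suffix; 0 models the bare wordlist.
    """
    return entropy_bits(wordlist_size * 10 ** suffix_digits)


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen independently from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def is_valid_wpa2_passphrase(passphrase: str) -> bool:
    """Length and character-set check for a WPA2-Personal passphrase."""
    return (WPA2_MIN_LEN <= len(passphrase) <= WPA2_MAX_LEN
            and all(32 <= ord(c) <= 126 for c in passphrase))


def random_passphrase(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Generate the 'long, custom non-dictionary password' the post recommends.

    Uses `secrets` (OS CSPRNG) rather than `random`, which is not suitable
    for keys.
    """
    if not WPA2_MIN_LEN <= length <= WPA2_MAX_LEN:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def looks_like_wordlist_key(passphrase: str, wordlist: set[str]) -> bool:
    """True if the key is just a word from `wordlist` followed by digits.

    This is the weak shape described in the post; a defender can run it over
    a proposed custom key to make sure it is not accidentally in that shape.
    """
    core = passphrase.lower().rstrip(string.digits)
    return core in wordlist


def compare_schemes(suffix_digits: int = 0, custom_length: int = 20) -> dict:
    """Side-by-side entropy of the wordlist scheme and a random passphrase."""
    alphabet_size = len(string.ascii_letters + string.digits)  # 62
    return {
        "wordlist_bits": wordlist_scheme_bits(IOS6_WORDLIST_SIZE, suffix_digits),
        "random_bits": random_passphrase_bits(custom_length, alphabet_size),
    }


if __name__ == "__main__":
    # Constructed sample wordlist standing in for the real 1,842-word list.
    sample_words = {"horse", "apple", "ocean", "winter"}
    print(compare_schemes())              # ~10.8 bits vs ~119 bits
    print(looks_like_wordlist_key("Horse1234", sample_words))  # True
    key = random_passphrase()
    print(key, is_valid_wpa2_passphrase(key), looks_like_wordlist_key(key, sample_words))
```

Even with an assumed four-digit suffix the wordlist scheme stays around 24 bits, so the brute-force effort is bounded by the list, not the passphrase length; a 20-character random key from a 62-symbol alphabet is well over 100 bits and is not reachable by any wordlist-driven attack.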

The future is...hackable

Seeing the recent Telstra video about how amazingly internet-connected the world will be reminded me of a recent blog post by Pure Hacking CTO Ty Miller called "Hacking in the year 2030".

While the Telstra video is all 'Minority Report-esque', it doesn't seem too far-fetched - although I can imagine the fun to be had messing with a friend's shopping list by hacking their garbage can.

Ty's vision of the future may come off as a little grim, but I can't say I disagree with it. In the last decade we haven't managed to eliminate SQL Injection as a vulnerability, but it could be argued that we've made the impact of SQLi exploitation worse by making so much more information available through the ever-increasing plethora of vulnerable websites. As we rely more and more on the internet and our connected devices multiply exponentially (with the associated exponential growth in the number of connections those devices make with each other; and everything around them) the number of ways to subvert and compromise those systems will similarly grow, as will the impact of malicious actions.

Deleting the 1995 version of Sandra Bullock in "The Net" may have seemed ridiculously far-fetched at the time, but the social networking revolution has more and more people interacting with people they've never met than ever before - going as far as 'dating' and 'mourning the death' of a girlfriend who never existed.

Deleting Sandra in 2013 or 2030 may be easier than ever! (Expect a Hollywood remake!)

As a side note this article is a fun look at how you can blame Minority Report for far more than just being a bad film.

Mars Attacks Hacks

Came across a cool article today on NASA's firmware upgrade of Curiosity and the question of - could you hack the rover? The answer is probably yes, but it's not all that easy!


2011 - almost all over red rover.

2011 has almost come to a close, and it may well be remembered as the year when data breaches truly went mainstream.

Vodafone kicked off the year, exposing customer data through shared/poor passwords on an internet accessible customer management system. Vodafone went into damage control, resetting employee passwords daily and eventually some staff were fired as a result.

Then came Sony! Sony's massive multiple breaches (aka the 'Sownage') made ongoing front page news and caused plenty of concern in boardrooms around the world due to its scope and the high-profile nature of the target (I mean, who doesn't have a Sony product at home somewhere!?!).

Less noteworthy for many outside the industry, but a bombshell for those of us in it, was the RSA data breach. When the company whose technology is used to secure millions was so easily penetrated and 'something' stolen (did they ever give a clear indication as to what?), many people started questioning the security of their multi-factor authentication provider. RSA offered new tokens and assured all was well - until Lockheed Martin was breached and pointed the finger at the RSA attackers.
Showing hacking knows no industry vertical boundaries, email marketing giant Epsilon was also popped, exposing the details of many customers of some of the world's top companies.

Closer to home, web hosting provider Distribute.IT was pwned and driven out of business in a particularly malicious and destructive attack. While the cops got their man, it was too late for many of the company's customers who lost all of their data.

Corporate 'hacking' made the mainstream news - or indeed was the mainstream news - when Rupert Murdoch's News of the World UK newspaper was outed as having been routinely hacking voicemail messages of celebrities and victims of crime. The main outrage was the claim that journalists had deleted voicemails of an abducted young girl - a claim that has since been claimed to be inaccurate. Nonetheless the scandal was enough to have Murdoch shut down the paper, and not rule out shutting down a second.

Journalist hackers have been in trouble here in Australia as well, with the Melbourne Age Newspaper under investigation for hacking a database of a political party.

Certificate Authorities weren't immune either, with DigiNotar hacked and issuing valid certificates for bad guys. The end result was game over for the Dutch CA, but with unverified claims from the hacker that he has pwned other CAs as well.

High profile data breaches came to Japan in 2011, first it was Sony (as mentioned above), followed by the Japanese parliament and defence contractor Mitsubishi Heavy Industries. Japanese Parliamentarians were reported to be using their personal devices to store confidential government data which has other implications all of their own.

Proving that no good deed goes unpunished, First State Super in Australia provided a textbook-like lesson on how not to deal with reported vulnerabilities in web applications by attempting to shoot the messenger. Thankfully a rethink meant the messenger was spared, but the public humiliation remained, along with the potential loss of a multi-million dollar deal.

Australia's biggest telco, Telstra, helped keep data loss in the news when it was revealed an internal customer database was accidentally exposed to the internet. Perhaps having learnt the lesson of First State Super, Telstra declined to shoot any messengers and reacted fairly swiftly, taking down the site and contacting 60,000 affected customers. However, it wasn't enough to avoid an investigation by the Privacy Commissioner, nor a phishing campaign.

I'm sure there were others that escape me at the moment, but nonetheless these examples alone show that data loss and intrusion were big news in 2011. With more press comes a growing customer awareness that companies may not be securing personal data as the public expects and perhaps a growing pressure from consumers for companies to meet higher data protection standards. Or will increased awareness and reporting mean we end up with 'breach fatigue' where data breaches become so common consumers just tune out?

Here in Australia, data protection (or 'cybersecurity') recently moved from the Attorney-General's Office to the Department of Prime Minister & Cabinet (an area which has had its own problems in the past), so it remains to be seen what (if any) legislative changes are made here and whether we end up with any kind of mandatory breach notification laws or legislated security controls.

Time will tell! Onwards to 2012!

Operation Shady RAT

McAfee have released an interesting piece of research called 'Operation Shady RAT'.

According to Dmitri Alperovitch (McAfee's VP of threat research):

I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.

With the recent (allegedly) state-sponsored high-profile attacks such as 'Operation Aurora' and 'Night Dragon' [pdf] it's a statement that is (depressingly) possibly more accurate than not.

Terms like 'state sponsored' or 'state actor' are often a PC way of saying 'China'. McAfee don't go as far as to name the state they suspect, but China has nonetheless taken offence to the report - slamming it (via the People's Daily) as 'irresponsible'. McAfee do point out some of the interesting attacks that occurred around the time of the Beijing Olympics on targets of "likely no commercial benefit", such as the IOC and World Anti-Doping Agency, and if there's one thing I learnt from watching too many cop shows growing up - whenever there's an investigation the first question from the detective is "who stands to benefit from the crime?"

Who indeed?

The PDF version is also available here [pdf]

Too true...

Courtesy xkcd.org

Hacker or Hackee

Two recent events have thrown the real potential impact of 'hacking' into a different light. The first was the attack on Australian domain name registrar and hosting provider Distribute.IT, who were attacked back in March by hackers who thoroughly trashed servers and destroyed data. Customers suffered an extended outage and much of the lost data proved unrecoverable (we'll leave any arguments about good data backup practices for the time being). The attack was so malicious and targeted that an insider or disgruntled ex-employee involvement is suspected. The attack was so devastating that Distribute.IT was sold for a song, effectively closing the doors for the original business entity. This is one of the few examples I can recall of a company being forced out of business because of a hacking attack - something that certainly didn't occur to TJ Maxx, Sony or RSA - despite any financial loss and reputational damage.

The other event is interesting because it offers the opposite perspective. Rupert Murdoch has closed the 'News of the World' tabloid newspaper in the UK in the wake of a hacking scandal - but this time the company weren't the victims but the perpetrators of the attacks, hacking into voicemail message systems in order to get the latest scoop to feed the insatiable appetite of Joe Public for more juicy gossip.
Despite the outrage, 'no tech hacking' - such as dumpster diving or social engineering (known as 'blagging') - has long been a staple of tabloid journalists - posing as hospital staff to photograph celebrity operations or even going undercover as a staff member at Buckingham Palace. Somehow the latest antics have crossed a line (from the gutter to the sewer as a former British PM remarked), that has resulted in the closure of the News of the World (the self proclaimed 'world's greatest newspaper') after 168 years.

Two wildly different hacking events, same outcome: out of business...

breachapalooza

We're halfway through 2011 and the breachapalooza* continues unabated!

Sony have been hit so many times in fact there's a new term for it: "Sownage". Add to the ever-growing list senate.gov, Citibank, Honda Canada and the IMF.

Although it isn't really news to Security folk, the mainstream media has picked up on it (largely thanks to the scale of Sony's woes) and are continuing to report on the never ending tide of high profile defacements and smash-and-grabs. A quick look at datalossdb shows the number of incidents so far this year (322) is only slightly up on this time last year (300) and behind 2009 (376); while Sony's 77 million records lost is still well behind Heartland's 130 million back in 2008.

With mainstream media interest undoubtedly leading to increased interest in boardrooms, with executives asking "Can it happen to us?" and "What do we need to do to stop it happening to us?", the question has to be asked: are the actions of LulzSec good or bad for the industry? Patrick Gray ruffled a few feathers with his thought-provoking "Why we secretly love LulzSec":

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.
Which led to an equally interesting response from Adam over at the Newschool site.

I think the answer may be a little from column A and a little from column B. In Patrick's defence, he's probably right to some degree. Every Security guy or gal who has ever been overruled or just plain ignored when explaining the need for better security testing, implementation, tools, monitoring, etc etc; probably has a little voice somewhere saying 'I told you so'.
Adam is right too when he says:
We’re being out-communicated by folks who can’t spell.
Why are we being out-communicated? Because we expect management to learn to understand us, rather than framing problems in terms that matter to them. We come in talking about 0days, whale pharts, cross-site request jacking and a whole alphabet soup of things whose impact to the business are so crystal clear obvious that they go without saying.

Although I would point out that sometimes even framing the problem in the right language to the right audience still doesn't result in the desired outcome. The old 'you can lead a horse to water, but you can't make him drink' problem exists if a mentality of 'it can't happen to us' rules. The only plus out of LulzSec's actions is that they may be breaking down some of that mentality.

However, the most disappointing, or possibly telling, thing is that, from what has been reported, very little of what LulzSec has accomplished has been particularly difficult or sophisticated. This is not really surprising as it matches what Verizon revealed earlier in the year [pdf] when they reported that 92% of the breaches investigated were 'not particularly sophisticated'. SQL injection may be old school, but it's more popular than ever.

In the meantime, Paul Ducklin from Sophos issued a challenge to the LulzSec group to use their skills, and their obvious spare time, to do something worthwhile like supporting Johnny Long's Hackers for Charity.

That may have to wait until after LulzSec are done warring with 4chan/anonymous, which at the very least may provide some relief to Sony and may give other companies a break.**


*just heard Patrick Gray's risky.biz podcast from last week call it the pwnpocalypse. Why didn't I think of that?

**Edit 18/6:  or maybe they're not as they're still exposing records.

Breaching Acceptable Use Policies

Care of Slashdot I saw this post on the potential ramifications of breaching an Acceptable Use Policy based on a recent judgement [pdf] in Western Australia.

The defendant was a Police Officer, who would normally be held to a higher standard than Joe Public, and the system in question was a Police database, but as the blog post points out: "Ms Giles wasn't convicted for breaching police secrecy, or improper disclosure of information --- she was convicted for common cracking. She used the restricted-access system other than in accordance with her authorisation"

Nick Gifford in his book "Information Security: Managing the Legal Risks" (which I have mentioned before) describes AUAs (Acceptable Use Agreements) as "a contractual mechanism for managing the risks to the organisation associated with granting user access rights", and as a contract I can understand that there would be a legal risk to those who would breach that contract.

What about your company's Acceptable Use Policy? Is it up to date and consistent with employee duties?
Have all of your users read your organisation's AUP? What about those staff who have been there 10, 15 or 20+ years? Has your AUP changed over that period, and have those users acknowledged those changes? Do they have to re-acknowledge the AUP regularly? (yearly?)
Does it explicitly state that there should be no expectation of privacy when using email, browsing the internet or storing data on company assets? Does it allow for monitoring employees and clearly state potential penalties for breaches?

While it's a little late for New Year's resolutions (maybe a Chinese New Year resolution?), make it a priority to look into your AUP and how you track acknowledgement and ensure compliance. And if you don't have an AUP, the ever-useful SANS website has a sample [pdf] to help get you started.

Storm clouds

The great Wikileaks scandal that is currently occupying the media's attention has brought to light some interesting food for thought beyond the actual leaked documents and the ultimate insider threat scenario.

Wikileaks has been under denial of service attack for a number of days now, allegedly caused by a 'hacktivist' called 'th3j35t3r' (The Jester). The attack has ramped up from the 2-4Gbps that forced the site from its original host to the Amazon EC2 Cloud Service, where it intensified to a 10Gbps+ attack. Amazon then subsequently dropped hosting of the site, succumbing to both political pressure along with the ongoing DDoS attack.

Does this add an extra wrinkle to the 'put it all in the cloud' future promoted by some organizations or individuals? It does bring up concerns about how a cloud provider would react if your organization came under sustained denial of service attack. The allegations that the attacks were the actions of a single hacker using new software called XerXes that requires no zombie network or botnet to be effective is also extremely concerning.

Home grown hacker

An Aussie hacker who was arrested back in July for infecting around 2,500 computers with a virus to steal banking and credit card information has pleaded guilty but asked for a reduced sentence as his actions were 'youthful curiosity' and he 'was interested in becoming an internet security consultant'.

Are there any hackers who got arrested who didn't pledge to go straight and become an IT Security consultant? Now there's not a lot of detail in the news articles about exactly what he did (did he write his own code, is he a script kiddie running something like Zeus, etc), but regardless, asking for a more lenient sentence after you committed a crime so you can become a security consultant - is that not something like being arrested for stealing cars because you want to be a mechanic, or robbing a bank because you wanted to be a security guard?


I know there is a great precedent of those who were on the wrong side of the law, who reformed and have become security consultants or security celebrities (eg: Kevin Mitnick, Kevin Poulsen), and it is a subject that has been well debated before. Would you hire a 'reformed' blackhat? Does it always "take a thief to catch a thief"? I'm not so sure...

The interesting thing about this case from an Australian point of view is that:

"The judge was told there had been no similar cases across Australia to guide him when imposing a penalty."
It will be worth watching closely to see what kind of sentence is handed out, and to compare it against other parts of the world where these types of prosecutions have been more common.

WarGames: The Dead Code

Did you know they made a sequel to the all-time hacking classic WarGames?
Neither did I! Having recently watched this straight-to-DVD 2008 sequel, there's a good reason you haven't heard of it...

In brief, the Government has developed a supercomputer called 'RIPLEY' that...wait for it...runs an online game that is designed to identify terrorists, as only terrorists would be good at a game where slaughtering people in a city with biological weapons is the goal. Hijinks ensue when the main character (a mom's-basement-dwelling hacking whizkid who commits credit card fraud for fun and can penetrate the US Government's most top secret network from any wireless access point) plays the game and is mistaken for a terrorist. In a shocking twist, RIPLEY goes haywire and decides to nuke Philadelphia, and only the intervention of the reactivated WOPR - who teaches RIPLEY 'tic-tac-toe' and the concept of 'Mutually Assured Destruction' - can save the day. Or something. My attention was really fading by that point...

In one amazing show of skill, the whizkid hacker plays (the now cancelled) Stargate Worlds MMO. The ability to play unfinished cancelled games? Now that's some super-hacking! (I'd insert a Duke Nukem Forever gag here but, you know)

The classic WarGames quote: "A strange game. The only winning move is not to play" (re-used in this film) could be rephrased "A strange film. The only winning move is not to watch".

I really hope the new TRON sequel is a lot better...

SANS Sydney 2010

I attended the SANS 504 Hacker Techniques, Exploits & Incident Handling here in Sydney last week, the first time I have attended a SANS/GIAC course and must say I was very impressed by both the course content and the skill of the presenter Bryce Galbraith, who was assisted by Chris Mohan.

I found the course to be a terrific eye-opener and introduction to the ethical hacking/penetration test side of the industry, with a focus on the countermeasures that can be implemented and incident investigation. The 'capture the flag' on the final day was also a lot of fun and really helped tie together some of the techniques and thinking we had learned during the first 5 days.

I'm looking forward to playing with the tools and getting a better understanding of the techniques over the Christmas break, and hope to sit the GIAC GCIH exam in January (but for now the focus remains on the looming CISM exam that is quickly approaching!)

If you are considering doing a SANS course, I'd have to recommend it. While there is a lot to learn in a small amount of time, the hands-on nature and expertise of the presenter make it well worthwhile (and far superior to the 'instructor reading the textbook to you' style training I have suffered in the past).

Google Hacking

Remember Johnny Long's Google Hacking database?

Well, it's back.

The team at Exploit Database have recently resurrected the GHDB to help you harness the power of Google to do reconnaissance or just be nosey. Use it to check out your webservers or network and your users before the bad guys do!

"The Great Cyberheist"

The New York Times have an interesting article up on Albert Gonzalez, the hacker-turned-informer-turned-double-agent who was a key part of the ShadowCrew that committed (amongst other things) the intrusion at Heartland Payments / TJ Maxx that netted over 94,000,000 credit cards.

Although it doesn't go into technical details, it is worth a read for an interesting insider view.
