Steam server attackers grabbed passwords, credit card data

As Bethesda Software was preparing to release Skyrim, the latest installment of its mega-popular Elder Scrolls series, news broke that the forums of Steam, the online platform/distribution network of Valve Corporation, had been defaced and possibly breached.  Users were alerted that something was amiss by the appearance of a promoted discussion thread in which a site offering cracks for games was being advertised. Suspicions that the breach went beyond common defacement began to surface as users shared on the forum that they were receiving spam emails promoting the very same site.

The company took down its own game servers to try to resolve the issues, which left a lot of users who were waiting for the release unhappy.  By the actual release day of Skyrim the game was back online for users with access to the platform.  Valve is unsure whether encrypted credit card information was taken or not, but it is sure that usernames and passwords were taken.  It advises that users change their passwords and possibly usernames, and also check their credit card statements very closely in case the hackers did in fact steal credit card information.

Co-founder Gabe Newell released a statement: “We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information,” he wrote. “We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.”


http://www.net-security.org/secworld.php?id=11933

Focusing on new technologies instead of security threats

I have a question to ask most companies today.  Why are you lacking in security?  With the ever-expanding market of technology comes the responsibility to keep your users and employees safe from outside attackers.  Many companies are expanding their security departments and funding, and creating new and updated security policies for their employees to follow.  “The best-protected companies are those that are proactive, detecting and managing minor issues before they become major incidents, and for many companies, this means the current mind-set needs to change from a focus on short-term fixes to a holistic, strategic approach,” said Bernie Wedge, Americas Information Technology Risk and Assurance leader at Ernst & Young LLP.

Securing cloud computing is expected to be a pretty big topic among big businesses for the upcoming year.  A study found that while 80% of organizations are currently using or considering using mobile tablets, and 61% are using or considering the use of cloud computing services within the next year, the threat of security breaches has become an afterthought as companies adapt to the rapidly changing landscape.  The survey of 1,700 organizations around the world in more than 25 sectors also found that cloud computing is the top security funding priority for the next year.  Although not many of the companies that took part in the study (1,700 to be exact) are planning on using cloud computing, there are enough companies out there that are taking part in the ongoing fight for information security and protecting the cloud.


Hackers attacked U.S. government satellites

Two U.S. satellites were tampered with in 2007 and 2008 by suspected Chinese hackers, according to a soon-to-be-released report of the U.S.-China Economic and Security Review Commission.  The two satellites, Landsat-7 and Terra AM-1, had been interfered with on four separate occasions, allowing the attackers to be in command of the satellites for between two and more than twelve minutes each time.

Luckily for the U.S., the two satellites are only used to observe climate patterns and terrain.  Hacks like these are a serious concern in case of an open war with China.  It is unclear whether the Chinese hackers were state sponsored, that is, whether they were paid by the Chinese government to hack into U.S. satellites.

Just think: hackers were able to hack into a device hundreds of thousands of miles away.  They didn’t even hack into a very important one, but if they had, the results could have been catastrophic.  Having China in control of our military satellites could be devastating, because we would be sitting ducks in an open war with China.

According to the article, the access the hackers gained would have allowed them to destroy the satellite or block communication with it.  The satellites are controlled from the Svalbard Satellite Station in Norway, which often uses the Internet to transfer and access files, so it is highly likely that the hackers managed to break into the station’s systems through its Internet connection.


http://www.net-security.org/secworld.php?id=11853


Which mobile OS is most hit by malware?

Although everyone boasts about the performance of their smartphones, we regret to inform them that their smartphone may well be one of the most vulnerable devices on the market.  According to the article at http://www.net-security.org/malware_news.php?id=1883, iOS users are the least vulnerable.

There is a surprising number of new attacks being used to try to harm smartphones.  So far, it seems that users with Symbian-running devices are getting hit with a bigger number of threats than those targeting other operating systems. During August, Microsoft detected around 42,000 of them.  “In the past, the main intent of Symbian-specific malware was to spread via Bluetooth and SMS (by distributing a URL leading to a copy of the malware), or to overwrite the mobile device’s system files, rendering the device unusable. However, malware on this platform seems to be evolving,” says Microsoft’s Marianne Mallen, who adds that Zeus-in-the-mobile (“ZItmo”) and SpyEye-in-the-mobile (“Spitmo”) are the most recently detected and arguably the most dangerous for the user.

The Java ME platform takes second place, with nearly 24,000 threats detected in August, mostly apps sending text messages to premium rate numbers. When it comes to Android malware, the numbers are rather low when compared to those for the previous two platforms; around 2,800 hits in August.

At the end of the list are iOS and RIM. No new threats for Apple’s mobile OS have been discovered this year, and the total number of threats detected in August was around 590. RIM brings up the rear with only 5 malicious apps detected during that month, and can boast of only one completely new threat springing up for it this year: Zitmo.

Trojanized Netflix app steals account login credentials

When Netflix released an Android client app earlier this year, it also witnessed the attempts of various app developers who tried to make a pirated copy of it work on other devices and platforms.  There was barely any difference between the GUI of the actual app and that of the fake one.

Both apps were nearly identical, except for some troubleshooting tips at the bottom of the login screen asking whether the user forgot their username or password.   Cyber criminals have also taken advantage of this gap between supply and demand and have pushed out a Trojanized version of the app bent on stealing the users’ account login credentials.

“Despite the fact that there are multiple permissions being requested at the time of installation – identical to the permissions required by the actual app – our analysis shows that this is, in fact, a red herring, probably used to add to the illusion that the end user is dealing with the genuine article,” point out Symantec researchers.

Once the victim enters his account credentials, the information is automatically sent to a remote server which is, luckily, currently offline. Also, the Trojanized app doesn’t react any differently when an incorrect email/password combination is entered.  So if a user enters a totally fake, made-up username and password, the Trojanized app still treats it as an acceptable username/password combination.

After the “Sign In” button is pressed, the user is faced with a screen saying that the app is incompatible with his device and urges him to download a different app, but doesn’t link to it or attempt to download it automatically.  A click on the “Cancel” button below that explanation triggers the uninstall process. “Any attempt to prevent the uninstall process results in the user being returned to the previous screen with the incompatibility message,” say the researchers.

I’d say that the Android Market in general is a dangerous app store compared to the Apple App Store.  Apple thoroughly checks every app for any malicious content and rejects the app if it is found to be inappropriate.

Facebook scammers exploit death of Steve Jobs

Since we recently talked about social engineering in class, I think this post has a great deal to do with how people were socially engineered through Facebook and ignorance.  PandaLabs, a popular internet security blog, recently found a Facebook page that was claiming to give away 50 free iPad 2s in honor of Steve Jobs’ death.  The page was gaining five new fans every second and had gained more than 90,000 fans since late yesterday.

As of approximately 8:00 AM PDT October 6th, the page has been disabled, but it’s unknown as to how many users’ PCs have become infected since more than 25,000 users clicked the link in less than eight hours.

Luis Corrons, technical director of PandaLabs, said, “Unfortunately, as soon as we learned of Steve Jobs’ death, we knew scammers would start to figure out how to exploit it.  It is not unusual for cyber-crooks and fraudsters to take advantage of headline-grabbing events to spread their creations and affect the maximum number of victims possible in a short period of time.”

This security issue primarily concerns how any type of internet user, whether a social media user or a general internet user, can be manipulated and persuaded easily.  Social engineering is a process: it’s the art of manipulating people into performing actions or divulging confidential information.  In this case, Facebook users were manipulated with the promise of free iPads, without knowing they were on their way to being spammed and taken to sites where they were prompted to fill out surveys for their “Free iPads.”

These scammers actually make a profit, as sick as that sounds.  They get money from the ads displayed every time someone follows the instructions.  The scammers profit when users click through those links, earning commissions based on the amount of traffic they bring to the websites.  The formula for profit is simple:  more traffic = more income.

Social engineering is used by almost everyone for some purpose.  Whether that purpose is malicious or helpful, it is scary to see that people can be manipulated because there’s a chance that they can “Gain an iPad” or “Click here for a free iPhone 5.”  The class discussion on social engineering could have included the Steve Jobs Facebook scam, because users were tricked into clicking on the false advertisement for the iPad.  Unfortunately, these scammers can make a pretty penny for doing these kinds of manipulations, and it’s terrible.

These types of scams are not rare; on the contrary, they are seen all over the internet.  Just this year, after the death of Amy Winehouse, these scammers were on the prowl for internet suckers when they broadcast a link to a supposedly shocking video of Amy Winehouse before she died.  Eventually, this video traveled to e-mail form, and when users tried to open the attachment of the so-called “shocking video” they were attacked by malware.

http://nakedsecurity.sophos.com/2011/10/06/steve-jobs-death-facebook-scam/

http://www.thetechherald.com/article.php/201130/7446/Amy-Winehouse-scams-jump-from-Facebook-to-email

Malware Munches on Mitsubishi, and Certificates Can Lie

After numerous attacks on United States defense contractors, Mitsubishi, Japan’s largest defense contractor, has been breached.  Mitsubishi’s submarine, missile and nuclear power plant factories were reportedly targeted by the attackers.

My last post was about SSL being hacked and possibly untrusted for the time being because an SSL certificate organization, DigiNotar, had been breached.  An Iranian hacker named “ComodoHacker” compromised several DigiNotar certificates and has been using them to his advantage.

Some security experts are now expressing concern that the widely used public key infrastructure, which lies at the heart of digital certificates, may not be secure enough.

About 80 computers were reportedly infected with at least eight different kinds of malware in the attack on Mitsubishi.  The infected computers are reportedly located at the company’s headquarters in Tokyo and manufacturing and research and development sites in Kobe, Nagasaki and Nagoya.

The Kobe site reportedly builds submarines and makes components for nuclear power stations, the Nagasaki site makes escort ships, and the Nagoya plant makes guided missiles and rocket engines.  Recently Mitsubishi has been working with Boeing, but it is not certain that that organization was the root of the attack.

In the wake of the DigiNotar attack, Iranian hacker ComodoHacker has claimed that he owns about 300 code-signing certificates and “a lot” of SSL certificates with code-signing permission. As crazy as it sounds, he also claimed to be able to issue fake Windows updates.  However, those claims are false, Jerry Bryant, group manager of trustworthy computing at Microsoft, told TechNewsWorld.  Bryant explained: “Windows Update is not at risk from fraudulent certificates, as the update client will only install binaries signed by our own root certificate authority certificate.”

That’s backed up by Don DeBolt, director of threat research at Total Defense.  “Based on publicly available information, I believe ComodoHacker can issue fraudulent certificates, but not manipulate the Windows Update process as he claims,” DeBolt told TechNewsWorld.  However, in security, “there is no such thing as 100 percent secure,” DeBolt warned.

http://www.technewsworld.com/story/73317.html

Another SSL Hack – A Deadly Internet Trend

There are companies, SSL certification agencies (certificate authorities), whose role it is to act as the middle man, whispering unique encryption codes (SSL certificates) to you and your bank so that only the two of you can decipher the information passing back and forth. When your browser starts a conversation with a bank website, it talks to one of these SSL certification agencies to get a unique encryption code that only you and the bank website can use.  This process has become increasingly popular and important to web shoppers.  There are several security agencies that serve out unique encryption codes, located all over the world. One popular SSL agency is VeriSign, a well-known American agency that supplies unique encryption codes to banks.

In addition to encrypting transmitted data, SSL certificates are used to verify the identity of a person or device, authenticate a service or encrypt files, allowing a fraudulent certificate to spoof web content (present fake web pages), perform phishing attacks (maliciously act as a legitimate website) and perform man-in-the-middle attacks (spy on all information passed between a browser and its target server).

Unfortunately, there have been several cases recently where the unthinkable (the compromise of SSL certification agencies) has happened.  The two SSL certification agency compromises that have occurred in recent months involved Comodo, a New Jersey-based company with offices around the world, and DigiNotar, a Dutch certificate authority.  In March of this year, hackers gained access to Comodo’s SSL certificate generation system and fabricated nine fraudulent credentials for big-name sites like Google, Yahoo, Skype and Microsoft’s Hotmail.  It is believed that as many as 300,000 Iranians may have had their online communications tapped as a result of Comodo’s and DigiNotar’s falsified SSL certificates.

The hacker of Comodo, a 21-year-old Iranian student, recently told the New York Times that his country (Iran) should have control over Google, Skype, Yahoo, etc.  He specifically states, “I’m breaking all encryption algorithms and giving power to my country to control all of them.”

The good news is that these hacks are very rare, and companies such as Comodo and DigiNotar perform many checks to maintain their security policies.  Although these SSL hacks are very rare, the agencies are now known to be hackable, and our hope of having a safe and secure internet is now postponed.  As expected, all of the ruling bodies that control the Internet have rallied to identify the root causes of these breaches and are working on methods to prevent future ones.

AT&T iPad site hacker to fight on in court

A well-intentioned hacker has been caught by the FBI while trying to secretly fix a hole in the AT&T network.  The hacker, Auernheimer, said he has done “nothing ethically wrong” and is being persecuted for “telling the truth” by exposing a security hole in AT&T’s Web site that last year was leaking e-mail addresses and unique device numbers for about 120,000 3G iPad users, including government and high-profile corporate customers.

The hackers are part of a group called Goatse Security, which consists of 9 core members scattered around the U.S. and one European member located in France.  The FBI claims that Auernheimer was planning on using the security hole for profit, but Auernheimer strongly denied the claim.  “I’ve never once made a dime off embarrassing a large corporation. I’ve never attempted to make a dime and AT&T is basically a public figure that is open to criticism. I think it’s fair,” he said. “Embarrassing somebody by telling the truth is not malice. It’s necessary speech.”

The Justice Department released Internet Relay Chat (IRC) logs of the hackers communicating with spammers about selling the AT&T e-mail addresses.  Auernheimer, 26, said he is barred from using IRC, from communicating with anyone in his hacking group or any potential witnesses or co-defendants, and from random Web browsing, but can use the Internet for “commerce.”  He was forced to leave his Fayetteville, Ark., home because of a bail condition requiring him to stay in the jurisdiction, he added, and as a result he is living in Jersey City, N.J.  He is currently learning the Erlang programming language and is “open to security work.”

I think that this news story has a great deal to do with the ACM Code of Ethics and Professional Conduct.  Auernheimer did break the law when he tried to “fix” the hole in the AT&T website, and according to the Justice Department they have evidence of him trying to sell the stolen e-mail addresses to spammers.  He claims that he didn’t do anything “ethically wrong,” but that’s just his opinion, and in my opinion he is wrong.  He should have contacted AT&T about the hole and then waited for them to respond.

Read more: http://news.cnet.com/8301-27080_3-20105097-245/at-t-ipad-site-hacker-to-fight-on-in-court-exclusive/#ixzz1YKb6EZro

U.S. Taxpayers Risk Data Breach

So while wandering around itsecurity.com, I found a very important blog post that relates to literally every single American citizen.  The IRS is leaving our tax information vulnerable to attack by hackers.  The Treasury Inspector General for Tax Administration requests that the IRS boost its security policies, because an expert and experienced hacker could steal and use taxpayers’ information just by tapping into the IRS’s database.  Over 300 million tax records are stored by the government for its own use, and if its security standards are not increased, these records can be accessed and there will be some pretty upset taxpayers.  According to the article, investigators found that of the 374 accounts for IRS employees and contractors with access to perform system administration duties, 141 accounts were expired or were not properly authorized.

The IRS lacks security in many different areas.  For example, it has no central security group to watch over the everyday operation of its systems.  Also, it uses weak passwords; it does not delete inactive accounts of employees or contractors who no longer work for the government; and lastly, the agency allows user and administrator login information to be transmitted without encryption, fails to install patches in a timely manner, and ineffectively verifies that even the most basic security actions are complete.  According to the Government Accountability Office (GAO), in 2008 the GAO identified 89 weaknesses and deficiencies at the IRS, but only 69 percent of them were resolved.  The GAO states firmly, “Information security weaknesses — both old and new — continue to impair the agency’s ability to ensure the confidentiality, integrity, and availability of financial and taxpayer information.”