Phishing Leads to Man-In-The-Middle Attacks

Krebs on Security reported that the security company Proofpoint had detected a four-week-long targeted phishing campaign against customers of one of Brazil's largest ISPs, specifically those using two router models (UTStarcom and TP-Link) that are common on that ISP's network. The emails pretended to be an account/billing message from the ISP and linked to a fake site that looked like the ISP's own. The fake site used cross-site request forgery: hidden requests sent from the victim's own browser to the router's administrative login page on the local network, brute-forcing it with the default usernames and passwords for the two router brands. Once the script had logged in, it changed the router's primary DNS (Domain Name System) server address to one the criminals controlled. This lets the crooks monitor all web traffic, hijack search results, and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data such as usernames, passwords and credit card information. It could also lead to the installation of other malware.

(Image: malicious iframe scripts used to hijack the router and DNS)

This type of attack is especially dangerous because the change is made on the router rather than on the victim's computer, so host-based antivirus and security tools see nothing to detect. It can even lead to the router and the hosts behind it becoming part of a botnet.

The important takeaway from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks; since the attack runs through the victim's own browser, a link in an unexpected billing email deserves extra suspicion.
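The mechanism described above, as an added example that is not code from the original post, from Proofpoint or from Krebs: a Python toy model of a home router's "set primary DNS" admin endpoint. The vulnerable version authenticates with credentials carried in the request and does not care which page caused the browser to send it, which is all a cross-site page armed with default credentials needs. The hardened version refuses factory-default credentials outright, requires the request to come from the router's own origin, and requires a CSRF token issued to a logged-in session. The LAN address, the credential list and the attacker's resolver address are constructed for the example and are not taken from either router model named in the post.

```python
"""Added example, not code from the original post, Proofpoint or Krebs: a toy
model of a home router's "set primary DNS" admin endpoint. The LAN address,
the credential list and the attacker's resolver are constructed for the
example and are not taken from either router model named in the post."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the router's admin UI
ISP_DNS = "200.200.200.1"              # assumed: the ISP's legitimate resolver
ATTACKER_DNS = "203.0.113.53"          # constructed: the criminals' resolver
# Constructed list of factory defaults the phishing page would try, in order.
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("admin", "")]


@dataclass
class Router:
    username: str = "admin"
    password: str = "admin"            # factory default until the owner changes it
    primary_dns: str = ISP_DNS
    csrf_tokens: set = field(default_factory=set)

    def issue_csrf_token(self) -> str:
        """Token embedded in the router's own admin page after a real login."""
        token = secrets.token_hex(16)
        self.csrf_tokens.add(token)
        return token


def vulnerable_set_dns(router: Router, request: dict) -> bool:
    """Vulnerable: credentials travel in the request (the browser supplies them
    for URLs like http://admin:admin@192.168.1.1/...), and nothing checks
    which page caused the browser to send it."""
    if (request["user"], request["password"]) != (router.username, router.password):
        return False
    router.primary_dns = request["dns"]
    return True


def hardened_set_dns(router: Router, request: dict) -> bool:
    """Hardened: (1) factory-default credentials are refused outright, so the
    owner must set a real password; (2) the request must come from the
    router's own origin (Origin/Referer), which a third-party page cannot
    forge; (3) it must carry a CSRF token issued to a logged-in session."""
    creds = (request["user"], request["password"])
    if creds in DEFAULT_CREDS or creds != (router.username, router.password):
        return False
    if request.get("origin") != ROUTER_ORIGIN:
        return False
    if request.get("csrf_token") not in router.csrf_tokens:
        return False
    router.primary_dns = request["dns"]
    return True


def cross_site_bruteforce(router: Router, handler) -> Optional[tuple]:
    """What the phishing page's hidden iframes effectively did: one request per
    default credential pair, fired at the LAN gateway from the victim's own
    browser. Returns the pair that worked, or None."""
    for user, pw in DEFAULT_CREDS:
        request = {"user": user, "password": pw, "dns": ATTACKER_DNS,
                   "origin": "http://phish.example"}   # constructed attacker origin
        if handler(router, request):
            return (user, pw)
    return None


def owner_sets_dns(router: Router, new_dns: str) -> bool:
    """The legitimate path: the owner is logged in on the router's own page,
    which embeds a fresh CSRF token in the form."""
    token = router.issue_csrf_token()
    request = {"user": router.username, "password": router.password, "dns": new_dns,
               "origin": ROUTER_ORIGIN, "csrf_token": token}
    return hardened_set_dns(router, request)


if __name__ == "__main__":
    stock = Router()
    print("vulnerable, cross-site:", cross_site_bruteforce(stock, vulnerable_set_dns), stock.primary_dns)
    fixed = Router(password="long unique passphrase")
    print("hardened, cross-site:", cross_site_bruteforce(fixed, hardened_set_dns), fixed.primary_dns)
    print("hardened, owner:", owner_sets_dns(fixed, "8.8.8.8"), fixed.primary_dns)
```

Note that the two defences are independent: a changed password defeats the default-credential brute force even on the vulnerable handler, while the origin and token checks stop a cross-site page even when it somehow knows the real password.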

Sources:

http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/

https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm

Author: Charles Leavitt

Facebook Gives Out Bounties to White Hat Hackers

In today's world there are dozens of big-name companies being hacked every year through countless vulnerabilities in software that we all depend on. This has created a rather bleak public opinion of the term 'hacker.' Yet, as Facebook is clearly aware, not all hacking is bad hacking; it just depends on what you do with the holes you find.

Facebook is a company that should be very concerned about cyber security: over a billion (yes, I said a billion) people around the world use this social media behemoth, meaning it has a lot of private information to keep track of. Recognizing this, Facebook started an ongoing public program back in 2011 to give hackers a chance to turn away from the dark side, albeit with a little monetary reward as incentive. It gives hackers a chance to quietly report any exploits they have found directly to Facebook in exchange for a cash bounty.

Colloquially these hackers are known as 'white hat' hackers, and there are surprisingly a lot of them. Facebook dished out a total of 1.3 million dollars in 2014 alone through this program, with bounties ranging from as low as $500 to as high as $30,000. Just recently, a hacker named Laxman Muthiyah discovered a way to delete a user's photos through Facebook's Graph API. Grateful for the find, Facebook gave him a whopping $12,500 for reporting it without making it public.

Despite this monetary reward, these hackers can't all be in it for the money. By exploiting Facebook's holes themselves or by selling them, they could surely turn a much higher profit than what Facebook offers. Yet the reward, coupled with a sense of ethics, is what drives these hackers to continue to do good rather than evil.

– Keegan Parrotte

Superfish Was Not the End for Lenovo

2015 is not off to a great start for Lenovo, the world's leading PC manufacturer. On February 19, it was discovered that the company had been shipping its computers with a dangerous adware program known as Superfish pre-installed. The Verge reports that this piece of software would "allow anyone to unlock the certificate authority and bypass the computer's web encryption" (The Verge). Essentially, Superfish could allow an attacker on the same network as a Lenovo computer to read the Lenovo user's encrypted web traffic or use that position to infect the system with malware. In light of this discovery and the public backlash from users, Lenovo has provided customers with a tool to completely remove Superfish from their computers.

Following this discovery, which fostered deep mistrust of the company, Lenovo's website was hacked on February 25. Anyone who visited Lenovo's site between 4pm and 5:30pm EST was greeted by a slideshow of disaffected youths set to the song "Breaking Free" from High School Musical. The attack appears to have come from the hacker group known as Lizard Squad; the defaced page's source code credits the work to two publicly known members of the organization, Ryan King and Rory Andrew Godfrey. However, the masterminds behind this attack have yet to be confirmed, as the real hackers could simply be hiding behind those names. Given the nature of the attack (visitors were redirected by tampering with the site's DNS records rather than by compromising Lenovo's own servers), there has been no reason to believe that the hackers breached Lenovo's internal network.

In an attempt to do some much needed damage control, Lenovo announced on February 27 a two-part plan to "become the leader in providing cleaner, safer PCs" (Lenovo). The first part involves scaling back the amount of pre-installed software on its computers: the company says that by the time Windows 10 is released, its computers will include only the operating system, the software and drivers required for the hardware (such as a fingerprint reader), security software, and useful Lenovo applications. The second part will have the company list all pre-installed software and what it does; this should help limit the amount of bloatware on its computers.

Although Lenovo is actively trying to reverse the damage, it is still an embarrassing and unfortunate series of events for a premier company.  It should be interesting to see how Lenovo’s attempts progress as well as their future attempts to move forward in the midst of deep mistrust from consumers.

– Kaitlin Keenan

Sources:

The Verge:  http://www.theverge.com/2015/2/25/8110201/lenovo-com-has-been-hacked-apparently-by-lizard-squad

Lenovo’s Plan:  http://news.lenovo.com/article_display.cfm?article_id=1934

NSA with Super malware?

Kaspersky Lab, an international security software company, announced last Tuesday that it had discovered malware it had never seen before. It has named the group behind it "The Equation Group". The group's malware uses techniques that ordinary antivirus or anti-malware products cannot stop. Most of the targets ran Windows, but some Mac OS X machines in China were hit as well, and there are indications that iOS devices were targeted too. The Equation Group's attacks have targeted governments, diplomatic institutions, nuclear research facilities, and many gas and oil companies, with over 500 victims across 30 countries. The group has built several attack platforms and encrypts their components with a variety of algorithms, such as RC5 and RC6, AES, and XOR. Code used in these tools was written as early as 2008, which leads Kaspersky Lab to suspect that the group is even more sophisticated by now.

Also, because the targets of this super malware overlap with those of Stuxnet, which is widely attributed to the U.S. NSA, Kaspersky Lab believes that this so-called super malware was also created by the NSA, or at least that there is a connection between the NSA and the Equation Group. Tech analyst Rob Enderle also stated that this will "create a huge cloud over U.S. technology, [and this strategy] may have become a greater liability than an asset."

This raises the question: if this were used against us, could it really bring down a whole lot more than what it was planned for, or would it be just another hiccup that we are able to adapt to? I personally think that this can help us a whole lot if it is under U.S. NSA control, but if it is independent, such as the Equation Group, I believe that we, as new cyber security personnel, can adapt and better ourselves before it takes us down.

Also worth watching is an interview with President Obama on cyber security, in which he explains our current situation nationally and his goal of improving it.

Lenovo’s Superfish

Lenovo laptops have been shipped with pre-installed software known as Superfish, created by a company of the same name. Its stated purpose is to give additional information to the user when they highlight a search result, such as the same item on a different site for a lower price. The problem lies in how it works.

It works by installing its own self-signed root certificate into the machine's trust store and intercepting HTTPS connections. When the user visits an HTTPS site, the browser is shown a certificate for that site that Superfish generated and signed on the fly, so Superfish sits between the user and the real site while appearing to be the official website. Worse, the root certificate, and its private key, are the same on every affected Lenovo machine. Once that key has been extracted from one machine, anyone can sign certificates that every other affected laptop will accept, which means any laptop with the Superfish root certificate installed will fail to flag such fake sites as forgeries. Superfish has said that the program doesn't store or share personal information.

Reports of the software go back to September 2014, with some even earlier. Lenovo has been working with Microsoft and McAfee to fix the problem. Lenovo has released a Superfish removal tool, and the Department of Homeland Security has also issued its own preferred removal procedure. Lenovo sold more than 16 million computers in the fourth quarter of 2014, and Superfish was installed on more than 11 models, including the Yoga and the Flex.
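The mechanism described in both Lenovo posts above, as an added example that is not code from the original posts, from Lenovo or from Superfish: a Python script that drives the openssl command-line tool to build a root CA with a Superfish-like name, mint a certificate for a site the holder of that root does not own, and show that a client trusting the root accepts it while a client with an ordinary trust store does not. It also includes the kind of check an administrator would run over a certificate bundle to flag the planted root. The openssl tool is assumed to be installed; the subject string mimics Superfish's issuer name, but every key here is generated fresh and is not the key that shipped with Superfish.

```python
"""Added example, not code from the original posts, Lenovo or Superfish: why a
root CA planted in every machine's trust store, with its private key shipped
alongside, lets a third party mint certificates for any site. Drives the
`openssl` command line tool, which is assumed to be installed. The subject
string mimics the Superfish issuer name; every key is generated fresh here."""
import os
import subprocess
import tempfile

# Self-contained req config so the example does not depend on the system openssl.cnf.
REQ_CONFIG = """\
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext

[dn]
C = US
ST = CA
L = SF
O = Superfish, Inc.
CN = Superfish, Inc.

[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""


def _openssl(*args, check=True):
    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=check)


def _config_path(workdir):
    path = os.path.join(workdir, "req.cnf")
    if not os.path.exists(path):
        with open(path, "w") as f:
            f.write(REQ_CONFIG)
    return path


def make_root_ca(workdir, name, subject=None):
    """Self-signed root CA; with no subject, the Superfish-like DN from REQ_CONFIG is used."""
    key = os.path.join(workdir, name + ".key")
    cert = os.path.join(workdir, name + ".pem")
    args = ["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "365",
            "-config", _config_path(workdir), "-keyout", key, "-out", cert]
    if subject:
        args += ["-subj", subject]
    _openssl(*args)
    return key, cert


def forge_leaf(workdir, ca_key, ca_cert, host):
    """Whoever holds the root's private key can sign a cert for a host they do not own."""
    key, csr, ext, cert = (os.path.join(workdir, "leaf." + s) for s in ("key", "csr", "cnf", "pem"))
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", _config_path(workdir),
             "-subj", "/CN=" + host, "-keyout", key, "-out", csr)
    with open(ext, "w") as f:
        f.write("subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n" % host)
    _openssl("x509", "-req", "-in", csr, "-CA", ca_cert, "-CAkey", ca_key, "-CAcreateserial",
             "-days", "30", "-sha256", "-extfile", ext, "-out", cert)
    return cert


def client_accepts(trusted_ca, leaf, host):
    """Would a client whose trust store holds `trusted_ca` (and nothing from the
    system CA directory) accept `leaf` as the certificate for `host`?"""
    r = _openssl("verify", "-no-CApath", "-CAfile", trusted_ca,
                 "-verify_hostname", host, leaf, check=False)
    return r.returncode == 0


def looks_like_superfish(cert_path):
    """Fleet check: flag a certificate whose subject names Superfish."""
    r = _openssl("x509", "-in", cert_path, "-noout", "-subject", check=False)
    return r.returncode == 0 and "superfish" in r.stdout.lower()


def demo(host="www.example.com"):
    """Returns the four yes/no outcomes the posts' claims boil down to."""
    work = tempfile.mkdtemp()
    sf_key, sf_cert = make_root_ca(work, "superfish")                            # the planted root
    _, honest_cert = make_root_ca(work, "honest", "/O=Honest CA/CN=Honest Root")  # a normal root
    leaf = forge_leaf(work, sf_key, sf_cert, host)   # nobody here owns example.com
    return {
        "victim_accepts_forged_cert": client_accepts(sf_cert, leaf, host),    # True
        "clean_machine_accepts_it": client_accepts(honest_cert, leaf, host),  # False
        "planted_root_flagged": looks_like_superfish(sf_cert),                # True
        "honest_root_flagged": looks_like_superfish(honest_cert),             # False
    }


if __name__ == "__main__":
    print(demo())
```

The forged leaf carries a valid chain only for a machine that trusts the planted root, which is why removing the certificate from the trust store, not just uninstalling the Superfish program, is the part of the cleanup that matters.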

For more information: