Iranian Hackers Target US Professors

On March 23rd the Justice Department charged nine Iranians with multiple counts of identity theft and conspiracy to commit computer intrusions. The main targets of the attack were professors at both US and foreign universities. Several US- and European-based private companies and multiple government agencies were also targeted. The hackers were accused of being affiliated with the Mabna Institute and of acting at the behest of an Iranian intelligence agency. The attorney who brought the case claims that the Mabna Institute may seem legitimate, but that it exists solely to steal scientific resources from around the world. They used phishing emails that appeared to come from other universities to target more than 100,000 accounts belonging to professors worldwide and compromised about 8,000. They also compromised at least 37 US-based companies, 11 based in Europe, and at least 5 government agencies including the Labor Department, the Federal Energy Regulatory Commission, and the UN. With this attack dating back to 2013, the hackers were able to steal more than 31 terabytes of information, worth about $3 billion in intellectual property. The Justice Department has recently said that the nine hackers are still at large.

–  Owen Ryan

Sources:

https://www.cnbc.com/2018/03/23/us-indicts-iranian-nationals-in-iran-government-backed-scheme-on-us-universities.html

https://www.wired.com/story/iran-cyberattacks-us-universities-indictment/


2020 Online Census

In two years the United States will be conducting the census like they do every 10 years. This time though will be different. The United States will be doing a primarily online census. This could be a giant security risk.

Back in 2016, Australia decided to try an online census. As soon as the survey was posted, hackers performed a giant denial-of-service attack that caused the system to go down for 2 days. Though no information was breached, it still was an embarrassment for the country and proved that they weren’t ready.

The United States has been toying around with the idea of doing an online census since 2000, but it wasn’t used in 2010 due to a lack of trust in data collection effectiveness and security. It seems that the lack of trust hasn’t gone away but the pressure to move digital has caused this change.

Problems are already popping up in this census. The bureau is rushing it out which has prevented thorough testing of the security. In the tests that were conducted the data had issues being transmitted and received.

Not receiving the data could be the least of our worries though. Hackers could flood the census with phony data or breach data and release it. Both of these outcomes won’t look good on our government and will further a distrust people already have since the election. Maybe it is best to wait another 10 years until our platform is more secure and trustworthy.

—- Bailey Pearson

Sources:

https://www.motherjones.com/politics/2018/03/the-2020-census-is-a-cybersecurity-fiasco-waiting-to-happen/

Orbitz’s Centralized Storage Security Breach


Orbitz, a travel booking company, has revealed that one of their old websites has been hacked and around 880,000 accounts, including payment information, were compromised. The breach was only recently detected (within the last month) and took place around December 2016 to October 2017.

This old website was built on a legacy system that was poorly monitored and contained minimal security. All of the website’s data was stored in a centralized location as well. With minimal security and almost no monitoring, hackers easily penetrated the system and gained access to the servers. From there, hackers were able to access such a variety of data because Orbitz stores many of its credentials in the same database. A single database means a single point of failure that would allow a hacker to compromise everything. It was an easy target for hackers. Nowadays, large enterprises are moving towards decentralized authentication in order to prevent large-scale breaches, eliminate fraud and ensure user privacy.

“We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners,” Orbitz said in a statement. Orbitz is currently working to notify the thousands of affected customers and plans to offer one year of free credit monitoring and identity protection service.

-Tik Ho Chan

 

Sources:

https://www.marketwatch.com/story/this-data-breach-affected-880000-people-and-it-has-nothing-to-do-with-facebook-2018-03-24

https://securityboulevard.com/2018/03/weekly-cyber-risk-roundup-orbitz-breach-facebook-privacy-fallout/

https://thehackernews.com/2018/03/expedia-data-breach.html

POS Software Exploit

For those who don’t know what a point-of-sale program is, it is a program that allows vendors and clients to easily complete transactions in modern retail stores. They are the programs that make a (hopefully) seamless payment from scanning an item, calculating the total, payment options and payment fulfillment. This means they have access to information such as sale totals, customer information, and credit card information.

Recently, POS software has been under attack by multiple instances of malware in order to retrieve the information they record. In 2017, Kroll Cyber Security uncovered a new POS malware family named PinkKite, named for their small size and their significant impact on point of sale endpoints, which they presented at Kaspersky’s 2017 Security Analyst Summit.

PinkKite malware differs from past iterations of POS malware due to its newer, more modern features found in larger malware, while still maintaining a small size. Most POS malware, like PinkKite, is very small in size, allowing it to avoid detection by most software. However, the 6K payload comes with features like memory-scraping, data validation, double XOR encryption, a backend infrastructure to export data to, and persistence mechanisms. These tools are large improvements over previous versions of malware because of the obfuscation and persistence they provide. By providing a backdoor into retail machines with point-of-sale software, PinkKite can continuously scrape hundreds of client numbers from each machine even after a day’s reboot. This means that the volume of data collected for later use is much more than previous malware that was erased upon rebooting the system. Also, by then double XORing the stolen credit card information, the data is harder to locate within the hacker’s backend infrastructure.

According to Kroll analysts, the malware propagated from a single infected network machine that then self-replicated. Most likely, from the compromised machine, it used PsExec to move across the company’s network until it identified the Local Security Authority Subsystem Service (LSASS) and extracted information using Mimikatz. The information was then sent to one of three known clearinghouses in Canada, Korea or the Netherlands. From there, the hackers manually pulled the data to later sell on the black market.

POS malware is a pressing issue that not many people (including me) know of because the software it attacks seems so trivial it slips out of many people’s minds. However, this malware could prove detrimental for not only the customers but for the company as well. Even though the customers could lose their credit cards, companies could lose reputation, customers, and could become completely compromised with different payloads using POS as an entry point.

Source

Spring, Tom. “New POS Malware PinkKite Takes Flight.” Threatpost, 14 Mar. 2018, threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/.
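The chain described in the post above (PsExec used to move between machines, then credential access against LSASS) leaves host telemetry that a defender can correlate. The following is an added example, not part of the original post or of Kroll's analysis; the event records, host names and allowlist are constructed assumptions, with fields modelled on Windows System event 7045 and Sysmon event 10.

```python
from datetime import datetime, timedelta

# Assumption: processes expected to open LSASS in this environment; tune locally.
LSASS_ALLOW = {"wininit.exe", "csrss.exe", "msmpeng.exe"}

# Constructed, simplified records (not real logs). Fields mirror Windows System
# event 7045 (service installed) and Sysmon event 10 (ProcessAccess).
EVENTS = [
    {"time": "2018-03-01T02:10:00", "host": "POS-01", "id": 7045,
     "ServiceName": "PSEXESVC"},
    {"time": "2018-03-01T02:12:30", "host": "POS-01", "id": 10,
     "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"time": "2018-03-01T02:15:00", "host": "POS-02", "id": 10,
     "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"time": "2018-03-01T09:00:00", "host": "POS-03", "id": 7045,
     "ServiceName": "PSEXESVC"},
]


def basename(path):
    """Lowercased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(minutes=15)):
    """Return sorted (host, finding) pairs; 'psexec_then_lsass' is the correlated chain."""
    findings, last_psexec = set(), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t, host = datetime.fromisoformat(ev["time"]), ev["host"]
        if ev["id"] == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            findings.add((host, "psexec_service"))
            last_psexec[host] = t
        elif ev["id"] == 10 and basename(ev.get("TargetImage", "")) == "lsass.exe":
            if basename(ev.get("SourceImage", "")) in LSASS_ALLOW:
                continue  # expected system process touching LSASS
            findings.add((host, "lsass_access"))
            if host in last_psexec and t - last_psexec[host] <= window:
                findings.add((host, "psexec_then_lsass"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in detect(EVENTS):
        print(host, finding)
```

The service-name match only covers PsExec's default service name, so treat it as one signal alongside the LSASS access check rather than a complete rule.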

Equifax Breach Impacts An Additional 2.4 Million

Equifax has managed to come back into the news. Three weeks ago (March 1), Equifax released an update to the hack that happened over 6 months ago (June 2017). For those of you who do not know, Equifax is one of three credit reporting agencies in the United States. All financial information passes through at least one of these agencies. This includes bank accounts, loans, credit cards, etc. Almost everyone in the United States has used one of these companies in their lifetime, if not all of them. I will go further in depth about the several security issues Equifax dealt with back in June as well as in September, but for now I’m going to provide information on the most recent update.

Originally Equifax released the news that 143 million people had their personal information stolen. This information includes names, SSNs, birthdates, addresses, driver’s license numbers, and credit card numbers. The population of the United States is 325.7 million (2017), meaning nearly half of all Americans (44.67%) had their information stolen. If you consider the fact that this hack really only affects adults as children haven’t necessarily needed to use Equifax in the past, the percentage goes up to over 50%. When they released the new update, an additional 2.4 million people have been said to be affected by the breach. While that number is much smaller than the original, this number is also coming 6 months after the initial announcement. Hackers have had the personal information of 2.4 million people for 9 months (6 plus the 3 that it took them to mention it to the public, more on that later) without those people knowing. With this new information, the number rises to ~58% of all adult Americans who have had their information stolen through the Equifax breach. It is one of the largest hacks of personal information in history.

The attack itself happened somewhere between May and July and came from a flaw in the web application back-end Apache Struts. This allowed the hackers initial access to the Equifax computer system. By the time they were finished, the hackers had 30 separate entry points into Equifax’s systems. The only reason they were caught is because they were so deeply embedded in the systems that the company was forced to shut down a consumer complaint portal for 11 days while the security team figured out what was happening.

There are also reports that the company was notified 6 months in advance (December 2016) of the threat of a potential attack due to the security measures in place. An anonymous hacker found a flaw in the website that would allow anyone to pull information from all people in the database in a couple of minutes. This information included SSNs, names, and birthdates of all the individuals. This could be done through forced browsing, a technique that plugs various strings into a browser. Not only that, but the hacker also managed to find ways to get shell access to several Equifax servers, as well as several SQL Injection vulnerabilities. From reading several articles, it seems like Equifax’s main security policy was “Security by Obscurity”.

Now, most people think that the only issue was the breach that happened between mid-May to July. This is only part of Equifax’s downfall. Besides announcing 2.4 million people had been hacked 9 months after the incident happened, Equifax is credited with many mistakes that a student in CSEC 101 could’ve prevented. But first, let’s go over how Equifax handled the situation.

In July 2017, Equifax learned that it had been breached. The company then waited 6 weeks to tell the public that the breach had taken place. This meant that hackers had the personal information of hundreds of millions of people for 3 months and Equifax failed to announce it for over a month. Before announcing the company had been hacked, the top level executives at Equifax sold millions of dollars worth of stocks. Perhaps the one good practice they had was to provide a one year protection plan for anyone affected by the breach. However, this too had its downsides. In most cases, a year of protection isn’t enough. Because of the information that was leaked and how long it can take to decipher it, the attacks on the individual people may not even happen for another 5 to 10 years. What’s more, once the one year free trial runs out, you are automatically enrolled into the paid protection plan regardless of if you asked to be or not. You have to manually cancel your plan after the year of protection expires. Also, by agreeing to this protection plan, you enter an agreement with Equifax stating that you can no longer sue the company. However they did update this, by allowing the people who signed up to send a written letter within 30 days to Equifax to opt out of the agreement.

In order to find out if you have been hacked, they require you to go to their site (https://www.equifaxsecurity2017.com) and sign up to find out if you have been affected by the breach. And I wish I could say that Equifax stopped messing up there, but the story continues. Cyber security experts criticize Equifax for creating this website. They say it would have been more secure for them to have instead used their own website and provide an additional subdomain where people could enroll. And Equifax should have listened… A software engineer decided to show the world the security disasters that could derive from this situation. A new website securityequifax2017.com (it has since been taken down) was created to show how this affects the people trying to use Equifax’s website. The site copied the actual Equifax site, but added the line “Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?” to the title of the page (shown below).

Now this site was so “convincing” that Equifax tweeted to the fake website, not once, no that’s not the Equifax way, but seven times. The official Equifax Twitter account tweeted to a fake website made to specifically demonstrate the security risks involved with making a long URL with the title “Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”. 200,000 people had signed up on the fake website before the creator took it down, proving his point about the security concerns involved.

Next on the list, Equifax’s website in Argentina. This is actually a separate hack that just happened to come about at the same time the news was being released about the previous hack. A cybersecurity firm was testing the strength of Equifax’s website and found that the username and login information for the database storing all the South American employee information was admin/admin. With this information, the firm was able to figure out Argentine SSN equivalents, names, and emails of over 100 employees of Equifax.

– Michael
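The criticism of the breach-response domain in the post above comes down to a check that users and mail filters can actually apply: is the host the organization's own domain or a subdomain of it? The following is an added example, not part of the original post; `equifax.com` as the official domain is an assumption, and the `breach.equifax.com` and `example` hosts are hypothetical.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "equifax.com"   # assumption: the organization's primary domain
BRAND_TOKEN = "equifax"           # brand string a lookalike would reuse


def host_of(url: str) -> str:
    """Return the lowercase hostname, ignoring userinfo, port and trailing dot."""
    if "://" not in url:
        url = "https://" + url            # allow bare hostnames
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def classify(url: str) -> str:
    """'official' if the host is the official domain or a subdomain of it,
    'lookalike' if it merely contains the brand string, else 'unrelated'."""
    host = host_of(url)
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    if BRAND_TOKEN in host.replace("-", ""):
        return "lookalike"
    return "unrelated"


# Constructed sample: the two domains named in the post plus hypothetical variants.
SAMPLES = [
    "https://www.equifaxsecurity2017.com",      # the real breach-response site
    "https://securityequifax2017.com",          # the demonstration clone
    "https://breach.equifax.com/enroll",        # hypothetical subdomain approach
    "https://equifax.com@login.example/",       # userinfo trick, host is login.example
    "https://equifax.com.account.example/",     # official name used only as a prefix
    "https://www.example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):10} {u}")
```

The real response site and the clone land in the same class, which is the problem the post describes: nothing in the hostname lets a filter or a user tell them apart, while a subdomain of the official domain would pass the check.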

Links: