Attack on German Industrial Plant Reminiscent of Stuxnet

On December 17th, 2014, the German Federal Office for Information Security reported on an attack on an industrial iron plant. The official report explained that through targeted email phishing and subsequent social engineering, attackers were able to gain access to the plant’s outward Windows-based system. From there, attackers were able to access production networks and cause serious issues with system controls, resulting in furnaces being unable to shut down properly and causing serious damage to the entire system.

This attack shares many similarities with the Stuxnet worm, which caused issues with a number of Iranian nuclear plants in June 2010. The worm, which the US and Israel have since claimed credit for, was typically installed via an infected flash drive. Using four different zero-day exploits, Stuxnet would propagate and conceal itself throughout the network, searching for compromised control units and modifying their code whenever possible. Stuxnet caused irreparable damage to the uranium refinement centrifuges of over one fifth of Iran’s nuclear plants before being resolved.

German officials say they do not know the reason behind this attack at present, but that they are investing this and a number of related incidents thoroughly. A number of security experts note that an official statement about an attack of this magnitude is uncommon, and may indicate a paradigm shift in the way governments handle cyber-to-physical attacks.

Sources:

State Department’s Email Compromised

The State Department’s unclassified email systems were hit by cyberattacks in recent weeks.  Sections of the system have been shut down to improve security and no classified systems were effected.  Maintenance is being performed on the system and will affect unclassified email traffic and employee access to public websites from the unclassified system, and it should be back up soon.  Analysis of the incident reports by the Department of Homeland Security show a common element of social engineering attempts.  This breach was part of the attack on the White House’s Executive Office of the President.  This is one of many breaches in the past few months.  Other incidents include the White House , the Office of Personnel Management, and just this week the U.S. Postal Service and National Oceanic and Atmospheric Administration.

The USPS said that more than 800,000 employees may have been compromised along with the information of customers who contacted the call center during the first eight months of the year.  At NOAA four agency’s websites were affected but no further information was given.

The State Department has agreed to brief lawmakers on the cyberattack.  A letter was sent to Secretary of State John Kerry on Monday from House Oversight Committee Ranking Member Elijah Cummings seeking more information by January 5 to help Congress as it considers cybersecurity laws and other ways to protect government and consumer information.  He is also seeking what the State Department is doing to improve its security since the breach.

Sources:

http://www.politico.com/story/2014/11/state-department-cybersecurity-hacking-112951.html

http://www.reuters.com/article/2014/11/17/us-cybersecurity-statedept-idUSKCN0J11BR20141117

iPhone ATM PIN code hack

There is now a way from people to steal your ATM PIN code. All it takes is a add on to your phone. What this add on does is that it makes your camera on your phone inferred. This means that you can now see the heat signature’s of things through your camera. How this is a problem is that after someone types their PIN in a ATM if you walk up and take a picture of the keypad with this inferred camera you can see what keys they pressed before they left. You can also tell for the most part in what order the keys where pressed by how bright the color that is left. There is only 2 ways that you can protect yourself from this. One thing that would make this difficult would be if the PIN had the same number in it 2 or more times. The other would be rub you hand on the keypad after you are done putting in you PIN so that the heat of your hand would get on all of the keys making it impossible to know which ones you really used. There is a 80% accuracy if the image was taken right after the PIN was typed in. After 1 minute there is about a 50% of getting the PIN right. The case that has the infrared camera on it is only about 200$ and you can get it at any Apple store. Also this does not work on metal keypads because it reflects and dissipates the heat to fast. Rubber and plastic keypads work the best for retaining the heat signature.

Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the windows kernel, more specifically it targets the Win32k TrueType font parsing engine. The reason why its big news is because its a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes, and other systems information. While the specific organisations that have been targeted haven’t been made public, they all dealt with highly sensitive things such industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something that the targeted user would open.

So security experts have began to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet. The reason being that they share a lot in common. They both exploited zero-days relating to the windows kernel, both are signed using stolen certificates, and they both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet but so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously while Duqu is reliant on command and control servers. Stuxnet targeted industrial machines while Duqu is attacking computer systems.

There are many features that add to Duqu’s sophisticated nature that raises it above the level of ordinary malware. One is that its able to communicate through server message blocks, the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren’t connected to the internet but were on a network with devices that were. On top of that it was able to receive and transmit message from the C&C server by transmitting the data to a computer connected to the internet and then through SMB to the device on the network that didn’t have internet access. Even the C&C servers themselves show a high level of dedication because they used a unique C&C server for each individual attack. So far only two have been discovered with one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 jpeg files as containers to store stolen data. This way the network traffic wouldn’t show important data moving around just jpeg files. After 30 days of running on the system Duqu deletes itself hiding anyway of detecting it had been there.

So what I most likely think is that Duqu was created and used by the same people who did Stuxnet, and due to the level of sophistication and scale it was most likely a state actor. The state actor probably being a collaboration between the USA and Israel. As of right now Microsoft still hasn’t fixed the vulnerability that allows it. For most users this isn’t that big of a deal because the exact method of the zero-day isn’t known so Duqu’s the only one using it. So unless you happen to be part of large organization then the threat and danger from Duqu is minimal.

Further reading:
http://www.informationweek.com/news/security/vulnerabilities/231902121
http://www.theregister.co.uk/2011/11/11/duqu_analysis/
http://en.wikipedia.org/wiki/Duqu

 

 

 

Facebook’s security woes: 600K accounts compromised per day

Facebook’s security woes: 600K accounts compromised per day

By Kara Reeder

November 2, 2011, 7:49 AM PDT

Takeaway: Kara Reeder reports on the latest security mishaps from the Facebook camp.

With more than 800 million active users, there’s no shortage of people looking for loopholes in the social network. The latest vulnerability has been discovered by Nathan Powers, who works for technology consultancy CDW. Powers has discovered a way for a user to send an executable file to another user who is not their friend. The risk, as Computerworld points out, is that “a hacker [could] send, for instance, a key logging program to another user in a kind of spear-phishing attack.”

Facebook’s Security Manager Ryan McGeehan is downplaying the flaw, noting that “an additional layer of social engineering” would be required for the scam to work.

Security issues are nothing new for Facebook. In fact, as msnbc.com reports, buried deep in a recent security announcement, Facebook revealed that 600,000 accounts are compromised every day. Of course, Facebook put a different spin on it, saying “only 0.06 percent of 1 billion logins per day are compromised.” Still, 600,000 a day is nothing to scoff at as hijacked Facebook accounts lay the foundation for a number of misbehaviors, including cyber bullying and scams designed to trick unsuspecting users into coughing up money.

Editor’s Note: Facebook has clarified what they mean by “compromised.” According to TechCrunch:

Facebook wants it known that these accounts weren’t hacked or compromised on Facebook itself, they are compromised off site, such as through phishing scams, for example.

Facebook blocks access to accounts when they have reason to believe someone other than the true owner is trying to access it. Here is Facebook’s original infographic (PDF), which includes the numbers cited (.06% of 1 billion logins per day).

 

I am astonished that Facebook down plays such a large number of compromised accounts.  600,000 accounts a day are compromised!  I can’t even begin to wrap my head around that figure.  Many of these users are not in the information technology field and most likely don’t have a healthy sense of skepticism when using a social networking site like Facebook.  IF attackers are able to compromise user’s accounts, they can harvest useful information that user’s post on Facebook assuming their information is safe and secure.  They need a password to access their profile so they assume no one else is able to access the profile without their knowledge.  This is definitely not a safe assumption to make.  The stat of 600,000 compromised accounts a day clearly prove that.

The discovery of the latest vulnerability of Facebook was made by Nathan Powers of CDW.  The vulnerability makes it possible for an attacker to send an executable file to another user that they are not friends with.  Programs like key loggers and bonnets could be sent in attempts at a spear fishing attack.  This presents a major security risk for the end users of Facebook.  Their personal information including passwords, pin numbers, web surfing activity, and bank account numbers to name a few could now be possible accessed remotely by another Facebook user.  The victim would have no idea that this was happening until it was too late.  The attacker could also make fraudulent entries on the victims Facebook profile and damage their reputation with friends, family and colleagues.

I myself am a Facebook user, but after reading this article I am going to have to think long and hard if continuing to do so is just too risky.  It is wonderful that I am able to keep in touch with friends and family that live far away and see pictures of them; but is that really worth possibly exposing myself to an attacker looking to hack my account and cause havoc?