Tabloid Phone Hacking

Scores of celebrities are claiming damages from Mirror Group Newspapers resulting from phone and voice mail hacking incidents.  Address books, messages, and voice mails were stolen, and stories were published using the information.  Four Sunday Mirror journalists have been arrested, and in November of 2014, former Sunday Mirror investigations editor Graham Johnson pleaded guilty to intercepting voicemail messages.  He was the second Mirror Group Newspapers journalist to admit to phone hacking.

In September of 2014 the owner and publisher of the Daily Mirror and the Sunday Mirror, Trinity Mirror admitted that some of its “journalists” had been involved in phone hacking, and apologized for the unlawful activity.  MGM also printed the following apology:

“It was unlawful and should never have happened, and fell far below the standards our readers expect and deserve.  We are taking this opportunity to give every victim a sincere apology for what happened.”

MGN has informed its shareholders that it would set aside funds to pay for the cost of settling phone hacking claims as costs have exceeded initial estimates.  Both criminal and civil penalties are expected.

As I dug into this story I found that this was more widespread.  It would appear that journalists began to rely on phone hacking to make news throughout the 2000s.  Several resources were used including black hat hackers and private investigators.  One journalist admitted to hacking one hundred celebrities every day for eighteen months.

http://www.bbc.com/news/uk-england-24059941

http://en.wikipedia.org/wiki/List_of_alleged_victims_of_the_News_International_phone_hacking_scandal

Bill Edwards

Phishing Leads to Man-In-The-Middle Attacks

Krebs on Security reported that a security company called Proofpoint had detected a 4 week-long targeted phishing campaign against customers of one of Brazil’s largest ISPs who use two routers (UTStarcom and TP-Link) that are commonly used on that ISP. The emails pretended to be an account/billing message from the ISP with a link to a fake site that looked like the ISP’s site. The fake site used a cross-site request forgery exploit to start a brute force attack against the victim’s router administrator login page using default usernames and passwords for the two brands of routers. Once the script had successfully logged in it would change the router’s primary DNS (Dynamic Name Server) address to the criminal’s own malicious DNS. This allows the crooks to monitor all web traffic, hi-jack search results and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data like usernames, passwords and credit card info. This could also lead to the installation of other malware.

dnshijack-600x162
I
mage of malicious iframe scripts used to hi-jack the router and DNS

This type of  attack is especially dangerous because it can bypass antivirus and security tool detection and can even lead to the router and hosts becoming part of a bot-net.

The important take away from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks.

Sources:
http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/
https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm

Author: Charles Leavitt

Attack on German Industrial Plant Reminiscent of Stuxnet

On December 17th, 2014, the German Federal Office for Information Security reported on an attack on an industrial iron plant. The official report explained that through targeted email phishing and subsequent social engineering, attackers were able to gain access to the plant’s outward Windows-based system. From there, attackers were able to access production networks and cause serious issues with system controls, resulting in furnaces being unable to shut down properly and causing serious damage to the entire system.

This attack shares many similarities with the Stuxnet worm, which caused issues with a number of Iranian nuclear plants in June 2010. The worm, which the US and Israel have since claimed credit for, was typically installed via an infected flash drive. Using four different zero-day exploits, Stuxnet would propagate and conceal itself throughout the network, searching for compromised control units and modifying their code whenever possible. Stuxnet caused irreparable damage to the uranium refinement centrifuges of over one fifth of Iran’s nuclear plants before being resolved.

German officials say they do not know the reason behind this attack at present, but that they are investing this and a number of related incidents thoroughly. A number of security experts note that an official statement about an attack of this magnitude is uncommon, and may indicate a paradigm shift in the way governments handle cyber-to-physical attacks.

Sources:

State Department’s Email Compromised

The State Department’s unclassified email systems were hit by cyberattacks in recent weeks.  Sections of the system have been shut down to improve security and no classified systems were effected.  Maintenance is being performed on the system and will affect unclassified email traffic and employee access to public websites from the unclassified system, and it should be back up soon.  Analysis of the incident reports by the Department of Homeland Security show a common element of social engineering attempts.  This breach was part of the attack on the White House’s Executive Office of the President.  This is one of many breaches in the past few months.  Other incidents include the White House , the Office of Personnel Management, and just this week the U.S. Postal Service and National Oceanic and Atmospheric Administration.

The USPS said that more than 800,000 employees may have been compromised along with the information of customers who contacted the call center during the first eight months of the year.  At NOAA four agency’s websites were affected but no further information was given.

The State Department has agreed to brief lawmakers on the cyberattack.  A letter was sent to Secretary of State John Kerry on Monday from House Oversight Committee Ranking Member Elijah Cummings seeking more information by January 5 to help Congress as it considers cybersecurity laws and other ways to protect government and consumer information.  He is also seeking what the State Department is doing to improve its security since the breach.

Sources:
http://www.politico.com/story/2014/11/state-department-cybersecurity-hacking-112951.html
http://www.reuters.com/article/2014/11/17/us-cybersecurity-statedept-idUSKCN0J11BR20141117

iPhone ATM PIN code hack

There is now a way from people to steal your ATM PIN code. All it takes is a add on to your phone. What this add on does is that it makes your camera on your phone inferred. This means that you can now see the heat signature’s of things through your camera. How this is a problem is that after someone types their PIN in a ATM if you walk up and take a picture of the keypad with this inferred camera you can see what keys they pressed before they left. You can also tell for the most part in what order the keys where pressed by how bright the color that is left. There is only 2 ways that you can protect yourself from this. One thing that would make this difficult would be if the PIN had the same number in it 2 or more times. The other would be rub you hand on the keypad after you are done putting in you PIN so that the heat of your hand would get on all of the keys making it impossible to know which ones you really used. There is a 80% accuracy if the image was taken right after the PIN was typed in. After 1 minute there is about a 50% of getting the PIN right. The case that has the infrared camera on it is only about 200$ and you can get it at any Apple store. Also this does not work on metal keypads because it reflects and dissipates the heat to fast. Rubber and plastic keypads work the best for retaining the heat signature.