Wednesday, March 27, 2013

Anonymous and society, supposedly anarchy incarnate but is the cake a lie?



Recently, Anonymous has been trying to prove to society, and by extension to each individual, that it is more than just a force of anarchy. The collective has started investigating the cyber mysteries that seem to elude the authorities. The first instance of this is the following.


"Evidence of a gang rape committed by members of an Ohio high school football team, including video, was, in the way of digital native teenagers today, put online on various social media sites — and was quickly taken down as students began realizing the magnitude of the situation. The activist group Anonymous has been able to find archived and cached versions of the damning content, which may help prosecutors make their case."

Obviously, helping to find rapists is a worthy goal, but does it really erase the sins of the group's past? The damage Anonymous has done by hacking banks, other businesses and even government records has been astounding. Well, maybe it helps if they pitch in a bit more.

From: http://www.huffingtonpost.com/2013/02/19/anonymous-hackers-chinese-army_n_2717352.html?utm_hp_ref=cybersecurity

An American computer security company released an explosive report Tuesday linking a Chinese military unit to a growing number of cyber attacks against American companies, organizations and government agencies.

But some of those connections -- including profiles of the individual hackers in China -- could not have been made without the work of the hacker group Anonymous, according to the report by the security firm Mandiant.

Security researchers and government officials have long claimed that China is behind a growing number of cyber attacks against American computer networks, a charge that China has repeatedly denied. But Mandiant's 73-page report was unusual in its level of detail, going so far as to profile the identities of three hackers who are believed to be working for the Chinese military. Mandiant said it was able to find connections between two of those hackers and China's People’s Liberation Army by relying on public data first revealed by the hacker group Anonymous.

The group's ability to assist with national security will make it interesting to see how and when its members are prosecuted for their other offenses. The real question becomes: will groups of online hackers be a force for good or for evil in the future?

The Stuxnet attack and legality

Were we in the right?




The Stuxnet attack is one of the first large-scale attacks to date that targeted a critical industrial system. The Stuxnet worm might have gone unnoticed, but reportedly an employee carried it out of the plant on his laptop, and the result was that Stuxnet was unleashed on the world. But why was it developed in the first place?

From: http://www.wired.com/threatlevel/2013/03/stuxnet-act-of-force/

Stuxnet was launched in 2009 and 2010, and possibly 2008 as well, and targeted cascades and centrifuges at the Natanz uranium enrichment plant in Iran. The cyberweapon was reportedly designed by Israel and the U.S. in an effort to set back Iran’s ability to produce a nuclear weapon, though the U.S. has not officially acknowledged its role in the attack. Until the attacks occurred, intelligence agencies speculated that Iran would be able to produce a nuclear weapon by 2010. The attacks by Stuxnet are believed to have set back the program by an estimated three years.

The 300-page legal manual was produced by 20 researchers, including legal scholars and senior military lawyers from NATO countries, with assistance from cybersecurity analysts.


It was carefully planned, but the question, as always, is: were we right? Morality aside, diplomacy functions within a worldwide legal framework. Were we legally right? Unfortunately there just isn't enough precedent or law yet to settle the question.

James A. Lewis, a researcher at the Center for Strategic and International Studies, said the researchers were getting ahead of themselves and there had not been enough incidents of cyberconflict yet to develop a sound interpretation of the law in that regard.

“A cyberattack is generally not going to be an act of force. That is why Estonia did not trigger Article 5 in 2007,” he said, referring to the coordinated DDoS attacks that took down the computer networks of banks, government agencies and media outlets in Estonia that were blamed on Russia, or hackers sympathetic to the Russian government.  Unfortunately, the legal footing for cyber warfare is not shrinking; it is getting firmer:


From: http://www.nextgov.com/cybersecurity/2013/03/yes-cyberattacks-are-perfectly-legal-under-laws-war/62015/

This makes a recent study from a group of NATO experts very, very welcome. Called the Tallinn Manual, it seeks to adapt the existing laws of war to cyberspace, laying down 95 new ideas over 282 pages. Many of them are just common-sense extensions of current international principles: According to one rule, cyberwarriors must take care not to hit the same targets that are off-limits to conventional forces.

...These include civilians, albeit with a crucial caveat: If you’re a civilian who’s decided to join the fight, you become a legitimate target even if you aren’t affiliated with a government or a military.

Unfortunately this treats cyber attacks as lawful acts of war, and it means any entity can join in, even civilians, who then become legitimate targets themselves. The striking part is that the Tallinn Manual, written by experts applying the existing law of armed conflict, is setting the stage for this rather than preventing it. It is an expert study rather than binding law, but it reads the Geneva Conventions and their kin as permitting such attacks, not forbidding them. Hopefully future developments will move toward preventing these kinds of attacks rather than licensing them.

Sometimes a wrench is just a wrench... until its a bomb

Teamviewer a great tool for fixing things...

till its a hacking tool

TeamViewer is an excellent tool that lets network administrators fix problems remotely. Since it and similar tools appeared, technicians can diagnose and repair machines without leaving their desks, which has led to IT departments running remote support centers that can even remove rootkits from computers remotely. Recently, however, TeamViewer has found a new and less welcome application.

From: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240151544/how-teamspy-turned-legitimate-teamviewer-app-into-cyberespionage-tool.html

TeamSpy is a cyberespionage operation targeting government agencies, businesses, and activists that may stretch back as far as roughly a decade. Many of its victims appear to be from Europe. The crew took advantage of the functionality of the TeamViewer application, which is used for remote control, Web conferencing, desktop sharing, online meetings, and transferring files between computers. The malware installs a version of TeamViewer on infected systems. The attackers then extend TeamViewer's functionality to provide additional stealth, dynamically patching it in memory to remove indications of its presence.

This attack allows complete remote access to and control of an individual's computer. That computer can then be used to reach other machines on the network and infect them. The campaign was especially successful in Eastern Europe. Since the disclosure, many organizations have asked, "what can I do about this?"

From: http://www.securelist.com/en/blog/208194185/The_TeamSpy_Crew_Attacks_Abusing_TeamViewer_for_Cyberespionage

1. Scan for the presence of the “teamviewer.exe” application.
2. Block access to the known command-and-control domains and IP addresses. (see our full technical paper)
3. Implement a rigid patch-management plan throughout the organization. This operation includes the use of popular exploit kits that target known desktop software security vulnerabilities.


But this doesn't answer the question for organizations that actually USE TeamViewer today. What do they do? The tool is a crucial part of their infrastructure. Unfortunately, I don't see a solution coming soon, until TeamViewer patches its software.
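One way to act on the checklist above without waiting for a vendor patch (the binary TeamSpy abused was a legitimate copy of TeamViewer, patched in memory) is to treat TeamViewer like any other remote-access tool: know which hosts are allowed to run it, where it is allowed to live on disk, and where it is allowed to talk. The Python below is an added example written for this post, not code from Kaspersky, TeamViewer or the TeamSpy report. It runs over constructed process-start and network-connection telemetry lines; the host allow-list, install directories and C2 indicators are placeholders (the real indicators are in the Securelist technical paper).

```python
import re

# Constructed endpoint telemetry for the example; not real TeamSpy data.
SAMPLE_LOG = r"""
2013-03-20T10:12:03Z host=HELPDESK-01 event=process_start pid=2104 image="C:\Program Files (x86)\TeamViewer\TeamViewer.exe"
2013-03-20T10:12:09Z host=HELPDESK-01 event=net_connect pid=2104 dst=master1.teamviewer.com:5938
2013-03-20T11:02:44Z host=WS-ACCT-17 event=process_start pid=3320 image="C:\Users\jsmith\AppData\Roaming\tv\teamviewer.exe"
2013-03-20T11:02:51Z host=WS-ACCT-17 event=net_connect pid=3320 dst=c2.example.invalid:443
2013-03-20T11:03:10Z host=WS-ACCT-17 event=process_start pid=3388 image="C:\Windows\System32\notepad.exe"
""".strip().splitlines()

# Assumed policy: hosts allowed to run TeamViewer and the directories a vendor
# install normally occupies. Adjust to your environment.
APPROVED_HOSTS = {"HELPDESK-01", "HELPDESK-02"}
EXPECTED_INSTALL_DIRS = (r"c:\program files\teamviewer", r"c:\program files (x86)\teamviewer")

# Placeholder indicators standing in for the C2 list in the TeamSpy technical paper.
BAD_DESTINATIONS = {"c2.example.invalid", "198.51.100.23"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one 'key=value' telemetry line into a dict; quoted values are unquoted."""
    fields = {"ts": line.split(" ", 1)[0]}
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields

def build_sessions(lines):
    """Group each (host, pid) with its image path and the hosts it connected to."""
    sessions = {}
    for f in map(parse_line, lines):
        s = sessions.setdefault((f["host"], f["pid"]), {"image": None, "dst": set()})
        if f["event"] == "process_start":
            s["image"] = f["image"]
        elif f["event"] == "net_connect":
            s["dst"].add(f["dst"].rsplit(":", 1)[0])   # drop the port
    return sessions

def suspicious_reasons(host, image, destinations):
    """Why a TeamViewer process looks like TeamSpy abuse rather than help-desk use."""
    reasons = []
    if image is None or not image.lower().endswith("\\teamviewer.exe"):
        return reasons                                  # not the remote-control binary
    if host.upper() not in APPROVED_HOSTS:
        reasons.append("runs on a host outside the TeamViewer allow-list")
    if not image.lower().startswith(EXPECTED_INSTALL_DIRS):
        reasons.append("image outside the standard install directory: " + image)
    c2 = sorted(destinations & BAD_DESTINATIONS)
    if c2:
        reasons.append("connects to a known C2 indicator: " + ", ".join(c2))
    return reasons

def find_rogue_teamviewer(lines):
    """Return [(host, pid, [reasons])] for every TeamViewer instance worth triaging."""
    findings = []
    for (host, pid), s in sorted(build_sessions(lines).items()):
        reasons = suspicious_reasons(host, s["image"], s["dst"])
        if reasons:
            findings.append((host, pid, reasons))
    return findings

if __name__ == "__main__":
    for host, pid, reasons in find_rogue_teamviewer(SAMPLE_LOG):
        print(f"{host} pid {pid}")
        for r in reasons:
            print("  -", r)
```

The help-desk instance passes all three checks and is left alone; the copy running out of a user profile on an accounting workstation and talking to the placeholder C2 is flagged on every check. Any one of the three reasons is enough to open a ticket; a sanctioned deployment should produce none.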

iPhones and Smartphones: A Growing Threat to Network Security



With the rise of iPods, tablets and smartphones, network security specialists have a whole new avenue through which their networks can be compromised. The obvious threat, someone walking data off the network on one of these storage and mobile computing devices, is more visible than the threat posed by malware and messaging flaws on iPhones and other smart devices:


The hacker, who calls himself "pod2g" and is best known for jailbreaking iPhones, said Friday that the vulnerability could let an attacker send a message pretending to be from a bank, credit card company or other trusted source.

Because the flaw does not involve code execution, an attacker does not need to get malware past Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices.

Pod2g, a self-professed iPhone security researcher, said the flaw is "severe" and affects all current versions of iOS and iOS 6 beta 4. IOS is the iPhone and iPad operating system.

This is a serious threat to network security. The pod2g flaw is a spoofing bug rather than a virus (as the excerpt notes, it involves no code execution), but it shows how little users can trust what arrives on a phone. If malware did spread to smartphones, then any computer that phone was plugged into, even just to download a song, could be infected as well. How do you manage computer access when these devices are just a USB port away from compromising the security of the whole network?


At the most basic level, companies can monitor the devices that connect to their network. Companies can track which devices connect to their internal systems, which means treating a phone no differently than a laptop, desktop, or server, says Tyler Lessard, chief marketing officer at Fixmo, a mobile-device security firm.

"You can allow any user to access the network, but then say, 'I'm going to watch what devices are coming in, and if any of them look like they are potentially malicious or bad, then I might go out and react to it,'" Lessard says.

This most basic level of monitoring has the benefit of being inexpensive. The necessary data could be culled from firewall logs, but companies would benefit from more tailored systems designed to alert in real time.

As the passage notes, firewall logs alone give only coarse, after-the-fact visibility, so network admins are looking for new tools to deal with this.

Traveling further up the security food chain, companies can focus on both the users and the devices. Companies that do not allow their users to access sensitive data on their devices--limiting access, say, to ActiveSync's e-mail and calendar services--could potentially just register each device with a mobile-device management (MDM) system and assign each user a certificate to access the network.

Companies that want to control the devices, but not necessarily the applications on the devices, should require that each user register their device with the MDM software. While turning off access for all unregistered devices may work in theory, IT departments will be more successful using a carrot-and-stick approach: Giving each user, say, 30 days to register their devices before cutting them off, and granting additional benefits--such as VPN access--to users that finish the enrollment process, says Ahmed Datoo, vice president of product marketing at Citrix.

"So there is no way for them to get e-mail unless they enroll their device--that is the stick approach," Datoo says. "You give them a warning, and there is an amnesty period."

Combined with the ability to restrict which data each user account can reach, to lock down ports and to keep unauthorized devices off the network, this is a very strong solution. The only problem is that it isn't cheap. Hopefully the cost will come down as the technology matures.
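To make the monitor-then-enroll approach concrete, here is an added Python example (mine, not code from Fixmo, Citrix or the article quoted above). It reads constructed ISC dhcpd lease lines, picks out devices whose hostnames look like phones or tablets, and applies the carrot-and-stick policy: enrolled devices get full access, unenrolled ones keep mail for a 30-day grace period, and anything past that is blocked. The inventory, hostnames and the 30-day value are assumptions for the example.

```python
import re
from datetime import date

TODAY = date(2013, 3, 26)   # fixed clock so the example is reproducible
GRACE_DAYS = 30             # the amnesty period from the quote above (assumed value)

# Constructed ISC dhcpd syslog lines; not real data.
SAMPLE_DHCP_LOG = """
Mar 26 08:01:12 gw dhcpd: DHCPACK on 10.0.20.41 to a4:d1:d2:11:22:33 (Alices-iPhone) via eth1
Mar 26 08:03:40 gw dhcpd: DHCPACK on 10.0.20.42 to 40:b0:fa:44:55:66 (android-9f3c2a1b) via eth1
Mar 26 08:05:02 gw dhcpd: DHCPACK on 10.0.20.43 to 00:1a:2b:77:88:99 (ENG-LAPTOP-12) via eth1
Mar 26 08:07:55 gw dhcpd: DHCPACK on 10.0.20.44 to 7c:d1:c3:aa:bb:cc (Bobs-iPad) via eth1
Mar 26 08:09:13 gw dhcpd: DHCPACK on 10.0.20.45 to 9c:20:7b:dd:ee:ff via eth1
""".strip().splitlines()

# Constructed inventory keyed by MAC: first sighting and MDM enrollment state.
# In practice this is joined from the MDM console and DHCP lease history.
DEVICE_INVENTORY = {
    "a4:d1:d2:11:22:33": {"first_seen": date(2013, 1, 15), "enrolled": True},
    "40:b0:fa:44:55:66": {"first_seen": date(2013, 3, 10), "enrolled": False},
    "7c:d1:c3:aa:bb:cc": {"first_seen": date(2013, 1, 20), "enrolled": False},
}

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via"
)
# Hostname is a weak fingerprint (DHCP option 60 or 802.1X is better), but it is
# what a DHCP or firewall log gives you for free.
MOBILE_HOSTNAME_RE = re.compile(r"iphone|ipad|ipod|android", re.IGNORECASE)

def parse_dhcpack(line):
    """Extract ip, mac and (optional) hostname from a DHCPACK line, else None."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["host"] = fields["host"] or ""
    return fields

def looks_mobile(hostname):
    return bool(MOBILE_HOSTNAME_RE.search(hostname))

def access_decision(mac, hostname, today=TODAY):
    """Return (decision, detail) for one device seen on the network."""
    if not looks_mobile(hostname):
        return ("out-of-scope", "not recognised as a mobile device")
    record = DEVICE_INVENTORY.get(mac)
    if record is None:
        return ("quarantine", "unknown mobile device with no inventory record")
    if record["enrolled"]:
        return ("full", "MDM-enrolled: mail, calendar and VPN")
    remaining = GRACE_DAYS - (today - record["first_seen"]).days
    if remaining > 0:                                   # carrot: warn, keep mail
        return ("mail-only", f"unenrolled, {remaining} day(s) of grace left")
    return ("block", f"unenrolled, {-remaining} day(s) past the grace period")  # stick

def evaluate(lines, today=TODAY):
    """Map every MAC in the DHCP log to its access decision."""
    results = {}
    for f in filter(None, map(parse_dhcpack, lines)):
        results[f["mac"]] = access_decision(f["mac"], f["host"], today)
    return results

if __name__ == "__main__":
    for mac, (decision, detail) in evaluate(SAMPLE_DHCP_LOG).items():
        print(f"{mac}  {decision:12s} {detail}")
```

The weak spot is the last lease line: a device with no hostname falls out of scope, which is exactly the kind of gap that pushes organisations from log watching toward device certificates and 802.1X, as the quoted passage suggests.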

Thursday, March 14, 2013

Visa and credit card theft... oh my!

Visa's relatively recent policy of fining merchants that are compromised is going to court next week. Genesco, a footwear and sportswear retailer, is taking Visa to court over fines imposed after an intrusion into its card-processing systems that went undetected from 2009 to 2010. More information on this from http://www.computerworld.com/s/article/9237588/Retailer_hauls_Visa_to_court_over_13.3M_fine_for_payment_card_data_breach?taxonomyId=17

After the intrusion was discovered, Visa issued an alert to affected card issuers, informing them that every Visa card that was processed by Genesco over a one-year period between Dec. 2009 and Dec. 2010 had been compromised. Visa later collected a total of $13.29 million in fines from Wells Fargo Bank and Fifth Third Bank, the two "acquiring banks" that had authorized Genesco's participation in the Visa payment system.

Visa insists that the fines are a necessary way of dealing with merchants that have lax security, and has built them into its contracts. However, Genesco stated:

None of these situations applied with the 2010 intrusion, Genesco said in its complaint. The company noted that it was fully compliant with PCI requirements at the time of the breach. As required under PCI, no card data was ever stored on Genesco's systems at any time during the intrusion.

But why are all of these rules necessary? Unfortunately, because card and identity theft are way up. From http://krebsonsecurity.com/

Sadly, Social Security numbers and even credit reports are not difficult to find using inexpensive services advertised openly in several cybercrime forums. In most cases, these services are open to all comers; the only limitation is knowing the site’s current Web address (such sites tend to move frequently) and being able to fund an account with a virtual currency, such as WebMoney or Liberty Reserve.

Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to drivers license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.


These markets demonstrate that online breaches of databases are not only realistic, they are on the rise, and their proceeds are cheap to buy. Should Visa be fining merchants for this? Maybe; most people do think with their wallets. No matter what, this needs to be addressed.

Thursday, March 7, 2013




Social Spearing, I mean Phishing


The idea of social engineering is not unique to computers, and is certainly not new to the world. Con men have been squeezing information out of people with a courteous smile and a willing ear for hundreds of years, and now the internet is seeing the mixture of con artistry and coding. This technique is known as phishing. Phishing is defined as: a party misrepresenting itself as a reputable third party in order to garner information that compromises one or both parties. If that was too wordy: it's when someone (a con artist) pretends to be someone else (say, your bank) to get information they shouldn't have (your account name, password and routing number). A Gartner study found that about one in five users had clicked on a phishing link at some point.

Even worse, phishers are getting smarter. Some use public records to work out the answers to commonly used security questions. As per: http://threatsim.com/2013/01/29/call-it-2013-year-spear-phishing/


We all know that Facebook, LinkedIn, and the Internet in general make it really easy to find personal info that can be used to spear phish your end users. If an attacker is that motivated to get someone at your company, then it’s only a matter of time before they are successful.

Especially with Facebook and MySpace making so much information available, the ability to find very personal details is at an all-time high (thanks for the picture of... Fluffy, that's right, Fluffy was my old dog's name!). A study conducted at Indiana University showed that people who had a lot of information posted on social networking pages were MUCH more vulnerable than other potential victims. It also found that gender had an effect on whether a user fell for this type of attack, with women typically being more trusting than men.

Basic spoofing combined with this social phishing has led to an alarming rate of compromised users. Once the victims find out, they are often incredibly upset, but often for the wrong reasons. After being contacted by the university that ran the study referenced above, some victims believed their email had been hacked (how else could the sender be spoofed? oh wait, it's really easy), which was not the case, but they lacked the technical knowledge to understand this. Some went into denial and would not acknowledge that they had been fooled at all. This is dangerous, since a user who denies the problem will not correct the behavior that caused it. The last reaction is understandable anger at having their privacy violated.


Sadly, many of these attacks could be prevented, and the biggest lever is education. With the ubiquity of computers, an ethical or safe computing class should probably be mandatory in high school, or at the very least in college. Even telling users to check that the URL is correct and that the connection uses HTTPS would be a step in the right direction, with the caveat that a padlock only proves you are talking to whoever owns that domain, not that the domain is the one you meant to visit. Education beyond this would help users stay aware of threats to them and their online identity.

As per: http://newswatch.nationalgeographic.com/2013/03/06/hacking-the-mind-social-engineering/


Earlier today I was listening to one of my favorite podcasts, The Drill Down, and Dwayne D. mentioned how frustrating it is for many people to juggle multiple passwords, especially those that need to change frequently.
One of the other co-hosts suggested using a two-pronged security system, which requires a code to be sent to a device for access. Another suggested using a virtual vault to store passwords behind encryption. Dwayne was skeptical, arguing that access needs to be as simple as possible for users, while still being secure.
The other way to prevent these attacks is to require digitally signed email, so that we can actually tell who is sending what. Another is to develop software that detects websites that are likely phishing, or even emails that are likely spoofed. This software would not be hard to develop; for instance, a way to tell the difference between www.Iightscribe.com and www.lightscribe.com (Iightscribe with a capital i and lightscribe with a lowercase L, if you couldn't tell). Amazon has had a number of attacks conducted against it and its users. I’m sure they’d be all about solving this.
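As an added illustration of how such a detector can work (my example, not software from Amazon or anyone quoted above), the Python below reduces a hostname to a confusable-insensitive skeleton (capital I and digit 1 to l, rn to m, a few Cyrillic look-alikes to Latin), compares it and its edit distance against a small assumed list of protected brands, and also catches two other common tricks: a brand name buried in a subdomain, and a `user@host` prefix that makes the real host look like part of the path. The protected domains and test URLs are made up for the example, and the two-label "registrable domain" shortcut stands in for a proper Public Suffix List lookup.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed list of domains we want to protect users from being lured away from.
PROTECTED_DOMAINS = {"lightscribe.com", "amazon.com", "example-bank.com"}

# Single-character look-alikes, applied before lower-casing so a capital I survives.
SINGLE_CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o", "O": "o",
    "5": "s", "$": "s",
    "3": "e",
    # a few Cyrillic letters that render like Latin ones (IDN homographs)
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}
# Letter pairs that read as one letter in many fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}

def skeleton(label):
    """Collapse a hostname to a confusable-insensitive form: Iightscribe -> lightscribe."""
    s = unicodedata.normalize("NFKC", label)          # fold fullwidth forms etc.
    s = "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in s).lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s

def registrable(host):
    """Last two labels as a stand-in for the registrable domain (use the PSL in production)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def levenshtein(a, b):
    """Edit distance, for catching one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_url(url):
    """Return (verdict, reason): verdict is 'legit', 'suspicious', 'phish' or 'unknown'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:                    # https://brand.com@evil/ trick
        return ("phish", f"userinfo '{parts.username}' hides the real host {host}")
    reg = registrable(host)
    if reg in PROTECTED_DOMAINS:
        if parts.scheme != "https":
            return ("suspicious", f"{reg} reached over plain {parts.scheme}")
        return ("legit", reg)
    for brand in sorted(PROTECTED_DOMAINS):           # brand buried in a subdomain
        if brand in host:
            return ("phish", f"{brand} appears inside {host}, whose real domain is {reg}")
    for brand in sorted(PROTECTED_DOMAINS):           # look-alike or one-letter typo
        if skeleton(reg) == skeleton(brand) or levenshtein(skeleton(reg), skeleton(brand)) <= 1:
            return ("phish", f"{reg} looks like {brand}")
    return ("unknown", reg)

if __name__ == "__main__":
    for u in ("https://www.lightscribe.com/support", "http://www.Iightscribe.com/login",
              "https://arnazon.com/signin", "https://www.amazon.com.account-check.example/",
              "https://www.amazon.com@198.51.100.7/", "https://news.example.org/"):
        print(u, "->", assess_url(u))
```

Note that `urlsplit` lower-cases the hostname, so the capital-I trick reaches `assess_url` as `iightscribe.com` and is caught by edit distance rather than by the confusable table; the table still matters for digits, letter pairs and homographs, which survive lower-casing. A mail filter would run `skeleton` on the visible link text too, where case is preserved.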

In addition, the industry really does need to be less lazy, per: http://www.infosecurity-magazine.com/view/24356/successful-bank-phishing-attacks-target-compromised-infrastructure/

Agari found that system administrators aid phishing attacks by deploying unprotected infrastructure. Systems administrators could have prevented one-quarter of successful phishing attacks against banks by patching known vulnerabilities, the company judged.

In addition, Agari found that botnets no longer pose a significant phishing threat, with only 0.5% of successful bank phishing attacks sent by botnets.

Realistically, without education, further study and people actually caring, there is no way this problem is going to get solved. We as a society need to start giving a damn and educating our end users. Phishing is so profitable that it sure isn’t going away.


Thursday, February 21, 2013

DDoS attack against small bank

What do you mean the websites down, Oh Noes...

The number of companies that have been hit by DDoS attacks is simply astounding. Now cyber criminals have found a new use for this old technique. The "Bank of the West" and the contracting firm "Ascent Builders" found out the hard way that DDoS attacks are now being used to cover up actual financial fraud and theft. The way it works is simple:

1)  Hack an account through either social engineering or a software exploit
2)  Access that account and authorize a fund transfer
3)  Initiate a DDoS attack against the institution, thus making the website unusable for the victim and the bank
4)  Transfer the funds from the original account to another, then another, then another to prevent tracking
5) ???
6) Profit

Well, obviously the ??? isn't necessary, but who doesn't like a good joke. Unfortunately for Ascent Builders, this is not really a funny joke. From the article DDoS Attack on Bank Hid $900,000 Cyberheist:

But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve.


Unfortunately for these victims, the DDoS attack makes it incredibly hard for the FBI to sort out the traffic on the bank's website and identify the perpetrators. Sadly, DDoS attacks can be mitigated, and you'd think a financial institution would try to secure its website. From DDoS attack methods and how to prevent or mitigate them

The easiest, although a costly way to defend yourself, is to buy more bandwidth. A denial of service is a game of capacity. If you have 10,000 systems sending 1 Mbps your way that means you’re getting 10 Gb of data hitting your server every second. That’s a lot of traffic. In this case, the same rules apply as for normal redundancy.


In addition from:  http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

Behind a [corrupt] Client is a person that orchestrates an attack. A Handler is a compromised host with a special program running on it. Each handler is capable of controlling multiple agents. An Agent is a compromised host that runs a special program. Each agent is responsible for generating a stream of packets that is directed toward the intended victim.

Attackers have been known to use these four programs to launch DDoS attacks:
Trinoo
TFN
TFN2K
Stacheldraht

In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts. The hosts are usually Linux and SUN computers; but, the tools can be ported to other platforms as well.

It goes on to say that there are ways to tell if a computer is infected with these tools, and to deny traffic on that basis. Note that the tools it lists are from the early-2000s generation of DDoS agents; today's botnets are larger and harder to fingerprint, but the client/handler/agent structure is the same. These attacks can also be mitigated in other ways, such as:

1) Having your ISP limit the number of failed or excess queries that reach your link
2) Spreading the load across multiple DNS servers to absorb the extra capacity
3) Caching servers, which spare your origin servers a full exchange for every request
4) Setting up traffic management (rate limiting and filtering)
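The "game of capacity" point is easy to see in code. The Python below is an added example, not from Cisco or the articles quoted above. It builds a constructed request stream with one ordinary client, one noisy single source and 400 slow bots, applies a per-source token bucket (the usual rate-limiting building block behind "traffic management"), and then shows why that alone is not enough: each bot stays under the per-source limit, so the distributed flood passes, and only an aggregate view of requests and distinct sources per second reveals it. Rates, thresholds and addresses are invented for the demonstration.

```python
from collections import Counter, defaultdict

class TokenBucket:
    """Per-source limiter: `rate` tokens refill per second, up to `burst` tokens."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def make_traffic():
    """Constructed request stream of (seconds, source_ip); not captured traffic."""
    reqs = [(i * 0.5, "203.0.113.10") for i in range(20)]          # one real user, 2 rps
    reqs += [(i * 0.02, "198.51.100.5") for i in range(500)]        # one noisy host, 50 rps
    for b in range(400):                                            # 400 bots at 1 rps each
        reqs += [(i + (b % 100) / 100.0, f"10.{b // 256}.{b % 256}.77") for i in range(10)]
    return sorted(reqs)

def filter_per_source(requests, rate=5.0, burst=10):
    """Apply a token bucket per source; return (passed, dropped) Counters keyed by source."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    passed, dropped = Counter(), Counter()
    for ts, src in requests:
        (passed if buckets[src].allow(ts) else dropped)[src] += 1
    return passed, dropped

def window_stats(requests, window=1.0):
    """Per window: (request count, distinct sources). A jump in sources means 'distributed'."""
    counts, sources = Counter(), defaultdict(set)
    for ts, src in requests:
        w = int(ts // window)
        counts[w] += 1
        sources[w].add(src)
    return {w: (counts[w], len(sources[w])) for w in sorted(counts)}

def attack_windows(stats, baseline_rps, baseline_sources, factor=10):
    """Windows whose request rate or source count exceeds `factor` times the baseline."""
    return [w for w, (n, s) in stats.items()
            if n > factor * baseline_rps or s > factor * baseline_sources]

def bot_requests_passed(passed):
    """How many flood requests the per-source limiter let through (the 10.x.x.x bots)."""
    return sum(n for src, n in passed.items() if src.startswith("10."))

if __name__ == "__main__":
    traffic = make_traffic()
    passed, dropped = filter_per_source(traffic)
    print("real user passed/dropped:", passed["203.0.113.10"], dropped["203.0.113.10"])
    print("noisy host passed/dropped:", passed["198.51.100.5"], dropped["198.51.100.5"])
    print("bot requests that slipped through per-source limits:", bot_requests_passed(passed))
    print("windows flagged by aggregate view:", attack_windows(window_stats(traffic), 5, 3))
```

The per-source bucket does its job against the single noisy host (roughly burst plus rate times duration gets through, the rest is dropped) while leaving the real user untouched, but all 4,000 bot requests pass because no individual bot exceeds five requests a second. The aggregate view flags every second of the flood, which is the signal you would hand to an upstream provider or scrubbing service; that is the "buy capacity" half of the defence, since the filter on your own box only runs after the packets have already consumed your link.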

Google, as always, is a great resource, and searching for DDoS or how to prevent a DDoS will turn up valuable information. In addition, security websites like Dark Reading or local security professionals can help get you up to speed. These are just a few ways to educate yourself, and obviously people or businesses really serious about security should be contacting a professional to help mitigate these attacks immediately.