Expert Jacob Appelbaum’s keynote at CCC describes the deep catalog of hacks and backdoors at the NSA’s disposal.
Archive for December, 2013
The university hired a computer forensic company to remove the malware and investigate the extent of the breach. While affected files have been restored, the university has not been able to determine if patient information was acquired by an unauthorized party as a result of the malware.
The at-risk information includes patient names, dates of birth, medical record numbers, health insurance information, diagnoses, treatment information, driver’s license numbers, bank account numbers, credit and/or debit card numbers, and Social Security numbers. Affected patients are being offered a free year of credit monitoring services.
It is unclear as to why it took the university seven months to notify patients of the incident. The school has not released the number of patients affected by the breach, but noted that there had been no reports of information misuse. The university has since worked to secure its computer system.
As business owners, we know that we could be doing a better job protecting our data. We should be more responsible, have better controls and be more secure. Like the big companies, right? Hmmm.
Right before Christmas, someone hacked into Target’s systems and stole encrypted customer debit card PINs on top of 40 million credit card numbers belonging to the retail giant’s customers. Oh, and by the way, this was before ZDNet reported on other enormous security breaches suffered in 2013 by the world’s biggest names in media, government and technology, from the New York Times and Wall Street Journal to the U.S. Federal Reserve, Facebook, Adobe, Apple and Twitter. In all cases, private and confidential data was taken. Although there are suspicions, no one really knows who is taking the data or what it’s being used for. And after the furor dies down, no one can say for sure that the same won’t happen again.
These are not dipsy-doodle, little, tiny companies. These are some of the largest, best-known companies and government organizations in the world, ones that supposedly specialize in technology. And they couldn’t even protect themselves from getting hacked. So yes, we can take solace that we’re not alone. But we must also admit: this is serious. And our smaller businesses are not just as vulnerable. We’re more vulnerable. Why?
For starters, most of us are accepting and storing more credit card and Social Security numbers than ever. We’re accepting online and mobile payments. We’re sending out and receiving fewer checks and transacting more virtually. And when we accept this information, our customers are entrusting us to keep it on file so that they don’t have to give it to us more than once. So we’re responding to that request by storing it, both in on-premise and hosted databases that require nothing more than a simple password to access. Our security is terrible. And the hosted ecommerce services that we rely on (judging by the examples above) clearly aren’t much better.
And who will be to blame if our customers’ info is stolen? We will. Our customers will stop doing business with us. Some may sue us. Others may tell others or report their problems to the media. Our credibility would be challenged. Our reputations may be lost. We can no longer be trusted. We are embarrassed. And we are potentially facing enormous liabilities. Would you like to be the subject of the next ZDNet slide show featuring businesses that were hacked? I didn’t think so.
So how do you protect against this? There are ways. For example:
- You should always make sure your customer data is stored in an encrypted database.
- You should have multiple levels of passwords to access any database storing customer information and change these passwords frequently.
- You should periodically and regularly run background checks on employees handling customer data.
- You should make sure to have malware detection software running on both your servers (hosted or not) and workstations and ensure that your firewalls are up and secure.
- You should review and implement the standard network security health check controls like the ones suggested here.
- You should make sure your Disaster Plan (you have one, right?) has a plan for if a breach occurs.
- And you should have your attorney update your terms and conditions to hold you harmless in the event of a stolen data incident (although that still can’t stop anyone from suing you, you losing that suit or at the very least suffering the same lack of credibility and reputation issues).
It’s a brand new year. And with it will come even more hacks of private information. We’ll hear about the big ones from the big companies. However, the thousands of small companies who will be hacked this year will not make the national headlines. And unfortunately they will suffer the most. Let’s hope that you and I are not one of them.
A version of this column previously appeared on my blog for AVG Technologies, a client of mine.
One of the revelations from the latest Snowden document leaks described how the U.S. National Security Agency was able to intercept Microsoft Windows Error Reporting logs in order to fingerprint machines for potential compromise.
The German publication Der Spiegel says the documents indicated the NSA uses its XKeyscore tool to intercept the Windows crash reports. Making matters worse, the reports are sent unencrypted to Microsoft and Windows machines post-XP have this feature turned on by default. Windows admins must change a Group Policy setting in order to force encryption upon the initial transmission.
Reports of XKeyscore, meanwhile, surfaced in July hours before NSA Director Gen. Keith Alexander delivered the keynote address at the annual Black Hat Briefings in Las Vegas. Whistleblower Edward Snowden shared training materials with The Guardian that instruct agency analysts how to mine the agency’s vast intelligence databases for terrorism targets in the U.S. and abroad.
The crash reports, also known as Dr. Watson reports, are a wealth of system data, similar to what some strains of malware use in targeted attacks in order to identify potential system, network and application weaknesses that can be used to move laterally through an enterprise or government agency network.
Not only are these reports sent when there is a Windows crash, but also when there is a hardware change—and that includes the first-time use of a new USB device, including mobile devices. Researchers at Websense said the reports are sent over HTTP and the information includes the timestamp information, device manufacturer, identifier and revision, along with host computer information such as default language, operating system service pack and update version, hardware manufacturer, model and name, as well as BIOS version and unique machine identifier.
The Der Spiegel report says the NSA’s Tailored Access Operations (TAO) unit, a team of elite and young hackers, will use these identifiers to monitor for system crashes and learn about potential vulnerabilities that can be exploited.
Microsoft has more than one billion PCs on the planet reporting this information, and according to Websense director of security research Alex Watson, 80 percent do so in the clear. The reports aid Microsoft in improving the user experience but also identify bugs in Windows code that need attention. While IT security teams can leverage this information to understand soft spots on their networks, government agencies and nation state attackers can do the same.
“What these crash reports are—when you get enough of them—they create a blueprint of the applications running on a network that could be used by a skilled adversary to develop or deliver very specific attacks with a low chance of getting detected,” Watson said.
These Windows Error Reporting logs are different from the application crash reports that users are familiar with. For example, when Outlook or Internet Explorer crashes, users are presented with a dialog box and have the option of sending a crash report to Microsoft and asking Microsoft to find a solution. The Windows Error Reporting feature is different and is on by default; admins must opt-out of sending them to Microsoft, Watson said.
“This is for hardware changes or plugging in a USB device—which is considered to be a hardware change—it could be a thumb drive, anything you could think of and that will send that information to Microsoft without requiring that user to click ‘Yes,’” Watson said. “That is assuming the default setting [is on]— that you’re participating in the error program.”
Microsoft can reach back to the computer in question for a memory dump or core dump of the application when it crashed in order to further research the problem. Those requests and transmissions are encrypted using TLS 1.1 or 1.2 if available, protecting any sensitive information stored by Windows or an application such as log-in credentials. The first stage, however, is likely sent in the clear for performance reasons, Watson said.
The risk is, however, not necessarily if an attacker is on your computer or whether the machine is infected; chances are the attacker has already fingerprinted the compromised machine in order to hack it. Where the data is vulnerable is upstream as it’s sent between the machine and Microsoft, for example through a proxy or untrusted ISP used by multinational organizations.
“You would know exactly what applications were running on a network,” Watson said. “You could craft specific exploits or just pick the highest chance of likelihood of success of exploit and get the application and OS environment of your target.”
Watson said he hopes the revelations will raise awareness of the problem—which he believes is low in regard to IT managers being aware of the content of the reports and that they’re sent in the clear. He also hopes to encourage admins to look at these logs as a tool in the fight against advanced threats and use them as means of finding indicators a network has been compromised.
“When you’re executing an attack, there is going to be evidence or collateral damage happening as you move through the network,” Watson said. “You’re forcing a program to crash and then execute code in an order that’s not meant to be happening. Exploits generate error report logs, so we’ve been doing a lot of research into error report logs that are indicators of an advanced attack versus IE crashing on a webpage it doesn’t know how to render. This could be the first indicator of an attack.”
Websense said it has reported the issue to Microsoft through its MAPP partner sharing program, and added that it is also working with other vendors on similar reporting weaknesses in other massively distributed applications.
“By no means is Microsoft the only culprit that’s leaking information,” Watson said. “A lot of widely deployed applications, browsers and things like that, are at risk of leaking information.”
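Two of the points above, that first-stage reports cross the network over plain HTTP and that clusters of crash reports can be an early indicator of exploitation, can be checked from an outbound proxy log. The following is an added example, not code from the article or from Websense; the log format and the query fields are constructed for illustration (watson.microsoft.com is the real reporting endpoint, but the report format here is assumed, not Microsoft’s).

```python
"""Scan proxy log lines for Windows Error Reporting uploads: flag uploads sent
in the clear, and surface the same (application, module) faulting on several
hosts, the pattern the article describes as a possible exploit indicator."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

WER_HOST = "watson.microsoft.com"

# Constructed sample proxy log (not real traffic): "client method url status".
# The /StageOne path and the app= / mod= query fields are an assumed
# illustration of a first-stage report, not Microsoft's actual format.
SAMPLE_LOG = """\
10.0.1.21 GET http://watson.microsoft.com/StageOne/report?app=iexplore.exe&mod=mshtml.dll 200
10.0.1.21 GET http://watson.microsoft.com/StageOne/report?app=iexplore.exe&mod=mshtml.dll 200
10.0.1.22 GET http://watson.microsoft.com/StageOne/report?app=iexplore.exe&mod=mshtml.dll 200
10.0.1.23 GET https://watson.microsoft.com/StageOne/report?app=outlook.exe&mod=outlook.exe 200
10.0.1.24 GET http://watson.microsoft.com/StageOne/report?app=hwchange&mod=usbstor 200
10.0.1.25 GET http://www.example.com/index.html 200
this line is garbage and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one proxy log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["scheme"] = parts.scheme.lower()
    rec["host"] = parts.hostname or ""
    # parse_qs returns lists; keep the first value of each field
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def wer_records(lines):
    """Yield parsed records whose destination is the WER endpoint."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] == WER_HOST:
            yield rec


def find_cleartext_wer(lines):
    """(client, url) pairs for WER uploads that left the network over plain HTTP.

    Each hit is a policy gap: the first-stage report (OS version, hardware
    identifiers, faulting module) is readable by anyone on the path."""
    return [(r["client"], r["url"]) for r in wer_records(lines) if r["scheme"] == "http"]


def crash_summary(lines):
    """Map (application, faulting module) -> set of clients that reported it."""
    seen = defaultdict(set)
    for r in wer_records(lines):
        key = (r["query"].get("app", "?"), r["query"].get("mod", "?"))
        seen[key].add(r["client"])
    return seen


def widespread_crashes(lines, min_hosts=2):
    """(app, module) pairs that faulted on at least min_hosts distinct machines.

    One browser crash on an odd web page is noise; the same module faulting on
    several hosts in a short window is worth a look, as Watson describes."""
    summary = crash_summary(lines)
    return sorted(k for k, clients in summary.items() if len(clients) >= min_hosts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, url in find_cleartext_wer(lines):
        print(f"cleartext WER upload from {client}: {url}")
    for app, mod in widespread_crashes(lines):
        print(f"{app} faulting in {mod} on multiple hosts")
```

On the constructed sample, four uploads are flagged as cleartext (the HTTPS upload from 10.0.1.23 is not) and iexplore.exe faulting in mshtml.dll is reported by two different hosts.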
A Turkish hacking group compromised and defaced the website of OpenSSL, an open-source SSL and TLS encryption implementation resource.
Rather than trying to rank the NSA revelations on any sort of scale, we’ve put together an admittedly simplified list of some of the more interesting NSA-related stories to emerge in 2013.
Researchers demonstrated yesterday at the Chaos Communication Congress in Hamburg that they could write arbitrary code onto various SD memory cards, a hack that could give attackers the ability to perform man-in-the-middle attacks on devices housing the cards, as well as give users access to an inexpensive source of powerful and programmable microcontrollers.
Sean Cross, who goes by the hacker handle of xobs, and Dr. Andrew Huang, aka Bunnie, focused on managed flash devices including microSD, SD, MMC, eMMC, and iNAND devices. These are generally soldered onto the mainboards of smartphones for the purpose of storing operating system and other private user data, according to Huang. Similar vulnerabilities exist in related USB flash drives and SSDs.
More specifically, the researchers examined Appotech’s AX211 and AX215 products.
Flash memory has a number of performance issues, but it’s also inexpensive: 0.1 nanodollars per bit, to be exact. Huang claims that flash memory devices almost always contain bad memory blocks. The manufacturers work around this problem by implementing computational error correction algorithms that essentially create the illusion of perfect data to the user.
Huang explained at the conference that with flash memory you are not really storing your data; what you are storing is a probabilistic approximation of your data.
“The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions,” Huang explained in a related blogpost. “This is the result of a constant arms race between the engineers and mother nature; with every fabrication process shrink, memory becomes cheaper but more unreliable. Likewise, with every generation, the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale.”
Problematically, the algorithms that create this illusion are highly customized depending on the quality of the flash memory in each chip. Because of this, the manufacturers can’t correct the imperfections on the operating system or application level. Instead, they install fairly powerful microcontrollers onto each flash memory disk. In this case, the researchers worked with Intel 8051 microcontrollers.
“It’s probably cheaper to add these microcontrollers than to thoroughly test and characterize each flash memory chip,” Huang wrote, “which explains why managed flash devices can be cheaper per bit than raw flash chips, despite the inclusion of a microcontroller.”
The quality of flash memory chips varies widely from chip to chip. Sometimes companies build the chips with high-quality, new silicon. Sometimes the companies build flawed chips with recycled parts. In either case, these computational error correction algorithms are designed to make up for whatever level of deficiencies are present in the chips.
As the researchers said in their demo, if a company has a 16 GB flash SD card with 14 GB of bad memory blocks, then the manufacturer will apply their ECC algorithm, determine where the bad blocks are located, and sell the chip as a 2 GB SD card.
These microcontrollers must be able to handle vast numbers of hardware abstraction layers in order to accept firmware updates and ultimately process the unique algorithmic requirements of each flash implementation, especially for cases where third parties are handling the chips.
Huang and Cross discovered they could send a “knock” sequence with a manufacturer-designated command they found on a spec-sheet after searching around on the Chinese search engine Baidu. The command itself, followed by ‘A.P.P.O’ (the first four letters of Appotech) initiated the firmware loading mode on the chip. Once that process began, the chip would accept 512 bytes and run that data as code.
In other words, the maker of these particular chips, and likely a whole slew of others, is not adequately securing the firmware update process.
From this point, the researchers reverse engineered the 8051 controller and managed to build new applications for the controller without access to the manufacturer’s documentation.
“Most of this work was done using our open source hardware platform, Novena, and a set of custom flex circuit adapter cards (which, tangentially, lead toward the development of flexible circuit stickers aka chibitronics)” Huang explained on his blog.
The controllers also process SD commands with interrupt-driven callbacks, which the researchers claim are an ideal location to perform man-in-the-middle attacks. These attacks, Huang says, would be difficult to detect because there is no standard protocol to inspect the contents of the code running on these microcontrollers.
“Those in high-risk, high-sensitivity situations should assume that a “secure-erase” of a card is insufficient to guarantee the complete erasure of sensitive data,” Huang warns. “Therefore, it’s recommended to dispose of memory cards through total physical destruction (e.g., grind it up with a mortar and pestle).”
In terms of practical attacks, the vulnerability could offer an attacker the ability to eavesdrop. For example, an attacker could program a chip to report a smaller data capacity than the actual capacity of the chip. While a seller of counterfeit chips may want to do the opposite (have the chip report a capacity larger than the actual capacity), a would-be eavesdropper may want to keep a user in the dark about the chip’s full storage capacity in order to sequester data in hidden, non-erasable sections of the chip. A chip with more storage than advertised could be programmed to secretly copy all its data to a hidden store that would be nearly impossible to remove from the chip other than by physically destroying it.
During the demo, Huang also warned of a potential time-of-check-to-time-of-use (TOCTOU) attack. A knowledgeable attacker could present one version of a file for verification and a totally different (read: malicious) file for execution. An attacker could also perform selective modification attacks, swapping secure random number generators, binaries, or keys for unsecured ones.
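The TOCTOU hazard above comes down to how the reading side structures its check. The following is an added illustration, not the researchers’ code: a constructed stand-in for a card whose controller can answer the same read differently each time, used to contrast the unsafe verify-then-reread pattern with the safe one of hashing the exact bytes that will be used.

```python
"""Verify-then-use against storage whose controller may not be honest.
Constructed simulation only; no real card or hardware is involved."""
import hashlib


class UntrustedCard:
    """Constructed model of the talk's scenario: the controller serves the
    expected content on the first read of a file and different content on
    later reads, so a check on one copy says nothing about the next copy."""

    def __init__(self, first: bytes, later: bytes):
        self._first, self._later = first, later
        self.reads = 0

    def read_file(self) -> bytes:
        self.reads += 1
        return self._first if self.reads == 1 else self._later


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_then_reread(card, expected_hash):
    """Unsafe pattern: hash one copy, then fetch a second copy to act on.

    Returns the bytes that would be acted on, or None if the check failed."""
    if sha256(card.read_file()) != expected_hash:  # time of check ...
        return None
    return card.read_file()                        # ... time of use: a new read


def verify_and_use_same_bytes(card, expected_hash):
    """Safe pattern: read once, verify that buffer, act only on that buffer.

    A controller that swaps content between reads gains nothing, because the
    bytes that were checked are the only bytes ever used."""
    data = card.read_file()
    if sha256(data) != expected_hash:
        return None
    return data


# Constructed sample contents: a legitimate update script and a substituted one.
GOOD = b"#!/bin/sh\necho legitimate update\n"
BAD = b"#!/bin/sh\necho substituted content\n"
GOOD_HASH = sha256(GOOD)


def compare_patterns():
    """Return (bytes acted on by the unsafe pattern, bytes acted on by the safe one)."""
    unsafe = verify_then_reread(UntrustedCard(GOOD, BAD), GOOD_HASH)
    safe = verify_and_use_same_bytes(UntrustedCard(GOOD, BAD), GOOD_HASH)
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = compare_patterns()
    print("unsafe pattern acted on:", unsafe)
    print("safe pattern acted on:  ", safe)
```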
On a less malicious note, Huang writes that the research opens up a cheap avenue for hackers and hardware enthusiasts to customize the controllers for their own purposes.
“An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price. While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C or SPI-based sensors.”
You can find a link to the demonstration slides here.
A number of previously unreported vulnerabilities in Super Micro IPMI firmware were disclosed today that could put servers at hosting providers at risk.
The BEAST attacks, once thought mitigated, may again be viable because of weaknesses in RC4 rendering server-side mitigation moot, and Apple’s reluctance to enable a 1/1-n split client-side mitigation by default.
Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan.
SUMNER– The City of Sumner is mailing letters to 3,600 residents today, warning them of a security breach.
According to Sumner spokesperson Carmen Palmer, a temporary municipal court clerk sent hundreds of city files to her personal computer, including resident names, addresses and dates of birth. The files did not include any financial information.
The City of Sumner is contacting each individual on the list, apologizing for the situation.
The breach was discovered on Dec. 16.
The employee told police that she wanted to learn more about her job and had planned to review the information at home.
“The big information to add is that today we received the results on the forensic analysis of her personal computer, and they confirmed she did not access the data emailed on her personal system,” said Palmer.
“While we’re thankful this incident did not compromise anyone’s financial information, any personal information leaving our control gives us great concern, ” said Police Chief Brad Moericke. “We’re hoping, as she claimed, that this was just a stupid mistake made by an overzealous individual, but we’re not taking any chances.”
The employee has been terminated. The case is still being investigated, and the Pierce County Prosecutor will decide if formal charges will be filed.
© Copyright 2013 The Washington Times, LLC.
Digital Producer- Jacksonville Business Journal
About 58,000 credit union members in Jacksonville will receive new credit/debit cards after their information was compromised in Target’s security breach.
Earlier this month, Target said the theft occurred between Black Friday and Dec. 15 and compromised the information of about 40 million customers. Target later confirmed PIN numbers were stolen, but said they were encrypted.
The Northeast Florida Chapter of the League of Southeastern Credit Unions said Monday that local credit unions are issuing replacement cards this week to an estimated 58,000 members.
The credit unions researched card data and identified every member who used a card at a Target store during the breach period and compared the information with alerts received from Visa noting the card compromises. The credit unions began the process of notifying the members whose accounts could be at risk.
The local credit unions are bearing the full cost of issuing new cards and new card numbers.
Local credit unions in the Northeast Florida Chapter of the League of Southeastern Credit Unions include:
- 1-2-1 Financial Credit Union
- Alive Credit Union
- Anchor Seven Federal Credit Union
- City Police Federal Credit Union
- Coastline Federal Credit Union
- Community First Credit Union of Florida
- Container Mutual Credit Union
- Ducote Federal Credit Union
- Duval Federal Credit Union
- Farmers Federal Credit Union
- First Baptist Church Oakland Federal Credit Union
- First Coast Federal Credit Union
- First Florida Credit Union
- Florida Baptist Credit Union
- J M Associates Federal Credit Union
- Jacksonville Firemen’s Credit Union
- Jacksonville Postal Professional Credit Union
- Jax Federal Credit Union
- Jax Glidco Federal Credit Union
- Jax Metro Credit Union
- Metro North Federal Credit Union
- State Employees Credit Union
- VyStar Credit Union
Information from 1,918 Colorado Medicaid patients was breached after a temporary employee from outside contractor Colorado Community Health Alliance (CCHA) sent the information to his or her own personal email address, according to reports from The Denver Channel and The Pueblo Chieftain. The Colorado Department of Health Care Policy and Financing (the Department) believes that the information may have been intended for the employee’s use in another business.
The information, which is protected under HIPAA, includes patient names, dates of birth, addresses, telephone numbers, health conditions, and Medicaid identification numbers. Social Security numbers were not involved. Based on recent changes under the HIPAA Omnibus Rule, CCHA, though not a healthcare provider, is responsible for protecting patient information as a Colorado Medicaid business associate (BA) or subcontractor. Because of that connection to the patient data, CCHA should have had a business associate agreement (BAA) in place.
Business associates are third parties that provide services involving the use of protected health information (PHI) for a covered entity. All BAs must have a business associate agreement with the covered entity, and under the contract are prohibited from further disclosing PHI. BAAs also determine which party is responsible for notifying patients, the government, and media in the event of a breach, as well as the party responsible for paying associated penalties. A BAA between CCHA and Medicaid, if they do have one, could leave CCHA responsible for HIPAA violation fines.
The email was sent on November 21, and found during an audit the next day. The employee was immediately terminated. It is not clear if he or she will face charges.
Affected patients are being notified by mail. Both the Department and the CCHA are investigating the incident, and are adding undisclosed email communication and employee conduct policies to avoid future breaches.
PHIPrivacy.net also reported on the situation.
This transcript is automatically generated
EN TEXAS SENATOR CRUZ IS TAKING STEPS TO RENOUNCE HIS CANADIAN CITIZENSHIP.
HIS MOTHER WAS AMERICAN ANSWER HE RETAINS CITIZENSHIP IN THOSE HE WAS NOT BORN IN THE CONTINENTAL UNITED STATES MAYBE THIS SETS UP FOR A RUN FOR THE OF WHITE HOUSE? LET’S BRING IN A LAWYER AND FELLOW TEXAN.
YOU ARE A TEXAN BUT WHAT DO HE THINK ABOUT SENATOR CRUZ RENOUNCING THE CANADIAN SIDE OF HIS CITIZENSHIP? IT IS PRETTY CLEAR.
EVERYBODY IN TEXAS IS WELL AWARE HE IS A MARVELOUS POLITICIAN WITH GREAT POLITICAL AMBITION.
HE CANNOT RUN FOR THE PRESIDENCY IF HE HAS A CANADIAN CITIZENSHIP.
ONE OF THE REQUIREMENTS IS U.S.
CITIZENSHIP OF COURSE, .
HE SAYS IT IS NOT WHY BUT, ON.
STUART: IS THAT THE FEELING IN TEXAS? ABSOLUTELY.
NO QUESTION HE IS RUNNING.
STUART: I JUST WANTED YOUR THOUGHTS.
JOHN McCAIN WAS BORN IN THE PANAMA CANAL ZONE AND SENATOR CRUZ WAS BORN IN CANADA BUT BOTH HAVE CITIZENSHIP.
ALMOST ONE DOZEN CUSTOMERS ARE PURSUING CLASS-ACTION AGAINST A TARGET FOR THE DATA BREACH.
THEY CLAIM TARGET WAS NEGLIGENT.
MARK? THIS IS A CLASS-ACTION SUIT.
TELL THE THE LEGAL STATUS SO FAR? MULTIPLE SUITS HAVE BEEN FILED LAWYERS ARE COMPETING TO SEE WHO IS IN CHARGE OF LITIGATION.
THE GOAL IS PROBABLY TO FOLD TO ENRICH THE LAWYER THERE IS A PROFIT MOTIVE BUT ALSO TO TRY TO REGULATE INDUSTRY THAT THE GOVERNMENT CANNOT DO TO PROTECT THE AMERICAN CITIZEN AND THE SHOPPERS.
STUART: SO SOOTHING ON THE GROUND TARGET WAS NEGLIGENT BECAUSE IT LOST INFORMATION? IT IS A NICE WAY.
MAYBE THERE IS A UKRAINIAN SOURCE BEHIND THAT HACK WE CANNOT GO AFTER THE UKRAINIAN BUT WITH THE NEGLIGENCE CASE YOU HAVE TO PROVE THEY FAILED TO WIN HERE TO IMPRUDENT STANDARDS.
DID THEY ALLOW ACCESS TO THEIR COMPUTER SYSTEM TO PEOPLE WHO DID NOT NEED IT? TO THEY ROUTINELY CHANGE PASSWORDS OR EVER GETS OFF OF THE DEFAULT PASSWORD OR ANTI-VIRUS? STUART: WILL TARGET LOSE MONEY IN YOUR JUDGMENT? ABSOLUTELY.
IT SHOULD LOSE IT.
I WOULD TAKE THIS ON IF I WAS NOT BUSY ELSEWHERE.
STUART: TARGET WILL LOSE 200 MILLION BUT WHAT ABOUT THE PEOPLE THAT LOST INFORMATION THEY JUST GET A COUPON? THAT IS IT.
I THINK PEOPLE WHO LOSE IDENTITIES COULD PROVE IN TO BE STOLEN SHOULD GIVE MORE THAN A CUBOID BUT REALISTICALLY IT IS A KEYBOARD CASE THAT YOU WILL GIVE ME GRIEF OVER A MAJOR.
THIS AFFECTS ME PERSONALLY AND ONE OF MY FAMILY MEMBERS TRIED TO USE A CARD IN CALIFORNIA WAS USED AT TARGET AND THAT CARD COULD NOT BE USED WITH AN ATTEMPT TO BUY CHRISTMAS PRESENTS WAS DECLINED TO PUT US THROUGH SEVERING HER TO ARRANGE PURCHASES AT THE LAST MINUTE AND I LIVE IN NEW JERSEY WHAT COMPENSATION TO I GET FOR THE TROUBLE? HOPEFULLY THEY WILL GET A COUPON OR SOMETHING.
IT HAS TO BE A CLASS ACTION NOBODY WILL BRING A CASE.
JUST TO GET A RECOVERY BUT TO PUT IT TOGETHER WITH THAT PROBM IT IS SOMETHING SIGNIFICANT AND TARGET SHOULD BE HELD ACCOUNTABLE.
THE LAWYERS GET CASHMAN OF THE SUFFERING PUBLIC WILL GET A KEY POINT DISCOUNT.
THE LAWYERS TO INVEST MILLIONS WILL BE PAID IN CASH.
[LAUGHTER] I SEE THE LEGAL SYSTEM TO ENSURE FAIR PLAY.
I DO NOT SEE IT AS A MONOPOLY INDUSTRY RUN BY LAWYERS.
IT IS THE ENFORCEMENT AGENCY OF THE AMERICAN PUBLIC IN ORDER TO KEEP RATES AND INJUSTICE AGAINST A SLANTED BALL FIELD AGAINST THEM.
STUART: IS IT FAIR YOU GET CASH AND I GET THE KEY BOND? IF YOU WANT CASH THIN PAY THE LAWYER TO PURSUE THE CASH.
YOU HAVE THAT RIGHT YOU WILL NOT DO THAT.
YOU ARE THE GUY THAT WE HATE TO LOVE.
[LAUGHTER] I LOVE TO LOVE YOU.
MARK, ALWAYS A PLEASURE.
WATCH OUT 2014 AFTER THE BREAK AGAINST SAYS A CRASH