Monday 11 November 2013

Bitcoin heist nets thieves $1.2 million – and site warns “don’t store your coins on the net”

Cyberthieves stole more than 4,100 bitcoins, worth $1.2 million, in a hacker “heist” on a site used to store the currency online, inputs.io. The hack is among the largest thefts in the currency’s four-year history.
The bitcoins were stolen after hackers accessed the site inputs.io, according to SlashGear. The site offered online wallets for storing bitcoins, which also mixed up wallets to anonymize coins and speed up payments, according to Wired.
TradeFortress, who worked for the company, said in a forum post, “I don’t recommend storing any bitcoins accessible on computers connected to the internet.” Bitcoin can be stored in offline “wallets”, or even written down as a private cryptographic key, Wired points out.
TradeFortress has said he will offer partial refunds from his own funds, and from the remaining bitcoins on the site – totalling 1,540 bitcoin.
He also said that he was worried about his personal safety. Yahoo News said that the “anonymity” of bitcoin transactions has led to speculation that the robbery may have been an “inside job”.
Some forum users taunted him with jokes such as “buy me a Rolex at least.” TradeFortress does not want to be identified, as he is “not much older than 18”, according to an ABC News report.
SlashGear’s report said the attackers compromised “the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side. Because of this, the hackers did gain access to the wallet’s database.”
The attacks happened on October 23 and 26, according to Wired.
The hackers transferred the bitcoin backend code to another compromised server. The site said in an official message, “I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement.”
The alleged theft is one of the largest in the currency’s four-year history, according to Yahoo. TradeFortress said that he was unlikely to report the theft to police.
“The police don’t have access to any more information than any user does when it comes to bitcoin. Some say it gives them control of their money,” he said in an interview with ABC.
ESET Malware Researcher Robert Lipovsky wrote in an earlier We Live Security post that Bitcoin and other crypto-currencies are being targeted by cybercriminals.
“There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims’ Bitcoin wallets, or both,” Lipovsky writes.

Hacking for Fun and (Not) Profit

Thanks to a handful of commands I'd typed into the terminal window on my loaner Linux laptop, I'd managed to take over a remote Windows machine. While giggling fiendishly the entire time, I'd also added a user account for myself and remotely rebooted that computer.
I was hacking, or rather, proto-hacking, and it was a tremendous rush.
I've always considered myself a bit of a technology geek on top of an infosec journalist. I administer my own network and I like to write my own scripts and small applications. I like taking apart hardware and installing custom firmware on devices. But I've never really known how to take these skills and put them together to remotely take over a computer. I knew how to use some of the tools but I used them as a defender to protect my network. I did not know how to put the skills together to actually break in. Until now.
"One person's penetration tester is another's hacker," Mike Belton, a team lead for penetration testing company Rapid7's Assessment Services group, told our little Hacker 101 class in New York. The same tools the network administrators use to scan their networks to identify problems and malicious activity are the same ones hackers use to gain illegal access to data and computers.
"You don't have to cause damage to be a hacker," Belton reminded us.
Hacker 101: Linux
Each one of us in Belton's class had a laptop running Kali Linux, a Linux distribution designed specifically for penetration testing, and was connected to a network containing a mix of vulnerable Windows and Linux machines. Belton showed us how to use Wireshark, nmap, a few other command line tools, and Metasploit, the penetration testing suite managed by Rapid7.
We "found" a Linux machine with a mis-configured NFS file-sharing service. We exploited the flaw to copy our own SSH key to the remote Linux machine so that we could log in as root. Even though we didn't have the root password, we were able to access a user's home directory because NFS was misconfigured, and that was all we needed.
There is a lesson to be learned here. Hackers don't need to brute force the root password if administrators and users leave holes like that wide open.
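The NFS hole described above is exactly the kind of thing an administrator can catch by auditing the export table before anyone else does. The following script is an added example, not part of the original article or the Rapid7 class material: it parses a (constructed) /etc/exports file in exports(5) syntax and flags the settings that let an arbitrary client write into home directories, map its root user to the server's root, or forge user identities. The file contents, host names and addresses are made up for the demonstration.

```python
"""Audit an exports(5) file for NFS settings that widen the attack surface.

Added example, not from the article. Flags the misconfigurations that let an
unprivileged NFS client write into a user's home directory (for instance, to
add a key to ~/.ssh/authorized_keys, the path the article's exercise used).
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    client: str
    reason: str


# Constructed sample /etc/exports, deliberately misconfigured for the demo.
SAMPLE_EXPORTS = """
# home directories exported to everyone, writable, no root squashing
/home *(rw,no_root_squash,sync)
/srv/backups 10.0.0.0/8(rw,insecure)
/srv/public 192.168.1.0/24(ro,root_squash,sync)
/export/data host1.example.internal(rw,sync)
"""

_SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return a list of (path, [(client, {options}), ...]) from exports(5) text.

    A bare "(rw)" with a space before it is a classic mistake: exports(5)
    treats an empty client as every host, so it is recorded as "*" here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], []
        for spec in parts[1:]:
            m = _SPEC_RE.match(spec)
            if m is None:                     # unbalanced parenthesis: keep raw
                specs.append((spec, set()))
                continue
            client = m.group(1) or "*"
            opts = set(o for o in (m.group(2) or "").split(",") if o)
            specs.append((client, opts))
        if not specs:                         # no client list at all: world
            specs.append(("*", set()))
        entries.append((path, specs))
    return entries


def audit_exports(text):
    """Return Findings for each export/client pair with a risky setting."""
    findings = []
    for path, specs in parse_exports(text):
        for client, opts in specs:
            writable = "rw" in opts
            if client == "*":
                findings.append(Finding(path, client,
                    "exported to every host" + (" with write access" if writable else "")))
            if "no_root_squash" in opts:
                findings.append(Finding(path, client,
                    "no_root_squash: a client's root user acts as root on the server"))
            if "insecure" in opts:
                findings.append(Finding(path, client,
                    "insecure: requests accepted from unprivileged ports, "
                    "so any user on the client can claim any uid"))
            if writable and (path == "/home" or path.startswith("/home/")):
                findings.append(Finding(path, client,
                    "writable home directories: a client can add entries to "
                    "~/.ssh/authorized_keys and log in over SSH"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path:<14} {f.client:<22} {f.reason}")
```

Run against a real file with `audit_exports(open("/etc/exports").read())`. The checks deliberately stop at the export table: a clean table does not prove the NFS server safe (squashing still maps to `nobody`, and AUTH_SYS trusts whatever uid the client sends), so pair this with restricting NFS to the hosts that actually need it.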
I poked around and read messages in the inbox, learned that TikiWiki was installed, and found a password file hiding in the backups directory. I know this was a VM carefully created with vulnerabilities and mistakes, but it was still pretty eye-opening (and entertaining!) looking at random directories and realizing how much information a person can gather just by being curious.
In a real-world scenario, I could have used that password file buried in the backups directory to gain access to the Web server or other sensitive machines. I could have looked at the TikiWiki configuration file for the database password.
Hacker 101: Windows XP
Belton also showed us how to use Metasploit to remotely exploit a Windows XP machine. From our previous reconnaissance activities, we knew the IP address of the Windows machines we could target. We configured Metasploit to look for a remote code execution vulnerability which existed in Windows 2000, XP, and 2003 Server, as well as in Windows Vista and Windows Server 2008 (CVE-2008-4250). Even though Microsoft had patched the flaw in 2008 (MS08-067), Belton said he still sees machines with this vulnerability when testing client networks.
Metasploit makes the entire experience feel like child's play. With the target computer set and a payload selected, we just typed the word "exploit" to launch the attack. I had this mental image of a catapult flying across with a flaming fireball and slamming into the castle walls.
"You've exploited an old XP VM and have an active meterpreter shell," Belton said. I wished we had sound effects to go with this exercise. We either needed a Batman-style "Pow" or canned applause, I am not sure which.
We took screenshots of the Windows box, and I rebooted the machine (something a true hacker wouldn't do, since the goal is to be stealthy). We also created user accounts on the Windows Domain Controller with administrator privileges. At this point, it was a snap to just open a remote desktop session and log in with our new accounts, and do whatever we wanted.
Tools Used for Good or Bad
The tools themselves aren't bad. I use them as a network administrator and tester pretty regularly. It's the motivations of the person using them that can be suspect. And after this exercise, I kind of understand the "hacking for lulz" mindset hacking pranksters Lulz Security espoused a few years ago when they went on their destructive spree. I was disappointed when we were told classtime was up. I was just getting started!
"You don't have to know as much [as you used to have to] to do as much damage," Belton said. The tools make it easy, but you still need to know enough (or be able to search online) to understand what you are seeing on the screen.
The hacker mindset is not the technical knowledge, but rather the willingness to poke around. It's not enough to say my computer doesn't have sensitive data, so anyone who breaks in can't cause damage. The person coming in is nosy enough to see what else I've done, what other computers I am mapped to, or what files I have deleted. It's the information that requires digging that's going to be my downfall, and that's exactly what these folks are curious enough to look for.
This is why we need to be better with our defenses.
Lesson Learned
I went home and found that while my Windows XP machine was fully patched, I apparently had a Windows 2003 server with the same RCE vulnerability that we had played with in class. Oops. I'd never updated that machine because it's been years since I had done anything with it, despite having it up and running on my network. I won't be making that mistake again.
The same rules apply: we need to keep up with software patches and updates. Use VPNs whenever we are on public wireless networks. Make sure we configure applications and services correctly, such as changing default passwords and turning off services we aren't using.
Happy defending!

Women Utterly Destroy Men in Social Engineering Competition

For the past five years, Chris Hadnagy, Chief Human Hacker at Social-Engineer, Inc, has run an unusual competition at Def Con. Called Social Engineering Capture The Flag, it challenges contestants to gather information on various companies (flags, if you will). This is social engineering: the art of collecting information from targets without having to break into a building or hack a network.
In the first phase, 20 contestants work to get information on target companies from publicly available sources. The last phase is a 25-minute marathon of phone calls where contestants pump victims for information. This ranges from the mundane ("Do you have a cafeteria?") to the critical ("Do you use disk encryption?") to the potentially disastrous: tricking victims into visiting fake URLs. This year's competition included ten companies, including Apple, Boeing, and General Dynamics among others.
Battle of the Sexes
"From the beginning we've always made a call for women to join," said Hadnagy. Adopting a "men vs. women" format and actively promoting the role of women in the competition helped bring better parity in the last two years. Hadnagy said that giving women more visibility in the project was critical, and encouraged others to join. "We had more women than we could take this year," he said.
How did women do against their male counterparts? "This year, the women not just won," said Hadnagy. "They obliterated men." Three of the top five slots went to women, and the top scoring social engineer had over 200 points more than the next highest scoring participant.
It's easy to draw a lot of conclusions from this data, but as far as women's success in social engineering is concerned, Hadnagy said there just isn't enough information. "I don't think it proves that people trust women inherently," he said. "The women winning shows something, but we have no data that shows they were women talking to men."
That said, the women had a broad range of scores compared to the men, which was noted in the contest's final report. It said: "variability in [women's scores] may be hypothesized from the fact that they were an extremely diverse group, coming from very different backgrounds and different experience levels." Men on the other hand tended to hang around the same range of scores with fewer outliers. "Although we ensured diversity as a group, the men tended to be more homogenous in background and experience level and perhaps this was reflected in the smaller range of scores."
I don't have the information to back it up, but I think this data shows the importance of including individuals from diverse backgrounds into any team. But that's just me.
The Information Is Already Out There
The competition's final report may be inconclusive about the role of gender, but it's clear that careful research was critical for the winners. Contestants found a shocking amount of information freely available online, and those with higher scores in the research phases tended to do much better during the actual calling.
In one case, a contestant found a public facing web portal for employees. Though it was secured with a password login, the contestant discovered that a publicly available help document provided by the target company contained a working username and password as an example. "It's 2013 and we're still seeing things like this," said Hadnagy.
But it didn't take major breaches in security to find most of the information the contestants were seeking. Much of it was available through social media, sometimes posted by individuals who linked their corporate email to a public service. One source of information surprised Hadnagy: "Myspace, believe it or not."
Better and Better Disguises
Hadnagy also noted that in addition to open source information gathering, contestants also used much more complex pretexts when calling companies in the final phase of the competition. Previous years saw many contestants posing as survey takers or students writing reports. Hadnagy actively discouraged that approach this year, reminding contestants that they would probably hang up on those calls themselves. "Why would anyone in a corporate environment answer these questions?" He asked.
These pretexts are attractive because they are more or less anonymous and have low risk for the caller. This year, however, saw more contestants posing as fellow employees or vendors that work with the target companies. While it carries more inherent risk, Hadnagy said that there was more inherent trust. "Automatically, contestants were trusted and given information right off the bat," he said.
Contestants' pretexts showed some interesting divergence along gender lines. Of the ten women, nine portrayed themselves as not being technically savvy and were looking for help from "fellow" employees. All the men in the competition posed as tech experts, and in some cases CEOs.
Know The Threat
While it's interesting to ponder the hows and whys of the competition, the indisputable fact is that ten companies gave up a huge amount of information—either over the phone or posted publicly online. While the information the contestants were after wasn't always inherently dangerous, it reads like a solid first step in a multi-tiered attack. One day you're asking about the cafeteria, and the next day you're asking for logins.
Hadnagy pins the problem on a lack of awareness among employees, usually stemming from poor education by the higher-ups. Training employees to think critically about what they post online and what they say over the phone, said Hadnagy, can pay off with fewer successful attacks.
One of his most intriguing suggestions was that companies not punish individuals who fall for scams, and encourage consequence-free reporting of possible breaches. Hadnagy told SecurityWatch that companies that follow these practices are generally better at handling these threats.
Regardless of whether you're part of a company or just an individual at home, knowing about the dangers of social engineering is critical. So the next time someone calls or emails you asking for some help, ask a few questions before you hand over the crown jewels.

The Consequences of CEOs Surfing for Porn

Malware analysts don't exactly have it easy. Even though they already protect their companies from external threats, employees easily hinder efforts to adequately defend the company from cyberattacks. ThreatTrack Security released a report revealing the internal challenges that prevent malware analysts from keeping their company networks threat-free.
The Tools and Confidence to Fight Malware
It's not all bad news. Malware analysts are now better equipped to take on advanced cyber threats and respond quicker to attacks.
At least 38 percent of malware analysts admitted that it's gotten easier to defend their company's network from cyberattacks because they have the necessary tools to defend their organization. A handy weapon that malware analysts in larger companies have employed is an Incident Response Team (IRT). IRTs identify, react to, and remediate threats such as zero-day attacks and Advanced Persistent Threats (APTs).
Secret Hobbies of Senior Executives?
Senior executives don't make their malware analysts' lives easy. Several malware infections that plague executives' devices are easily avoidable. A fair amount of companies' senior leaders get their devices infected by clicking on malicious links in a phishing email. Nearly 50 percent of the malware analysts asked said they've removed malware from a PC because of an infected USB drive or smartphone attached to the PC.
But wait, it gets better! Nearly 40 percent of malware analysts have removed malware from senior executives' devices after the leaders visited an infected pornographic website.
The Truth Behind Data Breaches
Malware analysts face an even greater issue than cleaning up their bosses' personal malware messes. Over 50 percent of the analysts included in the survey claimed that they've investigated or addressed a data breach that the company didn't disclose to customers, partners, or stakeholders. The study revealed that larger companies are three times as likely to not disclose data breaches as smaller ones.
Manufacturing and utility companies are the two industries most likely to not disclose data breaches; 79 percent of respondents admitted to keeping quiet about compromises. Over 50 percent of respondents in the IT and Telecom and healthcare industries also admitted to not revealing data breaches.
Forty-five percent of the malware analysts said that it takes them one to two hours to complete an analysis, while it takes between two and five hours for 39 percent. It can take several days for an analyst who has to analyze samples manually. Both the complexity and volume of malware attacks are the most difficult parts of defending an organization against advanced malware. It's a good idea for companies to use more automated malware analysis tools, like sandboxes. Sandboxes can complete malware sample analyses within minutes.
Words of Wisdom for Company Leaders
There's no need to make more unnecessary problems for malware analysts; they have enough on their plate protecting the company from external threats. Internal problems, like lending corporate PCs to family members or visiting pornographic websites, which lead to malware attacks, cause preventable problems for analysts. Undisclosed data breaches are both a disservice to customers and can inhibit analysts from finding solutions to the problem. It takes the combined effort of malware analysts, company leaders, and employees to protect enterprises against cyberattacks.

Google moves to protect Windows users from malicious Chrome extensions

Google has moved to protect Windows users of its Chrome browser from malicious extensions, reworking its strategy to require all add-ons to be hosted on its official Web Store.
Google engineering director Erik Kay announced the strategy shift in a post on the Chromium blog, confirming that the move is designed to protect businesses from the growing number of malicious Chrome extensions targeting Microsoft Windows.
Kay said that extensions are a useful way to expand the capabilities of Chrome, but many Windows users have alerted Google to the fact that these are being misused.
"Bad actors have abused this mechanism, bypassing the [install] prompt to silently install malicious extensions that override browser settings and alter the user experience in undesired ways, such as replacing the New Tab Page without approval," read the post.
"Since these malicious extensions are not hosted on the Chrome Web Store, it's difficult to limit the damage they can cause to our users. As part of our continuing security efforts, we're announcing a stronger measure to protect Windows users: starting in January on the Windows stable and beta channels, we'll require all extensions to be hosted in the Chrome Web Store."
Kay said businesses using extensions outside the store should begin migrating them now. "If your extensions are currently hosted outside the Chrome Web Store you should migrate them as soon as possible. There will be no impact to your users, who will still be able to use your extension as if nothing changed," read the post.
"You could keep the extensions hidden from the Web Store listings if you like. And if you have a dedicated installation flow from your own website, you can make use of the existing inline installs feature."
Google has been working to improve the security of its Chrome web browser for several years now. The firm pledged to issue Chrome web browser security patches for Windows XP until at least 2015, a year after Microsoft officially ends support for the operating system.

Patch Tuesday: Microsoft zero day Office vulnerability fix delayed

Microsoft's November Patch Tuesday will not include a fix for a zero day vulnerability in its Office service being actively targeted by cyber criminals, the firm has disclosed.
Microsoft confirmed that its latest Patch Tuesday fixes will address eight other security vulnerabilities. Rapid7 Security Engineering senior manager Ross Barrett explained that the fixes relate to separate issues in Microsoft Office as well as vulnerabilities in Internet Explorer and Windows.
"This is a relatively straightforward Patch Tuesday, with fixes for most Windows versions, the ever-present Internet Explorer roll-up patch, and some Office components, but nothing esoteric or difficult to patch. No SharePoint plugins, no complicated .NET patching, no esoteric office extensions," he said.

The flaw in Office was revealed earlier this week and Microsoft has confirmed that the vulnerability is being actively exploited by hackers. Security firms FireEye and Symantec have since traced the attacks to the Operation Hangover group of hackers. Operation Hangover is an espionage-focused hacking campaign that was uncovered in May.
Microsoft has released a workaround fix for the Office vulnerability but has yet to confirm when it will release a complete patch. Director of Security Research at Trustwave Ziv Mador said the critical nature of the Office vulnerability means Microsoft is likely to deliver a full fix in its December Patch Tuesday release.
"Microsoft has warned of a zero-day attack being actively exploited in the wild and directed against users of Microsoft Office. Microsoft has already released a 'Fix it' tool to help remediate this vulnerability but we will probably have to wait until next month for a full patch. The issues centre around how some components of Microsoft Office render TIFF files and can result in remote code execution," he said.
The latest Patch Tuesday updates are due for release on 12 November. Patch Tuesday is a part of Microsoft's wider efforts to improve its product security.
As well as the monthly security fixes, Microsoft also actively encourages security researchers to alert it of flaws in its services using bug bounty reward programmes. Microsoft expanded its bug bounty reward programme to reward researchers for alerts about active cyber attacks on its services as well as theoretical exploits earlier in November.