Posts tagged “attack”

Attacking WordPress

Source: Attacking WordPress Presentation by Mark Montague

For anyone getting into the security or penetration testing field, I believe you should do as much reading, learning, and testing as possible. I highly recommend this very informative read from Mark Montague, called Attacking WordPress.

He uses tools that ship with Kali Linux but are available to nearly every Linux user: WPScan, Weevely, and Metasploit. What he shows in his presentation is that he is not using anything he would consider advanced techniques; he uses basic skills and basic tools to find vulnerabilities in WordPress and successfully exploit them.

In his presentation, Mark Montague walks you through running WPScan to determine the version of WordPress and of its installed plugins, using Weevely to generate PHP code (a web shell) that allows the attacker to remotely control the server, and using Metasploit modules for further exploitation.
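To make the first step concrete, here is an added example of the passive fingerprinting WPScan performs; it is not code from Montague's presentation or from WPScan itself. The generator meta tag and the ?ver= query strings on core and theme assets give away the WordPress version, /wp-content/plugins/<slug>/ asset paths give away installed plugins, and a plugin's readme.txt states its version in the Stable tag line. The HTML page and readme below are constructed, the plugin slugs example-forms and example-slider are hypothetical, and the reference version handed to fingerprint() is something you supply from the current WordPress release; the script does no network I/O.

```python
import re

# Constructed sample WordPress front page (not captured from any real site).
SAMPLE_HOMEPAGE = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.1" />
<link rel='stylesheet' id='example-forms-css' href='https://example.test/wp-content/plugins/example-forms/css/styles.css?ver=4.0.3' type='text/css' media='all' />
<script type='text/javascript' src='https://example.test/wp-content/plugins/example-slider/js/slider.min.js?ver=4.1.4'></script>
<script type='text/javascript' src='https://example.test/wp-content/plugins/example-slider/js/slider.tools.min.js'></script>
<link rel='stylesheet' href='https://example.test/wp-content/themes/twentyfifteen/style.css?ver=4.1' type='text/css' />
</head><body></body></html>
"""

# Same page with the generator tag stripped, to exercise the weaker fallback.
SAMPLE_NO_GENERATOR = "\n".join(
    line for line in SAMPLE_HOMEPAGE.splitlines() if "generator" not in line)

# Constructed /wp-content/plugins/example-forms/readme.txt
SAMPLE_PLUGIN_README = """=== Example Forms ===
Contributors: example
Tags: contact, form
Requires at least: 3.9
Tested up to: 4.1
Stable tag: 4.0.3
"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)', re.I)
CORE_ASSET_VER_RE = re.compile(
    r"/wp-(?:includes|content/themes)/[^\"'\s>]*?[?&]ver=([0-9][0-9.]*)")
PLUGIN_URL_RE = re.compile(r"/wp-content/plugins/([\w-]+)/[^\"'\s>]*")
THEME_URL_RE = re.compile(r"/wp-content/themes/([\w-]+)/")
VER_PARAM_RE = re.compile(r"[?&]ver=([^&\"'\s>]+)")
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)", re.M)


def wp_core_version(html):
    """Core version or None. The generator tag is the strongest signal; a ?ver=
    on a core/theme asset is a weaker fallback (themes may append their own)."""
    m = GENERATOR_RE.search(html)
    if m:
        return m.group(1)
    m = CORE_ASSET_VER_RE.search(html)
    return m.group(1) if m else None


def enumerate_plugins(html):
    """Map plugin slug -> version hint from ?ver= (None when the page gives none)."""
    found = {}
    for m in PLUGIN_URL_RE.finditer(html):
        slug = m.group(1)
        v = VER_PARAM_RE.search(m.group(0))
        hint = v.group(1) if v else None
        if found.get(slug) is None:      # keep the first concrete version seen
            found[slug] = hint
    return found


def enumerate_themes(html):
    return sorted(set(THEME_URL_RE.findall(html)))


def plugin_version_from_readme(readme_text):
    """The Stable tag is the plugin's own version statement; 'trunk' means unpinned."""
    m = STABLE_TAG_RE.search(readme_text)
    if not m or m.group(1).lower() == "trunk":
        return None
    return m.group(1)


def version_tuple(v):
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_older(found, reference):
    """True if `found` is strictly older than `reference` (e.g. the current release)."""
    return version_tuple(found) < version_tuple(reference)


def fingerprint(html, readmes, current_core):
    """Assemble a WPScan-style report. `readmes` maps slug -> readme.txt text."""
    core = wp_core_version(html)
    plugins = {}
    for slug, hint in enumerate_plugins(html).items():
        # readme.txt is authoritative when fetchable; otherwise fall back to ?ver=
        plugins[slug] = plugin_version_from_readme(readmes.get(slug, "")) or hint
    return {
        "core": core,
        "core_outdated": bool(core) and is_older(core, current_core),
        "plugins": plugins,
        "themes": enumerate_themes(html),
    }


if __name__ == "__main__":
    report = fingerprint(SAMPLE_HOMEPAGE, {"example-forms": SAMPLE_PLUGIN_README}, "4.1.1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against a live target the same functions would be fed the fetched front page and each /wp-content/plugins/<slug>/readme.txt; the versions they return are what WPScan then looks up in its vulnerability database, which this example deliberately does not reproduce.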

Report: U.S. did carry out cyber attack against North Korea

Source: Yonhap News Agency

According to this report by the Yonhap News Agency, the U.S. did conduct a cyber operation against North Korea in retaliation for its alleged attack against Sony.

From the article:

North Korea’s Internet connections suffered outages for days in late December after U.S. President Barack Obama blamed the communist nation for the massive hack on Sony and promised a “proportional response.”

If this is true, it is actually quite a scary situation for everyone involved. Consider that a U.S. company like Sony has the U.S. Government to do its bidding; it really makes you think. I’m not concerned that the U.S. has a cyber operations center; we’ve known about it for quite some time. What we haven’t known is how, when, or why it would lead an attack against a nation. Now we know: all your nation-state has to do is attack a very large corporation in the U.S., and it will draw the eye of U.S. cyber operations.

What do you think? Should the U.S. launch a full-scale cyber assault on a nation because it was supposedly behind an “attack” on a large corporation? What precedent is being set here? If my small business gets attacked by a group in North Korea, will the U.S. launch a full-scale attack against them? How big does my business need to be before the U.S. government will carry out a full-scale cyber attack against North Korea to defend it?

Healthcare Industry Struck Again – St. Mary’s Hacked

Source: Healthcare IT News

I don’t usually do this, but I’ll start off this post with a quote from Healthcare IT News:

Think healthcare is not a target for cyberattacks? Think again. Following a pattern of increasing attack frequency, one Indiana-based hospital is the newest target, after hackers swiped the personal data of thousands.


So, if you look past the sensationalism in this article, you know, the “Think healthcare is not a target for cyberattacks” portion, it really makes you wonder about the state of security in the healthcare industry. Why is the healthcare industry being struck again and again?

Having come from that field of work, I know the answer. In fact, I can 99% guarantee you that I know the cause of the recent hacking of St. Mary’s Medical Center: not because I have insider knowledge of the incident, but because I know the industry, I know where the weaknesses are, and I know that nobody is doing anything to combat these problems.

I’m not a betting man, but I would be willing to wager that I know exactly what happened in this incident. Here we go:

Hackers/crackers/attackers probably got St. Mary’s Medical Center on their radar from another hacked hospital or healthcare organization, probably by scouring email from that organization. I would wager that St. Mary’s did nothing to provoke the attack.

Once the attackers had St. Mary’s Medical Center’s domain name, and maybe a doctor’s or staff member’s name and email address, a little simple recon occurred: scouring for more doctors’ and administrators’ names and email addresses. Some scouting of the website probably occurred as well, with the bad guys looking for VPN services, remote email (webmail), or something similar that they could log into given the proper credentials.

Once a decent list of names and emails was collected, the phishing attempts began. Maybe a phishing email about how to reset your password, or a phishing email offering a raise for which you need to enter your email credentials. They don’t need many submissions, only a couple, and with those they can leverage more and more information.

Once they have working credentials for a user or two, the attacker is able to push the attack further into the infrastructure by sending emails from the compromised mailbox, now a “trusted source” inside the organization, asking users to visit a page and hand over their credentials. This leads to an avalanche effect, where they gain more and more credentials.

The next revelation will be a little shocking to most: the Protected Health Information (PHI) that was stolen was most likely a “secondary” target of the breach. From my experience, attackers are motivated by more substantial, quicker, and easier ways of getting money than selling PHI. I believe the primary goal of the attackers was to see if they could access the doctors’ HR files and change the doctors’ direct deposit information to a bank account they control, so they could take the money and run. PHI will provide some potential money for the attackers, but the primary source could be the doctors’ paychecks.

So, there you have it. That is my guess at what occurred at St. Mary’s. We may see in the coming months what really happened, but that is my bet.

The only other option is that St. Mary’s hires some big-name company to help assess the damage, and they flip it around to say it was a nation-state actor trying to get its hands on super-secret formularies for a new breakthrough cure-all drug that St. Mary’s, a 585-bed hospital, is producing; but in the end, we all know that would be a lie.

Releasing Ten Million Passwords

Source:  Xato.net

Today, Mark Burnett is releasing 10 million passwords, available for download on his website.

This isn’t the first time passwords have been released. The current most popular (I think; I have no facts behind this statement) “dictionary” used for password cracking is the “RockYou” list, which came from the 2009 breach of RockYou, where tens of millions of user passwords had been stored in plaintext.

So, on the “blue team” (defender) side, this gives us another list of passwords to run against our user databases, to ensure that users aren’t using any of them. On the “red team” (attacker) side, it gives us another very large wordlist to test passwords against.
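Here is an added example of that blue-team use of such a list; it is my illustration, not code from Burnett's release. The leak below is a constructed five-line file in the username:password layout the release uses, the user accounts are made up, and PBKDF2 is the stored-hash scheme I assume for the user table. Two checks are shown: rejecting a new password at signup or reset (and, since this release ships usernames too, rejecting an exact username/password pair that has leaked, which is what credential stuffing would try first), and a batch audit of existing salted hashes, which cannot be done by simple lookup.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed mini "leak" in the username:password layout of the release.
# These are not real leaked records.
SAMPLE_LEAK = """\
jsmith:password1
mary.k:Summer2014
admin:P@ssw0rd
bob:letmein
carol:Summer2014
"""


def load_leak(text):
    """Parse 'user:password' lines into a password set and a (user, password) pair set."""
    passwords, pairs = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        passwords.add(pw)
        pairs.add((user.strip().lower(), pw))
    return passwords, pairs


def normalize(pw):
    # NFKC folds composed/decomposed Unicode so the same password typed two
    # ways compares (and hashes) the same.
    return unicodedata.normalize("NFKC", pw)


def check_new_password(username, password, breached, pairs):
    """Policy check at signup/reset. Returns None if acceptable, else a reason."""
    pw = normalize(password)
    if (username.strip().lower(), pw) in pairs:
        return "this exact username/password pair has appeared in a breach"
    if pw in breached:
        return "password appears in a public breach list"
    return None


def hash_password(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"), salt, iterations)


def make_user_db(users, iterations):
    """Constructed user table: name -> (salt, iterations, digest)."""
    db = {}
    for name, pw in users:
        salt = os.urandom(16)
        db[name] = (salt, iterations, hash_password(pw, salt, iterations))
    return db


def audit_user_db(db, breached):
    """Stored hashes are salted, so the leak cannot be matched by lookup: every
    leaked password must be re-hashed under each user's salt. That costs
    users x leak_size x iterations PBKDF2 rounds, which is why this runs as an
    offline batch job rather than at login time."""
    flagged = []
    for name, (salt, iterations, digest) in db.items():
        for pw in breached:
            if hmac.compare_digest(hash_password(pw, salt, iterations), digest):
                flagged.append(name)
                break
    return sorted(flagged)


BREACHED, PAIRS = load_leak(SAMPLE_LEAK)
# Constructed accounts; a low iteration count keeps the demo fast (use far more in production).
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("bob", "letmein"), ("dave", "Summer2014")]
USER_DB = make_user_db(SAMPLE_USERS, iterations=2000)

if __name__ == "__main__":
    print("reused pair:", check_new_password("bob", "letmein", BREACHED, PAIRS))
    print("breached password:", check_new_password("alice", "P@ssw0rd", BREACHED, PAIRS))
    print("ok:", check_new_password("alice", "correct horse battery staple", BREACHED, PAIRS))
    print("flagged accounts:", audit_user_db(USER_DB, BREACHED))
```

With a ten-million-entry list the audit loop is the expensive part: prune the list to entries that pass your own length/complexity policy first, since anything that fails policy could not be a stored password anyway, and cap it further to the most common entries if the hash work function is slow.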

I don’t see this as a huge hacker release; when it comes down to it, I believe Mark is releasing these passwords to test the law.

From the post at Xato.net:

Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone. Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature. If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime.

But is it against the law? There are several statutes that the government used against Brown, as summarized by the Digital Media Law Project:

Count One: Traffic in Stolen Authentication Features, 18 U.S.C. §§ 1028(a)(2), (b)(1)(B), and (c)(3)(A); Aid and Abet, 18 U.S.C. § 2: Transferring the hyperlink to stolen credit card account information from one IRC channel to his own (#ProjectPM), thereby making stolen information available to other persons without Stratfor or the card holders’ knowledge or consent; aiding and abetting in the trafficking of this stolen data.

Count Two: Access Device Fraud, 18 U.S.C. §§ 1029(a)(3) and (c)(1)(A)(i); Aid and Abet, 18 U.S.C. § 2: Aiding and abetting the possession of at least fifteen unauthorized access devices with intent to defraud by possessing card information without the card holders’ knowledge and authorization.

Counts Three Through Twelve: Aggravated Identity Theft, 18 U.S.C. § 1028A(a)(1); Aid and Abet, 18 U.S.C. § 2: Ten counts of aiding and abetting identity theft, for knowingly and without authorization transferring identification documents by transferring and possessing means of identifying ten individuals in Texas, Florida, and Arizona, in the form of their credit card numbers and the corresponding CVVs for authentication as well as personal addresses and other contact information.

While these particular indictments refer to credit card data, the laws do also reference authentication features. Two of the key points here are knowingly and with intent to defraud.

In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.

To ensure that these logins cannot be used for illegal purposes, I have:

  1. Limited identifying information by removing the domain portion from email addresses
  2. Combined data samples from thousands of global incidents from the last five years with other data mixed in going back an additional ten years so the accounts cannot be tied to any one company.
  3. Removed any keywords, such as company names, that might indicate the source of the login information.
  4. Manually reviewed much of the data to remove information that might be particularly linked to an individual
  5. Removed information that appeared to be a credit card or financial account number.
  6. Where possible, removed accounts belonging to employees of any government or military sources [Note: although I can identify government or military logins when they include full email addresses, sometimes these logins get posted without the domains, without mentioning the source, or aggregated on other lists and therefore it is impossible to know if I have removed all references.]

Furthermore, I believe these are primarily dead passwords, which cannot be defined as authentication features because dead passwords will not allow you to authenticate. The likelihood of any authentication information included still being valid is low and therefore this data is largely useless for illegal purposes. To my knowledge, these passwords are dead because:

  1. All data currently is or was at one time generally available to anyone and discoverable via search engines in a plaintext (unhashed and unencrypted) format and therefore already widely available to those with an intent to defraud or gain unauthorized access to computer systems.
  2. The data has been publicly available long enough (up to ten years) for companies to reset passwords and notify users. In fact, I would consider any organization to be grossly negligent to be unaware of these leaks and still have not changed user passwords after these being publicly visible for such a long period of time.
  3. The data is collected by numerous web sites such as haveibeenpwned or pwnedlist and others where users can check and be notified if their own accounts have been compromised.
  4. Many companies, such as Facebook, also monitor public data dumps to identify user accounts in their user base that may have been compromised and proactively notify users.
  5. A portion of users, either on their own or required by policy, change their passwords on a regular basis regardless of being aware of compromised login information.
  6. Many organizations, particularly in some industries, actively identify unusual login patterns and automatically disable accounts or notify account owners.

Ultimately, to the best of my knowledge these passwords are no longer valid and I have taken extraordinary measures to make this data ineffective in targeting particular users or organizations. This data is extremely valuable for academic and research purposes and for furthering authentication security and this is why I have released it to the public domain.

Having said all that, I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment. I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me.

I could have released this data anonymously like everyone else does but why should I have to? I clearly have no criminal intent here. It is beyond all reason that any researcher, student, or journalist has to be afraid of law enforcement agencies that are supposed to be protecting us instead of trying to find ways to use the laws against us.


Read more at Xato.net

Why the Sony hack is unlikely to be the work of North Korea

Source: Marc’s Security Ramblings and Krypt3ia

I agree that everyone jumping on the bandwagon saying N. Korea is behind this hack is wrong. This is the way I feel about a fair number of security ramblings coming from Mandiant/FireEye, Norse, and the rest of the huge companies out there; I think some of their information can be wrong. I also agree with the statements made at Krypt3ia that we are now in a “cyber-war” with North Korea. It feels like another Cold War arms race, with a lot more countries involved.

However, the really scary part is that foreign actors have now proved that they can hold the United States (and companies within the U.S.) at bay with attacks on their computer infrastructure.


From the article:

Everyone seems to be eager to pin the blame for the Sony hack on North Korea. However, I think it’s unlikely. Here’s why:

1. The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in “Konglish”, i.e. it reads to me like an English speaker pretending to be bad at writing English.

2. The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden. This is one of the key things that has made communication with North Korean refugees difficult. I would find the presence of Chinese far more plausible. See here – http://www.nytimes.com/2006/08/30/world/asia/30iht-dialect.2644361.html?_r=0

here – http://www.nknews.org/2014/08/north-korean-dialect-as-a-soviet-russian-translation/

and here – http://www.voanews.com/content/a-13-2009-03-16-voa49-68727402/409810.html

This change in language is also most pronounced when it comes to special words, such as technical terms. That’s possibly because in South Korea, many of these terms are “borrowed” from other languages, including English. For example, the Korean word for “Helicopter” is: 헬리콥터 or hellikobteo. The North Koreans, on the other hand, use a literal translation of “vehicle that goes straight up after takeoff”. This is because such borrowed words are discouraged, if not outright forbidden, in North Korea – http://pinyin.info/news/2005/ban-loan-words-says-north-korea/

Let’s not forget also that it is *trivial* to change the language/locale of a computer before compiling code on it.


Read more at Marc’s Security Ramblings and at Krypt3ia

JPMorgan Chase Details Breadth of Earlier Cyber Attack

Source: Re/Code and CNBC

JPMorgan Chase said it was fully cooperating with U.S. law officials to determine the scope of a previously disclosed security breach that compromised internal information and its clients’ contact info.

On Thursday, the company disclosed that the breach impacted about 76 million households and 7 million small businesses, but it did not find evidence of unusual fraud activity related to the incident.

“[T]here is no evidence that account information for such affected customers—account numbers, passwords, user IDs, dates of birth or Social Security numbers—was compromised during this attack,” the bank said in an SEC filing. “User contact information—name, address, phone number and email address—and internal JPMorgan Chase information relating to such users have been compromised.”


The company moved to reassure customers that they would not be responsible for any fraudulent charges and said it was continuing to investigate the matter.

Earlier Thursday, JPMorgan Chase told CNBC it was not aware of a new cyberattack on its computer network, striking down a New York Times report that said it was battling its second security breach in the last three months. The Times later corrected its coverage.


The banking giant plans to spend $250 million annually to protect itself from cyberattacks and on data protection. JPMorgan CEO Jamie Dimon said in his annual report that he plans to appoint 1,000 people to focus on the effort.

“In our existing environment and at our company, cybersecurity attacks are becoming increasingly complex and more dangerous,” Dimon said. “The threats are coming in not just from computer hackers … but also from highly coordinated external attacks both directly and via third-party systems.”

CORRECTION: JPMorgan Chase’s cyberattack reportedly started in June and was discovered in July. A headline on an earlier version of this article incorrectly stated the month of the attack.

VArmour Comes Out of Stealth With Plan to Secure Data Centers

Source: Re/Code

Barely a day goes by without a news report about a hacker attack, or the revelation of a new security vulnerability to worry about. The rise in computer breaches has sparked a new generation of startups that are thinking about security in new ways and enticing investment.

Today, vArmour, a Mountain View, Calif.-based company whose ability to attract venture capital funding we noted last month, is coming out of stealth mode. Its plan is to offer companies ways to secure their data centers against some of the new tactics that attackers use to sneak in.

While computers have evolved, the ways in which they are secured largely have not. More than half of the computing workload in a modern corporation makes use of so-called virtual machines, which use software to allow one physical computer to act like many. Most of the servers on the Internet, in fact, make use of virtualization, a backbone technology of cloud computing.

And while virtualization has done wonders for computing efficiency and flexibility, it has also created weaknesses that an attacker could exploit and that can also hide the attack itself. On average, attackers are spending more than 240 days perusing a target’s network looking for the juicier files to take before being detected.

VArmour founder and CEO Tim Eades represents a new school of thought in computer security circles that can be best summed up like this: Determined hackers are going to get in, one way or another, so it’s better to catch them in the act and silently study their techniques and learn how they got in. We saw this in the attack against the New York Times disclosed last year.

“The thing that’s not being understood with all these breaches are sometimes the most basic questions: Where did the attackers get in? How did they navigate to it? Where is patient zero?” he said. “If you can’t tell me exactly where they came in, then you can’t shut the door.”

Eades says data centers are suffering from what he calls “invisible east-west traffic.” When virtual machines talk to each other, in the parlance of data center nerds, they’re talking “east to west,” as opposed to the “north to south” traffic between physical machines. It’s so named because servers, storage and networking gear are stacked on top of each other in a data center. (Up-down equal north-south, get it?)

Once a hacker gets inside a network, more than 80 percent of attacks on data centers, Eades says, take place in that “east to west” territory. They get inside and start sniffing around, hopping from one virtual machine to another, looking for the good stuff to take. Most security products date back to the days before virtualization and so are more focused on the “north-south” connection between physical machines, essentially guarding the perimeter. Trouble is, those tools are busy looking for trouble outside, while the attack is likely happening right behind their backs.

“It’s one thing to shut the gate, but quite another if you don’t know what side of the gate the bad guys are on,” Eades said.

The answer, according to Eades, is to create small virtual machines that can be deployed anywhere in the data center. He calls them sensors. “When the sensors see something suspicious, they can actually do something about it,” he said. “They can stop it, they can move it. But most of our customers don’t want to stop it right away. They want to observe the attack as it happens and see what the perpetrators are up to.”

Putting software sensors throughout the network puts the protection where it’s needed most: Right next to a company’s critical data. Think of the sensors as bodyguards watching over anything on a network — including the traffic between virtual machines — sounding a silent alarm if anything suspicious is going on.

It makes sense in a world that is shifting its computing resources toward the cloud. And so vArmour charges like a cloud vendor: Customers pay for what they use. “The model has to change. In the old ‘up to’ model, you pay for 100 percent of something, even if you’re only using, say, 37 percent of that something.” That allows customers the flexibility to use more sensors when they’re under attack, and throttle back down later. “The legacy security companies are going to have a hard time adjusting to that,” he said.

VArmour last month closed a $21 million C round led by Columbus Nova Technology Partners, Citi Ventures and Work-Bench Ventures, and also disclosed a $15 million B round led by Menlo Ventures which it closed late last year. It has raised a combined $42 million. Eades sold his last security company, Silver Tail Systems, to RSA, the security unit of tech giant EMC. The deal was said at the time to value Silver Tail in the neighborhood of $300 million.