Canadian Government Under Attack

The Canadian government is under attack, apparently from China, giving foreign hackers access to highly classified information and forcing at least two key departments off the internet, according to CBC reports.  The attack was first detected in early January.  Hackers took control of government computers belonging to top officials, most likely through drive-by web attacks or Trojan horse programs.  A spear-phishing email campaign was launched targeting executives and their staff with provocative messages containing malicious links or attachments.  Once the email system was compromised, social engineering attacks were also used, asking staff to reveal passwords to key networks.  Once the attack was detected, security officials shut down all internet access in both affected departments in an attempt to stop the information leakage.  The containment effort left thousands of public servants without internet access.  Service has slowly been returning to normal since the attack.

The attacks were traced back to computer servers in China, but there is no way of knowing for certain if the hackers are Chinese, or using China to cover their tracks.  The Canadian government initially issued a statement dismissing it all as an “attempt to access” federal networks.  It has refused to release any further information.

CBC has confirmed that the attackers successfully penetrated computer systems at two main economic nerve centres, the Finance Department and Treasury Board, apparently taking control of computers in the offices of senior executives as part of a scheme to steal passwords that unlock entire government data systems.  It is unclear whether the attackers were able to compromise other networks and sensitive data.  The government is trying to keep the security breach under tight wraps.

CBC Report

‘Tis The Season To Be “0wned-&-Exposed”

This time of year, criminals rely on IT vacation plans and public holidays to provide the opportunity to attack targets and to extend their reach within compromised sites.  This holiday season has been no exception.  Over the weekend, a number of sites got “Owned and Exposed”.  

It should be noted that the site used to distribute the popular BackTrack Linux distribution, as well as the Ettercap project site, was breached.  It is not completely clear how long ago these sites were originally compromised or whether any of the tools were altered.

In the second issue of the online hacker magazine (e-zine) “Owned and Exposed,” the attackers listed carders.cc, ettercap, exploit-db, backtrack, inj3ct0r, and free-hack as victims.  Free-hack was taken down for being “lame script kiddies,” while the other sites had criminal ties or were considered security experts who “fail so hard at security that we wonder why people really take their training courses”.

Exploit-db’s administrator said that damage was limited to posting the e-zine in the “papers” section.  Backtrack-linux.org shares a subnet and administrator with exploit-db.  The same root account and password were used for all Web scripts, WordPress installations and MySQL databases, making it easy prey.   Carders.cc, a German online forum dedicated to helping criminals trade and sell stolen financial data, was shut down.  As part of its inaugural issue in May, “O&E” wrote “Carders is a marketplace full of everything that is illegal and bad,” including drugs, weapons and stolen credit card numbers.  Carders was back up three days later.

The SourceForge page hosting the Ettercap message boards and files for a “white hat” penetration testing tool was another interesting target.  The tool hasn’t been maintained for five years, and the group found evidence the site had already been compromised by someone else. The group warned against downloading anything from the compromised site.

These attackers claim to be “watchmen”, quietly observing the scene, according to the newsletter.  They deny being just another “underground rival kiddy group”.   The goal was to shut down sites that “spread garbage” across the Internet, the group wrote.

NY Tour Company Hacked, 110,000 Records Stolen

The website of New York double-decker bus tour company CitySights NY has been breached, and about 110,000 bank card numbers have been stolen using an SQL Injection attack, according to New Hampshire’s attorney general.  A web programmer discovered an unauthorized script uploaded to the company’s web server that is believed to have been used to compromise the security of the database and server.

In SQL injection attacks, attackers smuggle database commands to the server over the Web by entering specially crafted text into Web-based forms or search boxes whose contents are pasted into the queries sent to the back-end database, so the database executes the attacker’s text as part of the query.  In this incident, they were able to get names, addresses, e-mail addresses, credit card numbers and their expiration dates, and Card Verification Value 2 codes, used to validate online credit card purchases.
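To make the mechanism concrete, here is an added example that is not code from the original post or from CitySights NY: a hypothetical customer-lookup handler written two ways, one that pastes the search-box text straight into the SQL string and one that binds it as a parameter so the database never parses it as SQL.  The `customers` table, its rows, the `lookup_*` function names and the card numbers are all constructed sample data for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny customer table of the
# kind a tour-booking site might keep behind a "find my booking" search box.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111111111111111"),
    ("bob", "bob@example.com", "5500000000000004"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (name TEXT, email TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Hypothetical handler that concatenates the search-box text into SQL.

    Whatever the user types becomes part of the statement, so quoting
    tricks in the input change the query's meaning instead of being
    compared as a literal name.
    """
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Same lookup with a bound parameter.

    The SQL text is fixed; the user's input is passed separately and is
    only ever treated as a value to compare against the name column.
    """
    query = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(conn, user_input):
    """Return (rows from the vulnerable handler, rows from the safe handler)."""
    return lookup_vulnerable(conn, user_input), lookup_parameterized(conn, user_input)


if __name__ == "__main__":
    db = build_db()
    # A normal search behaves the same in both versions.
    print(compare(db, "alice"))
    # The classic tautology input: the concatenating version returns every
    # row, the parameterized version finds no customer literally named that.
    print(compare(db, "' OR '1'='1"))
```

Two further points a practitioner would raise on the incident above, in the same spirit as the example: the account the web application uses to reach the database should hold only the privileges the application needs (the shared root credentials noted in the exploit-db story are the opposite of this), and CVV2 codes are sensitive authentication data that must not be retained after the purchase is authorized, so a properly designed back end would have had no CVV2 column for an injected query to read.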

The company has taken steps to secure its environment, began notifying customers about the incident two weeks ago, and victims are being offered one year of free credit monitoring and a 50% off coupon for another CitySights NY tour.  So, how security minded has this incident made the company?  The coupon’s security code is “012345”.  ACK!

“Gawker” Sites Compromised

This weekend, Gawker Media discovered its servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot.  If you’re a commenter on any of these sites, you probably have several questions.  Change your passwords on these sites now!   A FAQ document has been posted at LifeHacker to address users’ concerns…

http://lifehacker.com/5712785/

WikiLeaks Site Attacked Again

Wikileaks has been hit by a second distributed denial of service attack.  The renewed DDoS attack followed attempts to knock the site off the web on Sunday night as it prepared to release hundreds of thousands of controversial US diplomatic cables.

According to The Register, the site confirmed the latest attack on its Twitter feed Tuesday afternoon.  Analysis of the first attack by Arbor Networks shows that it threw a relatively modest 2-4Gbps at the site for several hours.  Modest by the standards of other similar attacks this year, it was still severe enough for Wikileaks to move its systems back into Amazon’s cloud infrastructure to seek shelter from the onslaught.

Country of Myanmar DDoS

I skimmed an article on this earlier today, and didn’t pay much attention to it, thinking “eh, some tin-pot in another far-flung dictatorship’s up for “re-election” and wants to insulate the country from the rest of the world so his influence peddling goes unnoticed”.  When my boss comes up to me and asks if I’m aware, I know that I had better be paying attention to more than whether we have an office there or not…

This is certainly a massive DDoS attack, estimated at between 10 – 15 Gigabytes per second of bandwidth being focused on the country’s Ministry of Post and Telecommunication, the main conduit for Internet traffic in and out of the authoritarian nation.  It has effectively cut Internet connectivity in Myanmar, just 3 days before the nation’s first election in 20 years.

Slow connections and occasional outages were being reported for more than a week, but today network traffic was completely halted, according to BBC reports.  Web service providers said outside attackers were to blame, but some residents suspect the military-ruled nation’s government is behind it all.

Britain, the United States and the European Union maintain long standing economic sanctions against Myanmar to pressure the military government to improve human rights and release over 2,000 political prisoners.  Foreign journalists have not been allowed into Myanmar to cover the polls, criticized by the west as a ploy to maintain the military’s control.  British ambassador Andrew Heyn said the vote was a “badly missed opportunity” offering no hope for democratic change.  With increasing tension, the government has canceled voting in 3,400 villages in ethnic areas and has increased its military presence throughout the countryside.

The military has ruled Myanmar, formerly known as Burma, since 1962, and the international community believes that harsh restrictions on campaigning, the repression of opposition parties and the new constitution reflect the military’s intention to continue its commanding role.

http://threatpost.com/en_us/blogs/massive-denial-service-attack-severs-myanmar-internet-110310

Data Breach & Security Incidents Continue

Time is money, but information is a blank cheque.   A number of companies have reported stolen laptops and other breaches of data security, potentially exposing personal information about thousands in recent months.  One financial company said its computer systems had been hacked, a tech company reported a laptop was stolen, and Boston insurance giant John Hancock Financial Services reported that a CD with customers’ personal information was lost.

In November, the state of Massachusetts reported that credit card numbers, medical records, or other personal information from nearly 1 million residents was stolen or exposed from 2007 through late 2009.  Since that time, the state has been notified of at least six data breaches that each potentially affected more than 1,000 residents.

Learning from these past experiences, on March 1, the state enacted new regulations requiring companies to encrypt personal data stored on laptops or sent over the Internet, so that the information would be useless to thieves if it was lost or stolen. 

It is not all FUD (Fear Uncertainty & Doubt).  These are all very real events.  Encrypt those laptops, folks.  And consider the same for your home computers.  Unless of course, you don’t really value your personal information, like tax details, bank accounts, surfing habits and other information that you take for granted, but an informed thief will take for cash. 

Despite increased knowledge about and vigilance around the problem of data theft, breaches and security incidents are still happening.  Just recently, at least 6 companies have reported stolen laptops as the root cause of their security incidents.  Other breaches of data security have potentially exposed the personal information of thousands.  Take a look at some of the biggest recent known data breach cases.