Our company recently discovered a cyberattack that comprised [sic] a small number of employee log in credentials, allowing unauthorized access to eBay’s corporate network. As a result, a database containing encrypted password and other non-financial data was compromised. There is no evidence of the compromise affecting accounts for Paypal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats. The company is asking all eBay users to change their passwords.
The attack resulted in unauthorized access to a database of eBay users that included:
Date of birth
I changed my eBay password today. When I read through my keepass database.kdb file, I was chagrined to find that I’d used the same password for my accounts on several other sites. I changed them all. You should do the same if you have an eBay account. Here’s why, according to eBay:
I use the same password for multiple accounts. Do I now need to change all of them?
If you used the same password for eBay and any other site, we encourage our customers to change their passwords for those sites too. As a matter of good practice, the same password should never be used across multiple sites or accounts.
I’ve never been comfortable with Universal Plug and Play (UPnP). It was dreamed up by Microsoft in an attempt to make networking easier for end-users and first appeared in Windows Millennium Edition (“Win ME”). I didn’t trust it then, and I still don’t trust it. The name “Universal Plug and Play” leverages Microsoft’s successful implementation of MS-Windows’ (benign) “Plug and Play” service, which first appeared in Windows 95. The UPnP name continued Microsoft’s tradition of confusing terminology and poor corporate communications in general.
UPnP has always skated on thin ice. For one thing, it contains no provision for authentication. It assumes that all UPnP objects reside behind a firewall and that no UPnP packets can traverse any public-facing router. These are naïve assumptions. I always disable UPnP, or at least I think that I disable it. (Some routers expose UPnP to the Internet no matter what the router’s admin instructs it to do!)
Recently, researchers port-scanned the entire IPv4 Internet multiple times over a five-month period, recording the IP address of each network device with UPnP exposed. They found 81 million vulnerable devices. Read the results:
Are you vulnerable?
Use Steve Gibson’s ShieldsUP! to check whether the devices on your Internet-connected local area network expose UPnP capability to the outside world.
UPnP bugs history
Apparently Intel, many years ago, published reference code in a library that demonstrated UPnP implementation. Most router manufacturers incorporated Intel’s UPnP library into their routers’ firmware. Intel’s UPnP library apparently contains bugs that can expose UPnP capability to the router’s WAN (Wide Area Network) port(!).
On Friday, South Carolina’s Governor Nikki Haley announced that about 3.6 million taxpayers’ Social Security numbers and related taxpayer data were downloaded by an unknown outside hacker. The Governor reassured worried South Carolina residents that “the problem has been fixed”.
Unfortunately, that’s like locking the barn door after the horses have fled. For the 3.6 million SSN theft victims, it’s too late to fix it.
According to a Computerworld news article, “Another 387,000 credit and debit card numbers were also exposed in the September attack, the state Department of Revenue said in a statement Friday.”
It sounds like the Social Security numbers were stored in unencrypted form. (The I.T. department may have thought that the server and database systems’ authentication procedures provided sufficient security.) I’d guess that this could expose the state to liability for breach of fiduciary responsibility. South Carolina’s failure to encrypt these critical numbers is about as dumb as Yahoo’s recently exposed failure to encrypt users’ passwords.
Cracking of passwords has moved from an esoteric exercise for geeks to something that any kid can do.
Three developments in cracking passwords for fun and profit:
Hash Cat, a new open-source GPU-based cracking program, has become available for free download at HashCat.net. It’s available in both Windows and Linux versions and can run 16 graphics processing units in parallel.
Do you recall last June’s theft of 6.5 million password/email pairs from LinkedIn? Those passwords weren’t in plaintext — they had been hashed by LinkedIn using the (now discredited) SHA-1 hashing algorithm, so were presumably still pretty secure. Hash Cat was let loose on the purloined LinkedIn hashed passwords by Jeremi Gosney. Using a homebrew PC with multiple GPUs, he was able to crack 20 percent of the 6.5 million hashed passwords within thirty seconds. He used a dictionary attack with a 500 million word dictionary. His machine makes 15.5 billion guesses per second. Two hours later, he had cracked an additional 33 percent of the passwords. After one day, he had cracked 64 percent of the passwords. After five days, he had cracked 88 percent of the passwords.
Jeremi benchmarked Hash Cat on his $12,000 machine containing eight AMD Radeon HD7970 GPU cards. He ran a brute force attack on an 8-character password, trying all 96 characters in each position, in twelve hours. Add one more character, and it will require 96 times as much time to crack, or 1,152 hours. Add another character (making a ten-character long password) and it will require 110,592 hours to crack by brute-force.
And the conclusion is?
Use completely random passwords whose characters are drawn from the a-z, A-Z, 0-9 and punctuation mark character set (which contains 96 characters).
Use passwords that are at least ten characters long.
The best way to create and manage strong passwords is with a password management program. I like Keepass.
Graphics Processing Unit: restricted instruction set single-chip processor that’s dedicated to graphics functions. GPUs may be used for other dedicated tasks, such as decryption.
For four months, Java has been vulnerable to attack. Oracle responded recently with Java version 7, which patched the holes in version 6. Java version 7 adds two functions; unfortunately those functions include new improved vulnerabilities.
Java has been with us since 1996. I recall the joy that greeted its introduction by Sun Microsystems: a Java program could be written once and then execute on Windows, Mac, and a variety of Unix machines. The slogan was write once, run anywhere. As malicious attacks have intensified, we’ve learned that the architecture of Java makes it vulnerable to attack. It includes file system access and acquires the same rights as the currently logged-on user. That means if you are logged on to your PC as Administrator, a malicious Java program can do whatever it pleases on your PC.
The vulnerability in Java version 7 means that if a website contains malicious Java code, all that you need do is visit that website — you need not click on any links — and your Windows, Mac, or Linux machine is taken over (if you have Oracle’s Java installed on it). And you probably wouldn’t know it.
The open door to your PC is provided by having Java execute within your web browser. Until Oracle gets their Java act together, I recommend that you uninstall Java. Using the Mozilla Firefox web browser with the NoScript add-on will also protect you. These days, few websites use Java anyway. Some multi-user games require Java, and a few financial reporting sites use Java. I don’t even have it installed on this Windows XP machine.
Sept 7 2012 update: Oracle has resorted to accepting payments from McAfee: when you download the Java update from Oracle, it defaults to installing McAfee Security Scanner, unless you opt out. Oracle ought to stop trying to maintain Java by themselves. As far as I know, it’s not generating revenue for them, so their heart isn’t in maintaining the code. Oracle and the user community would be better served by re-branding Java as open-source.
Reportedly many European bank sites use Java to provide on-line banking. I’d recommend that these users make certain that they keep their Java updated and use Mozilla Firefox with the NoScript add-on. The Safari browser on Macs prompts you before executing Java code, and disables it afterwards, so this should be okay for European banking users.
A good workaround would be to boot from an Ubuntu (Linux) live DVD/CD, and do your banking with it. It includes its own JRE (Java runtime environment), which is not vulnerable to Oracle’s Java vulnerabilities — or any Windows vulnerabilities, either.
The sad story of what happened to Mat Honan has been big news for the past ten days or so. All of his devices and data were interconnected via Apple’s iCloud, and they all got wiped clean within minutes. Here’s his story, in his own words. Excerpts:
Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification . . .
It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
GET OFF OF MY CLOUD
(M. Jagger/K. Richards)
Hey! You! Get off of my cloud
Hey! You! Get off of my cloud
Hey! You! Get off of my cloud
Don’t hang around, baby, two’s a crowd
No technical skill was required to wipe out this guy’s e-life. The hacker(s) just needed patience, knowledge of customer service procedures at each provider, a method, a couple of lucky guesses, and a convincing telephone presence. We worry about the security of 128-bit encryption, or the virtues of SHA-2 (secure hash algorithm) versus SHA-1, when the most vulnerable part of any system is the humans who use it.
The fact that the authentication value of a credit card’s last four digits is zero at Amazon and significant at Apple is worrying. Apple claimed that a service rep didn’t follow its password reset procedure. In fact, the procedure WAS followed; it was just a flawed procedure. Apple has reportedly changed their customer service procedure for authenticating an account owner over the phone.
Users can learn from this breach, and Yahoo! can, as well.
Last week, a group of allegedly benign attackers downloaded about 450,000 Yahoo! users’ passwords. (To see if your Yahoo! password was compromised, go to labs.sucuri.net.) This worries me: did Yahoo! store unencrypted passwords on its servers, and they were simply downloaded intact? I sure hope not! Or were the 450,000 password hash keys downloaded, attacked with cracking programs, and the passwords were recovered from the password hash keys?
How sites should handle passwords:
[Diagram: how a hashed password is used by companies to secure user details]
Trustworthy sites will, when you create a password, submit your password to a one-way algorithm to create a “password hash key”, and then discard your password. The site stores this password hash key — not your password. When you next attempt to login to your account, the password that you type on your keyboard is submitted to the one-way algorithm to create a password hash key, and that is compared to your account’s stored password hash key. The beauty of this system is that even if someone steals your password hash key, they still don’t have your password. To recover it from your password hash key, they’ll try three methods:
The most popular way to obtain the original password from a password hash key is the dictionary attack: common words are tried until the password hash keys match. (This is why you shouldn’t use common words for your password. If you have, it will be discovered within seconds.)
Next, the crackers will try an attack that exploits known weaknesses in older hashing algorithms. This succeeds only if the site has used a weak hashing algorithm.
If the first two attacks fail, the cracker next tries a brute force attack. This just tries every character in every position, sequentially, until the password hash keys match. If your password is 3 characters in length, this won’t take long. Each time you increase your password length by just one character, you exponentially increase the time required by the cracker.
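The storage scheme described above (hash on account creation, discard the password, re-hash and compare at login) and the dictionary and brute-force attacks it must resist, as an added example that is not part of the original post. The user names, passwords and word list are constructed for this example; the scaling function reproduces the earlier post’s benchmark (96-character alphabet, 8 characters in 12 hours) rather than measuring anything.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not the Yahoo! or LinkedIn sets).
COMMON_WORDS = ["password", "123456", "welcome", "qwerty", "letmein"]
USERS = {"alice": "welcome", "bob": "welcome", "carol": "Tq7#v9!LmZ"}

PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def weak_hash(password):
    """Unsalted, fast SHA-1: the kind of 'password hash key' the LinkedIn post describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password, salt=None):
    """Create the record a trustworthy site keeps: a random per-user salt plus a slow
    PBKDF2 hash. The plaintext is never stored; only salt, hash and work factor are."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record, candidate):
    """Login check: re-derive the hash from the typed password and compare it to the
    stored one in constant time, so timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def dictionary_exposure(stored_weak_hashes, wordlist):
    """Audit an unsalted-SHA-1 store: hash each common word once, then look every user's
    stored hash up in that table. Users who picked a dictionary word are recovered at
    once, and users who share a word share a hash; a per-user salt defeats both."""
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_weak_hashes.items() if h in table}


def brute_force_hours(length, alphabet=96, base_hours=12.0, base_length=8):
    """Scale the post's benchmark to other password lengths: every extra character
    multiplies the keyspace, and therefore the time, by the alphabet size."""
    return base_hours * alphabet ** (length - base_length)


if __name__ == "__main__":
    weak_store = {user: weak_hash(pw) for user, pw in USERS.items()}
    print("recovered from unsalted SHA-1:", dictionary_exposure(weak_store, COMMON_WORDS))
    good_store = {user: store_password(pw) for user, pw in USERS.items()}
    print("alice/bob salted hashes equal:", good_store["alice"]["hash"] == good_store["bob"]["hash"])
    print("login ok:", verify_password(good_store["carol"], "Tq7#v9!LmZ"))
    for n in (8, 9, 10):
        print(f"{n} characters: {brute_force_hours(n):,.0f} hours")
```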
After stealing the 450,000 password hash keys, did the crackers then crack all of the password hash keys? Or <shudder> did Yahoo! store the unencrypted passwords on its servers? I find that hard to believe. Maybe Yahoo!’s password hashing algorithm was weak. I don’t know. In any case, this breach isn’t good for Yahoo!’s public relations.
Of the 450,000 compromised passwords, the most popular were:
Don’t use these easily guessed passwords! They’re like leaving your house key under the door mat. And use a different password on each site. That way, if your email password is compromised, it can’t be used to login to your bank account. To manage all of my passwords, I use Keepass. Roboform and LastPass also have plenty of fans.
Update, 21 July: My worst fears confirmed
Apparently all of these passwords remained in clear text and were stored in a Yahoo! SQL database. This is a real no-no. No wonder Yahoo! has replaced its CEO.
I guess that all 450,000 passwords were associated with a Yahoo! voice service. A well-known SQL injection attack “liberated” them.
Remote support is great, when you initiate it and the support person is not a crook.
You may have received a phone call from an earnest-sounding “representative of Microsoft” who offered a free security scan and then warned you that your computer was at risk. The friendly voice at the other end offers to save your data for a nominal fee . . .
A new client of mine reported that he fell for this scam six months ago. Another told me that she almost did, before she called me. Microsoft reports that the average loss is $875. The exact ploy varies, but there is a common theme: deception; what hackers call “human engineering”.
Don’t accept unsolicited technical support. (If you’re in doubt, call me at 954 873-4695.)
We’re used to Facebook’s violations of users’ privacy. LinkedIn has joined the fun.
Yesterday, I became aware of two LinkedIn privacy concerns:
Users of LinkedIn’s 6-month-old LinkedIn app for iPhone and iPad have been, without their knowledge, uploading their entire calendars to LinkedIn’s servers.
A Russian hacker announced that he had downloaded usernames and passwords for 6.5 million LinkedIn accounts. To prove it, he published the passwords on the web.
LinkedIn presents itself as a site where professionals meet, unlike the unwashed slobs on Facebook. Its business model is similar to Facebook’s: collect every byte of information about its users and sell that data to advertisers. I wonder if LinkedIn’s professional users will be as unconcerned by LinkedIn’s lack of diligence as Facebook’s naïve users seem to be?
This scam rewarded hard work with huge income, while it lasted.
I’m not smart enough to have dreamed up this scam: hi-jack millions of users’ clicks and redirect them to ads that pay the crooks for each click. Allegedly, over 14 million dollars of income was collected since 2007. Six of the seven indicted people reside in Estonia, where they have been arrested by the Estonian police. The US Department of Justice (DOJ) is seeking their extradition for trial in US federal court on charges of wire fraud and computer intrusion. The seventh suspect has not yet been located.
Part of the scheme employed a piece of malware that’s named DNSChanger. These guys spent serious time fabricating this scam: they had to first set up 2 bogus DNS (Domain Name Service) servers in the U.S., create and propagate the malware, create affiliate relationships with advertisers, create bogus websites, arrange payment with advertisers, etc. Basing the bogus DNS servers in the U.S. would guarantee fast DNS lookups for hijacked American victims.
Last year I wrote about one instance (of many that I see) of DNS hijacking (Malware hi-jack of DNS address). A computer whose DNS record points to a malicious DNS server is “owned” by the bad guy who installed the redirection. My first thought was that the bad guy could harvest on-line banking login credentials. These Estonians fabricated a much more elaborate scheme, which was probably harder to detect than the scam that I’d imagined.
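A computer whose resolver settings have been redirected, as the post describes, keeps working normally, so the redirection has to be looked for. This added example (not part of the original post) parses a resolv.conf-style resolver configuration and flags any nameserver that is not one you expect to see; the file contents, the 203.0.113.77 address and the expected-resolver set are constructed for the example.

```python
import ipaddress

# Constructed resolv.conf contents. 203.0.113.77 is a documentation address standing in
# for a resolver the user never configured; 192.168.1.1 plays the home router.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search example.lan
nameserver 192.168.1.1
nameserver 203.0.113.77   # constructed: not one of the expected resolvers
options timeout:2
"""

# Resolvers this machine is supposed to use (constructed: router plus one public resolver).
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}


def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf order, ignoring comments
    (# or ;), blank lines and the other directives (search, options, ...)."""
    servers = []
    for line in text.splitlines():
        for marker in ("#", ";"):
            line = line.split(marker, 1)[0]
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def _canonical(address):
    """Normalise an address (e.g. IPv6 forms) so textual variants compare equal."""
    return str(ipaddress.ip_address(address))


def unexpected_resolvers(nameservers, expected):
    """Return every configured nameserver that is not in the expected set; an entry
    that is not even a valid address is reported as well, since it was not configured
    by the owner either."""
    allowed = {_canonical(a) for a in expected}
    flagged = []
    for server in nameservers:
        try:
            if _canonical(server) not in allowed:
                flagged.append(server)
        except ValueError:
            flagged.append(server)
    return flagged


def audit_resolver_config(text, expected=EXPECTED_RESOLVERS):
    """Parse and check in one step; an empty list means every resolver is expected."""
    return unexpected_resolvers(parse_nameservers(text), expected)


if __name__ == "__main__":
    print("sample config, unexpected resolvers:", audit_resolver_config(SAMPLE_RESOLV_CONF))
    try:  # check this machine, where the file exists
        with open("/etc/resolv.conf", encoding="utf-8") as fh:
            print("this machine, unexpected resolvers:", audit_resolver_config(fh.read()))
    except OSError as exc:
        print("could not read /etc/resolv.conf:", exc)
```

On Windows the equivalent check is to compare the DNS servers shown by ipconfig /all against the ones you configured; the parsing above is specific to the resolv.conf format.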
Is your anthem the 1984 pop single “I always feel like somebody’s watching me”? You may be right. Dmitri Alperovitch, in his recent article Revealed: Operation Shady RAT states, “. . . I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly).”
He should know. Mr. Alperovitch and McAfee have been studying what they call “Operation Shady RAT”. (RAT is an abbreviation for remote access tool.) Its depth, breadth, and audacity are impressive. They coyly call the perpetrator “a state actor”, but it’s an open secret that China uses the Internet to aggressively spy on governments, defense contractors, and even seemingly benign targets.
Most commercial organizations — especially banks — are reluctant to publicize any security breaches, so it’s unlikely that we’ll ever know just what’s been compromised, damaged, or stolen by Operation Shady RAT.
If you think that this isn’t really happening, just check the unfiltered log files of an Internet-facing router / firewall that protects any organization. It’s amazing to see how many port scan attempts hammer these routers 24 hours a day. And a fair number (maybe 50 percent) originate from IP addresses within China. Not convinced? Log into your own router as its admin and check activity on its WAN port: you’ll see many uninvited guests knocking on its door all day long. Most are just random testing of defenses, roughly the same as a burglar who walks down the street, knocking on doors to find a weak target to break into.
(My apologies to UB40 for my allusion to their reggae hit, Rat in Mi Kitchen. Great tune.)
More bad guys than ever are launching cyber-attacks for fun and profit.
I’ve recently encountered an old enemy: a Trojan Horse that’s been around for 3 years or more. It’s recently calling itself XP Total Security 2012 and it’s gotten nastier and more tenacious than its earlier incarnations. I no longer spend much time trying to remove this bad boy: I just backup the infected computer’s data, format the hard drive, re-install Windows, and restore the (scanned) data. Most security experts agree with this tactic.
Elinor Mills, in an article that appeared in CNet News, June 17, 2011: Keeping up with the hackers, included a chart of recent major break-ins. There are some surprising headliners in the Victims column: RSA, who specialize in security; Sony, which makes multiple appearances; payroll giant ADP; Citigroup; the US Senate; et al.
Finally, Microsoft disables Windows’ AutoRun facility for USB devices.
With Tuesday’s update, Microsoft has removed the AutoRun feature (for USB devices anyway) from Windows. It’s about time. AutoRun has been a feature of Windows going back to Windows 95: you can insert a CD or CD-ROM, and Windows will play the music CD or execute the (setup, usually) program that it finds on the CD-ROM. This is convenient, but very insecure, because it removes control of what executes from the computer user. Bad guys have used the AutoRun feature to trick users into unknowingly installing malware.
To say that Microsoft has removed AutoRun isn’t accurate. It has disabled AutoRun for USB devices. AutoRun (unfortunately) is still enabled by default for CD-ROMs and DVDs. The update — KB971029 — is optional(!) Why? I guess that Microsoft finds it hard to admit that AutoPlay and AutoRun were bad ideas.
This is ironic, since Ubuntu (a very popular Linux distro) has recently been demonstrated to be vulnerable to attack due to its recent incorporation of AutoRun. Once again, we’re confronted with the tension between convenience and security.
Symantec (who own Norton) has done a good job of producing videos that discuss threats from the Internet. They’re entertaining and easy to follow. The animated Symantec Quick Guides to Scary Internet Stuff is just the thing for people who are new to the Internet. There are 9 video clips in this playlist.
There’s a little bit of advertising at the end of each clip, but it’s not objectionable.
Symantec has also produced a series of videos that discuss threats in more detail. There are 34 clips in this playlist. I’m especially flipped out by their excellent presentation on using Zeus for fun and profit. It is indeed Scary Internet stuff.
I applaud Symantec for producing this series of videos.