CAT | hacking
Last week the Twitter account of the Associated Press was hacked, and a message posted saying that bombs had gone off in the white house, and the president was injured.
Obviously this was false. The Syrian Electronic army a pro regime hacker group has claimed responsibility, which does not prove that they did it.
There is talk about Twitter moving to two factor authentication to reduce similar hacking in the future. While this is all well and good, it will not eliminate the problem.
The bigger issue is that these poorly secured social media sites are used by people around the world as reliable sources of news.
Apparently much of the crash came from automated trading systems parsing the tweet, and generating immediate trades without any human intervention at all.
The DOW dropped 140 points in 5 minutes.
The creators of these trading algorithms feel that news from twitter is reliable enough to be the basis of equity trades without any confirmation, or time for reflection.
Certainly very large amounts of money were made and lost in that short period.
Why make the effort to hack into what we hope is a well defended nuclear power plant or other critical infrastructure, when you can get similar amounts of financial damage from subverting a nearly undefended twitter account.
Because individual twitter accounts are not considered critical infrastructure, they are hardly protected at all, and are not designed to be easy to protect.
Nevertheless we give it, and other social media, substantial power to influence us and our decisions, financial and otherwise.
Take for example the crowd sourced search for the Boston bombers on reddit. Despite the best of intentions, many false accusations were made that had major impact on the accused, and one can imagine scenarios which could have turned out much worse. What if the accused at committed suicide, been injured in a confrontation with authorities, or been the vicim of vigilante action? Now, what if there had been malicious players in that crowd intentionally subverting the process. Planting false information, introducing chaos and causing more damage.
This is an interesting problem. There are no technical or legislative solutions. It is a social problem with only social solutions. Those are often the hardest to address.
Since relatively few of you had a chance to hear my talk at RSA, here is a re-recording I did of the presentation I uploaded to YouTube.
It runs just under 30 minutes.
The talk is the flip side of my usual presentations. I typically talk about how to be stealthy on the Internet. This time I was talking to network defenders about how to identify people using privacy technologies, and to use that information to help them strengthen their network defenses.
The short version is, if an attacker is going for you specifically, they can do enough research to craft an email and attachment that you are almost certain to open. The success rate against even very paranoid and sophisticated users is shockingly high.
In Bruce Schneier’s blog post about this he quotes Brian Snow, former NSA Information Assurance Director. “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”
The latest Java exploit has given another view into the workings of the cybercrime economy. Although I should not be, I am always startled at just how open and robustly capitalistic the whole enterprise has become. The business is conducted more or less in the open.
Krebs on Security has a nice piece on an auction selling source code to the Java exploit. You can see that there is a high level of service provided, and some warnings about now to ensure that the exploit you paid for stays valuable.
It appears that the laptops of two EU officials at the Internet Governance Forum in Azerbaijan got hacked while they were in the hotel.
Suspicion is immediately falling on the Azerbaijan government.
No one is mentioning breaking and entering, so I would assume they were attacked via the insecure Internet in the hotel.
NBC News is reporting that the iOS UDIDs leaked last week were actually stolen from Blue Toad publishing company. Comparing the leaked data with Blue Toad’s data showed 98% correlation which makes them almost certainly the source.
They checked the leaked data against their own after receiving a tip from an outside researcher who had analyzed the leaked data.
It is certainly possible that this data had been stolen earlier and that, in tracking that crime, the FBI had obtained the stolen information. This strongly suggests that this is not a case of the FBI conducting some kind of massive surveillance activity.
The other possibility is that Anonymous and Antisec are simply lying about the origin of the information as part of an anti-government propaganda campaign.
Either way, it is a big knock on their credibility, unless you think this whole thing is just a conspiracy to protect the FBI.
Forbs is reporting that Anonymous and Antisec have dropped a file with a million Unique Device ID (UDID) numbers for Apple iOS devices. They claim to have acquired an additional 11 million records which they may release later.
In addition to the identifiers, the file is said to also contain usernames, device names, cell numbers, and addresses. It is this additional personal information that seems to be the real threat here.
The Next Web has set up a tool for checking to see if your information is in the leaked data. You don’t need to enter your full UDID into the field, just the first 5 characters. That way you don’t need to trust them with your information either.
None of my iOS devices showed up on the list, so I downloaded the entire file to look it over. You can see the release and download instructions here.
Looking through the document, I don’t see any examples of particularly sensitive information. In the first field are the claimed UDID. The second field is a 64 digit hex string. After that is the name of the device, frequently something like “Lance’s iPad”. Finally is a description of the device itself: iPad, iPhone, iPod touch.
SHA hashes are 64 hex digits long, and are widely used in forensics to verify that captured evidence has not been changed. My intuition is something like that is what we are seeing in that second column.
I have no idea where the claims about addresses, and account names came from. I am not seeing anything like that.
It is interesting that Anonymous / Antisec claim that this data came from the hacked laptop of an FBI agent. This certainly raises big questions about why he would have this information on his laptop, and why the FBI has it at all.
While 12 million is a big number, it is a tiny fraction of the over 400 million iOS devices sold to date. Still, that would represent a shockingly wide dragnet if these are all being monitored in some way by law enforcement.
Of course, for all we know this list was captured evidence from some other group of hackers.
So, short answer (too late!), you probably don’t have anything to worry about here, but you might want to check to see if your device is in the database anyway.
UPDATE: It appears that the UDID may tie to more information that was immediately apparent. While Apple’s guidelines forbid tying UDIDs to specific account, of course that happens all the time. My friend Steve shared a link with me to an open API from OpenFeint which can tie a UDID to personal information. Certainly there are others which would reveal other information. The existence of these, and the leaked list of UDIDs would allow an app developer to tie a user’s real identity to their activity and use of the app on their iOS device.
UDATE 2: I find it impossible to actually read documents from Anonymous and Antisec, they are just so poorly written. It seems I missed their statement in lines 353,354 of the pastbin where they say that they stripped out the personal information. The 64 digit block is actually the “Apple Push Notification Service DevToken”. SCMagazine is reporting that the FBI is denying the laptop was hacked or that they have the UDIDs.
There has been a lot of attention recently to the arrest of an alleged LulzSec hacker after his anonymity was compromised by the anonymity service he was using, HideMyAss.com. Some articles on the event are here, here and the provider’s explanation here.
The reason this company was able to compromise the privacy of their user was that they had logs of user activity. They know what IP address is assigned to each user and can use that to attribute any activity back to the real identity of the person behind the account.
The real problem with logs is that they exist or they don’t. You can’t keep logs only for “bad users” but not for responsible “good users” because even if it was possible to identify them as such in advance, you would not find anything like agreement about who should fall in which category.
Many operators of privacy services, including myself, feel very strongly that such tools should be usable in countries like China to circumvent the censorship and surveillance there. Such actions are certainly illegal for the user, and probably for the provider. While being a UK company and only responding to UK court orders, they were “forced” to expose the identity of a person in the US who was then arrested by the FBI.
I don’t know enough about this case to debate whether or not this person is guilty or deserved to be arrested. My concern is that this case has demonstrated that anyone who can cause a UK court order to be severed against this company can expose their users. It also makes them a target for hacking, social engineering, infiltration and other attacks which could gain access to these logs without a UK court order.
As a general rule, if information exists and people want it, there is a very good chance it will escape, if only by accident.
I founded this company, Anonymizer.com, and I personally stand behind our services. We have clear privacy policies, we keep no logs of the surfing activities of our users, we have no way of identifying what user may have visited what website. We have an unblemished record of providing robust privacy since 1995.
As I have said in many previous posts, it all comes down to trust. If you don’t know who is providing the service, and don’t have the ability to research their history and gauge their integrity, you should not use that service.
Bruce Schneier on the real world effectiveness of a very simple domain name based man in the middle attack.
Here is a Wired article on the same issue showing how it was used to steal 20 GB of email from a Fortune 500 company.
Brian Krebs has an interesting blog post on how all of the credit card information was stolen by a hacker from a website that sells stolen credit cards.
This is in the “don’t know whether to laugh or cry” department.