Breach a 'security disaster' for IEEE
posted by Keito
2012-09-29 19:21:01
The IEEE (Institute of Electrical and Electronics Engineers) describes itself on its website as "the world's largest professional association for the advancement of technology."
But after a data breach that left the usernames and passwords of 100,000 of its members exposed in plain text for a month, some security experts said it is clear both the organization and at least some of its members should also be in the business of the advancement of common sense security.
The breach, discovered by an independent security researcher, demonstrates an almost inexplicable lack of basic security protocols, including some of the most vulnerable passwords possible.
Torsten George, vice president of worldwide marketing and products for Agiliance, a security risk management firm, called it "plain stupid."
Paul Ducklin, writing at Sophos' Naked Security blog, called it, "a veritable security disaster for the IEEE."
The IEEE announced the breach earlier this week. Radu Dragusin, a Romanian researcher and now a teaching assistant in the Department of Computer Science at the University of Copenhagen, said he discovered it on Sept. 18, and notified IEEE on Monday, Sept. 24.
"The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery," Dragusin wrote. "Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places."
He said the unencrypted passwords were the most "troublesome" element of the breach, but also said, "the simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs ..." which included more than 100GB of data containing detailed information on more than 376 million HTTP requests made by IEEE members.
A number of IEEE members were also failing to use basic security. Dragusin found that seven of the top-10 most popular passwords were combinations of the number string "1234567890," in order. Others in the top 20 included "password" and "admin."
IEEE sent a letter to its members the next day, acknowledging the breach, but saying, "This matter has been addressed and resolved. None of your financial information was made accessible in this situation. However, it was theoretically possible for an unauthorized third party, using your ID and password, to have accessed your IEEE account."
Because of that, the organization said it had terminated the access of its members under their current passwords, and would have to, "authenticate through a series of personal security questions you set up at the time you opened the account and to change your password."
The IEEE was unresponsive to questions from CSO Online about why the passwords were in plain text, how access to the weblogs was unrestricted and why the group did not discover the breach itself.
Adrienne McGarr, a public relations spokeswoman, emailed a copy of the statement IEEE had already posted on its website, saying the issue was addressed and resolved and members were being notified.
"IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused," the statement said.
George said the group has not taken the privacy of member information seriously, adding that the IEEE is not alone -- that this is somewhat typical of too many organizations.
"This illustrates a check-box mentality of compliance," he said. "It is looking at security as a necessary evil, but only to fulfill a regulatory mandate."
The failure to encrypt the data is especially mystifying, he said, "especially after the LinkedIn breach," a reference to the breach in June of the professional networking site that led to the posting of 6.5 million member passwords on a Russian hacking site. At the time LinkedIn was not using the preferred encryption method called salted hashing.
Following the breach, LinkedIn was hit with a $5 million class-action lawsuit.
George said it looks like the failure to restrict access to the webserver logs at IEEE was human error. "Somebody must have changed the access and forgot to change it back," he said. "It's a human mistake that's made very easily. But if they had done continuous monitoring, they would have noticed the restriction was not in place.
"You can't rely on humans," he said. "You have to automate the process."
Dragusin made it clear in his post that he did not intend to use the information for malicious means. Besides notifying IEEE, "I did not, and plan not to release the raw log data to anyone else," he wrote.
But that does not make him a hero to Paul Ducklin, who mocked Dragusin's professed "uncertainty" about what to do with the information. Ducklin noted that Dragusin waited a week from the time he discovered the breach to notify IEEE, but still found time to "register his vanity name-and-shame domain, ieeelog.com, on 19 September 2012.
"Nor did it prevent him grabbing and processing 100GB of log data he knew wasn't supposed to be accessible," he wrote. "How is this bad? It probably isn't. But it's more of a 'don't be evil' outlook than one of 'actually be good.'"
George said that the IEEE, in addition to improving its own security standards, should force its members to have more rigorous passwords.
"You can mandate password policies," he said. "You can require that they include a combination of characters and digits. You can require that they be changed every 30 days. There is a lot of room for improvement."
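The two remedies the article's sources call for, salted hashing in place of plaintext storage (the "preferred encryption method" mentioned in the LinkedIn comparison) and a mandated password policy, as an added example; this is not code from the quoted article or from IEEE. The user records are constructed for illustration, and the function names, the PBKDF2 parameters and the policy thresholds are assumptions of this example. The policy check also rejects any slice of the digit sequence "1234567890", generalizing the article's observation that seven of the top ten leaked passwords were built from it.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed sample records, not real IEEE data: the insecure layout the
# article describes, usernames mapped to plaintext passwords.
PLAINTEXT_RECORDS: Dict[str, str] = {
    "alice": "1234567890",
    "bob": "password",
    "carol": "Tr0ub4dor-Spring-9",
}

# Hardened layout: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.
# The iteration count is an assumed value, not one the article gives.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Passwords the article lists among the most common in the leak.
COMMON_PASSWORDS = {"1234567890", "password", "admin"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, e.g. a leftover plaintext entry
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_plaintext_store(records: Dict[str, str]) -> Dict[str, str]:
    """One-time migration: replace every plaintext password with a salted hash."""
    return {user: hash_password(pw) for user, pw in records.items()}


def meets_policy(password: str, min_length: int = 12) -> bool:
    """Assumed policy: minimum length, letters and digits, not a known-common value."""
    if len(password) < min_length:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    # Reject anything that is just a run of the sequence 1234567890 (doubled so
    # that slices wrapping past "0" back to "1" are caught too).
    if password in "1234567890" * 2:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    return has_letter and has_digit


def weak_accounts(records: Dict[str, str]) -> List[str]:
    """Users whose current (pre-migration) password fails the policy."""
    return sorted(user for user, pw in records.items() if not meets_policy(pw))


if __name__ == "__main__":
    hashed = migrate_plaintext_store(PLAINTEXT_RECORDS)
    for user, record in hashed.items():
        print(f"{user}: {record[:48]}...")
    print("accounts needing a reset:", weak_accounts(PLAINTEXT_RECORDS))
```

Two salted hashes of the same password never match, so a leaked table no longer reveals which users share a password, and a reader of the table still has to run the key-derivation function per guess per user rather than reading the values off the page as happened here.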
Kaspersky researcher cracks Flame malware password
posted by Keito
2012-09-22 22:45:42
Researchers have cracked the password protecting a server that controlled the Flame espionage botnet, giving them access to the malware control panel to learn more about how the network functioned and who might be behind it.
Kaspersky analyst Dmitry Bestuzhev cracked the hash for the password Sept. 17 just hours after Symantec put out a public request for help getting into the control panel for Flame, which infected thousands of computers in the Mideast.
The hash 27934e96d90d06818674b98bec7230fa was resolved to the plaintext password 900gage!@# by Bestuzhev.
Symantec said it tried to break the hash with brute force attacks but failed. Flame has been investigated by a joint effort of Symantec, ITU-IMPACT and CERT-Bund/BSI.
Meanwhile, researchers at Symantec report that Flame was being developed at least as long ago as 2006, four years before Flamer's compilation date of 2010 and well before the initial deployment of the first Flame command and control server on March 18 of this year.
By May, Flame had been discovered and owners of infected computers in Iran and other Mideast countries were cleaning up. The malware itself also executed a suicide command in May to purge itself from infected computers.
The command and control server also routinely wiped out its log files, which successfully obliterated evidence of who might be behind the attacks. "Considering that logging was disabled and data was wiped clean in such a thorough manner, the remaining clues make it virtually impossible to determine the entity behind the campaign," the Symantec report says.
Despite Flame being neutralized earlier this year, more undiscovered variants may exist, the report concludes. Evidence for this is that the command and control module can employ four protocols to communicate with compromised clients, three of which are in use. "The existence of three supported protocols, along with one protocol under development, confirms the C&C server's requirement to communicate with multiple evolutions (variants) of W32.Flamer or additional cyberespionage malware families currently unknown to the public."
A sophisticated support team ran the spy network that gathered data from infected computers and uploaded it to command servers, the Symantec report says. The team had three distinct roles - server admins, operators who sent and received data from infected client machines and coordinators who planned attacks and gathered stolen data.
"This separation of operational and attacker visibility and roles indicates that this is the work of a highly organized and sophisticated group," the report authors conclude.
The servers gathered the data encrypted then passed it along to be decrypted offline. Each infected machine had its own encryption key.
Evidence from one of its command and control servers indicates the server can talk to at least four other pieces of malicious code that researchers believe are either undiscovered Flame variants or completely separate attacks, according to a Symantec report.
This is accomplished with a versatile Web application called Newsforyou supported by a MySQL database that could be used as a component for other attacks.
Researchers also discovered a set of commands the server could execute including one that wipes log files in an effort to minimize forensic evidence should the server be compromised. It also cleaned out files of stolen data in order to keep disk space free.
"The Newsforyou application is written in PHP and contains the primary command-and-control functionality split into two parts," the report says, "the main module and the control panel." The main module includes sending encryption packages to infected clients, uploading data from infected clients, and archiving when unloading files.
The application resembles a news or blog application, perhaps in an effort to avoid detection by automated or causal inspection, the researchers say.
PHP source code for Newsforyou included notes that identified four authors - D***, H*****, O****** and R*** - who had varying degrees of involvement. D*** and H***** edited the most files and so had the most input. "O****** and R*** were tasked with database and cleanup operations and could easily have had little or no understanding of the inner workings of the application," the report says. "It is likely D*** and O****** knew each other, as they both worked on the same files and during a similar time period in December 2006."
Newsforyou employed both public key and symmetric key encryption depending on the type of data being encrypted. News files intended for clients were encrypted with symmetric keys while stolen data was encrypted using public/private key pairs.
Despite Flame being exposed in May, the evidence left behind in compromised command and control servers indicates the overall spying project it was part of is still alive. "There is little doubt that the larger project involving cyber-espionage tools, such as Flamer, will continue to evolve and retrieve information from the designated targets," the report says.
An Admin Password For The Universe
posted by Keito
2012-07-26 19:24:23
"Sweet Newton's ghost!" howls Ed from the basement. His voice is abject astonishment tinged with fear.
This is never a good thing.
Ed seems to have been stamped directly from the comic-book mad scientist mould - last week he raised an Amiga 500 to sentience (although it took us a while to notice; it thinks darned slowly). When Ed gets even slightly worried about anything, it's time to run for the next Earthlike planet.
"What's up, Ed?" I holler back, for I am busy fighting a boss and cannot be interrupted.
"You remember last year when I found a second layer of reality below this one?"
My mind races. I vaguely remember something like that. Ed had remotely hijacked control of the Relativistic Heavy Ion Collider, just out of curiosity. It's a long story. "Yeah... but you said it was completely featureless void, didn't you?"
"That's what I thought, but it's not. You should come and have a look at this."
Odolwa will have to wait. I pause the game and descend into the basement.
"So what did you find?"
"Messages," says Ed. "Messages, encoded into the very fabric of reality itself. Absolutely no question about it. It's like a pattern of vibrations in- well, the details aren't important. What's important is that the message is obviously in some kind of language; and there was enough of it for me to translate it.
"I've just finished reading the translation. Look at this: it reads like a piece of software documentation." Ed hands over a chunk of paper. I leaf through it.
The first page is a table of settings. The numbers I don't exactly recognise, but some of the names I do.
"Those settings," says Ed, anticipating my first question, "are fundamental physical constants. The speed of light. The Planck Constant. The gravitational constant. Some others that you won't have heard of. Some others that even I haven't heard of."
Next is a list of instructions for altering the settings. Short one-line commands followed by large tracts of incomprehensible vector equations. This goes on for about forty pages.
"The instructions are extremely detailed. In order to alter the constants, you basically need to access this second level of reality and adjust it in some special way. That involves using some seriously heavy hardware. And when I say 'heavy' I mean heavy - if I'm reading this right, I think we're looking at something like five white dwarfs in a Klemperer Rosette..."
"Sorry, white dwarf stars?"
"And that's just to get access. To actually change the settings, for instance if you wanted to increase the speed of light by a factor of a thousand; well, use your imagination. There's no way mankind will ever get that far, not in a million years. But think about what this means. Our universe is 1) open-source and 2) user-modifiable."
"Are you saying... that God uses Linux?"
I leaf through another few pages. "It says here that the settings have been changed. There are comments, too."
"Several times, and by several different people, yes. The comments you see there were written by the changers. There aren't any dates - after all, we measure our time according to the vibrations of a caesium atom, and theoretically, one could adjust the frequency of that vibration as much as you liked. But check out the very last comment. 'The next wave of changes that our race makes to these settings will hopefully result in the spontaneous creation of an entirely new universe from the ashes of our own dead one.' I'm willing to bet that the very last change occurred roughly one quadrillionth of a second before the Big Bang."
I am deeply thoughtful for a moment. "It is my considered suggestion that we don't attempt to mess with these settings."