Cyber Defense Weekly: Hacks, Breaches, and Disclosures

Wednesday, February 08, 2012

Cyber Defense Weekly

6d1c762d9c16395a7e258d098091ee00

This week's CDW is sent from the Ritz in Cancun. Yes, there is a cyberwar conference in Cancun...

The first thing we do is hack all the lawyers

It was 1994 and I was presenting at a conference on security and privacy on that newfangled Internet thing.  As founder of an ISP (Rust.net) in the Midwest I did a lot of such events.  One of the other speakers was an attorney from the US Justice Department. 

He fielded a question from the audience regarding email security. His response was reasonable for the day: " If it was easy to read someone's email we would all be reading Marcia Clark's email today".  He was referring of course to the 40-year-old Deputy District Attorney who led the prosecution in the OJ Simpson trial. 

As the hottest topic of the day the implication was that there were lots of people that would love to know her strategy and any inside dirt.  His syllogism was apt. For the day.

Today that has changed.  Lawyers are an insecure conduit to their clients' business.  Smaller firms have little or no security staff.  IT infrastructure is limited to an Exchange server and a web site and perhaps internal print and file sharing.  While their clients might have best-of-breed security  the law firm is viewed as an easy way to get at the ultimate target.  

Friday's news that hackers had breached and leaked the 2.6 gigabytes of email from the firm of Puckett Faraj who provided the defense for the Marine  accused of leading a massacre of civilians in Iraq. To literally add insult to injury they also defaced the firm's website.  As of this writing the site is down and the hosting provider's default server page is visible.

According to Gawker the defaced site said:

"As part of our ongoing efforts to expose the corruption of the court systems and the brutality of US imperialism, we want to bring attention to USMC SSgt Frank Wuterich who along with his squad murdered dozens of unarmed civilians during the Iraqi Occupation. Can you believe this scumbag had his charges reduced to involuntary manslaughter and got away with only a pay cut?"

Attacking third parties to get at a target is not new of course.  Attackers exploit trust relationships to gain entry.   

According to security investigators at Toronto based Digital Wyzdom  they uncovered a wide spread attack against multiple law firms involved in the mega acquisition of Potash Corp. of Saskatchewan  by Australian firm BHP Billiton.  The deal was worth $40 billion and the researchers attribute the attacks to China who wanted to derail the deal.  According to Bloomberg the attackers hit seven different law firms as well as Canada's Finance Ministry and the Treasury Board.

Joel Brenner, former national counter intelligence executive in the office of the Director of National Intelligence (DNI), and author of America the Vulnerable observes:

"Us law firms have been penetrated both here and abroad. Firms with offices in China and Russia are particularly vulnerable, because the foreign security services are likely to own the people who handle the the firms' physical and electronic security. These services are not interested in stealing brilliant legal briefs; they want information about the firm's clients. Every law firm with offices on several continents holds privileged and sensitive electronic documents worth millions of dollars to a foreign service, ranging from investment plans to negotiations and business strategies, and much more."

If you share critical information with your attorney it is time to review their security practices.  If you are part of a law firm get used to the idea that your IT costs are going to go up.

Attack on Verisign: Is this the next RSA?

Joseph Menn of Reuters reported Thursday on an attack on VeriSign in 2010.  He had picked up on a brief notice in Versign's 10-Q quarterly report.   On page 33 of this 43 page document we find:

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. ... Information stored on the compromised corporate systems was exfiltrated. ... In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

At the time of the successful penetrations Versign had two critical infrastructure responsibilities: host the Top Level Domain servers for .com, .org, and .gov and the issuing of digital certificates for SSL.  Verisign sold off the digital certificate business to Symantec later in 2010 but that is no assurance that information gleaned in an attack is not still useful to the attackers.  Symantec of course has had its own issues recently with the admission that some of their source code has been stolen in 2006 and they only recently discovered it.   

I wrote about the seriousness of attacks on certificate authorities previously on Security Bistro  I called it the most important breach of 2011 because it has disrupted the inherent trust in site certificates that is built in to every browser. The ComodoHacker, who claims credit for the attack, aligns himself with the Iranian regime which did indeed use newly minted SSL certificates to execute man-in-the-middle attacks against their own citizens.  The threat is real and these successful attacks against VeriSign are worrisome in the same way.

VerSign's DNS infrastructure is truly the primary plumbing of the Web.  As such it is almost continuously under attack.  Distributed Denial of Service attacks against their root servers are frequent. VeriSign has had to build out redundant data centers across the globe and multiply redundant servers in each data center to take peak loads that are ten times the average expected load.

But, an attacker who had access to VerSign's back end systems could wreak havoc and could either take down websites or redirect them to fake sites at will. The implications as Joseph Menn, points out are chilling.  VeriSign's security team took corrective measures and hopefully are now taking extraordinary precautions to prevent further incursions.

Anonymous records FBI/Met Police conference call

What lessons can we learn from the Anonymous infiltration of the FBI's email and subsequent eavesdropping on a conference call where agents discussed ongoing investigations of Anonymous/Lulzsec?

First, despite a rapid ramp in resources and ability in cyberspace, the FBI still has a lot to learn about OpSec.  Either there is an insider leaking email to hackers or the hackers have planted malware on the computer of an agent.  Either case is drastically bad.

Second, international law enforcement agencies use open conference calling systems and do not even vet parties that call in.  Either this whole episode is a ruse to rope in Anonymous actors or the FBI has a lot to learn about secure communications.

AVG IPOs      
    
As Nasdaq hit a ten year high this past week, anti-virus vendor AVG has gone public.  We are still waiting on Palo Alto Networks to file. It is going to be a good year for security vendors.

Best of @cyberwar

  • RT @SunTzuSaid: Be subtle! be subtle! and use your spies for every kind of business
  • RT @e_kaspersky Eugene Kaspersky: Russian army: "Warfare has moved to cyber security. Concepts of network-centric war have made great progress"
Possibly Related Articles:
11666
Network->General
Information Security
FBI Symantec Cyberwar Attacks Anonymous VeriSign hackers AVG Information Security breach Cyber Defense Lulzsec AntiSec Conference Call IPO Lawyers
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.