Year of the Hacks Fail 2011 November 29, 2011 Hamza Sirag | Hanh Tran
Outline• Introduction• Key players• Victims• Timeline of significant attacks of 2011• Statistics• Common attack methods• Motives• Threat mitigation• Conclusion – Future of security
Introduction• Fail 2011: Year of the Hacks• New Hacktivist Groups• New Operations – #AntiSec • Protests government censorship & Internet monitoring – #Sony• Data leakage via PasteBin / PasteHTML• Hacking: easier than ever before
Key Players• Hacktivist Groups – Anonymous – LulzSec – TeaMp0isoN• Individual hackers/script kiddies• Nation States – China, Russia, Iran, Pakistan, etc.• Nation State Cyber Armys – Iranian Cyber Army – Indian Cyber Army – Pakistan Cyber Army – Albanian Cyber Army
January• 8th grade student – Ontario, Canada hacked into school servers to access test results – Using laptop & downloaded software• Lush Cosmetics (UK)– Data Breach – Credit card information compromised – Customers reported fraudulent charges on credit cards• Anonymous implemented DDOS attack on multiple African government websites – Tunisia, Egypt, and Zimbabwe• Security communities – Pakistan Cyber Army, rootsecurity.org, uNknown.eu – Claimed to be best or underground hacker forum – By TeaMp0isoN
February• Government websites – Britain – UK Foreign Secretary – Canada – Egypt – Italy – Yemen• Security communities – The Hacker News Network, by Albania Security Group – Indian Cyber Army, by Albania Security Group – Rootkit.com, by Anonymous
March• RSA Security, Inc. – Advanced Persistent Threat (APT) using social engineering • Excel spreadsheet exploited a zero-day Flash vulnerability – SecurID tokens used by financial, government and other sites were at risk – China suspect• Digital Certificate Authorities – Stolen certificates by 21 year old Iranian man – Protested US Policy & involvement in Stuxnet • Targeted Iran’s nuclear program, according to experts – Could spoof websites if compromised certificates not revoked in time • Google, Microsoft, Skype, Yahoo, etc.• Bank of America, London Stock Exchange, WordPress, display screens in Time Square, whatismyip.com, etc.
April• Operation Sony – Payback • George Hotz • Sony’s acquisition of IP addresses of visitors to his blog – Anonymous, LulzSec, Lebanese hacker Idahc and various other hackers – DDoS, SQL injection, etc. – Website defacement – Leakage of 77 million customers’ personal information • Names, birthdays, addresses, emails, usernames, passwords, credit cards, etc.
May• LulzSec formed – “Laughing at your security since 2011” – 50 Days of Lulz• Fox News X-Factor – 250,000 details exposed – By LulzSec• PBS Website – After Frontline Wikileaks program on Bradley Manning – Zero-day exploit on Movable Type 4 (MT4) by LulzSec – Passwords leaked and false report posted• Operation Sony continues – Sony Greece, Sony Indonesia, Sony Japan, Sony Ericsson, Sony PlayStation – Some were by LulzSec
June• Gmail – Passwords stolen with a phishing attack, also changed forwarding and delegation settings• Acer Europe – Pakistan Cyber Army, due to server admin error – Source code and user data of 40,000 people compromised• FBI Partner Infragard Atlanta – LulzSec, in an attempt to embarrass the FBI and security firm government contractor – Site hacked, defaced and 180 Infragard usernames and passwords leaked• U.S. Senate – LulzSec, “don’t like the U.S. government much” and “their sites aren’t very secure” – Server was on public side, so no sensitive data breached• CIA – LulzSec, ““Tango down — cia.gov — for the lulz”• Electronic Arts – System hosting BioWare Neverwinter Nights forum breached – IDs, passwords, e-mails, addresses, names, phones, CD keys and birthdates compromised
July• Apple – 26 admin usernames and passwords for an Apple server exposed.• Fox Twitter account – The Fox News Twitter feed was used to publish false reports that President Obama had been killed.• German Federal Police – hackers compromised a server used by the countrys customs service and posted location coordinates, license plate and telephone numbers, police usernames and passwords, and a GPS application in response to government communications interception.• Italian Polices National Center for Computer Crime and the Protection of Critical Infrastructure – Stole more than 8 GB of internal data that was allegedly seized during police investigations, including information on the Ministry of Transport in Egypt, Ministry of Defense in Australia, Russian companies and U.S. Justice Department.
August• 72 public and private organizations in 14 countries hacked• Government of Syria – Home page of the Syrian Ministry of Defense site defaced with Anonymous logo and a call for the downfall of President Bashar al-Assad.• Hong Kong Stock Exchange – Hackers broke into news site of Hong Kong stock exchange, where corporate filings are published, forcing the suspension of trading for seven companies.• Research in Motion – RIMs BlackBerry blog was hacked in retaliation for RIM offering to assist London police in combating rioters, many of whom are using BlackBerrys to organize. – By TeaMp0isoN• Citigroup Japan – Attack was perpetrated by a third-party vendor that had been given access to Citis internal systems. – Personal information of 92,408 Citigroup credit card customers in Japan was stolen and sold to third parties.
September• NBC News Twitter – 9/11 prank: plane attack underway at Ground Zero – By @S_kiddies, claimed affiliation with Anonymous• 50,000 WordPress sites – Infected with spam from wplinksforwork.com• 25,000 Austrian Police records – Posted on PasteHTML – by Anonymous• Operation Syria – 7 major Syrian government sites compromised – by Anonymous
October• U.S. Military – Predator and Reaper drones – Common key logger- registered the keystrokes pilots use to control the unmanned drones.• Operation DarkNet – 40 child pornography websites taken down – 1,500 users’ information exposed – By Anonymous• Operation Cartel – Targeted Los Zetas, after kidnapping of Anonymous member – Gustavo Rosario’s website defaced – By Anonymous
Anonymous Veracruz message to ZETAhttp://www.youtube.com/watch?v=bJORGO1Q2VY
November• Capital One Bank – DDOS attack – By Anonymous – Other victims that day listed on PasteBin• 150 international foreign government emails – By TeaMp0isoN – Usernames and passwords uploaded on PasteBin• Neo-Nazi website in Finland – By Anonymous – Personal information of 16,000 people leaked• Valve Steam – Steam forum defaced – intruders obtained access to a Steam database in addition to the forums. – Database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.
Common Attack Methods• Keylogging and spyware• Backdoor or command/control• Phishing• SQL injection• Abuse of system access/privileges• Unauthorized access via default credentials• violation of acceptable use and other policies• Unauthorized access via weak or misconfigured access control lists (ACLs)• Packet sniffing• Unauthorized access via stolen credentials• Pretexting or social engineering• Authentication bypass• Physical theft of asset• Brute-force attack
Threat Mitigation• Use a firewall• Least privilege – When prompted for root, ensure program is legitimate• Disable AutoPlay – Disconnect drives when not required• Disable file sharing if not needed – If needed, use ACLs and password protection – Disable anonymous access to shared folders Reference: Liang Yuan, Yi Li, Kai Xiao, Dennis Tran, Symantec
Threat Mitigation• Disable unnecessary services – If a threat exploits a service, disable or block access to it until a patch is applied• Keep patch levels up-to-date – Especially on computers hosting public services / accessible through firewall (HTTP, FTP, mail, DNS)• Block emails containing suspicious attachments – .vbs, .bat, .exe, .pif, .scr, etc.• Isolate compromised systems to prevent spread – Perform forensic analysis and restore systems using trusted media• Common security practices Reference: Liang Yuan, Yi Li, Kai Xiao, Dennis Tran, Symantec
Threat Mitigation• Enforce strict IT security policies• Perform regular audits and remediations• Have user awareness programs• Establish a disaster recovery plan• Attend security conferences – DefCon, DerbyCon, BruCon, SchmooCon, ReCon, RuxCon, ToorCon, SummerCon, NullCon, Infiltrate 2011, Hacker Halted USA 2011, etc.
Conclusion - Future of Security• Increased growth in – Cyber attacks – Cyber fraud – Cyber espionage – Hacktivist groups – Attempted attacks on industrial systems• More advanced attacks• Targeted attacks
References•  The Hacker News. "It’s Fail 2011 - Year of Hacks." http://thehackernews.com/2011/09/its-fail-2011-year-of-hacks.html?m=1.•  International Business Times. “Operation Anti-Security: Anonymous Yet to Act While LulzSec Rampage.” http://uk.ibtimes.com/articles/167639/20110622/lulzsec-lulz-security- anonymous-operation-anti-security-anti-sec-hacked-cleary-ryan-arrest-attack.htm.•  PSX-Scene. “Geohot: Here is Your PS3 Root Key.“ http://psx- scene.com/forums/f6/geohot-here-your-ps3-root-key-now-hello-world-proof- 74255/#post643883.•  UPI. “8th Grader Hacks School Server.” http://www.upi.com/Odd_News/2011/01/11/8th-grader-hacks-school-server/UPI- 91161294770552.•  PC Mag. “Nintendo 3DS Hacked Within 24 Hours.” http://www.pcmag.com/article2/0,2817,2381021,00.asp.•  InfoSec Island. “Sony Becomes Latest Operation Payback Attack Target.” https://www.infosecisland.com/blogview/12780-Sony-Becomes-Latest-Operation- Payback-Attack-Target.html.•  Pastebin. “50 Days of Lulz.” http://pastebin.com/1znEGmHa.
References•  Pastebin. “PBS.org Hacked and it was Not Done by SQL.” http://pastebin.com/0YULt1ZG.•  Schenk, M. “10 Tips for Securing Your Movable Type Installation.” http://www.movabletips.com/cgi-bin/mt/mt- search.cgi?IncludeBlogs=2&tag=0day&limit=20.•  Miller, Z. “The NBC News Twitter Account was Just Hacked in Disgusting 9/11 Prank.” http://www.businessinsider.com/nbc-news-twitter-account-hacked-in- disgusting-911-prank-2011-9.•  The Hacker News. “50000 WordPress Sites Infected with Spam.” http://thehackernews.com/2011/09/50000-wordpress-sites-infected-with.html.•  Twitter. “AnonAustria.” https://twitter.com/#!/AnonAustria/status/118131885997174784.•  Forbes. “Hackers Attack Child Porn Sites.” http://www.forbes.com/sites/mobiledia/2011/10/25/hackers-attack-child-porn- sites.•  The Hacker News. “Anonymous Hackers Threatening a Mexican Drug Cartel.” http://thehackernews.com/2011/10/anonymous-hackers-threatening- mexican.html.
References•  Gustavo Rosario. http://www.gustavorosario.com.•  Pastebin. “What a Good Day Huh.” http://pastebin.com/gkMGyQMd.•  Pastebin. “International Foreign Government E-Mails Hacked.” http://pastebin.com/X8s4Xqu4.•  The Hacker News. “Anonymous Hackers Hack Neo-Nazis Website and Leak Personal Info of 16,000 Finns.” http://thehackernews.com/2011/11/anonymous- hackers-hack-neo-nazis.html.•  Youtube. “Anonymous – Operation Blackout.” http://www.youtube.com/watch?v=czY-dZQsd-k.•  Martin, Bob, Mason Brown, Alan Paller, and Dennis Kirby. "2011 CWE/SANS Top 25 Most Dangerous Software Errors." MITRE and SANS. http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf.•  Yuan, L. (2011, September 6). Mebromi. Retrieved from http://www.symantec.com/security_response/writeup.jsp?docid=2011-090609- 4557-99&tabid=2•  Wasim, A. (2011, July 17). Looking back at the size of data breaches. Retrieved from http://superconductor.voltage.com/2011/07/looking-back-at-the- size-of-data-breaches.html