Tag Archives: Cybercrime

Flight MH370 – did cyber attack steal its secret?

Classified documents relating to the missing Malaysian Airlines Flight MH370 were stolen using a carefully-crafted spear-phishing attack, targeting 30 government officials just one day after the disappearance of the still-missing aircraft.

The Malaysian Star claims that the attack targeted officials with a PDF document which appeared to be a news report about Flight MH370, and was sent to a group of investigators. Around 30 computers were infected by the malware.

“We received reports from the administrators of the agencies telling us that their network was congested with e-mail going out of their servers,” CyberSecurity Malaysia chief exec Dr Amirudin Abdul Wahab said.

Flight MH370: ‘Confidential data’

“Those e-mail contained confidential data from the officials’ computers, including the minutes of meetings and classified documents. Some of these were related to the Flight MH370 investigation.”

Business Insider says that the attack occurred one day after the Boeing 777 went missing, and took the form of an .exe file disguised as a PDF (a common office file format).

It’s unclear who the attacker – or attackers – were, but information from infected computers was transmitted to an IP address in China. Officials in Malaysia blocked the transmission, The Star said.

‘Very sophisticated attack’

Department of Civil Aviation, the National Security Council and Malaysia Airlines were among those targeted by the hacker, the Telegraph reports. The infected machines were shut down, but “significant amounts” of information on Flight MH370 had been stolen.

“This was well-crafted malware that antivirus programs couldn’t detect. It was a very sophisticated attack,” Amirudin said.

CyberSecurity Malaysia suspects the motivation may have been curiosity about supposedly “secret” information held by the Malaysian government on Flight MH370.

“At that time, there were some people accusing the Government of not releasing crucial information,” Amirudin said.“But everything on the investigation had been disclosed.”

The post Flight MH370 – did cyber attack steal its secret? appeared first on We Live Security.

Traffic light – ‘easy’ to hack whole city’s systems

The most famous traffic light ‘hack’ in history is in the classic film, The Italian Job (1969), a caper movie where the heist involves paralyzing Turin via its traffic control system. The plan’s author, played by Michael Caine, says, “It’s a very difficult job and the only way to get through it is we all work together as a team. And that means you do everything I say.”

The reality, it turns out, is much easier – at least according to researchers at the University of Michigan, who say that networked traffic systems are left vulnerable by unencrypted radio signals and factory-default passwords, and that access to individual lights – or even a city-wide attack, as in the film, is possible, according to Time’s report.

“This paper shows that these types of systems often have safety in mind but may forget the importance of security,” the researchers write. Technology Review points out that Michigan’s system, which networks 100 lights, is far from unique. Similar systems are used in 40 states.

An attacker focused, like the film’s ‘crew’ on robbery could control a series of lights to give himself passage through intersections, and then turn them red to slow emergency vehicles in pursuit, according to the BBC’s report.

Traffic light: Blow the bloody doors off

“Once the network is accessed at a single point, the attacker can send commands to any intersection on the network,” the researchers write.

“This means an adversary need only attack the weakest link in the system. The wireless connections are unencrypted and the radios use factory default user-names and passwords.”

Traffic light controllers also have known vulnerabilities, and attacks could paralyze cities: a traffic DDOS could, the researchers suggest, turn all lights to red, and cause “confusion” across a city.

Lights ‘go green automatically’ as thief escapes

“An attacker can also control lights for personal gain. Traffic lights could be changed to be green along the route the attacker is driving,” the researchers write.

“Since these attacks are remote, this could even be done automatically as she drove, with the traffic lights being reset to normal functionality after she passes through the intersection.”

“More maliciously, lights could be changed to red in coordination with another attack in order to cause traffic congestion and slow emergency vehicle response,” they write.They also suggest measures including encrypted signals and firewalls which could improve current systems.

Perhaps a film reboot is in order: after all, the 1969 version ends with Caine saying, “Hang on, lads; I’ve got a great idea.”

The post Traffic light – ‘easy’ to hack whole city’s systems appeared first on We Live Security.

Gamescom: How gaming grew up into a target for crime

With over double the attendance of San Diego’s Comic-Con (340,000 attendees last year, compared to Comic-Con’s 130,000), gamescom highlights not just how pervasive video games have become in our lives, but also how video games have gone since the late 1970s and early 1980s from being a small offshoot of the “traditional” computing industry to becoming a full-fledged multi-billion dollar industry in themselves. Today, companies like Microsoft, Nintendo and SONY generate billions of dollars from sales of games and gaming consoles; and there is a burgeoning market for dedicated gaming hardware for PCs ranging from specialized graphics processors from companies like AMD (formerly ATI) and Nvidia to exotic cooling solutions using liquid nitrogen and metalized thermal interface materials; to the creation of AAA games such as Electronic Arts‘ fifteen year old (and still going strong) The Sims franchise, and Blizzard‘s World of Warcraft, which redefined MMORPG gaming.

Gaming by the numbers

To get an idea of just how pervasive computer gaming is, let’s look at these successful games and consoles, and match them up with some other real-world numbers:

ITEM
NUMBER
EQUIVALENT TO
The Sims 175 000 000
(copies sold over 15 years)
Combined population of Austria, Belgium, Denmark, Germany, Liechtenstein, Luxembourg, Netherlands, Poland, Slovakia and Switzerland
World of Warcraft 7 600 000
(avg. # players over
last 4 quarters)
Cost of 2014 upgrades (in
USD) to Kensington Palace,
United Kingdom
8th generation console units 18 680 000
(PS4+Wii+XBONE units shipped/sold)
Average number of viewers per
episode of Big Bang Theory
during its 2012-2013 season

Computer gaming is a huge and a wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem.  But in virtual worlds, can real crimes occur?

Game Crime

gamescom

As gaming has moved online, as with next-gen consoles such as Xbox One, crime has moved in

As it actually turns out, there’s actually quite a bit of undesirable activity that can occur online, such as trolling or griefing, which have occurred for as long as people have been playing games online.  The exact nature of these activities varies between games, as do their consequences, but while some online behavior is horrifying, it is not always clear whether an actual crime, prosecutable outside of cyberspace, has occurred and, if so, in what jurisdictions.  Likewise, cheating, while unsportsmanlike, may be a violation of a game’s acceptable-use policy, but not a criminal offense.

Doing time, online

Computer game companies police their virtual worlds to various degrees, as unwanted or objectionable in-game behavior could cause paying customers to leave en masse, with a corresponding drop in revenue.  If warnings are not sufficient, the usual sentence for abusive users is to ban them from playing the game for a fixed amount of time.  Repeat offenders, or those who may have done something especially offensive, may find themselves permanently banned from the game and their accounts closed.

Real thieves in a virtual world

The sale of virtual goods (including virtual currencies) is an important part of in-game economies, but also presents criminals with some unique opportunities as well:

Theft of Goods

The longer you play a MMORPG, the more likely you are to get items which are rare, limited edition, unique or otherwise contain powerful buffs for your character.  Game companies create these kinds of items and adjust their scarcity because it helps encourage gamers to pay real money, either for the items themselves, or for in-game currency.  Or the developer may charge a subscription fee to play the game.  And that use of real money is what makes some games lucrative targets for thieves.

In some games’ player-versus-player (PvP) combat, the losers of fights may drop items that they were using in their inventory or currency, upon their in-game death.  In some games, this has led to the creation of gangs or “mafias” who often target new players, either to “loot their corpses” or merely to threaten them with looting in order to obtain their items or currency.

In the real world, gamers are regularly targeted by criminal gangs with phishing emails, as well as password stealing software, in order to gain access to their account credentials.  From there, it is a simple matter for the criminals to empty out the gamer’s account, akin to taking the jewels out of some kind of high-tech safe deposit box.

While some game companies employ sophisticated geolocation tracking and even two-factor authentication systems identical to those employed by banks, others do not, and this makes those game accounts not only vulnerable to being emptied out, but to being stolen themselves.  It can take years of grinding away at some games to reach the upper levels.  For some unsporting game players, that represents an almost irresistible target.

Counterfeiting items

The amount of virtual items (including virtual currencies) is usually carefully calculated by gaming companies, even to the point of employing economists, to help ensure the stability of their virtual economy.  Unfortunately, as in the real world, some virtual worlds are subject to counterfeiting, where in-game items or currency is duped (“duplicated”) over and over again by criminal gangs by exploiting vulnerabilities or bugs in the game, network connection or timing issues, and so forth.

If an in-game item can be duped ad nauseam, it can generate a lot of money, especially if it is the in-game currency that is being copied, and not some scarce or unique item.  While item duping may not be enough to disrupt the in-game economy if the item is not being sold, it does disrupt game play and fairness when characters become seriously overbalanced.

Regardless of why it is being done, counterfeiting can be difficult to deal with, especially if the recipient of a duped item is not aware of its provenance.  This may not stop game admins from removing counterfeit items or currency from a gamer’s account, or even banning the gamer, though.

Gold farming

Although in-game currency is not always golden coins, gold farming is the generic term used to describe players who do nothing but play a game in order to generate in-game currency, which they sell online for real-world currency.  This is particularly problematic in China, where there have been reports that prisoners are used as slave labor to generate revenue for prison authorities.

As with item duping, gold farming is disruptive to gaming economies because it leads to inflation.  Aside from that, it also leads to other problems, both in-game and in the real world, with being spammed with advertisements for gold.  And, as with selling counterfeit or stolen goods, one runs the risk of having the items removed by the game admins or even being banned for having received counterfeit or stolen virtual property.

Companies under assault

Of course, computer criminals don’t just target gamers:  Gaming companies themselves can be targeted as well.  Probably the most well-known example of this is the April 2011 breach of the SONY PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts.

ESET provided extensive coverage of the SONY data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago.  As a result, I am not going to discuss the details of the SONY breach in this article.  Readers should be aware that this sort of problem is not unique to SONY, either.  Almost exactly, two years ago, Blizzard Entertainment suffered a data breach themselves, although they responded in a different and—this author thinks—more responsible fashion.

The point here is that that computer game companies and their associated services face real threats from criminals:  If they charge customers for online play, the purchase of in-game items, or otherwise contain customer billing data in their computers, then those computers systems are targets for financial crime.  But even if they don’t charge customers, their systems might still be targeted by criminals seeking access to accounts for the reasons mentioned in the preceding section.  Game companies recognize this, of course, and as a result their security practices have improved greatly over the past couple of years.

Final thoughts

For the most part, computer gaming poses no additional risks beyond any other activities you might perform on the Internet.  You may, however, wish to take a few extra precautions, as outlined in the previous two articles from We Live Security:

I would also suggest reading our Comic-Con 2014: Eight super-powered digital safety tips article.  While Comic-Con is not exactly the same type of conference as gamescom, going to any type of conference with your computer, tablet, smartphone and various digital devices poses similar risks these days, and you may find some helpful information in that article.

Thanks to my colleagues Bruce P. Burrell, David Harley and Righard Zwienenberg for their assistance with this article.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher, ESET

 

Selected Bibliography

For further reading, here is a fairly complete compendium of gaming-related articles from We Live Security:

The post Gamescom: How gaming grew up into a target for crime appeared first on We Live Security.

Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars

It’s still high season for security news, with the last days of DEF CON 22 luring out the best in the business – and causing controversy (as, of course, it should).

The biggest draw was a hack which knocked out the “ultra-private” encrypted Blackphone in just five minutes – although there was much discussion of the techniques used. Silent Circle, creators of the PGP encryption standard, took a secure, dignified response.

They patched – fast – and admitted their errors, saying, “No hard feelings — things get fixed by being found.”

Android versus RAT: Rodent wins

Android users in Russia were offered a bundle of free apps – with one catch. Each had been tweaked to hide malware – a RAT built to steal information. Remote Access Trojans (found on both PCs and Adroid devices) allows an attacker access to data – in the case of Android/Spy.Krysanec, GPS location, contacts lists, web history, contacts lists and more.

This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security. Naturally, it was shared through third-party app stores and social sites – not Google Play.

The malware was found to be distributed through several channels, including a typical filesharing (think Warez) site or a Russian social network.

ESET’s Robert Lipovsky says: “users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app.”

Wi-Fi: The skies are safe once more

The good news – your aeroplane will not plunge from the skies thanks to hackers armed with iPads – and the idea of hacking planes via Wi-Fi is silly. The bad news: things ARE getting worse.

Black Hat is no stranger to world-changing hacks – but Ruben Santamarta’s talk was described by CNET as “the hacking presentation that will get the most attention”, claiming that plane security could be hacked wirelessly, by Wi-Fi or even SMS.

The debunking didn’t take long. Dr Phil Polstra of Bloomsburg University has the credentials – he holds 12 aviation ratings, all current, including aircraft mechanic and avionics technician, thousands of hours of flight time, and has worked on on the development of avionics found in modern airliners. He also recruited an even more qualified but anonymous pilot to help.

Short answer: planes cannot be hacked wirelessly – any model ever built. Strict rules prevent avionics systems from being accessible via wireless – except in Boeing aircrafts, which use a system “harder to hack” he says.

Several companies have already said wireless hacks were “impossible”, and that access to wired systems restricted: “In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only,” said one.

Polstra warned, however, that “increasing automation” may lead to problems in the future.

Security news: Your router is a time bomb

No wonder cybercrime gangs target routers – yet another “live fire” test against the devices proved they were packed with vulnerabilities. More than a dozen were found in the challenge at DEF CON – and one router-hunter found 11 on his own.

PC World described the devices – the portal into most home networks – as “insecure as ever” as hackers romped through challenges against big-brand devices from Linksys, Netgear, D-Link, Belkin and others.

Once again, the routers proved weak foes – and a second challenge, to extract information from the devices, proved equally easy for the contestants.

Cyberjacking: It’s a word, and it’s happening (soon)

Two researchers who have previously demonstrated hacks against cars declared a new threat this week – in-car web browsers.

In an exhaustive analysis of top car brands, the researchers found that while it WAS possible to compromise systems, the results were limited. A BlueTooth hack, for instance, would not compromise the vehicle – but allow attackers to ‘pair’ devices.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A SlashDot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.

 

Two-factor security: We want it now!

Millions of Americans were directly affected by the breach at Target – and as cybercriminals increasingly take aim at POS terminals, similar tragedies look likely in future.

But American banks and card companies have been slow to reassure customers with measures such as two-factor security systems.

A report found that two-factor security was STILL not on offer at major banks such as Citibank, Capital One and for AmEx cards, when it came to online banking. Many other banks require customers to opt in.

The reason, the NYT claims, is economy – for the banks, “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

An ESET video explains what two-factor is, and why it works, here.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

 

The post Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars appeared first on We Live Security.

Russian PM has his Twitter account hacked, announces “I resign”

There may be red faces in Red Square, after Russian prime minister Dmitry Medvedev had his Twitter account hacked.

The Russian-language account @MedvedevRussia, which has more than 2.5 million followers, was compromised on Thursday by hackers who posted messages suggesting Medvedev was immediately resigning, and making criticisms of Russia’s president Vladimir Putin.

The hackers tweeted out a resignation message from the Russian PM

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

I resign. I am ashamed for the actions of the government. I’m sorry

If such an announcement were genuine, of course, it would make headlines and raise eyebrows around the world.

But when the hackers followed up by posting messages on the account proposing the banning of electricity, and that the Russian PM would now pursue a career as a professional freelance photographer, it should have become obvious to everyone that Medvedev was no longer in control of his social media account.

According to media reports, the Twitter account was under the control of hackers for approximately 40 minutes yesterday before control was wrestled back by the PM’s office.

The only silver lining is that whoever hacked the account did not take advantage of the situation to direct some of the Medvedev’s 2.5 million followers to websites which might have contained malware designed to infect their computers.

A hacker calling themselves Shaltay Boltay (“Humpty Dumpty”) has claimed responsibility for the hack. Besides the attack on Medvedev’s Twitter account, Shaltay Boltay has also in the past published internal Kremlin documents and leaked private emails from government officials.

Shaltay Boltay's Twitter account

Shaltay Boltay, who describes him or herself as a member of Anonymous on their Twitter profile, posted a message claiming that they they had also managed to compromise the Gmail account and three iPhones belonging to the Russian prime minister. However, whether that is true or not is open to question.

In all likelihood, a busy chap like Dmitry Medvedev isn’t running his Twitter account on his own. Chances are that he has staff in his office who assist him with his social media presence.

And there lies the problem.

Although Twitter has introduced extra levels of protection like two factor authentication to better protect accounts from being hijacked, it doesn’t have good systems in place that work well when more than one person is accessing and posting from a Twitter account.

It would only have taken Medvedev, or one of his staff, to have been careless with their passwords once, or to have used an easy-to-guess password, or to have used the same password elsewhere on the web, for the hackers to have found the weak point necessary to break in and seize control.

Remember – you should always be careful with your passwords. Choose passwords wisely, make sure that they are hard to crack, hard to guess and that you are not using them anywhere else online.

If you find it hard to remember your passwords (which would be understandable if you are following the advice above) use a password management program which can remember them for you, and store them securely behind one master password that you *will* remember.

And once you’re following a strong password policy, ensure that you are always careful where you are entering your passwords, that you never enter them on a third-party site that could be phishing for your credentials, and be sure not to share passwords with friends or colleagues unsafely.

The post Russian PM has his Twitter account hacked, announces “I resign” appeared first on We Live Security.

2FA – are big banks failing America?

The Target breach caused real damage to millions of American card users – but big financial institutions are doing little to remedy security issues, according to the New York Times.

A report found that two-factor security was STILL not on offer at major banks such as Citibank, Capital One and for AmEx cards, when it came to online banking. Many other banks require customers to opt in.

The reason, the NYT claims, is economy – for the banks, “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

2FA: Big savings – for banks

The opinion piece, a plea for increased adoption of two-factor authentication systems, has ignited debate.

Computer World discusses if there are any “silver bullets” for a world where passwords are stolen in industrial quantities. Some attacks such as a recent attempt against PayPal have attempted to bypass these systems – but they are still another hurdle for gangs to clear.

The below ESET video explains what two-factor is.

Two-factor systems are far more secure than passwords – many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happened if a 2FA system had been in place. Even if a hacker places malware on a PC and steals a password, they are still locked out.

2FA: Why are banks failing us?

Information Week says that 2FA systems are a key part of ensuring corporate security: “Passwords are the Achilles heel of any network. Around 80% of all domain compromises carried out by our Penetration Testing team come from either a weak password being set, or a password being reused somewhere. Any company that takes its security seriously should protect privileged accounts with strong two-factor authentication (2FA).”

A recent report found that two-thirds of companies who allowed ‘working from home’ failed to provide secure access to company networks, putting private corporate information at risk.

Two-factor systems can help small businesses by allowing home working – and cutting overheads such as office space.

Bank attacks – safety tips

Both Information Age and Computer World suggested further measures – with Computer World suggesting Google Chromebooks as ideal for banking.

“Like private browsing, guest mode erases all traces of your browsing activity when you’re done, but in addition, it also starts you off with a clean slate. That is, when you logon as a Guest there are no cookies, favorites or browsing history to be discovered, stolen or manipulated,” the magazine writes.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

Many sites – including Twitter, Gmail and Dropbox – offer two-factor systems already, free, although you have to enable them yourself – it’s usually found under Settings or Privacy, and most sites walk you through the process.

It’s worth doing so if you keep any private information in such accounts – and particularly if you store sensitive business information.

Two-factor authentication makes it far more difficult – although not impossible – for cybercriminals to break into accounts on sites such as Twitter and Dropbox. At present, though, the system is “opt-in” – you have to go to settings, and add your authentication method manually.

 

The post 2FA – are big banks failing America? appeared first on We Live Security.