Wednesday, August 27, 2014

Feds warn first responders of dangerous hacking tool: Google Search

“Google dorking” warning from DHS and FBI calls out “advanced search” as a threat.

You may already be dorking.
In a restricted intelligence document distributed to police, public safety, and security organizations in July, the Department of Homeland Security warned of a “malicious activity” that could expose secrets and security vulnerabilities in organizations’ information systems. The name of that activity: “Google dorking.”
“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks,” the for-official-use-only Roll Call Release warned. “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.”
That’s right, if you’re using advanced operators for search on Google, such as “site:arstechnica.com” or “filetype:xls,” you’re behaving like a “malicious cyber actor.” Some organizations will react to you accessing information they thought was hidden as if you were a cybercriminal, as reporters at Scripps found out last year. Those individuals were accused of “hacking” the website of free cellphone provider TerraCom after discovering sensitive customer data openly accessible from the Internet via a Google search and an “automated” hacking tool: GNU’s Wget.
But this warning from the DHS and the FBI was mostly intended to give law enforcement and other organizations a sense of urgency to take a hard look at their own websites’ security. Local police departments have increasingly become the target of “hacktivists.” Recent examples include attacks on the Albuquerque Police Department’s network in March following the shooting of a homeless man and attacks on St. Louis County police networks in response to the recent events in Ferguson, Missouri.

Bad queries

A quick "dorking" query for a common PHP backdoor reveals 25 sites already rooted and ready for those up to no good.
It’s true that Google hacking, or “dorking,” has been used by hackers and penetration testers for years. Just as the National Security Agency can use its XKeyscore surveillance data as a targeting system for more intrusive attacks on intelligence targets, hackers can use Google to find and target vulnerable sites—including ones where the work of hacking has already been done for them. A single query based on the signature of a common PHP-based “shell,” malware that gives whoever finds it a backdoor into the operating system of the affected website, turns up a list of two dozen sites that have been hacked with the backdoor left open—most of them in Russia and Romania.
David Helkowski, the consultant who hacked the University of Maryland’s website and gained access to personal data in a university database, told Ars that he used Google advanced search to discover pages within UMD sites that allowed arbitrary Web executable files to be uploaded to them. Google searches allowed him to discover exploits that pre-existed on the site.
The DHS and the FBI called out two “dorking” incidents in particular to underscore the dire threat posed by not properly configuring robots.txt on websites. One of those was the October 2013 breach of more than 35,000 websites running vulnerable versions of the vBulletin Web bulletin board. The report says that a “dorking” query was used by hackers to identify websites that were still using an unpatched version of the software. The hackers could then attack them with open source exploit tools. Google was also allegedly used by attackers to target a vulnerable FTP server at Yale in 2011, exposing the Social Security numbers of 43,000 people.
There’s also a penetration testing tool called Diggity Project that can build automated queries against Google or Bing to locate files containing passwords, remote administration interfaces, and other vulnerabilities in Web-accessible computer systems. Diggity was called out specifically in the DHS/FBI intelligence report: “It contains both offensive and defensive tools and over 1,600 pre-made dork queries that leverage advanced search operators.”

Only you can prevent dorking

The Diggity Project is intended as a tool to help organizations secure their websites by finding the holes exposed by Google queries before someone with ill intent does. There’s also a vast database of tested-and-true Google queries in the Google Hacking Database hosted within Offensive Security’s Exploit Database site (though accessing the site, ironically, may be blocked by application firewalls used by Federal agencies because they contain keywords associated with Web malware).
These tools expose what Google already indexed. The best defense is to not have sensitive content indexed in the first place (or, if possible, to not have it on servers that face the public Internet to begin with—but let’s not get too far ahead of ourselves). The DHS and FBI recommended using Google’s Webmaster tools to remove things that shouldn’t have been indexed from their cache; they also suggested the liberal application of robots.txt files to tell Google and Bing to not spider down particular directory paths.
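As an added illustration of the robots.txt advice above (this is not code from the DHS/FBI release, Ars, or the tools named on this page; the host, the robots.txt and the sensitive paths are constructed), the script below uses Python's standard robotparser to check which sensitive paths a crawler could still fetch. It also shows two things the advice leaves out: a crawler-specific group replaces the `*` group instead of extending it, and the file is public, so every Disallow line advertises the path it is meant to hide.

```python
"""Audit a robots.txt against paths that must never be crawled.

Added example; host, robots.txt and paths below are constructed.
robots.txt is advisory: a crawler that ignores it, or a person who
reads it, still reaches the paths, so it complements access control
rather than replacing it.
"""
from urllib.robotparser import RobotFileParser

SITE = "https://example.gov"  # placeholder host (constructed)

# Constructed robots.txt. The Googlebot group was meant to add one
# Allow rule, but a crawler obeys only its most specific group, so
# for Googlebot the '*' group and its Disallow lines never apply.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /backup/

User-agent: Googlebot
Allow: /backup/public/
"""

# Constructed list of paths the site owner never wants indexed.
SENSITIVE_PATHS = [
    "/private/payroll.xls",
    "/backup/site.sql",
    "/backup/public/report.pdf",
    "/admin/login.php",
]


def parse_robots(text: str) -> RobotFileParser:
    """Parse robots.txt text without fetching anything over the network."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def crawlable_paths(robots_text: str, paths, agent: str) -> list:
    """Sensitive paths that the named crawler is still allowed to fetch."""
    rp = parse_robots(robots_text)
    return sorted(p for p in paths if rp.can_fetch(agent, SITE + p))


def advertised_paths(robots_text: str) -> list:
    """Paths the public robots.txt reveals through its Disallow lines."""
    found = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            found.append(value.strip())
    return found
```

Running `crawlable_paths(ROBOTS_TXT, SENSITIVE_PATHS, "Googlebot")` returns every sensitive path, while the same call for "Bingbot" returns only `/admin/login.php`, which no rule covers at all.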
To seasoned Web hands, all of this sounds glaringly obvious. But considering the nature of the websites operated by many state, local, and regional agencies—and much of the Federal government for that matter—it’s worth stating the obvious. The same is true for thousands of private websites on the Internet operated by businesses and individuals. The sites may not seem important enough in themselves to secure, but they may inadvertently be connected to sensitive customer or employee information.

Monday, August 25, 2014

DHS Employees Data Revealed

US government employees are the victims of the latest security breach. A contractor for the government has revealed that sensitive information on at least 25,000 workers has been obtained as a result of a cyber attack. The information includes standard personal details like Social Security numbers and birth dates, as well as workers' educational and criminal backgrounds. It also includes information on family members, relatives, and acquaintances.
The data is so complete because the hack targeted a company named US Investigations Services, or USIS, which handles background checks for agencies such as the Department of Homeland Security. The breach specifically included information on employees at the agency's Immigration and Customs Enforcement and U.S. Customs and Border Protection departments, according to Reuters. It could also contain information on some undercover workers. In a statement, the company said that "records including this data were exposed to unauthorized users during the cybersecurity intrusion," adding, "we do not yet know whether the data was actually taken."
The attack was first revealed earlier this month, at which time the company said that it had "all the markings of a state-sponsored attack." Only now has the breadth of the attack been revealed. If the cyber attack was executed by or for a foreign nation, experts suggest the info could be used to coerce or blackmail workers at the Department of Homeland Security. The agency, created after the events of September 11th, is charged with preventing terrorist attacks on US soil, and it is in charge of border control, among other tasks. Since the attack was revealed, the agency has stopped doing work with USIS as the FBI continues its investigation into the breach.

Monday, August 18, 2014

Chinese Hackers Steal Hospital Records

Why Chinese Hackers Stole 4.5 Million US Hospital Records
This month's installment of Chinese hackers stealing your data focuses on breaches at an especially scary type of venue: hospitals. A massive hospital empire that mostly serves small towns and rural areas reports that hackers lifted 4.5 million patient records earlier this year. You might be surprised by what the hackers were after.
The attack affected Community Health Systems, the operators of 206 hospitals in 29 states. The company described the hackers as an "Advanced Persistent Threat" group from China in an SEC regulatory filing and hired a firm called Mandiant to investigate. This was a good choice since Mandiant coined the term "Advanced Persistent Threat" when describing a Chinese Army unit that's been launching similar attacks—a New York Times report last month claimed that this unit was going after smaller federal agencies.
While it's unclear whether the hackers who attacked the hospitals are the same Chinese Army unit, the methods were similar. Re/Code sums up a Mandiant report from last year that describes these types of attacks:
On average, the hackers would spend nearly a year perusing a targeted company's systems looking for sensitive information to steal: Product development plans, manufacturing techniques, business plans and the email messages of senior executives. The point is to help Chinese companies be more competitive.
And that description appears to match up to these most recent attacks. Apparently, the Chinese hackers didn't seek out medical information but rather "non-medical patient identification data related to the Company's physician practice operations." So they're either trying to steal identities or figure out how American doctors work.
Either way, many of you can expect to receive a letter from Community Health Systems in the coming weeks. And hopefully, the inconvenience stops there. [Re/Code]

Friday, August 15, 2014

Pop-up Ad Inventor

"I'm sorry. Our intentions were good."
Ethan Zuckerman was a designer and programmer for the early web-hosting service Tripod.com when a car company freaked out. The unspecified manufacturer had bought a banner ad on a page that "celebrated anal sex," and was not too pleased at the association of its brand with sexual escapades. Tripod had the solution: what if an advert could launch in its own window? Zuckerman wrote the code for the world's first pop-up ad, and for many years it was impossible to browse without being inundated by pop-ups.
You'll still find some pop-ups in the seedier parts of the internet, of course, but they're few and far between. Thanks to work from Netscape and Opera, who were the first to add pop-up blockers into their products, the majority of web browsers now prevent sites from launching hundreds of ad windows. Regardless of public opinion, the pop-up ad was instrumental in defining advertising as the primary business model for websites, but Zuckerman now believes there's a better way. In a long essay for The Atlantic, he explains how online advertising became the behemoth that it is, and what we can do about it.

More Credit Cards Stolen

Welcome to the weekend everyone! What better way to kick things off than with the news that one of the nation’s largest supermarket operators has had its card payment system compromised at chains like Albertsons, Jewel-Osco, Shaw’s, and ACME. According to AB Acquisition LLC, which operates these chains and others, the company “recently learned of an unlawful intrusion to obtain credit and debit card payment information in some of its stores.”
The company says that it has brought in the authorities and that it is working with its IT services provider and third-party data forensics experts to investigate the cause and breadth of the breach.
It looks like the hack began on June 22 and ended by July 17.
As of this morning, AB Acquisition said it could not find evidence that any cardholder data was in fact stolen, or that any cardholder information had been misused.
In a statement, the company said it “believes that the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.”
The hack affected the following stores:
Albertsons: stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah.
ACME: stores in Pennsylvania, Maryland, Delaware and New Jersey.
Jewel-Osco: stores in Iowa, Illinois and Indiana.
Shaw’s and Star Markets: stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.
The company says it will be posting more information on albertsons.com, acmemarkets.com, jewelosco.com, and shaws.com within 24 hours.
Customers whose cards may have been affected are being offered 12 months of complimentary consumer identity protection services. Starting today at 4 p.m. ET, concerned customers from these stores can call AllClear ID at 1-855-865-4449 to learn about this offer.

Security Badge Secure?

Security conferences are a great place to learn about the latest hacking tricks, tools and exploits, but they also remind us of important stuff that was shown to be hackable in previous years yet never really got fixed. Perhaps the best example of this at last week’s annual DefCon security conference in Las Vegas came from hackers who built on research first released in 2010 to show just how trivial it still is to read, modify and clone most HID cards — the rectangular white plastic “smart” cards that organizations worldwide distribute to employees for security badges.
HID iClass proximity card.
Nearly four years ago, researchers at the Chaos Communication Congress (CCC), a security conference in Berlin, released a paper (PDF) demonstrating a serious vulnerability in smart cards made by Austin, Texas-based HID Global, by far the largest manufacturer of these devices. The CCC researchers showed that the card reader device that HID sells to validate the data stored on its then-new line of iClass proximity cards includes the master encryption key needed to read data on those cards.
More importantly, the researchers proved that anyone with physical access to one of these readers could extract the encryption key and use it to read, clone, and modify data stored on any HID cards made to work with those readers.
At the time, HID responded by modifying future models of card readers so that the firmware stored inside them could not be so easily dumped or read (i.e., the company removed the external serial interface on new readers). But according to researchers, HID never changed the master encryption key for its readers, likely because doing so would require customers using the product to modify or replace all of their readers and cards — a costly proposition by any measure given HID’s huge market share.
Unfortunately, this means that anyone with a modicum of hardware hacking skills, an eBay account, and a budget of less than $500 can grab a copy of the master encryption key and create a portable system for reading and cloning HID cards. At least, that was the gist of the DefCon talk given last week by the co-founders of Lares Consulting, a company that gets hired to test clients’ physical and network security.
Lares’ Joshua Perrymon and Eric Smith demonstrated how an HID parking garage reader capable of reading cards up to three feet away was purchased off of eBay and modified to fit inside of a common backpack. Wearing this backpack, an attacker looking to gain access to a building protected by HID’s iClass cards could obtain that access simply by walking up to an employee of the targeted organization and asking for directions, a light of a cigarette, or some other pretext.
Card cloning gear fits in a briefcase. Image: Lares Consulting.

Perrymon and Smith noted that, thanks to software tools available online, it’s easy to take card data gathered by the mobile reader and encode it onto a new card (also broadly available on eBay for a few pennies apiece). Worse yet, the attacker is then also able to gain access to areas of the targeted facility that are off-limits to the legitimate owner of the card that was cloned, because the ones and zeros stored on the card that specify that access level also can be modified.
Smith said he and Perrymon wanted to revive the issue at DefCon to raise awareness about a widespread vulnerability in physical security. HID did not respond to multiple requests for comment.
“Until recently, no one has really demonstrated properly what the risk is to a business here,” Smith said. “SCADA installations, hospitals, airports…a lot of them use HID cards because HID is the leader in this space, but they’re using compromised technology. Your card might not have data center or HR access but I can get into those places within your organization just by coming up to some employee standing outside the building and bumming a light off of him.”
Organizations that are vulnerable have several options. Probably the cheapest involves the use of some type of sleeve for the smart cards. The wireless communications technology that these cards use to transmit data, called radio-frequency identification or RFID, can be blocked when not in use by storing the key cards inside a special RFID-shielding sleeve or wallet. Of course, organizations can replace their readers with newer (perhaps non-HID?) technology, and/or add biometric components to card readers, but these options could get pricey in a hurry.
A copy of the slides from Perrymon and Smith’s DefCon talk is available here.