Tag Archives: hacking

ITNow – Hacktivism and Anonymous

The following introduction was originally published in the Information Security section of the BCS ITNow Magazine, Summer 2012 issue (Volume 54, Issue 2), which was on the topic of Hacktivism and Anonymous:

There is a lot more to online activists, such as Anonymous, than the mainstream media would have us believe, says Gareth Niblett, Chair of BCS ISSG.

Just as the media often uses ‘terrorism’ and ‘Al-Qaida’ as shorthand for a broad church of Islamist militants, so too they use ‘hacktivism’ and ‘Anonymous’ to describe a diverse collection of attackers and motives.

This oversimplification means that the true motivations and intents of online vigilantes are not always adequately acknowledged or addressed.

It is too easy to put them in the ‘bad guy’ bucket and overlook well-intentioned, albeit illegal, activities – such as hunting down online sexual predators, exposing authoritarian regimes, protesting greed and corruption, undermining state censorship and so on.

Anonymous affiliated offshoots, such as AnonOps, LulzSec and AntiSec each have different members, objectives and approaches that lead to different types of targets and attacks – some of these are more questionable than others.

As the authorities close in on the more active members of these ‘leaderless’ groups, plenty of others adopt the anonymous concept whether as members of the franchise or simply following in its wake.

Fear of attack

One recent survey of ‘security experts’ concluded that most were concerned about being attacked by Anonymous.

I’m not sure that I’d be most concerned about them, versus say a more subtle state-sponsored long-term infiltration, as although an attack would be embarrassing it would also likely be relatively obvious and possible to quickly assess the impact.

Although I cannot support the illegal actions of Anonymous, I think we should not be too quick in demonising them either because, as in all things relating to human nature, things are often more nuanced than the headlines might lead one to believe.”

A PDF version of the magazine is available online to BCS members at:

http://www.bcs.org/upload/pdf/itnow-jun12.pdf

Preventing Voicemail Hacking

The following article on preventing voicemail hacking was originally published on the BCS website:

Voicemail hacking is not new. The two main methods are guessing PINs or using spoofing to bypass caller ID-based access control.

For convenient remote access to voicemail, e.g. where caller ID is not available or when the user is calling from a different phone, service providers allow users to authenticate through the use of PINs. Invariably these are short, usually four digits, and often they are preset to a known default – making hacking a simple guessing game.

Where caller ID is available, service providers use it to automatically identify users and allow direct access into their voicemail boxes. Unfortunately, caller ID spoofing has been around, for legitimate reasons, as long as caller ID. This facility can be misused to falsely represent the Calling Party and bypass such access control.

Historically, unlike other forms of login, service providers have not put much effort into the prevention and detection of brute force PIN guessing or caller ID spoofing attacks. Some limit the number of attempts per call, say to three, but attackers can set up automated brute force attack systems to break even a four digit PIN over a weekend.

In the US it is not illegal, at the federal level, to offer a public caller ID spoofing service. In the UK, regulator Ofcom has wisely chosen to try and restrict such public services offerings. Unfortunately, access to the right switchboard software or network signalling can enable a caller to set whatever Caller ID they wish.

Caller ID spoofing services can help reduce this type of fraud by not allowing the spoofing of a calling ID where it is the same as the called party number, so that someone cannot masquerade as a mobile phone and be automatically admitted by the mobile operator’s filtering mechanism. Some already have this restriction.

Mobile operators could improve things by:

  1. requiring robust PIN numbers are set for all accounts with voicemail;
  2. notifying users of (repeated) failed attempts to login to accounts – not just with a voicemail (as one operator does), which a successful attacker would delete;
  3. only trusting calls, presenting caller IDs of their own customers, originating from their own and roaming partner networks;
  4. relying less on presentation ID (easily spoofed) than network ID (less easily spoofed) when automatically connecting a caller to voicemail.

Users could improve things by:

  1. regularly changing voicemail PIN to a non-predicable numbers, so that if you were compromised you lock out your attacker until they can break in again;
  2. listening out for old message they don’t recall hearing before;
  3. noticing when told of a voicemail being left that they did not receive;
  4. disabling voicemail where not required or concerned about intrusion.

Awareness is the name of the game and reporting suspected breaches to your service provider, police and the Information Commissioner’s Office will maintain focus on this continued area of weakness in personal communications.

Gareth Niblett is the chair of BCS ISSG and previously a CISO at a telecommunications group.

Edited from my submitted text, due to length, were the following paragraphs that you may also find useful:

“Business voicemail, as a feature of a private branch exchange (PBX) or automated call distribution (ACD) system, is also vulnerable to poorly set PINs – which are often the last digits of the direct dial in (DDI) number or the same as the extension or a common default – Caller ID spoofing or simply using the target’s handset.

Skype and VoIP services also provide a voicemail capability, and where software clients are used there is also the risk of malware that could allow an attacker to gain access to credentials or data enabling them to monitor calls or messages. Staying up-to-date with patches and anti-virus updates, as well as strong passwords, will help.”

The original version of this piece is available online at:

http://www.bcs.org/content/conWebDoc/41177

Computing – Opinion: Sony PSN Hack

The following brief opinion piece was originally published as an Opinion piece in Computing, on the topic of the recent large-scale Sony hacks, including of the PlayStation Network (PSN):

“Over the past few weeks there has been a lot of complaint and speculation about the significant compromises of the Sony PlayStation Network (PSN), Qriosity and Sony Online Entertainment (SOE) affecting over 100 million accounts. I don’t know all the facts, as they are still emerging, but I have a few general views:

1. Be prepared
Ensure that you have an effective communications plan, which you can enact quickly. Sony and Apple have recently both been castigated for their time to both acknowledge and respond to issues. People shouldn’t expect answers immediately, but they would like to know that you’re actively addressing the situation.

Have a forensic readiness plan, retaining technical and investigative expertise as required. This will help minimise contamination of evidence whilst controlling the incident – essential if you want to know how they got in, what they did, what trail they left. Without this, you have no realistic chance for a successful prosecution.

2. Treat customer data as your own
It’s one thing to spend lots of effort in protecting your information with DRM, DMCA takedown notices, rootkits, and legal threats & proceedings and another to leave personal data such as e-mail addresses, phone numbers and passwords in the clear. Just encrypting credit card data, to get your PCI-DSS tick in the box, is not enough.

Validated email addresses have value to spammers, real names help phishers, dates of birth help facilitate identity fraud, password reuse is big with users leading to further compromises. Learn from other attacks, such as on Epsilon and Gawker. Governments looking to spy on dissidents have targeted Facebook and Gmail.

If it is popular, expect it to be targeted and hacked. Build your platform to minimise impact.

3. Expect legal and regulatory fallout
In our interconnected world, there is a raft of jurisdictionally specific (and sometimes conflicting) legal and regulatory requirements that large online services need to be aware of and compliant with, including ones covering data breach notifications and privacy of personal and financial data. Investigations may ensue.

Fines may be imposed by data protection and financial regulators, and individual or class action suits may be brought. These could be anywhere you are considered to operate your service. The Sony and Hotz ‘PS3 hacking’ case demonstrated this can be a complex and fraught process. Make sure you have access to a great legal team.

This hacking incident may have brought some positives in that Sony has now learnt some of the above lessons, and has a new Chief Information Security Officer (CISO) role that, hopefully, has the remit to improve security and privacy practices, and the PSN users have gone outside to enjoy the spring sunshine.”

The original version of this piece is available online at:

http://www.computing.co.uk/ctg/opinion/2071155/firm-learn-sony-psn-debacle

Computer Weekly – Think Tank

I provided a response to the Computer Weekly Think Tank question ‘What should corporate IT managers do to ensure data protection?’:

Hacks of Google and at least 20 other companies in December prove that sophisticated cyber espionage attacks are a real and present danger. But in the light of the fact that most commercial security tools are ineffective against these attacks, according to the SANS Institute, what can and should corporate IT managers do to ensure data protection?

“Few organisations have the resources available to Google, who were still unable to prevent or readily detect the recent wide-scale electronic espionage, and most are unlikely to work with the National Security Agency after a compromise. Yet, organisations that form part of the UK critical national infrastructure (CNI) have for years received government advice and guidance on threats, including those emanating from China, from the Centre for the Protection of National Infrastructure (CPNI). Although its private advice is not readily available, the CPNI website provides non-classified information that non-CNI businesses should be aware of.

Many organisations tend to focus on preventative measures – policy, procedure, and technology – and fail to fully address the detective and responsive controls required for good information security management. Log analysis, required for firewalls, intrusion detection and data loss prevention, is resource intensive, requires expert interpretation of results and is not particularly appealing, but is necessary to detect anomalous behaviours. A robust incident reporting and management procedure is also required, along with an associated forensic readiness plan.

Every organisation should understand the need for regular upgrades and patches, after adequate testing and planning, for all vulnerable systems. Sometimes this is set aside for operational expediency, for critical systems where downtime or the risk of failure is unacceptable, or due to backward compatibility requirements, for legacy applications or platforms  – but the risk posed by the failure to upgrade or patch must be mitigated by additional controls that compensate for the vulnerabilities. Defence is depth, or layered security, would mean that a single weakness or vulnerability does not expose everything.

Common factors in this and similar attacks is the level of research and targeting that goes into them, not just utilising multiple zero-day vulnerabilities in IE6 and Adobe Acrobat, but directing the attack at specific people with sufficiently contextually correct information to trick them into effecting the compromise. The attackers appear patient and with long-term goals, rather than seeking money or glory, which makes them all the more insidious. A long-term strategy of user awareness training and education is required to combat this threat, in conjunction with technical and procedural security measures.”

The full articles is available online at:

http://www.computerweekly.com/Articles/2010/02/15/240300/Think-Tank-What-should-corporate-IT-managers-do-to-ensure-data.htm