Dec 122012
 

Forget Disclosure — Hackers Should Keep Security Holes to Themselves

WIRED
by Andrew Auernheimer
November 29, 2012

aka “Weev”

 

Editor’s Note: The author of this opinion piece, aka “weev,” was found guilty last week of computer intrusion for obtaining the unprotected e-mail addresses of more than 100,000 iPad owners from AT&T’s website, and passing them to a journalist. His sentencing is set for February 25, 2013.

Right now there’s a hacker out there somewhere producing a zero-day attack. When he’s done, his “exploit” will enable whatever parties possess it to access thousands — even millions — of computer systems.

But the critical moment isn’t production — it’s distribution. What will the hacker do with his exploit? Here’s what could happen next:


The hacker decides to sell it to a third party.

The hacker could sell the exploit to unscrupulous information-security vendors running a protection racket, offering their product as the “protection.” Or the hacker could sell the exploit to repressive governments who can use it to spy on activists protesting their authority. (It’s not unheard of for governments, including that of the U.S., to use exploits to gather both foreign and domestic intelligence.)


The hacker notifies the vendor, who may — or may not — patch.
The vendor may patch mission-critical customers (read: those paying more money) before other users. Or, the vendor may decide not to release a patch because a cost/benefit analysis conducted by an in-house MBA determines that it’s cheaper to simply do … nothing.

The vendor patches, but pickup is slow. It’s not uncommon for large customers to do their own extensive testing — often breaking software features that couldn’t have been anticipated by the vendor — before deploying improved patches to their employees. All of this means that vendor patches can be left undeployed for months (or even years) for the vast majority of users.

 

The vendor creates an armored executable with anti-forensic methods to prevent reverse engineering. This is the right way to deploy a patch. It’s also manpower-intensive, which means it rarely happens. So discovering vulnerabilities is as easy as popping the old and new executable into an IDA Pro debugger with BinDiff to compare what’s changed in the disassembled code. Like I said: easy.

Basically, exploiting the vast unpatched masses is an easy game for attackers. Everyone has their own interests to protect, and they aren’t always the best interests of users.

Things Aren’t So Black and White

Vendors are motivated to protect their profits and their shareholders’ interests over everything else. Governments are motivated to value their own security interests over the individual rights of their citizens, let alone those of other nations. And for many information security players, it’s far more lucrative to sell incrementally improved treatments of a disease’s symptoms than it is to sell the cure.

Clearly, not all the players will act ethically, or capably. To top it all off, the original hacker rarely gets paid for his or her highly skilled application of a unique scientific discipline towards improving a vendor’s software and ultimately protecting users.

So who should you tell? The answer: nobody at all.

White hats are the hackers who decide to disclose: to the vendor or to the public. Yet the so-called whitehats of the world have been playing a role in distributing digital arms through their disclosures.

Researcher Dan Guido reverse-engineered all the major malware toolkits used for mass exploitation (such as Zeus, SpyEye, Clampi, and others). His findings about the sources of exploits, as reported through the Exploit Intelligence Project, are compelling:

The so-called whitehats of the world have been playing a role in distributing digital arms.
  • None of the exploits used for mass exploitation were developed by malware authors.
  • Instead, all of the exploits came from “Advanced Persistent Threats” (an industry term for nation states) or from whitehat disclosures.
  • Whitehatdisclosures accounted for 100 percent of the logic flaws used for exploitation.

Criminals actually “prefer whitehat code,” according to Guido, because it works far more reliably than code provided from underground sources. Many malware authors actually lack the sophistication to alter even existing exploits to increase their effectiveness.

 

Navigating the Gray

 

A few farsighted hackers of the EFnet-based computer underground saw this morally conflicted security quagmire coming 14 years ago. Uninterested in acquiring personal wealth, they gave birth to the computational ethics movement known as Anti Security or “antisec.”

Antisec hackers focused on exploit development as an intellectual, almost spiritual discipline. Antisec wasn’t — isn’t — a “group” so much as a philosophy with a single core position:

An exploit is a powerful weapon that should only be disclosed to an individual whom you know (through personal experience) will act in the interest of social justice.

After all, dropping an exploit to unethical entities makes you a party to their crimes: It’s no different than giving a rifle to a man you know is going to shoot someone.

Dropping an exploit to unethical entities makes you a party to their crimes.

Though the movement is over a decade old, the term “antisec” has recently come back into the news. But now, I believe that state-sanctioned criminal acts are being branded as antisec. For example: Lulzsec’s Sabu was first arrested last year on June 7, and his criminal actions were labeled “antisec” on June 20, which means everything Sabu did under this banner was done with the full knowledge and possible condonement of the FBI. (This included the public disclosure of tables of authentication data that compromised the identities of possibly millions of private individuals.)

This version of antisec has nothing in common with the principles behind the antisec movement I’m talking about.

But the children entrapped into criminal activity — the hackers who made the morally bankrupt decision of selling exploits to governments — are beginning to publicly defend their egregious sins. This is where antisec provides a useful cultural framework, and guiding philosophy, for addressing the gray areas of hacking. For example, a core function of antisec was making it unfashionable for young hackers to cultivate a relationship with the military-industrial complex.

The only ethical place to take your zero-day is to someone who will use it in the interests of social justice.

Clearly, software exploitation brings society human rights abuses and privacy violations. And clearly, we need to do something about it. Yet I don’t believe in legislative controls on the development and sale of exploits. Those who sell exploits should not be barred from their free trade — but they should be reviled.

In an age of rampant cyber espionage and crackdowns on dissidents, the only ethical place to take your zero-day is to someone who will use it in the interests of social justice. And that’s not the vendor, the governments, or the corporations — it’s the individuals.

In a few cases, that individual might be a journalist who can facilitate the public shaming of a web application operator. However, in many cases the harm of disclosure to the un-patched masses (and the loss of the exploit’s potential as a tool against oppressive governments) greatly outweighs any benefit that comes from shaming vendors. In these cases, the antisec philosophy shines as morally superior and you shouldn’t disclose to anyone.

So it’s time for antisec to come back into the public dialogue about the ethics of disclosing hacks. This is the only way we can arm the good guys — whoever you think they are — for a change.

 

Direct Link:  http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/

 

 

Feb 042012
 

 

F.B.I. Admits Hacker Group’s Eavesdropping

The New York Times
‘By SCOTT SHANE
February 3, 2012

 

 

 

WASHINGTON —

The international hackers group known as Anonymous turned the tables on the F.B.I. by listening in on a conference call last month between the bureau, Scotland Yard and other foreign police agencies about their joint investigation of the group and its allies.

Anonymous posted a 16-minute recording of the call on the Web on Friday and crowed about the episode in via Twitter: “The FBI might be curious how we’re able to continuously read their internal comms for some time now.”

Hours later, the group took responsibility for hacking the Web site of a law firm that had represented Staff Sgt. Frank Wuterich, who was accused of leading a group of Marines responsible for killing 24 unarmed civilians in Haditha, Iraq, in 2005. The group said it would soon make public “mails, faxes, transcriptions” and other material related to the case, taken from the site of Puckett & Faraj, a Washington-area law firm. A voluminous 2.55 gigabyte file labeled as those files was later posted on a site often used by hackers, Pirate Bay.

 

 

Regarding the conference call, an F.B.I. official said Anonymous had not in fact hacked into it or any other bureau facilities. Instead, the official said, the group had simply obtained an e-mail giving the time, telephone number and access code for the call. The e-mail had been sent on Jan. 13 to more than three dozen people at the bureau, Scotland Yard, and agencies in France, Germany, Ireland, the Netherlands and Sweden. One recipient, a foreign police official, evidently forwarded the notification to a private account, he said, and it was then intercepted by Anonymous.

“It’s not really that sophisticated,” said the official, who would discuss the episode only on condition of anonymity. He said no Federal Bureau of Investigation system was compromised but noted that communications security was more challenging when agencies in multiple countries were involved.

“We’re always looking at ways to make our communications more secure, and obviously we’ll be taking a look at what happened here,” he said.

The bureau issued a brief statement confirming the intrusion, which was first reported by The Associated Press: “The information was intended for law enforcement officers only and was illegally obtained. A criminal investigation is under way to identify and hold accountable those responsible.”

The breach, clearly an embarrassment for investigators, is the latest chapter in a continuing war of words and contest of technology between hacking groups and their perceived opponents in law enforcement and the corporate world.

 

The F.B.I. e-mail titled “Anon-Lulz International Coordination Call” — a reference to Anonymous and to an allied group of hackers, Lulz Security — announced a conference call for investigators “to discuss the on-going investigations related to Anonymous, Lulzsec, Antisec, and other associated splinter groups.”

The recording posted on YouTube and elsewhere included American and British voices discussing suspects in the case. The call begins with banter between an American named Bruce and British officials named Stewart or Stuart and Matt, who are joined by another official from F.B.I. headquarters, Timothy F. Lauster Jr., who sent the e-mail announcing the conference call.

The conference call illustrates both the scale of the international police effort to identify and prosecute the hackers, and the striking contrast in age and status of the investigators and their targets: what seem to be middle-aged law enforcement officials on two continents are overheard dissecting the illicit activities of teenagers.

A British official refers to Ryan Cleary and Jake Davis, two British teenagers who have been arrested and are wanted in the United States on suspicion of having ties to Anonymous. The British official describes a 325-page report analyzing Ryan Cleary’s hard drive, and an F.B.I. agent in Los Angeles discusses various suspects and their nicknames.

The investigators also refer to several suspects who had not yet been arrested, including one who calls himself Tehwongz, described by the British official as “a 15-year-old kid who’s basically just doing this all for attention and is a bit of an idiot.”

The conversation was part of an international criminal investigation that began in 2010 after Anonymous championed WikiLeaks by mounting electronic attacks on MasterCard and PayPal and other sites that had stopped collecting donations for the antisecrecy organization.

Last month, Anonymous attacked the Web sites of the Justice Department and major entertainment companies in retaliation for criminal charges against the founders of Megaupload, a popular Internet service used to transfer music and movies anonymously.

The hackers could have penetrated the law-enforcement official’s personal e-mail account by guessing a weak password, sneaking into an unencrypted wireless network, or, most likely, with a common and relatively easy tactic known as a phishing attack, said Keith Ross, a computer science professor at Polytechnic Institute of New York University and a security expert. A phishing attack involves sending an e-mail that looks like it is from a friend or relative and persuading the recipient to click on a link that allows every keystroke entered on that particular computer to be recorded. Recording keystrokes is an efficient way to steal someone’s e-mail username and password.

“The real issue for law-enforcement officials is they need to be better educated about how they handle sensitive data on their e-mails,” Mr. Ross said. “It’s an easy vulnerability to crack. If you’re not careful it’s a very dangerous attack.”

The same methods may have been used to hack the Web site of the lawyers who represented Sergeant Wuterich, Neal Puckett and Haytham Faraj. Their Web site was defaced by the hackers to display a message from Anonymous saying it was exposing “the corruption of the court systems and the brutality of U.S. imperialism,” Gawker.com reported. Later, the site was taken down.

In an interview late Friday, Mr. Faraj said he thought that little of the material stolen from their site related to the Haditha case, though some documents might relate to a polygraph that he said Sergeant Wuterich had passed. He said he feared the documents might include a confidential statement from a rape victim in an unrelated case. “I think in their haste to put stuff out there, they’re going to hurt some people,” he said.

Mr. Faraj said he had represented Guantanamo detainees and had supported and offered to represent Pfc. Bradley Manning, the soldier accused of providing documents to WikiLeaks, suggesting that the hackers of Anonymous may be inadvertently attacking someone who shares some of their presumed political views. “They got the wrong guy,” he said.

He said the F.B.I. had contacted the law firm and opened an investigation.

Sergeant Wuterich, 31, pleaded guilty last month in a military court in California to dereliction of duty, telling the judge that he regretted ordering his men to “shoot first, ask questions later.” As part of a plea agreement, however, he received no prison time, though his rank was reduced to private. The sentence sparked anger in Iraq and among some human rights advocates, and the Anonymous message complained that Sergeant Wuterich had gotten “only a pay cut” as a penalty.

Somini Sengupta and Nicole Perlroth contributed reporting from San Francisco.

 

Direct Link:  http://www.nytimes.com/2012/02/04/us/fbi-admits-hacker-groups-eavesdropping.html?nl=todaysheadlines&emc=tha22

Dec 112011
 

The Most Notorious Cybercrooks Of 2011 — And How They Got Caught

A torrent of attacks from groups like Anonymous, LulzSec, Goatse Security, and Antisec has made it a busy year for cybercrime investigators
By Ericka Chickowski, Contributing Editor
Dark Reading
Dec 07, 2011

While there are plenty of elusive hackers that will forever manage to outrun the law, the good guys scored some impressive arrests, indictments, and convictions in 2011.

Here are some of the highest profile cases to hit the headlines this year.

1. Anonymous and LulzSec Hacker: Ryan Cleary


Police raided the home of 19-year-old Brit Ryan Cleary and arrested him this summer for allegedly using distributed denial-of-service (DDoS) attacks to take down the British Serious Organised Crime Agency (SOCA) website this year, plus websites for the International Federation of the Phonographic Industry the British Phonographic Industry last year. His arrest was heralded by authorities as part of a crackdown against LulzSec, but the loosely organized group associated with Anonymous disavowed him as its leader. Cleary for sure had some affiliation with Anonymous, though. Acrimony between him and other Anonymous members for hacking into the group’s AnonOps website and exposing its members IP addresses led to Anonymous exposing Cleary’s full name, address, phone number, and IP on its site. These details were used by authorities to eventually find, arrest, and indict him.
2. Ivy League Academic Content Turbo Downloader: Aaron Swartz

 


A programmer and fellow at Harvard University’s Safra Center for Ethics, 24-year-old Aaron Swartz faced indictment this year after he downloaded more than 4 million academic articles from the Massachusetts Institute of Technology (MIT) network connection to Jstor, an online academic repository. Swartz used anonymous log-ins on the network in September 2010 and actively worked to mask his log-ins when MIT and Jstor tried to stop the massive drain of copyrighted material. After Jstor shut down access to its database from the entire MIT network, Swartz visited the campus and directly plugged in a laptop the infrastructure at an MIT networking room and left it hidden there as it downloaded more content. It was this visit in the flesh that got him nabbed; authorities had been tipped off by an IT admin about the laptop and after searching the laptop left it there along with a hidden webcam to catch Swartz when he came back for his computer. But not everyone thought his actions were criminal.
3. DNSchanger Creators: Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanvov

 

Vladimir Tsastsin


In a cybercrime bust that some security pros called one of the biggest ever, the six masterminds behind the DNSchanger malware were arrested in November for operating one of the longest running and most costly botnets to afflict the Internet. Lead by Tsastsin, this gang of thieves is accused of developing the DNSchanger malware to help perpetrate a profitable clickjacking scheme that netted it $14 million in stolen advertising views. The malware pioneered the method of using social engineering techniques to deliver unobtrusive payloads used to hijack victims’ DNS settings in order to set up revenue streams based on their manipulated browsing. Law enforcement closed in on the takedown after a multiyear, public-private investigation it dubbed “Operation Ghost Click,” which was initiated nearly five years ago after researchers with Trend Micro brought the gang’s botnet to the attention of the Feds.

4. Sony Hacker: Cody Kretsinger


This September, authorities detained and indicted Cody Kretsinger (a.k.a. “recursion”) for allegedly carrying out the summer attack against Sony Pictures on behalf of LulzSec. Authorities apparently hunted down Kretsinger through the U.K.-based HideMyAss proxy server service provider he used to help him “anonymously” carry out his SQL injection attack against Sony. The provider coughed up the logs to the authorities that allowed them to match time-stamps with IP addresses to pinpoint Kretsinger as the suspect in question.

5. Anonymous’ Inside Man at AT&T: Lance Moore
Former AT&T Mobility contractor Lance Moore allegedly handed over to Anonymous tens of thousands of phone numbers, confidential server names with IP addresses, usernames, and passwords to log into them, plus corporate emails, presentation documents, and intellectual property that was used by the LulzSec/Antisec movement in a public data dump this summer. According to his indictment soon thereafter, his misdeeds were discovered through the robust network auditing and log management run by his employer. AT&T was able to use its various logging and intelligence capabilities to connect the dots between an AT&T VPN connection used to upload documents to FileApe.com at the same time that unauthorized access was made to sensitive information. The IP address used was assigned to a group of less than 20 contractors and further investigation by security staff showed that Moore’s account was the only one used to access both FileApe and the servers with the stolen digital goods. What’s more, Web monitoring software showed that he used his account to search on Google for information on uploading files and file hosting.
6. Apple iPad Snoop: Andrew Auernheimer


Authorities indicted Andrew Auernheimer (a.k.a. “weev”), a vocal member of Goatse Security, for his involvement in exposing a flaw in AT&T’s Web security that the group used to acquire 114,000 email addresses belonging to iPad users, including notable celebrities, politicians, and businesspeople. The attack was carried out when Auernheimer and Goatse hackers realized they could trick the site into offering up the email address of iPad users if they sent an HTTP request that included the SIM card serial number for the corresponding device. Simply guessing serial numbers — a task made easy by the fact that they were generated sequentially during manufacturing — generated tons of sensitive addresses. Auernheimer and Goatse released details about the attacks to Gawker Media, and shortly thereafter the FBI arrested Auernheimer in connection with the breach.

7. Celebrity Hackerazzi: Christopher Chaney


Celebrity-obsessed hacker Christopher Chaney took cyberstalking to a new level when he used publicly available information from celebrity blog sites to help him guess passwords to hack Google and Yahoo emails owned by 50 different stars, including Scarlett Johansson, Mila Kunis, and Christina Aguilera. Using his access he set up email-forwarding to send himself of all email received by each celebrity. Chaney was responsible for the release of nude Scarlett Johansson photos that circulated the Internet. Though FBI investigators did not release the details of exactly how they managed to track Chaney down, they did report that they were piecing the details together during an 11-month investigation they dubbed “Operation Hackerazzi.”

8. Gucci Hacker: Sam Chihlung Yin
Fired after being accused of selling stolen Gucci shoes and bags on the Asian gray market, the former Gucci IT employee allegedly managed to set up a VPN token using a bogus employee name on his way out the door. A forensics investigation found that after he left the job, he called the company’s IT department posing as the fake employee to get his former co-workers to activate the fob, and from there he used that access to perpetrate digital mayhem, deleting servers, destroying storage set-ups ,and wiping employee mailboxes — essentially cutting off employee access to files and email across the U.S. for nearly an entire business day.

Direct Link: http://www.darkreading.com/security/attacks-breaches/232300124/the-most-notorious-cyber-crooks-of-2011-8211-and-how-they-got-caught.html?pgno=1

Nov 232011
 

14 Enterprise Security Tips From Anonymous Hacker
Former Anonymous member “SparkyBlaze” advises companies on how to avoid massive data breaches.
InformationWeek
By Mathew J. Schwartz
August 31, 2011

Want to avoid large-scale data breaches of the type served up by hacking group Anonymous, and its LulzSec and AntiSec offshoots? Start by paying attention to the security basics, including hiring good people and training employees to be security-savvy.

“Information security is a mess. … Companies don’t want to spend the time/money on computer security because they don’t think it matters,” said ex-Anonymous hacker “SparkyBlaze,” in an exclusive interview with Cisco’s Jason Lackey, published on Cisco’s website Tuesday.

Accordingly, what’s the best way for businesses to improve the effectiveness of their information security efforts? SparkyBlaze offered 14 tips, ranging from using “defense-in-depth” and “a strict information security policy”; regularly contracting with an outside firm to audit corporate security; and hiring system administrators “who understand security.” Also encrypt data–”something like AE-256,” he said–and “keep an eye on what information you are letting out into the public domain.”

Other best practices: use an intrusion prevention system or intrustion detection system to detect unusual network activity. Employ “good physical security” too, he said, to ensure no one routes around your information security measures by simply walking through the front door. Finally, pay attention to employees’ security habits and keep them briefed on the threat of social engineering attacks, since all it takes is one person opening a malicious attachment to trigger a data breach of RSA-scale proportions.

While SparkyBlaze’s back-to-basics guidance isn’t new, it bears repeating given the number of data breaches and releases executed by hacktivist groups in recent months. According to security experts, these attacks aren’t necessarily highly sophisticated, and most don’t make use of so-called advanced persistent threats. Rather, attackers often exploit common vulnerabilities or misconfigurations in Web applications, just as they’ve done for years.

SparkyBlaze defected from Anonymous earlier this month, saying via a Pastebin post that he was “fed up with Anon putting people’s data online and then claiming to be the big heroes.” As that suggests, there’s no clear and easy definition of what constitutes “hacktivism.” Even so, the “scope creep” in the type of data collected and released by Anonymous and its offshoots is evidently turning some people away from the collective.

“I love hacking and I believe in free speech and anti-censorship, so putting both together was easy for me. I feel that it is ok if you are attacking the governments. Getting files and giving them to WikiLeaks, that sort of thing, that does hurt governments,” said SparkyBlaze to Cisco’s Lackey.

But in his Pastebin post, SparkyBlaze said that AntiSec and LulzSec had increasingly been operating against the supposed mission statement of Anonymous, which was ostensibly formed to keep governments accountable. “AntiSec has released gig after gig of innocent people’s information. For what? What did they do? Does Anon have the right to remove the anonymity of innocent people? They are always talking about people’s right to remain anonymous so why are they removing that right?”

On a related note, the raison d’etre of Anonymous–WikiLeaks–appears to have lately suffered its own data breach, or at least loss of data control. On Monday, German weekly news magazine Der Spiegel reported that a file posted by WikiLeaks supporters to the Internet included concealed, password-protected, and unexpurgated versions of the 251,000 U.S. State Department cables that WikiLeaks released–with many sources omitted–in November 2010.

Through a somewhat circuitous sequence of events, possibly involving personnel disagreements inside WikiLeaks, the existence of a 1.73-GB “cables.csv” file, which contains the uncensored cables and which is protected by a password, became publicly known. Furthermore, thanks to an “external contact” of WikiLeaks, according to Der Spiegel, the password was also publicly disclosed, enabling the file to be unlocked.

But in a statement on Twitter, WikiLeaks disputed responsibility for the leak: “There has been no ‘leak at WikiLeaks’. The issue relates to a mainstream media partner and a malicious individual.” WikiLeaks, however, didn’t name either.

Direct Link: http://www.informationweek.com/news/security/intrusion-prevention/231600561?itc=edit_in_body_cross