September 19, 2014

Researchers reckon that there could be as many as three major security breaches per month

As part of the B-Sides San Francisco security conference, Verizon Risk researchers Kevin Thompson and Suzanne Widup have presented findings about the number of major data breaches that could be occurring each month. By “major” the two researchers mean any security breach where more than 1,000,000 records are stolen. If their findings are accurate, that means that up to 3 million records are stolen each and every month!

The findings were presented as part of the pair’s “Ripped from the headlines, what the news tells us about information security incidents” talk. As part of their research Thompson and Widup have been investigating the data breach numbers since May of last year. Using a combination of Verizon’s Data Breach Investigations Report and the open-source Veris Community Database, the pair compiled over 3,000 data sets from sources including news articles, the Attorney General’s website, government breach tools and Freedom of Information Act requests.

Although the data set isn’t perfect and the research is continuing, one thing is clear: the number of major data breaches is much higher than previously thought. The figure of three major data breaches per month was reached using data from 2011 to 2013 coupled with the Poisson distribution, a mathematical tool which expresses the probability of a given number of events occurring in a fixed interval of time.
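To make the Poisson step concrete, the following is an added example (not code from the researchers or from Verizon). It takes the 3.07-per-month rate quoted later in the article as the Poisson mean and shows what that rate implies: the chance of a month with no major breach, the chance of three or more, and how much more often such months occur than under a one-per-month rate. The monthly counts in the `__main__` block are constructed to show how a rate is estimated from observations; they are not Verizon’s data.

```python
import math

# Rate Thompson quoted for "major" (>1,000,000-record) breaches per month.
LAMBDA_PER_MONTH = 3.07


def poisson_pmf(k, lam=LAMBDA_PER_MONTH):
    """P(X = k): probability of exactly k events in one interval when the mean is lam."""
    if k < 0:
        return 0.0
    return math.exp(-lam) * lam ** k / math.factorial(k)


def poisson_cdf(k, lam=LAMBDA_PER_MONTH):
    """P(X <= k)."""
    return sum(poisson_pmf(i, lam) for i in range(k + 1))


def prob_at_least(k, lam=LAMBDA_PER_MONTH):
    """P(X >= k): the chance of seeing k or more breaches in a single month."""
    if k <= 0:
        return 1.0
    return 1.0 - poisson_cdf(k - 1, lam)


def estimate_rate(monthly_counts):
    """Maximum-likelihood estimate of the Poisson rate from observed monthly counts.
    It is simply the sample mean, which is how a figure such as 3.07 is obtained."""
    if not monthly_counts:
        raise ValueError("need at least one month of data")
    return sum(monthly_counts) / len(monthly_counts)


def monthly_table(lam=LAMBDA_PER_MONTH, max_k=8):
    """(k, P(X = k)) rows for k = 0..max_k, i.e. the full monthly distribution."""
    return [(k, poisson_pmf(k, lam)) for k in range(max_k + 1)]


if __name__ == "__main__":
    # Constructed monthly counts (not Verizon's data) to show how the rate is estimated.
    sample_counts = [2, 4, 3, 3, 5, 1, 3, 4, 2, 3, 4, 3]
    print("estimated rate from sample counts:", round(estimate_rate(sample_counts), 2))
    print("P(no major breach in a month) at 3.07/month:", round(poisson_pmf(0), 4))
    print("P(at least 3 in a month)      at 3.07/month:", round(prob_at_least(3), 4))
    print("P(at least 3 in a month)      at 1.00/month:", round(prob_at_least(3, 1.0), 4))
    for k, p in monthly_table():
        print(f"  {k} breaches: {p:6.1%}")
```

At a rate of 3.07 the model gives only about a 4.6% chance of a month with no major breach, which is why the researchers describe Trend Micro’s one-per-month prediction as low.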

At the end of last year Trend Micro predicted that “we will see one major data breach incident each month in 2014.” However the new number is triple that amount. “When I saw Trend Micro’s prediction I thought it was pretty high,” said Thompson. “But the estimate is actually pretty low right now.”

Thompson told SCMagazineUK.com that the actual figure was 3.07 and that 2010 was not included because data breaches were not as widely reported at the time. Verizon’s data is available on GitHub and the researchers are actively seeking more data to help with the research.

Forbes and Kickstarter breached in separate attacks

Hackers have recently breached two high profile sites and user credentials have been stolen. Forbes announced on its Facebook page that it was “targeted in a digital attack” and that the site was “compromised.” The result was that the hackers stole over 1 million account records. At around the same time Kickstarter also posted a blog entry reporting “that hackers had sought and gained unauthorized access” to some of its customers’ data.

The attack on Forbes.com seems to have been carried out by the Syrian Electronic Army (SEA). The hacktivists subsequently published a database of email addresses and passwords for 1,071,963 accounts. Forbes says that the passwords were encrypted, however the site “strongly encourage Forbes.com readers to change their passwords.” The disclosure notification went on to say, “The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks.”

Kickstarter found out about the breach to its systems when law enforcement officials contacted it and pointed out what the hackers had been doing. According to Kickstarter, “No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”

However user account information including usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords were accessed. Kickstarter doesn’t actually say if it used a salt for its password encryption, however it does state that users should change their password as it is possible that “a malicious person with enough computing power” could guess and crack an encrypted password, particularly a weak or obvious one.

It looks as if Forbes.com may have used the Portable PHP password hashing framework (phpass) and according to Sophos that means the passwords were hashed using a 6 byte random salt and 8192 iterations of the MD5 hash. The repeated use of the MD5 hash is there intentionally to stretch out the computation time needed for a brute force attack.
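The two points raised for Kickstarter and Forbes above, whether a per-user salt is used and how iterating the hash stretches the cost of each guess, can both be seen in the added example below. It is illustration code written for this article, not the phpass library: it mirrors the structure of phpass’s portable hash (hash the salt and password once, then re-hash the result with the password for the configured number of rounds) with the 6-byte salt and 8192 rounds quoted above, but the `iterations$salt$digest` storage format and the `seconds_per_guess` timing helper are this example’s own assumptions, not phpass’s `$P$` encoding.

```python
import hashlib
import hmac
import os
import time

# Parameters the article attributes (via Sophos) to Forbes.com's phpass setup.
SALT_BYTES = 6
ITERATIONS = 8192  # 2 ** 13


def stretch_md5(password, salt, iterations=ITERATIONS):
    """phpass-style iterated MD5: h = md5(salt || pw), then h = md5(h || pw) `iterations` times.
    Teaching implementation that follows the phpass structure; not the phpass library itself."""
    digest = hashlib.md5(salt + password).digest()
    for _ in range(iterations):
        digest = hashlib.md5(digest + password).digest()
    return digest


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a stored record. A fresh random salt per user means two users with the same
    password get different records, so one precomputed table cannot crack both at once.
    Storage format (iterations$salthex$digesthex) is this example's own, not phpass's."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = stretch_md5(password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and round count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = stretch_md5(password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(iterations, trials=20):
    """Average wall-clock cost of one password guess at the given round count.
    Comparing iterations=1 with iterations=8192 shows what 'stretching' buys a defender."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for i in range(trials):
        stretch_md5(b"guess%d" % i, salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:  ", verify_password("Correct horse battery staple", record))
    print("same password, new salt:", hash_password("correct horse battery staple") != record)
    print(f"cost per guess, 1 round:    {seconds_per_guess(1):.2e} s")
    print(f"cost per guess, {ITERATIONS} rounds: {seconds_per_guess(ITERATIONS):.2e} s")
```

Stretching multiplies the attacker’s cost per guess by the round count, but as Kickstarter’s notice says, it does not rescue a weak or obvious password: a short dictionary is still cheap to try 8192 rounds at a time.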

As is the norm, both sites are sorry and apologize for what happened and everyone is promising to tighten up security.

Adobe Acrobat source code stolen along with 2.9 million customer records

(LiveHacking.Com) – Adobe has suffered what it is calling a series of “sophisticated attacks” on its network, resulting in the theft of customer information as well as source code for numerous Adobe products including Adobe Acrobat.

It is currently thought that the attackers stole Adobe customer IDs and encrypted passwords as well as personal and financial information relating to 2.9 million of its customers. The data stolen includes customer names, encrypted credit or debit card numbers and expiration dates.

As a result of the breach Adobe has reset all the relevant customer passwords and notified the customers whose credit or debit card information was taken. Adobe is also offering the customers whose card information was taken the option of a one-year complimentary credit monitoring membership. Adobe has also notified the banks that process its customer payments and has contacted the relevant federal law enforcement agencies.

In what is being seen as a related incident, Adobe is investigating the unauthorized access of source code for Adobe Acrobat, ColdFusion and ColdFusion Builder. Brian Krebs, a former reporter for The Washington Post and renowned security expert, spotted a 40 GB source code dump stored on a server used by some known cyber criminals. The dump contained huge repositories of uncompiled and compiled code that appeared to be for ColdFusion and Adobe Acrobat. After Krebs told Adobe about the source dump, Adobe revealed to Krebs that the company had been investigating a security breach of its networks since Sept. 17, 2013.

“We are in the early days of what we expect will be an extremely long and thorough response to this incident,” said Adobe’s Chief Security Officer Brad Arkin. “We’re still at the brainstorming phase to come up with ways to provide higher levels of assurance for the integrity of our products, and that’s going to be a key part of our response. We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”

Adobe isn’t aware of any zero-day exploits targeting any Adobe products. However, as always, it recommends that customers use only supported versions of its software and apply all available security updates.

In an unrelated announcement, Adobe confirmed it will be releasing critical security updates next Tuesday for Adobe Acrobat and Adobe Reader.

Two machines attacked within the FreeBSD.org cluster

(LiveHacking.Com) – Just over a week ago the FreeBSD team detected an intrusion on two of its machines in the FreeBSD.org cluster. As a result the affected machines were taken offline while the team investigated. As a precaution, most of the remaining infrastructure machines were also taken offline. The investigation has revealed that the compromise occurred due to a leaked SSH key. No vulnerability or code exploit within FreeBSD was found. However the most alarming thing is that the attack and subsequent compromise may have occurred as early as the 19th September 2012.

FreeBSD is divided into two segments: the “base”, which includes the kernel, the system libraries, the compiler, and the core command-line tools and daemons; and the “packages”, which are the third-party components distributed as part of the overall FreeBSD system. According to the security advisory published by the FreeBSD team, “no part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way. However, the attacker had access sufficient to potentially allow the compromise of third-party packages.”

The investigation has concluded that although the attacker had sufficient access to compromise the third-party packages, no evidence has been found that any packages were modified. But the FreeBSD team is taking an extremely conservative view and is working on the assumption that packages generated and distributed between the 19th September and 11th November 2012 could theoretically have been modified.

Who’s affected?

You have no reason to worry if:

  • you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012.
  • you rely on the Source, Ports and Documentation Subversion repositories to make updates.
  • you use the freebsd-update binary upgrade mechanism (it uses an entirely separate infrastructure).

However for everyone else the FreeBSD project cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Those affected should re-install any such machines from scratch, using trusted sources.

The package set built for the upcoming 9.1-RELEASE has been deleted, and will be rebuilt from source before 9.1 is released. With regards to the cluster machines, all suspect machines are being either reinstalled, retired, or thoroughly audited before being brought back online.

Adobe’s internal build server hacked, needs to revoke certificate

(LiveHacking.Com) – Adobe has discovered that its internal code signing infrastructure was breached and used to sign two malicious programs to make them appear to be genuine Adobe files. The security breach happened back in July and as a result Adobe will revoke the certificate for all software code signed after July 10, 2012. This will happen on October 4th; in the meantime Adobe is in the process of issuing updates signed using a new digital certificate for all affected products.

Once the breach was discovered and the signatures verified, Adobe immediately decommissioned its existing code signing infrastructure and initiated a forensics investigation to determine how the signatures were created.

The first of the two malicious files signed with Adobe’s certificate is called pwdump7 v7.1; it extracts password hashes from the Windows OS. The second malicious utility, myGeeksmail.dll, is thought to be a malicious ISAPI filter. However it doesn’t appear to be publicly available.

“Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk,” wrote Adobe security chief Brad Arkin.

The revocation of the certificate affects only the Windows platform and three Adobe AIR applications (Adobe Muse, Adobe Story AIR applications and Acrobat.com desktop services). However the revocation does not impact any other Adobe software for Macintosh or other platforms. Adobe has informed its partners of the incident including participants in the Microsoft Active Protections Program (MAPP) who have received samples of the falsely signed programs.

The hacked server

Adobe has identified a compromised build server that required access to the code signing service as part of the build process. However the compromised server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service. During its initial investigation, Adobe has discovered malware on the server and the probable mechanism used to gain access.

“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” added Arkin. “The build server had no access to Adobe source code for any other products and specifically did not have access to any of Adobe’s ubiquitous desktop runtimes such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR.”

VMWare ESX Source Code Stolen – Starts to Leak onto Internet

(LiveHacking.Com) – VMware has confirmed that the source code for its ESX hypervisor has been stolen and portions of it are starting to appear on the Internet. Iain Mulholland, the Director of the VMware Security Response Center, wrote that they are “aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.”

The hacker, named Hardcore Charlie, is claiming that the code was stolen from the military contractor China National Import & Export Corp (CEIEC); however CEIEC has responded that such claims are “totally groundless, highly subjective and defamatory.”

“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” added Iain Mulholland. In the same blog post VMware acknowledged that it shares its source code and interfaces with other companies, which seems to lend credence to Hardcore Charlie’s claims about the CEIEC breach.

The header file (vmkemit.h) posted by the hacker carries a 1998 copyright date stamp and lists a set of code emission macros for base x86 architecture used by vmkernel.

Hardcore Charlie published the code in a rather incoherent posting to pastebin that also talks about alleged collusion between CEIEC and Western military and terrorist organisations: “we want to make it clear that CEIEC is engaged in a criminal activity with Ukraine and Russian officials as of supplying Ukraine and Russia with US army information for the terrorists.”

The hacker has also threatened to release the source code for EMC.

Global Payments Says 1.5M Card Details Exposed in Unauthorized System Access

(LiveHacking.Com) – Over the weekend VISA and MasterCard started alerting banks across the USA about a major security breach at a credit card processor. Initial reports said that as many as 10 million credit card numbers were exported, including Track 1 and Track 2 information, raising fears of massive credit card cloning. Shortly after the news broke, Atlanta-based processor Global Payments confirmed, via a press release, that it was the payment processor which had suffered the unauthorized access into its processing system.

The company says that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers (not 10,000,000 as initially reported). Its investigation has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals.

“We are making rapid progress toward bringing this issue to a close.  Our nearly 4,000 employees around the world are focused on providing exceptional service. We are open for business and continue to process transactions for all of the card brands,” said Chairman and CEO Paul R. Garcia.

Security expert Brian Krebs was one of the first to reveal details of the breach on his blog but initially he was unable to name Global Payments as the victim. VISA has now dropped support for Global Payments and added that “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.”

PSCU, which provides online financial services to credit unions, issued a security alert to its members after it was contacted by Visa. The alert reported that 46,194 of the compromised Visa card numbers belonged to PSCU customers, and that the breach lasted from Jan. 21 to Feb. 25.

Since Track 1 and Track 2 data was exposed, the thieves could use the stolen information to counterfeit new cards. For an explanation of the meaning of Track 1 and Track 2 data see here.

The origin of the attack is, as yet, unknown.

Verizon Issued an Annual Report on Data Breaches

Default-configuration and misconfiguration attacks are common types of attack used by hackers. In these types of attack the hackers do not need to use any software or hardware vulnerabilities.

Jeremy Kirk from Computerworld has an interesting article about Verizon’s new study of the security breaches in 2009.

This year, for its annual report on data breaches, Verizon had access to statistics related to investigations done by the U.S. Secret Service. These statistics covered 141 cases involving 143 million records for 2009.

Read the full article at Computerworld.