CounterMeasures - A Security Blog � email

The mystery of the “hacked” Facebook accounts

Rik Ferguson — Wed, 19 Oct 2011 14:30:36 +0000

After a day of investigation it seems that “Team SwaStika” may be attempting to take credit for compromising account details that they really had nothing to do with.

The two lists of hacked accounts (Part 1 and Part 2) have both been circulated online before the Pastebin posts were made by Team SwaStika. The list entitled Part 1 appears to have been doing the rounds on various underground forums for the better part of a year. The second list entitled Part 2 by Team SwaStika is much more recent. The first evidence I can find of the accounts listed in Part 2 is only 19 days old.

A list with content exactly matching this second Pastebin post by Team SwaStika was uploaded to a compromised website by the better known group of hackers Group Hp-Hack. Group Hp-Hack is a Saudi Arabian hacker group that has previously gained notoriety in August of this year for defacing the websites of Joomla Canada and ethicalhackingcourses.com (which remains defaced to this day).

The html list of alleged Facebook logins uploaded to a compromised web server was created in Microsoft Word and has a creation date of 1st October 2011 but was posted with the claim (in Arabic) that the list only represents 10% of the 7 million accounts that were breached by Group Hp-Hack.

Group Hp-Hack defacement

I have informed the owners of the compromised server and advised them to remove the content and once again passed this information to Facebook’s security team

Sony (not) hacked

Rik Ferguson — Wed, 12 Oct 2011 13:45:25 +0000

Enter your password

News reports today are characterising an attack against the Sony PlayStation Network (PSN) and Sony Entertainment Online (SOE) as “another hack” or “Sony hacked again“. However, according to a blog post from Sony’s SVP and Chief Information Security Officer, that simply isn’t the case.

The attack against PSN accounts belonging to Sony subscribers went like this… Person or persons unknown, built or obtained a database of username and password pairs which they attempted to use to log into the PSN and SOE. The “overwhelming majority” of access attempts using these pairs of credentials failed, in fact less than 0.1% were successful. For this reason Sony suspect that the credentials used were not stolen from Sony directly, either now or in past intrusions. The database in question was most probably email and password pairs that have been obtained elsewhere but were being used in a brute force attack against Sony, in the knowledge that users have the unfortunate habit of reusing passwords across multiple services.

When Sony detected this irregular activity against its servers it immediately locked out all of the affected accounts and is informing the affected users that they need to change their passwords. Only a small fraction of that 0.1% showed evidence of irregular activity before Sony locked them down, meaning that the damage was successfully contained.

In reality this story should not be characterised as a failure over at Sony, but rather a success. Through their own monitoring systems they detected anomalous behaviour, acted quickly to contain the damage and locked out the accounts affected. They are also obliging the affected users to change their service passwords to better secure themselves in the future. Of course given the past intrusion at Sony, there is every possibility that the data does relate to that stolen from Sony earlier but also indicates that the mass password reset policy it instituted after the event served to render the majority of that data unusable.

After all it is not, as Sony have learned to their cost, whether you get attacked that is important, it’s how you deal with it. The lesson for Sony customers is not that Sony hasn’t learned lessons, it is rather that we as users still have some important lessons to learn.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

70 million customers affected by the Sony breach

Rik Ferguson — Wed, 27 Apr 2011 07:28:18 +0000

The most recent update update from Sony unfortunately confirms the worst fears of many. Between April 17th and 19th an “unauthorised person” gained access to the personal information of Sony’s more than 70 million customers. The information confirmed stolen is as follows:

– Name
– Address
– Email address
– date of birth
– PlayStation Network/QRiocity login name and password and online ID

Information “possibly obtained”:
– Billing address
– Purchase history
– PlayStation Network/Qriocity password security question responses
– all above data for any dependent accounts (your children’s sub-accounts)

Although there is no evidence at this time that payment card information has been accessed, Sony are “unable to rule out this possibility” and are advising their customers accordingly.

What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Aside from this, given the nature of the warning from Sony keep aeather eye on your bank statements for any unauthorised activity.

Data mining for bad guys

Rik Ferguson — Tue, 05 Apr 2011 09:22:24 +0000

My notification mail from Hilton HHonors

Over the past three days many of us have woken up to an unwelcome sight in our email inboxes. A notification that your email address was among those exposed in what may be the biggest data theft of its kind, the data breach at the “database marketing vendor” Epsilon. Today I got my first one and I’m far from alone.

The list of companies affected by this intrusion is already long, but seems to still be growing. The notification mail I received was from Hilton HHonours, the loyalty scheme for Hilton hotels. Other affecetd companies include: American Express, BestBuy, Borders, Capital One, Citibank, Disney, The Home Shopping Network, JP Morgan Chase, Marriott Rewards, Ritz Carlton, TiVo, US Bank, Verizon & Visa, to name but some.

No details have been made available regarding how the data was accessed beyond the initial statement made on the 1st April by Epsilon and the breach notification mails continue rolling in to affected individuals.

Epsilon state that the “unauthorized entry into Epsilon’s email system” affected just 2% of their customers and that they comprise only a subset of the clients to whom Epsilon provide email services. Given the list of names of affected institutions known thus far then, you have to wonder if the attackers were able to browse the entire database at will and extract only what they considered to be the most valuable information.

Every notification email and also the public statement from Epsilon reassures us that “only” names and email addresses were “obtained” (read stolen) and that no other information, financial or otherwise is at risk. Unfortunately, this downplays the level risk to customers and is also misleading.

Not only do the criminals know your name and email address, they know where you go shopping, where you bank, which hotels you stay at and much more. If you are unfortunate enough to have received multiple notifications, just imagine what kind of profile is now in criminal hands.

The risk from spear-phishing (highly targeted phishing) is hugely increased as a result of this data breach and people should be more vigilant that usual when receiving emails from affected institutions that may request personal information.

It is important to remember though, that phishing is not the only criminal activity facilitated by this fraud. This gold mine of information makes credible malicious mails much more simple to design. An email may appear to come from from an organisation or shop of which you are known to be a customer. It will be designed solely to get you to click on a link. In the complex world of online crime you are often only one click away from compromise and infection without any user interaction beyond that first click. If a criminal can own your PC, they don’t have to ask your for your personal details, they can simply take them, and much else besides.

So, for those affected by this breach, (note to self):

Pay careful attention to emails your receive in the coming months, perhaps years.
Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don’t follow links in mails).
Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with “https://“. If it’s not encrypted they don’t deserve your data.
Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with reconsider your decision to sign up.
To better insure yourself against this kind of eventuality in future consider using unique addresses for each service, I wrote an article on how to easily achieve this here.

And for all of the companies out there that process, store or transmit personal data belonging to other people… ENCRYPT IT, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care.

“Serious” cyber attack on EU

Rik Ferguson — Thu, 24 Mar 2011 09:25:28 +0000

used with permission from Anonymous9000 under creative commons

On the eve of an EU summit set to discuss the ongoing military action in Libya, the European nuclear program and the debt crisis, key systems have been shut down and warning issued to staff as a result of what a spokesperson called “a serious cyber attack“.

Details on the nature, extent and consequences of the attack are currently very few but the timing and targeting are highly reminiscent of the attack against the French finance ministry two weeks ago which reportedly targeted information relating to the G20 summit.

A spokesperson for the European Commission stated that the commission is often “targeted” by cyber attacks, but that the extent of this one was far larger than those more regular events. Staff have been asked to change their passwords, external access to email and to the Commission’s intranet was temporarily suspended, in order to “prevent the disclosure of unauthorised information”. EUObserver reports having seen an internal mail that warned all staff

“We have found evidence that both the commission and EEAS [European External Action Service] are the subject of an ongoing widespread cyber attack.“

According to the AFP report, EU spokesperson Antony Gravili blamed the attack on malware, “rather than any attempt to unearth secret documents relating to summit issues”. Given the nature of contemporary attacks on commercial and government institutions, in reality it’s very difficult to draw the line between those two eventualities. Malware is simply one of the tools in the criminal and international espionage bag of tricks and making such a clear distinction before a thorough investigation has been completed may be counter-productive to say the least.

International cyber-espionage and criminal theft of information for commercial advantage has been going on for several years now but only really caught the public imagination with the furore surrounding the Aurora attacks in 2009/2010. Since that time, the mood for public disclosure of these attacks has rapidly changed and may contribute somewhat to the impression that they are increasing in frequency.

Nevertheless, Aurora, Night Dragon, Stuxnet and the attacks on the G20 and EU summits graphically illustrate the new reality. Cyberespionage, just like cybercrime is more simple to perpetrate, more difficult to spot and  carries much less risk than the more traditional methods. This is the new front line.

Play.com victim of data breach

Rik Ferguson — Tue, 22 Mar 2011 10:24:02 +0000

Image used under Creative Commons from Noah Sussman's Flickr photostream

Many customers of play.com will have opened their inboxes this morning to find some unwelcome news from the online retailer.

“Dear Customer,

Email Security Message

We are emailing all our customers to let you know that a company that handles part of our marketing commmunications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.“

The email does not offer any details of which subcontracted marketing agency was breached, or how that breach occurred, which is a shame as it seems a reasonable assumption that the agency in question would also be holding customer details on behalf of other companies.

Play.com go on to say:

“We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.”

The fact that it is a third party that has suffered the breach will not protect Play.com from falling foul of the Data Protection Act, the Data Controller (Play.com) remains responsible for the security of data handled by subcontracted third parties (known as Data Processors).

I called the Information Commissioner’s Office this morning to check if they had been notified of this data breach, they were unable to locate any recent notification on behalf of Play.com. According to the lady I spoke to there, play.com are only required to notify the Information Commissioner of a breach “if they consider it serious”. Play.com certainly considered it serious enough to notify their customers, so we can only hope the official notification is making its way through the correct channels.

Unfortunately the email from play.com to their customers does not contain any contact information for worried customers, only the advice “Please do be vigilant with your email and personal information when using the internet“, which seems a little ironic under the circumstances.

Online discussion forums seem to already show evidence that the stolen email adresses are being used for spamming.

If you have received one of these notification emails and have any concerns, you can make a direct complaint to the Information Commissioner’s Office by downloading this form and following the instructions on this page over at the ICO.

Email this!

Rik Ferguson — Sun, 12 Dec 2010 00:13:17 +0000

Spammers are abusing the social media sharing functionality of popular web sites, to bypass spam filters.

I received an email this evening with the subject line “NYTimes.com: Money for Social Science”, turns out it was a story that a spammer had chosen to share with me from the New York Times web site. Of course the spammer was not aware of my hidden passion for Social Science funding projects, he was simply trying out a new avenue to get his scam into my inbox.

The article sharing functionality allows the sender to specify their own message to go along with the story and of course that was where the much more traditional 419 scam was to be found.

Spam sent through NYT article sharing

Although this tactic means that the Spam will be sent from an IP address that is unlikely to be blacklisted, and contain much content that is unlikely to set off a spam filter, it certainly doesn’t add any credibility, to a 419 scam at least.

That said though, if this technique were to be adopted by criminals seeking to spread socially engineered malicious links it could be made to look much more convincing. Interestingly this abuse of the New York Times web site happens in spite of the fact that users need to create an account in order to share stories by email. Perhaps web sites offering this kind of functionality would do well to invest in technology to scan the content of their outbound emails in order to stomp on this sort of abuse. If it becomes widespread they are very likely to find themselves blacklisted which would be a serious blow to their social media capabilities.

Selling the real spyware?

Rik Ferguson — Thu, 02 Dec 2010 12:06:31 +0000

From anonymous9000 Flickr under creative commons

In a report from the BBC, it was revealed that the the British intelligence community was considering ways in which it could commercialise its own electronic surveillance technology.

Security minister, Dame Pauline Neville Jones told the Science Committee in the House of Commons that Government Communications Headquarters, GCHQ, and the governement are “thinking about” adressing the “many, many ways” that the state surveillance technology could be packaged and sold on to the private sector.

Of course it is commendable that a national government is considering such far reaching innovations in order to maximise the return on the huge investment that has been ploughed into electronic surveilance. News reports have previously suggested that a budget of £1 billion (UK pounds) has been set aside for a project euphemistically called “Mastering the Internet”, or the Interception Modernisation Programme, with hundreds of billions of pounds already reportedly awarded to contractors. “Mastering the Internet” is reportedly dedicated to massively expanding the surveillance capabilities if GCHQ to create a huge, government owned and controlled database, recording every text, email and telephone call made and every website visited by every person in the UK, which I have previously blogged about here.

Regardless of any privacy concerns about such a wide ranging project (which I covered in the earlier blog post). it is nevertheless interesting that the famously secretive folks at GCHQ are investigating the possibility of commercialising their services, interesting for a couple of reasons.

Firstly I imagine that if they commercialise their true top level capabilities then they surely run the risk of exposing the tools and techniques they use to public and international scrutiny, which may be to their detriment. Secondly, companies may be reticent to invite a governmental organisation, charged with intelligence gathering, into the heart of their corporate networks.

Targeted to appeal to executive vanity

Rik Ferguson — Wed, 17 Nov 2010 23:52:52 +0000

A friend of mine received an “interesting” email today. The friend in question is a senior director with an global software company and this targeted spear phishing attack was clearly designed to appeal to his executive vanity. Presumably with the aim of harvesting enough details to build a valuable contact database. Click the thumbnail below to view the original mail.

: Click to enlarge: The Phish!

The email in question was adressed to the victim’s correct first name and informs them that they have been

“selected by the nomination committee to represent your industry in the Top 100 Business Leaders of 2010“

All the unfortunate mark needs to do is “verify your biographical information and obtain your photo and/or company logo prior to the upcoming publication deadline“.

There are a couple of clues in the mail that should serve as warning signs… Firstly there is no mention of when the spurious deadline actually falls, clearly an attempt to prolong the shelf life of the scam, also both URLs embedded within the mail have been obfuscated with URL shortening services.

The eventual landing page of the phishing mail looks like the below:

If the mail itself wasn’t enough to make you suspicious, the website should be! It is one single page, there are no links to any contact or corporate information and the only quote on the site is of course unattributed. Finally the graphic on the site seems to suggest issues of the Top 100 magazine dating back to 2004, the domain was only registered in October of this year and of course the details of the registrant are protected.

In the case of unsolicited mail, always look a gift horse in the mouth; after all that’s where the Greeks hid their spies.

Facebook 419

Rik Ferguson — Tue, 15 Jun 2010 13:24:14 +0000

No matter how hard I try, I just can’t get away from people trying to give me money.

It’s an age old scam, older even than the venerable Internet; Advance-fee fraud also known as 419 fraud. Fortunately it is also a scam that anti-spam technology has become adept at spotting and blocking. So it’s no surprise to see that criminals are turning to alternative distribution mechanisms to try to snare their victims.

I just received I friend request on Facebook from (the no-doubt bogus) Mariam Mehdi and as you can see below, the content is unfortunately all too familiar

419 fraud mail received as Facebook friend request

I was very pleased to note that, in the hour that passed between the message being sent and me checking my friend requests on Facebook, the offending Facebook user account and the any friend requests had been erased from the social network.

Anyway, old scams never die, they just get annoyingerer more annoying. If you receive any of this junk, treat it the same as any other Spam, terminate with extreme prejudice.