
In this issue

- FBI Claims Hacker Made Plane Fly Sideways (P1)
- Phantom Menace Attacker Set Sights on Oil Companies (P2)
- United Airlines Rolls Out Bug Bounty (P2)
- Hackers Target Starbucks Mobile Payments App (P3)
- Google: Account Recovery Security Questions Not Very Secure (P4)
- More bad news: The bad guys are getting better (P5)

InfoSEC Times: Abu Dhabi Polytechnic’s Monthly Newsletter on Information Security Issues

Infosec Times completes one year

Welcome to the thirteenth edition of our newsletter from the Abu Dhabi Polytechnic Information Security Engineering Technology (ISET) Department. In this edition we have collected news about the latest trends in information security.

We would like to encourage and invite our readers to contribute to the development of this newsletter, so that we may keep everyone informed about the current issues that may affect us all in the ever-increasing world of computers and technology.

FBI Claims Hacker Made Plane Fly Sideways

The FBI has accused a security researcher of hacking a plane’s on-board computers to make it fly sideways during a flight.

The details emerged in a search warrant application produced by the Feds to examine the accused’s laptops, hard drives and other computer equipment for evidence.

It claims that in two interviews with the FBI in February and March this year, One World Labs founder Chris Roberts admitted identifying vulnerabilities in the in-flight entertainment (IFE) systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft.

He’s said to have compromised these systems 15 to 20 times between 2011 and 2014, gaining physical access by “wiggling and squeezing” the seat electronic box (SEB) installed under the seat in front of him. After doing so, Roberts would apparently use an Ethernet cable to hook up his laptop and then hack the IFE system.

The affidavit continues:

“He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He said that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He stated that he used Vortex software after compromising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”

Although he admits hacking planes’ IFE systems, Roberts has taken issue with the above.

“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he told Wired. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”

Roberts was first detained for questioning after sending a now infamous tweet about his activities which got him kicked off a United Airlines flight in April. He maintains that he managed to make a plane climb in a simulated test but has never interfered with these systems during a real flight.

A statement from Boeing would seem to indicate that such a hack would be impossible:

“IFE systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions.”

There’s been widespread condemnation of Roberts’ research in certain quarters, although some security experts have backed him.

“Research is the lifeblood of the security industry and it is absolutely imperative for protecting the virtual front line,” Bloxx CEO Charles Sweeney told Infosecurity. “The majority of security researchers know and understand the valuable contribution they make, but also respect their role and the need to draw a line between responsible research and the temptation to ‘have a bit of fun.’ Yes, this researcher has got a bit carried away but the incident shouldn't detract from the invaluable work of researchers in keeping us all safe online.”

18 May 2015
Source: Infosecurity-magazine.com

ISSUE 13, June 2015

Phantom Menace Attacker Set Sights on Oil Companies

Security researchers have uncovered a major new targeted attack seemingly originating from Nigeria and designed to steal official documents which can be used in follow-up 419 scams against oil brokers.

Spain-based Panda Security claimed in a new report, Operation Oil Tanker: The Phantom Menace, that 10 companies had been hit by the campaign. However, police can’t begin investigating because none of the firms affected are prepared to report the crime – preferring to keep quiet for fear of harming their corporate reputation.

Researchers at Panda managed to trace the attack back to a single actor operating from a suburb of Nigerian capital Lagos, by tracing the FTP connection used to send out the stolen data.

They believe that the motive behind the attacks is to grab official proof of product documents, used by vendors selling oil to prove the authenticity of their product to potential buyers. Such documents can be used in 419 scams, where fraudsters pretending to be sellers try to persuade brokers to transfer large sums of money as an advance on the cost of buying oil which doesn’t exist.

The targeted attack campaign was first uncovered when an oil transportation company in the north-east of England took part in a pilot program to trial a new advanced endpoint security tool. They picked up the presence of a suspicious PDF file which had been opened by a secretary at the company and which led to an attempt to steal her log-in credentials and send them to a remote computer.

Curiously, the attack did not feature any malware but simply a self-extracting file, Panda said. It uses legitimate tools and scripts to modify the Windows registry, collect usernames and passwords stored in the local mail client and internet browser, and save them to a text file before uploading them to an external FTP server.

That server contained over 800 files belonging to 10 companies in the same industry, indicating a sustained targeted attack campaign, the report claimed. The attack could be traced back to August 2013, meaning it was six months old by the time Panda Security got involved.

18 May 2015
Source: Infosecurity-magazine.com

United Airlines Rolls Out Bug Bounty

In the wake of a high-profile frequent flier account hack, United Airlines has rolled out a bug bounty program, promising airline miles for vulnerabilities. A lot of miles too: up to 1 million for a remote code execution flaw.

“At United, we take your safety, security and privacy seriously,” the airline said in its announcement. “We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry.”

In January, it was revealed that high-flying thieves with stolen usernames and passwords had broken into customer accounts at both American Airlines and United, booking trips for themselves using people’s stores of frequent flier miles. The login information was pilfered through a third-party source; mileage transactions were made on about three dozen United accounts, and about 10,000 AA accounts were hacked. Talk about flying the unfriendly skies.

United said that it’s looking for issues that affect the confidentiality, integrity and/or availability of customer or company information. The eligible list includes: authentication bypass; bugs on customer-facing websites, the United app or third-party programs loaded by united.com or its other online properties; cross-site request forgery (CSRF) and cross-site scripting (XSS); potential for information disclosure; remote code execution; timing attacks that prove the existence of a private repository, user or reservation; and the ability to brute-force reservations, MileagePlus numbers, PINs or passwords.

Non-customer-facing sites, partner or third-party websites or apps and a few others are not eligible for bounties. But notably, neither are those in critical systems like onboard Wi-Fi, entertainment systems or avionics.

The payout structure is based on the severity and impact of bugs (all bugs must of course be new discoveries). It ranges from the aforementioned 1 million frequent flier miles to 50,000 for CSRF, XSS and third-party code loaded by United sites. Award miles will be provided only to the first researcher who submits a particular bug, who must be a MileagePlus member in good standing.

“We believe that this program will further bolster our security and allow us to continue to provide excellent service,” the airline said. “If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we’ll gladly reward you for your time and effort.”

18 May 2015
Source: Infosecurity-magazine.com

Hackers Target Starbucks Mobile Payments App

Credit-card hackers are reportedly targeting Starbucks gift card and mobile payment users around the country. Taking advantage of weak passwords and the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes—without even knowing the account number of the card they’re hacking.

The ramifications can be significant: Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about one in six transactions at Starbucks are conducted with the Starbucks app.

Several users have complained of hacking via Facebook. “My account was hacked this morning,” said one on a page devoted to the issue. “They got my balance and tried to reload the card with the saved credit card but the bank stopped it. Had all the hassle of canceling the credit card, and also because my address and email and phone number was on there, put in a fraud alert to the credit report companies as well just in case.”

According to security blogger Bob Sullivan, based on conversations with an anonymous source who is familiar with the crime, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card. And, this issue has been going on since the beginning of the year, the source told him.

The issue likely goes back to brute-force password attacks, he said in a blog. “Because Starbucks’ mobile payment app is so popular, any large set of stolen credentials is bound to have at least a few combinations that unlock Starbucks accounts,” he said. “Criminals could also be stealing credentials in other ways—through phishing emails, or keylogging programs.”

In any event, once logged in, criminals have several options for draining card values—and this is where Starbucks can come in to help remedy the issue. The most common: they can transfer balances from the gift card to another, or combine balances from multiple cards onto a single other card. It just takes a special, one-time emailed authentication code to do so, but the two-factor approach is fundamentally flawed. By using the settings in the Starbucks.com account, hackers can change the email address linked to the app to one that they control—and can thus have the code that Starbucks requires for transfers sent directly to them.

There is also a further risk in that the app also stores and displays personal information about the user, such as their name, full address, phone number and email address. Criminals could then use this information or sell it for use in more targeted larger-scale spear-phishing or identity theft attacks.

As for Starbucks, a spokesperson issued the following statement, and noted that customers are not responsible for charges or transfers they didn’t make:

“While I’m not able to comment on an individual customer’s account, what you’re describing is not connected to mobile payment—linking the two is inaccurate. We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers. For obvious reasons, we are unable to discuss specific security measures. Our customers’ security is incredibly important to us and we take all these concerns seriously.”

But the problem is not that the mobile payments themselves are insecure. Rather, with auto-reload, accounts are automatically topped up from a linked bank account when the balance falls below a certain level, offering an endlessly replenishing pool of cash to steal. And according to Sullivan, those stolen, auto-funded Starbucks cards—or more specifically, the electronic codes behind them—can then be sold on the black market for cash. Consumers would be none the wiser until they notice the extra transactions coming out of their bank accounts.

“Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards,” Sullivan said.

Gavin Reid, VP of threat intelligence at Lancope, said that this highlights problems with using consumer cards and accounts that are backed up with either a high limit credit card, or even worse, a checking account.

“Ideally vendors would make this form of compromise harder by using multi-factor authentication, and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss,” he said via email. “This type of small amount theft can be automated reusing already exposed credentials.”

13 May 2015
Source: Infosecurity-magazine.com
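The design weakness behind the Starbucks transfer codes, as an added illustration (not code from the article, from Bob Sullivan, or from Starbucks): an emailed one-time code is only as strong as the rule that decides which address receives it. The weak version lets the logged-in session change that address with immediate effect; the hardened version keeps sending codes to the existing address until the change is confirmed through it. The account class, addresses and in-memory outbox are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    email: str                               # verified address; codes go here
    pending_email: Optional[str] = None      # hardened flow only
    pending_token: Optional[str] = None      # hardened flow only
    # Constructed stand-in for a mail server: (recipient, body) pairs.
    outbox: List[Tuple[str, str]] = field(default_factory=list)


def _send(acct: Account, to: str, body: str) -> None:
    acct.outbox.append((to, body))


def issue_transfer_code(acct: Account) -> str:
    """Send the one-time code that authorises a balance transfer.
    Whatever `acct.email` holds at this moment receives the code."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _send(acct, acct.email, f"transfer code {code}")
    return code


# --- weak design: a settings change takes effect at once ---------------------
def change_email_weak(acct: Account, new_email: str) -> None:
    """The session that knows the password can also pick where codes go,
    so the emailed code adds nothing the password did not already prove."""
    acct.email = new_email


# --- hardened design: the change is confirmed via the current address --------
def request_email_change(acct: Account, new_email: str) -> None:
    """Record the request and send a confirmation token to the OLD address.
    Until it is confirmed, every transfer code still goes to the old one."""
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(16)
    _send(acct, acct.email, f"confirm new address {new_email}: {acct.pending_token}")


def confirm_email_change(acct: Account, token: str) -> bool:
    """Apply the pending change only with the token from the old mailbox.
    Constant-time comparison avoids leaking the token byte by byte."""
    if acct.pending_token is None or not secrets.compare_digest(token, acct.pending_token):
        return False
    acct.email = acct.pending_email
    acct.pending_email = acct.pending_token = None
    return True


def code_recipient(acct: Account) -> str:
    """Issue a transfer code and report which address actually received it."""
    issue_transfer_code(acct)
    return acct.outbox[-1][0]


def demo(hardened: bool) -> str:
    """A logged-in session changes the contact address to one it controls and
    then requests a transfer code. Returns the address the code went to."""
    acct = Account(email="owner@example.com")          # constructed
    if hardened:
        request_email_change(acct, "other@example.com")  # unconfirmed
    else:
        change_email_weak(acct, "other@example.com")
    return code_recipient(acct)


if __name__ == "__main__":
    print("weak design, code delivered to:    ", demo(hardened=False))
    print("hardened design, code delivered to:", demo(hardened=True))
```

A real deployment would add a notification of the change to the old address and a step-up check (re-entering the password or a second factor) before the request is even recorded; the token round-trip above is the minimum that breaks the redirect.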

Google: Account Recovery Security Questions Not Very Secure

An analysis of millions of answers to security questions shows many are predictable and easily guessable, says Google.

The security questions that many websites ask to help users gain or recover access to online accounts do little to improve security. In fact, they are neither reliable nor secure enough to be used as a standalone authentication mechanism for account recovery purposes, Google said in a new report.

Researchers at the company analyzed hundreds of millions of answers to secret questions that people have provided to Google over the years after forgetting their passwords or being asked to provide additional authentication to gain access to their accounts. They then set out to see how easy or difficult it would be for malicious actors to try and guess those answers and discovered that it is easier than many might assume.

With a single guess, an attacker would have a nearly 20 percent chance of accurately guessing that an average English-speaking user’s answer to the security question “What is your favorite food” would be "pizza." In about 10 guesses, they’d have the correct answer to an Arabic-speaking user’s first teacher’s name, a 21 percent chance of guessing a Spanish-speaking user’s father’s middle name, a nearly four in 10 chance of guessing a Korean user’s city of birth and a 43 percent chance of correctly guessing their favorite food.

One problem, according to Google researchers Elie Bursztein and Ilan Caron, is that people often tend to fib when choosing their responses to security questions. A survey of Internet users that Google conducted showed that about 37 percent admitted to providing fake answers to security questions, apparently in a bid to make them harder to guess, the two researchers wrote in their blog post announcing the results of their analysis.

Ironically, this behavior only has the effect of making such answers easier to guess, because people in aggregate tend to make their answers harder in a predictable way, the researchers said. Many users for instance had identical answers even to questions that should have generated unique responses, like "what’s your frequent flier number." That’s because in choosing to provide a fake answer, people tend to gravitate towards a predictable set of answers, the Google researchers said.

“People intentionally provide false answers to their questions thinking this will make them harder to guess. However this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.”

At the same time, people who chose difficult secret questions had a hard time coming up with the correct response when they needed it. For example, secret questions like ‘what’s your library card number’ or ‘what is your frequent flier number’ are generally very secure but had recall rates of just 22 percent and 9 percent, Google said. In contrast, easier questions like those pertaining to a parent’s middle name had a much higher success rate.

What the research showed, according to Bursztein and Caron, is that answers to security questions are either somewhat secure or easy to remember, but seldom both.

Asking users to respond to more than one question can make it much harder for attackers to break into an account through guesswork, they noted. But it makes things difficult for users as well. Most users for example have little problem remembering the city they were born in or their father’s middle name. An attacker would only have a 6.9 percent chance and a 14.6 percent chance of correctly guessing either in 10 tries, and an even slimmer 1 percent chance when confronted with both questions at the same time.

But the ability of users to remember both answers correctly also drops, from an average of around 75 percent to about 59 percent. “Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result,” Bursztein and Caron said.

A more secure approach for website owners may be to use other authentication mechanisms such as one time codes sent via SMS or to secondary email addresses, they said. “These are both safer, and offer a better user experience,” the researchers said.

May 22nd 2015
Source: darkreading.com
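An added worked example (not from the Google study or the article) that puts numbers on the guessing argument above: an attacker's success within k guesses is the mass of the k most common answers, two independent questions multiply the single-question rates, and a shared pool of fake answers raises the attacker's odds rather than lowering them. The answer distributions are constructed so that their top-10 mass reproduces the article's 14.6% and 6.9% figures; they are not Google's data, and the fake-answer pool is invented.

```python
from typing import Dict

# Constructed answer distributions: answer -> share of users giving it.
# Shares not listed belong to a long tail of effectively unique answers.
FAVORITE_FOOD = {"pizza": 0.19, "pasta": 0.06, "sushi": 0.04,
                 "chicken": 0.03, "tacos": 0.02}
# Built so the ten most common answers cover 14.6% of users (article figure).
FATHER_MIDDLE_NAME = {"james": 0.030, "john": 0.025, "lee": 0.020,
                      "michael": 0.015, "edward": 0.012, "joseph": 0.011,
                      "william": 0.010, "david": 0.009, "thomas": 0.008,
                      "robert": 0.006}
# Built so the ten most common answers cover 6.9% of users (article figure).
BIRTH_CITY = {"springfield": 0.020, "franklin": 0.010, "clinton": 0.008,
              "greenville": 0.007, "bristol": 0.006, "fairview": 0.005,
              "salem": 0.004, "madison": 0.004, "georgetown": 0.003,
              "arlington": 0.002}
# Constructed pool of "clever" fake answers that fibbing users converge on.
SHARED_FAKES = {"none": 0.5, "password": 0.3, "abc": 0.2}


def success_within(dist: Dict[str, float], k: int) -> float:
    """Chance that an attacker who tries the k most common answers, in
    order, hits the user's answer: the top-k mass of the distribution."""
    return sum(sorted(dist.values(), reverse=True)[:k])


def both_within(a: Dict[str, float], b: Dict[str, float], k: int) -> float:
    """Attacker gets k tries on each of two independent questions and must
    succeed on both; this is how the article's 'both questions' figure
    follows from the two single-question rates."""
    return success_within(a, k) * success_within(b, k)


def joint_success_within(a: Dict[str, float], b: Dict[str, float],
                         k: int) -> float:
    """Stricter policy: k tries in total, each naming both answers at once.
    Success is the top-k mass of the joint distribution of answer pairs,
    which is far smaller than giving k tries per question."""
    joint = sorted((pa * pb for pa in a.values() for pb in b.values()),
                   reverse=True)
    return sum(joint[:k])


def with_fake_answers(dist: Dict[str, float], fraction: float,
                      fakes: Dict[str, float]) -> Dict[str, float]:
    """Model of the survey finding: `fraction` of users swap their real
    answer for one drawn from the small shared pool `fakes` (weights sum
    to 1). Real answers and the long tail shrink by the same fraction."""
    out = {ans: p * (1 - fraction) for ans, p in dist.items()}
    for ans, w in fakes.items():
        out[ans] = out.get(ans, 0.0) + fraction * w
    return out


if __name__ == "__main__":
    print(f"favorite food, 1 guess:        {success_within(FAVORITE_FOOD, 1):.1%}")
    print(f"father's middle name, 10:      {success_within(FATHER_MIDDLE_NAME, 10):.1%}")
    print(f"city of birth, 10:             {success_within(BIRTH_CITY, 10):.1%}")
    print(f"both, 10 tries each:           {both_within(FATHER_MIDDLE_NAME, BIRTH_CITY, 10):.2%}")
    print(f"both, 10 pair guesses total:   {joint_success_within(FATHER_MIDDLE_NAME, BIRTH_CITY, 10):.2%}")
    faked = with_fake_answers(FAVORITE_FOOD, 0.37, SHARED_FAKES)
    print(f"favorite food, 3 guesses:      {success_within(FAVORITE_FOOD, 3):.1%}"
          f" -> {success_within(faked, 3):.1%} once 37% use shared fakes")
```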

More bad news: The bad guys are getting better

If there’s one lesson to be gained from all the security breaches and revelations of major bugs in security protocols in 2014, it’s that attackers are upping their game and finding more opportunities. That’s only reinforced by several new studies.

German security company G Data, for example, reported a huge increase in the number of new malware strains in the second half of the year -- on average, a new type was discovered every 3.75 seconds! For the year as a whole, just under six million new malware strains were seen in the wild, some 77 percent more than 2013's total.

Not all kinds of malware saw an increase. Those using backdoor vulnerabilities in software fell, for example, and worms and spyware remained relatively flat. But rootkits, while still a very small percentage of the overall number of malware, jumped more than ten-fold in the second half of the year.

Rootkits are software included in malware that help to embed the malicious part of the package in a system and ensure the persistence of additional attacks by helping the malware evade the scanners and monitors now used to detect it.

Not surprisingly, malware developers are mainly targeting the ubiquitous Microsoft platforms, with malware programmed as .NET applications continuing to rise. Overall, new variants for Windows platforms made up 99.9 percent of the new malware variants.

More problems could arise with Microsoft’s withdrawal of support for Windows XP in April last year, G Data said, because systems still using this operating system are “unprotected against attacks on existing or newly discovered security holes going forward.”

Akamai Technologies' most recent State of the Internet survey similarly reported more than double the number of distributed denial of service attacks in the first quarter of 2015 compared to the first quarter of 2014, and over 35 percent more than in the final quarter of 2014.

DDoS attacks may not be such a big deal for the public sector, which gets only around two percent of the total. But Akamai noted a potentially dangerous trend in the 2015 attacks, with peak DDoS attacks of 100 Gbps making up a significantly bigger part of the total. That suggests attackers have been developing better ways to maximize the impact of their work.

At the rate attacks are progressing, Akamai said, security researchers are concerned about what attackers may be able to accomplish by this time next year. Add to that the fact that employing current attack techniques “has not required much skill,” and even relatively inexperienced attackers could be capable of creating major damage as more potent tools enter the picture and attack bandwidth increases.

And what, then, to make of the recent news that the Defense Department is going to take a “no holds barred” approach with users who threaten security with sloppy cyber habits? Bad cyber hygiene “is just eating our shorts,” according to David Cotton, deputy CIO for Information Enterprise at the Pentagon.

Users will be given a very short time to comply with DOD password-security policies or to change behavior that invites phishing attacks while using third-party social media accounts. The Pentagon is also pushing vendors to come up with more timely patches for security vulnerabilities, though recent research also points to the need to make sure patches are updated on all hosts at the same time.

The DOD, along with the intelligence agencies, is considered to be better at security than most other parts of the government, so it’s a little startling to read that the Pentagon’s crackdown is aimed at giving department leadership “a consolidated view of basic network vulnerabilities.”

Isn’t this supposed to be the very first thing organizations do when assessing security needs? And if the DOD doesn’t even have this bit of the puzzle sorted out, how is it ever going to successfully defend against the threats indicated by the G Data and Akamai reports?

Perhaps it’s finally time for government organizations to give up on security that is user focused. The Cloud Security Alliance’s “Dark Cloud” project could be one way of doing that.

May 22
Source: Gcn.com

InfoSEC Times Issue 13 June 2015

Abu Dhabi Polytechnic, Mohammed Bin Zayed City, PO BOX 111499, Abu Dhabi, UAE

For information and to get involved in the next issue, contact Dr. Jamal Al-Karaki at [email protected], phone +971 2-6951047.

Abu Dhabi Polytechnic successfully conducted the National Trisec 2015 Cyber Security Contest on 20-21 April 2015 at the MBZ campus, Abu Dhabi. Students from different universities and schools in the UAE took part in the coding, hacking and fixing competition. The welcome note was given by Dr. Ahmad Al-Awar, Managing Director of IAT.

Winners of the contest were awarded cash prizes. There were separate competitions for university and school level students.