Archive for the “Uncategorized” Category
First they came for Jackson,
Then they came for Neidorf,
Then they came for Mitnick,
Then they came for Watt,
Then they came for Swartz,
Then they came for me,
Lets see if I can break this down chronologically.
On July 12, 2012 a third party marketing firm hired by Verizon had a large database of Verizon user information ‘copied’. Verizon claims the incident was reported to authorities but no breach actually happened.
This statement from Verizon raises several questions. 1. Why did a 3rd party marketing firm have possession of this data which contained much more than just names and addresses. 2. How exactly was the data copied and 3. If there was no breach why were the authorities involved?
On Friday December 21st a twitter user with the handle @TibitXimer (since removed) posts to Twitter and Pastebin that he was in possession of 3 million leaked accounts including plaintext passwords of Verizon Wireless customers. ZDNet publishes an ‘exclusive’ Exclusive: Hacker nabs 3m Verizon customer records (title has since been changed) covering the supposed breach. Of course the original story had no comment from Verizon or any verification of the data.
With a little digging around I find the link to the original Pastebin post by @TibitXimer and his link to the data. A link that goes to a pay for download site. I thought that was a little odd and wasn’t about to pay to download a breach database. After making a few posts to Twitter I got a sample of the data.
I could tell right away that it was not Verizon Wireless data and it looked to me like possibly Verizon FiOS data. I also did not see any passwords, plaintext or otherwise. After sharing the data with some other security people we decided pretty quickly amongst ourselves that the data was very similar to some other data that had been floating around the net for a few months.
After attempting to get a response from @TibitXimer via twitter to confirm this new information his twitter account, pastebin link and download link all quickly disappeared.
By Saturday December 22nd Forbes writes an article Verizon Denies Hacker Leaked 300,000 Customers’ Data-UPDATE with an actual update from Verizon. ZDNet does not bother to update their article until 8:00PM EST that evening with nothing but a one-sentence denial from Verizon.
On Sunday December 23rd The Next Web seems to put all the pieces together After hacker disappears from Twitter, Verizon reveals customer data was leaked by a marketing firm and examines the
It is pretty obvious at this point that ZDNet has been trolled; while the results were spectacular (from a troll point of view) the troll itself was not very complicated or sophisticated. Now on Wednesday December 26th the original ZDNet story still stands with a one-sentence disclaimer from Verizon and a brief mention that the pastebin link no longer works. However, the still posted story makes no mention of the incorrectness of the data, its original source, its apparent age, the disappearance of the original poster and still alludes that this is a new Verizon breech.
I reached out to Charlie Osborne @ZDNetCharlie, the first name on the byline of the story, and asked if the story would be updated. She said that despite being listed first on the story she was not the lead contributor and therefore had no way to make edits. I’m not really sure I understand this, if my name was on the story I would want to make sure it was correct and would be calling my editor immediately even if it meant waking him up. I guess some people don’t care what their name gets attached to.
I shouldn’t be surprised at this as ZDnet has gotten rid of or lost all of their seasoned reporters. Charlie Osborne seems to have only recently begun writing technology after graduating with a medical anthropology degree. Zack Whittaker, who I presume is the lead contributor to the story hasn’t responded to my tweets asking for an update. He to has only recently started his writing career and it would appear that most of his stories lately have been centered on smartphones.
While I understand that new reporters need to start somewhere I would hope that ZDNet would have seasoned editors in place that would force fact checking, verification and confirmation of a story before publishing. Leaving a story such as this to fester on their website reflects poorly not just on ZDNet but on the InfoSec industry as a whole, not to mention the damage that it is doing to Verizon.
The excuse that it is Christmas does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. ZDNet did update this story, twice, but the information they provided was inadequate and is now outdated.
I ask ZDNet to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether.
For those of you who have seen my talk ‘Media Hype in the Information Security Industry’ you should recognize that this is just another example of a big hack that never really happened. Unfortunately it will not be the last.
LATE UPDATE: It looks like I wasn’t the only one to notice the sloppy reporting at ZDNet on this story. Dissent at the Dataloss DB has published Fool us once, shame on you. Fool us twice, we implement policies!
28 08 2012
I have been giving my talk “Hackers and Media Hype or Big Hacks That Never Really Happened” for a few months now and I think it is time to retire it. You may have seen it at Shmoocon Epilogue, Source Boston or Hope 9. If not catch the video below. I also have the entire slide deck available including the bibliography if anyone is looking to check sources.
Here is the slide deck MediaHypeinInfoSec2012_HOPE.pptx
There has been a story making the rounds the last few weeks that is really bugging me. I was going to let it slide but the story just won’t die and every time it comes around again I just get angrier. The problem is I don’t think the story is actually true, which wouldn’t be that big a deal if I could actually prove it wasn’t true but in this case its just a feeling, I have no proof, not even a preponderance of evidence, just a feeling.
The story is sort of infosec related and deals with the geotagging of photos uploaded to social media sites. This is a very real concern for people like the US Army who usually don’t want it known where high value targets like say, oh, AH-64 Apache helicopters might be parked. The problem I have is that I seriously doubt the scenario as presented by Steve Warren, deputy G2 for the Maneuver Center of Excellence actually happened.
“Warren cited a real-world example from 2007. When a new fleet of helicopters arrived with an aviation unit at a base in Iraq, some Soldiers took pictures on the flight line, he said. From the photos that were uploaded to the Internet, the enemy was able to determine the exact location of the helicopters inside the compound and conduct a mortar attack, destroying four of the AH-64 Apaches.”
There are just so many things wrong with this story as it is presented to make it believable to me. Is it possible? Absolutely. Is it a real security concern? Most definitely. But did it really happen? I don’t think so.
First lets try to imagine how the US Army determined that the enemy downloaded the photos and extracted the GPS location in order to lob mortars at the helicopters. How did the Army find that out? Did they enemy carry a sign past the airbase front gate saying “Hey, grabbed your FaceBook pics HA! HA!” Did they capture an enemy combatant and water-board it out of him? Did they recover a laptop with a bunch of photos and map coordinates? Why are we only hearing about it five! years after happened? How did the Army determine how the enemy got the information? That part is never explained.
Lets look at a second more plausible explanation, assuming that helicopters actually did get blown up. A fleet of UH-64s are not easy to hide. If you’re a Iraqi sitting in your house eating your hummus and pita bread and you’re hear a fleet of UH-64s fly over head your gonna notice it. You put down the pita and look out the window to see the helicopters flying off to the nearby US Army base. Then you call your buddies, grab your motor tube and go have some fun. To me this makes a lot more sense than randomly grabbing pictures off FaceBook.
So if this is really a made up story why did the US Army release it? I suspect they know they have a very real problem of soldiers uploading geotagged photos to social media sites. They tried banning Facebook and other sites before and that didn’t work. And actually the military needs social media for morale reasons. The number one morale booster when I was in the service was mail, or more accurately communication home to family and loved ones and with todays military that communication happens over the Internet and with social media. We cannot turn it off. So you have to do the next best thing, educate the users/soldiers/sailors/airmen/marines not to post stupid stuff that will compromise your military situation. Loose lips sink ships, or in this case geotaged photos blow up helicopters (doesn’t really have the same ring to it.) Based on my own experience with educating users I suspect they have met with only limited success.
So this story of UH-64s being bombed via Facebook makes a perfect urban/military legend. To people in the military it does not matter if it was true or not the story will live on and spread and take on a life of its own. Now soldiers will double check their buddies when they take pictures because they won’t want mortors raining down on their own heads. Where training has failed peer pressure will succeed, and it gets repeated so many times it just magically become fact. Mission Accomplished.
But to those of us in infosec we need to look at this story for what it is, a possibility, not yet a reality, but something to look out for and to caution our clients against. Just remember not everything you read is true, the sky isn’t always falling but that doesn’t mean you shouldn’t pay attention.
A lot of people ask me why I still use a handle and go by ‘Space Rogue’ instead of using my real name. Trust me it is kinda awkward to go to a respectable con like BSides, Blackhat or even RSA and introduce myself as ‘Space Rogue’. People always ask me to repeat myself as if they didn’t hear me, then they get this weird look on their face like ‘who is this crazy person?’
The original handles came about because early multi-users systems, like UNIX and BBS systems, could only handle eight character login names. So people tended to get a little creative. Those handles became intimately identifiable with the personas behind the keyboards. Most of the people I still interact with from those days I still refer to by their handle. Jeff Moss will always be DT, Chris Wysopal at Veracode will always be ‘Weld’, Joe Grand will always be Kingpin, or just KP. Not just online but in face to face meetings as well. People who know my real name still refer to me as Space, SR or even Mr. Rogue when we are together. For me handles are easier identifiers than actual names, I seldom remember a name but I almost always remember a handle.
During the L0pht years handles were important. We felt we needed them to protect us from individual lawsuits that may be filed from the companies whose security holes we were exposing at the time. We went to great lengths to protect those handles. We gave up many press opportunities because numerous journalists couldn’t get past not having a real name to pin a quote to. I figured if my handle was good enough for a Senator to read into the Congressional Record it was good enough for a newspaper quote.
Somewhere along the line most of the people I knew who were using handles switched to using their real names, usually because of a job. There aren’t many people at the top of the InfoSec world these days that still uses a handle. (Of course there a few that use ‘normal’ sounding handles, and a few whose actual names sound like handles.)
For me it comes down to keeping my day job. I tend to do infrastructure, networks, servers, that sort of thing. Big deal right? Well a lot of company’s are still afraid of the evil ‘hacker’ label. I guess they don’t feel comfortable with having a ‘hacker’ have physical access to their networks, servers and other mission critical systems. Never mind my extensive experience in the IT field or that my ‘hacker’ background probably makes me a better IT Manager than anyone else they are probably able to hire. Companies tend to freak out and pull a knee jerk reactions.
Making my real name easily associated with ‘Space Rogue’ via a Google search does not assist the job search. I have lost at least one and possibly two jobs, and who knows how many potential jobs, when someone was able to make the connection between the two identities. Now they didn’t come right out and say ‘Oh your Space Rogue you can’t work here anymore’ but it can be pretty apparent when a company is trying to get rid of you and then you find out later that they made the connection somehow.
So while a lot of people ‘in the scene’ know my real name I keep my Infosec identity as Space Rogue separate from my IRL identity and will continue to do so. At least until there is a company that is willing to see the value behind the handle. With any luck I will be able to merge the handle with the real name and become ‘John “Space Rogue” Smith’
Let me say first that SCADA (supervisory control and data acquisition) attacks are real, they do happen and should be a real concern. But if we look at the recent press surrounding such attacks we see little in the way of any hard evidence that such an attack actually occurred. Instead we see rumor and accusation and a hell of of a lot of theory.
The most recent example is the report, first reported on by The Register that someone broke into a local water utility and caused a pump to fail by turning it off and on repeatedly. This is a completely plausible scenario but when we look a little closer at the report some holes start to develop.
The media gabbed a hold of this story and quickly spread it around, over sixty different articles that I can find so far, yet none of them cite ANY primary sources for the incident. That’s Journalism 101 folks, and I didn’t even take journalism class. The Register article quotes Joe Weiss, a managing partner for Applied Control Solutions talking about the attack. This would seem to lend provenance to the story and that the attack actually happened, but Weiss was not a primary source. Most of his quotes are hypothetical and refer to an ‘official government report’ that he refused to name. Weiss refused to state which water district was targeted other than to say the report was released on November 10th. According to Weiss a software vendor lost control of its customer username and password database which allowed attackers, who had been traced back to Russia, access to the systems.
The Register at least got a comment from the US Department of Homeland Security indicating the utility in question was located in Springfield, Illinois. I’m not sure why the Register did not pick up the phone and call Springfield but Kim Zetter from Wired did call. The Springfield water department denied it was them and said the attack took place in the Curran-Gardner water district. When she called Curran-Gardner they hung up on her.
By the time the story made it to C|Net they actually had a quote from DHS.
The key words that I see are ‘no credible corroborated data’ – Bingo! Now, it is possible that DHS is downplaying this so as to not cause widespread panic but lets face it, this is DHS, their whole reason for existing is wide spread panic. So if they say there is ‘no credible corroborated data’ I’m going to go with that.
So what facts do we have that can be confirmed? I think it is pretty safe to say that a water pump somewhere in Illinois failed. I also think it is pretty safe to say that some secret government report blamed that failure on Russian hackers. Thats it. Everything else is pure speculation.
Now lets read between the lines shall we? Lets assume that a pump somewhere in Illinois, over the course of several weeks or even months turned itself off and on and failed. Pumps fail all the time, it happens, doesn’t mean they were hacked. Unfortunately we don’t know what kind of pump, who manufactured it or how long it had been turning off and on before someone noticed. Now what if the code controlling this system was flawed in such a way that the control loop code wasn’t working properly? Control loops are tricky things and it is easy to screw them up, especially if your a pump manufacturer and don’t really pay attention to closely to the software that controls them. Now I have no more evidence to say that this was a software glitch than I do to prove it was an external intrusion. But doesn’t a control software glitch sound a hell of a lot more possible than a russian breaking into a small Illinois township water district?
I think @Jack_daniel said it best “No one sentient doubts the vulnerability of SCADA systems, but for the love of $DEITY SHARE REAL DETAILS or crank up the skeptic settings.”
That pretty much settles that in my book.
Although I have to share one last quote from the Curran-Gardner Water District trustee “I drank the water this morning.”
2011.11.25 – Update
01 11 2011
Since I posted my previous item regarding my suspicions as to the validity of the claims of ‘interference’ with a US Government satellite there have a few more developments.
According to NASA PAO: “NASA experienced two suspicious events with the Terra spacecraft in the summer and fall of 2008. There was no manipulation of data, no commands successfully sent to the satellite, and no data captured. NASA notified the Department of Defense, which is responsible for investigating any attempted interference with satellite operations. While we cannot discuss additional details regarding the attempted interference, our satellite operations and associated systems and information are safe and secure.
Which if you read between the lines says absolutely nothing and denies everything. Just “two suspicious events” that caused no commands to be sent to any satellites, and no data changed or captured from a satellite. So what exactly constitutes a “suspicious event”? How the hell did we go from “suspicious event” to “OMG Hackers are controlling satellites!”?
This of course brings me right back to my original theory, that nothing of any significance actually happened, that some system got infected with malware and since that system was supposed to be air gapped and could control a satellite NASA had to inform DoD as a matter of protocol. So no satellites actually got ‘hacked’ and the cyber cold war continues as usual.
The second development is that China has denied all the accusations. Naturally. Specifically they claimed “This report is untrue and has ulterior motives. It’s not worth a comment,” which I agree with completely.
27 10 2011
First some historical background, this is at least the third time I have seen a similar story over the last 15 years. “OMG ‘hackers’ can control a satellite”, the previous two times it turned out to be false. The first time I was one of the first people call the story suspect.
It is hard to find links that still work from 1999 but Reuters actually had to publish a retraction, if you can call it that
It reared its ugly head again a few years later and became “the second most mysterious unsolved cyber crime.” and it wasn’t even true. I have a blog post about that mess here with a some more supporting links.
I’ve seen similar stories pop up about once every five years or so, “OMG the world is gonna end, hackers control the skies, Aaarrrrggghhh!!!!” Remember the story a year or so ago where Taliban ‘hackers’ got control of a predator drone or some bullshit? When all it most likely was that they got a copy of the off the shelf control software, maybe. Never conclusively got the end of that one.
In all of these case there are similarities, blame some unknown entity, vague details and no verifiable information.
So lets look at this story. The accusation comes from some anonymous report, ok, ok, not actually anonymous but from the U.S.-China Economic and Security Review Commission. Hmmm, think they have an interest in pointing fingers? And I don’t see any actual names on the report (admittedly I haven’t looked to hard) So, first they blame China, naturally, who else you going to blame? They don’t blame kids in basements anymore, there is no profit motive in controlling satellites (well, unless you can keep control) so cyber criminals are right out, must be a nation state, and with the cyber cold war going full bore the biggest enemy is China, so lets blame them. Why not, they are just going to deny it like always.
As for specifics, they say the ‘hackers’ caused ‘interference’, WTF does that mean? Did they gain full control? Did they move the satellite from its intended orbit? Where they able to send unauthorized commands? Or did they merely ping the control systems? Maybe infected them with standard malware? Did they stand outside and try to jam the microwave signals? Just what the hell does ‘interference’ mean?
This report actually lists a suspect location for the attack, “may have used an Internet connection at the Svalbard Satellite Station in Spitsbergen, Norway”. But has anyone bothered to call anyone who works there to verify the story? Even to get a dry ‘no comment’? I haven’t seen one. Also notice the “may have” implying they don’t really know. How the hell could they not know?
I mean come on, think about it, this is a satellite installation, according their web page “the world’s largest commercial ground station with more than 31 state-of-the-art multi-mission and customer dedicated antenna systems in C-, L-, S- and X-band.” Whoa! Sounds like they know what they are doing. I would think that someone there would be able to give some sort of comment. If they are a commercial organization then letting word get out, unchallenged, that their systems got broke into and multi million dollar satellites are not under their control, sounds like there could be some liability there. Someone should be confirming the story and minimizing its impact or denying it outright. Something. No, all we have is a ‘may have’.
And lastly Satellite control systems are supposed to be air gapped, in other words not connected to the Internet. Granted there are numerous cases where the air gap got bridged, usually with a USB drive, the recent remote command center for Predators Drones being infected with malware comes to mind, so air gaps aren’t fool proof, but still you would think a breach of this magnitude would show up somewhere other than an almost unnoticed report put out by the U.S.-China Economic and Security Review Commission.
I have no facts or sources to confirm this but my theory is that the ‘interference’ was nothing more than run of the mill malware that infected the office and business systems of the Svalbard Satellite Station. One of the authors of this report got wind of it and and suddenly it becomes hackers interfere with satellites.
So, until I see some actual facts and verifiable sources I’m calling this whole story bullshit.
- Space Rogue
Getting your customers to fill out market satisfaction survey’s is all the rage these days. “We greatly appreciate your feedback ” Hey, its free demographic marketing! Its also usually ego stroking, studies show that people tend to skew their own responces to the positive side of things. Generally I don’t fill these things out at all. I just route these emails directly tot he trash bin. I don’t do free marketing research for your company. However, once in a while I get pissed off enough to waste ten minutes to fill out the survey, at least enough until I get to the comment box. (Didn’t put a comment box in your survey? Better hope all your executives have an asbestoes covered email inbox)
“You indicated that you are not very likely to recommend Verizon Business to a friend or a colleague. What can we do to improve?”
Not suck. You failed at every level, from order taking to product delivery to service connection. You failed at everything, multiple times. The only thing you can do to improve is just not suck. It isn’t really that hard. Seriously, I have never seen so much suckage, you suck at incomprehensable levels. I don’t mean to sit hear and call you names but I have never ever seen one organization just not care, about anything. This wasn’t just one bad employee, this was everyone, it was systemic within your organization. The order taker, the project lead, her boss, the implementer, the guys on the phone when I turned the circuit up, everyone. No one cared, and no one could do their job correctly the first time.
I have delt with Verizon off and on for years and years, there have always been problems. I have had dozens of circuits installed and every single one of them have had something go wrong. I expect it and I usually plan for for it. But this time, everything went wrong, order taker forgot to submit paperwork for me to sign until the last minute, the site survey was delayed by two weeks, and actually had to happen twice. Your Business unit could not talk with your Core unit. (What the hell is the differance?) You couldn’t pull cable, then you failed to connect the circuit the first time, or the second, then you forgot to send me the router you ordered for me two months prior! All the while I am attempting to get things corrected with the project manager and her boss. Basically, they didn’t care.
You have problems Verizon, deep problems. And now I am stuck with your line into my company like some grotesque festering infectous tentacle that I would rip out completely down the seven floors into your node if I could. You have your contract, you have me for three years and frankly I am so tired of fighting that now that the service is working, finally, I am too tired to change it. So yeah, you have my (companies) money Verizon, for now but as soon as this contract is up I will be switching and I will never ever EVER install another Verizon circuit ever again. I would rather install