Saturday, February 15, 2014

Cyber-security items of note, February 15, 2014: focus on infrastructure, hackers circulating credentials for thousands of FTP sites, a Target hack update, and the January round-up of data breaches (eSecurity Planet)

Kickstarter hacked, user data stolen

The crowd-funding site says hackers broke into its systems and made off with data. Apparently credit card numbers escaped the attack.
Hackers hit crowd-funding site Kickstarter and made off with user information, the site said Saturday.
Though no credit card info was taken, the site said, attackers made off with usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords.
"Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," the site said in a blog post, adding that "as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password."
The site said law enforcement told Kickstarter of the breach on Wednesday night and that the company "immediately closed the security breach and began strengthening security measures throughout the Kickstarter system." The site also said "no credit card data of any kind was accessed by hackers" and that "there is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts."
You can read additional information about resetting a password here. We've contacted Kickstarter for more info on the attacks and will update this post when we hear back.
Update, 3:05 p.m. PT: Kickstarter has added an FAQ to its earlier post. Here it is:
How were passwords encrypted?
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?
Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?
We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation.
Will Kickstarter work with the two people whose accounts were compromised?
Yes. We have reached out to them and have secured their accounts.
I use Facebook to log in to Kickstarter. Is my login compromised?
No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.
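The FAQ's distinction between "salted and digested with SHA-1 multiple times" and "hashed with bcrypt" is the difference between a hash that is cheap to brute-force offline and one that is deliberately expensive. The example below is added here to show the usual way a site moves users from the old scheme to the new one without forcing a reset: verify under whichever scheme the stored record uses, and re-hash with the slow scheme the next time the user logs in and the cleartext is available. It is not Kickstarter's code; the round count, the salt ordering and the use of the standard library's scrypt as a stand-in for bcrypt (which needs a third-party module) are all assumptions.

```python
import hashlib
import hmac
import os

# Legacy scheme, modelled on the FAQ's description: a per-user salt, then SHA-1 applied
# repeatedly. The round count and the salt/password ordering are our own assumptions.
LEGACY_ROUNDS = 1000

# Stand-in for bcrypt: hashlib.scrypt is in the standard library and, like bcrypt, is a
# deliberately slow password hash. The parameters are ours (assumption), not Kickstarter's.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def legacy_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Salted, iterated SHA-1: fast to compute, so also fast to brute-force offline."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def modern_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard password hash; each guess costs the attacker as much as it costs us."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def make_legacy_record(password: str, salt: bytes = None) -> dict:
    """Build a stored credential the way the old scheme would have left it."""
    salt = salt or os.urandom(16)
    return {"scheme": "sha1-legacy", "salt": salt, "hash": legacy_hash(password, salt)}


def make_modern_record(password: str, salt: bytes = None) -> dict:
    """Build a stored credential under the slow scheme."""
    salt = salt or os.urandom(16)
    return {"scheme": "scrypt", "salt": salt, "hash": modern_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Check a password against whichever scheme the record was stored under."""
    if record["scheme"] == "sha1-legacy":
        candidate = legacy_hash(password, record["salt"])
    elif record["scheme"] == "scrypt":
        candidate = modern_hash(password, record["salt"])
    else:
        raise ValueError("unknown scheme %r" % record["scheme"])
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, password: str) -> bool:
    """Verify, and on success transparently upgrade a legacy record in place.

    The cleartext is only available at login time, so this is the moment to move
    a user from the fast legacy hash to the slow one without forcing a reset.
    """
    if not verify(record, password):
        return False
    if record["scheme"] == "sha1-legacy":
        record.update(make_modern_record(password))
    return True


if __name__ == "__main__":
    rec = make_legacy_record("correct horse")
    print(rec["scheme"], login(rec, "correct horse"), rec["scheme"])
```

Until a user logs in, their record stays under the legacy scheme, which is exactly why a breach notice like Kickstarter's has to ask older accounts to change their password: the upgrade-on-login pattern protects only accounts that have been used since the migration.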

U.S. Gives Cyber-security Advice to Critical Infrastructure Operators—But No Rules

This Week in Cybercrime
The U.S. government, finally realizing that it has to take action to ensure a minimum level of cybersecurity in networks that manage the nation’s energy, water and financial services, presented the Framework for Improving Critical Infrastructure Security on Wednesday. The document, which was put together by industry and government experts, is a compilation of cybersecurity standards and best practices; it is the result of the year-old Executive Order 13636, under which President Barack Obama directed operators of critical infrastructure to provide guidance for defending their networks.
“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”
The 41-page document describes itself as a complement to industries’ existing risk management practices. What remains to be seen is whether this “guidance” will make firms that have minimal safeguards in place immediately take action to update or reconfigure their systems. Something tells me that a book of suggestions without force of law will not do the trick.
Industrial Control Systems Unguarded
Security researchers have been taking creators of industrial control systems and devices like programmable logic controllers to task for the abject lack of security controls that would prevent networks, and the facilities they run, from being taken over by hackers. But many products and systems remain insecure. That was the focus of a talk by researcher Jonathan Pollet, founder of Red Tiger Security, at the Kaspersky Security Analyst Summit in Punta Cana, Dominican Republic, on Tuesday.
Referring to the maddening state of play in industrial cybersecurity, he said, “It’s like hacking in the 1980s and 1990s,” when IT software and hardware vendors typically buried their heads in the sand, hoping that researchers presenting vulnerability reports would eventually go away if the companies ignored them long enough. According to a Kaspersky Threatpost article, Pollet recalls “being at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went home, got his laptop, returned and was able to debug the software, find the problem and fix it and get the ride going again.”
Did he have credentials giving him access to the system? No. Did he face much difficulty in reconfiguring the control system for a machine that thousands of people would ride that same day? Nope. Now imagine that scenario if Pollet’s intentions had been nefarious.
That anecdote was but one example of the widespread lack of authentication, failure to use encryption, and lack of monitoring in critical systems—even after security holes are reported. Pollet said that when he does hear from industrial control and automation vendors, they present excuses such as that protocols aren’t ready or that security is difficult to build in.
“All these excuses aren’t really excuses,” he said during his talk. “With the current software and hardware we have, there’s no reason we can’t have these systems secured.”
Automakers Keep Cybersecurity Discussions in Park
In another talk at this week’s Kaspersky Security Analyst Summit, security researchers Charlie Miller and Chris Valasek reported that a year after they published a detailed paper showing a series of cyberattacks that enabled them to control the steering, braking and other functions in some cars, they’ve heard nary a word from automakers about the exploits. In other words, Miller and Valasek have had neither the opportunity to explain which weakness the attacks take advantage of, nor the chance to help design systems to prevent or at least detect intrusions. Miller, referring to the automobile manufacturers, said, “We have no idea what they’re doing. They could be building something, but it could be years down the line.”
By the Power Vested In Me by Me, Myself, and I…
Dozens of phony SSL certificates spoofing legitimate ones for banks, e-commerce sites, ISPs, and social networks, were discovered this week. The unsigned certificates could put people who use apps or other software that access the Internet—but don’t necessarily check the legitimacy of SSL certificates—at risk for man-in-the-middle attacks. Netcraft, a British security firm, provided details about the bogus certs on its blog.
Apparently the various certificates have different purposes. For example, a fake YouTube cert blocked residents of Pakistan from accessing the site, a phony iTunes cert was a linchpin in an online scam, and a fraudulent Facebook cert redirected users to a phishing site.

Hackers circulate thousands of FTP credentials; New York Times among those hit

A list of compromised FTP credentials is circulating in underground forums

By Jeremy Kirk
February 13, 2014 05:38 PM ET
IDG News Service - Hackers are circulating credentials for thousands of FTP sites and appear to have compromised file transfer servers at The New York Times and other organizations, according to a security expert.
The hackers obtained credentials for more than 7,000 FTP sites and have been circulating the list in underground forums, said Alex Holden, chief information security officer for Hold Security, a Wisconsin-based company that monitors cyberattacks.
In some cases, hackers used the credentials to access FTP servers and upload malicious files, including scripts in the PHP programming language. In other instances, they placed files on FTP servers that incorporate malicious links directing people to websites advertising work-at-home schemes and other scams.
An FTP server run by The New York Times was among those affected, and hackers uploaded several files to the server, Holden said.
Eileen Murphy, head of communications for the Times, said via email the company was "taking steps to secure" its network and could not comment further due to an investigation.
UNICEF, another organization whose credentials appear on the list, did not confirm it had been compromised but said it had disabled the FTP application in question, which it said was part of a system no longer in use.
UNICEF has been moving to a "more robust" content management platform and the organization uses third parties to check its infrastructure for vulnerabilities, spokeswoman Sarah Crowe said via email.
"It is therefore very rare for us to witness such a breach," she said.
Not all the credentials on the list are valid but a sampling showed that many of them work, said Holden, whose research credits include discovering large data breaches affecting the retailer Target and software vendor Adobe Systems.
Holden said he did not know the name of the group responsible for the FTP attacks.
The attackers may have obtained the credentials through malware installed on other computers at the affected organizations, he said. The passwords in many cases are complex, suggesting the hackers weren't merely guessing default credentials that had not been changed.
FTP servers are online repositories where people can upload and download files, and they're designed to be accessible remotely via login and password.
The default application for accessing FTP servers is usually a Web browser, which can log into an FTP site automatically if supplied with a link containing the proper credentials. Hackers could therefore embed links in spam emails, for example, and the name of a familiar company might give victims the confidence to trust a link and click on it.
In the case of The New York Times, one of the files uploaded to its FTP server was a .html file, Holden said. That file could be incorporated into a malicious link that could be used in a spam message, he said. If opened, the link would take a person to The New York Times' FTP server but then redirect them to another website advertising a work-at-home scheme.
Users need to be careful about opening links in emails even if they appear to be for legitimate domains, Holden said.
FTP applications can also be used to update files on a Web server, meaning hackers could potentially use the credentials to make changes to a company's website. It's hard to say how many of the FTP sites on the list are connected to Web servers, he said.
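The link technique Holden describes is a browser convenience turned against the reader: an FTP URL can carry its own username and password, so a link in a spam message logs the victim into a trusted organisation's FTP server without any prompt and then serves whatever file the attacker uploaded there. The following mail-filter check is an added example, not code from the article or from any company named in it; the message body, domains and rule names are constructed. It extracts links from a plain-text message and flags the three properties the article singles out: the ftp scheme, credentials embedded in the URL, and an HTML page served from an FTP site.

```python
import re
from urllib.parse import urlsplit

# Crude but adequate extractor for URLs in a plain-text message body.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message; the domains use the reserved .invalid TLD.
SAMPLE_BODY = """\
Your account statement is ready. View it online:
ftp://reader:s3cret@ftp.example-news.invalid/pub/statement.html
Questions? Visit https://www.example-news.invalid/help.
"""


def analyse_url(url: str) -> list:
    """Return the reasons a link is suspicious in the sense the article describes."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []
    if scheme == "ftp":
        findings.append("ftp-scheme")
    if parts.username is not None:
        # user:pass@host form: the browser logs in silently while the reader
        # sees only a familiar company name in the host part.
        findings.append("embedded-credentials")
    if scheme == "ftp" and parts.path.lower().endswith((".html", ".htm")):
        # A page served from an FTP site is the pivot point for a redirect elsewhere.
        findings.append("html-on-ftp")
    return findings


def scan_message(body: str) -> list:
    """Return [(url, findings)] for every link in the body that raised a finding."""
    hits = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
        findings = analyse_url(url)
        if findings:
            hits.append((url, findings))
    return hits


if __name__ == "__main__":
    for url, findings in scan_message(SAMPLE_BODY):
        print(url, "->", ", ".join(findings))
```

The same `analyse_url` check is worth running on the server side too: an organisation that never publishes ftp links in its own mail can treat any embedded-credential URL pointing at its own domains as a sign that its FTP credentials are in circulation.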
Several other companies whose FTP domains appear on the list could not be reached for comment.

The New Normal: 200-400 Gbps DDoS Attacks

Over the past four years, KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet — a nearly 200 Gbps assault leveraging a simple attack method that industry experts say is becoming alarmingly common.
At issue is a seemingly harmless feature built into many Internet servers known as the Network Time Protocol (NTP), which is used to sync the date and time between machines on a network. The problem isn’t with NTP itself, per se, but with certain outdated or hard-coded implementations of it that attackers can use to turn a relatively negligible attack into something much, much bigger. Symantec’s writeup on this threat from December 2013 explains the problem succinctly:
Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP address. In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic.
Matthew Prince, the CEO of Cloudflare — a company that helps Web sites stay online in the face of huge DDoS attacks — blogged Thursday about a nearly 400 Gbps attack that recently hit one of the company’s customers and leveraged NTP amplification. Prince said that while Cloudflare “generally [was] able to mitigate the attack, it was large enough that it caused network congestion in parts of Europe.”
“Monday’s DDoS proved these attacks aren’t just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks,” Prince wrote. “On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare’s network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.”
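From the point of view of the network that hosts a misconfigured NTP server, the attack described above has a simple signature: a tiny query arriving on UDP port 123 with a spoofed source, followed by a reply many times larger going back to that source (the victim). The detector below is an added example, not code from KrebsOnSecurity, Symantec or Cloudflare; it runs over constructed flow records of the kind a border router exports, grouping traffic by (server, client) address pair because the attacker varies source ports freely, and flags pairs whose reply volume exceeds the query volume by a large factor. The byte counts and addresses are made up, and the last function simply reproduces Cloudflare's arithmetic on the page for comparison.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records, one tuple per unidirectional flow, as a border router might
# export them. Addresses are documentation ranges; byte counts are invented but shaped
# like the article describes: a small query and a very large monlist answer.
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    ("203.0.113.9", 40000, "192.0.2.10", 123, 1, 234),      # query whose source claims to be the victim
    ("192.0.2.10", 123, "203.0.113.9", 40000, 100, 44000),  # monlist reply delivered to the victim
    ("203.0.113.9", 40001, "198.51.100.5", 123, 1, 234),    # same trick against a second server
    ("198.51.100.5", 123, "203.0.113.9", 40001, 100, 44000),
    ("203.0.113.7", 50000, "192.0.2.10", 123, 1, 76),       # ordinary client time query
    ("192.0.2.10", 123, "203.0.113.7", 50000, 1, 76),       # ordinary reply, ratio 1.0
]


def response_ratios(flows):
    """Bytes each NTP server sent to each client, divided by bytes that client sent it."""
    to_server = defaultdict(int)
    from_server = defaultdict(int)
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport == NTP_PORT:
            to_server[(dst, src)] += nbytes
        elif sport == NTP_PORT:
            from_server[(src, dst)] += nbytes
    ratios = {}
    for pair, sent in from_server.items():
        received = to_server.get(pair, 0)
        # A reply with no matching query at all is treated as infinitely amplified.
        ratios[pair] = sent / received if received else float("inf")
    return ratios


def find_amplification(flows, threshold=10.0):
    """Return [(server, client, ratio)] for pairs whose reply volume exceeds the threshold."""
    flagged = [(server, client, ratio)
               for (server, client), ratio in response_ratios(flows).items()
               if ratio >= threshold]
    return sorted(flagged, key=lambda t: (-t[2], t[0]))


def victims(flows, threshold=10.0):
    """Map each client address to the number of distinct servers amplifying towards it."""
    counts = defaultdict(int)
    for _server, client, _ratio in find_amplification(flows, threshold):
        counts[client] += 1
    return dict(counts)


def aggregate_gbps(server_count, mbps_per_server):
    """Victim-side volume implied by a server count and a per-server rate (Cloudflare's figures)."""
    return server_count * mbps_per_server / 1000.0


if __name__ == "__main__":
    for server, client, ratio in find_amplification(FLOWS):
        print("%s amplifies %.0fx towards %s" % (server, ratio, client))
    print("Cloudflare's numbers: %.1f Gbps" % aggregate_gbps(4529, 87))
```

A hit from this detector means one of your own hosts is being used against someone else. The fix on the server is configuration, not patching alone: ntpd's `disable monitor` directive turns off the monlist reply, and a `restrict default ... noquery` line refuses mode 6/7 queries from the world while leaving ordinary time service intact.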

Email Attack on Vendor Set Up Breach at Target

The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.
Last week, KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.
Two of those sources said the malware in question was Citadel, a password-stealing bot program that is a derivative of the ZeuS banking trojan, but that information could not be confirmed. Through a PR firm, Fazio declined to answer direct questions for this story, and Target has declined to comment, citing an active investigation.
In a statement (PDF) issued last week, Fazio said it was “the victim of a sophisticated cyber attack operation,” and further that “our IT system and security measures are in full compliance with industry practices.”
There is no question that, like Target, Fazio Mechanical was the victim of cybercrime. But investigators close to the case took issue with Fazio’s claim that it was in full compliance with industry practices, and offered another explanation of why it took Fazio so long to detect the email malware infection: The company’s primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware.
To be clear, Malwarebytes Anti-Malware (MBAM) free is quite good at what it’s designed to do – scan for and eliminate threats from host machines. However, there are two problems with an organization relying solely on the free version of MBAM for anti-malware protection: Firstly, the free version is an on-demand scanner that does not offer real-time protection against threats (the Pro version of MBAM does include a real-time protection component). Secondly, the free version is made explicitly for individual users and its license prohibits corporate use.
Fazio’s statement also clarified that its data connection to Target was exclusively for electronic billing, contract submission and project management. The company did not specify which component(s) of Target’s online operations Fazio accessed externally, but a former employee at Target said nearly all Target contractors access an external billing system called Ariba, as well as a Target project management and contract submissions portal called Partners Online. The source said Fazio also would have had access to Target’s Property Development Zone portal.
According to a former member of Target’s security team who asked not to be identified, when a work order for an external vendor is created, the payment is collected through the Ariba system: Vendors log into Ariba, complete the necessary steps to close out the work order and they are later paid. But how would the attackers have moved from Target’s external billing system into an internal portion of the network occupied by point-of-sale devices? The former Target network expert has a theory:
“I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” the source said. “Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I’m sure the Ariba system was no exception. I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another.”
Last week’s story about Fazio’s role in the attack on Target mentioned that Target could be facing steep fines if it was discovered that the company was not in compliance with payment card industry (PCI) security standards. Among those is a requirement that merchants incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties.
Another source who managed Target vendors for a number of years until quite recently said that only “in rare cases” would Target have required a vendor to use a one-time token or other two-factor authentication approach.
“Only the vendors in the highest security group — those required to directly access confidential information — would be given a token, and instructions on how to access that portion of the network,” the source said, speaking on condition of anonymity. “Target would have paid very little attention to vendors like Fazio, and I would be surprised if there was ever even a basic security assessment done of those types of vendors by Target.”
But according to Avivah Litan, a fraud analyst at Gartner, Target wouldn’t have needed to require vendors to use two-factor logins if the company believed it had taken steps to isolate the vendor portals from its payment network.
“In fairness to Target, if they thought their network was properly segmented, they wouldn’t have needed to have two-factor access for everyone,” Litan said. “But if someone got in there and somehow escalated their Active Directory privileges like you described, that might have [bridged] that segmentation.”
Many readers have questioned why the attackers would have picked on an HVAC firm as a conduit for hacking Target. The answer is that they probably didn’t, at least at first. Many of these email malware attacks start with shotgun attacks that blast out email far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff.
But Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing Web properties that do not require a login. Indeed, many of these documents would be a potential gold mine of information for an attacker.

Data Breach Roundup: January 2014

Many data breaches that occurred in January highlight the importance of user education. Knowledgeable users are less likely to engage in behavior that poses security risks.

Each month, eSecurity Planet looks back at the data breaches we’ve covered over the past 30 days or so, providing an admittedly unscientific but (we hope) interesting overview of the current breach landscape.
To get some perspective on the current range of threats and recent breaches, eSecurity Planet spoke with Giovanni Vigna, co-founder and CTO of Lastline and a professor at the University of California, Santa Barbara.
Regarding the recent high-profile data breaches at Target and Neiman Marcus, Vigna says it’s worth noting that retailers in general are particularly vulnerable to such attacks. "They’re super-dispersed, they have sometimes hundreds and hundreds of separate offices and separate point-of-sale devices – and all of these are very difficult to protect in an integrated way," he says.
Any effective security solution for a retailer, Vigna says, needs to be able to monitor all point-of-sale devices from a central location.
"The idea that POS and terminals are just devices and cannot be compromised, that’s gone out the window. They’re Windows machines that can be hacked, like any others," he says. "The problem is that for certain industries, investment in this type of security is very difficult to motivate, because there are very, very tight margins."

Importance of User Education

At the same time, several other types of breaches – laptop thefts, employee error, and insider breaches – are far more low-tech.
"We call it PEBKAC – problem exists between keyboard and chair," Vigna says. "Oftentimes, security issues come down to the person, and I think there’s an incredibly important and incredibly underestimated value in educating people on security. If you go to a company, you’ll get trained on pretty much everything – sales, strategies – but how much training in security will you get?"
That training, Vigna says, can be as simple as ensuring the implementation of basic policies, like requiring the use of two-factor authentication.
"You can have all the security you want, but if somebody leaves their laptop unencrypted, someone can just pick it up and have full access to everything – especially with long-lasting, single sign-on access, where if I have your Twitter password, now I can use Twitter authentication to move to all these other services," he says. "People don’t realize how having a person’s device, even a cell phone, can really break the security of a whole company."
For mobile devices in particular, Vigna says it can make a huge difference simply to implement password protection, along with the ability to wipe a device if it’s stolen. "You have to understand that if somebody is NSA-level motivated to break into your company, they will … but you can do a lot to prevent the generic, opportunistic attack of the guy who just steals a laptop," he says.
Still, Vigna says, corporate culture can make that very difficult to implement. "I’ve seen situations in which the techies say, 'Hey, if we put Google Authenticator on our Gmail, we completely solve the problem of stolen Gmail accounts – can we please do that?' And it’s management that says, 'No, I don’t know how to set it up, I don’t want to have to put in a number – no, absolutely not.'"
And that’s what has to change, he says.
"Even the best security tool cannot solve the problem if we are not able to, as a culture, provide the user with the sensitivity and the type of attention to what’s happening in the cyber world that we have in the physical world," Vigna says.
A person who would be cautious when walking through an empty parking lot at night often will not exhibit the same caution when dealing with potential cyber threats, he says. "Unfortunately, the cyber world is very new to a lot of us, and that type of culture has not percolated down to people enough. So when they see an attachment, their first thought isn’t, 'What is this attachment?' Their first thought is, 'I’m going to click on it.' And until we change that culture, you can have a lot of good security, but you’ll always find somebody who shoots themselves in the foot."
Among the data breaches that occurred in January:

Employee Error

An undisclosed number of Burlington, Vt. residents’ Social Security numbers were mistakenly published online as part of an agenda item posted on the city council’s website; Nebraska’s Sidney Regional Medical Center notified employees and job applicants that their personal information had been made available online by mistake; and the U.S. Department of Veterans Affairs eBenefits website briefly provided site visitors with access to other users’ personal, medical and financial information due to a “software defect.”
Third party vendors were also a source of such breaches. EasyDraft, which processes payments for Bright Horizons Family Solutions, notified current and former Bright Horizons customers that their names and bank account details were mistakenly made available online; and Virginia’s Loudoun County Public Schools said an error by third-party provider Risk Solutions International made students’ and staff members’ personal information accessible online.


A breach at software provider BigTree Solutions may have exposed credit card information for customers of food delivery services and The Bike Waiter; hackers stole more than a million credit and debit card numbers from Neiman Marcus’ point-of-sale systems; and data on approximately 6,000 medical responses was stolen from Washington’s North East King County Regional Public Safety Communication Agency (NORCOM).
Orient-Express Hotels notified an undisclosed number of customers that their names, credit/debit card numbers, expiration dates and security codes may have been exposed when an attacker accessed seven company email accounts; the Puerto Rico College of Physicians and Surgeons was hacked, exposing the personal information of all doctors licensed to practice in Puerto Rico; and unidentified hackers claimed to have leveraged a security flaw in the Snapchat app to access 4.6 million users’ phone numbers and user names.
The encrypted credit or debit card information of 93,389 Staysure customers was stolen when the company’s systems were breached; The Straight Dope message board was hacked, exposing user names, email addresses and hashed passwords; and hackers stole an undisclosed number of donors’ personal and financial information from the U.S. Fund for UNICEF.
An undisclosed number of wichcraft customers’ credit or debit card information was stolen when the company’s servers were breached, and a hacker claimed to have breached the website for the World Poker Tour Amateur Poker League (WPTAPL), and leaked 175,333 email addresses and clear text passwords.
Several hacker groups are still active. ObeySec hackers breached the website for the Directors Guild of Canada and leaked 2,031 user names, email addresses and clear text passwords, and members of Anonymous defaced Monsanto’s Korean website and leaked what appeared to be two user names, email addresses and plain text passwords.
Hackers regularly leverage malware. Hackers may have accessed the personal and medical information of patients at Barry University’s Foot and Ankle Institute after a school laptop was infected with malware, and a malware infection provided attackers with access to the personal and health information of an undisclosed number of customers of Edgepark Medical Supplies.
Third-party vendors are a common weak point. A breach of a Web portal run by REI Systems for the Department of Homeland Security exposed private documents and financial information for at least 114 companies that bid on a contract in 2013; Easton-Bell Sports notified several customers that their personal and financial information may have been exposed when a third-party vendor’s servers were infected with malware; T-Mobile USA notified customers that their personal information, including names, addresses and Social Security numbers or driver’s license numbers, may have been exposed when a third-party supplier’s servers were hacked; and an undisclosed number of Yahoo Mail passwords were reset after the company discovered what it described as “a coordinated effort to gain unauthorized access” to the accounts, using passwords that it said were “likely collected from a third-party database compromise.”

Insider Breach

The City of Sumner, Wash., fired a temporary municipal court clerk after she forwarded information on 3,600 people to her personal email account; a Korea Credit Bureau employee was arrested and charged with stealing at least 20 million people’s names, Social Security numbers and credit card numbers; and a former Riverside Health System employee inappropriately accessed 919 patients’ medical records, including their Social Security numbers and medical history.
Third-party vendors were the source of insider breaches as well. Colorado’s Department of Health Care Policy and Financing informed 1,918 clients that a temporary employee of a third-party contractor had inappropriately accessed their names, addresses, birthdates and protected health information.

Laptop/Drive Theft or Loss

Barnabas Health patients’ medical information may have been exposed when an unencrypted laptop was stolen; 74,000 current and former Coca-Cola employees, contractors and suppliers’ personal information may have been exposed when several unencrypted company laptops were stolen; and New Mexico Oncology and Hematology Consultants notified 12,354 patients that their protected health information may have been exposed when a laptop was stolen.
Georgia’s Phoebe Putney Memorial Hospital said 6,777 patients’ personal information may have been exposed when an unencrypted computer was mistakenly discarded, and the personal information of 41,437 Unity Health Insurance customers may have been exposed when a portable hard drive was lost.


The personal or medical information of approximately 1,800 UC Davis Health System patients may have been exposed when three UC Davis’ physicians’ email accounts were compromised by phishing attacks.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at