Category: security

The Big Business Hackers

When you imagine a team of highly skilled hackers attempting to make money, most people will probably think of some criminal exercise of exploitation, cyber crime or extortion.   You certainly wouldn’t think of the stock market or investment firms profiting directly from this sort of enterprise – yet it seems this is exactly what is happening.

Hacking is going mainstream and it looks likely that there will be a lot more profit going legitimate than through the standard ransom or blackmailing routes.   Others will perhaps argue that these new methods are pretty much the same as the criminals use.

The story arises from the tactics of a company called MedSec a cyber security firm which has recently started up.  They investigated a range of hospitals and medical hardware for potential security issues and identified one medical devices company to be at particular risk – St Jude Medical Incorporated, more specifically the pacemakers and defibrillators they make.

At this point MedSec faced a classic, traditional ‘hackers dilemma’ – you find a serious vulnerability – what do you do?   For the ethical hacker it often represented a difficult choice particularly if a little digital trespassing was involved.  Many individuals have found themselves behind bars after attempting to inform a company or organisation about a vulnerability in their software or network, while some have been praised and rewarded.   The MedSec guys though have a plan to inform and profit at the same time, although the ethics seem fairly dubious to many.

They approached an investment firm run by Carson Block called Muddy Waters Capital LLC with their money making initiative.   The idea was unusual, MedSec team would prepare all the evidence demonstrating the problems with the medical devices, however before making this public the investment company would take out a short position on the parent company of St Jude Medical.    Basically they would both make money if the share price fell in response to the negative news.

Sounds like insider dealing? Perhaps, although it is assumed legal advice was taken before this unusual tactic  – here’s a MedSec representative justifying their tactics.

Convinced? Nope me neither, I suspect they may be in trouble for using this tactic. Where will it end ? The false concern about patients using these medical devices to try and justify their money making scheme was particularly hard to believe. Currently the tactic seems to have paid off though with the share price falling significantly and presumably making the ‘short’ position profitable.

Do You Trust Your TV? It Could be Spying on You.

Well if you have a new Samsung TV then perhaps you should think twice before answering that question.  Their new generation of Smart TVs have a voice activation feature that allows you to switch on and off, change channels and stuff like that, but it’s possible that this comes at a significant cost.

 

An eagle eyed EFF activist called Parker Higgins, took the time to read the privacy policy of these TVs and discovered a rather alarming paragraph which stated –

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

So let’s just have a think about this, if you enable the voice recognition function on your shiny new Samsung Smart TV, the bloody thing will not only listen to all your conversations it will also transmit them to a myriad of  third party companies.  Your TV would actually be sitting in the corner of your room spying on you!

Now putting aside my personal dislike of all voice enabled devices, I mean why is talking to an inanimate device preferable to pushing a button, this is a seriously worrying threat to people’s privacy.  For a start you’d have to be permanently on your guard, who knows where your conversations are going to – just some spotty Samsung technical geek  or more likely a selection of marketing companies?   Secondly, it’s not only spying on you the owner of the TV but anyone who happens to be in the room – have they given their permission ?  Should anyone entering your living room be given a disclaimer and need to sign a consent form !!

Samsung have now modified the wording in their policy insisting that the TV doesn’t in fact listen to ordinary conversations.  This is however rather difficult to believe after the initial policy wording,  I mean you’d never put that down in writing if it wasn’t in some way true.  There is obviously little thought being put into the design of these devices, as far as privacy goes – relying on stuffing a few sentences deep in the TVs documentation (which it probably thought nobody would read).

There are other aspects to the technology which makes it even more unlikely that conversations can’t be monitored by the device.  For start the TV is capable apparently of recognising complex requests like –

‘recommend a good Sci-Fi Movie’ or ‘open BBC iPlayer

I mean a TV would have to listen to pretty much everything to pick up and filter requests like that, this is beyond someone like me shouting OFF  in his stupid accent.

What is more that the TV doesn’t have a single microphone, you can’t just huddle in the corner away from the TV whispering – there’s another in the damn remote control.   Cunning move, the TV remote in my house for example it is the singlest most difficult to find device by far.  It routinely turns up in all sorts of obscure locations and I’m sure my children are on some sort of retainer to hide it every time they’ve finished watching.

Well I for one, will not be purchasing one of these things, however unfortunately it will also involve me upgrading my general level of paranoia.  I foresee a future of creeping around electronic stores or checking the backs of friends TV sets when I enter their house  (and of course enquiring about the location of the remote).

Does anyone really need this rubbish !!

Lessons from the Internet of Things – Do you Trust Your Fridge?

The ‘Internet of Things‘ is one of the most discussed topics on technical forums at the moment. The idea that you can enable all sorts of devices with a network card and a bit of memory to attach it online obviously has many benefits. It reminds me of the excitement of the ‘Trojan Room Coffee Machine which was a live video stream of a coffee machine hooked up in Cambridge University, via MPLS and an Acorn Archimedes (remember them!) in 1993. Sure it was just a coffee machine, certainly the picture rarely changed – it was either full, empty or half empty – but the realisation that you could check on it in real time without leaving your chair was kind of exciting at the time. The web cam was switched off in 2001, but many of us can still recall checking that the geeks in Cambridge had enough coffee.

isyourfridge-spamming

Nowadays of course, our devices are increasingly network aware, printers were of course, the logical first piece of equipment to stick online, it saved having them hooked up to computers and people could use them remotely. However it didn’t take long for hackers to target the first network enabled printers to infiltrate networks, distribute malware or just muck about by sending huge print jobs to them.

A story has broken this week in the security press which adds a strange twist with the first reported Spam attack by a fridge. The report released by the security firm, Proofpoint claims that a fridge took part in sending 750,000 email messages in a wide bot enabled Spam attack. It’s actually a little late as there have been similar reports as early as 2013 of this new vocation of our kitchen appliances, however it’s still rather disturbing.

Many of us, will perhaps question the need for kitchen appliances to have access to the internet. I for one can happily live without my fridge tweeting me that I’m out of milk, in fact being nagged by my fridge doesn’t appeal at all!! Manufacturers will point to the fact that internet access will provide a host of other benefits like fault finding and notifying manufacturer of potential problems. Again, the old school method of the fridge simply stopping working seems more than adequate. Imagine getting a call from a Samsung customer representative who has just been notified that your fridge light is not working by your erm fridge. It’s an internet horror story and the benefits negligible at best and in reality pretty much pointless.

Enabling these devices means there’s another headache you are responsible for, you’ll need to configure your fridge to connect, ensure it’s got a strong password and it’s behaving itself online.  How do you connect to your fridge, could you compromise other logins, should you use a VPN to connect?  Coming down in the morning and finding your fridge cornered by the FBI might seem far fetched but it’s not as ridiculous as it might seem.   Using these devices in botnets to attack other machines, send out spam or as proxies to attack other machines is perfectly feasible and it’s actually happening now.

Network security on these enabled devices is normally an after thought, it’s often much easier to hack into a network enabled device than a laptop or computer.   For example how many people would log onto their fridge after purchase to change the default password – but if you’ve bought  a fancy internet enabled smart fridge it’s something you really should do.   Already hackers have demonstrated how to to steal your google login from a Samsung fridge, at this years DefCon conference.  The fridge ran a flawed implementation of  SSL which failed to check false certificates making it vulnerable to MiTM attacks.

This ‘internet of things’ basically sounds like a huge pain, introducing fairly pointless benefits at the cost of loads of hassle and vulnerabilities.  Of course for things like printers and using my Smart TV to access online entertainment then it makes sense.  However I for one will not be upgrading my fridge anytime soon.

Surprising New Palestine Charity Donors

If you follow the security and hacker world, you’ll know that there is a constant tit-for-tat battle going on across countries, religions and ideologies.  One group will deface a certain web site usually with badly spelt propaganda and  ‘1337 speak’, then a few days later another group will retaliate with an attack on a different web site.  There’s lots of threats and tough talk, and it sometimes seems like there are literally thousands of these groups all over the world fighting their own cyber way.
computercrime

The reality is that it’s been happening for so long it doesn’t really make much impact any more, unless it’s a really big commercial name.  There’s another problem with this attack method, especially due to the minimal impact – it usually takes much more effort than it’s worth.  Of course there are literally thousands of ways to hack a web site – vulnerabilities on the code, the host, bruteforce passwords or pinch user credentials – the list is virtually endless.

However it does take time, and can take an awful lot of effort which is why it often looks like a complete waste of time.  You spend days finding out a web sites vulnerabilities and hack into it, replace it with your leet message – then take a couple of screenshots.  What happens then?  The owner changes all the password, closes the vulnerability and restores the original from backup and it’s all back to normal.  Unless you dash out and advertise the hack, then it’s likely not that many have even noticed and those who do have seen it all before anyway.   Of course if it’s a bank or a big commercial site then there is much more of an impact and of course commercial implications – but those sites are likely to take much more effort and resources to hack into anyway.

Which is why I think this was a rather innovative angle by a group of  pro-palestinian (or perhaps just anti-Israeli) hackers called AnonGhost (not impressed with that name!).  They’re involved in an cyber offensive against the Israeli’s, which sounds a bit more impressive than the reality, and have been for several years in line with other Muslim extremist groups like ISIS.  It all get’s very messy here as you have a ‘free speech’ hacker group like Anonymous, working towards the same target alongside ISIS sympathising hacking groups such as AnonGhost.  Obviously supporting any ISIS related group is kind of a backwards step toward promoting free speech and liberty.

Anyway the point is that instead of just stealing a few user details and posting up a bit of tedious cyber graffiti which is overwritten half an hour later, they did something different.   They stole lots of credit card details from an Israeli based site and posted some of them online, the rest they used to make donations to a Palestinian children’s charity.

anonghostdonate

Well that’s the story at least, there is a little bit of evidence to support it but not enough to be completely sure. The irony of course relies on these being stolen Israeli credit cards. Though whether the payments were completed by the charity site – fundrazr, is also perhaps difficult to believe -especially after the facts were posted all over the web.

As usual, the attackers probably didn’t hide their tracks very well and unless they used some very secure VPNs, like these, have probably now got loads of their details listed on databases compiled by various security agencies like GCHQ and the NSA.  However as a stunt,  it was at least a little bit innovative.

Hacking Your Exam Grades

There’s a scene in the iconic 80’s film Ferris Bueller’s Day Off where the hero logs into his school’s computer system and starts modifying his records.   It’s a dream that’s probably passed through the thoughts of millions of young people over the years.  If only I could just go and change a couple of those grades discretely, no-one would ever know.

ferris-hacker

Unfortunately as with nearly all ‘computer crimes’, committing is much, much easier than getting away with it. The problem is that it’s very difficult to hide your tracks online, one tiny mistake and there’ll be lots of markers pointing your way.

This is exactly what has happened to student Imran Uddin early this year. A bio-science student at the University of Birmingham, Imran decided that his projected 2:2 degree wasn’t quite good enough and decided to try and gain access to the Universities Exam system to modify his grades slightly – changing the scores on five exams in order to boost his grades.

His attack involved installing keyloggers into a selection of the Universities computers in order to steal staff passwords who had access to the exam recording system.
keylogger
These are little hardware devices which you can pick up for a few dollars on the internet, that plug into the back of a computer and record every keystroke made on that keyboard. It’s the easiest way to steal usernames and passwords as it operates at the hardware level and you don’t need to worry about encryption and security. Imran managed to grab a handful of staff accounts including ones that were able to change the exam grades, where he duly modified his own.

Of course, the problem is that these devices have to be installed and can be identified if someone looks carefully enough. Which is what happened in this case, a technician performing an upgrade on some computers in the Bio-Science lab noticed the device. Of course then all the University computers were checked and staff found several more including one on the back of a computer in a staff only area.

After that all roads led back to Mr Uddin and when police checked his own computers they found a huge amount of incriminating evidence. There were ebay searches and purchases of the keylogging devices, evidence of a failed attempt to login to the University marking system plus loads of other forensic evidence incriminating him.

Which is mainly the problem with these computer crimes, although they’re pretty easy to commit, it’s very difficult to hide all this incriminating evidence when people start looking for it. There will be CCTV records of the keyloggers being installed, records of IP addresses and logins and of course simply looking at backups of the exam system will reveal logs of grades being modified. You can route your connection through Russian or Australian proxies but if you leave obvious clues elsewhere it won’t help you.

I once investigated a system where criminal records where accessed by someone who shouldn’t have had access. Looking at the logs of this system it took about ten minutes to find them – although there were hundreds of thousands of records the culprit stood out like a sore thumb. While every legitimate user of the system logged in and performed searches using an account in this format – USR1077672356, one account was logged in as Jamie333 (details slightly modified!). It was the first account checked and despite the individual being cunning (his name was not Jamie) it didn’t take long to find lots more evidence.

Mr Uddin was sentenced to six months and presumably lost his degree completely, he also faces the possibility of legal action from the University too. It’s impossible to know how many people actually get away with crimes like this, but one small mistake or piece of bad luck and it’s very simple to track the culprits down. Still kind of feel sorry for the guy though, but there’s definitely a lesson to be learnt here!