Vanguard Defense Industries suffers Anonymous hack attack

VanGuard's ShadowHawk helicopterAnonymous hackers working under the flag of AntiSec have targeted a US defense contractor, stealing and publishing thousands of emails and documents.

Vanguard Defense Industries (VDI) works closely with government agencies such as the Department of Homeland Security and FBI, developing the unmanned remote-controlled ShadowHawk helicopter which can be used for aerial surveillance and fly at up to 70mph, shooting grenades and shotgun rounds in combat situations.

Of course, real life battlefield technology like that is no protection against cybercriminals, who appear to have published emails and documents containing VDI meeting notes, contracts, schematics and other confidential information as part of the hackers' ongoing "F**k FBI Friday" campaign.

VanguardA statement from the hackers will remind readers of past hack attacks on Monsanto and Infragard, and makes clear that VDI's senior vice president Richard T. Garcia was being singled out for particular attention:

The emails belong to Senior Vice President of VDI Richard T. Garcia, who has previously worked as Assistant Director to the Los Angeles FBI office as well as the Global Security Manager for Shell Oil Corporation. This leak contains internal meeting notes and contracts, schematics, non-disclosure agreements, personal information about other VDI employees, and several dozen "counter-terrorism" documents classified as "law enforcement sensitive" and "for official use only".

Richard T. Garcia is also an executive board member of InfraGard, a sinister alliance of law enforcement, military, and private security contractors dedicated to protecting the infrastructure of the very systems we aim to destroy. It is our pleasure to make a mockery of InfraGard for the third time, once again dumping their internal meeting notes, membership rosters, and other private business matters.

AnonymousThe hackers seemed keen to underline that they weren't planning to cease their activities anytime soon:

We are doing this not only to cause embarrassment and disruption to Vanguard Defense Industries, but to send a strong message to the hacker community. White hat sellouts, law enforcement collaborators, and military contractors beware: we're coming for your mail spools, bash history files, and confidential documents.

Operation AntiSec is the name that has been given to a series of hacking attacks, born out of the activities of Anonymous and the burning embers (or should that be watery grave?) of LulzSec.

Past victims have included US government security contractor ManTech and DHS contractor Booz Allen Hamilton.

Once again, a defense contractor is learning a lesson the hard way about the importance of strong computer security.


Toshiba website hacked – email addresses and passwords exposed

Toshiba logoToshiba announced this weekend that a web server run by its US sales subsidiary had been hacked, and the email addresses, telephone numbers and passwords of hundreds of customers had been compromised.

The Japanese electronics firm said that the server was run by Toshiba America Information Systems Inc., and held personal data relating to 7,520 customers. Fortunately, according to the firm, the personal information exposed did not include any credit card data.

Nevertheless, you don't want your email address and password falling into hands of malicious hackers.

Not only could cybercriminals "try out" your passwords to see if they unlock any of your other online accounts (too many people use the same password on multiple websites), but they could also target you with attacks pretending to come from Toshiba.

After all, you have a business relationship with Toshiba - so you would be less suspicious of opening an email or clicking on a link which appeared to have been sent by them. Especially if some clever social engineering made the email appear particularly enticing.

A Toshiba spokesperson told the Wall Street Journal, that the Toshiba subsidiary's IT staff first noticed a problem with the web server on July 11th, and confirmed on July 13th that it had been hacked.

"We will continue the investigation and intend to thoroughly protect customers' information and manage (related computer) systems to prevent a recurrence."

All customers potentially affected by the hack are said to have been informed of the problem by the firm.

If you run a website it's essential to ensure it is as secure as possible from hacker attacks.

If you haven't already done so, read this informative paper by SophosLabs, "Securing websites", which covers some of the issues.

Follow @gcluley

Lady Gaga website stays strangely silent over database hack

Lady Gaga hackedA gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga's UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.

The press reported that a source close to Lady Gaga said that she was:

"upset and hopes police get to the bottom of how this was allowed to happen"

If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn't, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.

Although it's right that the authorities should be informed regarding SwagSec's illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans' information?

Lady Gaga user database

Lady Gaga's record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:

"The hackers took a content database dump from www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."

The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.

But although Universal says that it has contacted everyone who was affected - can they be confident that they know the extent of SwagSec's hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.

Wouldn't it be more open and transparent to have a message to fans of the Lady Gaga UK website, telling them all what occurred. I went looking and couldn't find anything to warn the wider array of Lady Gaga fans.

You may remember that the SwagSec hacking group defaced Amy Winehouse's website earlier this month as well.

One wonders what eccentric female troubadour they will target next..

Follow @gcluley

‘Foreign government’ hackers steal secret Pentagon plans

BlueprintThe US Deputy Defense Secretary William Lynn has revealed that a foreign intelligence agency was behind a hack attack that stole classified information about a top secret weapons system.

According to Aviation Week, the weapons system, which is under development, might have to be redesigned after the files were stolen from a military contractor's computer network.

Plans and confidential blueprints were included in the haul of 24,000 files said to have been copied by the hackers.

The revelation came to light as William Lynn gave a speech at the National Defense University (NDU) in Washington DC, outlining his department's "first ever strategy for operating in cyberspace". Recognising that the problem extended beyond its own networks, the Pentagon is piloting a program to share classified intelligence about threats with select military contractors and their ISPs.

NDU was somehow an appropriate venue for the speech - Lynn told his audience that the National Defense University itself had fallen victim to hackers after its "website and its associated server were recently compromised by an intrusion that turned over system control to an unknown intruder."

William Lynn speech

Lynn's speech contained much jaw-jaw about the nature of cyberwar - and how it could vary from destructive attacks to information theft:

"Tools capable of disrupting or destroying critical networks, causing physical damage, or altering the performance of key systems, exist today. The advent of these tools mark a strategic shift in the cyber threat - a threat that continues to evolve. As a result of this threat, keystrokes originating in one country can impact the other side of the globe in the blink of an eye. In the 21st Century, bits and bytes can be as threatening as bullets and bombs."

"But disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud. Although in the future we are likely to see destructive or disruptive cyber attacks that could have an impact analogous to physical hostilities, the vast majority of malicious cyber activity today does not cross this threshold."

"In looking at the current landscape of malicious activity, the most prevalent cyber threat to date has been exploitation - the theft of information and intellectual property from government and commercial networks."

ChessI have always been nervous of the tendency amongst governments to point fingers at foreign nations and blame them for an internet attack. For instance, Lynn claims that a foreign government was involved in the hack, but does not say which one.

You have to ask yourself, why the reluctance to say which country? And if you don't know which country, how do you know it was any country?

Of course, the US Deputy Defense Secretary has shown himself to be tight-lipped on matters to do with internet attacks in the past. For instance, he declined to confirm or deny if the USA had been responsible for the Stuxnet virus.

And we shouldn't be naive. Just because it's hard to prove that a particular country was behind a particular cyber attack, doesn't mean that that country is whiter-than-white when it comes to such things.

My suspicion is that all countries are using the internet to their advantage when engaged in espionage - whether it be for political, economic or military ends.

Nuclear buttonWhat surprises me, however, is that Lynn claims that these sort of "sophisticated capabilities" (the ability to hack into military contractor computer systems and steal files) is almost exclusively within the abilities of nation states, and that the only thing stopping countries from using the internet to destroy their enemies is the risk of a military counter-attack:

"Today, sophisticated cyber capabilities reside almost exclusively in nation-states. Here, U.S. military power offers a strong deterrent against overtly destructive attacks. Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States. We must nevertheless guard against the possibility that circumstances could change, and we will have to defend against a sophisticated adversary who is not deterred from launching a cyber attack."

Of course, terrorists probably wouldn't fear a counter-attack like this. Why haven't they launched a destructive strike against the United States? Well, Lynn has an answer for that:

"If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation. And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining, and expanding their cyber capabilities."

Hmm. So, thank goodness that only governments know how to get their hands on the most dangerous and destructive internet weapons and that the rest of the world just isn't as sophisticated..

The PentagonMarine Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, told the press gathered at NDU that he believed a defensive approach to cyberwar is insufficient, and that the current situation of the Pentagon being 90% focused on defensive measures and 10% on offensive, should be reversed.

One thing is clear amongst all this talk - computer security needs to be taken seriously. Cybercriminals, whether state-sponsored or not, are regularly going beyond damaging and defacing websites to stealing sensitive information which could have more than a financial value. You would be foolish to ignore such a threat, and ensure that you have strong defences in place.

Meanwhile, the US Department of Defense says that it is now treating cyberspace as an operational domain - alongside land, air, sea and space. As such, I think we can expect to see more speeches warning about the perils that the United States faces from other nations and terrorist forces.

Follow @gcluley

Further reading: You can read the full speech by William Lynn on the defense.gov website.


Goatse hacker pleads guilty to stealing iPad user data

Hacker typingDaniel Spitler, an alleged member of the Goatse Security hacking group, has pleaded guilty to breaking into AT&T's systems and obtaining the email addresses of iPad users.

The story of how a vulnerability on AT&T's website allowed outsiders to scoop up the email addresses of early adopters of the Apple iPad made huge news headlines this time last year.

Goatse (don't Google it, trust me..) bombarded the AT&T website service with thousands of requests using made-up ICC-ID codes (an internal code used to associate a SIM card with a particular subscriber).

By flooding the website with so many made-up ICC-IDC codes, some were bound to relect a genuine one, and when this happened the website believed them to be a genuine iPad user and revealed the associated email address.

Email addresses. Image source: Gawker

In total, about 120,000 iPad users were said to have had their email addresses exposed. The court in Newark, New Jersey heard that victims of the hack included New York Mayor Michael Bloomberg, ABC News anchor Diane Sawyer and Rahm Emanuel, who was the White House chief of staff at the time.

26-year old Spitler, who hails from San Francisco, is scheduled to be sentenced on September 28th, and could face a maximum penalty of five years in prison and a $250,000 fine.

In all honesty, although taking the information was clearly against the law, the hack probably received so much media attention at the time purely because it was iPad-related rather than because of the data that was taken.

That's not to say that you want your email address exposed (it could potentially have become a victim of phishing attacks, for instance, targeting iPad owners) but there is presumably much more damaging information that could have been taken.

Another man, 25-year-old Andrew Auernheimer, has pleaded not guilty to the hacking charges and continues to faces prosecution.

Follow @gcluley

Hackers break into Tony Blair’s webmail server, disclose former PM’s address book

Tony BlairA hacking group known as TeaMp0isoN have published private information belonging to former Prime Minister Tony Blair.

TeaMp0isoN have been in the news recently for allegedly hacking into a web site they claimed belonged to a member of LulzSec.

This time they targeted a webmail server used by Tony Blair in December of 2010. It is unclear why they waited for so long to disclose the breach and there is no evidence as of yet to confirm their story.

The information disclosed includes "Tony Blair Office Members Information, Tony Blair Address & Phone Book (Includes family, friends, MPs & lords) and Katie Kay Curriculum vitae (Tony Blairs special adviser)."

Screen capture of stolen Blair address book

Information on Mr. Blair's friends and colleagues includes names, home addresses, home, work and cell phone numbers and email addresses. Additionally Mr. Blair's National Insurance Number (NIN) and Ms. Kay's CV (resume) are also included in the dump.

We don't know what specific flaws were exploited in this attack, but seeing that it is a webmail server the most likely method was SQL injection. It is extremely important to keep web servers patched and up to date, especially if they are running Linux using commonly exploited CMSs, webmail solutions and blogging software.

TeaMp0isoN logo

This attack like many we have reported on this year appears to be politically motivated. The TeaMp0isoN attackers called Mr. Blair a war criminal in a Twitter post and much of the language used is derogatory.


Dropbox lets anyone log in as anyone – so check your files now!

Customers of cloud-based file storing-and-sharing company Dropbox should check on the data they've entrusted to the service, following the company's admission that it messed up its access controls for several hours.

(Updated: please see footnote below.)

Unlike the majority of data breaches we've reported on lately - where usernames and passwords were stolen, allowing attackers and miscreants to access other people's accounts illegally - Dropbox's "hack" was of a more embarrassing sort.

Apparently, Dropbox published a code update which inadvertently removed the need to authenticate. So you could log in to other people's accounts without knowing their passwords at all. (Dropbox isn't alone in having made this sort of mistake. Facebook did something similar last year, leading to Mark Zuckerberg's own fan page being hacked.)

Ouch.

One popular use of services like Dropbox is to get around the restrictions many companies put on emailing around large files. If I'm working at home and have a huge spreadsheet which I know my IT manager won't let through the email gateway, I can just upload it to Dropbox and share the resulting web link with my colleagues.

In theory, the risk of this should be no worse that me copying the file to a USB key and letting my colleagues copy it from there. (In fact, if you're not careful with USB keys, they may pose a larger risk than sharing web links, since the USB key may contain other files - such as malware - besides the spreadsheet you just saved on it.)

But the safety of a web link allowing you to share a file "through the cloud" depends very strongly on who's able to access that link. If anyone can download it, you run the risk of data leakage. And if anyone can access and modify it, you run the risk of something much worse.

Dropbox can also automatically synchronise your own files between all your various devices, such as your desktop PC, your Mac laptop and your smartphone.

In the company's own promotional video, an intrepid adventurer named Josh uses Dropbox to share and to synchronise detailed information between his numerous devices for his forthcoming safari in Africa.

That means that unauthorised access to your Dropbox data could give cybercrooks an enormous amount of information about your life, your plans and your identity. And unauthorised modification of your Dropbox data could propagate incorrect information throughout your digital world.

Dropbox did well to fix the problem within four hours, and to admit this openly on its blog.

But the "eternal beta" flavour of many cloud services - where updates and improvements are rolled out regularly and frequently to suit the service provider rather than its users - is an often-underestimated risk.

By the way, one way to improve the safety of web-based file sharing is to encrypt the files you share before you upload them. Only someone with the password will be able to decrypt those files. And if you don't have the password, you won't be able to alter their content, either.

If you're interested, Sophos has a free tool for Windows users that you can use to encrypt and compress sensitive information. You can use it for free both commercially and personally.

* Download now (direct download, no registration, Windows only)

* Learn more

Footnote. As alert Twitterer Andy Durdin points out, you can readily see if someone else has changed your Dropbox files. But you can't see if someone else has been snooping through your data.

Dropbox suggests on its blog that less than 1% of accounts were accessed during the unprotected period, and that it will contact those users in case the access was unauthorised.

If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being.

Follow @duckblog

Citibank victimized by hackers, insists cardholders are safe

CitiCardReuters is reporting that Citibank's systems were hacked, resulting in a loss of Personally Identifiable Information (PII).

Citibank says that data for 1% of their cardholders was accessed through this breach, but customers' Social Security Numbers (SSNs), birth dates, card expiration dates and CVV codes are safe.

Information that may have been disclosed to the hackers includes customers' names, account numbers, contact details and email addresses.

According to Citibank's website they are the world's largest provider of credit cards, issuing more than 150,000,000 cards globally. Based on these numbers, information for 1,500,000 or more individuals may have been compromised.

In April Paul Gaulant, former head of the bank's credit card unit, told Reuters, "Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments."

That may be true, but feeling secure is not the same as being secure. How this information was acquired and why it wasn't protected against theft is a far more important question.

Citi has stated they will notify customers believed to be affected by the breach.

Customers affected by this incident should be on high alert for scams, phishing and phone calls purporting to be from Citibank and their subsidiaries.

While Citi customers aren't likely to have fraudulent charges against their accounts as a result of this breach, they are likely to encounter social engineering attempts to enable further crime.

Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims.

Never accept incoming communications purporting be from financial institutions you do business with, whether by email or phone call. Call them back using only the phone numbers published on your cards or statements. When logging in to perform online transactions, always enter their website address directly in your browser. Never click links.

Update: It has been confirmed that there are approximately 220,000 cardholders affected by this incident as it was limited to just US customers. The number above was based on all Citibank cardholders.


Sony Portugal latest to fall to hackers

Sony Music Portugal logoThe same Lebanese hacker who targeted Sony Europe on Friday has now dumped a database from Sony Portugal.

The hacker claims to be a grey hat, not a black hat, according to his post to pastebin.com.

"I am not a black hat to dump all the database I am Grey hat"

Instead of dumping the entire database like many previous Sony attackers, idahc only dumped the email addresses from one table in Sony's database.

Idahc tweet announcing Sonymusic.pt hackHe claims to have discovered three different flaws on SonyMusic.pt, including SQL injection, XSS (cross-site scripting) and iFrame injection.

By my count, this is the 16th attack against Sony since the chaos came raining down on them in mid-April.

There were two other breaches on Monday by LulzSec, but I simply couldn't bring myself to write about more Sony hacks.

LulzSec compromised the Sony Computer Entertainment devnet and downloaded the source code for SCE's entire website, which they posted on BitTorrent.

In what LulzSec claimed as a separate hack, they also disclosed a complete network map detailing all of the Sony BMG internal systems.

In what I suppose you would call their press release, they stated:

"We've recently bought a copy of this great new game called "Hackers vs Sony", but we're unable to play it online due to PSN being obliterated."

The question that remains is whether Sony is reacting to this situation at all, or whether their strategy is simply to hope it goes away.

You would expect an organization with 170,000 employees and over $88 billion in revenue over the last 12 months to be able to round up the resources necessary to secure their web presence.


Infragard Atlanta, an FBI affiliate, hacked by LulzSec

Infragard logoIn a self-titled hack attack called "F**k FBI Friday" the hacking group known as LulzSec has published details on users and associates of the non-profit organization known as Infragard.

Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.

Where did the plain text passwords come from? Considering LulzSec was able to decrypt them it would imply that the hashes were not salted, or that the salt used was stored in an insecure manner.

One interesting point to note is that not all of the users passwords were cracked... Why? Because these users likely used passwords of reasonable complexity and length. This makes brute forcing far more difficult and LulzSec couldn't be bothered to crack them.

In addition to stealing data from Infragard, LulzSec also defaced their website with a joke YouTube video and the text "LET IT FLOW YOU STUPID FBI BATTLESHIPS" in a window titled "NATO - National Agency of Tiny Origamis LOL".

Infragard Atlanta's defaced website

Aside from defacing their site and stealing their user database, they tested out the users and passwords against other services and discovered many of the members were reusing passwords on other sites - an violation of FBI/Infragard guidelines.

LulzSec singled out one of these users, Karim Hijazi, who used his Infragard password for both his personal and corporate Gmail accounts according to the hackers.

They've published a BitTorrent with what they claim are nearly 1000 of Hijazi's corporate emails and a IRC chat transcript that proclaims to be a conversation they had with him.

They also disclosed a list of personal information including his home address, mobile phone and other details.

It's hard to say when these attacks will end, but a great start would be to carefully analyze your security practices and ensure that your data is properly encrypted and to regularly scan your servers for vulnerabilities.

As for LulzSec? It appears they have declared war on one of the premier police forces in the world... Their fate remains a mystery.