Vanguard Defense Industries suffers Anonymous hack attack

VanGuard's ShadowHawk helicopterAnonymous hackers working under the flag of AntiSec have targeted a US defense contractor, stealing and publishing thousands of emails and documents.

Vanguard Defense Industries (VDI) works closely with government agencies such as the Department of Homeland Security and FBI, developing the unmanned remote-controlled ShadowHawk helicopter which can be used for aerial surveillance and fly at up to 70mph, shooting grenades and shotgun rounds in combat situations.

Of course, real life battlefield technology like that is no protection against cybercriminals, who appear to have published emails and documents containing VDI meeting notes, contracts, schematics and other confidential information as part of the hackers' ongoing "F**k FBI Friday" campaign.

VanguardA statement from the hackers will remind readers of past hack attacks on Monsanto and Infragard, and makes clear that VDI's senior vice president Richard T. Garcia was being singled out for particular attention:

The emails belong to Senior Vice President of VDI Richard T. Garcia, who has previously worked as Assistant Director to the Los Angeles FBI office as well as the Global Security Manager for Shell Oil Corporation. This leak contains internal meeting notes and contracts, schematics, non-disclosure agreements, personal information about other VDI employees, and several dozen "counter-terrorism" documents classified as "law enforcement sensitive" and "for official use only".

Richard T. Garcia is also an executive board member of InfraGard, a sinister alliance of law enforcement, military, and private security contractors dedicated to protecting the infrastructure of the very systems we aim to destroy. It is our pleasure to make a mockery of InfraGard for the third time, once again dumping their internal meeting notes, membership rosters, and other private business matters.

AnonymousThe hackers seemed keen to underline that they weren't planning to cease their activities anytime soon:

We are doing this not only to cause embarrassment and disruption to Vanguard Defense Industries, but to send a strong message to the hacker community. White hat sellouts, law enforcement collaborators, and military contractors beware: we're coming for your mail spools, bash history files, and confidential documents.

Operation AntiSec is the name that has been given to a series of hacking attacks, born out of the activities of Anonymous and the burning embers (or should that be watery grave?) of LulzSec.

Past victims have included US government security contractor ManTech and DHS contractor Booz Allen Hamilton.

Once again, a defense contractor is learning a lesson the hard way about the importance of strong computer security.


Stealing ATM PINs with thermal cameras

At the USENIX Security Symposium last week, researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage from the University of California at San Diego presented their paper "Heat of the Moment: Characterizing the Ef?cacy of Thermal Camera-Based Attacks."

Inspired by previous research on safecracking by Micha? Zalewski, they thought it would be easier for a criminal to snoop on ATM PINs using a thermal (infrared) camera to detect residual heat from keypresses rather than current techniques using traditional video cameras.

Thermal image of ATM PIN padThermal imaging provides several advantages. Unlike with traditional cameras, visually masking the PIN pad does not defeat the attack, and the ability to automate PIN harvesting using computer software further simplifies the task.

The researchers gathered 21 volunteers and had them test 27 randomly selected PIN numbers using both a plastic PIN pad and a brushed metal PIN pad.

The strength of the participants' button presses and their body temperature were shown to affect the results to some degree. The researchers discovered that the metal pad made the attack nearly impossible to implement, but with the plastic PIN pad, it was even possible to determine from the heat signatures not only the numbers pressed but also the number order.

With the plastic PIN pad, the custom software the researchers wrote to automate the analysis had approximately an 80% success rate at detecting all digits from a frame 10 seconds after the person entered their PIN. The success rate was still over 60% using a frame 45 seconds after the PIN was entered.

Button recovery chartThe researchers also compared human analysis of the video footage to their automation software. It turns out that not only does the software work, but often performs more accurately than the humans looking at the video.

While thermal cameras are a bit expensive, this research suggests that thieves could adopt this technique in the future. It's easier to place and hide the camera, allows automated analysis and could return enough useful results to be profitable.

As far as we know, this attack hasn't been used in the wild, but the cautious among us could opt to use ATMs with metal PIN pads to reduce the risk of becoming a victim.

View This Poll

Follow @chetwisniewski

‘Foreign government’ hackers steal secret Pentagon plans

BlueprintThe US Deputy Defense Secretary William Lynn has revealed that a foreign intelligence agency was behind a hack attack that stole classified information about a top secret weapons system.

According to Aviation Week, the weapons system, which is under development, might have to be redesigned after the files were stolen from a military contractor's computer network.

Plans and confidential blueprints were included in the haul of 24,000 files said to have been copied by the hackers.

The revelation came to light as William Lynn gave a speech at the National Defense University (NDU) in Washington DC, outlining his department's "first ever strategy for operating in cyberspace". Recognising that the problem extended beyond its own networks, the Pentagon is piloting a program to share classified intelligence about threats with select military contractors and their ISPs.

NDU was somehow an appropriate venue for the speech - Lynn told his audience that the National Defense University itself had fallen victim to hackers after its "website and its associated server were recently compromised by an intrusion that turned over system control to an unknown intruder."

William Lynn speech

Lynn's speech contained much jaw-jaw about the nature of cyberwar - and how it could vary from destructive attacks to information theft:

"Tools capable of disrupting or destroying critical networks, causing physical damage, or altering the performance of key systems, exist today. The advent of these tools mark a strategic shift in the cyber threat - a threat that continues to evolve. As a result of this threat, keystrokes originating in one country can impact the other side of the globe in the blink of an eye. In the 21st Century, bits and bytes can be as threatening as bullets and bombs."

"But disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud. Although in the future we are likely to see destructive or disruptive cyber attacks that could have an impact analogous to physical hostilities, the vast majority of malicious cyber activity today does not cross this threshold."

"In looking at the current landscape of malicious activity, the most prevalent cyber threat to date has been exploitation - the theft of information and intellectual property from government and commercial networks."

ChessI have always been nervous of the tendency amongst governments to point fingers at foreign nations and blame them for an internet attack. For instance, Lynn claims that a foreign government was involved in the hack, but does not say which one.

You have to ask yourself, why the reluctance to say which country? And if you don't know which country, how do you know it was any country?

Of course, the US Deputy Defense Secretary has shown himself to be tight-lipped on matters to do with internet attacks in the past. For instance, he declined to confirm or deny if the USA had been responsible for the Stuxnet virus.

And we shouldn't be naive. Just because it's hard to prove that a particular country was behind a particular cyber attack, doesn't mean that that country is whiter-than-white when it comes to such things.

My suspicion is that all countries are using the internet to their advantage when engaged in espionage - whether it be for political, economic or military ends.

Nuclear buttonWhat surprises me, however, is that Lynn claims that these sort of "sophisticated capabilities" (the ability to hack into military contractor computer systems and steal files) is almost exclusively within the abilities of nation states, and that the only thing stopping countries from using the internet to destroy their enemies is the risk of a military counter-attack:

"Today, sophisticated cyber capabilities reside almost exclusively in nation-states. Here, U.S. military power offers a strong deterrent against overtly destructive attacks. Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States. We must nevertheless guard against the possibility that circumstances could change, and we will have to defend against a sophisticated adversary who is not deterred from launching a cyber attack."

Of course, terrorists probably wouldn't fear a counter-attack like this. Why haven't they launched a destructive strike against the United States? Well, Lynn has an answer for that:

"If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation. And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining, and expanding their cyber capabilities."

Hmm. So, thank goodness that only governments know how to get their hands on the most dangerous and destructive internet weapons and that the rest of the world just isn't as sophisticated..

The PentagonMarine Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, told the press gathered at NDU that he believed a defensive approach to cyberwar is insufficient, and that the current situation of the Pentagon being 90% focused on defensive measures and 10% on offensive, should be reversed.

One thing is clear amongst all this talk - computer security needs to be taken seriously. Cybercriminals, whether state-sponsored or not, are regularly going beyond damaging and defacing websites to stealing sensitive information which could have more than a financial value. You would be foolish to ignore such a threat, and ensure that you have strong defences in place.

Meanwhile, the US Department of Defense says that it is now treating cyberspace as an operational domain - alongside land, air, sea and space. As such, I think we can expect to see more speeches warning about the perils that the United States faces from other nations and terrorist forces.

Follow @gcluley

Further reading: You can read the full speech by William Lynn on the defense.gov website.


Goatse hacker pleads guilty to stealing iPad user data

Hacker typingDaniel Spitler, an alleged member of the Goatse Security hacking group, has pleaded guilty to breaking into AT&T's systems and obtaining the email addresses of iPad users.

The story of how a vulnerability on AT&T's website allowed outsiders to scoop up the email addresses of early adopters of the Apple iPad made huge news headlines this time last year.

Goatse (don't Google it, trust me..) bombarded the AT&T website service with thousands of requests using made-up ICC-ID codes (an internal code used to associate a SIM card with a particular subscriber).

By flooding the website with so many made-up ICC-IDC codes, some were bound to relect a genuine one, and when this happened the website believed them to be a genuine iPad user and revealed the associated email address.

Email addresses. Image source: Gawker

In total, about 120,000 iPad users were said to have had their email addresses exposed. The court in Newark, New Jersey heard that victims of the hack included New York Mayor Michael Bloomberg, ABC News anchor Diane Sawyer and Rahm Emanuel, who was the White House chief of staff at the time.

26-year old Spitler, who hails from San Francisco, is scheduled to be sentenced on September 28th, and could face a maximum penalty of five years in prison and a $250,000 fine.

In all honesty, although taking the information was clearly against the law, the hack probably received so much media attention at the time purely because it was iPad-related rather than because of the data that was taken.

That's not to say that you want your email address exposed (it could potentially have become a victim of phishing attacks, for instance, targeting iPad owners) but there is presumably much more damaging information that could have been taken.

Another man, 25-year-old Andrew Auernheimer, has pleaded not guilty to the hacking charges and continues to faces prosecution.

Follow @gcluley

How to stop your Gmail account being hacked

GmailAs has been widely reported, high profile users of Gmail - including US government officials, reporters and political activists - have had their email accounts hacked.

This wasn't a sophisticated attack against Google's systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.

Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail's login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.

So, what steps should you take to reduce the chances of your Gmail account being hacked?

  1. Set up Two step verification
  2. Check if your Gmail messages are being forwarded without your permission
  3. Where is your Gmail account being accessed from?
  4. Choose a unique, hard-to-crack password
  5. Secure your computer
  6. Why are you using Gmail anyway?

1. Set up Two step verification

The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.

Google provides a facility called "two step verification" to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account - as they will be sending you a magic "verification" number via SMS.

The advantage of this approach - which is similar to that done by many online banks - is that even if cybercriminals manage to steal your username and password, they won't know what your magic number is because they don't have your phone.

Google has made two step verification easy to set up.

Setting up 2 step verification

Once you're set up, the next time you try to log into Gmail you'll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.

Mobile phone receives verification number

Let's just hope the bad guys don't have access to your mobile phone too..

Here's a video from Google where they explain two step verification in greater detail:

You can also learn more about two step verification on Google's website.

By the way, note that two step verification doesn't mean that your Gmail can't ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it's certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.

2. Check if your Gmail messages are being forwarded without your permission

Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.

Go into your Gmail account settings, and select the "Forwarding and POP/IMAP" tab.

If your emails are being forwarded to another address, then you will see something like the following:

Gmail forwarding

That's fine if you authorised for your emails to be forwarded to that email address, but a bad thing if you didn't.

If your messages are not being forwarded you will see a screen more like this:

Gmail forwarding

Hackers want to break into your account not just to see what email you've received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That's why it's so important to check that no-one has sneakily asked for all of your email to be forwarded to them.

3. Where is your Gmail account being accessed from?

At the bottom of each webpage on Gmail, you'll see some small print which describes your last account activity. This is available to help you spy if someone has been accessing your account at unusual times of day (for instance, when you haven't been using your computer) or from a different location.

Last account activity

Clicking on the "Details" option will take you to a webpage describing the type of access and the IP address of the computer which logged your email account. Although some of this data may appear nerdy, it can be a helpful heads-up - especially if you spot a computer from another country has been accessing your email.

IP addresses of computers accessing Gmail account

4. Choose a unique, hard-to-crack password

As we've explained before, you should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if they grab your password in one place they can try it in many other places.

Also, you should ensure that your password is not a dictionary word, and is suitably complex that it's hard to break with a dictionary attack.

Here's a video which explains how to choose a strong password, which is easy to remember but still hard to crack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don't delay, be sensible and make your passwords more secure today

And once you've chosen a safer password - keep it safe! That means, don't share it with anyone else and be very careful that you're typing it into the real Gmail login screen, not a phishing site.

5. Secure your computer

Secure PCIt should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don't, you're risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.

You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That's one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don't know what state the computer is in, and who might have been using it before.

6. Why are you using Gmail anyway?

Okay, I don't really mean that. But I do mean, why are you storing sensitive information in your Gmail account?

The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn't have that in their webmail account? Shouldn't that be on secure government and military systems instead?

Always think about the data you might be putting on your web email account - because if it's only protected by a username and password that may actually be less security than your regular work email system provides.