Vanguard Defense Industries suffers Anonymous hack attack

Anonymous hackers working under the flag of AntiSec have targeted a US defense contractor, stealing and publishing thousands of emails and documents.

Vanguard Defense Industries (VDI) works closely with government agencies such as the Department of Homeland Security and FBI, developing the unmanned remote-controlled ShadowHawk helicopter which can be used for aerial surveillance and fly at up to 70mph, shooting grenades and shotgun rounds in combat situations.

Of course, real-life battlefield technology like that is no protection against cybercriminals, who appear to have published emails and documents containing VDI meeting notes, contracts, schematics and other confidential information as part of the hackers' ongoing "F**k FBI Friday" campaign.

A statement from the hackers will remind readers of past hack attacks on Monsanto and Infragard, and makes clear that VDI's senior vice president Richard T. Garcia was being singled out for particular attention:

The emails belong to Senior Vice President of VDI Richard T. Garcia, who has previously worked as Assistant Director to the Los Angeles FBI office as well as the Global Security Manager for Shell Oil Corporation. This leak contains internal meeting notes and contracts, schematics, non-disclosure agreements, personal information about other VDI employees, and several dozen "counter-terrorism" documents classified as "law enforcement sensitive" and "for official use only".

Richard T. Garcia is also an executive board member of InfraGard, a sinister alliance of law enforcement, military, and private security contractors dedicated to protecting the infrastructure of the very systems we aim to destroy. It is our pleasure to make a mockery of InfraGard for the third time, once again dumping their internal meeting notes, membership rosters, and other private business matters.

The hackers seemed keen to underline that they weren't planning to cease their activities anytime soon:

We are doing this not only to cause embarrassment and disruption to Vanguard Defense Industries, but to send a strong message to the hacker community. White hat sellouts, law enforcement collaborators, and military contractors beware: we're coming for your mail spools, bash history files, and confidential documents.

Operation AntiSec is the name that has been given to a series of hacking attacks, born out of the activities of Anonymous and the burning embers (or should that be watery grave?) of LulzSec.

Past victims have included US government security contractor ManTech and DHS contractor Booz Allen Hamilton.

Once again, a defense contractor is learning a lesson the hard way about the importance of strong computer security.


Stealing ATM PINs with thermal cameras

At the USENIX Security Symposium last week, researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage from the University of California at San Diego presented their paper "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks."

Inspired by previous research on safecracking by Michał Zalewski, they thought it would be easier for a criminal to snoop on ATM PINs using a thermal (infrared) camera to detect residual heat from keypresses rather than current techniques using traditional video cameras.

Thermal imaging provides several advantages. Unlike with traditional cameras, visually masking the PIN pad does not defeat the attack, and the ability to automate PIN harvesting using computer software further simplifies the task.

The researchers gathered 21 volunteers and had them enter 27 randomly selected PINs using both a plastic PIN pad and a brushed metal PIN pad.

The strength of the participants' button presses and their body temperature were shown to affect the results to some degree. The researchers discovered that the metal pad made the attack nearly impossible to implement, but with the plastic PIN pad, it was even possible to determine from the heat signatures not only the numbers pressed but also the number order.

With the plastic PIN pad, the custom software the researchers wrote to automate the analysis had approximately an 80% success rate at detecting all digits from a frame 10 seconds after the person entered their PIN. The success rate was still over 60% using a frame 45 seconds after the PIN was entered.

The researchers also compared human analysis of the video footage to their automation software. It turns out that not only does the software work, but it often performs more accurately than the humans looking at the video.

While thermal cameras are a bit expensive, this research suggests that thieves could adopt this technique in the future. It's easier to place and hide the camera, allows automated analysis and could return enough useful results to be profitable.

As far as we know, this attack hasn't been used in the wild, but the cautious among us could opt to use ATMs with metal PIN pads to reduce the risk of becoming a victim.


Follow @chetwisniewski

Toshiba website hacked – email addresses and passwords exposed

Toshiba announced this weekend that a web server run by its US sales subsidiary had been hacked, and the email addresses, telephone numbers and passwords of hundreds of customers had been compromised.

The Japanese electronics firm said that the server was run by Toshiba America Information Systems Inc., and held personal data relating to 7,520 customers. Fortunately, according to the firm, the personal information exposed did not include any credit card data.

Nevertheless, you don't want your email address and password falling into hands of malicious hackers.

Not only could cybercriminals "try out" your passwords to see if they unlock any of your other online accounts (too many people use the same password on multiple websites), but they could also target you with attacks pretending to come from Toshiba.

After all, you have a business relationship with Toshiba - so you would be less suspicious of opening an email or clicking on a link which appeared to have been sent by them. Especially if some clever social engineering made the email appear particularly enticing.

A Toshiba spokesperson told the Wall Street Journal that the Toshiba subsidiary's IT staff first noticed a problem with the web server on July 11th, and confirmed on July 13th that it had been hacked.

"We will continue the investigation and intend to thoroughly protect customers' information and manage (related computer) systems to prevent a recurrence."

All customers potentially affected by the hack are said to have been informed of the problem by the firm.

If you run a website it's essential to ensure it is as secure as possible from hacker attacks.

If you haven't already done so, read this informative paper by SophosLabs, "Securing websites", which covers some of the issues.

Follow @gcluley

Lady Gaga website stays strangely silent over database hack

A gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga's UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.

The press reported that a source close to Lady Gaga said that she was:

"upset and hopes police get to the bottom of how this was allowed to happen"

If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn't, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.

Although it's right that the authorities should be informed regarding SwagSec's illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans' information?

Lady Gaga user database

Lady Gaga's record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:

"The hackers took a content database dump from www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."

The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.

But although Universal says that it has contacted everyone who was affected - can they be confident that they know the extent of SwagSec's hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.

Wouldn't it be more open and transparent to have a message to fans on the Lady Gaga UK website, telling them all what occurred? I went looking and couldn't find anything to warn the wider array of Lady Gaga fans.

You may remember that the SwagSec hacking group defaced Amy Winehouse's website earlier this month as well.

One wonders what eccentric female troubadour they will target next.

Follow @gcluley

Apple iOS 4.3.4 jailbreak bugfix jailbroken already

Most iPhone and iPad users are perfectly happy with the software on the device as it is shipped by Apple.

A minority, however, prefer to open up their devices. By doing this, they can:

* Run applications and extensions not approved by Apple.

* Download software from alternative appstores, without tying those downloads to an Apple account.

* Access all the files and configuration data on their device directly, in order better to understand and secure it.

Liberating your device sounds like a great idea, but this behaviour has been stigmatised amongst corporate users.

Firstly, the action of removing artificial security restrictions is known as "jailbreaking," making it sound like a doubly-dangerous criminal act. (Since only crooks are supposed to be in jail in the first place, jailbreakers are not only criminals, but recidivists to boot.)

Secondly, jailbreaking opens up the less security-savvy user to additional risks. Some jailbreakers don't take on the additional responsibility which goes with the increased power over their device. That's how the now-infamous iPhone viruses Ikee and Duh were able to spread.

Thirdly, jailbreaking isn't supposed to be possible. So every jailbreak relies on you exploiting a software vulnerability to escape from Apple's artificial strictures. That means you have to trust the creators of the jailbreak not to abuse the exploit you're choosing to run against your device.

The flipside, of course, is that those who don't jailbreak their phones are trusting Apple not to leave the sort of exploitable hole that would permit crooks to break into the internals of their device.

And Apple hasn't been terribly trustworthy on that score. Despite a solid commercial reason for keeping its devices secure - namely, that an unjailbroken device can only shop at the Apple AppStore - few of Apple's operating system versions stay safe for very long.

Early in July, the JailbreakMe site published an automated, on-line method for opening recent iDevices running iOS 4.3.3.

(The jailbreakers also provided a patch by which you could close the remotely exploitable hole, for your own safety, after jailbreaking.)

Apple, to its credit, caught up within two weeks with an iOS update to version 4.3.4, closing the hole used by JailbreakMe.

But the jailbreakers claim to be back in already. By all reports, the latest jailbreak doesn't work for iPad2 users, and it can't be done simply by visiting a website.

You need to plug your device in to a computer, in what's called a "tethered" jailbreak, and you need to re-jailbreak it every time you reboot.

Nevertheless, Apple's latest security fix has been circumvented already.

With this in mind, the tricky question becomes, "Whom should I trust more: Apple or the jailbreakers?"

I can't answer that question - and if your iDevice is provided by your company, you shouldn't try to answer it by yourself.

Perhaps the best way to approach the issue is to rephrase it more equivocally, in the manner of Google, which sets out not to be evil, rather than actually to be good.

So, if you're thinking of jailbreaking, ask yourself, "Do I distrust the jailbreakers?" If not, then jailbreaking may be for you. Just be sure to read all the security guidelines associated with the process, and be sure you have the explicit permission of the owner of the device.

PS. I have an iPad. It is jailbroken.

Follow @duckblog

Apple releases iOS 4.3.4/4.2.9 to fix JailBreakMe.com flaw

A little more than a week after disclosure, Apple has patched three flaws in iOS for iPod Touch, iPad, iPad2, iPhone 3GS, iPhone 4 and the Verizon iPhone.

You may recall the return of the website JailBreakMe.com 10 days ago which exploited these vulnerabilities to provide an easy method of jailbreaking your iDevice.

The updated version for all but the Verizon iPhone is version 4.3.4, while Verizon customers can update to 4.2.9. To update just open iTunes, check for updates and plug in your phone/MP3 player/tablet.

This raises one of my big pet peeves with Apple products. Why do I have to tether to update? Oh! I see you will have that feature in iOS 5? I guess I will stay vulnerable until I happen to be in the same city as my copy of iTunes...

Two of the fixes are for font handling issues in PDFs that allow for remote code execution (RCE). The third fix is in the graphics handling code and can be exploited to allow for elevation of privilege (EoP).

It appears the JailBreakMe.com hack used at least two of the three flaws to jailbreak the iDevices. It initially downloaded a PDF to gain the ability to run arbitrary code and then sent down a PNG file that elevated itself to root to perform the jailbreak.

If your phone is not jailbroken, I recommend updating as soon as possible. If you have jailbroken your device you will need to decide if you wish to trust the unofficial "patch" on Cydia and stay jailbroken, or if you should join the herd and go with Apple.


‘Foreign government’ hackers steal secret Pentagon plans

The US Deputy Defense Secretary William Lynn has revealed that a foreign intelligence agency was behind a hack attack that stole classified information about a top secret weapons system.

According to Aviation Week, the weapons system, which is under development, might have to be redesigned after the files were stolen from a military contractor's computer network.

Plans and confidential blueprints were included in the haul of 24,000 files said to have been copied by the hackers.

The revelation came to light as William Lynn gave a speech at the National Defense University (NDU) in Washington DC, outlining his department's "first ever strategy for operating in cyberspace". Recognising that the problem extended beyond its own networks, the Pentagon is piloting a program to share classified intelligence about threats with select military contractors and their ISPs.

NDU was, in a way, an appropriate venue for the speech - Lynn told his audience that the National Defense University itself had fallen victim to hackers after its "website and its associated server were recently compromised by an intrusion that turned over system control to an unknown intruder."

William Lynn speech

Lynn's speech contained much jaw-jaw about the nature of cyberwar - and how it could vary from destructive attacks to information theft:

"Tools capable of disrupting or destroying critical networks, causing physical damage, or altering the performance of key systems, exist today. The advent of these tools mark a strategic shift in the cyber threat - a threat that continues to evolve. As a result of this threat, keystrokes originating in one country can impact the other side of the globe in the blink of an eye. In the 21st Century, bits and bytes can be as threatening as bullets and bombs."

"But disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud. Although in the future we are likely to see destructive or disruptive cyber attacks that could have an impact analogous to physical hostilities, the vast majority of malicious cyber activity today does not cross this threshold."

"In looking at the current landscape of malicious activity, the most prevalent cyber threat to date has been exploitation - the theft of information and intellectual property from government and commercial networks."

I have always been nervous of the tendency amongst governments to point fingers at foreign nations and blame them for an internet attack. For instance, Lynn claims that a foreign government was involved in the hack, but does not say which one.

You have to ask yourself, why the reluctance to say which country? And if you don't know which country, how do you know it was any country?

Of course, the US Deputy Defense Secretary has shown himself to be tight-lipped on matters to do with internet attacks in the past. For instance, he declined to confirm or deny if the USA had been responsible for the Stuxnet virus.

And we shouldn't be naive. Just because it's hard to prove that a particular country was behind a particular cyber attack, doesn't mean that that country is whiter-than-white when it comes to such things.

My suspicion is that all countries are using the internet to their advantage when engaged in espionage - whether it be for political, economic or military ends.

What surprises me, however, is that Lynn claims that this sort of "sophisticated capability" (the ability to hack into military contractor computer systems and steal files) lies almost exclusively within the abilities of nation states, and that the only thing stopping countries from using the internet to destroy their enemies is the risk of a military counter-attack:

"Today, sophisticated cyber capabilities reside almost exclusively in nation-states. Here, U.S. military power offers a strong deterrent against overtly destructive attacks. Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States. We must nevertheless guard against the possibility that circumstances could change, and we will have to defend against a sophisticated adversary who is not deterred from launching a cyber attack."

Of course, terrorists probably wouldn't fear a counter-attack like this. Why haven't they launched a destructive strike against the United States? Well, Lynn has an answer for that:

"If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation. And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining, and expanding their cyber capabilities."

Hmm. So, thank goodness that only governments know how to get their hands on the most dangerous and destructive internet weapons and that the rest of the world just isn't as sophisticated...

Marine Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, told the press gathered at NDU that he believed a defensive approach to cyberwar is insufficient, and that the current situation of the Pentagon being 90% focused on defensive measures and 10% on offensive, should be reversed.

One thing is clear amongst all this talk - computer security needs to be taken seriously. Cybercriminals, whether state-sponsored or not, are regularly going beyond damaging and defacing websites to stealing sensitive information which could have more than a financial value. You would be foolish to ignore such a threat, and should ensure that you have strong defences in place.

Meanwhile, the US Department of Defense says that it is now treating cyberspace as an operational domain - alongside land, air, sea and space. As such, I think we can expect to see more speeches warning about the perils that the United States faces from other nations and terrorist forces.

Follow @gcluley

Further reading: You can read the full speech by William Lynn on the defense.gov website.


MasterCard.com brought down in apparent Wikileaks-motivated internet attack

MasterCard's website was knocked offline earlier today following a WikiLeaks-inspired internet attack against it.

In what appears to be the latest salvo by hacktivists, the mastercard.com website is thought to have suffered from a denial-of-service attack - where an internet site is bombarded with a large amount of traffic, making it impossible for genuine visitors to access it.

A Twitter user called ibomhacktivist seems to be taking responsibility for the attack, and links the action to the WikiLeaks-inspired attack on MasterCard by the Anonymous group last year.

Tweet about Mastercard.com website

MasterCard.com DOWN!!!, that's what you get when you mess with @wikileaks @Anon_Central and the entire community of lulz loving individuals :D

MasterCard angered the hacktivist community after it suspended the ability for WikiLeaks to accept payments via the firm. Police in the Netherlands arrested two teenagers for allegedly playing their part in the attacks last year.

WikiLeaks is a subject which tends to generate strong emotions - whether you're in favour of what the organisation stands for, or against it.

Computer users would be wise, however, to remember that even if you feel WikiLeaks is being persecuted by the authorities or abandoned by online companies, denial-of-service attacks are still illegal.

I'll update this article with more information as it becomes available, or alternatively follow me on Twitter.

Follow @gcluley

Update: The MasterCard.com website appears to be back online. It will be interesting to see if it stays up, or whether it will sporadically disappear again. Fingers crossed.


Goatse hacker pleads guilty to stealing iPad user data

Daniel Spitler, an alleged member of the Goatse Security hacking group, has pleaded guilty to breaking into AT&T's systems and obtaining the email addresses of iPad users.

The story of how a vulnerability on AT&T's website allowed outsiders to scoop up the email addresses of early adopters of the Apple iPad made huge news headlines this time last year.

Goatse (don't Google it, trust me..) bombarded the AT&T website service with thousands of requests using made-up ICC-ID codes (an internal code used to associate a SIM card with a particular subscriber).

By flooding the website with so many made-up ICC-ID codes, some were bound to match a genuine one, and when this happened the website believed the request came from a genuine iPad user and revealed the associated email address.
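Enumeration of this kind leaves a distinctive trace in web-server logs: a single client trying many different identifier values in quick succession, most of which match no account at all. The following is an added detection example, not code from the article or from AT&T; the /iccid-lookup path, the iccid query parameter and the log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log lines. The /iccid-lookup endpoint and the
# "iccid" parameter are assumptions for this example, not a real URL; the
# ICC-ID values are made up. Client 203.0.113.7 walks sequential IDs and mostly
# gets 404s; client 198.51.100.4 looks up its own ID twice and gets 200s.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /iccid-lookup?iccid=89014103211118510720 HTTP/1.1" 404 0
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /iccid-lookup?iccid=89014103211118510721 HTTP/1.1" 404 0
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /iccid-lookup?iccid=89014103211118510722 HTTP/1.1" 200 41
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /iccid-lookup?iccid=89014103211118510723 HTTP/1.1" 404 0
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /iccid-lookup?iccid=89014103211118510724 HTTP/1.1" 404 0
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /iccid-lookup?iccid=89014103211118510725 HTTP/1.1" 404 0
198.51.100.4 - - [09/Jun/2010:10:00:05 +0000] "GET /iccid-lookup?iccid=89014103211118519999 HTTP/1.1" 200 41
198.51.100.4 - - [09/Jun/2010:10:07:30 +0000] "GET /iccid-lookup?iccid=89014103211118519999 HTTP/1.1" 200 41
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (ip, timestamp, iccid, status), or None for non-lookup lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    iccid = parse_qs(urlsplit(m.group("path")).query).get("iccid", [None])[0]
    if iccid is None:
        return None  # request did not hit the identifier-keyed endpoint
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, iccid, int(m.group("status"))


def detect_enumeration(log_text, window_seconds=60, min_distinct=5, min_miss_ratio=0.5):
    """Per source IP compute three enumeration signals and flag the client when
    the first two cross their thresholds:
      max_distinct_in_window - distinct identifiers tried inside any time window
      miss_ratio             - share of lookups that matched nobody (non-200)
      sequential_ratio       - share of adjacent sorted IDs differing by exactly 1
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, iccid, status = parsed
            events[ip].append((ts, iccid, status))

    report = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        in_window, start, max_distinct = Counter(), 0, 0
        for ts, iccid, _ in evs:
            in_window[iccid] += 1
            # slide the left edge forward until the window fits
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            max_distinct = max(max_distinct, len(in_window))

        miss_ratio = sum(1 for _, _, st in evs if st != 200) / len(evs)
        ids = sorted({int(i) for _, i, _ in evs if i.isdigit()})
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        sequential_ratio = steps / (len(ids) - 1) if len(ids) > 1 else 0.0

        report[ip] = {
            "max_distinct_in_window": max_distinct,
            "miss_ratio": miss_ratio,
            "sequential_ratio": sequential_ratio,
            "flagged": max_distinct >= min_distinct and miss_ratio >= min_miss_ratio,
        }
    return report


if __name__ == "__main__":
    for ip, stats in detect_enumeration(SAMPLE_LOG).items():
        print(ip, stats)
```

The same signals translate directly into a rate limit per client on identifier-keyed lookups; the longer-term fix is not to hand back personal data on the strength of a guessable identifier alone.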

Email addresses. Image source: Gawker

In total, about 120,000 iPad users were said to have had their email addresses exposed. The court in Newark, New Jersey heard that victims of the hack included New York Mayor Michael Bloomberg, ABC News anchor Diane Sawyer and Rahm Emanuel, who was the White House chief of staff at the time.

26-year old Spitler, who hails from San Francisco, is scheduled to be sentenced on September 28th, and could face a maximum penalty of five years in prison and a $250,000 fine.

In all honesty, although taking the information was clearly against the law, the hack probably received so much media attention at the time purely because it was iPad-related rather than because of the data that was taken.

That's not to say that you want your email address exposed (it could potentially have become a victim of phishing attacks, for instance, targeting iPad owners) but there is presumably much more damaging information that could have been taken.

Another man, 25-year-old Andrew Auernheimer, has pleaded not guilty to the hacking charges and continues to face prosecution.

Follow @gcluley

Hackers break into Tony Blair’s webmail server, disclose former PM’s address book

A hacking group known as TeaMp0isoN have published private information belonging to former Prime Minister Tony Blair.

TeaMp0isoN have been in the news recently for allegedly hacking into a web site they claimed belonged to a member of LulzSec.

This time they targeted a webmail server used by Tony Blair in December of 2010. It is unclear why they waited for so long to disclose the breach and there is no evidence as of yet to confirm their story.

The information disclosed includes "Tony Blair Office Members Information, Tony Blair Address & Phone Book (Includes family, friends, MPs & lords) and Katie Kay Curriculum vitae (Tony Blairs special adviser)."

Screen capture of stolen Blair address book

Information on Mr. Blair's friends and colleagues includes names, home addresses, home, work and cell phone numbers and email addresses. Additionally Mr. Blair's National Insurance Number (NIN) and Ms. Kay's CV (resume) are also included in the dump.

We don't know what specific flaws were exploited in this attack, but given that it is a webmail server, the most likely method was SQL injection. It is extremely important to keep web servers patched and up to date, especially if they are running Linux with commonly exploited CMSs, webmail solutions and blogging software.

TeaMp0isoN logo

This attack, like many we have reported on this year, appears to be politically motivated. The TeaMp0isoN attackers called Mr. Blair a war criminal in a Twitter post, and much of the language used is derogatory.