ISIS Cyberattack on TV5Monde; FBI issues warning
April 9, 2015 in Cyber, ISIS, Terrorism
An “extremely powerful” cyberattack claimed by supporters of the Islamic State of Iraq and al-Sham (ISIS) left French broadcaster TV5Monde without control of its 11 news channels and websites for three hours. The attack occurred around 10 pm local time. Hackers took down the television channels and posted material on the broadcaster’s Facebook and Twitter feeds. The station’s network director, Yves Bigot, said operations were “severely damaged.” The station’s programming and Facebook page are now back up, but its website remains under maintenance.
The hackers posted documents on the TV5Monde Facebook page which they claim are the identity cards of relatives of French soldiers involved in anti-Islamic State operations. The hackers also posted threats against the troops. France is part of the international coalition fighting against ISIS insurgents.
TV5Monde, which broadcasts around the world, is working with police and national security to determine how their security was breached. It is not yet known how the group accessed station operations, but it appears to have been conducted by the “Islamic State Hacking Division.” The hackers referred to themselves as the “CyberCaliphate” on TV5Monde’s Facebook page, which also took credit for the recent hacking of US military servers.
The station has restored broadcast of one signal across all of their channels, however they cannot “send out pre-recorded broadcasts nor restart the production of our news shows,” according to Bigot. He added that it could take days for broadcasts to return to normal, adding that the attack must have required “weeks” of planning. The station is broadcast in nations around the world, including the US, Canada and Britain.
A day before the attack on TV5Monde, the US Federal Bureau of Investigation (FBI) warned that attackers claiming to be sympathetic to the extremist group ISIS are targeting websites that have vulnerable WordPress plugins.
WordPress is a website hosting system which also has a community of third-party developers who have created some 37,000 plugins. Occasionally, a security vulnerability in one of these plugins can put a large number of websites at risk by allowing hackers to gain unauthorized access, inject scripts, or install malware on the affected sites. The attackers have reportedly hit news organizations, religious institutions, and commercial and government websites. The hackers have defaced websites that share some of the common WordPress plugins with vulnerabilities that are easily exploited, the FBI said.
The FBI advisory states, “Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.” The attackers have voiced support for ISIS; they are likely conducting attacks in order to gain notoriety.
On Tuesday, the security company Sucuri issued an advisory for a flaw it found in the WP-Super-Cache plugin. The plugin is utilised by up to a million WordPress sites. The vulnerability in the plugin could allow an attacker to add a new administrator to a site, or create a “backdoor” using WordPress’s theme editing tools.
The same day as the FBI warning was issued, the homepage of AutismIreland.ie showed a photograph of a soldier with their face covered, alongside the words “ISLAMIC STATE HACKERS”
“Hacked By Moroccanwolf and ABdellah elmaghribi ~ Moroccan Attacker ~ I love IS”.
The image remained on the site for six hours before it was removed. CEO of Irish Autism Action, Kevin Whelan, confirmed that the hack “appears to have happened to a number of sites” and was not directed at the charity in particular. It is likely that the hackers scanned several websites to identify vulnerable sites, and conducted hacks at random. The Dublin Rape Crisis Centre was also part of a worldwide hack affecting users of a vulnerable WordPress plugin.
Largest Cyber Attack in History Slows Internet Worldwide
March 28, 2013 in Cyber
Internet around the world has been slowed down in what security experts are calling the biggest Distributed Denial of Service (DDoS) attack in Internet history. Five national cyber-police forces are investigating the attacks.
Background:
The attacks originally targeted Spamhaus, a European, non-profit anti-spam organisation. Spamhaus blacklists what it considers sources of email spam, and sells those blacklists to Internet Service Providers (ISPs). Last week, Spamhaus blacklisted the controversial Dutch web hosting company Cyberbunker, which claims willingness to host any website with the exception of child pornography or terrorism-related material.
Following the blacklisting, the attacks began as waves of large but typical DDoS assaults. Spamhaus has alleged that Cyberbunker is behind the attack. Cyberbunker has not directly taken responsibility for the attacks; however, Sven Olaf Kamphuis, spokesman for Cyberbunker, said that Spamhaus was abusing its position, and should not be allowed to decide “what goes and does not go on the internet”.
How the Attacks Happened:
The attackers used Distributed Denial of Service (DDoS), which floods the target with large amounts of traffic, rendering it unreachable. Picture a door with thousands of people standing outside it. Everyone is trying to enter, and no one can get out. This is the equivalent of a DDoS attack.
In most common DDoS attacks, hackers use thousands of “zombie” computers to send traffic to a particular site, with the intention of overloading it. These computers have often been infected with malware (most often received through spam email), which gives a hacker control of the machine, unbeknownst to its owner. Hackers can amass large networks of these infected computers, called “botnets”, and use them to conduct attacks.
Once the attacks began, Spamhaus immediately hired a security firm, CloudFlare, which put systems in place to prevent the DDoS from making a large impact. The attackers then changed tactics and targeted CloudFlare’s network providers. To do this, they exploited a fault in the Domain Name System (DNS). The DNS converts a web address into a numeric IP address. A DNS resolver performs that lookup on behalf of the user, so that the user’s computer can reach the server which delivers the content. If a network is set up incorrectly, an open resolver (one that answers lookups for anyone on the Internet, not just its own users) can become an easily exploited vulnerability.
In this case, the hackers identified 25 million vulnerable DNS servers worldwide which could be used for attack, and instructed those vulnerable servers to forward an initial attack. Thus the attack, which was initiated at a single location, was amplified millions of times by exploited DNS servers around the world.
Global Impact and Prevention
Because the Internet relies on DNS to work, a large-scale, DNS-amplified DDoS attack can have consequences beyond the scope of the attack. Part of the Internet infrastructure which connects all the servers on the Internet was getting overloaded. This results in delays or unresponsiveness for completely unrelated websites that share the same lines that Spamhaus is using.
Some Internet Service Providers have been working to implement technologies which prevent hackers from spoofing victims’ IP addresses. But the process is slow. Network administrators need to close all open DNS resolvers running on their network.
If a company operates a network, they should visit openresolverproject.org, and type in the IP addresses of their network. This will show if there is an open resolver on their network. If there is, it is more than likely to be used by criminals to launch attacks such as these.
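The open-resolver check above looks at a network from the outside. As an added example (not from the original post or from openresolverproject.org), the script below shows the same two checks a network administrator can run on their own resolver’s query log: recursive queries answered for clients outside the organisation’s address space (the sign of an open resolver; in an amplification attack those “clients” are the spoofed victims), and the response/request size ratio that makes each answer an amplifier. The log format, the 192.0.2.0/24 internal range and the sample lines are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# unix-timestamp client-ip flags qtype qname request-bytes response-bytes
SAMPLE_LOG = """\
1364428800 192.0.2.10 RD A www.example.com 45 61
1364428801 198.51.100.7 RD ANY isc.org 36 3223
1364428801 198.51.100.7 RD ANY isc.org 36 3223
1364428802 203.0.113.9 RD ANY ripe.net 37 2890
1364428803 192.0.2.22 RD TXT mail.example.com 50 120
"""

# Address space the resolver is supposed to serve (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    ts, client, flags, qtype, qname, req, resp = line.split()
    return {"ts": int(ts), "client": ipaddress.ip_address(client),
            "rd": flags == "RD",  # RD = recursion desired, i.e. a full lookup was requested
            "qtype": qtype, "qname": qname, "req": int(req), "resp": int(resp)}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def analyse(log_text, amp_threshold=10):
    """Return (external recursive clients -> query count, amplification findings).

    A non-empty first result means the resolver is open: it answered recursive
    queries for addresses it does not serve.  The second result lists answers
    whose size is at least amp_threshold times the request, i.e. the queries
    an attacker would choose to multiply spoofed traffic.
    """
    external_clients = defaultdict(int)
    amplifiers = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["rd"] and not is_internal(rec["client"]):
            external_clients[str(rec["client"])] += 1
        ratio = rec["resp"] / rec["req"]
        if ratio >= amp_threshold:
            amplifiers.append((str(rec["client"]), rec["qtype"], rec["qname"], round(ratio, 1)))
    return dict(external_clients), amplifiers
```

The fix for a positive result is the one the post gives: stop the resolver answering recursion for outside addresses, and ask the upstream provider about source-address filtering so spoofed victims’ addresses are dropped before they reach it.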
Password Security In A Corporate Environment
February 10, 2013 in Cyber
Many companies use passwords to allow employees access to sensitive material, yet to many cyber security experts, passwords are a relic of the past, stemming from a time when individuals used passwords to access email and the rare e-commerce site. Today, the internet has caused computers to be hyper-connected: many sites require password authentication, and more information belonging to individuals and corporations is stored in “The Cloud”. The constant use of passwords is a double-edged sword. First, it causes individuals to make critical mistakes in creating passwords, either through over-simplification or through creating over-complex and forgettable passwords which cost company time in retrieval and/or resetting. Second, many corporations have been lulled into a false sense of security by allowing one-factor access to secure information. To a malicious hacker or a corporate espionage actor, these vulnerabilities make it easy to access critical information.
How Hackers Hack
Hackers access corporate information in a number of ways. The first, and simplest, is guesswork. Individuals who use passwords to access many sites tend to become lazy in creating passwords. In 2012, the number one password used around the world was “password”, followed by “123456”. Hackers can often guess simpler passwords, or use “password dumps”— web pages dedicated to passwords uncovered by other hackers. In addition, automated password cracking programs simplify the process of cracking common passwords, even incorporating common numeric substitutions (e.g. pa55w0rd). Many people also tend to reuse passwords for multiple access points, so it is common that a user will create a password in their personal life, and then use it in their corporate environment as well. If a malicious user gains access to an individual’s private password, the likelihood increases that they can use the same password to gain access into a corporate environment.
Hackers also gain access to passwords through “phishing” by which they create websites or emails which look almost identical to existing companies, such as banks or email sites, and ask users to submit login information. Regardless of how complex a password is, the strength of that password is useless when it is freely given through these methods. If a hacker has access to a personal site, they may “lurk”, that is, look at the emails people receive to identify their banks and banking habits, place of business, social connections, and even “electronic mannerisms” such as how a person “speaks” online. By watching email transactions, a hacker can easily emulate the person to gain access into other parts of their life, such as sending messages to an accountant or a client, asking them to redirect funds or use the “new” email address, so as to go unnoticed.
In addition, hackers can gain passwords using malware: undetected viruses which are stored on one computer and send data to another, such as monitoring key strokes or activating a web camera. A report from 2011 indicated that malware was responsible for almost 70% of data breaches. Malware is particularly vicious because it targets large groups or corporations, gaining access to entire systems rather than single individuals.
Finally, an emerging trend that hackers can take advantage of is called “socialing”. Because most individuals use one or two email accounts to access banking, ecommerce, social networks and other sites, gaining access to one can easily allow a hacker to gain access to the other. For example, if a hacker has an e-mail username and password, they may attempt to use it on an e-commerce site, such as Amazon, which stores credit card information. If the password doesn’t work, they can click “Forgot Password?” and answer a few personal questions, often which are accessible through a Google Search or looking through the hacked email account. The password gets sent, and the hacker deletes the email and immediately logs onto the e-commerce site and changes the email address to direct it to him. Now, the hacker has access to banking information and home address. The hacker then uses this information to gain access to other data, including tax and benefits numbers, and can infringe upon a person’s work and private life.
Increasing corporate password security
Because passwords are still the most common and critical entry point into most businesses, steps should be taken to increase security wherever possible.
Strong Passwords: First, and most critical, encourage staff to come up with strong passwords, with a minimum of eight characters, and check them through a password strength estimator, which measures the accessibility of the password, and can be found using a simple Google search. Using the tool, one can see that a password such as “12345678” has a strength of 4%.
To generate a strong password, it is beneficial to think of a favourite saying or line from a book, and use the letters from each word, then to replace certain letters with capital letters or numbers. For example: “It was the best of times, it was the worst of times”
First becomes: iwtbotiwtwot (3% strength)
Then becomes: Iwtb0t1wtw0t (93% strength)
Another option is to create random phrases with mixed characters where possible, such as “nine-happy_dolphins_ate?” (85% strength).
Most importantly, discourage use of passwords which individuals use in other parts of their lives, and discourage password re-use as passwords expire. Many companies are opting for longer periods between password expiration to prevent people from changing only one portion of their password (For example, from “password1” to “password2”). Stronger passwords and longer user periods can minimize the risk of password apathy.
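The checks in the four points above (minimum length, mixed character classes, no common password even after the digit substitutions crackers already try, and no “password1” to “password2” rotation at expiry) can be enforced at the point where a user sets a new password. The policy checker below is an added example, not a tool the post refers to; the common-password list is a constructed five-entry stand-in for a real dump, and the substitution table is an assumption.

```python
import re

# Constructed stand-in for a list of common passwords taken from public dumps.
COMMON = {"password", "123456", "12345678", "qwerty", "letmein"}

# Assumed table of the digit/symbol substitutions that cracking tools undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]


def normalise(pw):
    """Undo common substitutions so pa55w0rd is judged as password."""
    return pw.lower().translate(LEET)


def class_count(pw):
    """Number of character classes (lower, upper, digit, symbol) present."""
    return sum(1 for pattern in CLASSES if re.search(pattern, pw))


def is_trivial_rotation(new, old):
    """True when new differs from old only in a trailing number (password1 -> password2)."""
    if old is None:
        return False
    stem_new = re.sub(r"\d+$", "", new).lower()
    stem_old = re.sub(r"\d+$", "", old).lower()
    return stem_new != "" and stem_new == stem_old


def check_password(pw, previous=None, min_len=8):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if pw.lower() in COMMON or normalise(pw) in COMMON:
        problems.append("common password (even after undoing substitutions)")
    if class_count(pw) < 2:
        problems.append("uses only one class of character")
    if is_trivial_rotation(pw, previous):
        problems.append("only the trailing number changed from the previous password")
    return problems
```

Run against the post’s own examples, “12345678” and “iwtbotiwtwot” are rejected while “Iwtb0t1wtw0t” and “nine-happy_dolphins_ate?” pass; the checker does not reproduce the percentage scores quoted above, which come from a separate estimator.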
Malware and Phishing Awareness: Again, a password is meaningless when it is given freely. Corporations are increasingly educating employees on how to identify and authenticate legitimate e-mails and websites, encouraging staff to contact the company in question if the information looks suspicious. Organizations should invest in anti-virus programs which update regularly as new viruses are introduced into the cyber-world, and check digital certificates (the fingerprints of an incoming piece of data) to see if they are associated with existing malware.
Multi-factor IDs: Earlier this week, social media site Twitter announced a new two-factor identification system following a system-wide hack which compromised the information of over 250,000 users. Increasingly, corporations use multi-factor identification to allow employees access to protected information. Users supply their chosen password, and then either receive a SMS message to their phone which provides the secondary password, or enter a password from a physical token (some of which also require a code for authentication—creating a three factor ID). The multi-factor method adds an additional layer of security, and alerts true owners of attempts to intrude upon an account.
Biometrics: Biometrics, such as fingerprint or voice scans, seem like the best possible protection for corporate integrity. However, the technique has not yet been perfected, and is considerably pricey. If biometrics are used as a one-factor system, they are easily replicated: fingerprints can be lifted, or voices can be recorded, particularly if one is speaking into such a system in a public location, such as a library or coffee-shop. In the future, biometrics may become one component of a multi-factor verification system, but at present, they are not feasible for many organizations.
White-Hat Hackers: In cyber-slang, a white-hat hacker is one of the “good guys”. Often, companies will hire white-hat hackers to expose weaknesses in cyber security systems, and suggest or provide remedies before those weaknesses are exploited by black-hat hackers, who use the weaknesses for malicious purpose.
Monitor Abnormalities: The best protection is vigilance, specifically, identifying access attempts that are outside of normal business processes. For example, Internet Service Providers identify the location from which a user attempts to access a secure site. Be wary if a user, known to be in London, is logging in from Boston or Singapore. In addition, if a user is given a company phone or computer, identify whether that user is attempting to log in from a non-registered device.
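The two signals named above, a London user suddenly logging in from Boston and a login from a device the company never issued, can be checked automatically over a login log. The detector below is an added example, not a product the post describes: it flags any device not in the user’s registered set, and any pair of consecutive logins whose great-circle distance could not be covered at airliner speed in the time between them. The log format, the user and device names, the city coordinates and the 900 km/h ceiling are all constructed assumptions.

```python
import math
from datetime import datetime

# Constructed reference data: approximate (lat, lon) per city and devices issued per user.
CITY_COORDS = {"London": (51.51, -0.13), "Boston": (42.36, -71.06), "Singapore": (1.35, 103.82)}
REGISTERED_DEVICES = {"alice": {"LAPTOP-ALICE-01", "PHONE-ALICE-01"}}

# Constructed sample login log: ISO timestamp, user, city, device id
SAMPLE_LOG = """\
2013-02-08T09:00:00 alice London LAPTOP-ALICE-01
2013-02-08T11:30:00 alice Boston LAPTOP-ALICE-01
2013-02-08T12:00:00 alice London PHONE-ALICE-01
2013-02-09T02:00:00 alice Singapore UNKNOWN-DEVICE
"""


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, city, device = line.split()
        events.append((datetime.fromisoformat(ts), user, city, device))
    return sorted(events)  # oldest first, so consecutive logins can be compared


def find_anomalies(log_text, max_speed_kmh=900):
    """Return (timestamp, user, reason) for unregistered devices and impossible travel."""
    findings = []
    last_seen = {}  # user -> (timestamp, city) of the previous login
    for ts, user, city, device in parse(log_text):
        if device not in REGISTERED_DEVICES.get(user, set()):
            findings.append((ts.isoformat(), user, "unregistered device %s" % device))
        if user in last_seen:
            prev_ts, prev_city = last_seen[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            km = haversine_km(CITY_COORDS[prev_city], CITY_COORDS[city])
            if hours > 0 and km / hours > max_speed_kmh:
                findings.append((ts.isoformat(), user,
                                 "impossible travel %s -> %s (%d km/h)" % (prev_city, city, km / hours)))
        last_seen[user] = (ts, city)
    return findings
```

On the sample log the London-to-Boston and Boston-to-London hops are flagged (about 5,300 km in 2.5 hours and then 30 minutes), the fourteen-hour London-to-Singapore trip is not, and the Singapore login is flagged for the unknown device instead.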
As hackers become increasingly efficient, individuals and corporations struggle to find the balance between convenience and privacy. While multi-factor systems are on the rise, it is important to avoid making them cumbersome or inaccessible. Cyber experts are constantly working to deliver a system that covers the new areas of cyberspace that corporations venture into. Cyber-awareness and education ensures that your company is abreast of the latest technology in online security.