Annual Review January

Transcription

1 Annual Review January

2 CERT-FI review 2011 Abstract annual The year 2011 was characterised by many information security breaches getting a lot of public attention. The information obtained from these break-ins was also published on the internet. The usernames, passwords and other information of several Finnish and foreign services were given a lot of publicity in discussion forums and file sharing services. The data theft against Sony's services can be considered as the most wide-spread data leak of all times. The company suffered significant financial loss on account of the break-in. The trustworthiness of the certificate system has been tested due to information security breaches and hacking attempts against companies acting as root Certificate Authorities (CA's). The cases have drawn attention to the information security level of certificate providers and the weaknesses in the system in general. Due to an operator's error, secret mobile phone numbers ended up in publicity during the spring and summer. Due to the mistake, the numbers meant to be secret were temporarily available in the nationwide database of Suomen Numeropalvelu Oy. The mistake concerned approximately 37,000 DNA customers who switched subscription types between 10 April and 28 June. Data related to the SecurID tokens used for strong authentication and belonging to the American security firm, RSA, were stolen due to a data theft against the company. The tokens are widely-used in Finland, too. Detailed information on the information that fell in the hands of third parties has not been published. It is assumed that the information will possibly be used for copying the functionality of the token and using the copied token for login. Due to the incident, RSA has replaced its customers' SecurID key generators by new ones. Increasingly more often, the configuration files of malware hijacking online banking connections have references to Finnish banks. Several scam attempts using malware and phishing sites were targeted at customers of Finnish banks. Especially man-in-the-middle attacks and malware hijacking browser connections became general in Finland, too. The malware have mainly been the different versions of the Zeus malware family. The shortcomings in the vulnerabilities of e-shop applications have in some cases enabled malpractice where the person who is ordering products has been able to make believe that s/he has paid for the products s/he has ordered. CERT-FI has coordinated the patching of several software vulnerabilities. The evasion methods found by the Stonesoft company received the most publicity. In 2011, CERT-FI arranged two meetings for Finnish vulnerability researchers. The encryption methods used for telephone calls and data traffic in 2G GSM mobile telephone networks can no longer be considered completely secure. Eavesdropping telephone calls or taking over someone else's identity on the internet still require expertise, but are technically possible with the help of publicly-available tools. It is possible to improve the security of GPRS data traffic by means of encryption methods at application level, and the introduction of the 3G network improves the security of voice traffic. 2

3 Major information security breaches to Finnish and foreign services Drawing public attention to themselves, several information security breaches involving users' personal data, credit card information and confidential documents took place in Several successful information security breaches have shown that not enough attention is paid to the secure implementation and maintenance of online services. Stealing information from systems is often possible by means of publicly-available software which search for vulnerabilities and exploit them. The data released by the hackers leads to believe that it is all too easy to crack user passwords. In addition, the same password is used for different services, which multiplies the risk related to the exploitation of stolen data. Information security breaches led to discussions about whether it is safe enough to authenticate users by using a username and password. However, there are no widely-used alternatives for using a password. During the year, CERT-FI released several articles in the series 'Information security Now!'. For example, on how to choose a safe password, as well as Guidelines 1/ on the selection of network service software platforms and maintenance of secure service. Several Finnish services became targets of hacking Finnish network services were breached in the latter part of the year, in particular. The breached data was published on online discussion forums and at sites for file download services. Data related to the member applications of a grouping named 'Kansallinen 1 vastarinta' (National resistance) was published in October. The breached data included the name, age and contact details of persons who had applied for the group's membership. A link on a Finnish discussion forum leading to a file containing the personal data of approximately 16,000 Finns was published in November. The data comprised the persons' identity number, complete name, home address, address and telephone number. The list was based on several different sources. There is no certainty over when the breach was made or how it was made. The Police are investigating the case. A list containing the addresses of more than half a million Finns was published in November. Some addresses on the list had obviously not been used for quite a long time. It is likely that several sources over a longer stretch of time have been used to produce the list. The user database of the discussion forum helistin.fi, part of the website group named 'Terve', fell into wrong hands when it was breached. The database contained the username, password and address of 73,000 users. The same credentials also give access to the other Darwin Media services, which are: tohtori.fi, poliklinikka.fi, kimallus.fi, huoltamo.com, terve24.fi, mustapippuri.fi, terkkari.fi and verkkoklinikka.fi. Furthermore, the usernames, passwords and addresses of users of napsu.fi and netcar.fi were published in a file sharing service. The list contained the details of 16,000 users. The respective user data of netcar.fi were also published online. The database contained the username, password and address of 12,000 users. Hackers remain unknown A group named Anonymous Finland announced to be the perpetrator behind several data leaks and information security breaches. Very little is known about the perpetrators. At least two different sources have announced to acting in the name of the group 3

4 Anonymous. It is typical of the groupings to publish Twitter messages and longer texts, such as username lists and other messages in file sharing services. The attack not only involved information security breaches and data leaks, but several websites had been defaced by adding unauthorized content to them. Corporate subscribers are not obliged to report of information security breaches. Companies and organisations which have filed a telecommunications notification are obliged to notify if they have been the targets of information security breaches or attempted attacks. CERT-FI has also been informed of other lists containing user credentials which have been published online. For the most part, the lists are based on stolen information from earlier breaches. It is probable that similar lists will be published in the future, too. After the holiday season, a list of 50,000 names was published including credit card infor-mation. It did not take long to see that the list was made up. Breaches to Sony concerned Finns, too Among the breached foreign services, it was the breaches targeted at Sony's services that received the most publicity. The impact also extended to the Finnish users of these services. Before Easter, an attack was targeted at the Sony PlayStation Network service, and hackers succeeded in stealing the user information of 77 million users of the PSN service. At the same time, an information security breach occurred at the Sony Online Entertainment online game service. During this break-in, the hackers obtained the user information of 24 million users. In total, information of more than 100 million users was stolen in these security breaches, which makes them the vastest on record in regard to the amount of stolen user information. According to Sony, the Playstation Network service had approximately 330,000 Finnish us-ers. In late April, CERT-FI released the Alert 1/ concerning the information security breaches (in Finnish). Due to the publicity the data breaches had gained, several of Sony's other online services and sites were attacked as well. Hackers managed to steal user information in almost 20 of these attacks. Sony reported a loss of $ 170 million caused by the information security breaches. According to experts, most of the attacks could have been prevented by following the standard information security practices. Secret telephone numbers revealed by accident Due to a mistake that was made in connection with a system update, the secret telephone numbers belonging to DNA's customers ended up in public during the spring and summer. The mistake concerned some of DNA's customers who switched subscription types within the telecom operator between 10 April and 28 June. More than 37,000 subscriptions were switched over the time period. Due to the mistake, the numbers meant to be secret were temporarily available in the nationwide database of Suomen Numeropalvelu Oy. Companies providing number enquiry services use the database for updating their data. After the mistake was detected, DNA corrected the data and confidentiality of the numbers was restored. A letter informing of the matter was sent to all customers whose data may have changed in connection of the case. In addition, DNA informed FICORA of the matter in accordance with the Act on the Protection of Electronic Communications

5 The EC Directive on privacy and electronic communications was amended in the spring of Telecom operators are now obliged to notify of information security breaches targeted at personal data related to telecommunications. This had minor impact on the situation in Finland because the notification obligation was already embedded in the general notification obligation. GSM network security tested The weaknesses of the encryption portion of the A5/1 have been known for several years already, but the new decryption methods published just lately enable much faster decryption than the earlier methods. The weaknesses found in the encryption method can be exploited for the purpose of finding the encryption key related to the telephone call. Not only can the key be used for decrypting a phone call, but also for presenting oneself as the victim's terminal device. This enables the making of calls or sending of text messages so that they seem to be coming from another person's telephone number. Decryption of calls and unauthorized use of another subscriber's identity require good knowledge of GSM technology and tools. Furthermore, the attacker must be located nearby the targeted user. There are many solutions available for the weaknesses of network protection. Some of them have already been standardised. It is not likely that all of the proposed patches will be implemented in the networks of Finnish operators, because they are already switching to 3G networks, which cannot be eavesdropped by means of currently available methods. Research results related to the information security of GPRS data traffic and Tetra networks were also published in The GEA/1 encryption algorithm used for protecting GPRS data traffic in GSM networks has been partially cracked by means of algebraic methods. It is recommended to protect the encryption of GPRS data traffic at application level or by encrypted VPN connections, because some operators do not use any encryption for GPRS traffic. Foreign mobile operators used mobile network monitoring software Certain international mobile telephone operators have admitted to have installed an intelligence tool named Carrier IQ on their customers' handsets. The software has been used in devices using the operating systems Android and Apple ios. The software allows operators to collect data related to the mobile phone's performance, for example. In some cases, the reports sent from phones have, however, contained information that the user had meant to be private, such as text messages, pressings of a key and browser history. Once it became known that the software was being used, a few operators announced that they would give it up. Apple had also said that the company's ios 5 operating system no longer contains the Carrier IQ code. Finnish mobile telephone operators have stated that they do not use Carrier IQ. Furthermore, Carrier IQ does not ship products for any Nokia devices. Certification authorities' reliability suffered due to information security breaches The trustworthiness of the certificate system became weaker due to several information se-curity breaches and attempts, which gained a lot of publicity in The access rights obtained by crackers have been used for the creation of server certificates in the name of third parties. Software manufacturers have had to release updates for their products, because the design of certification technology has not taken into consideration situations where the top level of the hierarchy, in other words the root certification authority becomes unreliable. 5

6 In the summer, hackers broke into the systems of the Dutch DigiNotar. The hackers succeeded in creating several server certificates for Google services. A hacker known as Comodohacker not only took responsibility for the attack made against a subcontractor of a Comodo named company that issues certificates in March, but also the failed break-in targeted at Globalsign. Certificates are used, for example, for verifying the authenticity of a website. They are also used for verifying the authenticity of software or software updates and for identifying persons. The significance of software signatures is growing along with the Windows 7 operating system and smartphone applications. Identification is based on a confidence chain in which various pieces of software trust a limited set of root certificates and certificates issued by root certificate holders. This has resulted in one of the greatest weaknesses of the certificate system: there is no hierarchy between root certificates, but each root certificate is good for the certificate signer of all sites. Even if the service provider had obtained the certificate from a certain CA, a certificate issued by any other trusted CA is considered the equivalent of the real certificate. In order for certificate authorities to get on the root certificate list, they must pass an information security auditing process. However, this did not ensure that information security would have been at a sufficient level. Falsified certificates can be used to carry out a man-in-the-middle (MITM) attack, hijacking the connection between the service and its user. In this case, the attacker must also control the network infrastructure, the name server must be in the attacker's control or the attacker must be located in the same local network as the target of the attack. For example, open WLAN networks may provide a suitable environment for carrying out attacks. The user can also be tricked by manipulating the name service to direct network connections to an address that contains a falsified website and certificate. The authentic-looking website can be used to find out user information such as usernames and passwords. Information security researchers and software developers have developed several parallel solutions to improve the security of certificates. However, some of the solutions are rather complicated to use and familiarity with the matter is required from the user. RSA SecurIDs replaced due to break-in In March, the information security company RSA announced that the company had been attacked by hackers. The breach was made by sending an Excel file containing malware code to a group of RSA employees. The file contained an exploitation method whose purpose was to exploit a vulnerability in a software for showing Adobe's Flash files. The attackers got their hands on user accounts, which helped to steal information from RSA's systems. RSA has not reported what sort of data fell to hackers, but has admitted that the data is related to SecurID products. It has been speculated that the attackers had succeeded in stealing the so-called seed files, which are needed for deploying SecurID key generators. In principle, seed data can be used for making copies of key generators that are already in use. SecurID key generators are used for strong identification as users log into services. The token generates a new number code for example once a minute. To log in to a system secured with SecurID, the user has to enter a username, personal password and a frequently changing number code generated by the token. Approximately 40 million SecurID tokens are used worldwide. In addition to these, some 2.5 million people use application-based solutions. 6

7 Due to the attack, RSA announced that it will replace all SecurID key generators manufactured before the breach. The replacement of tokens has not cost some of the customers any money. Neither has the initiation of the replacement required any initiative on the part of customers. In Finland, nearly all key generators whose users had wished replacement, had been replaced by the end of The cost of the replacement depends, for example, on the number of SecurIDs in use and their age. According to the questionnaire CERT-FI sent to critical infrastructure actors in August, more than half of the respondents were about to replace or had already replaced their SecurID tokens by new ones. One of five respondents said that they were not planning to replace their tokens or that they had already started using an alternative technology. The data stolen at the break-in was probably exploited in late May when there was an attempted information security breach to the information systems of the American Lockheed-Martin, the country's largest defence contractor. Lockheed- Martin said to have prevented the attack. CERT-FI published the Alert 2/ about the lowered information security level of SecurID products after the word spread of RSA information security breach. The alert included advice to organisations and individual users of SecurID. Finnish online banking service users targets of malware In 2011, several cases were reported to CERT-FI where Finnish computers had been infected by malware targeted at users of online banking services. There has been a lot of variation among the malware. The simplest ones are similar to phishing sites once the login has taken place. The more advanced ones function inside the browser and make use of JavaScript. At least one malware has a feature called balance adjustment. The 3 malware puts forward a fake balance which is shown on the website and hides the transactions made by criminals. Among the more advanced malware versions are the malware containing a feature called Man-In-The-Middle. When a user logs into the online banking service, a box is initiated by the malware stating that the user is requested to wait while the 'information security of the online banking service is being improved'. The malware enables the criminals to monitor the telecommunications of the user's online banking service and use the codes given by the user for the purpose of confirming the transactions. The detected malware mainly represented the different versions of the Zeus malware family. The anti-virus software were not initially able to detect the previously unknown malware versions. The manufacturers of anti-virus software have, however, been immediately delivered samples of malware, after which anti-virus software have detected the malware. CERT-FI has been notified of various botnets containing Finnish internet users. They have exploited the various versions of the Zeus malware. The addresses of computers belonging to botnets have been reported to the internet operators. The addresses of the botnet command and control servers have been reported to CERT-FI's foreign cooperation partners. Users of online banking services as phishing targets There has been a sharp increase in the number of Finnish online banking service users who have fallen as victims of phishing attempts during the latter half of the year. The phishing targets have received messages from criminals. The messages have often contained a link leading to a hacked web server. In the messages, the users are threatened that their bank identifiers or accounts will be closed, unless they follow the link. These messages are long from being credible. Although they are written in Finnish, the language is rather clumsy and contains spelling mistakes. 7

8 In some cases, criminals have registered domain names for the purpose. These domain names look similar to those of online banks. Phishing sites have been put together by copying the online bank's real login page. Shortcomings in e-shop data security The Police and CERT-FI were informed of cases where design errors or vulnerabilities in e-shop applications had been exploited in scams. These errors made it possible to order products from certain e-shops without payment. Online e-shop applications were misled to believe that the payment had been made. As far as is known, these vulnerabilities have been used in fraud, resulting in financial losses totalling more than EUR 300,000. This was not an information security issue of a single application or of a single manufacturer, but a vulnerability caused by the implementation method of e-shops. Not all e-shop implementations have followed the technical definitions of banks or other providers of pay-ment transaction services by the book. E-shop administrators are responsible for the information security of e-shops. Vulnerabilities have never concerned customers who shop online, and the online shoppers' information security has not been compromised due to the possibilities for misuse. In investigating this matter, CERT-FI cooperated with the information security company Nixu Oy, the Helsinki Police Department, and E-commerce Finland to share information with software manufacturers and e-shop administrators. It is likely that similar vulnerabilities and related exploitation attempts will occur in the future. BEAST attack revealed flaws in the security of SSL/TLS connections The BEAST (Browser Exploit Against SSL/TLS), method introduced in September, revealed that a web session based on TLS 1.0 protocol may be hijacked by third parties, if certain conditions are met. An attack may succeed, if the TLS session is based on block cipher encryption. In addition, the attacker must feed his or her program code to the victim's browser, and be able to listen to the victim's network traffic. An efficient way to protect oneself from a BEAST attack is to start using TLS 1.2 protocol. In practise, the transition period from the current protocol may be long, because many browsers or server software do not support the more recent protocol version. Browser manufacturers have added precise updates to their products. They prevent the exploitation attempts of the BEAST attack. Vulnerability coordination work is versatile In 2011, CERT-FI coordinated the repair and publication of vulnerabilities that were very different from one another. The interest in the research of open source software security is reflected in the number of vulnerabilities reported to CERT-FI. An example of open source software is the Chrome browser. The bug bounty program pays rewards for vulnerabilities reported in the Chrome browser. As a result, several vulnerabilities have been found. Amongst the Finnish researchers who have excelled in the discovery of vulnerabilities are the Oulu university information security group OUSPG's researchers Aki Helin and Atte Kettunen. Cooperation with OUSPG has been intensive and fruitful and dates back to the establishment of CERT-FI. A vulnerability in the SNMP protocol published ten years ago drew a lot of attention to itself and afterwards, the patches and release of several software vulnerabilities have been coordinated in cooperation. 8

9 New evasion techniques kept CERT-FI busy at the beginning of the year Due to the protection evasion methods researched by the information security company Stonesoft Oy, CERT-FI has been in contact with several software and device manufacturers during the year. Vulnerabilities involve protocol messages which enable the evasion of the protection provided by various IDS/IPS devices. Only few device and software manufacturers have reported of their vulnerability to the evasion methods in question or whether they have patches for their products. It is difficult for end users to find out whether their products need updates due to possible evasions. Interest in the security of smartphones is growing The first smartphone vulnerability coordinated by CERT-FI was that of Nokia E75 s security code bypass method. In recent years, attitudes towards vulnerabilities requiring the physical management of computers and telephones have become more serious. This may be the result of tighter information security requirements. Various data transfer networks as research subjects CERT-FI participated in the publication processes of several vulnerabilities. Similar vulnerabilities have still been detected in the implementations of various networks, which tells of the same implementation errors lying beneath, especially in input verification and memory handling. A vulnerability in the Linux Bluetooth tools was patched. Bluetooth is a network technology used for the wireless connection of various devices, such as telephones and headphones. iscsi is a standard used for linking data storage devices over a network. A 9 vulnerability in Solaris operating system's implementation was patched. Patches were made for the Quagga software's routing protocol at the end of the year. The latest security patches were related to the BGP and OSPF routing protocol implementations in Quagga. In early 2011, a vulnerability in the RTP protocol of Cisco products (Real-time Transport Protocol) was fixed. During the latter part of the year, a patch was made available for a vulnerability in the RTPS streaming services (Real-time Signaling Protocol) of the VLC media player. RTP and RTSP are commonly used for the implementation of internet telephone calls and streaming of video and sound. Meetings with vendors and researchers In February, CERT-FI participated in a meeting held in connection with a RSA conference bringing together several software manufacturers. The meeting was arranged by the CERT Coordination Center in San Francisco. During the same trip, CERT-FI met several software manufacturer representatives in the Silicon Valley. In 2011, CERT-FI arranged two meetings for Finnish vulnerability researchers. The first one was held in Espoo in cooperation with Microsoft, the other one in Oulu at the premises of VTT Technical Research Centre of Finland. The meetings brought together more than 30 parties interested in the technical implementation of information security. Outlook for 2012 The legislative projects related to the regulation of the internet have been objected and there are protests online, too. It is probable that network attacks will also be used as an in-strument for protesting in the coming year. It is to be expected that there will be attempts to steal user information from inadequately protected network services. The data will either be exploited or published on the internet.

10 Statistical data on contacts made to CERT-FI CERT-FI contacts by title Change Interview % Vulnerability or threat % Malware % Advice % Preparation of attack % Information security breach % Denial-of-service attack % Other information security issue % Social engineering % Total % 10