INFORMATION SECURITY REVIEW 2/2011

Transcription

1 INFORMATION SECURITY REVIEW 2/ July

2 CERT-FI Information Security Review 2/2011 Introduction Security breaches and groups that claim to have been behind the attacks have received plenty of publicity during this spring. Information security violations are usually carried out systematically and targeted at certain companies or organisations. Motives for the attacks include political agendas and desire for publicity. Windows are becoming more common. A malware called MacDefender, disguised as antivirus software, has spread to Mac computers. The sixth vulnerability research meeting organised by CERT-FI gathered the Finnish software vulnerability researchers from universities, the public administration and companies in the sector. In April, several data breaches were targeted at Sony's services and hackers succeeded in stealing the user information of over hundred million users. The company reported a loss of $ 170 million caused by the attacks. Because of the data breaches, Sony PlayStation Network and Sony Online Entertainment services remained closed for a long time. In March, the information security company RSA noticed that the company had been attacked by hackers. The attackers managed to steal information that affects the information security of systems secured with SecurID products. RSA has announced that all SecurID password generating tokens that have been taken into use before the data breach will be exchanged for new ones. After the midsummer, CERT-FI was informed of a list published on the Internet that included addresses and passwords of over six thousand Finnish users. The data had been obtained in an attack targeted at an online game site alypaa.com over a year ago. In an information security seminar arranged in May 2011 by FICORA, The National Emergency Supply Agency and The Ministry of Transport and Communications, GSM decryption was demonstrated in practice. Malware targeted at computers using other operating systems than Microsoft 2

3 Data breaches to Sony's services In April, an attack was targeted at the Sony PlayStation Network service, and hackers succeeded in stealing the user information of 77 million users of the PSN service. At the same time, a data breach occurred at the Sony Online Entertainment online game service. During this break-in, the hackers obtained the user information of 24 million users. In total, the user information of over 100 million users was stolen in these attacks, which makes this data breach case the vastest on record in regard to the amount of stolen user information. Game service closed for over three weeks Sony closed the popular PlayStation Network service on 19 April after noticing a data breach in the company's service centre situated in San Diego. The break-in is likely to have happened between 17 and 19 April. On 24 April, Sony released a notice explaining the reasons for and details about closing the service. According to Sony, the data-break-in revealed vulnerabilities that could not be mitigated without the reconstruction of the whole service. On 26 April, a new notice was published for the users of the service in order to inform them about the data stolen in the data breach. Sony revealed that the hackers managed to steal for example the users' names, dates of birth, street addresses and addresses in addition to user names and passwords. Sony released yet another notice on 28 April, stating that there were no evidence of credit card information having been stolen. In addition, Sony representatives told that credit card information was stored in encrypted format and that only the digests of the user passwords were stored in the service. However, it should be noted that especially weak passwords are rather easy to decrypt based on the digest. Sony also confirmed that FBI participates in investigating the case. 3 The service has many Finnish users According to Sony, the Playstation Network service has approximately 330,000 Finnish users. On 27 April, CERT- FI published Alert 1/ concerning the data breaches (in Finnish). The Playstation Network service was reopened in Finland in mid-may. At the same time, a compulsory software update for PlayStation 3 game consoles was published and users were made to change their passwords. User information from the Sony Online Entertainment service stolen as well In the beginning of May, Sony reported that in connection with the service centre data breach that happened in April, hackers managed to steal the user information of over 24 million users of the Sony Online Entertainment service. Because of the break-in, the SOE service had to be closed and reconstructed as well. In this attack, hackers managed to steal the same kind of information as in the attack against the PSN service, that is personal data, user names and password digests. In addition, the credit card information of 12,700 European users from the year 2007 and the direct billing information of 10,700 users were stolen in the data breach. The service was reopened on 14 May. Nearly 20 data breaches to Sony's other sites Due to the publicity the data breaches had gained, several of Sony's other services and sites were attacked as well. Hackers managed to steal user information in almost 20 of these attacks. The worst of the attacks was the one targeted at the Sony Pictures service. In this attack, the attackers stole the plain text passwords of million users html

4 Considerable losses for service provider Sony reported a loss of $ 170 million caused by the data breaches. The losses consist of the costs of defining the attacks and reconstructing the services, and of the losses of income caused by the service interruptions. Sony's information security criticised Many have judged the implementation of Sony's services because of the successful data breaches. The information security of the global technological company has been criticised as weak. According to critics, most of the attacks could have been prevented by following the standard information security best practices. RSA will exchange SecurID key code generators for new ones In March, the information security company RSA noticed that the company had been attacked by hackers. The attackers managed to steal information that affects the information security of systems secured with SecurID products. RSA has not confirmed what kind of information related to the SecurID products the attackers managed to steal. It is likely that the attackers obtained information that can be used to individualise the password-generating tokens used for user identification. This kind of information can be used in data breach attempts. The stolen information has probably been used in the break-in attempt against the data systems of the defence company Lockheed Martin in the end of May. RSA has announced that it will exchange all SecurID key code generators dated before 23 March 2011 for new ones. RSA has contacted its largest clients, such as IT service providers and service integrators, to change their passwordgenerating tokens. If your company has obtained SecurID key code generators straight from RSA/EMC or its partner company, and RSA has not contacted you so far, your company will have to contact RSA to obtain new tokens. 4 To be able to break in to a system secured with SecurID, the attacker has to know the frequently changing number code generated by the password-generating token, as well as the user name and the personal password connected to the SecurID. Hackers can obtain this information by using phishing s or data-stealing malware. Companies should watch out for break-in attempts by monitoring the authentication attempts to their systems performed with RSA's SecurID devices. Companies should also pay special attention to the information security of the servers used in authentication. CERT-FI has published Alert 2/ because of the weakened information security of the SecurID products manufactured by RSA. The alert includes advice for both the IT personnel of companies using SecurID products and the end users of SecurID products. Data stolen in data breach to Älypää game site has been exploited After the midsummer, CERT-FI was informed of a list published on the Internet that included s and passwords of over six thousand Finnish users. Later it became clear that this was the same data that had been stolen from the alypaa.com game site and published over a year ago. In March last year, CERT-FI published Alert 1/2010 (in Finnish) because of the Älypää data breach. The user names and passwords connected to the hotmail.com and live.com services have been used without permission in those services and also for example in Facebook, if the user had the same password in several services. CERT-FI has contacted Microsoft on the case. The users should change their passwords and remember not to use the same password in other online services. 2

5 Increased activism could be seen in the growing number of data breaches During the past months, many different kinds of information security violations have taken place. These violations also gained plenty of publicity. The attackers have usually announced themselves, but only with an alias or as an anonymous member of a certain group. These incidents reflect characteristics of systematic network activism. The number of successful data breaches and the high publicity the attacks have gained indicate that different organisations are not prepared for information security threats. Data thefts are planned and executed systematically and persistently. In some cases, the actual data breach and unauthorised intrusion into the system may have happened a long time before the stolen data is published or exploited. Weaknesses in the target services are noticed and exploited without delay. Attackers also aim at obtaining passwords and other confidential information by targeting attacks at organisations. In these cases, the attackers send authenticlooking messages to a limited group of recipients and attach data-stealing malware to the messages. Motives vary Economic benefits, publicity or even straightforward anarchism seem to have motivated the attackers. Especially the motives of a group called Anonymous are political and have to do with supporting the WikiLeaks organisation. For almost two months, a group called LulzSec has loudly claimed to have been behind several data breaches. This group's motive seem to have been the desire for publicity. For now, most of the attacks widely discussed in public have been targeted outside Finland. However, attacks targeted at Finnish organisations and denial-ofservice attacks targeted at Finnish services happen all the time. 5 Defects in implementation of services One would have thought that many of the targets of these data breaches could have resisted the attacks. By means of attacks such as SQL injection, great amounts of confidential data has been stolen from the data systems of large organisations, agencies and even banks. It can be seen from the news, notifications given by the companies and information published by the hackers that information security has not always been taken into account sufficiently when planning, implementing and maintaining the data systems. Service users have only limited chances to affect the security of the services they use. By choosing passwords that are complicated enough and by using different passwords in different services, a user can try to prevent possible consequences of a data breach. Decryption of GSM network demonstrated in information security seminar FICORA, The National Emergency Supply Agency and The Ministry of Transport and Communications arranged an information security seminar in May In the seminar, researchers demonstrated the decryption of the A5/1 algorithm used to protect GSM phones. The A5/1 method is used to encrypt communication between a mobile phone and a GSM base station. The weaknesses of this encryption method have been known for several years already, but the new decryption methods published just lately enable much faster decryption than the earlier methods. However, the decryption still requires plenty of work, preparations and knowledge on the GSM network technology. In addition, the eavesdropper has to be able to follow the target. The eavesdropping of phone calls can be avoided by defining the phone's settings so that the phone will only use the 3G network, which is protected by a more

6 sophisticated encryption method. The communication between a 3G phone and a base station can not be eavesdropped on by any method FICORA is aware of. Malware disguised as antivirus software pester Macs as well Malware targeted at computers using other operating systems than the Microsoft Windows are becoming more common. A malware called MacDefender, disguised as antivirus software, spread to numerous Mac OS X computers in May. The makers of this kind of malware mislead computer users in the same ways that are used in malware targeted at Windows users. Infection mechanisms specifically designed for the Mac OS X operating system have not come up so far. All malware targeted at the Mac OS X operating system have aimed at misleading the user to install the malware. A malware may for example announce that a video can not be shown before the user installs a new media player. Self-spreading malware, worms in other words, have not been found in Mac computers so far. Apple provides Mac OS X users with an antivirus software. After the software has been updated with MacDefender malware identification, the software will be completed with fingerprints of about twenty malicious programs. It is probable that the Mac OS X operating system contains approximately the same number of vulnerabilities to be exploited as other operating systems. The operating system includes a sandbox mechanism that protects and isolates applications. In addition, Mac computers are seldom used with administrative rights, which also makes the operating system more secure. CERT-FI gathered vulnerability researchers together CERT-FI arranged a vulnerability research meeting that was the sixth in sequence. These meetings have been organised since 2008 and they gather the Finnish vulnerability researchers from universities, the public administration and companies in the sector. CERT-FI organised the meeting in cooperation with Microsoft. The meeting gathered over 30 participants. The discussion concentrated on IPv6 technology and embedded systems. Complicated network vulnerabilities CERT-FI published an advisory on multiple techniques that can be used to evade intrusion detection and prevention systems (IDS/IPS). Stonesoft Oy reported to CERT-FI about these techniques. So far only three manufacturers have commented on how vulnerable their products are for these evasion techniques. A vulnerability was found in the implementations of the RTP protocol of Cisco's IOS operating system. RTP (Real Time Protocol) is a protocol used for transmitting voice and picture especially in Internet calls. The vulnerability affected only those devices that used the Digital Signal Processing (DSP) technique from a certain manufacturer. The previous advisories by CERT-FI will be updated as the manufacturers publish their updates. Future prospects In the near future, CERT-FI will keep an eye on the malicious activity in the Internet and monitor the possible impacts on Finnish services. The latest information security violations and the amount of publicity around these attacks may increase the number of attempted data breaches and denial-of-service attacks in Finland. 6

7 CERT-FI contacts by title 1-6/ /2010 Change Interview % Vulnerability or threat % Malware % Advice % Preparation of attack % Data breach % Denial-of-service attack % Other information security problem % Social engineering % Total % The number of malware reports handled by CERT-FI has increased considerably since last year. 7