Entries Tagged "email"


Chinese Hacking of iBahn Internet Services

Citing unexplained “intelligence data,” an unnamed “senior intelligence official,” and an anonymous “privacy security official,” Bloomberg News claims that iBahn—the company that runs Internet services for a bunch of hotel chains—has been hacked by the Chinese. The rest of the story is pretty obvious: all sorts of private e-mails stolen, corporate networks hacked via iBahn, China does a lot of hacking, and so on. iBahn has denied the story.

Come on, people. I know that China hacking stories are plausible, but the bar for actual evidence should be higher than this.

Posted on December 21, 2011 at 5:55 AM

Domain-in-the-Middle Attacks

It’s an easy attack. Register a domain that’s like your target except for a typo. So it would be countrpane.com instead of counterpane.com, or mailcounterpane.com instead of mail.counterpane.com. Then, when someone mistypes an e-mail address to someone at that company and you receive it, just forward it on as if nothing happened.

These are called “doppelganger domains.”

To test the vulnerability, the researchers set up 30 doppelganger accounts for various firms and found that the accounts attracted 120,000 e-mails in the six-month testing period.

The e-mails they collected included one that listed the full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices. Another e-mail going to a company outside the U.S. that manages motorway toll systems provided information for obtaining full VPN access into the system that supports the road tollways. The e-mail included information about the VPN software, usernames, and passwords.

They’re already being used to spy on companies:

Some of the companies whose doppelganger domains have already been taken by entities in China included Cisco, Dell, HP, IBM, Intel, Yahoo and Manpower. For example, someone whose registration data suggests he’s in China registered kscisco.com, a doppelganger for ks.cisco.com. Another user who appeared to be in China registered nayahoo.com, a variant of the legitimate na.yahoo.com (a subdomain for Yahoo in Namibia).

Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did.

He also said that out of the 120,000 e-mails that people had mistakenly sent to their doppelganger domains, only two senders indicated they were aware of the mistake. One of the senders sent a follow-up e-mail with a question mark in it, perhaps to see if it would bounce back. The other user sent out an e-mail query to the same address with a question asking where the e-mail had landed.

Defenses are few:

Companies can mitigate the issue by buying up any doppelganger domains that are still available for their company. But in the case of domains that may already have been purchased by outsiders, Kim recommends that companies configure their networks to block DNS and internal e-mails sent by employees that might get incorrectly addressed to the doppelganger domains. This won’t prevent someone from intercepting e-mail that outsiders send to the doppelganger domains, but at least it will cut down on the amount of e-mail the intruders might grab.

I suppose you can buy up the most common typos, but there will always be ones you didn’t think about—especially if you use a lot of subdomains.
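The two defenses above (register the likely typos yourself, and stop your own outbound mail from going to the ones you can't register) both start from the same list. Here is an added example, not from the original post or from the researchers' work, that builds that list from a few of your own domains and then checks an outbound recipient against it the way a mail gateway would. It covers the two doppelganger classes in the post, single-character typos in the registrable label (countrpane.com) and dropped dots between subdomains (mailcounterpane.com); the domain names are illustrative.

```python
"""Doppelganger-domain defenses for your own mail domains (added example,
not from the original post). Domain names are illustrative."""


def _typo_labels(label: str) -> set[str]:
    """Single-character omissions and adjacent transpositions of one label,
    the two typo classes behind the post's countrpane.com example."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                           # omission
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)   # transposing identical neighbours gives the original back
    out.discard("")
    return out


def doppelgangers(hostname: str) -> set[str]:
    """All doppelgangers of one hostname: typos of the registrable label
    (countrpane.com for counterpane.com) and one dropped dot between
    subdomains (mailcounterpane.com for mail.counterpane.com)."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        return set()
    found = set()
    sld, tld = labels[-2], labels[-1]
    for typo in _typo_labels(sld):
        found.add(f"{typo}.{tld}")
    # Merge two adjacent labels; the last pair is SLD.TLD and is never merged,
    # since "counterpanecom" is not a registrable domain.
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        found.add(".".join(merged))
    found.discard(hostname.lower())
    return found


def build_blocklist(own_domains: list[str]) -> set[str]:
    """Doppelgangers of every domain we own, minus anything we actually own.
    This is the list to register where still available and to block in DNS
    and at the outbound mail gateway otherwise."""
    block = set()
    for domain in own_domains:
        block |= doppelgangers(domain)
    return block - {d.lower() for d in own_domains}


def check_recipient(address: str, blocklist: set[str]) -> bool:
    """True when the recipient domain, or any parent of it, is a doppelganger
    of one of ours; a gateway would reject or quarantine that message."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    parts = domain.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


if __name__ == "__main__":
    own = ["counterpane.com", "mail.counterpane.com"]
    blocklist = build_blocklist(own)
    print(len(blocklist), "doppelgangers, e.g.", sorted(blocklist)[:5])
    for rcpt in ("bob@countrpane.com", "bob@ops.mailcounterpane.com", "bob@counterpane.com"):
        print(rcpt, "->", "BLOCK" if check_recipient(rcpt, blocklist) else "ok")
```

The generator is deliberately narrow: it does not cover keyboard-adjacent substitutions, doubled letters, or homoglyphs, and every extra subdomain you use multiplies the dot-dropped variants, which is the author's point about never catching them all. The outbound check is the cheap half of the defense, since it only needs your own list and sees every message your users send.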

Posted on September 16, 2011 at 5:22 AM

Forged Google Certificate

There’s been a forged Google certificate out in the wild for the past month and a half. Whoever has it—evidence points to the Iranian government—can, if they’re in the right place, launch man-in-the-middle attacks against Gmail users and read their mail. This isn’t Google’s mistake; the certificate was issued by a Dutch CA that has nothing to do with Google.

This attack illustrates one of the many security problems with SSL: there are too many single points of trust.

EDITED TO ADD (9/1): It seems that 200 forged certificates were generated, not just for Google.

EDITED TO ADD (9/14): More news.

Posted on September 1, 2011 at 5:46 AM

Details of the RSA Hack

We finally have some, even though the company isn’t talking:

So just how well crafted was the e-mail that got RSA hacked? Not very, judging by what F-Secure found.

The attackers spoofed the e-mail to make it appear to come from a “web master” at Beyond.com, a job-seeking and recruiting site. Inside the e-mail, there was just one line of text: “I forward this file to you for review. Please open and view it.” This was apparently enough to get the intruders the keys to RSA’s kingdom.

F-Secure produced a brief video showing what happened if the recipient clicked on the attachment. An Excel spreadsheet opened, which was completely blank except for an “X” that appeared in the first box of the spreadsheet. The “X” was the only visible sign that there was an embedded Flash exploit in the spreadsheet. When the spreadsheet opened, Excel triggered the Flash exploit to activate, which then dropped the backdoor—in this case a backdoor known as Poison Ivy—onto the system.

Poison Ivy would then reach out to a command-and-control server that the attackers controlled at good.mincesur.com, a domain that F-Secure says has been used in other espionage attacks, giving the attackers remote access to the infected computer at EMC. From there, they were able to reach the systems and data they were ultimately after.

F-Secure notes that neither the phishing e-mail nor the backdoor it dropped onto systems was advanced, although the zero-day Flash exploit it used to drop the backdoor was advanced.

Posted on August 30, 2011 at 6:25 AM

Spear Phishing Attacks from China Against Gmail Accounts

Reporters have been calling me pretty much constantly about this story, but I can’t figure out why in the world this is news. Attacks from China—old news; attacks from China against Google—old news; attacks from China against Google Gmail accounts—old news. Spear phishing attacks from China against senior government officials—old news. There’s even a WikiLeaks cable about this stuff.

When I first read the story, I decided it wasn’t worth blogging about. Why is this news?

Posted on June 2, 2011 at 9:48 AM

Bin Laden Maintained Computer Security with an Air Gap

From the Associated Press:

Bin Laden’s system was built on discipline and trust. But it also left behind an extensive archive of email exchanges for the U.S. to scour. The trove of electronic records pulled out of his compound after he was killed last week is revealing thousands of messages and potentially hundreds of email addresses, the AP has learned.

Holed up in his walled compound in northeast Pakistan with no phone or Internet capabilities, bin Laden would type a message on his computer without an Internet connection, then save it using a thumb-sized flash drive. He then passed the flash drive to a trusted courier, who would head for a distant Internet cafe.

At that location, the courier would plug the memory drive into a computer, copy bin Laden’s message into an email and send it. Reversing the process, the courier would copy any incoming email to the flash drive and return to the compound, where bin Laden would read his messages offline.

I’m impressed. It’s hard to maintain this kind of COMSEC discipline.

It was a slow, toilsome process. And it was so meticulous that even veteran intelligence officials have marveled at bin Laden’s ability to maintain it for so long. The U.S. always suspected bin Laden was communicating through couriers but did not anticipate the breadth of his communications as revealed by the materials he left behind.

Navy SEALs hauled away roughly 100 flash memory drives after they killed bin Laden, and officials said they appear to archive the back-and-forth communication between bin Laden and his associates around the world.

Posted on May 18, 2011 at 8:45 AM

How did the CIA and FBI Know that Australian Government Computers were Hacked?

Newspapers are reporting that, for about a month, hackers had access to computers “of at least 10 federal ministers including the Prime Minister, Foreign Minister and Defence Minister.”

That’s not much of a surprise. What is odd is the statement that “Australian intelligence agencies were tipped off to the cyber-spy raid by US intelligence officials within the Central Intelligence Agency and the Federal Bureau of Investigation.”

How did the CIA and the FBI know? Did they see some intelligence traffic and assume that those computers were where the stolen e-mails were coming from? Or something else?

Posted on April 12, 2011 at 6:03 AM

Epsilon Hack

I have no idea why the Epsilon hack is getting so much press.

Yes, millions of names and e-mail addresses might have been stolen. Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalized and better targeted phishing attacks.

So what? These sorts of breaches happen all the time, and even more personal information is stolen.

I get that over 50 companies were affected, and some of them are big names. But the hack of the century? Hardly.

Posted on April 5, 2011 at 12:58 PM

Comodo Group Issues Bogus SSL Certificates

This isn’t good:

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.

More news articles. Comodo announcement.

Fake certs for Google, Yahoo, and Skype? Wow.

This isn’t the first time Comodo has screwed up with certificates. The safest thing for us users to do would be to remove the Comodo root certificate from our browsers so that none of their certificates work, but we don’t have the capability to do that. The browser companies—Microsoft, Mozilla, Opera, etc.—could do that, but my guess is they won’t. The economic incentives don’t work properly. Comodo is likely to sue any browser company that takes this sort of action, and Comodo’s customers might as well. So it’s smarter for the browser companies to just ignore the issue and pass the problem to us users.

Posted on March 31, 2011 at 7:00 AM

Using Language Patterns to Identify Anonymous E-Mail

Interesting research. It only works when there’s a limited number of potential authors:

To test the accuracy of their technique, Fung and his colleagues examined the Enron Email Dataset, a collection which contains over 200,000 real-life emails from 158 employees of the Enron Corporation. Using a sample of 10 emails written by each of 10 subjects (100 emails in all), they were able to identify authorship with an accuracy of 80% to 90%.
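To make the "limited number of potential authors" caveat concrete, here is an added example, not from the original post or from Fung's research, of the simplest form of this kind of attribution: build a frequency profile of each candidate author's known mail, then score an unknown message by cosine similarity against each profile. It uses lower-cased word and punctuation tokens as the features (real stylometry uses richer ones, such as character n-grams or function-word rates, but the scoring is the same) and refuses to name an author when nothing matches, which is the closed-set limitation the post points to. The authors and e-mails are constructed.

```python
"""Closed-set authorship attribution by profile similarity (added example,
not from the original post or the cited research). Training mail is constructed."""
import math
import re
from collections import Counter

TOKEN = re.compile(r"\w+|[^\w\s]+")   # words and runs of punctuation ("!!", "?")

# Constructed training data: three authors with deliberately distinct habits.
TRAINING = {
    "alice": ["hey u got the file? pls send thx",
              "pls call me back thx u"],
    "bob":   ["Dear all, kindly review the attached figures. Regards",
              "Dear Jane, kindly confirm receipt of the contract. Regards"],
    "carol": ["Wow!! That was amazing!! See you soon!!",
              "Great news!! The deal closed!! Party tonight!!"],
}


def features(text: str) -> Counter:
    """Token frequencies of one message. Swap in character n-grams or
    function-word counts here without touching the rest."""
    return Counter(TOKEN.findall(text.lower()))


def build_profiles(training: dict[str, list[str]]) -> dict[str, Counter]:
    """One summed feature profile per known author."""
    profiles = {}
    for author, mails in training.items():
        profile = Counter()
        for mail in mails:
            profile.update(features(mail))
        profiles[author] = profile
    return profiles


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def similarities(text: str, profiles: dict[str, Counter]) -> dict[str, float]:
    feats = features(text)
    return {author: cosine(feats, profile) for author, profile in profiles.items()}


def attribute(text: str, profiles: dict[str, Counter], min_similarity: float = 0.0):
    """Best-matching known author, or None when no profile scores above the
    threshold. Without the threshold the method always names somebody, which
    is exactly why it only works for a small, closed set of candidates."""
    author, score = max(similarities(text, profiles).items(), key=lambda kv: kv[1])
    return author if score > min_similarity else None


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for unknown in ("u there? pls reply asap thx",
                    "Dear Ann, kindly review the attached contract. Regards",
                    "Quarterly revenue exceeded projections"):
        print(repr(unknown), "->", attribute(unknown, profiles),
              {a: round(s, 2) for a, s in similarities(unknown, profiles).items()})
```

Two things the toy makes visible: with three candidates and a strong stylistic signal, even a crude feature set separates them, and a message by an outsider still gets assigned to whichever insider it happens to share a few common words with unless a threshold is imposed. The 80 to 90% figure in the quote is for ten candidates with ten known messages each, and the number of candidates is the quantity that drives the error rate.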

Posted on March 14, 2011 at 5:04 AM

