Hackers using Social Engineering attacks are getting much better at their craft, and people are making it very easy for them. A Social Engineer will use information gathered about a person, place or business in specially crafted attacks that play on people’s thoughts, beliefs or emotions.

But how do they get personal information that they could use against someone?

Drum roll please…

Social Media sites!

“No way”, you say, “I only give friends, colleagues and people I know access to my Facebook page.” Do you really? I mean come on, let’s be honest. We have all seen them, people with 500, 1000, even 2000 people or more on their friends list. Do they really know all those people?

People are human, and humans are always into popularity contests. It reminds me of the TV commercial where the daughter is sitting in front of her computer with hundreds of friends on her social media site. And she is making fun of her parents who have like 5 on their site, but then it shows the parents out kayaking (or something like that) with friends.

Hackers are using this very weakness of the human psyche to gain pertinent and sometimes very personal information about a person. But how you ask?

How about Linked-In? Do you get friend requests from people you have never heard of that “know you” from some website, have similar likes or dislikes, or attended the same conference? Hackers are gaining full technical backgrounds, co-worker names, titles and even full resumes using this very simple tactic.

It also works on Facebook. Except here, social engineers gain personal information about you. Everything from news about your family, your interests (sports, clubs, etc), heck some even go as far as to tell you their travel plans and even food preferences. Sometimes a lucky hacker will even get the daily itinerary of a very trusting individual.

How could they leverage this information in an attack?

Simple, from Linked-In they could craft an e-mail saying they are from some company that you worked with or for. Or from Facebook, that they are from your kid’s school or from one of the many clubs that you attend and have scheduling or other important “news”. All this in an attempt to get you to click on a link that heads to a malware infested site or to get you to run a PDF file that contains a backdoor trojan.

A friend recently received an e-mail supposedly from the technical support department for a product that he actually owned. It was about an important update and the link for the update led to a site that tried several browser exploits in attempts to install remote access malware. It was very believable, luckily the broken English in the e-mail made him think twice before he visited the site.

How do you protect yourself from these types of attacks?

It is always best to actually know or have met the person that you are allowing into your social media circles. Limit the level of personal information that you place on these sites. And be very careful telling people your schedules. Do your 2000+ friends really need to know that you will be out of the country for 2 weeks and what airline you will use and what hotel you will be staying at?

Just some things to think about. Hackers are getting much better using Social Engineering attacks. A little discretion will go a long way.

Security Onion is one of my favorite tools. Doug Burks did an amazing job pulling many of the top open source Network Security Monitoring (NSM) and Intrusion Detection System (IDS) programs. You can run Security Onion in Live CD mode, or you can install it and run it off of your hard drive.

It’s based on Xubuntu 10.04 and contains a ton of programs including Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools. Sounds complicated right? Well, Doug has done the hard work in pulling all these tools together into an easy to use Linux distribution.

Run this on a system that has two network cards and you have a complete NSM/IDS system. One NIC connects to your network or the internet side of your traffic and records and monitors every packet that comes in or goes out of your system. The second NIC connects to your LAN side and can be used to remotely view and monitor intrusion attempts and security threats.

The exceptional basic setup video above was created by Adrian Crenshaw aka “Irongeek”. Adrian has always done an amazing job passing on information on the latest security tools and techniques. Irongeek.com has a ton of videos and security how too’s, check it out!

Hakin9 is well known in the security circles and is just a great magazine. It is known as “A magazine for IT security professionals by IT security professionals”. It covers some of the latest information on attack and defense tactics that are out there.

For those of you who are not familiar with Hakin9, the Worldwide IT Security magazine started in 2005 and is released 4 times a month:

• Hakin9 (release date:1stof each month) – 50 pages of content dedicated to IT security, few regular columns written by specialists
• Hakin9 Mobile (release date: 7th of each month) – 40 pages of content devoted to hacking and security of mobile devices and applications
• Hakin9 Extra (release date: 15thof each month) – 50 pages of strictly topical content dedicated each time to different hot security topic
• Exploiting Software (release date: 22nd of each month) – 40 pages of content dedicated to latest software exploits and security

This months Exploiting Software magazine has some interesting articles including:

Starting to Write Your Own Linux Schellcode
Buffer Overflow Exploitation A to Z
Anatomy of the Black Hole Exploit Kit
Hacking Applets: A Reverse Engineering Approach
The Gentoo Hardened Project: Or How to Minimize Exploits Risks

And, forgive me for some shameless self promotion, How to Recover Passwords from a Memory Dump.

How to Recover Passwords from a Memory Dump

Malware analysis is an amazing field. To be able to grab a memory dump from a live machine and then have the capabilities to pull useful information from it just amazes the author. Can we find pertinent system settings, and even pull information from them? Were you ever curious about what could be done with a memory dump of an active computer? This article is a short demonstration on how to acquire a memory dump from a running system, and then how to use tools to not only recover the system password hashes from the memory dump, but also how to decode them.

The Hakin9 article I wrote is based on the memory forensics topics & hash cracking posts that have been covered recently here on CyberArms. I am pretty excited about it, and hope you like it too.

Check it out!

According to the Rapid 7 Blog the following exploits that target General Electric’s D20 PLCs have been added to Metasploit:

• d20pass : This module leverages a pretty major information disclosure for the device — turns out, anyone who connects to the TFTP server on the D20 can snag the complete configuration for the device, which includes plaintext usernames and passwords. This module does just that — downloads the configuration file, parses out the credentials, and stores them in Metasploit’s database for reuse.
• d20tftpdb : This module demonstrates an asynchronous backdoor functionality in the D20 via the TFTP interface. Again, in an unauthenticated way, anyone can connect to the TFTP server, and issue command by writing to a special location on the filesystem. Also again, this is a pretty big deal. Note that this module is currently still in the unstable Metasploit branch pending a little more QA work on getting this (pretty unique) command and channel all nice and automated. As is, though, it works just fine for demonstration purposes, and if you have some of these PLCs in your environment, you are encouraged to investigate this more (and send patches!).

With the media hype of “CyberWar” and the news of hacker attacks against critical infrastructure systems, this is a shocking move by the Metasploit team. But maybe that is what they intended.

Metasploit is used for network security and penetration testing and it is very good. There are automated options that you can use with Metasploit that will try numerous exploits against a system, and give you a remote shell if one of them works. Taking this technology  and adding in PLC exploits is truly scary, or should I say, push button easy.

Just last month the FBI released the news that infrastructure systems of three US cities were hacked:

“We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city.” And, “Essentially it was an ego trip for the hacker because he had control of that city’s system and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things.”

The problem is, even though people who run PLC devices in a SCADA environment have had years of warnings, many systems are still woefully unprotected, some even using default passwords. And many of these systems can be found using simple online search tools.

Most likely the thinking behind publicly releasing a tool to automate PLC exploits is that it will force companies to lock down their SCADA systems, as Dale Peterson, founder of Digital Bond states:

“We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results. These attacks have existed in theory for a while, but were difficult to demonstrate to a Plant Manager. By creating exploit modules for the most widely used exploit framework – Metasploit – we hope that security professionals in critical infrastructure companies, consultants, and penetration testers will prod vendors to add basic security measures to PLCs after decades of neglect.”

Hopefully this tactic works and the good guys are the ones using the tools.

US Army A160 Hummingbird VTOL UAS

By early summer, the US Army will deploy three of these robotic helicopters to Afghanistan.

“The U.S. Army is using a hybrid-type acquisition approach to develop a helicopter-like, Vertical-Take-Off-and-Landing Unmanned Aerial System with a so-called ARGUS wide-area surveillance sensor suite designed to beam back information and images of the surrounding terrain, service officials said.”

This unmanned eye in the sky will come packing a whopping 1.8-gigapixel color camera, and will be able to scan an area of about 25 miles.

“To provide a sense of just how high-resolution this sensor is, Leininger compared it to a standard cell phone camera. A cell phone image typically runs between 1 million and 2 million pixels. With ARGUS-IS, it’s 900 to 1,800 times that number — enough to track people and vehicles from altitudes above 20,000 feet.”

USMC Kaman K-Max

This unmanned cargo helicopter is already in service in Afghanistan. Two were sent in August of last year for battlefield trials. One successfully completed an actual mission last month.

They will be used for resupplying troops in hard to get to or dangerous locations. The K-Max can be flown remotely or the more traditional way requiring a pilot:

“K-MAX, which employs a unique counter-rotating, dual-rotor design that eliminates the need for a tail rotor, is capable of lifting 6,000 pounds, or nearly its own weight. Originally designed as a manned civilian craft, K-MAX has been modified by Lockheed to operate with or without a pilot onboard.”

The goal in Afghanistan is to reduce the number of manned convoys. Drone vehicles could eventually account for a large portion of resupply missions:

“Pratson has said a single K-MAX helicopter could reduce reliance on convoys to resupply forward operating bases in Afghanistan by 6 percent. At that volume, a fleet of 16 to 20 aircraft theoretically could handle 100 percent of the resupply mission in Afghanistan, although that isn’t the plan for now.”

Robots of the Future

The military has already made heavy use of robots in detecting and disposing of explosive and IED devices. But the push is on to make these robots even more autonomous and intelligent. The Space and Naval Warfare Systems Center Pacific is working with the Naval EOD technology division to create the next generation robots.

According to the Department of the Navy’s October-December 2011 issue of CHIPS magazine, color and infrared technologies will be used to map an area and detect hostile targets or suspicious devices:

“The Autonomous Robotic Mapping System (ARMS), for example, can automatically explore an unknown or hostile environment while building a highly accurate and detailed map. A scanning laser rangefinder measures distance to all surrounding objects within a 360-degree field of view, and stereo cameras assist with three-dimensional rendering. No human guidance is necessary, other than initial high level direction telling the robot where to search.”

Military drones and robots currently save lives and with the demand for more and better platforms, they will increasingly take over more common and dangerous tasks making our troops safer and more effective.

(Photo/China Daily, mod.gov.cn)

According to the China News Service (ECNS), China is a victim in cyberwar and needs to develop a strong security force to defend itself from further attacks. Hence the “Online Blue Army” has been created and is ready for cyber warfare.

Using rhetoric similar to cold war Soviet Union, CNS paints China as the developing nation trying to defend itself against international threats.

When I was a child growing up I heard numerous times that the Soviet Union needed so many nuclear missiles to protect it’s vast land mass from aggressors. Everyone knew though that the large missile stockpile was more of a threat than a safety net. It seems that China may be trying to play the same card.

Granted China has the most internet users, about 485 million. That is a lot of users, especially when compared to the US who sits at #2 with 245 million. The scary part is that the US already has about 80% of our population connected, whilst China is only about 40% connected. And just by shear number of users, would have a large amount of virus infections.

But is China the victim that they claim? ECNS states,  “China can be described as merely a computer user with a fairly fragile Internet security system. These are circumstances that cry out for the build up of Internet security forces.”, and, “China is a defender in the cyber war battlefield, fending off the ‘information warfare’ and ‘media warfare’ of others...”

Not likely, China has faced international condemnation from numerous nations that claim China has not only infiltrated key networks, but have exfiltrated government and military secrets. But yet, they claim that the “Online Blue Army” will help defend China’s military internet and that it is only in an “entry level” state:

Li Li, a military expert at the National Defense University, told the People’s Daily that compared with the online military units of Western countries, China’s “Online Blue Army” is currently at its fledging stage, and applied more in online maneuver mode than as an organic, large-scale online army.

Though the article denies that the “Blue Army” tag has any relevance, in military war games the “Red Team” is normally the aggressor force, and the “Blue Team” is usually the defending force or “good guys”.

China already has a very strong cyber capability. I am really not sure what they are trying to prove or who they are trying to deceive by this obvious propaganda piece, but we are not buying it.

Once they had it, they are now trying to convince us that they can extract data from the encrypted on-board database, reverse engineer the drone and use the technology to make their own UAV drones that are comparable or more superior to the US.

But how advanced is Iran’s home grown UAV program?

An Iranian college recently released information on a UAV that they have created:

At first it looks like a full size leer jet, until you notice the car in the background. Another thing that stands out of this homegrown Iranian Drone is the word “Honda” on the side.

Hmm… Either this means “Death to America” in Farsi or could China be helping them build a new class of advanced drones?

Apparently you too can have your own Advanced Iranian UAV. Our researchers have found not only a blueprint for the classified design, but a complete parts kit and instruction manual (written in English!):

You can even buy one for yourself or a friendly third world country.

Tell them Ahmadinejad referred you for a 10% discount! Order in the next 15 minutes and get the new Ahmadinejad bobble head doll with realistic “Death to America” action.

Act now, supplies are limited!

(Okay, before my inbox gets flooded with e-mails, the CIA starts to investigate me or Model RC Planes Inc. gets hit with angry people who want a 10% discount or an Ahmadinejad bobble head doll, this is just a joke!  )

I had to take a relative out of town to see a specialist at a “more modern and up to date” medical facility. Apparently the local award winning hospital was just not good enough. And you can tell he was a specialist, because the hour wait to get into an examination room was followed by another hour waiting to be actually seen by the doctor for 5 minutes.

While I was there I was shocked by the lengths that they went to enforce HIPPA privacy. No longer do you wait in a cattle line to check in. No way, you waited in a lobby with your hands folded gently in your lap for your number to be called. And when the glorious bank teller like receptionist finally called you, you hesitantly approached the exalted one and waited behind a line painted on the floor ten feet from the desk.

Just in case you missed the bright yellow line and the painted feet showing you where to stand, signs posted everywhere stated in a draconian font, “For patient safety, stand behind the painted line until called, or you will be shot.” Or something like that. I guess they didn’t want you to see that the receptionist was on Facebook before they were ready for you.

Each receptionist Window had wide blinds installed so that you couldn’t see anything going on at the next receptionist window. And each computer monitor had a privacy screen to protect that classified patient data.

Once in the exam room all seemed to change though. The nurse dutifully checked my relative’s vitals, logged into the Windows XP computer in the room and entered all the information into their online system. She then told us the doctor would be in to see us within the next month or so and left the room.

Sitting there pondering life for what seemed like an eternity, I noticed several things. One, she seemed to stay logged into the patient database when she left the room. Two, no password protected screen saver kicked on. Three, she left the logged in system unattended in a room with patients for literally about an hour. Four, when the Doctor finally graced us with his presence, he did not log in, just moved the mouse to turn off the screen saver and started viewing my relatives file.

Finally when we left, we had to go the the billing window. Again, the wait behind the line nonsense. Then the billing window with the privacy dividers and screens. As I stood there as my relative paid the co-pay, I looked at the wall beside the checkout clerk. In plain site was a note that stated:

Wireless Password: (And it listed a Password)

John XXXXX – IT Tech Support guy
XXXXXXXX – Tech Support Company Name
XXX-XXXX – Tech Support Phone Number

Okay, noticing that the Billing workstations seemed to be connected wirelessly, one could assume that the listed password was indeed the password used to connect to the wireless network. Also, the listing of the tech support personnel name, company and phone number is a social engineer’s dream.

The Bible verse, “Strain at a gnat, but swallow a camel” really came to mind when we left. They went to exorbitant levels to protect individual patient privacy, but then left the keys of the kingdom out in plain view. Hopefully this isn’t an example of every doctor’s office, but a little knowledge about how a social engineer attacks a network would come in a long way in not just protecting one patient’s privacy, but the security of the whole patient database.

]]> http://cyberarms.wordpress.com/2012/01/10/medical-office-insecurity-hippa-gone-wild/feed/ 0 D. Dieterle Doctor GasMask http://cyberarms.wordpress.com/2012/01/09/israel-hackers-counterhack-and-steal-saudi-credit-cards/ http://cyberarms.wordpress.com/2012/01/09/israel-hackers-counterhack-and-steal-saudi-credit-cards/#comments Mon, 09 Jan 2012 19:09:52 +0000 D. Dieterle http://cyberarms.wordpress.com/?p=3137 ]]>

On Saturday a pro-Palestinian hacker, who seemed to be from Saudi Arabia, leaked thousands of Israeli credit cards stolen from websites frequented by Israeli shoppers.

Israeli officials denounced the leak, and compared the theft to terrorism. According to Reuters, Israeli Deputy Foreign Minister Danny Ayalon stated in a speech that the attacks were “a breach of sovereignty comparable to a terrorist operation, and must be treated as such,” and “Israel has active capabilities for striking at those who are trying to harm it, and no agency or hacker will be immune from retaliatory action.“

Reports have surfaced that the hacker was actually from Mexico, not Saudi Arabia. And also that Ayalon’s personal website was re-directed after his speech to point to an Islamic website that stated through Google Translate, “We declare war in cyberspace, do not be afraid of these monkeys.”

In a tit for tat type move, Ynetnews.com news just released a report stating that Pro-Israeli hackers breached Saudi shopping sites and that they have thousands of Saudi credit cards and personal information. “If the leaks continue, we will cause severe damage to the privacy of Saudi citizens,” one of the Israeli’s stated.

But it does not sound like the Israeli group will stop with just the credit card counter hack. “We could not stay silent after the pompous boasting of the Saudi hacker. A few Israeli hackers came together and decided on various responses for each cyber activity that would be carried out against Israel, including responses beyond the cyber world.”

He added that they would counterattack in the cyber realm for any terrorist attack against Israel, “If a terror attack were to take place, we will make every effort to publish the terrorist’s personal details and those of his family.”

I am a staunch supporter of Israel, but in this feud with continuous attacks and retaliations, one has to ask, when does it end?

]]> http://cyberarms.wordpress.com/2012/01/09/israel-hackers-counterhack-and-steal-saudi-credit-cards/feed/ 0 D. Dieterle http://cyberarms.wordpress.com/2012/01/03/japan-building-automatic-cyber-defense-virus/ http://cyberarms.wordpress.com/2012/01/03/japan-building-automatic-cyber-defense-virus/#comments Wed, 04 Jan 2012 02:07:58 +0000 D. Dieterle http://cyberarms.wordpress.com/?p=3130 ]]>

Japan steps it up a notch in the cyber war arena. Apparently the Japanese government has hired IT product giant Fujitsu to create a cyberweapon virus that will automatically seek out and destroy enemy viruses:

“The three-year project was launched in fiscal 2008 to research and test network security analysis equipment production. The Defense Ministry’s Technical Research and Development Institute, which is in charge of weapons development, outsourced the project’s development to a private company. Fujitsu Ltd. won the contract to develop the virus, as well as a system to monitor and analyze cyber-attacks for 178.5 million yen.”

That’s a cool 2.3 million to create an offensive cyber defense system that will not only detect an attack, but will backtrack and seek out the attacker, even when attackers bounce through several proxy systems.  According to the article the “virus” will disable the incoming attack and record forensics data.

The defensive program almost acts like a human immune system tracking down and weeding out invading viruses. Systems like these are needed when facing the latest advanced threats.

Actually computer scientists and engineers are currently studying the human immune system to try to replicate it for computer defense.

Though automated cyber defense systems are classified, from what public data is available the US has had this capability for at least a couple of years now. US computer security company Rsignia comes to mind immediately. Rsignia creates cutting edge security devices used by the US government and in the US-CERT Einstein program.

We covered Rsignia’s Cyberscope automated offensive cyber weapon system back in 2010.

Cyberscope has the ability to detect and automatically counterattack incoming threats. It has several options that it can use in response. For example it can simply shut the attacking stream down or intercept the data that it being ex-filtrated, manipulate it, and feed it back to the attack. Or better yet, it can even infect the proxy machines used and turn them into bots to counter attack the infiltrator.

These were the capabilities openly discussed in mid-2010, who knows how far the US has advanced since.