Week in security: FBI malware, billion password leak – Chinese hotel goes mad | WeLiveSecurity


With Black Hat 2014 in full swing in Las Vegas, it was never going to be a quiet week - but revelations about FBI malware and a trove of a billion passwords inspired furious debate too.


With Black Hat 2014 in full swing in Las Vegas, it was never going to be a quiet week in the world of security – with hacks ranging from the surreal to the terrifying demonstrated, and vicious argument over the week’s most controversial presentation – which claimed that aeroplane communication systems could be hacked via in-flight Wi-Fi.

Even outside the presentations at the Mandalay Bay, ripples were spreading through the secret world of Tor, with suspicions seemingly confirmed that the FBI had been using malware against site users on the hidden service to identify the MAC addresses of “hidden service” users.

Visit the wrong site – get malware from Feds

The story, broken by Wired’s Kevin Poulsen, offered a detailed analysis of the attacks and their context: “For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”

Most high-profile arrests of the administrators of Tor “hidden service” sites have relied on alleged perpetrators leaking information in the real world – as in the case of the arrest of alleged Silk Road founder Ross Ulbricht.

The FBI’s technique relied on a now-replaced version of the Tor browser bundle, but used malware to send addresses to a server in Virginia, according to The Tor Project. It raised legal questions over what a government agency was doing using malware against suspects, malware which remained on computers “for years”, according to Poulsen. Even Tor’s most ardent defenders find “hidden” child pornography services difficult to define as “freedom of speech” – but there are legal questions to be answered about the FBI’s methods.

X marks the spot: Billion-password trove is ‘biggest ever’

Passwords are often posted online in thousands or millions – but this week, a security company revealed the existence of a treasure-trove thought to be the biggest in history: 1.2 billion usernames and passwords, along with 542 million email addresses.

The stolen credentials were in the possession of “CyberVor” – “vor” meaning “thief” in Russian – and had been stolen from 420,000 different websites, before being unveiled by Milwaukee firm Hold Security, along with the New York Times.

Others were a little more skeptical of this hoard, the cyber equivalent of finding both the Ark of the Covenant and the Holy Grail in one place – with Forbes questioning why the main use of this awe-inspiring collection of data had so far been to send spam, and to sell passwords so that others could send more spam. This is not a high-profit business – and with a billion passwords, you should surely be able to do something a bit bigger. It’s also unclear how new the credentials really are. Forbes also questioned Hold Security’s role, as the company is a small player with much to gain from publicity.

Point of sale terminals under assault

Point of sale systems are becoming scarier by the week – after last week’s article here on We Live Security, Lysa Myers reports another very good reason not to use plastic to pay for anything in American stores.
A new PoS malware warning was issued this week by Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).

The malware, which had already been detected for some time by ESET (Win32/Spy.Agent.OKG), is referred to as “Backoff” by US-CERT. The technical details can be found here. There is also a report you can download as a PDF.

Backoff brute-forces its way onto remote desktop access systems that have access to Point-of-Sale systems, and installs a RAM scraper which harvests credit card numbers. This sort of malware is multiplying – as Myers puts it, POS terminals are “low-hanging fruit”, and small businesses a particular target.

Myers’ guide to securing POS systems can be found here.

DoS is dead: Cybercriminals prefer malware

America’s Computer Emergency Response Team has made headlines with grim regularity for years – but the British version just celebrated its 100th birthday. (A hundred days, that is.)
The new agency has a firm grasp of fashions in cybercrime – claiming that denial-of-service attacks were on the way out and malware was “in”, with 25% of incidents reported to the agency related to malware, in what it described as a “cat and mouse” game between gangs and corporations.

During its first 100 days, the organization has dealt with 500 businesses, and says communication is critical in cases such as the co-ordinated action against GameOver Zeus. CERT said that it was ‘critical’ that “information flows freely between Government and industry”.

No security conference would be complete without a few attacks against defenseless household appliances – last year, an e-toilet fell victim, and a Tesla Model S was hacked in motion by a group of Chinese students only last week. So Black Hat had to go one better: a presentation claimed that in-flight Wi-Fi could be used to hack aeroplane systems, and that similar hacks could baffle ships and lead soldiers into ambushes.

Santamarta’s presentation focuses on major brands and widely used systems – and he claims that 100% of the systems under test had vulnerabilities. Weak encryption and “backdoors” which could allow hackers control over communication are rife in all systems under test, according to RT. Some attacks can be performed with an SMS, Santamarta claims.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it,” Santamarta says.

“Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.”

The companies concerned responded quickly to explain that while such hacks might work in the lab, the world was a rather more complex place.

Internet of Evil Things

Meanwhile, the Internet of Things once again fell victim to a hacker – who turned an entire Chinese hotel mad using only an iPad. Today’s fashion for high-end electronics in luxury hotels allowed a hacker to wreak havoc in 200 suites at once in a five-star hotel in China via an aging ‘internet of things’ system – switching off lights, changing the TV channel, raising blinds and fiddling with the temperature, according to Sky News.

Security researcher Jesus Molina said that his hack was pulled off using an in-room iPad and the hotel’s ‘internet of things’ system, and began simply because he was “bored”. “I thought about looking to see if a similar system controlled the door locks but got scared,” says Molina, according to Wired’s report.

That did not stop him from switching on and off the “Do Not Disturb” signs on hotel rooms, according to the South China Morning Post.