Post-Holiday Catch-Up: Hacking, Security, and Spies
By Mark Devlin
January 2, 2012
Think Your Wi-Fi’s Locked Down? Think Again.
Security researcher Stefan Viehböck discovered a huge vulnerability involving Wi-Fi routers and Wi-Fi Protected Setup (WPS). The U.S. Computer Emergency Readiness Team (CERT) has confirmed the discovery as real.
For more detail, see this article at ZDNet, and Viehböck’s paper (PDF).
Here’s a clip from the former (links intact)…
According to Viehböck, he took a look at WPS and found “a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide.” CERT agrees.
How bad is it? CERT states that “An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.”
The problem starts off with each router’s 8-digit PIN associated with either a physical or virtual button for ‘easy setup.’ When PIN authentication fails, a negative acknowledgement is triggered, and that acknowledgement lets a hacker know if the first part of the PIN is correct or not. It’s a bit convoluted, but here’s the bottom line, according to Engadget:
As a result, the 100,000,000 possibilities that the WPS should represent becomes roughly 11,000.
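Where the 11,000 figure comes from, as an added example (not code from Viehböck's paper, ZDNet or Engadget): a local Python model of a PIN check whose failure response reveals which half was wrong. It assumes the eighth digit is a check digit computed from the first seven, as the WPS specification defines, so only 10^7 of the 100,000,000 eight-digit strings are valid PINs; the function names and the sample PIN are constructed for illustration.

```python
# Added illustration: a local model of the PIN check, not router or tool code.

def check_digit(first7: int) -> int:
    """WPS check digit over the seven leading digits (weights 3,1,3,1,3,1,3)."""
    digits = [int(c) for c in f"{first7:07d}"]
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10


def make_pin(first7: int) -> str:
    """Build a valid 8-digit PIN from its seven free digits."""
    return f"{first7:07d}{check_digit(first7)}"


def leaky_check(secret: str, guess: str) -> str:
    """Flawed design: the failure response says which half was wrong."""
    if guess[:4] != secret[:4]:
        return "first-half-wrong"
    if guess[4:] != secret[4:]:
        return "second-half-wrong"
    return "ok"


def checks_needed_leaky(secret: str) -> int:
    """Number of checks until success when each half is confirmed separately."""
    count = 0
    for h1 in range(10_000):                      # 10^4 candidate first halves
        count += 1
        result = leaky_check(secret, f"{h1:04d}0000")
        if result == "ok":
            return count
        if result == "second-half-wrong":         # first half now known
            break
    for s3 in range(1_000):                       # 10^3: 4th digit is the check digit
        count += 1
        if leaky_check(secret, make_pin(h1 * 1_000 + s3)) == "ok":
            return count
    raise ValueError("secret is not a valid PIN")


def worst_case_opaque() -> int:
    """Pass/fail only on the whole PIN: every valid PIN may need trying (10^7)."""
    return 10 ** 7


if __name__ == "__main__":
    hardest = make_pin(9_999_999)                 # constructed sample PIN
    print(hardest, checks_needed_leaky(hardest), worst_case_opaque())
```

The worst case for the leaky design is 10,000 + 1,000 checks, against 10,000,000 when the device only answers pass or fail for the whole PIN.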
A tech once told me “NEVER press the easy-setup button to configure a network.” So, for years, I’ve been setting them up manually. It’s more of a hassle, but the tech’s advice seems to have been accurate.
What’s the fix for the WPS flaw? There isn’t one. It’s up to router manufacturers to figure it out and, presumably, offer a firmware upgrade down the road. Back to Engadget for a moment…
Viehböck has promised to release a brute force tool soon, thereby pushing the manufacturers to work to resolve the issue.
The New York Times: Hacked or Not Hacked?
Recent buzz indicated that The Gray Lady might’ve been hacked. On Dec. 28, confused Internet users received an email from The New York Times about their home delivery service. Most recipients had neither a subscription nor home delivery. See this piece at eWeek Security Watch.
The NYT soon said via Twitter, "If you received an e-mail today about canceling your NYT subscription, ignore it. It's not from us."
It turns out that a NYT employee did send out such a message. Problem? It was supposed to be sent to 300 people; instead, it went to more than 8 million.
Wow. Now that’s an email blast.
The upside? Everyone’s justifiably twitchy about hacking and identity theft these days but, in this case, it was just a mistake (a comedy of NYT errors, actually, which also included the offer of a special discount by mistake), and no subscriber data was compromised.
Anonymous to Think Tank: Merry Christmas! You’ve Been Hacked.
Strategic Forecasting, Inc., or StratFor, is a ‘global intelligence company founded in 1996 in Austin, Texas, by George Friedman.’ Ironically, StratFor’s ‘primary focus is to help clients with security.’ (Wikipedia is linked above since StratFor’s site was down at the time of this writing.)
Apparently, StratFor itself could use some help with security as, on Christmas Eve, the Anonymous hacktivist group…
…disclosed that not only has it hacked the Stratfor website (since confirmed by Friedman himself), but has also obtained the full client list of over 4000 individuals and corporations, including their credit cards (which supposedly have been used to make $1 million in 'donations'), as well as over 200 GB of email correspondence…
…according to this brief at Slashdot.
VentureBeat says that Anonymous stole more than 9,000 active credit card numbers in the attack. Why? Turn to the UK’s Telegraph…
One alleged hacker said the goal was to use the credit data to steal a million dollars – including, apparently, from individuals' accounts – and give the money away as Christmas donations. Images posted online claimed to show the receipts.
Beyond the obvious and typical outcomes of an Anonymous hacking, this one’s trickier for at least a couple more reasons…
1) Hackers affiliated with the Anonymous group said they are getting ready to publish emails stolen from private intelligence analysis firm Strategic Forecasting Inc, whose clients include the U.S. military, Wall Street banks and other corporations. See this National Post article for more.
2) U.S. intelligence analysis company Stratfor has warned its members whose emails and credit card information were hacked that they could be targeted a second time for speaking out on behalf of the company. For more on this, see another National Post piece.
Steal from the rich and give to the poor? Hmm. That’s a switch.
U.S. Chamber of Commerce: Hacked…
…not by Anonymous, but Chinese hackers, according to this Wall Street Journal article (via Engadget).
According to the Chamber, fewer than 50 of its members were compromised but, according to VentureBeat (links removed since they’re generic)…
The Chamber represents over three million US businesses, 96 percent of which are small businesses with 100 employees or less. The agency, situated in Washington D.C., lobbies for free enterprise, competition between US companies and entrepreneurship. Some of its bigger members include Adobe, Microsoft, Visa, and Google.
Besides the China connection, why is this break-in notable? Back to the WSJ…
"What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence," said the Chamber's Chief Operating Officer David Chavern.
Nevertheless, Chamber officials said they haven't seen evidence of harm to the organization or its members.
In this case, hackers not only broke in, but modified Chamber systems with…
…at least a half-dozen so-called back doors that allowed them to come and go as they pleased, one person familiar with the investigation said. They also built in mechanisms that would quietly communicate with computers in China every week or two, this person said.
The Chamber’s CEO said, with a stunning level of passivity…
"It's nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in," said Mr. Chavern, the chief operating officer. "It's the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again."
Seriously? Is the state of presumably high-level security really that bad?
Product Review Suspicions Confirmed…
…at least on sites in China.
One of the great things about the Internet is the availability of user-generated product reviews. I’ve often wondered, though—as you probably have—why does a particular set of reviews seem strangely and consistently positive? Well, in another case of Things Aren’t Always How They Seem…
Cheng Chen of the University of Victoria, Canada, worked as a paid poster in China's "Internet water army", so-called because its soldiers flood websites with posts about particular products. In a paper posted on arXiv, Chen and his colleagues describe how project managers organise teams of paid posters, supplying them with comments and video clips to post, and setting rules for when and how often to post, so that they avoid appearing part of a coordinated campaign.
So far, at least with this study, we’re only talking Chinese sites and Chinese antivirus companies.
Could product reviews be faked and scammed in the U.S.? Of course.
Stay tuned, and be careful out there.