This Week in Cybercrime: US Banks Targeted by DoS Attacks

There is a report today in the Chicago Tribune that PNC Bank users were having difficulty accessing the bank’s web site since Wednesday. PNC Bank joins Bank of America, Chase, JPMorgan Chase & Co., U.S. Bancorp, and Wells Fargo which have all experienced attacks this week.

According to a story at Bloomberg’s BusinessWeek, “A group calling itself Izz ad-Din al-Quassam Cyber Fighters claimed responsibility for the assault in a statement posted to the website pastebin.com, saying it was in response to a video uploaded to Google Inc.’s YouTube, depicting the Prophet Muhammad in ways that offended some Muslims.” However, few security experts believe the previously unknown group has the capability to mount such attacks without outside help, e.g., from Iran.

Senate Homeland Security committee chairman Joe Lieberman states flatly that the attacks are the work of Iran, according to a story at the LA Times. Lieberman is quoted as saying, “I think this was done by Iran and the Quds Force, which has its own developing cyber attack capacity. And I believe it was in response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”

Iranian officials deny any involvement.

Samsung issued an emergency update to its Galaxy S III smartphone on Wednesday. This reason was a report last week by a security researcher that the phone was vulnerable to being reset to factory conditions “via a single code embedded in a Web link, QR code, NFC connection, or SMS, supplying the correct factory reset code to wipe the device without warning the owner or asking for permission.” The code is – as expected – circulating on the Internet.

The vulnerability also may affect the Galaxy S II and possibly the Galaxy S, but Samsung is not saying whether it does, and if it does, when a patch will be released.

Telvent, the Canadian company, confirmed this week that it got hacked earlier this month. The company, which says that it manages “more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines,” saw its systems attacked across the US, Canada and Spain, reported security analyst and reporter Brian Krebs. Krebs states that the attacks were traced to China.

Krebs writes that, “In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.”

Telvent’s letter went on to say that the company has, as precaution, “indefinitely terminated any customer system access by Telvent.”

Social engineering is becoming the favorite way to cyber-attack organizations. This was the thrust of an article by Robert O’Harrow over at the Washington Post, and which has a nice symmetry to the Telvent story. O’Harrow writes about an on-going, highly-organized phishing email campaign that began in the spring and has targeted numerous “targeted intelligence contractors, gas pipeline executives and industrial-control security specialists.” The campaign looks to be the work of a hacker group in China.

O’Harrow reports that the phishing campaign has been successful, quoting from a Department of Homeland Security confidential alert that says, “Multiple natural gas pipeline sector organizations have reported either attempted or successful network intrusions related to this campaign.”

O’Harrow’s Post story is one in his series on cybersecurity, which is worth reading.

Spyware threat is as bad as ever. In another connection to the Telvent and phishing stories, Computerworld reports that hackers using a remote access trojan—spyware that allows an intruder to capture nearly all data from a compromised computer, including keystrokes, screen images, and downloads—are behind a series of systematic attacks against energy firms in Canada and the Philippines, as well as unspecified targets in Nigeria, Egypt, Brazil and Israel. Dell's SecureWorks Counter Threat Unit told Computerworld that the attacks, with a trojan called Mirage, have been ongoing since at least April.

Mirage is designed to be hard to detect by anti-virus and anti-malware programs. It sends and receives data in a form that is largely indistinguishable from the Internet traffic associated with Google searches.

SecureWorks researchers say that in February they uncovered a separate scheme wherein attackers using remote access tools similar to Mirage targeted oil companies in Vietnam in addition to government agencies, an embassy, and businesses in several countries. The researchers say they have evidence that the recent attacks and the ones in February originated in China. Both trojans have several command and control servers in common; those servers have IP addresses that belong to the Beijing Province Network. The same network was cited as the springboard for the 2011 attacks on security vendor RSA and subsequent theft of confidential data about the firm’s SecurID online authentication technology, as well as the so-called GhostNet campaign in 2009 wherein hackers attacked government computers in more than 100 countries

The IEEE also suffered a security incident this week. Late Tuesday afternoon, the IEEE announced that it “has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected.”

“IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.”

To find out more what the “incident” was all about, one had to turn to stories like that in ComputerWorld, since the IEEE was closed mouthed about it. Apparently, a teaching assistant and computer science grad student at the University of Copenhagen by the name of Radu Dragusin accidentally found last week 100,000 unencrypted user names and passwords mistakenly left on an IEEE FTP server.  In addition, ComputerWorld reported, “Dragusin said he was able to access more than 100GB of web server log data containing detailed information on 350 million-plus HTTP requests made by IEEE members over one month.”

Dragusin notified the IEEE on Monday of the problem.

The IEEE sent out an email late Tuesday night to those affected, which included me, stating in part that, “IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. This matter has been addressed and resolved. None of your financial information was made accessible in this situation. However, it was theoretically possible for an unauthorized third party, using your ID and password, to have accessed your IEEE account.”

The letter went on to say that, “IEEE has terminated access to your account under your current password. The next time you log in, you will be required to authenticate through the series of personal security questions you set up at the time you opened the account and to change your password.”

Late yesterday, the IEEE posted an update on the” incident”, saying that, “IEEE follows security best practices based on ISO and NIST standards. We review these standards to ensure that we follow a certain security methodology in our practices and processes. Notwithstanding our precautions, the exposure of the user IDs and passwords nevertheless did occur and we have thoroughly investigated how it happened.”

“We have found the following:

“The incident related to the communication of user IDs and passwords between two specific applications within our internal network resulting in the inclusion of such data in web logs.”

“An anomaly occurred with a process executed in coordination with a proxy provider of IEEE, with the result that copies of some of the logs were placed on our public FTP server. These communications affected approximately two percent of our users. The log files in question contained user IDs and accompanying passwords that matched our directory. The primary logs were, and are, stored in protected areas.”

“Upon discovering this exposure, IEEE immediately removed those files, ceased receiving those log files from the proxy provider, and corrected the interapplication communication that resulted in the logs containing user IDs and passwords. “  

“The affected user accounts were locked down, and only affected users were notified that IEEE is requiring that each affected user change his or her password. Institutional account information was, and remains, unaffected.”

We in the IEEE membership should be personally thanking Dragusin for informing the IEEE about the data leak.