Monday, January 9, 2012

Antisec's Cybercrime against Stratfor

AntiSec committed a cybercrime against Stratfor.
A group calling itself the international hacker collective "Anonymous" broke into the website of the U.S. intelligence-related company "Stratfor" and published online the personal information of 860,000 users it had stolen there. The data consisted of email addresses, passwords and the like, and included the addresses of former Secretary of State Kissinger and former Vice President Quayle.

Antisec
・Declared that it will publish the contents of a large number of emails to prove that "Stratfor is not the 'harmless company' it claims to be".

Leaked information
・Customer records: 860,000
 75,000 email addresses
・19,000 .mil email addresses
・212 FBI email addresses
・71 DIA email addresses
・29 NSA email addresses
・24 CIA email addresses
・Card records: 17,000

Some military-affiliated users had passwords such as "intel", "frogman1" and "swordfish".
There are also password-cracking applications, which apparently can try 10 billion passwords per second. However, on public-facing authentication systems, many will disable the account immediately after a wrong password.

According to US-CERT, "MD5 is unsuitable for use."
Much software still authenticates using MD5.
Stratfor's system is said to have used MD5 to encrypt personal information, which is why so much personal information leaked.
However, Stratfor's system stored personal information unencrypted. There is also a theory that the leak came from an insider rather than from Antisec.

Anonymous reportedly donated to charities using money from fraudulently charged cards.
The charities that received the donations will have to refund the fraudulently charged card accounts. Each refund incurs a fee (for transfers to other banks) that is paid out of legitimate donations, so I think the charities' funds will actually shrink. Is this harassment of charities dressed up as praise?

Anonymous member arrested


---Hacker Group Publishes Personal Data of 860,000 Including Kissinger---
Mainichi Shimbun, December 31, 2011, 12:40
http://mainichi.jp/select/world/america/news/20111231k0000e030116000c.html

 A group calling itself the international hacker collective "Anonymous" on the 29th published online the personal information of 860,000 users, stolen by breaking into the website of the U.S. intelligence-related company "Stratfor". The data consisted of email addresses, passwords and the like, and included the addresses of former Secretary of State Kissinger and former Vice President Quayle. Reuters reported this on the 30th.
 According to Reuters, the mass release of personal data was carried out by "AntiSec", a faction of Anonymous. AntiSec declared that it will go on to publish the contents of a large number of emails to prove that "Stratfor is not the 'harmless company' it claims to be". (Kyodo, New York)


---Anonymous Posts Online Threat to Disrupt Republican Caucus in U.S. Presidential Race---
December 27, 2011, 11:52
http://www.asahi.com/international/update/1227/TKY201112270147.html

 A faction calling itself the international hacker collective "Anonymous" has posted a video online announcing that it will "peacefully disrupt" the Iowa Republican caucus to be held on the 3rd of next month in the run-up to the U.S. presidential election. Because this opening contest could decide the course of the nomination race, the Republican Party is strengthening its preparations.
 According to the AP, a man taking part in an anti-inequality protest in the state capital, Des Moines, was handed the video by a masked man and uploaded it to the video-sharing site YouTube. The audio of the roughly two-minute video criticizes the political system as favoring corporations and calls on those who share that view to take part in the disruption.
 According to Associate Professor Douglas Jones (computer science) of the local University of Iowa, the most dangerous scenario would be one in which the figures are tampered with at the moment the tally is published on a website, the perpetrator issues no statement, and the false result keeps circulating. The caucus votes on paper and counts by hand, but if the system that reports the results were attacked, even a mere delay in the announcement could cause confusion.
 Wes Enos of the Republican Party of Iowa's state central committee told the Asahi Shimbun that "it is important that the caucus, which everyone is watching, runs smoothly," and revealed that measures to strengthen security are under way. (Erika Fuji, Los Angeles)


---"Donations" Made With Stolen Card Data: Anonymous Gives to NGOs and Others---
December 26, 2011, 19:28
http://www.asahi.com/international/update/1226/TKY201112260459.html

 A group calling itself the international hacker collective "Anonymous" announced on the 25th that it had broken into the site of the major U.S. private intelligence-analysis firm "Stratfor" (Texas) and stolen customers' card information and other data. It says it used the stolen data to make "Christmas donations" to NGOs and the American Red Cross.
 Stratfor also acknowledged the breach. The Anonymous side posted online customer information including about 4,000 credit card records, addresses, telephone numbers and passwords. The list includes the names of major companies, government agencies and police organizations from around the world, including Japan. The group says it also holds about 90,000 further card records.
 The Anonymous side posted online several receipts for donations made by fraudulently using the stolen data. According to the AP, a former state government employee to whom one receipt was addressed was found to have "donated" a total of $700 (about 55,000 yen), including to the international NGO "Save the Children", without any knowledge of it. (Erika Fuji, Los Angeles)


---Researcher: Many Stratfor Passwords Are Weak---
Jan 4, 2012 4:30 am
By Jeremy Kirk, IDG News
http://www.pcworld.com/businesscenter/article/247212/researcher_many_stratfor_passwords_are_weak.html

At Utah Valley University, 120 computers are now working to decode encrypted passwords revealed by the hack of Stratfor Global Intelligence, one of the most significant data breaches of last year.

After the breach occurred over Christmas, the Utah researchers launched a project to study what kind of passwords people use and if they're complex enough to thwart all but the most determined hackers.

Hackers believed to be affiliated with Anonymous released the names, email addresses, credit-card numbers and encrypted passwords of people who have registered with Stratfor, a leading think tank based in Austin, Texas.

The data dump is significant due to Stratfor's high-end clientele, including many people in the U.S. military, government organizations such as the U.S. State Department, international banks including Bank of America and JP Morgan Chase and technology giants IBM and Microsoft.

While the credit-card data, some of which was outdated, might briefly profit cybercriminals, the email addresses and encrypted passwords are far more valuable to nation-states seeking to electronically infiltrate organizations over the long term.

Since the email addresses of hundreds of thousands of people were revealed, those people can be targeted by email with malicious software, said Kevin Young, area IT director and an adjunct professor who teaches information security at Utah Valley University.

The second major threat from the Stratfor breach is how many of the passwords were quite simple and easy to decode, he said. That's dangerous, given it is likely that some people will reuse the same password over and over on systems with sensitive information.

Rather than store passwords in clear text, which is considered dangerous, Stratfor stored a cryptographic representation of victims' passwords called an MD5 hash, generally considered a wise security practice. Young set up the 120 computers in order to decode the MD5 password hashes released by the hackers.

With modest computing power and password cracking programs, many of those MD5 hashes can be decoded into their original password. The simpler and shorter the password, the faster it can be decoded.

Young said he's been able to decode upwards of 160,000 passwords from Stratfor, many in organizations such as the U.S. Marine Corps who "should know better," Young said.

The passwords will not be released by Young for ethical reasons, but will be used as part of a study of trends in how people pick passwords and how resistant those passwords are to cracking attempts.

The tools that Young is using show how important it is for people to use complex passwords, or ones with at least eight or nine characters, a mix of upper- and lower-case letters along with numbers and even punctuation.

Young is using "John the Ripper" -- a well-known cracking application that can use a regular PC, and "oclhashcat," a program designed to use the accelerated calculating speeds of graphics processors. John the Ripper produces some eight to 10 billion passwords a second, while oclhashcat, using a graphics processor, can produce up to 62 billion combinations per second, he said.

Both tools calculate a MD5 hash from a word list, of which different permutations can be defined by the person trying to crack the password. Young also used password lists from other noted data breaches including Sony (17,000 passwords), Rockyou (14 million), PHPBB (278,000) and MySpace (36,000).

Password lists are useful, since there is a good chance that people will have already picked easy ones. Stratfor's data didn't disappoint, and Young found that many of its passwords were contained on the lists from other data breaches, such as "jasper10," "swordfish" and "green101."

Young said his team has just a small budget and will probably calculate possible lower-case passwords as long as eight characters. Beyond that, more computing power is needed, as just calculating all of the possible lower-case word combinations for a 10-character word starting with "A" would consist of some 2.2 TB of data, Young said. All of the permutations of a possible password combination are known as the "word size."

Nation-states would easily have the computing muscle. Young said his 120 computers are "nothing compared to what a concentrated attack from the NSA or China or North Korea could throw at this."
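The article above and the notes at the top of this post both turn on the same point: Stratfor stored passwords as plain MD5 (a hash, not encryption) with no per-user salt, so a breached-password list hashed once can be checked against every user at once, and a short lowercase password falls to plain enumeration within seconds at the rates quoted. The Python below is an added example, not code from the article, from Stratfor, or from John the Ripper or oclhashcat; the user names, passwords, the small wordlist and the 600,000-iteration PBKDF2 cost are constructed assumptions. It shows how a defender can audit an unsalted MD5 store against a leaked list, computes the article's "word size" for 8 lowercase characters, and contrasts the weak store with a salted, deliberately slow one.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts. Three use passwords of the kind the article quotes,
# one uses a long random string that no wordlist will contain.
SAMPLE_USERS = {
    "alice": "swordfish",
    "bob": "intel",
    "carol": "frogman1",
    "dave": "x7!Qe2#pLm9vR",
}

# Constructed stand-in for a breached-password list (the article names RockYou etc.).
WORDLIST = ["123456", "password", "intel", "swordfish", "frogman1", "jasper10", "green101"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password: the scheme the article says Stratfor used."""
    return hashlib.md5(password.encode()).hexdigest()


def store_unsalted_md5(users: dict) -> dict:
    """Build a {user: md5hex} table, i.e. what a leaked unsalted store looks like."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def recover_from_wordlist(stored: dict, wordlist: list) -> dict:
    """Defender-side audit: which stored hashes are matched by a breached-password list.
    With no salt the list is hashed exactly once and every user is looked up in the same
    table, and two users with the same password have the same hash."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters (the article's 'word size')."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """How long full enumeration takes at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


# --- hardened store: per-user random salt plus a slow key-derivation function ---
PBKDF2_ITERATIONS = 600_000  # assumed cost; tune so one guess costs a noticeable fraction of a second


def store_pbkdf2(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$dk'; the salt defeats shared precomputation."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare of the result."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = store_unsalted_md5(SAMPLE_USERS)
    print("matched by wordlist:", recover_from_wordlist(leaked, WORDLIST))
    print("8 lowercase chars at 1e10/s:", round(seconds_to_exhaust(26, 8, 1e10), 1), "s")
    s = store_pbkdf2("swordfish")
    print("salted record:", s)
    print("verify ok:", verify_pbkdf2("swordfish", s), "wrong pw:", verify_pbkdf2("Swordfish", s))
```

Run on the constructed data, the audit matches alice, bob and carol but not dave, and `seconds_to_exhaust(26, 8, 1e10)` comes to about 21 seconds, which is the arithmetic behind the article's remark that eight-character lowercase passwords are within a small budget. Storing the same password twice with `store_pbkdf2` yields two different records, so a leaked table cannot be attacked with one precomputed list.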


---Hackers reveal personal data of 860,000 Stratfor subscribers---
By Ken Dilanian, Washington Bureau
January 4, 2012
http://www.latimes.com/news/nationworld/nation/la-na-cyber-theft-20120104,0,90925.story

The AntiSec branch of Anonymous releases email addresses and other information for Dan Quayle, Henry Kissinger and hundreds of U.S. intelligence, law enforcement and military officials.

Reporting from Washington
A computer hacking group has revealed email addresses and other personal data from former Vice President Dan Quayle, former Secretary of State Henry A. Kissinger, and hundreds of U.S. intelligence, law enforcement and military officials in a high-profile case of cyber-theft.

The unauthorized release of account information for 860,000 subscribers to Stratfor, a Texas-based company that provides analysis of national and international affairs, makes it possible to identify some subscribers and, in theory, impersonate them in cyberspace, analysts warned.

The data were released in two batches last month by the AntiSec faction of Anonymous, a self-described hacker collective. It also disclosed about 75,000 names, addresses and credit card numbers associated with Stratfor customers, including Kissinger and Quayle. They did not respond to requests for comment Tuesday.

"The exposure is huge," said John Bumgarner, who analyzed the release for the U.S. Cyber Consequences Unit, an independent, nonprofit research institute. "We can assume that a foreign intelligence service has already taken advantage of this information."

Anonymous engages in what it calls civil disobedience to expose secrets, but others have called it Internet terrorism. Group members have hacked into corporate and government databases around the world since 2008, and authorities have arrested alleged members in the Netherlands, Britain, Spain, Turkey and elsewhere.

Bumgarner said the Stratfor data included 19,000 email addresses from the ".mil" domain, meaning members of the military. He also found 212 email addresses from the FBI; 71 from the Defense Intelligence Agency, the Pentagon's spying arm; 29 from the National Security Agency, which conducts global eavesdropping and cyber espionage; and 24 from the CIA.

Bumgarner said he used off-the-shelf software to crack many of the Stratfor passwords. One intelligence officer used "intel" as a password, and a Navy SEAL officer used "frogman1," he said.

After the attack, Stratfor took its website off line and wrote on its Facebook page that it was cooperating with law enforcement. AntiSec said it targeted the company in part because it had poor network security.


---No Shelter From a Cybercrime Storm---
By Richard Adhikari
TechNewsWorld
01/03/12 5:00 AM PT
http://www.technewsworld.com/story/No-Shelter-From-a-Cybercrime-Storm-74084.html

Anonymous hackers let fly with the information they pilfered from Stratfor, dumping on the Web for all to see Friday. Hundreds of thousands of usernames, email addresses and hashed passwords were included. SpecialForces.com, a site that sells military clothing and perso

The Anonymous hacker collective has run riot this holiday season, and security experts predict more pain from cybercriminals at large for the coming year.

Anonymous also announced earlier that it had cracked the systems of gear vendor SpecialForces.com on Tuesday.

As a follow-up to its breach of private think tank Stratfor's systems last week, the hacker collective, or its stepchild Antisec, dumped all the information stolen from the Stratfor break-in on the Web on Friday.

This includes 75,000 names, addresses, and MD5 hashed passwords of all Stratfor's paying customers, as well as about 860,000 usernames, email addresses and hashed passwords for everyone who's ever registered on Stratfor's site. It's not clear whether there's any overlap between the two categories.

MD5, the Message-Digest Algorithm, is a widely used cryptographic hash function used in various security applications and to check data integrity that's been declared unsuitable for further use by the United States Computer Emergency Readiness Team (US-CERT) because of its vulnerabilities.

Stratfor's Followup

Stratfor has taken its website offline and is using technology from CSID to provide 12 months of free identity protection services to victims of the hack into its systems, CSID told TechNewsWorld.

The company's clients include various government agencies and businesses in the United States and abroad. Among them are the United States Army, the U.S. Department of Homeland Security, Google (Nasdaq: GOOG), Apple (Nasdaq: AAPL), Microsoft (Nasdaq: MSFT), Air New Zealand and four Australian banks.

Anonymous also reportedly turned its guns on people who spoke up in support of Stratfor.

Blitzkrieg on SpecialForces.com

Anonymous apparently hacked the SpecialForces.com website back in August, although it's only making this public recently.

The collective claims it has had about 14,000 passwords and information from 8,000 credit cards from the website's members. It stole the keys to crack encrypted data on SpecialForces.com's servers.

Special Forces Gear, which owns the website, reportedly said the passwords stolen are more than a year old and most of the credit card numbers have expired.

The company has reportedly rebuilt its website and implemented new security measures.

Taking Care of Business

Perhaps Stratfor and SpecialForces.com should have taken more stringent security measures from the outset.

It is indeed possible to stop even determined hackers, suggested Andrew Brandt, director of threat research at Solera Networks Research.

"It just takes a guard or team of guards, equipped with the right tools to get the job done, and an equal or greater degree of determination, to stop them," he told TechNewsWorld.

Hash Table Vulnerability's a Global Website Threat

Meanwhile, a hash table vulnerability that could trigger a flood of denial of service (DDoS) attacks has been found by security researchers Nruns.

The vulnerability was believed to only affect hash tables in Perl and CRuby when first discovered in 2003, but nruns has found that it also affects other mainstream Web dev platforms such as Java, ASP.NET, PHP 5 and Google's v8.

Ruby and Perl are rapid prototyping languages, while Java "is the technology of choice for massive enterprise-grade systems like [those used in] online banking," Jeff Schmidt, CEO of JAS Global Advisors, told TechNewsWorld.

"Monitor and keep up to date on vendor patches," Schmidt advised.

Microsoft issued Security Bulletin MS 11-100 on Thursday to patch the vulnerability in ASP.NET. The patch will be automatically updated and installed on systems that have the automatic updating feature turned on.

"While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible," Dave Forstrom, director of Microsoft Trustworthy Computing, told TechNewsWorld.

PHP has also published a patch for this vulnerability, Qualys Chief Technology Officer Wolfgang Kandek said.

New Cybersecurity Efforts Coming
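The hash-table flaw described above works because a deterministic, unkeyed string hash lets a client choose many request keys that all land in the same bucket, so each insert or lookup degrades from constant time to a walk of the whole chain. The Python below is an added illustration, not code from n.runs, Microsoft, PHP or any of the platforms named; it models the flaw with a toy character-sum hash (under which every anagram collides) and constructed anagram keys, then shows two standard mitigations that the page itself does not spell out: a per-process secret hash seed, so a client cannot predict which keys collide, and a cap on the number of keys a request may supply. The bucket count, the fixed seed and the cap value are assumptions.

```python
import hashlib
from itertools import permutations


def weak_hash(key: str) -> int:
    """Toy stand-in for an unkeyed, predictable string hash: sum of the character codes.
    Any two anagrams collide, which is the property hash flooding abuses."""
    return sum(ord(c) for c in key)


def keyed_hash(key: str, seed: bytes) -> int:
    """Hash whose output depends on a secret per-process seed (randomised hashing).
    Without the seed a client cannot construct keys that share a bucket."""
    digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(word: str) -> list:
    """Constructed adversarial input: every distinct anagram of `word`."""
    return sorted({"".join(p) for p in permutations(word)})


def build_table(keys, hash_fn, n_buckets: int) -> list:
    """Separate-chaining hash table: bucket i holds the keys whose hash maps to i."""
    buckets = [[] for _ in range(n_buckets)]
    for k in keys:
        buckets[hash_fn(k) % n_buckets].append(k)
    return buckets


def longest_chain(table: list) -> int:
    return max(len(b) for b in table)


def lookup_cost(table: list, keys, hash_fn) -> int:
    """Total key comparisons to look up every key once; O(n) per key if all collide."""
    n = len(table)
    return sum(table[hash_fn(k) % n].index(k) + 1 for k in keys)


MAX_KEYS_PER_REQUEST = 1000  # assumed cap; the second mitigation is to refuse oversized inputs


def accept_request(params: list) -> bool:
    """Reject a request whose key count exceeds the cap before it reaches the table."""
    return len(params) <= MAX_KEYS_PER_REQUEST


if __name__ == "__main__":
    import secrets
    keys = colliding_keys("abcdef")          # 720 anagrams
    weak = build_table(keys, weak_hash, 1024)
    print("weak hash: longest chain", longest_chain(weak),
          "lookup cost", lookup_cost(weak, keys, weak_hash))
    seed = secrets.token_bytes(16)          # per-process secret
    h = lambda k: keyed_hash(k, seed)
    strong = build_table(keys, h, 1024)
    print("keyed hash: longest chain", longest_chain(strong),
          "lookup cost", lookup_cost(strong, keys, h))
    print("oversized request accepted:", accept_request(keys * 2))
```

With the weak hash all 720 anagrams fall into one bucket, so looking each of them up costs 1 + 2 + ... + 720 = 259,560 comparisons, which is the quadratic blow-up that turns a modest request into a denial of service. With the seeded hash the same keys spread across the buckets and the cost stays close to one comparison per key. The request cap is the cheaper, complementary defence: it bounds the damage even if the hash function cannot be changed.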

January will mark the launch of the National Critical Infrastructure Cybersecurity Education Initiative. This aims to develop cybersecurity education programs jointly between the private and public sectors. It also calls for the completion of critical infrastructure frameworks by 2012.

The initiative is being led by the Global Institute for Cybersecurity + Research (GICSR).

The Federal government "needs to incorporate secure configurations and system configuration baselining as a core part of any recommendations for improving security," Dwayne Melancon, chief technology officer at Tripwire, told TechNewsWorld.

"Regardless of the industry -- the Federal government or the commercial sector -- I see a lot of enterprises [that] have documented processes and standards which aren't being followed effectively," Melancon said.
