"Anonymous" leaks military mails

Anonymous (the hacker group) uploaded 90,000 military email addresses and associated password hashes onto the BitTorrent network on Monday.

The sensitive leaked data came from a hack against military contractor Booz Allen Hamilton, which Anonymous hinted had yielded further sensitive information. The loosely knit hacktivist collective claims to have pulled the information from an unprotected server.

Security watchers warn that the email addresses and other data obtained (but not released) might be used to mount further attacks.

“Anonymous claims to have erased four gigabytes worth of source code and to have discovered information which could help them attack US government and other contractors’ systems,” Chester Wisniewski of net security firm Sophos notes in a blog post on the hack.

Booz Allen Hamilton declined to comment on the incident.


Certigna publishes SSL private key by mistake

A French provider of SSL certificates appears to have made a bit of a boo-boo in its webserver configuration: publishing its private key for the world to see, and opening up a potentially serious security hole in the world’s web browsers.

SSL certificates serve two purposes on the Internet: to encrypt information, and to verify a webserver’s identity. An SSL certificate is what is used to keep the password you log in to your Internet banking site private, and also serves to ensure that you’re genuinely logging in to the bank’s own server.

This latter function requires that certificate providers don’t issue certificates willy-nilly, instead verifying that the person requesting the certificate has some control over the domain in question. This can be as difficult as long-winded meetings with business executives, or as simple as placing a secret file somewhere on the web server.

To prevent random users from generating their own trusted certificates, each SSL certificate provider has a ‘private key.’ This is a piece of secret data, kept entirely out of public reach, which is used to sign each issued SSL certificate to validate that it has been issued by a trusted authority. These keys are usually closely guarded, as any certificate signed by the key of a trusted authority will be implicitly trusted by a web browser without displaying any warning messages.

Sadly, French SSL specialist Certigna appears to have failed to keep its secret under lock and key. A visit to the site’s revocation list page – which is fully publicly accessible via a standard web browser – allows anyone and everyone to download the private key and other supposedly secret files, potentially enabling the creation of their own valid Certigna-signed SSL certificates.


It’s a major security breach, and one of which the company appears unaware, as it has not yet reacted to the issue.
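A defender-side check for the failure mode described above, added here as an example for this digest (it is not Certigna’s tooling or anyone else’s): it walks a web document root and flags any file carrying a PEM private-key header, so a key dropped next to a public CRL is caught before the web server can hand it out. The document-root layout and file contents are constructed sample data.

```python
import os
import re
import tempfile

# PEM labels that identify private key material (PKCS#1, PKCS#8, EC, DSA, encrypted, OpenSSH).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----")


def find_exposed_private_keys(docroot, max_bytes=65536):
    """Return the relative paths (sorted, '/'-separated) of files under docroot whose
    first max_bytes contain a PEM private-key header. Anything found here is served to
    the public by the web server and must be removed and the key treated as compromised."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)  # bounded read keeps big downloads from stalling the scan
            except OSError:
                continue
            if PRIVATE_KEY_RE.search(head):
                hits.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_docroot():
    """Constructed sample layout (not real Certigna files): a CRL directory holding a public
    CRL, the public CA certificate, and a stray private key that should never be served."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "crl"))
    files = {
        "crl/revoked.crl": b"-----BEGIN X509 CRL-----\nMIIB...\n-----END X509 CRL-----\n",
        "crl/ca.pem": b"-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n",
        "crl/ca.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "index.html": b"<html><body>CRL download</body></html>\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in find_exposed_private_keys(build_sample_docroot()):
        print("private key material served from web root:", hit)
```

Run it against the real document root (and any directory aliased into it) rather than the sample; the public CA certificate and the CRL are expected there, the key is not.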

Facebook data leak … or not

Symantec (a computer security company) announced a few days ago that it had found a potentially huge breach, caused by a faulty API used by developers of Facebook applications. It led “hundreds of thousands” of Facebook applications to accidentally expose the so-called access tokens that users grant to Facebook applications. “Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.,” the researchers said.


The controversy is open, as Facebook denies the privacy breach allegations by Symantec. “No personal data could have been passed to third parties”, the company says. This is the same company that recently admitted 7.5 million of its users are kids.


While denying the breach, Facebook has now fixed the problem, but it could still be a big problem for users, according to Symantec. That’s because these tokens may still be in circulation, stored in server log files or in other places on the Web. One of these access tokens will keep working until the Facebook user changes his password, so Symantec said that concerned users should change their Facebook passwords, like “changing the lock” on their Facebook account.
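Since the page’s point is that leaked tokens linger in server logs, here is an added example (written for this digest, not Symantec’s or Facebook’s code) of the check a site operator would run: it parses combined-format access log lines, reports every access_token value carried in the request URL or the Referer header, and produces a redacted copy that is safe to retain. The log lines are constructed samples, and the assumption that tokens show up in query strings and Referer headers is mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: host, identd, user, [time], "request", status, size, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_PARAM = "access_token"


def tokens_in_url(url):
    """Return the access_token values carried in a URL's query string (empty list if none)."""
    return parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [])


def scan_access_log(lines):
    """Return (findings, redacted_lines). findings lists (line_no, where, token) for every
    token seen in the request target or the Referer; redacted_lines is the same log with
    token values replaced so the cleaned copy can be kept without re-leaking them."""
    findings, redacted = [], []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m:
            for where in ("target", "referer"):
                for tok in tokens_in_url(m.group(where)):
                    findings.append((no, where, tok))
        # Redact even on lines the parser did not recognise, so nothing slips through.
        redacted.append(re.sub(rf'({TOKEN_PARAM}=)[^&\s"]+', r"\1[REDACTED]", line))
    return findings, redacted


# Constructed sample lines (not real traffic): a token in the request URL, one in the Referer, one clean hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:01:02 +0000] "GET /app/?access_token=AAAB123xyz&expires=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:12:01:03 +0000] "GET /ad.js HTTP/1.1" 200 88 "http://apps.example/canvas?access_token=CCCD456abc" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2011:12:01:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, clean = scan_access_log(SAMPLE_LOG)
    for no, where, tok in found:
        print(f"line {no}: access token in {where}: {tok[:4]}...")
```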


Symantec’s announcement and the issue details are available here.


Watchdog blackmailed by hacker: names, home addresses and passwords leaked

South Korea’s financial watchdog launched an investigation into the leak of 420,000 customers’ personal information from South Korea’s Hyundai Capital, the consumer finance unit of Hyundai Motor Group.

The company, whose president returned to South Korea from an overseas trip earlier in the day, also began its own probe into the leak, which prompted the firm Friday to ask its 2 million customers to change their passwords to prevent further leaks.

The Seoul-based company, which specializes in personal loans, home mortgages and auto financing, said this week it was blackmailed by an unnamed hacker demanding money in return for not releasing the data.

The company, which stressed that key data required for financial transactions was not leaked, said the names and home addresses of as many as 420,000 of its roughly 2 million customers were stolen. It remains unconfirmed whether their mobile phone numbers or e-mail addresses were disclosed as well.

“Investigators will be dispatched to look into the cause of the breach, the possibility of additional leaks and the contents of stolen information,” an official said.

Police said Sunday that a hacker likely used servers in the Philippines and Brazil.


More information from Reuters

Analytics: IT departments leak most data … usually on a Tuesday

Data leak figures!

According to a survey on insider threats published by security firm Orthus this week, data leaks are primarily internal, which we already knew, but more surprisingly IT staff are the most likely to leak sensitive data about their own company.

“The insider is most likely to be from the IT or customer services department, uses a mobile PC rather than a desktop computer and more often than not will copy the sensitive data to the local hard drive and walk straight out of the door with it – or webmail a copy to themselves,” wrote the authors.

Orthus based its findings on information extracted from data leakage audits conducted since 2006 on its own customer sites using remote agents: an estimated 500,000 hours of user activity within an unspecified number of mainly UK organisations employing 1,000 or more people.


Key results from this survey:

  • Corporate data leakage was most likely to occur through mobile devices with 68% of all events identified linked to mobile rather than fixed desktop systems.
  • Information Technology and Customer Services Departments had the highest incidence of data leakage.
  • Most incidents of data leakage occur during the extended working day (7-7 Monday to Friday).
  • The applications most favoured by users to remove sensitive data were identified as web mail, instant messaging (IM) and social networking web sites.
  • The top 4 data leakage vectors were identified as mobile devices, web mail, removable media and corporate email.
  • All data leakage incidents identified could have been prevented. Existing corporate security policies were not implemented, monitored or enforced.



Some more information is available here.

Backdoor in OpenBSD since 2001?

OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, and the project itself claims “to be NUMBER ONE in the industry for security (if we are not already there)” on its website.

But it is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into the OpenBSD IPSEC network stack around 2000-2001. If this turns out to be true, and if the early IPSEC code base that was later reused in other operating systems is affected, a new wave of attacks will hit our networks in the near future. It would also confirm something we know or believe is and was there but have been unable to prove so far: that the FBI implemented a number of backdoors and side-channel key-leaking mechanisms into the OCF, for the express purpose of monitoring the site-to-site VPN encryption system implemented by EOUSA, the parent organization to the FBI.



The answer is NO, according to Theo de Raadt’s own conclusion:

“Well, the allegations came without any facts pointing at specific code.”

Full conclusion available here: http://article.gmane.org/gmane.os.openbsd.tech/22727


The Stuxnet connection

A little more on OpenBSD’s IPsec.

Theo confirms that Gregory Perry did work at NETSEC and that Jason Wright and Angelos Keromytis were funded by NETSEC as well. Theo says he wasn’t aware at the time that NETSEC was involved in backdoor or wiretapping projects.

Mickey, an OpenBSD developer from that time period, has published a rambling memoir entitled “how I stopped worrying and loved the backdoor” (a reference to the film Dr. Strangelove) in which he confirms that both Jason and Angelos were funded by NETSEC. He also makes the point that this served to fund OpenBSD and Theo indirectly as well. Many of his claims are verifiable by looking at the OpenBSD CVS commit history and honestly I’d noticed some of it myself and thought it was odd. He describes encounters with agents of various TLAs.

Probably the most straightforward interpretation of Mickey’s story simply confirms what we already knew: funny stuff was going on in the source tree at that time, and people crossing international borders sometimes receive some heavy arm-twisting by the US government, even if they are American citizens such as Jacob Appelbaum and Moxie Marlinspike. It’s not hard to imagine that pressure being applied to someone seeking to continue working or studying in the US.

I was planning to let this particular dog lie (well, at least until I had a working exploit :-), but suddenly a New York Times article drops a clue which adds another unbelievable twist to the plot. They report that it was a joint US-Israeli hacking effort which developed the Stuxnet attack on Iran’s uranium enrichment centrifuges. (For all the hyperbole surrounding Stuxnet, everyone agrees it is the most effective and sophisticated targeted attack on a nation’s specific industrial process.) For its part, it was the US’s Idaho National Laboratory which provided significant background research into the security properties of Siemens industrial control “SCADA” systems like the ones which run Iran’s centrifuges. The INL slide deck really says it all, with diagrams and photos of US government security researchers testing out attack models against racks of Siemens gear of the same sort used in Iran.

But I’d remembered seeing Idaho National Laboratory once before – in Jason Wright’s CV. He’d written a paper for the U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program entitled Recommended Practice for Securing Control System Modems. This was in January 2008, about the time the Stuxnet project is believed to have gotten going. In 2009, he published Time Synchronization in Hierarchical TESLA Wireless Sensor Networks (pdf) at a conference on Resilient Control Systems.

When speaking at SecTor, a data security conference in Canada, Jason’s bio describes him as:

Jason Wright is a cyber security researcher at the Idaho National Laboratory working with SCADA and Process Control system vendors to secure critical infrastructure assets. He is also a semi-retired OpenBSD developer (also known as a “slacker”) responsible for many device drivers and layer 2 pieces of kernel code.

So we know Jason Wright was hacking on OpenBSD IPsec crypto code at the time the backdoor was alleged to have been added, and that he was pentesting Siemens SCADA systems at the time Stuxnet was being constructed and at the very same national nuclear research lab identified by the New York Times.

This guy sure seems to have a talent for coincidences.