Change Your Passwords Now: Two Thirds of All Websites Were “Secured” by OpenSSL And Are Vulnerable

Photo Credit: Codenomicon/HeartBleed.com

News sites and technology blogs are buzzing right now about the next internet security crisis, known as Heartbleed. Before you continue reading, start to make a list of any website or online service that contains your sensitive information, and begin changing important passwords. Let me explain.

SSL/TLS is the means by which websites and users are connected securely. Any time a lock appears in the corner of your web browser window, some flavor of SSL or TLS is being used to establish a secure connection. Websites that habitually request and store sensitive information, such as Social Security Numbers, credit card numbers, Driver’s License Numbers, dates of birth, identification numbers, email addresses, passwords, phone numbers, physical addresses, and the like, typically require trusted users to log in on an HTTPS-secured website protected by SSL or TLS, so that the user can trust that only the intended website can see the information.

One implementation of SSL/TLS, OpenSSL, carried a serious vulnerability until its recent discovery. The flaw, called Heartbleed, allows cyber criminals and hackers to leech encryption information from your trusted websites in small chunks. Exploited over time, Heartbleed is the equivalent of an experienced lockpicker sitting in front of a safe with hours, or three years in this case, to work his or her way through the lock.

OpenSSL, developed as a community-maintained alternative to expensive commercial SSL and TLS implementations, has released an emergency patch and will close the Heartbleed loophole permanently in future versions of the library. Unfortunately, these changes only protect against future access; previous illicit access cannot be undone.

Although over two thirds of websites use or have used OpenSSL, not all of them have been vulnerable to a Heartbleed attack. For those who would rather not change every password, you can check the link in this TechCrunch article for a list (not regularly updated) of affected sites, or you can go to this Netcraft article and enter the full https:// or https://www. URL of each site you wish to check. On the results page, search for “RFC6520”; if it appears, that site is or was recently vulnerable. Confirm that a site was vulnerable, and that its vulnerability has since been fixed, before going in to change your password there. The safest option, however, is to change all passwords.
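The “RFC6520” string that the Netcraft check looks for is the TLS heartbeat extension, and the Heartbleed defect lives in the code that answers a heartbeat. The following is an added illustration written for this post, not OpenSSL’s source: it simulates a heartbeat handler in Python, with the vulnerable version next to one that performs the bounds check the patched release added. The “adjacent memory” and the secret inside it are constructed stand-ins for whatever happens to sit next to the request buffer in a real server process.

```python
# Added illustration of the Heartbleed defect (a Python simulation, not OpenSSL code).
# ADJACENT_MEMORY is constructed: it stands for data lying next to the request buffer.

HEARTBEAT_REQUEST = 1
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

ADJACENT_MEMORY = b"cookie=SESSION_CONSTRUCTED; key=PRIVATE_KEY_CONSTRUCTED"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat record: type (1 byte) | payload_length (2 bytes) | payload | padding.
    The sender controls claimed_length independently of the real payload size."""
    return (bytes([HEARTBEAT_REQUEST])
            + claimed_length.to_bytes(2, "big")
            + payload
            + b"\x00" * PADDING)


def parse_heartbeat(record: bytes):
    """Return (type, claimed payload length, everything after the 3-byte header)."""
    return record[0], int.from_bytes(record[1:3], "big"), record[3:]


def vulnerable_reply(record: bytes) -> bytes:
    """Copies `claimed` bytes starting at the payload, trusting the peer's length
    field. When the claim exceeds the real payload, the copy runs past the
    request into whatever is stored next to it and sends that back."""
    _, claimed, body = parse_heartbeat(record)
    memory = bytearray(body) + ADJACENT_MEMORY   # simulated layout: request, then neighbours
    return bytes(memory[:claimed])


def fixed_reply(record: bytes):
    """Same handler with the check the patched version performs: the claimed
    length plus the padding must fit inside the bytes actually received."""
    kind, claimed, body = parse_heartbeat(record)
    if kind != HEARTBEAT_REQUEST:
        return None
    if claimed + PADDING > len(body):
        return None          # malformed heartbeat: drop it, as the fix does
    return body[:claimed]    # echo exactly what the peer sent, nothing more


if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5)
    oversized = build_heartbeat(b"hello", 200)
    print(vulnerable_reply(honest), fixed_reply(honest))
    print(vulnerable_reply(oversized))   # the constructed secret comes back
    print(fixed_reply(oversized))        # None
```

The honest request is answered identically by both handlers; the point of the fix is only that a mismatch between the length field and the bytes on the wire is rejected instead of being paid for out of neighbouring memory.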

In addition, the leak of personal and financial information can lead to identity theft. Check your credit report and bank records frequently, and report any suspected cases of identity theft to your local police and to the Federal Trade Commission. For more information on identity theft reporting and the proper agencies to contact, see this Department of Justice page. For more information on Heartbleed, check out this site, created by the team that discovered the vulnerability.

Probable Cause from an Instagram Photo

Photo Credit: "Duce22ceritfied" on Instagram

Sometimes, the abundance of information on social media pays off for law enforcement. The Sheriff’s Office in Palm Beach County, Florida was checking through public Instagram photos when it found a 19-year-old convicted felon illegally brandishing firearms in a “selfie,” a photo one takes of oneself, usually to post online. The public photo created enough probable cause for a search warrant to be issued. A subsequent search revealed over $250,000 worth of stolen firearms, jewelry, and electronics. He was charged with 142 felony counts and given $60,000 bail, which he could not pay.

After reading this story, you might think twice about the images and information you share online. In this case it was “good guys” viewing a “bad guy’s” photos, but it could just as easily have been a teen showing off his or her new driver’s license or credit card to friends on Facebook, or someone sending out a Tweet from a new apartment with the geo-location tag turned on: open invitations for stalking or identity theft. From the law enforcement perspective, this shows that not everything posted on a suspect’s social media accounts is subject to a reasonable expectation of privacy; sharing evidence of your latest crime with the world can also work as an unwitting confession to a crime that might otherwise have gone undetected.

Article at the Huffington Post


A California Student Hacks His Way into the Student Council

Photo Credit: Rama (Wikimedia Commons)

The FBI recently released the story of a 22-year-old student at California State University (San Marcos) who tried to hack his way into the student council presidency. Matthew Weaver installed keyloggers and recorded the keystrokes of several students, stealing personal information from over 700 classmates. He then sat at a station in the computer lab and cast multiple votes for himself in the university’s online election. Fortunately, officials detected the excess activity from one computer and sent Cal State police to arrest him. The FBI found he had even made Internet searches for the prison sentence given for identity theft and keylogging, evidence of his intent.

This story is of particular relevance today as the special primary election to replace New Jersey Senator Frank Lautenberg begins. Yesterday’s post regarding over-connected homes applies just as easily to networked voting machines in U.S. political elections, although we should hope that there are more security measures in place for those systems than for a student council election at a college…

Beware of an Over-Connected Home

Photo Credit: FutUndBeidl (Flickr.com)

A recent article warns that Internet-connected devices are not always the safest bet for cybersecurity. Many new devices, such as thermostats, refrigerators, lamps, CCTV surveillance cameras, and others, can now be controlled or monitored away from the home via an Internet connection and an online mobile device (smartphone, tablet, or laptop). However, these devices do not all share the same security standards, and the gaps create vulnerabilities. The same way Internet scammers obtain victims’ credit card and financial information online is a way for hackers and cybercriminals to gain access to any Internet-connected appliance in your home. Imagine the types of stalking or malicious personal attacks that could result from this type of online home intrusion: your heat is turned off during the winter, your refrigerator is shut off overnight to spoil your food, or your doors are unlocked for burglars to enter and take what they want.

Online devices have their benefits, but it is important to weigh the minor gains in convenience against the major risks in security. To read more about this concept of “The Cybercrime of Things,” check out the article at The Atlantic by Christopher Mims.

Mobile (In)Security: Hackers Can Use A Laptop To Locate Cell Phones

Photo Credit: Aldude999

A recent paper published by researchers at the University of Minnesota reports that vulnerabilities exist in the GSM cellular system, commonly used by AT&T and T-Mobile, that would allow hackers to locate someone’s cell phone. According to its principal author, Denis Foo Kune, GSM network towers must ping, or send a brief signal to and from a phone, 3 times in order to locate and connect the closest tower(s) and provide optimal service. This feature, by the way, is sometimes the only means for 911 operators to locate a caller for phones that do not have GPS and E911 capabilities, which is why 911 callers should always provide their exact location in an emergency.

With a computer, two cell phones, a landline phone, and free OsmocomBB software, a hacker can locate himself within the city of a target phone, call the phone, and trace the pings to identify the towers around a particular cell phone. While a precise location may not be available except in regions with “too many” towers, this does raise a privacy issue for GSM phone users. The research paper offers suggestions to major US cellular networks for securing this ping information and improving mobile security.

For more information or to read the paper in its entirety, go to the paper’s listing at the Internet Society website.

Hackers Momentarily Scare Wall Street With A Fake Tweet

Photo Credit: Spencer E Holtaway

Social media sites are no longer “play sites” or just distractions. A single tweet posted by cybercriminals took the markets for a plunge yesterday afternoon. The status, written on the Associated Press Twitter account, reported that there was an attack on the White House and that the President was injured. Bloomberg Businessweek reports that the hackers appear to be the Syrian Electronic Army, a group that launched several other attacks in furtherance of their pro-regime agenda.

The Associated Press quickly responded by declaring that the tweet was fake and that their Twitter account had been hacked; since then, their accounts have been temporarily suspended. Nevertheless, the Dow Jones Industrial Index took a momentary 140-point plunge during the 5-minute window between the hacked tweet and its removal. The FBI and SEC are both launching investigations this week into the intrusion and the related market changes.

This unauthorized access to a Twitter account is not the first; CBS, News Corp, PayPal UK, and others have had security issues with Twitter, prompting calls for “two-factor authentication,” a method recently adopted by Microsoft’s Xbox Live system. Two-factor authentication means that users who wish to log in must provide the password AND a temporary authentication code sent via text message or email (or by telephone, as eBay uses to confirm some users). Whether two-factor authentication is adopted or not, government agencies, policymakers, corporate entities, and individuals will have to take the need for security on social media sites like Twitter more seriously so that these types of real-life consequences can be averted.

Most Tax Messages Are From The Latest IRS Email Scam


Although taxes may have been due on April 15th, tax- and tax refund-related emails are still coming out. According to a USA Today survey, almost 95% of emails that appear to come from the Internal Revenue Service have been some form of spam. These emails claim to report problems with tax filings or request personal information to process refunds. The emails bear the IRS.gov logos and images but contain phishing links (links that appear to go to one place but actually lead to a look-alike website).

Organized theft and identity theft rings use these messages and websites to reroute thousands of dollars in tax refunds to their own accounts. In addition, they can use collected personal information to file fraudulent tax returns and scam the IRS into sending them the refunds.

Experts attribute the increase in IRS-based email scams to the IRS not having adopted the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, which sites like Facebook, Netflix, PayPal, and Bank of America all use to verify emails. Although DMARC will not completely eliminate phishing emails, it might be a useful tool for ensuring taxpayer (and agency) security.
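What DMARC actually does for a receiving mail server is easier to see in code than in prose, so here is an added illustration (written for this post, not taken from any mail software or from the IRS): a receiver publishes nothing, but the sending domain publishes a TXT record saying how to treat mail that fails authentication, and the receiver combines that policy with its own SPF and DKIM results. The domain `agency.example`, its policy record and the SPF/DKIM outcomes are all constructed, and the organizational-domain rule is simplified to the last two labels (a real implementation consults the Public Suffix List).

```python
# Added illustration of a DMARC receiver's verdict (teaching simplification,
# not a real mail filter). Domains, policy record and auth results are constructed.


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as "v=DMARC1; p=reject; ..." into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified here to the last two labels; a real
    receiver uses the Public Suffix List so that e.g. co.uk is handled right."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") needs an exact match with the visible
    From: domain, relaxed ("r") only needs the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(record: str, header_from: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str):
    """Return (dmarc_result, disposition).

    DMARC passes when at least one of SPF or DKIM both passed and is aligned
    with the From: domain the user sees. Otherwise the disposition is whatever
    the domain owner published in p= (none, quarantine or reject)."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed policy for a hypothetical agency domain: reject unauthenticated mail,
# strict DKIM alignment, relaxed SPF alignment, aggregate reports to a mailbox.
AGENCY_POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@agency.example"


if __name__ == "__main__":
    # Legitimate message: SPF passed for a subdomain of the From: domain.
    print(evaluate_dmarc(AGENCY_POLICY, "agency.example",
                         "pass", "mail.agency.example", "none", ""))
    # Spoof: From: says agency.example, but SPF only vouches for the sender's own domain.
    print(evaluate_dmarc(AGENCY_POLICY, "agency.example",
                         "pass", "bulk-sender.example", "fail", ""))
```

The second call is the phishing case from the article: the message carries the agency’s name in From:, authenticates (if at all) only for some unrelated domain, and under a published `p=reject` the receiver can refuse it outright. Without a DMARC record, the receiver has no policy to apply and the message is judged on content alone.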

For now, those who file taxes should know that the Internal Revenue Service does not request any information via email; most requests are made by U.S. Mail on letters with coding or reference numbers that you can cross-check with the IRS. Furthermore, if you receive a call requesting information on behalf of the IRS, ask for the employee badge number and callback number, then call the IRS directly to confirm their identity. For more information on IRS scam attempts and how to recognize and report them, check out the IRS Report Phishing page.

WordPress CMS Brute-Force Botnet Attacks

The United States Computer Emergency Readiness Team (US-CERT) released a notice warning about massive brute-force botnet attacks against the WordPress Content Management System. Botnets are typically made up of several (often personal or business) computers that have, with or without permission, been taken over by a third party for the collective purpose of handling one large task, which in this case would be a potential DDoS (distributed denial-of-service) attack (like the October DDoS attack on US banks). The consensus is that websites using the WordPress platform are being targeted because of the large servers websites are usually hosted on: “…the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.” (source: Dan Goodin in his Ars Technica article)

What does this mean for owners of WordPress websites and blogs? Hackers are fighting hard to break through WordPress dashboard/administration login pages and take over the sites and their host servers. Sites with easy passwords and outdated WordPress installations have been the easiest targets, although there are over 90,000 infected systems at work now. While several web hosting services are blocking the IP addresses of brute-force attackers, WordPress site owners have to take their own precautions. One blog recommends changing admin passwords and installing security plugins that record and restrict the IP addresses of attackers who repeatedly try to gain access. Matt Mullenweg, the creator of the WordPress platform, suggests changing the administrator username from the default “admin” to something more personal. More advanced WordPress designers and content management system users can work through the PHP and .htaccess files to further conceal the WordPress login page. Everyone using WordPress, Drupal, Joomla, or other systems to create and manage websites, however, should take precautions to protect themselves and the cyber community at large.
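The “record and restrict IP addresses” advice above is something a site owner can do without a plugin, straight from the web server’s access log. The following is an added example written for this post, not code from WordPress, US-CERT or any plugin: it reads Apache-style log lines, counts failed `wp-login.php` submissions per client address inside a sliding time window, and prints the Apache 2.4 `.htaccess` rules that would shut those addresses out of the login page. The log lines and their IP addresses are constructed; the one WordPress-specific assumption is that a failed login re-renders the form with status 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not WordPress, US-CERT or plugin code). Constructed Apache
# "combined" log lines; 203.0.113.5 hammers the login form, 192.0.2.9 fails once
# and then logs in, 198.51.100.7 is an ordinary reader.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2013:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3427 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3427 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3427 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3427 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3427 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3427 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3427 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:14:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:14:05:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:14:30:00 +0000] "GET /2013/04/some-post/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bruteforcers(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Sliding window per client IP over failed login POSTs.

    Assumption: WordPress answers a failed login with 200 (form re-rendered with
    an error) and a successful one with a 302 redirect, so POST + 200 counts as
    a failure. Returns {ip: peak number of failures seen inside one window}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def htaccess_block(ips) -> str:
    """Apache 2.4 rules keeping wp-login.php open to everyone except the flagged
    addresses; drop the text into the site's .htaccess."""
    lines = ["<Files wp-login.php>", "  <RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines += ["  </RequireAll>", "</Files>"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG.splitlines())
    print(hits)                    # {'203.0.113.5': 6}
    print(htaccess_block(hits))
```

Five failures in ten minutes is a deliberately low bar chosen for the sample; a real site tunes the threshold so that a user who mistypes a password twice is never caught, while a bot cycling through a password list is caught within seconds. The address that failed once and then logged in (192.0.2.9) is correctly left alone.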

Boston Marathon Bombings Referenced in Infected Emails

Photo Credit: [Aaron "tango" Tang]
By now, many have heard about the bombings that took place at this year’s Boston Marathon. Unfortunately, this story has fallen prey to the latest email threat.

The University of Alabama at Birmingham’s Spam Monitoring Lab has detected emails related to the bombings infected with malware by an unknown cybercriminal element. These emails lure readers to open the messages and their attachments, which appear to contain videos and images of the terror incident. Money.ca reports the following as example email subject lines:

  • “2 Explosions at Boston Marathon”
  • “Aftermath to explosion at Boston Marathon”
  • “Boston Explosion Caught on Video” and
  • “Video of Explosion at the Boston Marathon 2013.”

The purpose of these emails is to spread malware across the Internet in an attempt to form a botnet, or a large network of infected personal computers. Researchers at UAB infected one of their own computers in a controlled experiment; the results showed that, 42 seconds after a computer is infected by the malware, it attempts to send out hundreds of infected emails to random addresses. Given the amount of time this botnet has had to grow, they estimate at least 80,000 infected systems. (see LA Times article)

Botnets can be used for several malicious purposes, including coordinated denial of service (DoS) attacks on banks and infrastructure, brute-force attacks like those against WordPress blogs and websites, or the collection of personal information for an identity theft ring. This email scam is just one of many new malware campaigns to form powerful botnets at the expense of legitimate users.

Anyone who receives these emails should avoid opening them and any attachments or links they include. Those who may have opened an attachment or link in an infected Boston bombing email can check their computer’s Internet and network statistics: an unexplained increase in outbound Internet traffic is a sign of infection.

Beginning My Cyber Crime Blog

Today marks the beginning of a new project that will merge my personal, academic, and professional interests. I have a particular, persistent, and fairly unique goal I’m pursuing: a career as a federal law enforcement agent. As I depart Rutgers-Newark School of Criminal Justice and transition to The George Washington University Law School this fall, I want to continue studying, reading, and writing about topics I studied in undergrad, such as cyber crime, white collar crime, policing, and constitutional law. My undergraduate studies have fostered a special interest in cyber crime, an area that goes hand in hand with my lifelong passion for computers and technology. I intend to learn more about and follow this field by way of this blog by merging the technical, legal, criminological, and enforcement aspects of cyber crime in an effort to increase my own understanding (and perhaps that of others).