Threatpost for B2B
Mark Zuckerberg is mad as hell, and he’s not going to take it anymore. Actually, he is going to take it, because we all are going to take it, at least for the foreseeable future.
Zuckerberg is upset that the NSA is spying on his users, and even madder that the agency is allegedly using fake Facebook servers to infect targets with malware as part of surveillance operations. In a post on his personal page Thursday, Zuckerberg, co-founder and CEO of Facebook, sounded a bit like a parent at his wit’s end, saying that he was “confused and frustrated” by the way that the U.S. government has been behaving of late.
“When our engineers work tirelessly to improve security, we imagine we’re protecting you against criminals, not our own government,” he wrote.
“The US government should be the champion for the internet, not a threat. They need to be much more transparent about what they’re doing, or otherwise people will believe the worst.”
Now, there are plenty of easy swings to be taken at both Zuckerberg and Facebook on this topic. The humor of the CEO of a company whose business is built upon mining the data it collects from its billions of users and selling the results to advertisers complaining about widespread surveillance is obvious. But there are a couple of clear and important differences between Facebook and the NSA. Facebook is up front about what it is and how it makes money. The user is the product. In return for connecting you electronically to the people you already know so you can avoid talking to them in real life, Facebook shows you marginally relevant ads and gathers untold terabytes of data on user behavior and preferences. That’s called commerce. And users know the deal going in.
What the NSA does is meant to be kept secret and users are not supposed to have any idea whether they’re a target of the agency’s surveillance methods. And in most cases, that’s the way it works. As has been shown, the NSA is extremely good at performing its mission. It’s when the agency goes beyond that mission that things get messy, and that’s what has Zuckerberg and so many others upset right now. A story this week in The Intercept revealed that the agency has allegedly been impersonating a Facebook server as part of a method for attracting surveillance targets and eventually installing malware on their machines. The agency on Thursday denied that it impersonates the Web site of any U.S. company.
“NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false,” the agency said in a statement.
Many people, corporations and organizations are angry about the allegations surrounding the NSA and its activities, but Zuckerberg, as the CEO of a multi-billion-dollar company, has some options for expressing his emotions that aren’t available to most people. For example, calling the White House. Well, anyone can call the White House, but most of us won’t get through to the Oval Office. It’s not clear whether Zuckerberg did, either, but he called.
“I’ve called President Obama to express my frustration over the damage the government is creating for all of our future. Unfortunately, it seems like it will take a very long time for true full reform,” he wrote.
“So it’s up to us — all of us — to build the internet we want. Together, we can build a space that is greater and a more important part of the world than anything we have today, but is also safe and secure. I’m committed to seeing this happen, and you can count on Facebook to do our part.”
As name-droppy and petulant as that all may sound, Zuckerberg is right about much of it. True reform, however you’d like to define that, always takes a long time, and that’s especially true when you’re talking about things as important and controversial as national security, surveillance and privacy. People feel a lot of feelings about these topics, and justifiably so. There has been a lot of healthy debate around all of this, and that should continue. But nothing moves quickly in Washington, and changes to the NSA’s mission or priorities won’t be the exception.
More importantly, Zuckerberg is correct that it’s up to us to build the Internet we want. So far, that Internet is a broken, compromised ad platform that’s only good for pictures of kittens and GIFs of dumb celebrities doing dumb things. And that’s fine if that’s the Internet you want. But if you’re interested in something that’s a little more useful and usable and secure, it’s going to take a lot of effort. Security is hard and security at the scale of the Internet has proven to be incredibly hard.
But that doesn’t mean we should cede what ground we’ve gained thus far to governments or attackers or other adversaries. That’s what they’re counting on, and if we give it to them, then we have no one to blame but ourselves.
Image from Flickr photos of Robert Scoble.
VANCOUVER – One is the bug hunter, the other the exploit specialist.
Fang Jiahong and Liang Chen represented the Keen Team at Pwn2Own on Thursday, starting off the second day of the annual exploit festival with a quick takedown of Apple’s Safari browser. They then wrapped up the contest with a successful zero-day exploit of Adobe Flash, the second time the Adobe product was toppled.
For 2½ years, this emerging team of eight vulnerability researchers and exploit developers from China has nudged its way into the fray that is bug hunting and exploitation. Today’s Pwn2Own Safari win netted the Keen Team a $65,000 prize; the Flash bug $75,000. They said they will donate a portion of their winnings to charities representing the families of the missing Malaysian Airlines flight MH370.
Last November, the Keen Team won the Mobile Pwn2Own contest in Japan, cracking iOS 7.0.3 three weeks after the update was available to users. The victory was the first for a Chinese collective since the contest began six years earlier.
Jiahong and Chen, along with the remaining members of Keen Team, have known each other for the better part of a decade, beginning their careers working for Microsoft after graduating from Jiao Tong University in Shanghai with degrees in information security.
Jiahong’s passion, he said, is digging for vulnerabilities, not only in Apple’s various platforms, but also for Microsoft products and mobile platforms. Android is his current area of focus.
“Liang is good at exploiting issues in different systems, advanced exploitations,” Jiahong said. “We have several people working on vulnerability digging, new ways of finding vulnerabilities and researching into other areas of infosec like Web security and mobile. We have a team of people focusing on vulnerability studies including exploitation.”
For their Pwn2Own Safari win, Chen said Keen Team chained two vulnerabilities. The first, a heap overflow in Safari’s WebKit engine, gave them arbitrary code execution inside the browser process. That wasn’t enough to pwn the underlying OS X Mavericks system, because the code was still confined by the Safari sandbox; Chen said a second vulnerability was needed to get out.
“We utilized another system vulnerability to bypass the sandbox to get a process running in the user’s context,” he said. The bugs were disclosed to HP’s Zero Day Initiative, which sponsored Pwn2Own and bought all of the vulnerabilities exploited during the contest. Apple was present as well for the disclosure.
“I think the Webkit fix will be relatively easy,” Chen said. “The system-level vulnerability is related to how they designed the application; it may be more difficult for them.”
Chen said the big challenge was bypassing the Safari sandbox because the exposed attack surface is so small compared to Internet Explorer, for example.
“For Apple, the OS is regarded as very safe and has a very good security architecture,” Chen said. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”
Jiahong can now focus on finding bugs in mobile operating systems, Android in particular. Android’s fragmentation—multiple vendors and hardware carriers each with their own flavor of Android and update policies—requires deeper study of the OS compared to iOS. Researchers, he said, focus only on the latest version of iOS because most users are on the latest rev.
“Google has been very good about security, but vendors write their own code or hardware vendors write their own kernel modules and drivers,” Jiahong said. “Your (research) methodology may not apply to every system.”
VANCOUVER – Successful exploits at the Pwn2Own contest get all the glitz, but the rarities are the exploits that fail.
A group of four young South Korean hackers from ASRT, all of them well shy of their thirtieth birthdays, stood proxy for Jung Hoon Lee. Lee was home fulfilling a military obligation, a promise that kept him from seeing his Internet Explorer 11 exploit come up short Thursday morning.
HP’s Zero Day Initiative, sponsor of the event, said it bought the vulnerability regardless and worked with the researchers on breaking down the details. As with every bug ZDI purchases, the particulars will also be shared with the affected vendor, in this case Microsoft.
Registrants at Pwn2Own have 30 minutes to demonstrate their exploit and verify it works by executing the calculator application on the underlying system. In this case, Lee’s exploit was chasing down a vulnerability in IE 11 on a fully patched 64-bit Windows 8.1 machine. A successful exploit would have been worth $100,000.
Generally, entrants in Pwn2Own withdraw if there are difficulties with their exploits. On Tuesday, Microsoft rolled out another patch for Internet Explorer. The cumulative rollup, a regular Patch Tuesday update, repaired a zero-day in Internet Explorer 10 being used in targeted attacks, including Operation SnowMan targeting the U.S. Veterans of Foreign Wars and a separate attack on a French aerospace manufacturer. It was not disclosed whether the patch affected the Lee exploit.
The failure of Lee’s exploit was in stark contrast to others demonstrated to that point, including one by German researcher Sebastian Apelt of Siberas who succeeded against IE 11. Apelt’s exploit worked in less than a minute and was good for $100,000. Earlier on Thursday, a pair of Chinese hackers from the Keen Team successfully exploited a zero-day vulnerability in Apple’s Safari browser to gain control of a MacBook running OS X Mavericks. That exploit was worth $65,000 and the members of Keen Team announced they would donate a portion of that to Malaysian charities.
Soon after the IE setback, Pwn2Own regular George Hotz took down Firefox to collect a $50,000 prize. Hotz is perhaps better known for his jailbreaking exploits against the iPhone and the PlayStation gaming console. Hotz’s attack against Firefox was the fourth time zero-days were exploited in the Mozilla browser during the two-day event.
Hackers from French exploit vendor Vupen took down both Internet Explorer and Firefox on Wednesday as part of a $350,000 haul. Vupen also beat Adobe Reader and Flash. On Thursday, Vupen had another exploit, for Chrome, worth another $100,000. Once the Keen Team popped Safari today, Vupen withdrew its Safari bug. It had also withdrawn its Java entry on Wednesday.
Vupen founder Chaouki Bekrar said his researchers spent two months preparing for Pwn2Own and had little trouble with IE 11 yesterday, using a use-after-free vulnerability combined with an “object confusion” to bypass the IE sandbox.
“It’s definitely getting harder to exploit browsers, especially on Windows 8.1,” Bekrar said. “Exploitation is harder and finding zero-days in browsers is harder.”
Vupen’s successful exploit of Firefox on Wednesday also took advantage of a different use-after-free zero day to bypass ASLR and DEP memory protections in Windows. Bekrar said the bug was found through the use of fuzzers against 60 million test cases.
“That proves Firefox has done a great job fixing flaws; the same for Chrome,” Bekrar said. “Chrome has the strongest sandbox, so that’s even more difficult to create exploits for.”
ZDI announced prior to the event it would buy all the Pwn2Own bugs at a price of close to $1.1 million.
The NSA on Thursday responded to media reports that it has been impersonating Facebook and other sites in order to compromise surveillance targets’ machines, saying that the agency “does not use its technical capabilities to impersonate U.S. company websites.”
It is relatively rare for the NSA to respond directly to reports about its technical capabilities or surveillance methods, even considering the massive volume of reports that have come out in the last nine months about the agency. On Wednesday, The Intercept, citing documents supplied by NSA leaker Edward Snowden, reported that the agency sometimes impersonated Facebook servers as a way to attract targets. The operation was part of a plan to infect millions of machines with the agency’s special brand of malware, according to the report.
It’s well-known that the NSA’s Tailored Access Operations (TAO) unit, which does much of the agency’s offensive work, has a wide range of technical capabilities at its disposal. Typically the unit’s efforts are deployed in small, targeted operations. But the allegation that the agency is now performing large-scale compromises of machines changes that equation.
However, the NSA said in a statement that the allegations are false and that the agency does not perform broad, indiscriminate exploitation operations.
“Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which the capability must be employed,” the statement from the NSA Public Affairs Office says.
A good portion of the discussion around the NSA revelations of the last few months has involved whether the agency has overstepped its bounds and abandoned its legal mission of conducting foreign intelligence operations. U.S. citizens are supposed to be off-limits for NSA operations, except in specific circumstances. The agency says its operations don’t target users indiscriminately.
“NSA’s authorities require that its foreign intelligence operations support valid national security requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false,” the statement says.
Several Samsung Galaxy devices are said to have a backdoor that could give an attacker “over-the-air remote control” that could be used to access the phone’s file system and turn some devices into spying tools.
Developers behind the Replicant project, a CyanogenMod-based, fully free Android distribution, found the backdoor in the proprietary software shipped on “most proprietary Android systems” running on Galaxy devices. The Nexus S, Galaxy S, Galaxy S2, Galaxy Note, Galaxy Nexus, both the seven-inch and 10.1-inch Galaxy Tab 2, and the Galaxy Note 2 are all affected.
Technically the problem lies in a program, Samsung’s proprietary implementation of Android’s Radio Interface Layer (RIL), that runs on the device’s application processor and is in charge of handling communication with the modem, the baseband processor. The RIL speaks Samsung’s IPC protocol to the modem, and that protocol includes a class of requests, the RFS commands, that lets the modem “perform remote file I/O operations on the file system” of the application processor.
The program affords the modem the ability to read, write and delete files on the phone’s storage, according to Replicant developer Paul Kocialkowski in a write-up on the backdoor published yesterday on the Free Software Foundation’s blog.
Kocialkowski goes on to explain that the program is shipped with the aforementioned Galaxy devices and that the way it’s implemented on certain devices gives it sufficient rights to access and modify user data.
Even when the modem is isolated and cannot directly access the storage, the backdoor can provide remote access to the phone’s data, something Kocialkowski stresses is simply “unacceptable behavior,” regardless of whether it’s something Samsung knew about.
“It is possible that these were added for legitimate purposes without the intent of doing harm by providing a back door,” Kocialkowski said of the RFS commands. “Nevertheless, the result is the same and it allows the modem to access the phone’s storage.”
A further in depth analysis of the backdoor shows that some of the RFS commands are so obviously titled (IPC_RFS_READ_FILE, IPC_RFS_WRITE_FILE, IPC_RFS_RENAME_FILE, etc.) that it’s clear they perform I/O operations on the file system.
Replicant goes on to claim that the commands “were not found to have any particular legitimacy nor relevant use-case,” making it even more interesting that they’re there.
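As an added illustration (not Replicant’s or Samsung’s code), the following C models the request path described above: the modem hands the RIL an RFS command naming a file, and the RIL, running on the application processor with its own privileges, acts on it. `rfs_policy_unchecked` is the backdoor pattern, honouring whatever path the modem names; `rfs_policy_hardened` is what a dispatcher that genuinely needed to serve modem file requests would have to do at minimum: restrict the command set, require a terminated path, normalise it lexically and confine it to one directory tree. The command numbers, the request layout and the choice of /efs/ as the only permitted tree are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Command names are the ones Replicant found in the RIL; the numeric values,
 * the request layout and the /efs policy below are assumptions for this example. */
enum rfs_cmd {
    IPC_RFS_READ_FILE   = 1,
    IPC_RFS_WRITE_FILE  = 2,
    IPC_RFS_RENAME_FILE = 3,
};

struct rfs_request {
    enum rfs_cmd cmd;
    char path[128];            /* file name chosen by the modem */
};

#define RFS_ROOT "/efs/"       /* assumed: the only tree the modem has any use for */

/* The backdoor pattern: the RIL does whatever the modem asks, on whatever path it
 * names, with the RIL's own privileges. Returns 0, meaning "honour it", always. */
int rfs_policy_unchecked(const struct rfs_request *req) {
    (void)req;
    return 0;
}

/* Lexical normalisation of an absolute path: collapse repeated '/', drop '.'
 * segments, refuse '..' outright so nothing can climb out of RFS_ROOT.
 * Returns 0 and writes the normalised path into out (size n) on success. */
static int normalize_path(const char *in, char *out, size_t n) {
    if (in[0] != '/' || n < 2) return -1;
    size_t o = 0;
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;                      /* skip one or more separators */
        if (*p == '\0') break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;    /* "." adds nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return -1;   /* no traversal */
        if (o + 1 + len + 1 > n) return -1;          /* '/' + segment + NUL must fit */
        out[o++] = '/';
        memcpy(out + o, seg, len);
        o += len;
    }
    if (o == 0) out[o++] = '/';                      /* input was just "/" */
    out[o] = '\0';
    return 0;
}

/* Hardened dispatcher: only read/write (no rename/delete), only a NUL-terminated
 * path, only under RFS_ROOT after normalisation. On success returns 0 and stores
 * the path that would actually be opened in resolved (size n). */
int rfs_policy_hardened(const struct rfs_request *req, char *resolved, size_t n) {
    if (req->cmd != IPC_RFS_READ_FILE && req->cmd != IPC_RFS_WRITE_FILE) return -1;
    if (memchr(req->path, '\0', sizeof req->path) == NULL) return -1;   /* unterminated */
    if (normalize_path(req->path, resolved, n) != 0) return -1;
    if (strncmp(resolved, RFS_ROOT, strlen(RFS_ROOT)) != 0) return -1;  /* outside tree */
    return 0;
}

/* Demo helper: build a request from a modem-supplied path and run the hardened
 * policy. Returns 1 if accepted and (when expected is non-NULL) resolved to it. */
int rfs_resolves_to(enum rfs_cmd cmd, const char *path, const char *expected) {
    struct rfs_request req;
    char resolved[128];
    req.cmd = cmd;
    strncpy(req.path, path, sizeof req.path);        /* may leave it unterminated on purpose */
    if (rfs_policy_hardened(&req, resolved, sizeof resolved) != 0) return 0;
    return expected == NULL || strcmp(resolved, expected) == 0;
}

int main(void) {
    /* Constructed probe paths, not traffic captured from a real modem. */
    const char *probes[] = {
        "/efs/nv_data.bin", "/efs/./nv_data.bin", "//efs//nv_data.bin",
        "/efs/../data/data/com.example/secret", "/sdcard/DCIM/photo.jpg", "/efsx/evil",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        char resolved[128];
        struct rfs_request req = { IPC_RFS_READ_FILE, "" };
        strncpy(req.path, probes[i], sizeof req.path);
        printf("%-40s unchecked=%s hardened=%s\n", probes[i],
               rfs_policy_unchecked(&req) == 0 ? "allow" : "deny",
               rfs_policy_hardened(&req, resolved, sizeof resolved) == 0 ? "allow" : "deny");
    }
    return 0;
}
```

Lexical checks alone do not defeat symlinks planted inside the permitted tree; a real implementation would open the normalised path with O_NOFOLLOW and verify what it got with fstat before serving the modem. Whether any RFS access by the modem is justified at all is a separate question; Replicant’s position, quoted above, is that it is not.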
Samsung didn’t immediately respond to a request for comment on Thursday. Dan Rosenberg, a security researcher who has done a lot of work on Android security, said on Twitter that he confirmed that some versions of the Galaxy S4 and Note 3 also are affected by this issue.
It was almost a year ago that an Italian researcher discovered half a dozen bugs in some of the company’s devices, including some that allowed attackers to send premium SMS messages without permission and change a user’s settings without their knowing.
Most recently, in January, researchers from Israel determined that it was possible to bypass a secure virtual private network connection on Samsung Galaxy S4 devices and redirect traffic in clear text to an attacker.
A recent watering-hole attack targeted firms in the energy sector using a compromised site belonging to a law firm that works with energy companies and led victims to a separate site that used the LightsOut exploit kit to compromise their machines.
The attack, which was active during late February according to researchers at Zscaler, follows a familiar pattern seen in many other such attacks. It began with the compromise of a law firm’s site at 39essex[.]com and when users hit the site, they were redirected to a third-party site, which hosted the exploit kit. When victims visited the second compromised site hosting the kit, it performed a number of diagnostic tests on the user’s browser to see what sort of exploits should be delivered.
The kit checks to see whether Java is running, whether the user is running Internet Explorer and what version of Adobe Reader is installed. Once that information is gathered, the LightsOut exploit kit goes to work, firing exploits against the user’s machine.
“Ultimately, a payload is delivered from the LightsOut Exploit kit, which attempts to drop a malicious JAR file exploiting CVE-2013-2465. At the time of research, the binary file was no longer available, which suggests that the attack window has now closed for this particular watering hole. However, other security sources tell us that the site used in the attack is also a known HAVEX RAT CnC,” Chris Mannon of Zscaler wrote in an analysis of the attack.
This most recent attack shares a lot of traits with one that ran last fall, and also targeted firms in the energy and oil sector. In that watering hole attack, the attackers were using Java, IE and Firefox exploits and the malware delivered was used to record system configurations and data on the clipboard and from the keyboard.
The researchers at Zscaler said that the similarities between the two attacks are likely not a coincidence.
“It would seem that the attackers responsible for this threat are back for more,” Mannon said.
Image from Flickr photos of Joe Stump.
The term metadata and the implications of its collection and analysis have been one of the key points in the debate surrounding the NSA’s broad surveillance programs over the last year. Legislators, policy makers and others continue to argue about whether metadata can actually reveal anything about the people behind the phone numbers, but researchers who have studied a new data set say there should be no doubt: metadata is sensitive information.
Researchers at Stanford University’s Security Lab and Society last fall spun up a new program called MetaPhone designed to gather metadata from volunteers’ Android phones and then analyze the data to see what conclusions they could draw. The project’s 546 participants called more than 33,000 unique numbers during the study period, and the Stanford researchers were able to infer highly sensitive information about some of the volunteers, including serious medical conditions, gun ownership and other data.
“At the outset of this study, we shared the same hypothesis as our computer science colleagues—we thought phone metadata could be very sensitive. We did not anticipate finding much evidence one way or the other, however, since the MetaPhone participant population is small and participants only provide a few months of phone activity on average,” Jonathan Mayer of Stanford wrote in a post revealing some of the results of the MetaPhone project.
“We were wrong. We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window.”
By using the data collected from their volunteers’ phones, along with information from public sources such as Google Places and Yelp to help identify the callers’ contacts, the Stanford researchers were able to discover that their volunteers were calling a large variety of businesses that could be considered sensitive. Doctors’ offices, medical device companies, churches, gun shops and even marijuana dispensaries popped up on the list. Some people also called alcohol rehabilitation programs and family planning clinics.
“The degree of sensitivity among contacts took us aback. Participants had calls with Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more. This was not a hypothetical parade of horribles. These were simple inferences, about real phone users, that could trivially be made on a large scale,” Mayer said.
The conclusion, Mayer said, is clear: Metadata can reveal sensitive information. NSA officials, lawmakers and even President Obama have maintained that metadata does not constitute sensitive information because it doesn’t include the content of calls. Metadata, in general, includes the originating and terminating numbers of a call as well as the length of the call.
“The dataset that we analyzed in this report spanned hundreds of users over several months. Phone records held by the NSA and telecoms span millions of Americans over multiple years. Reasonable minds can disagree about the policy and legal constraints that should be imposed on those databases. The science, however, is clear: phone metadata is highly sensitive,” Mayer wrote.
Image from Flickr photos of Mathias Ripp.
VANCOUVER – The prelude to the annual Pwn2Own contest between sponsor HP’s Zero Day Initiative and Pwnium contest sponsor Google produced not only zero-day exploits for Internet Explorer and Safari, but some skepticism about whether the exploits and details on the vulnerabilities were held for the contest.
The event, known as Pwn4Fun, featured researchers from the two companies who demonstrated exploits against previously unreported vulnerabilities in the Apple and Microsoft browsers. Successful exploitation resulted in more than $80,000 donated to the Red Cross of Canada.
Still, some experts have questioned how long the two companies knew about the vulnerabilities they exploited and questioned why they hadn’t reported them sooner.
Aaron Portnoy of Exodus Intelligence was the loudest among a chorus of critics who took to Twitter to condemn the contest, accusing Google in particular of hypocrisy given its past criticism of companies that withheld details on vulnerabilities and exploits or shared them only with customers.
“What angers me is the blatant hypocrisy originating from the Google team members who run Pwnium, Pwn4Fun and Pwn2Own against other researchers who have sat on 0day,” Portnoy said. “Watching Google take the moral high ground only when it is convenient angers me—and even more so the fact that nobody wants to call them on it.”
Google security engineer Chris Evans told Threatpost that Google had shared the vulnerability with Apple beforehand.
“Google has a policy of not withholding vulnerability details, and the vulnerabilities demonstrated today had already been reported to the vendor,” Evans said. “This morning, we demonstrated exploits for these vulnerabilities as part of the competition.”
Google kicked off Pwn4Fun with a run at Safari running on a fully patched MacBook. The successful exploit was good for $32,500 to the Canadian Red Cross. An hour later, HP’s Jasiel Spelman, Matt Molinyawe, and Abdul-Aziz Hariri took down Internet Explorer, a zero day worth $50,000 to the same charity.
HP’s Zero Day Initiative purchased the two bugs, as well as all of the vulnerabilities to be exploited during the Pwn2Own contest; 15 successful exploits during the two-day event would result in close to $1.1 million in payouts.
Google did not share details on the Safari vulnerability. HP ZDI said it exploited a use-after-free vulnerability and a sandbox bypass to gain code execution with process continuation, meaning the exploit did not visibly crash the browser. The company said it also disclosed six more IE zero-day vulnerabilities to Microsoft.
“Thinking of user safety, it’s too soon to share details about the exploits or bugs they are based on. We do believe in open sharing within the security community so that we can all learn from each other and push internet security forward,” Evans said via email. “Accordingly, we’ll be publishing details on one of our blogs in the future.”
HP’s Brian Gorenc, manager of vulnerability research for the ZDI, told Threatpost that it was not withholding a zero-day vulnerability for use in the contest.
“We are responsibly disclosing several vulnerabilities and techniques at an event built around responsible disclosure,” Gorenc said. “While we will be demonstrating the exploit publicly, the techniques and vulnerability details will be kept private.”
Gorenc said HP ZDI will provide Microsoft with a white paper that includes a full analysis of the IE vulnerabilities exploited and techniques used in the contest, the same process Pwn2Own contestants must follow as well.
“Vendors are then given 120 days to fix the security flaws, a pretty significant window of time,” Gorenc said. “The time that ZDI spends analyzing all sorts of software helps to secure the internet – which is why contests like Pwn2Own are so important in helping the industry keep dangerous vulnerabilities out of the black market.”
VANCOUVER – A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes.
A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS.
“The Early Random PRNG in iOS 7 is surprisingly weak,” said Tarjei Mandt senior security researcher at Azimuth Security. “The one in iOS 6 is better because this one is deterministic and trivial to brute force.”
The Early Random PRNG is important to securing the mitigations used by the iOS kernel.
“All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,” Mandt said. “It must provide sufficient entropy and non-predictable output.”
The PRNG launches at boot and provides entropy to various kernel exploit mitigations, Mandt said.
Those mitigations include physical kernel map randomization, stack-check guard, zone cookie protections, and kernel map randomizations. Those mitigations are important memory protections that keep the kernel safe from buffer overflow attacks and other exploits targeting how memory is allocated and where code is safely allowed to execute.
iOS 6’s PRNG, Mandt said, suffered from poor entropy sources and poor use of the seed data used to generate outputs. As in its OS X counterpart, the PRNG in iOS 6 derived its output from Mach absolute time, a clock value.
“It could return the same value over and over because it was reliant on clock information,” Mandt said.
This was supposedly addressed in iOS 7 where time-based correlation issues were avoided through the use of a Linear Congruential Generator (LCG). The LCG in iOS 7 leverages information from four state generations, Mandt said, each one producing 16 bits of output. Each time, the lower three bits of each piece of output are discarded because they are considered weak.
Mandt said there are generally known problems associated with LCGs, including serial correlation between outputs making them susceptible to brute force attacks.
Mandt stressed that it is difficult to defend against an attacker who has already exploited an existing vulnerability in iOS or even OS X and is able to then monitor PRNG outputs.
“Having fewer state generations per output makes this less practical,” he said. “This prevents brute forcing of the internal state using a single output.”
Mandt also suggested Apple could avoid the use of weak bits by passing output through a tempering function or by choosing a PRNG with less correlation between outputs. Hardening the mitigations themselves could help too, he said; that could include XOR-encrypting stack cookies.
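To make the weakness concrete, here is an added example (not Mandt’s code and not Apple’s) that models an early_random()-style generator with the shape described above: a 32-bit LCG stepped four times per output, each step contributing its top 16 bits minus the three weakest, and then recovers the generator’s state from a single output by brute force and predicts the next one. The multiplier and increment are stand-ins (the page does not give Apple’s constants), as are the exact bit positions; the recovery works the same way for any constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed LCG parameters: 32-bit state and the widely used 1103515245/12345 pair.
 * The page gives neither the multiplier nor the increment iOS 7 uses, so these are
 * stand-ins; the attack below does not depend on the specific values. */
#define LCG_A 1103515245u
#define LCG_C 12345u
#define CHUNK_BITS 13                         /* 16 bits taken per generation, lowest 3 dropped */
#define CHUNK_MASK ((1u << CHUNK_BITS) - 1u)
#define LOW_BITS (32 - CHUNK_BITS)            /* state bits a chunk does not reveal (19) */

static uint32_t lcg_step(uint32_t s) { return s * LCG_A + LCG_C; }

/* One output in the shape described in the talk: four state generations, each
 * contributing the top 16 bits of the state minus its three "weak" low bits,
 * concatenated into a 52-bit value. */
uint64_t early_random(uint32_t *state) {
    uint64_t out = 0;
    for (int i = 0; i < 4; i++) {
        *state = lcg_step(*state);
        uint32_t chunk = ((*state >> 16) & 0xFFFFu) >> 3;   /* == state bits 19..31 */
        out = (out << CHUNK_BITS) | chunk;
    }
    return out;
}

/* The (skip+1)-th output produced from a given seed; demo convenience. */
uint64_t output_after(uint32_t seed, int skip) {
    uint32_t s = seed;
    uint64_t out = early_random(&s);
    for (int i = 0; i < skip; i++) out = early_random(&s);
    return out;
}

/* Multiplicative inverse of LCG_A modulo 2^32 by Newton iteration (A is odd, so
 * A*A == 1 mod 8 gives 3 correct bits; each round doubles them). */
uint32_t lcg_a_inverse(void) {
    uint32_t x = LCG_A;
    for (int i = 0; i < 5; i++) x *= 2u - LCG_A * x;
    return x;
}

/* Recover the state from a single output. The first chunk exposes 13 bits of the
 * state after generation one, leaving 2^19 candidates; the other three chunks are
 * 39 bits of check data, far more than needed to single out the right one.
 * On success returns 1 and stores the state as it was before the call. */
int recover_seed(uint64_t out, uint32_t *seed) {
    uint32_t c[4];
    for (int i = 0; i < 4; i++)
        c[i] = (uint32_t)((out >> (CHUNK_BITS * (3 - i))) & CHUNK_MASK);
    for (uint32_t low = 0; low < (1u << LOW_BITS); low++) {
        uint32_t s1 = (c[0] << LOW_BITS) | low;   /* candidate state after step one */
        uint32_t s = s1;
        int ok = 1;
        for (int i = 1; i < 4 && ok; i++) {
            s = lcg_step(s);
            ok = ((s >> LOW_BITS) & CHUNK_MASK) == c[i];
        }
        if (ok) {
            *seed = (s1 - LCG_C) * lcg_a_inverse();   /* undo the first step */
            return 1;
        }
    }
    return 0;
}

/* Single-value wrappers: -1 on failure. */
int64_t recovered_seed(uint64_t out) {
    uint32_t seed;
    return recover_seed(out, &seed) ? (int64_t)seed : -1;
}

/* Predict the output that follows an observed one: rewind to the seed and replay. */
int64_t predicted_next(uint64_t observed) {
    uint32_t s;
    if (!recover_seed(observed, &s)) return -1;
    (void)early_random(&s);                     /* reproduces the observed output */
    return (int64_t)early_random(&s);           /* the value the kernel will use next */
}

int main(void) {
    uint32_t boot_state = 0xDEADBEEFu;          /* constructed seed; a real one is unknown */
    uint64_t leaked = output_after(boot_state, 0);
    printf("observed %013llx\n", (unsigned long long)leaked);
    printf("seed     %08llx (expected %08x)\n",
           (unsigned long long)recovered_seed(leaked), boot_state);
    printf("next     %013llx (actual %013llx)\n",
           (unsigned long long)predicted_next(leaked),
           (unsigned long long)output_after(boot_state, 1));
    return 0;
}
```

With four generations per output, the first chunk pins 13 bits of the state and the other three supply 39 bits of check data, so the 2^19 remaining candidates are eliminated in well under a second; once the state is known every past and future value the mitigations drew from the generator is known too. If each output consumed a single generation instead, one output would expose 13 bits and no check data, which is what the “fewer state generations per output” suggestion above buys. It does not help against an attacker who can observe several consecutive outputs, since the later ones then serve as the check data.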
Mandt said he did not disclose the issue to Apple, representatives of which, he said, requested to see his slides 15 minutes before his presentation today.
“Quite a bit of mitigations rely on the PRNG,” Mandt said. “If the generator is broken, all of this is pretty much useless.”
VANCOUVER – It’s become a familiar walk for Chaouki Bekrar. Year after year at the Pwn2Own contest, the controversial Vupen founder hurries from a small room in the basement of the Sheraton hotel to a suite several floors above. It’s a short journey from where a string of zero-day exploits are executed to where formal disclosure is made to the vendor in question. It’s also where payment is arranged, and on this day, exclusivity is promised to HP’s Zero Day Initiative.
Bekrar made this trek four times on Wednesday, earning close to $400,000 in the process and cementing his place as perhaps one of the most divisive people in security. Vupen, a French company, is well known as an exploit vendor, and its magnetic figurehead stands by his well-worn mantra that the zero-days they develop are exclusively for customers, a list that includes a number of NATO governments. Vupen, Bekrar said, will not sell zero-days to repressive regimes.
“I believe our industry is now normal business,” Bekrar said. “Now a lot of companies, most in the U.S., are doing the same research as Vupen and selling to government customers. It’s become common and nothing surprising.”
“Not one of our exploits have ever been discovered in the wild,” Bekrar added. “All of our customers use exploits in a targeted way for specific national security missions.”
Vupen, like other research outfits, used to disclose zero-day vulnerabilities to vendors, but that changed in 2010 because most vendors were reluctant to support bug bounty programs or compensate bug hunters.
“We were trying to convince vendors to put bounties in place and no one accepted this,” Bekrar said. “We moved to another model which is a paid subscription model; the aim for us is the same, protect our customers.”
Now, Google, Facebook, Yahoo and many other technology companies have instituted some sort of bug bounty program. Microsoft’s take on bounties—paying for mitigation bypasses—was admittedly a shot across the bow of exploit vendors such as Vupen and a reaction to a growing trend of researchers no longer disclosing directly to Microsoft but instead through a broker.
“I’ve been working on this for a while and this is the first time the research told us that the majority of people were going through brokers,” said Microsoft senior security strategist Katie Moussouris in June when the program launched. “If we can find these holes as early as possible, we can protect against whole classes of attack. We don’t want to wait for a third party.”
Microsoft has paid out a pair of $100,000 bounties for bypasses of its ASLR and DEP mitigations in Windows. A similar program for Internet Explorer vulnerabilities—with smaller payouts—was also launched but only for a month.
“They have a bounty for techniques, however the number of techniques is limited,” Bekrar said. “So the scope of the bounty is pretty small.”
Bekrar and his team of Vupen researchers did earn a $100,000 payout today for the IE 11 zero-day. He said the Vupen exploit leveraged a use-after-free vulnerability combined with an “object confusion” to bypass the IE sandbox.
“It’s definitely getting harder to exploit browsers, especially on Windows 8.1,” Bekrar said. “Exploitation is harder and finding zero-days in browsers is harder.”
Vupen also successfully exploited Firefox, using another use-after-free bug to bypass the ASLR and DEP memory protections in Windows.
“The Firefox zero-day we used today we found it through fuzzing, but it required 60 million test cases. That’s a big number,” Bekrar said. “That proves Firefox has done a great job fixing flaws; the same for Chrome. Chrome has the strongest sandbox, so that’s even more difficult to create exploits for.”
Vupen has a Chrome zero day it plans to exploit tomorrow possibly for another $100,000. It is also registered for a try at Safari, but the Keen Team is first on the docket against Safari and depending on what happens there, Bekrar said Vupen may not try its Safari zero day. Vupen also withdrew a planned Java exploit that required a click-to-play bypass that offered a $30,000 prize.
Vupen also successfully exploited Adobe Reader and Flash running in Internet Explorer 11 on a patched 64-bit Windows 8.1 machine. Each of the Adobe vulnerabilities and exploits was worth $75,000.
The Adobe Reader exploit was the first of Pwn2Own. Vupen chained together a heap overflow exploit and a native PDF sandbox escape to beat Reader XI. The Flash exploit, meanwhile, required three zero-days, Bekrar said, a use-after-free, a JIT spray and a sandbox escape.
“The first motivation for coming to Pwn2Own is the challenge to show that even the most secure browsers and products can still be compromised,” Bekrar said, adding that all of the exploits used at Pwn2Own were developed for the contest and were not shared with customers beforehand.
Mozilla had a busy day with three zero-days disclosed against Firefox. Beyond Vupen, Mariusz Mlynski, a Polish researcher who has been credited with reporting dozens of Firefox bugs, and Juri Aedla, a frequent Chrome bug-finder, won $50,000 each for toppling the Mozilla browser.
More than 162,000 “popular and clean” WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system’s pingback feature.
While the WordPress team is aware of the issue it’s not expected to be patched as it’s a default feature on WordPress, not a flaw, meaning it’s a problem that will likely be left up to site developers to mitigate.
Attackers abused a number of sites that had the feature enabled; pingbacks are essentially XML-RPC requests that make it easy for blogs to cross-reference other blog posts.
Daniel Cid, the CTO of security firm Sucuri, described the attack, which took down an undisclosed website belonging to one of the firm’s clients, in a blog post on Monday.
According to Cid the attack appears to have used the application-layer (Layer 7) HTTP flood style of DDoS, which is harder to detect because the requests look like they’re coming from legitimate sites.
In this case they were legitimate sites, 162,000 of them, sending “random requests at a very large scale” to the target’s server, each one carrying a randomized value that bogged the site down by bypassing its cache and forcing a full page load every time.
Unlike conventional DDoS attacks that use NTP and DNS, this attack, reflective in nature, used the websites as indirect source amplification vectors. While WordPress sites were the victim this time around, experts say any site could technically be tweaked to dole out this kind of flood attack.
“We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk,” Cid wrote.
Since the POST requests were sent to /xmlrpc.php, they’re easy to find in logs, so Cid is encouraging WordPress developers to check theirs to ensure that their sites aren’t vulnerable and attacking other WordPress sites.
Users can look through logs for POST requests to the XML-RPC file, like the two below:
188.8.131.52 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A\x0A\x0Ahttp://fastbet99.com/?1698491=8940641\x0A\x0A\x0A\x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
184.108.40.206 - - [09/Mar/2014:23:21:01 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A \x0A \x0A http://www.guttercleanerlondon.co.uk/?7964015=3863899\x0A \x0A \x0A \x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
Developers can also use a scanner the firm came up with this week to check their logs and tell whether certain WordPress sites are DDoSing other websites.
If found, Cid says users can remedy the situation either by disabling XML-RPC pingbacks or by creating a plugin that adds a filter to block this kind of pingback. Users interested in learning how to do that can head over to Sucuri’s blog.
As Johannes B. Ullrich, chief technology officer at the SANS Technology Institute adds, removing xmlrpc.php is not a recommended option as it will “break a number of other features that will use the API.”
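To make the log check above concrete, here is an added Python example (not Sucuri’s scanner or any code from the article) that parses access-log lines in the format quoted above, pulls out the pingback.ping calls, and reports which clients sent them and which host is being hit with ever-changing cache-busting query strings. It assumes the server logs the POST body in a trailing quoted field, as in the quoted lines; the sample log is constructed.

```python
"""Find pingback floods in an access log and tell reflector from victim.

Added example, not code from Sucuri or the article. It scans access-log lines
for POST /xmlrpc.php calls whose logged request body carries pingback.ping,
counts which clients sent them, how many this site accepted, and which remote
host the site was asked to fetch with ever-changing query strings (the
cache-busting pattern the article describes). The log format, including the
body field, is assumed to match the lines quoted in the article; the sample
below is constructed with documentation addresses and placeholder hosts.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional
from urllib.parse import urlsplit

# Constructed sample: three pingback calls from two clients, plus one ordinary GET.
SAMPLE_LOG = r'''192.0.2.10 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A\x0A\x0Ahttp://example.net/?1698491=8940641\x0A\x0A \x0A yoursite.com\x0A \x0A\x0A"
192.0.2.10 - - [09/Mar/2014:20:11:35 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A \x0A http://example.net/?7964015=3863899\x0A \x0A \x0A yoursite.com\x0A \x0A\x0A"
198.51.100.7 - - [09/Mar/2014:20:11:36 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Mar/2014:20:12:01 -0400] "POST /xmlrpc.php HTTP/1.0" 200 400 "-" "WordPress/3.8" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0Ahttp://example.net/?41\x0A\x0A yoursite.com\x0A"
'''


class Pingback(NamedTuple):
    client_ip: str     # host that posted the XML-RPC call to this site
    status: str        # HTTP status this site returned (200 = pingback accepted)
    source_uri: str    # page this site is asked to fetch: the real flood victim
    target_uri: str    # page on this site the pingback claims to link to


LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<body>.*)")?$')


def parse_pingback(line: str) -> Optional[Pingback]:
    """Return the pingback call carried by an access-log line, or None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith("/xmlrpc.php"):
        return None
    body = m["body"] or ""
    if "pingback.ping" not in body:
        return None          # other XML-RPC methods (mobile apps, Jetpack) are normal
    # The logged body has newlines escaped as the literal text \x0A; the two
    # method parameters (sourceURI, targetURI) are what is left after splitting.
    params = [p.strip() for p in body.split("pingback.ping", 1)[1].split(r"\x0A")]
    params = [p for p in params if p]
    if len(params) < 2:
        return None
    return Pingback(m["ip"], m["status"], params[0], params[1])


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Aggregate the pingback calls found in the given log lines."""
    hits = [p for p in map(parse_pingback, lines) if p is not None]
    queries_by_host = defaultdict(set)
    for p in hits:
        parts = urlsplit(p.source_uri)
        queries_by_host[parts.hostname or p.source_uri].add(parts.query)
    return {
        "pingbacks": len(hits),
        "accepted": sum(1 for p in hits if p.status == "200"),
        "by_client": dict(Counter(p.client_ip for p in hits)),
        # host -> number of distinct cache-busting query strings aimed at it
        "flood_targets": {h: len(q) for h, q in queries_by_host.items()},
    }


def flood_victims(summary: Dict[str, object], min_distinct: int = 2) -> List[str]:
    """Hosts this site was asked to fetch with at least min_distinct query strings."""
    targets: Dict[str, int] = summary["flood_targets"]  # type: ignore[assignment]
    return sorted(h for h, n in targets.items() if n >= min_distinct)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(s)
    print("being flooded through this site:", flood_victims(s))
```

A 403 on these lines means the call was refused; a 200 means the site accepted the pingback and went on to fetch the source URI, i.e. it took part in the flood.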
Google has fixed several serious security vulnerabilities in Chrome 33, just ahead of the Pwn2Own hacking competition at CanSecWest this week, which surely will reveal several more new bugs in the browser.
The company’s Chrome browser is always at the top of the target list for contestants in Pwn2Own, which rewards them with cash prizes for demonstrating exploits against previously unknown vulnerabilities in the major browsers. A team from VUPEN, along with individual researchers, are lined up to go after Chrome, Internet Explorer, Safari and Adobe Reader and Flash. Google also runs its own Pwnium contest in parallel with Pwn2Own and offers large rewards for new attacks against Chrome.
Pwn2Own is set to begin Wednesday and run through Thursday at the conference, and on Tuesday Google patched four high-risk flaws in Chrome.
High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.
Google likely will be releasing more patches for Chrome later this week as researchers demonstrate their new exploits.
An ever-shrinking number of vulnerable network time protocol (NTP) servers are being used with customized distributed denial of service (DDoS) toolkits to perform increasingly potent NTP amplification attacks.
According to the DDoS mitigation specialists at Prolexic, who issued a high alert DDoS attack threat advisory this morning, high-bandwidth NTP amplification DDoS attacks are up 371.43 percent in the last 30 days. This increase comes despite a high level of awareness that vulnerable NTP servers can be exploited to amplify DDoS attacks and a concerted effort throughout the security community to decrease the number of vulnerable NTP servers.
“During the month of February, we saw the use of NTP amplification attacks surge 371 percent against our client base,” said Stuart Scholly, a senior vice president and general manager of security at Akamai Technologies, which recently acquired Prolexic. “In fact, the largest attacks we’ve seen on our network this year have all been NTP amplification attacks.”
Not only did the overall number of NTP amplification attacks increase from January to February, but so too did the average peak bandwidth of DDoS attacks (up 217.97 percent) and the average peak volume of DDoS attacks (up 807.48 percent). In addition, such attacks are affecting more industries than ever as well, including the finance, gaming, e-commerce, Internet, media, education, software-as-a-service (SaaS), and security industries.
Perhaps the most exploitable aspect of NTP is the monlist request. One of the more recent and commonly deployed DDoS toolkits uses an NTP server’s own list of recent server connections – known as its monlist and containing as many as 600 IP addresses – as the payload to create malicious traffic at the target site. While the method is not new, Prolexic claims it is certainly garnering wider use than it previously has.
In their advisory, Prolexic notes that the ongoing effort to purge the Internet of vulnerable NTP servers is driving attackers to develop new tools enabling them to launch potent attacks with fewer servers. As their report makes clear, the existing vulnerable NTP servers are more than capable of reaching crippling DDoS amplification levels.
In a lab environment, Prolexic simulated NTP amplification attacks and found that the method could amplify the bandwidth and volume of DDoS attacks by 300 times and 50 times respectively. The company notes that the results of these tests reflect a “perfect storm” scenario and that real-world attacks would be less effective.
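An added example, not Prolexic’s or the article’s code, showing what a defender’s packet parser needs in order to recognise monlist traffic: it decodes the NTP mode 7 header, flags MON_GETLIST/MON_GETLIST_1 requests and responses, and totals response bytes against request bytes for one client-to-server flow. The packet bytes are constructed; the field layout follows the reference ntpd’s ntp_request.h.

```python
"""Recognise NTP mode 7 monlist traffic on the wire.

Added example, not Prolexic's or the article's code. It parses the 8-byte
header of NTP "private" (mode 7) packets, flags MON_GETLIST / MON_GETLIST_1
requests and responses, and totals how much a reflector answered versus what
it was asked, which is what an IDS rule or flow analyser needs to spot a server
being used as an amplifier. Packet bytes below are constructed; the field
layout follows ntp_request.h from the reference ntpd implementation.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

NTP_MODE_PRIVATE = 7          # mode 7: the ntpdc "private" control protocol
IMPL_XNTPD = 3                # implementation number used by ntpd
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}
MONLIST_ITEM_SIZE = 72        # bytes per entry in a MON_GETLIST_1 response


@dataclass(frozen=True)
class Mode7Header:
    response: bool        # set on replies from the server
    more: bool            # set when further response packets follow
    version: int
    auth: bool
    sequence: int         # fragment number within a multi-packet response
    implementation: int
    request_code: int
    error: int
    item_count: int       # number of data items carried in this packet
    item_size: int
    length: int           # total UDP payload length


def parse_mode7(payload: bytes) -> Optional[Mode7Header]:
    """Return the decoded header, or None if this is not a mode 7 packet."""
    if len(payload) < 8:
        return None
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != NTP_MODE_PRIVATE:
        return None           # ordinary time sync (modes 3/4) or mode 6 control
    return Mode7Header(
        response=bool(rm_vn_mode & 0x80),
        more=bool(rm_vn_mode & 0x40),
        version=(rm_vn_mode >> 3) & 0x07,
        auth=bool(auth_seq & 0x80),
        sequence=auth_seq & 0x7F,
        implementation=impl,
        request_code=req,
        error=err_nitems >> 12,
        item_count=err_nitems & 0x0FFF,
        item_size=mbz_itemsize & 0x0FFF,
        length=len(payload),
    )


def is_monlist(hdr: Optional[Mode7Header]) -> bool:
    """True for a monlist request or any fragment of a monlist response."""
    return (hdr is not None and hdr.implementation == IMPL_XNTPD
            and hdr.request_code in MONLIST_CODES)


def summarize_flow(payloads: Iterable[bytes]) -> Dict[str, float]:
    """Account for one client<->server pair: requests sent, bytes returned, ratio."""
    stats = {"requests": 0, "responses": 0, "request_bytes": 0,
             "response_bytes": 0, "addresses_disclosed": 0}
    for p in payloads:
        hdr = parse_mode7(p)
        if not is_monlist(hdr):
            continue
        if hdr.response:
            stats["responses"] += 1
            stats["response_bytes"] += hdr.length
            stats["addresses_disclosed"] += hdr.item_count   # one entry per recent peer
        else:
            stats["requests"] += 1
            stats["request_bytes"] += hdr.length
    stats["amplification"] = (stats["response_bytes"] / stats["request_bytes"]
                              if stats["request_bytes"] else 0.0)
    return stats


def build_response(items: int, more: bool, seq: int) -> bytes:
    """Constructed MON_GETLIST_1 reply fragment: 8-byte header + 72-byte entries."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | NTP_MODE_PRIVATE
    header = struct.pack("!BBBBHH", rm_vn_mode, seq, IMPL_XNTPD, 42,
                         items, MONLIST_ITEM_SIZE)
    return header + bytes(items * MONLIST_ITEM_SIZE)   # entry contents irrelevant here


# The 8-byte MON_GETLIST_1 probe followed by three constructed reply fragments
# of six entries each; a full 600-entry list would need 100 such fragments.
SAMPLE_FLOW = [bytes.fromhex("17 00 03 2a 00 00 00 00"),
               build_response(6, True, 0),
               build_response(6, True, 1),
               build_response(6, False, 2)]

if __name__ == "__main__":
    print(summarize_flow(SAMPLE_FLOW))
```

On the server side the fix is to stop answering mode 7 queries (restrict default noquery, or disable monitor, in ntp.conf) or to run ntpd 4.2.7p26 or later, which no longer implements monlist.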
Researchers looking into the recently uncovered Turla, or Snake, cyber espionage campaign have discovered some similarities connecting it to older pieces of malware such as Agent.btz, the worm that several years ago infected U.S. military networks and eventually caused the Department of Defense to ban the use of USB drives. However, there is not enough evidence to suggest that the two pieces of malware were created by the same authors, researchers say.
Reports last week detailed the Turla malware’s infection of networks belonging to U.S. government agencies as well as some targets in Ukraine, the U.K. and some other European countries. The malware hides on infected systems, steals data and sends it off to a remote server, much like other cyber espionage tools. Turla seems to have been written by Russian-speaking authors, like Agent.btz and the Red October cyber espionage malware. Turla also uses the same XOR key and log file names as Agent.btz, suggesting a strong link between the two.
However, the details of the Agent.btz attack have been known publicly for six years now, including the specific log file names, and even the XOR key, which was published in 2008 when the attack was discovered. Agent.btz, unlike Turla, was a self-replicating worm; it infected U.S. military networks and had the ability to jump to USB drives connected to compromised machines. After the attack was discovered and remediated, the Department of Defense prohibited the use of USB drives on its networks. Both Turla and Agent.btz have files with identical names, and Red October and Turla both use a file called “thumb.dd”.
With all of that detail known publicly, researchers say that there is not enough evidence to say conclusively that Turla is directly connected to Agent.btz or Red October.
“We cannot make such a conclusion based only on the listed facts”, said Aleks Gostev, Chief Security Expert at Kaspersky Lab. “All the information used by developers was publicly known – at least by the time of Red October and Gauss/Flame creation. First of all, it wasn’t a secret that Agent.btz used ‘thumb.dd’ as a container file to collect information about infected systems.
“Secondly, the XOR key used by developers of Turla and Agent.btz to encrypt their log files was also published in 2008. It’s unknown since when this key was first used in Turla, but we see it for sure in the latest samples of the malware (created in 2013-2014). At the same time, there is some data that Turla’s development started in 2006 – before any known sample of Agent.btz. Which leaves the question open.”
Researchers at Kaspersky Lab, who uncovered the Red October cyber espionage campaign, said that it’s possible that the malware was programmed to scan for the “thumb.dd” file on infected machines in order to steal whatever data the file contained. Red October was a highly specialized tool designed to infect specific systems and steal data. Gostev said that there also are some similarities between the Flame and Gauss malware and Agent.btz, including some similar naming conventions. A possible explanation, he said, is that the authors of Flame and Gauss were familiar with the analysis of Agent.btz and adopted some of the same techniques.
“Summarizing all the above, it is possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties. Were the people behind all these programs all the same? It’s possible, but the facts can’t prove it,” Gostev said in his analysis of the Turla connection to other malware.
The open-source content management framework Joomla pushed out version 3.2.3 of its product last week, fixing a SQL injection zero-day vulnerability that could have let attackers steal information from databases or insert code into sites running the CMS.
While little is being disclosed by Joomla, according to a security notice on its site the problem carried a high severity rating and affected versions 3.1.0 through 3.2.2 of the CMS before being patched on Thursday.
According to researchers at security firm Sucuri the SQL injection vulnerability may be linked to an exploit discovered last month involving the weblinks-categories id parameter, which was “not escaped properly,” according to Sucuri’s CTO Daniel Cid. Cid goes on to reference the exploit-db.com description, writing that the vulnerability “seems very easy to exploit.”
Another write-up of the vulnerability, over at scip VulDB, claims the problem is not only easy to exploit but also that it can be launched remotely and without authentication.
“Affected by this issue is an unknown function of the file /index.php/weblinks-categories. The manipulation of the argument id with the input value 0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20–%20%29 leads to a sql injection vulnerability. Impacted is confidentiality, integrity, and availability,” reads part of the vulnerability summary.
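An added example, not Joomla’s code, that runs the id value quoted above against the two patterns at issue: the vulnerable one, which pastes the request parameter into the SQL text, and the fixed one, which casts the value to an integer and binds it. It uses an in-memory SQLite database with a constructed schema in place of Joomla’s MySQL tables.

```python
"""The weblinks-categories id, unescaped versus bound as a parameter.

Added example, not Joomla's code. A throwaway SQLite database stands in for
Joomla's MySQL schema (same k59cv_ table prefix as the payload quoted on the
page), so the quoted input can be run against both the vulnerable pattern
(request value pasted into the SQL string) and the fixed pattern (value cast
to an integer and bound). Table layout and the stored hash are constructed.
"""
import sqlite3
from typing import List
from urllib.parse import unquote

# URL-encoded id value from the scip VulDB summary quoted on the page.
PAYLOAD = "0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the two Joomla tables the payload touches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE k59cv_weblinks_categories (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO k59cv_weblinks_categories VALUES (1, 'Partners'), (2, 'Tools');
        CREATE TABLE k59cv_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO k59cv_users VALUES (42, 'admin', '$2y$10$constructedhashvalue');
    """)
    return db


def category_titles_unescaped(db: sqlite3.Connection, raw_id: str) -> List[str]:
    """Vulnerable pattern: the request parameter is interpolated into the SQL text."""
    sql = "SELECT title FROM k59cv_weblinks_categories WHERE (id = %s)" % raw_id
    return [row[0] for row in db.execute(sql)]


def category_titles_bound(db: sqlite3.Connection, raw_id: str) -> List[str]:
    """Fixed pattern: coerce to int (rejecting anything else) and bind the value."""
    category_id = int(raw_id)          # raises ValueError for the injected string
    sql = "SELECT title FROM k59cv_weblinks_categories WHERE (id = ?)"
    return [row[0] for row in db.execute(sql, (category_id,))]


if __name__ == "__main__":
    db = make_db()
    decoded = unquote(PAYLOAD)
    print("decoded id:", decoded)
    print("unescaped query returns:", category_titles_unescaped(db, decoded))
    try:
        category_titles_bound(db, decoded)
    except ValueError as exc:
        print("bound query rejected the input:", exc)
```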
On the release announcement for version 3.2.3 Joomla’s Production Leadership Team writes that its goal is to provide “regular, frequent updates,” to Joomla.
The fact that it took over a month to fix surprised Cid however.
“What really shocked us is that Joomla took almost a month to release a patch for it.” Cid told PCWorld yesterday.
The Joomla update, which developers are encouraging users to apply immediately, also addresses two medium severity core XSS vulnerabilities that likewise stem from “inadequate escaping,” along with an inadequate-checking problem that allowed unauthorized logins via Joomla’s Gmail login module.
Joomla was last forced to patch a zero day last August after attackers were spotted abusing sites running Joomla or WordPress, taking them over and redirecting users to the Blackhole Exploit Kit.
At the time it discovered the vulnerability, security firm Versafe reported that 57 percent of the attacks it had seen that year came from sites hosted on Joomla’s CMS.
UPDATE: a previous version of this story mistakenly stated that Microsoft’s March patch Tuesday would be the last one providing support for Windows XP. Windows XP’s last patches will in fact be shipped with next month’s patch Tuesday release.
Microsoft has finally pushed a fix for a stubborn and widely publicized Internet Explorer zero day vulnerability known to have been exploited in a number of recent attacks targeting the website of Veterans of Foreign Wars, a French aeronautical firm, and at least three other sites.
This fix is part of Microsoft’s March edition of Patch Tuesday, a five bulletin affair resolving some 23 vulnerabilities of varying severity.
The top priority this month is – of course – the cumulative update to IE. This bulletin resolves one publicly disclosed bug and 17 privately disclosed ones. On unpatched systems, these vulnerabilities could give an attacker the ability to remotely execute code if a user is compelled to visit a maliciously crafted website. Upon successful exploitation, the attacker would achieve the same rights as the victim. As always, individuals with more privileges would be more impacted by these bugs.
Among this group of vulnerabilities is the now-notorious IE zero day, which is precisely why this bulletin should be considered the highest priority for installation this month. Qualys CTO Wolfgang Kandek noted in an email to Threatpost that – if it weren’t for the zero day fix – one would likely consider this an uneventful patch cycle.
The second critically rated bulletin – also of high installation priority according to Kandek – resolves an issue in Microsoft DirectShow, a Windows-based API for streaming media content. This privately reported vulnerability could allow remote code execution if a user opens a specially crafted image file. Upon exploitation, the attacker would have the same rights as the user.
The few remaining important bulletins resolve two elevation of privilege bugs in the Windows kernel-mode driver, a security feature bypass flaw in the Windows Security Account Manager Remote (SAMR) protocol, and another security feature bypass problem in Microsoft Silverlight.
As a side note, this Patch Tuesday release pushes us one month closer to the end of an era: after April’s Patch Tuesday release, Microsoft will no longer provide security fixes for its more-than-a-decade-old and once-ubiquitous XP operating system. It’s well known that XP has for some time been marred by security vulnerabilities. Despite this, the operating system still commands 29.53 percent of the market, according to the market share statistics firm Net Marketshare.
“All of today’s bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will apply also to Windows XP, but IT admins won’t have access to patches for these problems anymore,” says Kandek. “This will make any Windows XP machine an easy target for attackers, and within a few weeks, new tools will be developed that make these exploits widely available.Your best choice is to migrate away from Windows XP to a newer version of the operating system.”
Kandek cites different figures than Net Marketshare, claiming that his scans suggest XP commands 14 percent of the operating system market. Whichever figure is most accurate – and 15 percentage points is a rather large gulf – entirely too many organizations and individuals are still running the archaic operating system, and things are only going to get worse for those people.
Attackers have increased their exploitation of an Internet Explorer zero day vulnerability (CVE-2014-0322) set to be fixed by Microsoft in its regularly scheduled patch Tuesday release later this afternoon.
According to a Websense report, the exploit source code deployed in at least two incidents – one targeting a French aerospace manufacturer and another targeting the website of Veterans of Foreign Wars – appears to have been made public. This publication and the subsequent addition of the zero-day to popular crimeware kits seems to have spurred the uptick, at least in part. As Websense notes, once exploit code like this goes public, generating attacks using it is essentially as easy as “copy and paste.”
Another factor contributing to the IE zero day vulnerability’s increased exploitation is likely the sheer amount of press it received, especially after researchers announced they would demonstrate a total bypass of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) at CanSecWest in Vancouver this week. This EMET bypass is both relevant and significant because the Redmond, Wash., computer giant urged its customers to install and run EMET as a temporary mitigation against this very same zero-day.
In addition to the two websites listed above, Websense reports that three others have been targeted using the same bug: hatobus[dot]co[dot]jp, a Japanese travel site hosted in Tokyo; english[dot]com[dot]tw, the site of a Taiwanese English school hosted in San Antonio, Texas; and chemistry[dot]hku[dot]hk, a Hong Kong University Chemistry Department website hosted in Hong Kong.
It all began with a typo-squatted variety of giffo[dot]asso[dot]fr, the website of the French aerospace company. The attackers set up giffo[dot]assso[dot]net and hosted a malicious iframe there that led to another part of the same domain where the exploit was actually located.
Once this attack began garnering media attention, other criminals began copying it, deploying the same code on different lure sites with different payloads.
Both other attacks were essentially copycats as well. Interestingly, in the case of the Taiwanese English school, the exploit was rather flagrantly hosted on the homepage of that website. The Hong Kong University Chemistry Department attack deployed redirecting iframes similar to those in the other incidents.
“It’s evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries,” wrote Websense’s Elad Sharf. “We could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it “evolved” in scale: starting from being utilized on a cybersquatted lure website used in a low-volume and selected “under the radar” targeted attacks to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware.”
Despite everything that has transpired in the last year, Edward Snowden sounded calm, reflective and in some ways wistful yesterday discussing the fallout and consequences of the multitude of NSA programs and methods he’s revealed. Snowden bemoaned the fact that the NSA specifically and the intelligence community in general have shifted their focus to offensive operations, implying that defense should be the focus. But now that those agencies have the tremendous offensive powers they’ve accumulated in the last decade, they’re never giving them back.
Whatever your feelings are about Snowden, listening to him speak about why he did what he did, what he hoped to accomplish and how he feels about the public reaction is informative. He spoke Monday for about an hour from an undisclosed location in Moscow and, while he touched on many subjects, Snowden returned several times to the idea that the NSA and other government agencies have hijacked the Internet for their own purposes, all in the name of protecting us from…something.
“The result has been an adversarial Internet, a global free-fire zone for governments. This is a global issue. They’re setting fire to the Internet,” Snowden said during a discussion at the South By Southwest conference.
In one sense he’s correct. Governments around the world are indeed using the Internet as a platform for offensive operations against foreign governments, terrorist groups and, in some cases, their own citizens. They’re hoarding zero-day vulnerabilities, developing sophisticated malware and building entire catalogs of hardware tools that can compromise every conceivable communications platform. Those are simply the facts. And the NSA is at the forefront of these operations. One part of the agency’s mission is to conduct offensive cyber operations against foreign targets, and the NSA is as good as it gets in that game.
“If you’re a target of the NSA, it’s game over no matter what,” said Chris Soghoian of the ACLU, who participated in the Snowden discussion.
That’s the part of the NSA’s mission that Snowden’s disclosures have centered on, the amazing technical capabilities and the large-scale surveillance programs. But Snowden said Monday that one of the big problems at the agency, where he worked as a contractor, is that the focus on offense has come at the expense of defense, which is the second half of the NSA’s mission. The agency is charged with defending the country’s electronic communications against foreign intruders, but Snowden argues that NSA Director Gen. Keith Alexander and his predecessor, Michael Hayden, made a conscious choice to minimize that mission in the years after 9/11.
“It was Michael Hayden and Keith Alexander in the post-9/11 era who made a very specific change. They elevated offensive operations over the defense of our communications,” he said. “This is a problem because America has more to lose than anyone else when an attack succeeds. It doesn’t make sense for you to be attacking all day and never defending your vault.”
But what Snowden didn’t say is that it was Congress who continued to hand new capabilities to the NSA–indeed it was eager to do so as part of the massive ramp-up of anti-terror programs after 2001. The Section 215 metadata and Section 702 intelligence-gathering provisions in the Foreign Intelligence Surveillance Act and USA PATRIOT Act, respectively, have given the NSA unprecedented ability to vacuum up massive amounts of data, and advances in technology have provided the capability to store and search that data for decades to come. And the deep bench of technical talent the agency has amassed has given it the ability to develop a wish list of spy tools, exploits and implants to do the targeted work that mass surveillance doesn’t accomplish.
Given those abilities, and more importantly, the legal authority to use them, the NSA is, of course, going to do so. If you have a Ferrari, you don’t leave it sitting in the garage, you drive the hell out of it. Technology advances, regardless of our desire for it to slow down sometimes, and, as Bruce Schneier often says, attacks only get better, not worse. And the NSA is the apex predator of this environment. The agency hasn’t abandoned its defensive mission, not by a long shot, but offense is sexy and provides tangible results to show the higher-ups.
Offense is the present and it’s also the future. And, to borrow a phrase, the future will retire undefeated.
Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities, in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.0.6 to fix the SSL certificate validation error.
Unlike that release, which fixed just the one vulnerability, significant though it was, iOS 7.1 is a major security release containing patches for a large number of vulnerabilities in a bunch of different components. Webkit, the framework underlying Safari, got a major security upgrade in iOS 7.1, with Apple fixing 19 separate memory corruption issues. Nearly half of those vulnerabilities were discovered by the Google Chrome security team, and many of the 19 bugs were identified last year.
Among the code-execution vulnerabilities patched in the new release are a pair of buffer overflows in ImageIO, a library that enables the reading and writing of multiple image formats. Apple also fixed a code-execution flaw in the kernel caused by an out of bounds memory access issue in the ARM ptmx_get_ioctl function. There also is a fix for a vulnerability in the way that Office Viewer handled certain Microsoft Word documents.
Along with the more serious code-execution bugs, Apple also pushed out a fix for a vulnerability in the iTunes Store that could allow an attacker to trick a user into downloading a malicious app from the store.
“An attacker with a privileged network position could spoof network communications to entice a user into downloading a malicious app. This issue was mitigated by using SSL and prompting the user during URL redirects,” Apple said in its advisory.
There were patches for several other less-serious vulnerabilities, as well. The full list of fixes is included in the Apple advisory.
An ongoing investigative report has revealed that a man posing as a private investigator may have compromised millions of Americans’ personal and financial records from 2007 to 2013.
The news is the latest fallout from last year’s discovery that Experian, one of the “big three” national credit reporting agencies, indirectly sold consumer data to a Vietnamese national, Hieu Minh Ngo, 24, who was masquerading as a Singapore-based P.I.
Ngo pleaded guilty last week and Krebs on Security reporter Brian Krebs, who has been following the story since last year, acquired a transcript of his guilty plea proceedings, according to a post on his blog today.
According to those proceedings (.PDF) Ngo peddled that data through ID theft websites, giving more than 1,300 customers access to a cache of personally identifiable information (PII) belonging to 200 million Americans, including addresses, previous addresses, phone numbers, email addresses, dates of birth, along with the coup de grâce, their Social Security numbers.
Ngo’s customers ponied up around $1.9 million for about 3.1 million queries on Americans over the course of 18 months. The corresponding database, owned by Ohio-based U.S. Info Search, contained the information on 200 million U.S. citizens.
We learned the basics about the case back in October: Experian-owned entity Court Ventures, an aggregator of electronically available public records data, had a deal worked out with a third-party group, U.S. Info Search, that gave both firms complete access to each other’s databases. Using regular cash wire transfers from a bank in Singapore, Ngo was able to secure monthly access to that database.
While it’s unclear exactly how many Americans may have had their information compromised, Krebs theorizes that since each query exposed multiple records, information about a staggering number of citizens, perhaps as many as 30 million records, may have been divulged.
“At this point the government does not know how many U. S. citizens’ PII was compromised, although that information will be available in the near future,” U.S. Attorney Arnold H. Huftalen told Judge Paul Barbadoro in a U.S. District Court in New Hampshire last Monday, according to the report.
Huftalen goes on to add that because Ngo sold the information via identity theft websites, where customers could pull up records merely by typing in the name of an individual and a state, it is much more difficult to get an exact number of those at risk.
Ngo sold customers “fulls,” essentially batches of the information previously described, but also portioned out access to limited bits of information. Ngo charged individuals via Liberty Reserve, a Costa Rica-based currency service.
According to a U.S. Secret Service-led investigation, all of Ngo’s customers claimed they intended to “engage in criminal fraud,” and the government believes the “fulls” were used by carders, criminals who buy, sell, and trade stolen credit card data online, to take over identities, engage in bank, credit card and ATM fraud, and file fake U.S. personal income tax returns.
Experian hasn’t said much about the case, citing an ongoing federal investigation, but as Krebs notes, in a December hearing the company’s Senior Vice President of Government Affairs Tony Hadley did acknowledge the incident, stressing that the company didn’t find out until the U.S. Secret Service informed it.
“We were a victim, and scammed by this person,” Hadley told Missouri Senator Claire McCaskill at the time.
Hadley later indirectly admitted that the company knows that customers have had their identity stolen but still went on to downplay the incident, adding that “there’s been no allegation that any harm has come.”