Saturday, January 21, 2012

LOIC used to run the largest cyber attack ever

We've just seen the largest cyber attack ever done. As you probably already know Anonymous put down government sites (FBI, Department of Justice) and music industry sites in response to a federal raid on the file sharing service Megaupload. 

I want to focus here about the methodology used to run the attack. 

The attach was run using an application called LOIC ( Low Orbit Ion Cannon) that is specifically designed to launch Distributed Denial of Service (DDoS) attacks on websites. Any PC having installed a client of LOIC may be managed from a central user to run a massive attack against a unique target. Basically we could have thousands of users run LOIC generating TCP/UDP/HTTP request towards a website making it unavailable to process anything. 

It is not the same as being part of a botnet since in this case we assume that the PC has been infected with a virus or malware in an undetected way. Equipping a PC with a LOIC client is more typically a aware behavior even if it could happen that some people don't realize what they are really doing.

So, how Anonymous managed to create a huge network of LOIC clients available for its purpose ? Here you can find a video that tell you everything about it 

Friday, January 13, 2012

Android vs IOS security

Veracode published an "infographic" regarding Android VS IoS security that is very nice and full of useful advices. So I also propose it to my readers !

I anticipate you that at the end of the picture it is reported a judgment attributed to Symantec that, right now, the mobile platform is still much more secure than their counterpart PC. 

I generally agree with that but, nevertheless, if you are acting in an Enterprise as CIO or CISO there are so many challenges coming from the deployment of smartphone/tablet into your network you must not let your guard down. 

I've deeply discussed this kind of challenges in previous posts of mine, but I mainly refer to those issues coming from using a personal smartphone/tablet as a work tool. It's something that is becoming the master way for most of the people I know and unfortunately this exposes the corporate network and data to relevant risks. 

So independently from the fact that actually attacks and malwares regarding the mobile devices are not comparable in terms of numbers to the ones regarding the PC world, I can briefly summarize that 

- consumers need to adopts precautions (such as the ones suggested in the infographics down here) to avoid leakage of personal data or payment of unsubscribed premium rate services

- enterprises need to integrate their device & security management framework to guarantee that smartphone/tablet adoption and trends such as BYOD don't impact their security risk profile

Tuesday, January 10, 2012

Hacking smart meter

Smart Meter

Smart grid security is a hot topic in the prediction of security issues for 2012. I've found an interesting video about hacking smart metering coming from the "Chaos Communication Congress". 

It illustrates how it is possible to expose consumer privacy if authentication and encription are not effectively in place. For example the researchers were able to demonstrate that it is possibile to manipulate the data going to the service provider simulating a negative consumption and even the TV movie being watched ! 

28th Chaos Communication Congress
Behind Enemy Lines
Dario Carluccio
Stephan Brinkhaus
DayDay 4 - 2011-12-30
RoomSaal 2
Start time16:00
Event typeLecture
Language used for presentationEnglish

Smart Hacking For Privacy

Advanced metering devices (aka smart meters) are nowadays being installed throughout electric networks in Germany, in other parts of Europe and in the United States. Due to a recent amendment especially in Germany they become more and more popular and are obligatory for new and refurbished buildings.
Unfortunately, smart meters are able to become surveillance devices that monitor the behavior of the customers leading to unprecedented invasions of consumer privacy. High-resolution energy consumption data is transmitted to the utility company in principle allowing intrusive identification and monitoring of equipment within consumers' homes (e. g., TV set, refrigerator, toaster, and oven) as was already shown in different reports.
This talk is about the Discovergy / EasyMeter smart meter used for electricity metering in private homes in Germany. During our analysis we found several security bugs that range from problems with the certificate management of the website to missing security features for the metering data in transit. For example (un)fortunately the metering data is unsigned and unencrypted, although otherwise stated explicitly on the manufacturer's homepage. It has to be pointed out that all tests were performed on a sealed, fully functionally device.
In our presentation we will mainly focus on two aspects which we revealed during our analysis: first the privacy issues resulting in even allowing to identify the TV program out of the metering data and second the "problem" that one can easily alter data transmitted even for a third party and thereby potentially fake the amount of consumed power being billed.
In the first part of the talk we show that the analysis of the household’s electricity usage profile can reveal what channel the TV set in the household is displaying. We will also give some test-based assessments whether it is possible to scan for copyright-protected material in the data collected by the smart meter.
In the second part we focus on the data being transmitted by the smart meter via the Internet. We show to what extent the consumption data can be altered and transmitted to the server and visualize this by transmitting some kind of picture data to Discovergy’s consumption data server in a way that the picture content will become visible in the electricity profile. Moreover, we show what happens if the faked power consumption data reflects unrealistic extreme high or negative power consumptions and how that might influence the database and service robustness.