Friday, 25 April 2014

Anonymous Cambodia Isn’t Giving Up After the Arrest of Two Members

Anonymous Cambodia defacement page  
 Anonymous Cambodia defacement page
Earlier this week, we learned that two members of Anonymous Cambodia were arrested. Other hacktivists have announced their plans to attack Cambodian government websites in response to the arrests.

The suspects are Bun King Mongkolpanha, aka “Black Cyber” or “Machine,” and Chu Songheng, aka “Zoro.” They’re both 21 and students at the SETEC Institute in Phnom Penh. Mongkolpanha has reportedly admitted hacking websites, but Songheng said he was only trying to learn how to hack.

They were arrested on April 7 after an eight-month investigation by local authorities and the US Federal Bureau of Investigation. The suspects face up to two years in prison for hacking and disrupting numerous government websites.

We’ve attempted to get in touch with the individual behind the Anonymous Cambodia Twitter account, but the account has been inactive since news of the arrests broke. However, in the meantime, Anonymous Cambodia has set up a new Facebook page where they’ve announced their plans.

The hacktivists have published several messages written in Khmera. They claim that they have a lot of supporters that will help them launch attacks until the arrested individuals are released. It’s worth noting that their Facebook page already has over 12,000 likes.

The list of targets includes a number of websites belonging to private organizations, but also ones belonging to the Cambodian government and the national police. The hackers have already leaked some data and they’ve published a video to show their supporters how to launch distributed denial-of-service (DDOS) attacks.

The hacktivists say the arrest of two members doesn’t stop them from continuing their operations against the government.

“You arrested only two of us, but still we can continue our work and will be stronger than before. Ten times to 1,000 times and 10,000 times. It will never end,” they wrote on Facebook.

It’s Insanely Easy to Hack Hospital Equipment

Photo: Getty Images
Photo: Charles Thatcher/Getty Images
When Scott Erven was given free rein to roam through all of the medical equipment used at a large chain of Midwest health care facilities, he knew he would find security problems–but he wasn’t prepared for just how bad it would be.
In a study spanning two years, Erven and his team found drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.
Erven’s team also found that, in some cases, they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.
“Many hospitals are unaware of the high risk associated with these devices,” Erven says. “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”
Erven works as head of information security for Essentia Health, which operates about 100 facilities–including clinics, hospitals and pharmacies–in Minnesota, North Dakota, Wisconsin and Idaho. Essentia decided to open its facilities to a full-scale evaluation in 2012, and in a remarkable and laudable move, allowed Erven to publicly reveal some of his findings.

“Many hospitals are unaware of the high risk associated with these devices.”
—Scott Erven
Erven won’t identify specific product brands that are vulnerable because he’s still trying to get some of the problems fixed. But he said a wide cross-section of devices shared a handful of common security holes, including lack of authentication to access or manipulate the equipment; weak passwords or default and hardcoded vendor passwords like “admin” or “1234″; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network.
Although Erven and his team don’t know whether any of these devices are connected directly to the internet–they plan a subsequent test to determine this–many of them are connected to internal networks accessible via the internet. Hackers could gain access to the devices by infecting an employee’s computer via a phishing attack, then exploring the internal network to find vulnerable systems. A hacker who happens to be in the hospital could also simply plug his laptop into the network to discover and attack vulnerable systems.
“There are very few [devices] that are truly firewalled off from the rest of the organization,” he says. “Once you get a foothold into the network … you can scan and find almost all of these devices, and it’s fairly easy to get on these networks.”

Everything Was Tested, And Most Of It Was Hackable

Erven, who plans to present some of his findings today at Thotcon in Chicago, began his research after a security consultancy performing a penetration test on an Essentia Health network discovered some devices connected to the network that had security issues. This, combined with previous research done by other security experts showing problems with insulin pumps, defibrillators and hardcoded passwords in medical devices, prompted Essentia to take an extensive look at all of its equipment.
“We had management backing to see what our risk exposure is across all health care systems,” he says. “We tested every single device in our environment–various radiology stuff and MRIs, ultrasound and mammography systems, cardiology, oncology. We tested all of our lab systems, surgery robots, fetal monitoring, ventilators, anesthesia.”
One of the main problems they found lay with embedded web services that allow devices to communicate with one another and feed digital data directly to patient medical records.
“A lot of the web services allow unauthenticated or unencrypted communication between the devices, so we’re able to alter the info that gets fed into the medical record … so you would get misdiagnosis or get prescriptions wrong,” he says. “The physician is taught to rely on the information in the medical records … [but] we could alter the data that was feeding from these systems, due to the vulnerabilities we found.”
Erven says an attacker can collect data passing from medical devices to patient records, then replay it so that the same data gets passed into other records.
They also found problems with refrigeration systems for blood and pharmaceutical storage and cryogenics that aren’t protected.
“They all have a web interface that allow you to set the temperature range,” he says. Although he says the systems include email alerts and wireless pagers that notify lab and hospital staff if the temperature falls outside certain boundaries, the systems are only protected by hardcoded passwords, and once in the system, an attacker can turn off the email pager notification features or alter the settings to change when an alert is sent.
Storage systems for X-rays and other images were equally vulnerable. Erven says the images are generally backed up in centralized storage units that require no authentication to access. While some of the front-end systems that physicians and other staff use to access the images do use hardcoded passwords and log who accesses the images, Erven says the backup is completely unprotected “and there is no logging if you go in the backdoor way and grab those images.”
They also found surgery robots connected to internal networks. Although the robots generally have software firewalls to block connections to them, Erven and his team found that simply running an off-the-shelf vulnerability scanner against the firewall caused it to turn off and fail open.
“But we haven’t figured out yet what we can do once those fail open,” he says.

The Worst Problems

Some of the most disturbing problems they found involved infusion pumps, ICDs (implantable cardiovascular defibrillators that deliver shocks to a patient who shows signs of going into cardiac arrest) and CT scans. They found a number of infusion pumps that have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems are not password-protected, while others have hardcoded passwords that are weak and universal to all customers.
With the CT scan, they could alter configuration files and change radiation exposure limits that set the amount of radiation patients receive.
Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.
That’s not the case with implantable defibrillators, however, which could be targeted.
“We found a couple of defibrillator vendors that use a Bluetooth stack for writing configurations and doing test shocks [against the patient] when they’re implanted or after surgery,” he says. “They have default and weak passwords to the Bluetooth stack so you can connect to the devices. It’s a simple password like an iPhone PIN that you could guess very quickly.”
A fictional defibrillator attack had a prominent role in an episode of the TV show Homeland in 2012 but the risks of such an attack are real. Physicians for former Vice President Dick Cheney had the wireless capability of his defibrillator disabled in 2007 to prevent terrorists from conducting such an attack to kill him.
Although the picture of hospital equipment that Erven and his team uncovered was gloomy, there was one bright spot among all the bad news — anesthesia equipment and ventilators are generally not networked and don’t allow web administration, so someone would have to have physical access to the devices to alter them.

Hospitals Are Unaware of the Dangers

Erven says that the health care industry is just now waking up to the security problems with medical equipment, and that the problems exist because medical equipment has only ever been regulated for reliability, effectiveness and safety, not for security.
“The vendors don’t have any types of security programs in place, nor is it required as part of pre-market submission to the [Federal Drug Administration],” Erven notes. “There’s no security assessment before it goes to market.”
Last spring, the FDA and DHS issued a notice to the health care industry about problems with hard-coded passwords in medical devices after two researchers found them in about 300 medical devices, including ventilators, pumps, defibrillators and surgical and anesthesia devices.
The alert advised health care facilities to examine their systems for problems and put controls in place to protect them from unauthorized users. But Erven says health care facilities can only do so much to wall-off devices; vendors must do more to secure the devices with encryption and authentication before they sell them to customers and fix the ones that are already in the field. FDA guidelines for medical devices now place the onus on vendors to ensure that their systems are secure and patched, and customers should demand they do so.
Although vendors often tell customers they can’t remove hard coded passwords from their devices or take other steps to secure their systems because it would require them to take the systems back to the FDA for approval afterward, Erven points out that the FDA guidelines for medical equipment includes a cybersecurity clause that allows a post-market device to be patched without requiring recertification by the FDA.

FBI informant linked to foreign website hacking: Report

 FBI informant linked to foreign website hacking: Report

A hacker who became an informant for the Federal Bureau of Investigation (FBI) directed hundreds of cyber attacks against the websites of foreign governments, including Brazil, Iran, Pakistan, Syria and Turkey; the New York Times reported today.

It was unclear whether the FBI explicitly ordered the digital attacks, but court documents and interviews suggest ”that the government may have used hackers to gather intelligence overseas,” the Times wrote.

The figure at the centre of the case is Hector Xavier Monsegur, who had become a prominent hacker with the activist group Anonymous, which has staged cyber assaults on MasterCard, PayPal and other commercial and government targets.

Monsegur was arrested by the FBI and became an informant, helping the law enforcement agency identify other members of

Monsegur instructed a fellow hacker, Jeremy Hammond, to extract data from a long list of foreign government websites. And then that information which included bank records and login details was uploaded to a server “monitored” by the FBI, the Times reported, citing court papers.

The vast target list for hacking added up to more than 2,000 Internet domains, including the Polish Embassy in Britain and the electricity ministry in Iraq, according to an uncensored court document cited by the Times.

Monsegur and Hammond had previously worked together to sabotage servers for Strafor Global Intelligence, an intelligence consultant firm based in Austin, Texas.

“After Stratfor, it was pretty much out of control in terms of targets we had access to,” Hammond told the Times in an interview from a federal prison in Kentucky, where he is serving a 10-year sentence for the Stratfor attack and other hacking.

Hammond said he and Monsegur learned of a vulnerability that could be exploited in web-hosting software called Plesk, which permitted back door access to thousands of websites.

A court sentencing statement said that Monsegur directed other hackers to pull data from Syrian government sites, including banks and various ministries, according to the Times.

“The FBI took advantage of hackers who wanted to help and support the Syrian people against the Assad regime, who instead unwittingly provided the US government access to Syrian systems,” said the court statement quoted by the Times.

Monsegur’s location is unknown and his sentencing hearing has been delayed repeatedly, fuelling speculation that he remains an informant for the US government, the Times wrote.

The report reinforces allegations that the US government has exploited flaws in Internet security to spy on foreign targets.

The FBI was not immediately available for comment.

EE and Three's voicemail systems hacked using number-cloning trick

With the phone hacking scandal still playing out in the courts, it should be safe to assume that UK mobile operators have put measures in place protect customers' own voicemail inboxes. Unfortunately, that's only half true. We know thanks to an investigation by The Register, which showed that two of the big four carriers had neglected to close a loophole that allows nefarious third-parties to spoof a customer's phone number and immediately gain access to their voicemails. Those two companies? EE and Three.
Armed with a target's phone number and VoIP calling system, researchers were able to trick both carriers' voicemail systems into believing a call originated from one of their SIMs. Attempts to hack into Vodafone and O2, however, were unsuccessful. Vodafone blocked attempts with PIN requests, while O2's systems always timed out. When pressed about the issue, Three simply pointed to the voicemail security pages on its website and warned users to set a PIN (which isn't enforced by default). EE immediately set about fixing the flaw and sent out an announcement just a few hours later telling customers it had "patched the issues raised in the article." The company said it also plans to run "a full review of all [its] voicemail platforms," to head off any future issues.

Mozilla offers $10,000 bug bounty to avoid Heartbleed-style code errors

Bag of money
Mozilla has unveiled a new $10,000 bug bounty programme to try and ensure that its Firefox browser does not contain any errors, in a bid to avoid any painful security flaws such as the recent Heartbleed and ‘go to fail’ bugs.
The firm said in a blog post that it is looking for people to help it uncover errors before it pushes out in a new certificate verification library, to be included in Firefox 31 at the end of July.
Security researchers will have until the end of June to help spot any bugs and report them to the firm. Daniel Veditz, security lead at Mozilla, wrote: “As we’ve all been painfully reminded recently correct code in TLS [transport layer security] libraries is crucial in today’s internet and we want to make sure this code is rock solid before it ships to millions of Firefox users.
“To that end we’re excited to launch a special Security Bug Bounty program that will pay $10,000 for critical security flaws found and reported in this new code before the end of June.”
There are a number of criteria that bug hunters must adhere to in order to claim any reward. The vulnerability must:
•    Be in, or caused by, code in security/pkix or security/certverifier as used in Firefox.
•    Be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”).
•    Be reported in enough detail, including testcases, certificates, or even a running proof of concept server, that we can reproduce the problem.
•    Be reported to us by 11:59pm, 30 June 2014 (Pacific Daylight Time).
“We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption,” Veditz explained.
“Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP [online certificate status protocol] responses would be.”
Other security bugs can still be worth up to $3,000 under the firm's wider Security Bug Bounty scheme, Veditz added.
The move comes in the wake of several high-profile coding errors that have sent the tech community scrambling. The Heartbleed flaw revealed that the majority of the world's web servers were not secure and millions of users of major sites were at risk.
To counter this threat web giants such as Facebook, Google and IBM have joined forces with the Linux Foundation to work more closely on the open source tools they use, to try and ensure such a major issue does not happen again.

Chinese government sticks with Windows XP over ‘expensive’ Windows 8

China flag
The Chinese government has said Windows 8 is too expensive to be used as a replacement to Windows XP and is instead looking to patch millions of machines running the ancient operating system despite support ending earlier this month.
According to a report on Chinese state news agency Xinhua, National Copyright Administration deputy director Yan Xiaohong said the government was aware of the security issues posed by the use of Windows XP and was considering its next step.
"Security problems could arise because of a lack of technical support after Microsoft stopped providing services, making computers with XP vulnerable to hackers," he said.
"The government is conducting appraisal of related security products and will promote use of such products to safeguard users' information security.”
While Microsoft is hoping firms will use the end of XP to move to a new platform, such as Windows 7 or Windows 8, or the new 8.1 Update release, Yan said the costs involved for purchasing new hardware to run the Window 8 software made this unfeasible.
"Windows 8 is fairly expensive and will increase government procurement costs," he said. Windows 8 costs the equivalent in China of $142, Xinhua noted.
Several governments have had to pay a heavy price for not upgrading their systems from Windows XP before the end-of-support deadline. The UK government struck a £5.5m deal with Microsoft for an additional year of support, while the Dutch government was also forced to make a similar agreement.