Revenge Hacking is The New Black in the Cybercrime Underworld

Revenge hacking encompasses the expansive set of motivations behind cybercrime. Every victimized industry has seen some form of cyber-attack backed that links back to their own hostile actions or policies toward the attackers.

Motives range from low profile disgruntled ex-employees to self-publicizing groups like Anonymous providing occasional media updates about their attacks on ISIS cybertargets. Sovereign states have long been suspected of hacking behavior and even Vladmir Putin is reported to be in on the act. Sexual revenge or jealousy was behind the infamous theft of subscriber data from the dating site Ashley Madison, specifically set up to facilitate affairs involving married individuals.

The latest set story circles around the Buzzfeed hack that surfaced in retaliation for identifying an alleged Saudi Arabian member of the OneMore hacking group.

Revenge hacking is not confined to the “outlaws”. Corporations have occasionally felt the urge to strike back at their tormentors, which is probably illegal everywhere in the world. Sometimes it’s considered as a pre-emptive strike to ward off a perceived threat. However, taking out a target server that appears to be the source of a threat could be extremely ill-advised. That server could be a component of a public utility, hospital, municipal authority or anything really. Hackers can compromise a server and use it as a proxy for launching attacks originating from half way across the globe.

No network or website can prevent hacking attempts from taking place. Even brand new simple WordPress blog sites are not immune. Automated systems are constantly probing for easily cracked access credentials. Such systems cost practically nothing to run and represent the bottom end of the attack spectrum. Strong passwords represent the simple and obvious defense, easily available through free online password generators.

At the other end of the scale are what could be considered “professional hackers” and the criminal element. Technically minded individuals with varying degrees of talent but with time on their hands occupy the middle ground. Large corporations present a happy hunting ground because the bigger the IT infrastructure, the greater the number of attack surfaces to be explored and exploited. This is the constant battleground between the security experts and technologies that form the defensive zone, and the attackers.

There is no central record for collating data on thwarted hacking attacks. That makes it impossible to measure the success levels of the security defenses. Security teams are only as good as their last failure, as in many walks of life. However, despite the high-profile names of the victims, the count of those that have not yet suffered the same fate greatly outnumbers the number of victims.

Every new technology and every new online service is highly likely to contain security vulnerabilities. The incessant drive to deliver newer functionality to outstrip the competition will constantly expose weaknesses. New functionality means new systems being exposed. The reality is that the game is loaded in favor of the hackers, who only have to breach a security system once to reach the prize and the headlines.

Corporations will continue to spend on security measures because there is no other option if they are to remain ahead of the risk of attack. Add the unpredictable nature of motivation for revenge hacking and the element of surprise is added to the mix. The only unknown is the motive for the next high profile attack.

The Slow Pace of Linux Kernel Updates is a Frightening IoT Security Problem

When patching holes in your core security kernel takes upwards of three years on average from discovery to patch release, it obviously raises concerns. Add in the view of security analysts that the basic approach of the security design is outdated and not responsive when under attack, and the picture grows ever more worrisome. It is a very big scenario indeed when you consider the vast number of devices out there that are exposed to the hacking fraternity and which probably never receive OS updates ever.

Linux drives the majority of the world’s Internet-connected devices. Its open source nature provides a stark contrast to proprietary platforms such as iOS and Windows in the speed of bug fixing and patch development. The security aspects being highlighted in recent debates have a lower impact on servers housed in data centers than they do on exposed devices in the IoT world. The latter is the real cause for concern.

Device manufacturers deploy Linux on everything from digital video recorders to vacuum cleaners. The cost is attractive and it is customizable and scalable. The downside is that native Linux does not offer patch push functionality to devices in the way that, say, Microsoft does. Often derided for many aspects of Windows development, nobody can deny that Microsoft appears to do all in its power to ensure that connected devices receive frequent OS updates and patches. At the same time, a vast number of connected Linux devices may never receive an OS update in their lifetime.

At the core of the problem is the often very poor code quality and risible security of the countless device drivers that vendors add. This on top of the disjointed not-thought-through nature of the IoT landscape. The Linux security kernel faces challenges not of its own making but which potentially pose a major threat to the Internet itself. Recent massive DDoS attacks launched by botnets of zombie IoT devices generated an unprecedented a level of traffic. An attack measured at over 600 Gbps raises the possibility that even bigger attacks may be possible. Those traffic levels can swamp the routers that connect the Internet’s backbone with its spokes.

Manufacturers and vendors must take a share of the blame for failure to develop code that at least attempts to provide adequate security protection. One senses that the quick buck mentality overrules the genuine need to make drivers and the like robust enough. Of course, there is no money in building security features into vacuum cleaner device drivers. Only attractive functionality might increase the bottom line. Developing security aspects is a cost that may not be justifiable in the boardroom.

Criticism has been levelled at Linus Torvalds and the Linux community for taking a bug fixing approach rather than overhauling the security kernel design. Torvalds is infamous for his tendency to drive his own path forward and ignore arguments for change that potentially have merit. The security debate may be the single biggest challenge to his authoritative approach since 1991 when Linux was first released. Architecture that is 25 years old was not designed to cope with security demands and ever increasing hacking threats of 2016. It does appear that the time has come for a major rethink that will adequately cope with the nature and shape of foreseeable threats of the next 25 years.

IoT CCTV Devices Harvest the Biggest DDoS Ever Recorded

Security experts have long assessed the IoT (Internet of Things) as being a hacker’s paradise in its current format. Last week saw the biggest DDoS attack ever recorded, in terms of hostile traffic bandwidth. French web host OVH was the victim. DDoS attacks have been around for a long time in Internet terms. What is startling about this and at least one other recent attack is that the hostile botnets did not consist of infected PCs but of cameras, digital video recorders and other devices. About 150,000 of them at its peak.

The significant weakness of the IoT is that each and every connected device presents an attack surface. Any device that is connected to the Internet is a potential victim of hacking and hostile takeover, as major corporations are only too well aware. The growth in real life IoT networks is racing ahead of development of adequate security protection for their component parts. There are literally millions of Internet-connected devices that hackers can potentially harvest into zombie networks.

The devices involved in the OVH attack were capable of generating traffic totaling an estimated 600 Gbps when combined. This level of usage threatens to significantly disrupt the Internet for other users. Theoretically, multiple botnets with that capability could “break” the Internet in a geographical region by rendering it so slow as to be practically unusable. Even a 300 Gpbs flow may be enough to put at risk the heavy duty routers that connect the backbone and spokes of the Internet.

At issue is the sheer number of inadequately secured devices out there. The primary sources of a botnet DDoS attack on the website of security writer and independent journalist Brian Krebs in Jan 2015 were home routers. The attack was so heavy and prolonged that the DDoS mitigation service of his web host Akami could not cope over a sustained period. Back then, Krebs predicted that even CCTV cameras were potential zombies. That scenario came true in 2016 with a botnet attack from 25,000 of them.

There is no single solution that will protect all devices from hacking attacks. The most obvious and basic one is for users to change the default access credentials. For most home routers and connectable devices, the factory setting is admin/admin for user name and password. Users are also expected to apply frequent updates and patches to less-than-robust firmware. However, there is such a large percentage of homeowners who are simply either unaware or not technically competent, or both, that the onus must lie with vendors.

Not only that, but owners have no way of knowing if their devices have been compromised. Unlike PCs, laptops and mobile devices, there is no established practice of users hardening security on the majority of dumb-terminal devices. Until progress is made in this critical area of security, the IoT is the soft underbelly of the connected landscape. Devices are manufactured and supplied to perform a function. That is akin to having authority but no responsibility – having the capability to utilize the Internet but security is seen as being somebody else’s problem. This is that attitude that must be changed.

Street Fighter V Gives Killer Punch to User Security

The latest version of Capcom’s Street Fighter V for Windows includes an update that installs an unpublicized rootkit. The company claims it is intended to prevent players from cheating but its poor design allows any installed software to access the rootkit. It is an open back door to full kernel privileges and provides the capability to take over the user’s machine. A hacker’s dream.

What is a rootkit?

The term Rootkit comes from the Linux world where Root is the equivalent of Administrator in Windows. Users or components with this level of authorization have godlike powers over the device to more or less do anything that pleases them. Kit signifies a toolkit of utilities that can perform a range of tasks as the controller of the rootkit demands.

A rootkit is not necessarily malevolent of itself but is generally considered to be cloaking malware, or potential malware at least. Hackers use them to conceal their activities and to run stealth applications such as botnet stations in a DDOS attack, keyboard loggers and spam relays. A decade ago, Symantec, vendors of Norton Utilities debated the true definition of the term and when rootkits are legitimate.

What happens next?

Capcom tweeted that they are backpedaling on that initiative and rolling back those “security measures”. It is difficult to reconcile the concept of security with the release of such a potentially damaging rootkit and does bring into question the decision making process within the Capcom software engineering division. The action delivered a big negative hit to the company’s reputation.

It’s not the first time that a big name software vendor resorted to deploying a variety of rootkit as a means to address a legitimate objective. As well as Symantec, Sony was the original offender that brought the issue into public awareness in the first place in its messy music anti-piracy move.


Symptoms of rootkit infection

Because they operate at the lowest level on a device and implement cloaking measures, users may be unaware of the presence of a rootkit. Symptoms may reveal themselves only when the rootkit is operating stealthily. Screen components, such as the taskbar or system tray may disappear. General slowness is a good indicator. Malware that generates network traffic, such as spam relays and DDOS configurations, may cause a user to think that “the Internet is slow today”. There is no one signal that definitively indicates the presence of rootkit.

How to defend against rootkits

The obvious first step, which all computer users should by now adopt as a normal routine exercise, is to keep anti-virus systems up to date. This presents a difficulty for the older generation, whose devices present a rich picking ground for hackers. However, once installed, all anti-virus applications automatically check for and install the latest updates.

More security conscious users will find a variety of rootkit detection and removal tools online to add an extra layer of defense. The quandary is – just because the tool detects the rootkit while it is running, can it identify the source in a corrupted firmware module, for example? Malware rootkit authors are extremely clever and ingenious in devising the mechanisms to install and launch their tools. Rootkits come in a wide variety of guises and the only sure way to remove them is to strip the device and start with a clean software build.

Yahoo 2014 Security Breach Exposes the Harsh Reality of Internet Security

Yahoo suffered a major security breach, affecting hundreds of millions of users – but we only found out about it 2 years later. This incident, combined with the 2012 DropBox breach, demonstrates the harsh reality of internet security: most breaches either go undetected, or unreported, for years.

The background to Yahoo’s security breach

Yahoo is the latest major player to reveal a previous hacking security breach and theft of user data. What the company describes as a “state-sponsored actor” stole 500 million user details in 2014. Yahoo has not yet revealed which state is under suspicion, how they came to this conclusion, or the mechanism he used to breach security.

The Recode website was first to publish the story on Sep 22 and later that day Yahoo confirmed the news on its Tumblr site. It follows hot on the heels of the recent Dropbox revelation that almost 70 million encrypted user access credentials were hacked and stolen in 2012. Dropbox has only now disclosed the extent of that breach. The Yahoo incident has implications for the proposed $4.8 billion Verizon takeover of Yahoo. Disgruntled users may launch a class action suit that could impact Yahoo’s balance sheet and depress the stock.


What happened?

The stolen data is reported to consist of passwords hashed using the bcrypt algorithm. The hacker also took user names and personal information, including birth dates, phone numbers, email addresses and both unencrypted and encrypted security questions and answers. A reputed cybercriminal named Peace offered the data for sale on an underground website, which brought the incident to light. He did not access more sensitive data such as bank and credit card details, which are stored in a different system.


What happens next?

Yahoo says they issued an alert email to all impacted users, prompting them to change any passwords that they have not amended since 2014. They also urge users to consider using a stronger authentication method than mere passwords. Yahoo also disabled all unencrypted security questions and answers.

Even though the stolen data is relatively innocuous in itself, it poses risks to users that are much greater than simply having their email accounts hacked. Criminals use this information to attempt other hacking attacks. They may also attempt to access an individual’s network of contacts for phishing and social engineering scams.


What can users do about it?

While Yahoo and other online service providers execute strenuous attempts to protect data, the lessons for us users are clear. We really do need to learn and utilize stronger account authentication measures. This self-discipline need not cost a penny but inertia holds us back.

There is still a large number of Internet users, including seasoned IT pros who should know better, who re-use the same favorite passwords over and over for multiple online accounts. Hackers know this all too well. They use known passwords to attempt to break into other accounts. This opens avenues for exploiting financial information and possible bank account or credit card fraud.

As well as using stronger passwords that free password generator services provide, we need to consider options such as two-step authentication. Many online services offer this in an effort to reduce and prevent unauthorized access and hacking. There are both free and paid password manager services that will store strong passwords that may be impossible to memorize. Many will automatically fill in the details when you visit a website and are asked to sign in.

Whichever option we choose to take, we must take action to improve our online protection. Break-ins like these will inevitably happen again despite the best efforts of the service providers. Doing nothing is no longer an option.