17 posts from April 2012
April 26, 2012
 Several Carding Sites Taken Down

The UK's Serious Organised Crime Agency (SOCA) has shut down 36 web sites that it said were trading in stolen credit card information, including http://ccstore.biz and http://cvvplaza.com.

Here's a twitpic of what the suspended websites look like:  http://twitpic.com/9e0166/full.

This is significant.  Although hacktivism has gotten a ton of attention in recent months, for-profit hacking continues at a costly rate and taking these sites offline is a serious blow.  

Interestingly, law enforcement seems to be conducting arrests in batches, arresting or suspending criminal gangs as a network rather than individually.  Just as all of Lulzsec was arrested, now a network of carder sites is paralyzed.  And this approach makes sense, since it can help eliminate a swath of criminal activity while potentially scaring others away from filling the void.

 Automated Cyber Attacks Graphic

This week, we released a report (no reg required) on automated hacking.  Many of you asked for the graphic explaining how automated cyber attacks work and some ideas on impeding them.  Here it is:

Download Automated Cyber Attacks

April 25, 2012
 Automated Attacks

In Austria, a 15-year-old boy has been arrested for hacking into 259 companies during a 90-day spree. In other words, during the last quarter he successfully attacked an average of three websites per day.  In a broader view, cloud-security provider Incapsula published a study showing that 31 percent (!) of website traffic was malicious traffic.

Script kiddies?  Yes.  But what makes the Austrian incident interesting is the speed and effectiveness of the hacks.  How was it achieved?  Automation. 

Automated hacks are not new.  However, recently, we have noticed increased sophistication.

The purpose of Imperva’s latest monthly Hacker Intelligence Initiative report is to give a "state of the union" when it comes to automated attacks.  Specifically, we describe the key tools and processes hackers use to automate SQL injection and RFI/LFI attacks. We believe these are the two most deployed attack methods and—as in any industry—automation is a key indicator that someone wishes to achieve an economy of scale.  Further, the automated tools being developed are sophisticated.  This means:

  • The script kiddies are hitting puberty.  In other words, their attacks will be more effective and thorough.
  • The pool of hackers is likely to increase.  The ease of use of these tools is a key component of their appeal.  During the California Gold Rush in the mid 1800s, few made money.  The real winner?  Levi’s.  They sold jeans to all the prospectors.  In the same way, hacking tools are a cottage industry trying to appeal to those hoping for a few online thrills.

Our report can be downloaded here.

The report details:

  • Commonly used automated SQL injection and RFI/LFI tools.
  • How to identify them when they hit your website.
  • Some strategies needed to stop them.

April 23, 2012
 Why Hacktivists Are Winning

A new survey has some interesting results.

Interesting fact #1:  Security professionals fear hacktivism more than anything else.  In the release, they write:

More than half (61 percent) of respondents believe Anonymous and other hacktivist groups are most likely to target their organization -- IT professionals express concern over the high-profile attacks led by hacktivist groups like Anonymous, and followed by cyber criminals (55 percent) and nation states, specifically China and Russia (48 percent).

Interesting fact #2:  Only 4 percent of respondents were concerned about SQL injection.  Seriously?

SQL injection is one of the major topics in hacker forums and, as we described here, the primary modus operandi for hacktivists.  Instead, as we outlined in our report, security teams are concerned with malware and spear phishing which, as we point out, are NOT used in most hacktivist attacks.  And it’s not just our report: the latest Verizon report shows that 54% of data breaches used applications as the attack vector.  How do you take data from an app?  Mainly through SQL injection.

Even if the 4 percent figure is off by three, four or five fold, this helps explain why hacktivists continue to see success in exposing data.  And once again, this week we see another example of hacktivists exposing data with this Formula One breach.

April 18, 2012
 Oracle’s Q2 CPU Release

Oracle released its latest vulnerability list.  What this release highlights is the fact that Oracle should provide work-around instructions rather than dogmatically stick to immediate patching as the single alternative. 

This one has 88 patches.  Only four issues are in the Oracle database server whereas six are in the MySQL database server.   Of the four database vulnerabilities, two are interesting:

  • One vulnerability is severe, ranking 9 on a 10 scale.  What is significant about this issue?  It is the most severe even though exploiting it requires authentication.  In this case, the vulnerability is in a component that is installed by default and known to have been vulnerable in the past on more than a few occasions.  What does this component do?  It allows users to do geometric searches.  However, geometric search is not used very widely.  Since it isn’t used very much, Oracle should recommend, for example, removing the package altogether so that only those who need it are exposed to it.
  • The second vulnerability is a 7.1 on a 10 scale since it’s a complex exploit—but this seems low.  Why?  This vulnerability requires two capabilities:  create library and create procedure.  What is of most interest here is the create library capability, which maps an OS module into the database—an inherently dangerous process because it lets arbitrary OS native code be exposed as stored procedures accessible through a DB SQL session.  We suspect that the vulnerability allows server takeover using uncontrolled mapping, and that the patch reduces the ability to map arbitrary modules.  Regardless, a better method would be to simply not allow anyone but an administrator to perform this process.

April 16, 2012
 Facebook and Geeks

Outstanding:

[Image: Geek]

April 12, 2012
 Facebook's New Archiving Feature

Today, Facebook announced a new feature, “Download Your Archive”, on their blog.

Ironically, one of the first comments on the blog post by a Facebook user is, simply, “Who cares?”  That’s exactly the right response, though probably not for the reasons the commenter intended.

What does the new functionality do?  Is it any good?  We’ve had a chance to look at the output.  Here’s what you get:  a current catalog of all your friends, pictures, videos and wall posts.  Nothing else.

[Image: Archive]

We basically agree with Max Schrems:

“We welcome that Facebook users are now getting more access to their data, but Facebook is still not in line with the European Data Protection Law,” said Mr. Schrems, a student at the University of Vienna. “With the changes, Facebook will only offer access to 39 data categories, while it is holding at least 84 such data categories about every user.”

As we detailed in blogs earlier this week on Facebook hacking, there is a lot of data in Facebook.  This new capability still keeps a good chunk of this data out of users’ hands.  For example, Facebook tracks all the websites you visit.  Where are the logs?  Also, the archiving only shows current information.  So if you deleted, say, a photo, that won’t appear in the archive.  What about deleted content?  We know Facebook retains this information as well.  Credit card information is in Facebook if you bought dumb game stuff.  (For a full list of the data Facebook contains, Europe vs Facebook has done a nice job itemizing the list).

Overall, Facebook has only provided the bare minimum.  Why?  One can speculate that:

  • They want users to see just how much data they have—it would freak consumers out.
  • It’s a lot of work to make this content available.
  • They don’t wish to expose too much data for security reasons.

Chances are it’s a combination of the above.  (In fairness, the last bullet above is a legitimate reason not to put too much information into an archive.  But I suspect various governments worldwide will force Facebook to include this information in future versions.)

We hope users understand what it means to have a lot of personal data stored in one location.  Cyworld, a social networking site in South Korea, was breached last year and 35M South Koreans had their data exposed to hackers.  No one is sure who hacked the site; theories range from a foreign government to private, for-profit hackers.  Today, Facebook claims 800M+ users.  Privacy is a big driver behind the new archiving feature.  Ironically, many consumers don’t seem to care about privacy.   Perhaps security concerns could make them more sensitive to the data they put online.

April 11, 2012
 Why Do Hackers Want Facebook Data, Part II of II

[Image: Fb4]

In the first of this two-part series, we showed how Facebook profile data is very attractive to different kinds of hackers. But how do hackers gain this information?

The main method to gain access to the Facebook account of a specific user is getting the password. This can be done in myriad ways:

  • Malware. These are various keystroke loggers which record the user’s activity, including passwords to different applications. The malware is typically installed by employing social engineering techniques which implore the user to download a particular (“cool” but, in reality, malicious) app. Malware may also be installed using drive-by-download techniques, where the browser is instructed to download malware from an attacker-controlled server. Obviously, there are also physical ways, such as accessing the victim’s machine when the user’s device is left unlocked and unattended.  Click to BIGGIFY:

[Image: Fb5]

  • Phishing. This method attempts to deceive the user into divulging their credentials by mocking up the Facebook login page. In a past entry of ours, we provided an example of such a phishing kit which creates fake Facebook - as well as about a dozen more - sites. This particular kit became quite popular; the hacker boasted more than 200K downloads. Click to BIGGIFY:

[Image: Fb6]

  • Bruteforce. The attacker repeatedly attempts to guess the user’s password. This technique is particularly effective against users who tend to use easy and guessable passwords. This YouTube video presents the “Facebreak” bruteforcer. Click to BIGGIFY:

[Image: Fb7]

Hacking by individuals is not confined to password-grabbing. Other methods have proven successful in the past:

  • Hacking Facebook’s admin rights. Although this requires more effort on the hacker’s side and so is not as prevalent, this type of attack stands out. It is the “holy grail” of attacks as it also provides the hacker with all that “inaccessible” data. Not only of a single user – but of all users. Attackers can achieve these rights by hacking into Facebook’s systems, submitting court orders (see below), or even bribing a Facebook administrator. Recently, a hacker was sentenced after hacking into Facebook’s internal system and extracting parts of Facebook’s source code.
  • Building a data-slurping application. Last year a bug in Facebook allowed applications to access users’ private data. Further, Facebook allows the users to set what applications have access to what data. So, even if an application does not initially have permissive rights to access the user’s data, a hacker can entice the user to open up access to these applications.
  • Stealing a user’s Facebook cookie. Such a “cookie” contains sensitive information such as the user’s username and password. Consequently, a hacker who steals the cookie can impersonate the real user. In fact, the ultra-popular application, Firesheep, released last year demonstrated how easy it is to steal a user’s cookie. Firesheep’s simple GUI gave people - including those “clueless” in hacking – the ability to steal Facebook cookies from individuals connecting to public terminals, such as in Starbucks. 

The next two methods can also be carried out by lone hackers, private investigators, and simple cyber-voyeurs, while government-sponsored hackers can use these same tactics on a much greater scale, since they have more advanced communication-interception capabilities.

  • Eavesdropping. Although Facebook login information is sent in encrypted form, which prevents eavesdroppers from gaining the credentials, the rest of Facebook’s online activity is not usually encrypted. This means that eavesdropping is as simple as “listening” to open WiFi networks. To respond to this issue, Facebook recently (Jan 26th 2012) added the option to opt in to SSL for other activities too; see http://www.facebook.com/blog/blog.php?post=486790652130.

[Image: Fb8]

We recommend that FB users enable that option, as leaving traffic unencrypted may allow hackers to listen in on the rest of the communication.

Here’s how a hacker could track this information.  First, an innocent message is written in Facebook:

[Image: Fb9]

Then, using a sniffing tool, someone can capture the message:

[Image: Fb10]

  • Monitoring communications. We put this as a separate technique from eavesdropping since eavesdropping carries the connotation of doing something surreptitiously without ever wanting to be caught. But what about public communications?  Facebook is huge and can provide a lot of information if someone can separate the noise from something interesting.  Note how recently the FBI issued an RFI to monitor social media. Further, if the info is public then anyone can crawl it. For example, in 2010 an individual collected the public profiles of 100 million Facebook users and published them online in a single downloadable file. The consequence is that even if a user changed their settings after the scraping of their profile, it was too late, since people already had their profile details.

In addition to the above methods, government-sponsored hackers have extra powers which allow them to obtain users’ Facebook data – including the “inaccessible” portions:

  • Altering the Facebook communication. As mentioned, Facebook credentials are typically sent encrypted under the SSL protocol. However, Tunisia got around this obstacle by injecting Javascript code into the application’s login page. That extra piece of code allowed all credentials to be re-routed to a Tunisian-controlled site.  In another case, the Iranian government was able to spoof SSL and act as a man-in-the-middle, tapping into users’ Facebook communications. In Tunisia, for example, targets found that Facebook groups they founded were deleted, as were pictures of protests.
  • Legal means. Of course, there are legal routes to obtain the data. Facebook lists the required guidelines for law enforcement to access records. For instance, in the US, the agency must have a subpoena or court order. And, there’s also Max Schrems’ way – simply ask for it under the European data protection law.

April 10, 2012
 Why Do Hackers Want Facebook Data, Part I of II

Late in 2011, Max Schrems asked Facebook for a profile the social networking company assembled based on his posts, likes and friends.  Max received a 1200 page PDF file with lots of personal details.  Being a law student, understandably, Max examined the information from a privacy perspective.  But what about security?  We examined the content from Max’s report and asked: 

  • What Facebook data do hackers find interesting (part I)?
  • How can hackers go about and obtain that data (part II)?

In this two-part series we’ll tackle each question in turn. But before we do, some background on personal information and social media:

  • Facebook contains much more data than most people realize.  Again, Max Schrems got a 1200 page document from Facebook.  Max noted that the document contained not just a lot of information about him—but on his friends as well.
  • Not all of the user’s private data is directly accessible to the user. Although some of the information is accessible via the application (a user can view their pictures, wall, and so forth), some of the data is not as accessible. For instance, dynamic data (such as unsaved chat logs) or geo info (such as IP addresses) are not typically retrieved. These are the things that Max, an EU citizen, requested to receive. Facebook, complying with EU regulations, obliged Max with all of his “inaccessible” data.
  • The issue is not confined to Facebook alone.  Webmail apps, for example, hold much more revealing personal information. Further, Google’s recent privacy policy change allows Google to cross-reference that content with the user’s search queries and GPS location. This type of cross-referencing may potentially have more severe implications, raising many privacy concerns.

So what data does Facebook contain?  It is a treasure-trove for information diggers since it contains:

  • Personal Identifiable Information (PII) as well as general personal information. Included in this category are date of birth, home address and even the mother’s maiden name (and yes, some banks still use this information as an identifier). Even social security numbers can be extrapolated from many Facebook profiles, as shown by researchers at Carnegie Mellon University.

This type of data can be used for various purposes. With enough gleaned information, a hacker can even gain control of the user’s other online accounts, for example by using the “Forgot Password” feature which exists in many systems. This feature requires people to identify themselves by supplying an answer to a pre-determined personal question, such as the name of the user’s dog. An information digger can retrieve that type of info from the individual’s Facebook profile (click to BIGGIFY):

[Image: FB1]
Hackers can also use this information to create more credible phishing emails. The email may contain a personalized message requesting that the user click on a link which actually refers to an attacker-controlled site, or even download a malware-laden file.

Hackers can also use this information for extortion purposes. A student in Pennsylvania, for example, was told by hackers that they would post a private video of him online unless he wired $500 to a man in Morocco.

Finally, professional identity thieves can use much of this data to build a better profile of the victim.

  • Passwords. Although this may also be considered PII, we found it reasonable to include it as a separate section due to its sensitivity. Gaining access to the victim’s account ultimately gives the hacker knowledge and control of the user’s password. Consumers are notorious for using the same password across multiple sites, and the Facebook password may just as well be the same password used for other online services. In effect, this allows the hacker to impersonate the user to other services.
  • Friend-Mapping. Facebook is all about “Friends”. From a hacker’s perspective, this means that getting hold of a victim’s account will also provide the knowledge of the user’s circle of friends.  Once in a circle of friends, a hacker posing as a trusted friend can cause mayhem:
    • This allows hackers to create better scams (aka “419 scams”).  For example, a message could seem to come from a friend requesting the transfer of monetary funds (“This is your friend, Tom. I am stranded in the middle of Paris with no money”). These phishing messages could be similar to those described above - containing links to malware or include malware-laden files. Since they purportedly come from the victim’s friend, the victim may be more susceptible to follow those links.
    • Through friends-mapping, a hacker can also gain enough personal information on the user which can also be used for extortion purposes. For instance, MIT researchers released a piece of software which can determine a user’s sexual orientation according to their circle of friends. Many raised the implications of this to the outing of closeted individuals.  The same approach could be applied to race or religion.
  • Organizational structure. Similar to friends-mapping, hackers can analyze the interleaved connections between individuals in order to map out the structure of members of different organizations – as well as units within the organization. This is a stronger concern with other social networks, such as LinkedIn. However, this type of mapping can also be applied in Facebook, especially with businesses adopting “Fan” pages. The organizational structure can be used for corporate espionage, foreign-government and even military intelligence.
  • Business plans. As a professional social network, LinkedIn provides a hotbed for competitive intelligence. But even Facebook provides enough info which is usable for competitive intelligence. In fact, different companies exist which offer exactly this kind of service. Users can follow what their competitors are discussing and what conversations they are participating in.  
  • Geo location information. Through geo-location information, a hacker can build a profile of the victim’s whereabouts. There were cases where law enforcement agencies actually were able to use this type of information to find and capture fugitives.  Geo location data is altogether more valuable when cross-referenced with the organizational structure. This can be very useful, say, to gain military intel on the location of the adversary’s military units. In fact, last year an IDF operation was cancelled following a soldier’s status update of the operation’s time and location.

Who then are the hacking groups who would attempt to use or hack Facebook?

  • Private hackers: These are your regular hacking-for-profit types. They just want to make money by duping consumers. As such, their focus is more on gleaning PII and passwords. Private hackers have also been known to perform extortion.  Here's an example of one hacker who is trying to build a business hacking Facebook (click to BIGGIFY):

[Image: FB2]

  • Government-sponsored hackers:  These hackers work for governments with the purpose of advancing some national agenda. They may use Facebook data for military intel purposes, to uncover dissidents, and to squash dissent.
  • Corporate-espionage hackers: These hackers may work for a certain organization or independently. The independent hackers may attempt to glean sensitive business information over time and then sell it to interested competitors. These hackers are mostly focused on corporate structure, business plans, and gaining enough information which will lead them to access other accounts (for you Girl With a Dragon Tattoo fans, think Lisbeth Salander).
  • Hacktivists: So far, hacktivists have used Facebook as a means of communication as opposed to a resource for taking data.  For example, Anonymous claims to have taken some “revealing” photos of BART spokesperson Linton Johnson from Facebook.  As hacktivism evolves, this will likely change. For example, we could see Facebook data exposed by hacktivists to embarrass individuals or an organization.

April 09, 2012
 Beating CAPTCHAs

In 2008, there were a few reports about CAPTCHA bypass services available online.  Today we ask, “Where are they now?”

Short answer:  they are still here and not much has changed.  Here’s an example from one such site, which boasts “With our service you will never have to worry about captchas again.”  This same service includes:

[Image: Captcha1]
And how much does it cost?  Not a lot:

[Image: Captcha2]

The process of “reading” CAPTCHAs is fairly simple.  To decode a CAPTCHA, users install a plug-in that reads CAPTCHAs from a website.

All this underscores the need to beat automation.  Having the ability to block traffic that visits your site with any of the following aberrations is essential:

  • Automated traffic that goes through a site at inhuman speeds; this needs to be identified and stopped.
  • IP addresses that come from unusual geographies.  For example, in the 2008 articles cited at the beginning of this post, many of the CAPTCHA services were based in India.  If you don’t do business in India or with Indian customers, it might make sense to put traffic coming from India under additional scrutiny.
  • IP addresses that are known to be malicious.
  • Headers containing information that identifies the client as a tool.  For example, in the red square below you can see how one attack tool, Havij, identifies itself:

[Image: Captcha3]
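As an added illustration of the four aberrations listed above, and of the "how to identify them when they hit your website" point of the automated-attacks post earlier in this archive, the following Python checks a batch of web-server log lines for inhuman request rates, unexpected geographies, known-bad addresses and tool-identifying User-Agent headers. This is example code written for this page, not Imperva's or the report's; the log lines, blocklist, prefix-to-country table, thresholds and the Havij User-Agent string are all constructed, and only the observation that Havij names itself in its headers comes from the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2012:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"',
    '203.0.113.7 - - [09/Apr/2012:10:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"',
    '198.51.100.9 - - [09/Apr/2012:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 1410 "-" "Mozilla/4.0 (compatible; Havij)"',
    '192.0.2.44 - - [09/Apr/2012:10:00:02 +0000] "GET /signup HTTP/1.1" 200 2200 "-" "Mozilla/5.0 (X11; Linux) Chrome/18.0"',
] + [
    # 30 requests inside 3 seconds from one address: a rate no human browsing session produces.
    f'198.51.100.200 - - [09/Apr/2012:10:00:0{i // 10} +0000] "GET /page/{i} HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux) Chrome/18.0"'
    for i in range(30)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed policy data. Havij is the only signature the post names; extend from the report's tool list.
TOOL_SIGNATURES = ("havij",)
KNOWN_BAD_IPS = {ipaddress.ip_address("198.51.100.9")}
GEO_TABLE = {  # stands in for a GeoIP lookup; countries are made up for the example
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "XX",
}
EXPECTED_COUNTRIES = {"US"}   # where the site actually does business
RATE_WINDOW_SECONDS = 5
RATE_LIMIT = 15               # more than this many requests in one window is inhuman


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def country_of(ip):
    """Longest-prefix-free lookup in the constructed table; None when the address is unknown."""
    return next((cc for net, cc in GEO_TABLE.items() if ip in net), None)


def exceeds_rate(timestamps, window=RATE_WINDOW_SECONDS, limit=RATE_LIMIT):
    """True if more than `limit` requests fall inside any `window`-second span (two-pointer sweep)."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def flag_sources(lines):
    """Return {ip: sorted reasons} for every source address that trips at least one check."""
    per_ip, reasons = defaultdict(list), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        ip = rec["ip"]
        per_ip[ip].append(rec["ts"])
        if any(sig in rec["ua"].lower() for sig in TOOL_SIGNATURES):
            reasons[ip].add("tool_user_agent")
        if ip in KNOWN_BAD_IPS:
            reasons[ip].add("known_bad_ip")
        if country_of(ip) not in EXPECTED_COUNTRIES:   # unknown origin is treated as unusual too
            reasons[ip].add("unusual_geography")
    for ip, stamps in per_ip.items():
        if exceeds_rate(stamps):
            reasons[ip].add("inhuman_rate")
    return {str(ip): sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(why)}")
```

Flagged sources are candidates for additional scrutiny (CAPTCHA re-challenge, throttling, or a block rule), not automatic proof of abuse; the rate threshold in particular should be tuned to the site's real traffic.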
