Kickstarter Hacked and Hashes Leaked

Well, that does it. I didn’t want to post on rumor, but now that numerous legitimate news sites are editorializing and the CEO of Kickstarter, Yancey Strickler, has come out and apologized on the company blog, I think it is time for us to discuss and perhaps even criticize. Let us look at some of her comments.

“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data.”

So not only was the site hacked and data leaked, they had no systems in place to detect such a leak and suffered the embarrassment of a third party – in this case a law enforcement agency – notifying them that their site had been owned.

As for the users – Kickstarter has obviously fixed whatever vulnerability allowed access and now recommends that all users reset their passwords. A typical response to such an event by a medium-sized enterprise. After all, this isn’t AMEX or anything remotely worth losing sleep over. That said, credit card data obviously changes hands on the site, but we can rest assured.

“No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”

Wow. Thanks, Ms. Strickler, I think your users will choose a new password and sleep better tonight. But, hang on…

“While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.”

So while by some miracle of luck they used an external payment gateway and thus the card numbers were spared, all of the other information is likely floating around on a torrent site in an SQL dump.

Realistically, how dangerous is this breach to the average user (assuming their password hash isn’t guessed)? More than likely identity thieves would value this information and could launch a springboard attack, possibly by using social engineering techniques to call your ISP and request a password reset on your email account. All of the details for phone verification of the user’s identity have kindly been provided. From there, who knows where access to your mail stream could take him? Sensitive information is routinely sent in the clear over email. Our hypothetical criminal would do better to instead ask the friendly ISP to add a “cc” to an address owned by the attacker, so that the mailbox password need not be reset, which would obviously raise alarm.

I suspect that if we take this data and compare it with other recent(ish) breaches like Gawker and Sony we will likely see many of the same accounts. An analysis of this would prove very interesting.

So what should you take from this? Never re-use passwords, so that even if they happen to crack your hash (unlikely with a decent non-dictionary password, but nonetheless) you are still safe. Understand that your email address, if reused, can be used to profile your time online and what sites you have subscribed to, so perhaps generating some aliases isn’t a bad idea. And I guess the most important lesson is that you don’t matter to these corporate website owners – so be proactive and, if necessary, feed false data (date of birth, mother’s maiden name, etc.) where you don’t trust the site. Don’t ever rely on a corporation to keep your secrets secret.

This shouldn’t have happened and the CEO’s comments don’t fly with me. Such a large website needs to protect its core asset – its user base. Clearly the users of kickstarter are not worth the trouble.

Linksys “TheMoon” Router Worm

The SANS ISC has reported on a worm affecting Linksys routers. Essentially, the worm queries a potential target router to see if it is vulnerable and, if it meets the requirements, uses an exploit in a CGI script to pull down a binary, which is then executed. It appears that authentication is not required for the exploit, and thus the worm, to function – even when an admin password is set. The infected router then searches for other vulnerable routers to infect, and thus the cycle continues. The full details are on the ISC page; I have just paraphrased.

I would hope that Linksys releases updated firmware for the affected routers in a timely manner. I also expect this would only be able to affect routers enabled for remote administration. But many ISPs enable this on the routers they supply to their customers, to aid remote troubleshooting when the customer calls tech support, and often don’t restrict the source IP, so I imagine there is potential for entire netblocks of DSL CPEs to be infected.

Obviously if you have a Linksys device and have remote administration enabled you should probably disable this feature immediately until an updated firmware is supplied by the vendor.

NY Times Article Reveals NSA Security Controls Allowed Mass Crawl of Intranet

In a revelation today that has bounced around the tech news media, the NY Times reported that Snowden was able to effectively use a spider bot to crawl and mirror massive amounts of classified content. Embarrassing, given that an SME-grade IDS would flag that activity.

What I want to know is did he even bother to forge his User-Agent string to match whatever browser they were using? Did he rate limit the requests to make it look remotely human?

I just can’t understand why some rudimentary code on the web server side didn’t catch him. If I were serving out X pages to a single user and that was well over the assigned threshold, then surely the user could be flagged.

If small to medium IT enterprises can work out the kinks in these issues and run reasonably secure businesses, knowing that threats may come from within as well as from an external source, then why can’t the government? We are talking about the fucking NSA. They should know that the number one rule of tradecraft is to trust nobody, and if you have to trust someone – divulge as little as you can to complete your operation. Hell, in IT we call it the principle of “least privilege”. A piece of software – or in this case a human asset – should have only the minimum level of privileges it requires to perform its task and no more.

Snowden continues to embarrass the government, even from afar. One must wonder about his motives and allegiances.

Sure, I am glad that he revealed to the world that the United States – a country that spews through its propaganda that it is a freedom-loving place – actually has secret courts where you could be detained indefinitely for who the hell knows what. But we must ponder what drove him to such action, as he has already claimed the whole program was premeditated. Is Snowden himself an intelligence asset of another sovereign nation or just a whistleblower? We have heard that Assange allegedly was used as an asset by ASIO, the Australian foreign intelligence agency, and therefore we must question Snowden and draw our own conclusions.

What Secrets Lurk In Your Cellphone Baseband

It was only a few months ago that we heard of a DoS for Android devices that mishandled the reception of a bunch of class 0 SMS messages, and the astute readers of this blog will recall that this was fixed in Android 4.4 (at least for the Nexus-branded devices).

I have spent my spare time playing with cellular basebands from a variety of cellphones of all operating system persuasions and, at the risk of sounding alarmist, will state – perhaps prematurely – that there are certain “features” that you, the owner of the cellular device, likely don’t know about, which could potentially violate your privacy in ways that you haven’t even considered. We’re not just talking about relatively well known issues like the misuse of malformed class zero SMS messages as a way to “ping” phones to generate network traffic and thus assist with geolocation. This goes beyond that.

Anyone with a cellular phone needs to know that even if you run an AOSP build that you compiled yourself (and carefully source audited), those binary blob drivers – often from Qualcomm – and the cellular baseband in its entirety may betray your attempts at achieving the privacy that should be a basic human right.

I have been somewhat surprised at E911 and the way some carriers have implemented this “feature” – which can be invoked without 911 or 112 being dialed – but the real juicy stuff is buried deep in your phone. The ability to listen to your microphone without your consent or knowledge has been documented as fact and is known by the FBI, an organization that is proud of stepping on the constitutional rights of Americans, as a “roving bug”.

I would argue that there is a void in the market for a cellular phone that is provably secure (of course software can have bugs, but at least lay everything on the table and have some of the brightest minds in our industry examine it – keeping the number of lines of code down will make this task easier) and furthermore incorporates integrated encryption – not just over UMTS or other mobile IP services – but over the standard GSM compressed voice channel. Although quality may be average, this has been a long sought after feature.

That said – nothing will ever stop your carrier from finding you using radiolocation. Unfortunately this is just something we cannot design out.

Security Protocols & Evidence Paper, and Some Thoughts

Schneier’s recent blog post on a paper published by Steven J. Murdoch and Ross Anderson entitled, aptly enough – “Security Protocols and Evidence: Where Many Payment Systems Fail” demonstrates what many have probably expected from the beginning. That is – a system designed primarily for transaction authentication may not have the same utility when used for evidentiary purposes.

I recall reading a similar paper, published about fifteen years ago, on the weaknesses of using RADIUS data from ISPs in court proceedings for offenses such as downloading inappropriate and illegal pornography (I am trying to be tactful; but understand that, given the extremely harsh prison terms handed to such offenders in many Western nations and their social repugnance, it would appear that a clear determination as to whether such an act was committed would be pretty important. Not so.) On more than one occasion the ISP I was working within was ordered to provide RADIUS and later (when they realized we had it – we soon removed it once the privacy implications were made concrete in the rest of management’s heads) proxy logs for individuals.

In the dialup era at least we had the ANI information. That too could be spoofed, but it provided at least some kind of tangible connection with the user. The court orders generally ask – to paraphrase – “126.112.52.41 is part of one of your dynamic IP pools. Can you please supply logs for the user in possession of a lease for this address on 2000-02-01 03:23:14 UTC”, which can present problems, especially when someone’s freedom is at risk and you know that half your equipment hasn’t synchronized to a reliable NTP server since Clinton entered office.

Their response to an answer of – “this was on the cusp – two people occupied this lease within a few minutes of each other” isn’t to abandon the attempt and scold us for not having decent clock synchronization (the whip of big government’s rod would come later when we were forced to implement Cisco LI – uh, legal interception – at our expense or lose our license), but rather to demand the two users and amend their request to include server content, including their POP/IMAP boxes and personal web space. No doubt they had armed police storming these two residences knowing that *one* of them has to be their perpetrator. That isn’t good enough, even when heinous crimes have been committed.
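An added example, not from the post or the paper, of answering the court order’s question from RADIUS accounting records while admitting the clock uncertainty just described: a query instant is widened by the assumed NAS clock error before it is matched against sessions, so a request that looks unambiguous under a trusted clock is reported as the two-user cusp case instead. The lease records, the `skew` parameter and the session times are constructed; the IP address and timestamp are the ones quoted in the paraphrased order above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Lease:
    """One RADIUS accounting session as logged by the NAS (constructed records)."""
    user: str
    ip: str
    start: datetime   # Acct-Start as stamped by the NAS clock
    stop: datetime    # Acct-Stop as stamped by the NAS clock

def holders(leases, ip, when, skew=timedelta(0)):
    """Every user who could have held `ip` at `when`. `skew` is the assumed maximum
    clock error between the NAS and the reference clock of the query instant, so the
    instant is widened to [when - skew, when + skew] before matching sessions."""
    lo, hi = when - skew, when + skew
    return sorted({s.user for s in leases if s.ip == ip and s.start <= hi and s.stop >= lo})

def attribute(leases, ip, when, skew=timedelta(0)):
    """Return ('unique', user), ('ambiguous', [users]) or ('none', [])."""
    users = holders(leases, ip, when, skew)
    if len(users) == 1:
        return "unique", users[0]
    return ("ambiguous" if users else "none"), users

# Constructed records: two dial-up sessions on the same pool address a couple of
# minutes apart, the "cusp" case the post describes. The address and timestamp are
# the ones quoted in the post's paraphrased court order.
POOL_IP = "126.112.52.41"
LEASES = [
    Lease("user-a", POOL_IP, datetime(2000, 2, 1, 1, 10, 0), datetime(2000, 2, 1, 3, 23, 40)),
    Lease("user-b", POOL_IP, datetime(2000, 2, 1, 3, 24, 0), datetime(2000, 2, 1, 5, 0, 0)),
    Lease("user-c", "126.112.52.42", datetime(2000, 2, 1, 3, 0, 0), datetime(2000, 2, 1, 4, 0, 0)),
]
QUERY = datetime(2000, 2, 1, 3, 23, 14)

if __name__ == "__main__":
    # Trusting the NAS clock gives a single name; admitting two minutes of drift does not.
    print(attribute(LEASES, POOL_IP, QUERY))
    print(attribute(LEASES, POOL_IP, QUERY, skew=timedelta(minutes=2)))
```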

We are fast becoming a society where guilt is assumed and innocence must be proven. Thanks to the PATRIOT Act and co., your constitutional rights to a fair trial have been scrambled, especially if they can connect your “case” to a vague concept they call “national security”. A child making a dry ice bomb and detonating it in a pond near a school could face such “justice” (enclosed in quotes because they have redefined this word. I must get an updated dictionary and reacquaint myself with what justice means today. The answer won’t please me nor anyone who considers themselves a “patriot” or even a free thinker.)