6 Sep 2011
Scotland Yard Tightens the Pincers on Anonymous
It’s been another wild and crazy week for the security community.
Scotland Yard arrested two suspected members of Anonymous and LulzSec Thursday.
Meanwhile, the major players in the browser market – Google (Nasdaq: GOOG), Microsoft(Nasdaq: MSFT) and the Mozilla Foundation – have chopped Dutch certificate DigiNotar off at the knees, apparently because it was slow to warn that hackers had broken into its network and issued rogue SSL security certificates.
Further, a security researcher released information that hackers could use to leverage Google’s massive bandwidth and launch large-scale distributed denial of service (DDoS) and SQL injection attacks.
The Star Wars Galaxies gaming site was also hacked this past week, and the hacker posted the user IDs and passwords of 23,000 of the site’s members on the Web.
Finally, a survey by security vendor Veriphyr has found that healthcare organizations are suffering data breaches hand over fist.
Ho, Hackers! The Game’s Afoot!
Scotland Yard arrested two suspects in separate counties Thursday, reportedly under suspicion of conducting online attacks under the handle “Kayla.”
“Kayla” was allegedly among those behind the February Anonymous intrusions perpetrated on HBGary Federal, a company claiming to provide security to the United States federal government.
The attackers defaced HBGary’s website, stole and published 71,000 internal emails from the company, and posted a message denouncing the HBGary.
Lack of Speed Kills
On Monday, Google learned that some users of its encrypted services in Iran suffered attempts at man-in-the-middle attacks, where someone tries to intercept communications between two parties.
The attacker used a fake SSL certificate issued by Dutch root certificate authority DigiNotar.
It seems an intruder had broken into DigiNotar’s systems back in July and stolen up to 200 rogue, or fraudulent, SSL certificates, some for major domains.
DigiNotar had known about the breach since July 19 but apparently had not disclosed the information.
In response, Google, Mozilla and Microsoft all revoked trust in the DigiNotar root certificate in their browsers.
“These certificates could be used as part of attacks designed to harvest user Gmail credentials and gain access to sensitive data,” Norman Sadeh, cofounder of Wombat Security Technologies, told TechNewsWorld.
Disabling DigiNotar’s root certificate authority was justified because “security across the Internet is a shared responsibility and our root certificate authorities must be held to the highest standard,” Don DeBolt, director of threat research at Total Defense, told TechNewsWorld.
Google spokesperson Chris Gaither declined comment.
Leveraging Google’s Bandwidth for Hacks
A security researcher has disclosed on the IHTeam blog how attackers can use Google’s servers to launch a DDoS attack.
Hackers can also use the technique to launch SQL injection attacks, one of the top 10 vectors of attack, according to the tester, who goes by the handle “r00t.ati.”
The tester posted the information Monday after Google’s security center had failed to respond to a notification of the threat sent Aug. 10.
Google posted a message on the IHTeam blog Friday apologizing and stating it has tweaked its security.
“This is a serious issue, and even if Google fixes these two vulnerable pages, bad actors will likely comb Google’s pages from now on looking for a similar vulnerability,” Total Defense’s DeBolt remarked.
“My understanding is, this is not a software vulnerability, but rather a description of service misuse that we have not seen in practice,” Google spokesperson Jay Nancarrow told TechNewsWorld.
Multiple social networking and online translator sites could also be used by hackers to launch attacks in the same way, Nancarrow pointed out.
The Force Isn’t Strong With This One
This past week, a hacker broke into the Star Wars Galaxies gaming site, stole the user IDs and passwords of 23,000 members, and posted them on the Internet.
All the passwords are in plain text, the hacker said.
SWGalaxies isn’t the only gaming site to have been victimized in recent months. Earlier this year, the Sega website and the Sony (NYSE: SNE) PlayStation Network were hacked, with data on more than 100 million users stolen in each case.
Are game sites more vulnerable than others? Not necessarily, but they often aren’t as heavily fortified as, say, banking sites. That needs to change, Todd Feinman, CEO of Identity Finder, told TechNewsWorld.
“Any institution that stores personal information, including a password, should be held to a higher standard and be accountable for loss of sensitive data,” Feinman stated.
Healthcare and Privacy
More than 70 percent of respondents to an online survey on privacy breaches concerning protected health information have suffered at least one breach in the past 12 months, according to a study conducted by security vendor Veriphyr.
Hospitals and health systems constituted 52 percent of the 90 respondents, Veriphyr CEO Alan Norquist told TechNewsWorld. Half the responding organizations had more than 1,000 employees.
The two leading types of breaches “involve legitimate insiders misusing their legitimate access to patient data by accessing the records for reasons other than healthcare,” Norquist said.