Unsafe Wifi | TechSNAP 38


A major implementation flaw in protected Wifi has been found; we’ll share the details.

Also: A federally contracted think tank suffered a major breach this week, with needy charities being caught in the fallout!

Plus our end of year sign off, and so much more, in this week’s episode of TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Show Notes:

Breaking

New York Times subscriber list may have been compromised

  • This story was first reported minutes before the recording of this episode of TechSNAP, so further information and verification were not possible
  • An email was sent to users asking them to reconsider cancelling their home delivery subscription
  • The email seems to have been targeted at anyone with a NYTimes.com account, not just current home delivery subscribers
  • Some people who received the message say that the NYTimes was the only 3rd party that had their email address
  • The email appears to have a correct DKIM signature, meaning it was signed with the private DKIM key for the email.newyorktimes.com domain
  • The email was sent via Epsilon Interactive, a mass emailing company that has previously been compromised
  • NYTimes First Responses: Blog.NYTimes.com Twitter
  • Email Headers
  • It is unclear if the email was the result of the compromise of Epsilon’s servers (and the NYTimes private key), or was accidentally sent to all subscribers instead of the intended subset

WiFi Protected Setup (WPS) flaw exposes millions of devices to trivial attack

  • WPS was created to allow users to more easily set up secure wireless networks
  • WPS uses either an 8-digit PIN, or a ‘push to connect’ button on both the AP and the client device
  • This security vulnerability specifically concerns the 8-digit PIN method
  • An 8-digit PIN gives a key space of 10^8 (100 million) PINs
  • However, the last digit of the PIN is actually a checksum, used to detect typographic errors
  • The attack described below exploits a flaw in WPS where the attacker is able to determine, from the response to a failed attempt, whether the first 4 digits of the PIN matched
  • This, combined with the last digit being a checksum, effectively narrows the key space to 10^4 + 10^3 (11,000) possible PINs
  • Even a key space of this size should be enough to keep attackers out; however, it was discovered that many devices do not implement any lockout after failed attempts, making brute force attacks much easier and faster
  • It was also observed that rapid brute force attempts appeared to have a denial of service effect on the targeted AP, exhausting its processor time responding to the authentication requests
  • Affected vendors include: Belkin, Buffalo, D-Link, LinkSys, NetGear, TP-Link and ZyXel
  • As of yet, there have been no new firmware offerings to resolve this issue
  • DD-WRT does not support WPS and so is not vulnerable
  • To work around the problem, you can disable WPS on your AP, or if it is supported, set a long lockout time for failed attempts
  • Technical Details
  • Vulnerability Announcement
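The key-space reduction in the bullets above, worked through as an added example (not code from the show or from the researchers): the checksum rule is the one in the WPS specification, and the guess rate and lockout values passed in at the bottom are constructed assumptions, not measurements.

```python
# Added example for the show notes above; not code from the episode or from the
# WPS researchers. Checksum rule follows the WPS specification; the timing
# figures passed to seconds_to_exhaust() are constructed assumptions.

WEIGHTS = (3, 1, 3, 1, 3, 1, 3)  # weights applied to PIN digits 1..7


def wps_checksum(first_seven: str) -> int:
    """Return the 8th digit that makes a 7-digit prefix a valid WPS PIN."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def worst_case_guesses(checksum_known: bool, halves_confirmed_separately: bool) -> int:
    """Upper bound on online guesses needed to find the PIN.
    Naive: 10^8. Checksum known: digit 8 is fixed by digits 1..7, so 10^7.
    Halves confirmed separately (the flaw): 10^4 for the first half plus
    10^3 for the second (three free digits, determined checksum) = 11,000.
    """
    if halves_confirmed_separately:
        return 10**4 + (10**3 if checksum_known else 10**4)
    return 10**7 if checksum_known else 10**8


def seconds_to_exhaust(guesses: int, seconds_per_guess: float,
                       lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Time to try `guesses` PINs against an AP that pauses for `lockout_seconds`
    after every `lockout_after` failures. lockout_after=0 models the affected
    devices, which imposed no lockout; a long lockout is the suggested workaround.
    """
    base = guesses * seconds_per_guess
    if lockout_after <= 0 or lockout_seconds <= 0:
        return base
    return base + ((guesses - 1) // lockout_after) * lockout_seconds


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"), worst_case_guesses(True, True))  # True 11000
    print(seconds_to_exhaust(11000, 1.0) / 3600)         # ~3.1 hours with no lockout
    print(seconds_to_exhaust(11000, 1.0, 3, 60) / 3600)  # ~64.2 hours with lockout
```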

GSM Phones vulnerable to hijacking

  • Security researcher Karsten Nohl, known for his research into exploiting GSM to tap or eavesdrop on mobile phone calls, is set to present new research that he says allows an attacker to impersonate your phone, making calls and sending text messages to expensive premium services operated by the attacker
  • Such attacks are commonly executed against corporate land line PBX systems: breaking into the system, placing expensive per-minute calls, collecting large sums of money, and then disappearing before the victim gets their next phone bill and notices the problem
  • In the days of dialup, computer viruses that caused your computer to make similar expensive phone calls in the middle of the night were also fairly common
  • The vulnerability only affects the older 2G GSM network; however, almost all phones still support GSM as a fallback when newer 3G networks are not available
  • “We can do it to hundreds of thousands of phones in a short time frame,” Nohl told Reuters
  • Security Research Labs (the company Nohl works for) runs a website where they rank the various mobile providers based on their ease of Impersonation, Interception and Tracking
  • “None of the networks protects users very well,” Nohl said.
  • SRLabs plans to release data collection software, allowing users to participate in data collection to grow and improve the database
  • SRLabs’ research is focused on Europe and did not review any North American telcos

Anonymous claims responsibility for compromise of StratFor website, releases customer information via pastebin

  • The website of US security think tank Strategic Forecasting Inc (Stratfor) was compromised by attackers under the banner of the Anonymous movement
  • Other members of Anonymous stated that the attack was not an official operation, and that because Stratfor is a media source, it is protected by freedom of the press, a highly valued principle in the Anonymous movement
  • The pastebin posts are only flagged as #antisec and #lulzxmas, and may have been falsely attributed to Anonymous by the media
  • Stratfor has suspended the operation of its website and email
  • The attackers have obtained the credit card details, passwords, and addresses of 4,000 of Stratfor’s private clients
  • The attackers claimed to have stolen 200GB of data, including emails and research
  • The goal of the #lulzxmas campaign was apparently to make 1 million dollars in donations to charities using stolen credit cards
  • Other Twitter posts claim the total number of stolen credit cards was in excess of 90,000. Of these, two lists containing 3,956 and 13,191 items respectively have been published
  • The data is said to include the CVV values for the credit cards. The PCI-DSS standard prohibits storing the CVV precisely for this reason: when a database is compromised the CVV is NOT disclosed, so online stores that check the CVV can still prevent fraud
  • It also appears that the users’ passwords were stored in plain text. The data that was released via pastebin had the passwords MD5 hashed, but even if that is how they were stored in the database, that is insufficient protection
  • Most of these funds will likely be charged back, actually costing the charities money
  • Stratfor describes itself as a provider of strategic intelligence for business, economic, security and geopolitical affairs
  • Stratfor said that it was working with law enforcement to attempt to apprehend the attackers
  • “Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me,” wrote Mr. Friedman (Chief Executive of Stratfor) in an email to clients
  • “Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications,”
  • Purported Client List
  • Client Details
