2011 is the Year of the Hacktivist, Verizon Report Suggests

Verizon Business's Bryan Sartin, who investigates corporate break-ins, saw red this year over hacktivist threats to clients.

Postal workers, department store clerks and elves aren’t the only ones working like crazy this holiday season. For Bryan Sartin, it’s the busiest time of year.

Sartin is a director of investigative response with Verizon Business. He’s the guy you call when you’ve been hacked and he usually doesn’t get much of a Christmas vacation.

“Right before big holidays, particularly Christmas and New Year’s is when the very vast majority of people seem to find out that they’ve been hacked,” he says. “We’ll do as much as 20 percent of our annual caseload during this part of December.”

In 2010, about 92 percent of those cases involved criminals trying to steal money over the internet, but this year everything changed.

The first signs emerged in December 2010, when activists with the online collective Anonymous called for digital sit-ins — known as distributed denial of service attacks — on the websites of companies that had refused to process payments for Wikileaks. Then, in early 2011, attacks on Sony, HBGary and many law enforcement agencies hit the headlines. None of them appear to have been financially motivated.

That’s meant big changes in the kinds of threats that companies are preparing for.

Sartin helps compile a widely watched yearly study of data breaches, and he says that hacktivist and state-sponsored attacks will show up in this year’s report, big time. “That trend has certainly continued this year and it will embody itself in a big way in our upcoming study.”

But for all the high-profile LulzSec and Anonymous attacks this year, Sartin still believes the hacktivist threat — long ignored by corporate IT — is now frequently overhyped.

He says clients often approach Verizon after they see a Twitter message or an internet post threatening an attack on a pre-determined day. The company gears up for an event, bringing consultants on site, and ordering technical staff to be at the ready.

It’s not cheap, and most of the time, nothing happens. “Very commonly, when companies are receiving these kinds of threats in advance, no one ever makes good on them,” he says.

Last year, reported cyber-threats to the New York Stock Exchange, the Federal Reserve, and Facebook never materialized.

In one actual attack — Sartin wouldn’t name the company — criminals broke in and got access to a database filled with encrypted client data. Looking at the logs, Verizon investigators could see that the attackers had downloaded all of the encrypted data — something that would force the company to notify its customers that their data had been accessed. But they didn’t download the one most useful table of all — an unencrypted list of the encryption keys that could be used to decrypt all of the data they had stolen.

“They were stealing data with no interest in deciphering the encryption,” he says. “They were just stealing it to force this company into making a disclosure.”

While the hacktivists may be overhyped, Sartin says they’re often better than the other hackers out there. According to him, many attacks that are thought to be state-sponsored are surprisingly unsophisticated. Known as advanced persistent threat attacks, Sartin calls them “awfully persistent, but not so advanced.”

There’s one more surprise that will show up in the 2012 Data Breach Report, which will include a lot more data sources from Europe and Asia than previous reports.

“In this part of the world, China is the source of a lot of our crimes, but if you go to China … the U.S. is the number one source of electronic crimes,” Sartin says. “Over here we think that all of these advanced persistent threats and things come from China. Over there, they think they all come from here.”

Photo courtesy of Verizon

Does Security Really Matter to OpenX?

On December 1st OpenX finally made a public announcement on their blog about OpenX 2.8.8, which fixed a vulnerability that had already been exploited for some time before OpenX 2.8.8 was released. Their post claims “If ever we find an issue, we address it quickly and communicate any updates as soon as possible.” Would anyone consider a month to be “as soon as possible”? What makes the delay even more troubling is that back on November 8, when we posted about the lack of a public announcement and other issues, we had many visitors from OpenX on the blog, so if they hadn’t thought it was important to make an announcement before then, they should have by then.

Their post begins with the claim that “OpenX takes security seriously.” It is hard to take that seriously considering that this is the third post on their blog titled Security Matters (1, 2) making the same claim, and yet they have had to repeatedly release fixes for vulnerabilities that were already being exploited. It is understandable that software can have vulnerabilities, but when hackers are finding and exploiting them before the developers find and fix them, it is an indication that the process for ensuring the security of the code is lacking.

While there has been a fair amount of time between new vulnerabilities being exploited and then fixed by OpenX, it is reasonable to consider that this might not be due to a limited number of vulnerabilities but to a lack of need to exploit more of them. From what we have seen, there seem to be plenty of ad servers running outdated versions of OpenX that hackers have been able to exploit well after new versions were released. So it doesn’t seem unreasonable to think that hackers might know of, or could easily find, more vulnerabilities in OpenX, but as long as there are enough ad servers running outdated versions to exploit, there is no need to make OpenX aware of a new vulnerability; it can be held back and used once the supply of outdated ad servers runs low.

It is also hard to take them seriously when there is such a public example of them not following their own advice. As part of their post they say “It’s critical to the safe maintenance and operation of any software that you not only maintain a current version of the software, but also take steps to regularly audit accounts that have access to your system.” They correctly state that it is critical to keep software up to date, but you don’t have to look far to see that they don’t follow their own advice. The blog they posted to is running WordPress 2.6.2 (if you want to see when websites are running outdated versions of WordPress and other software, check out our web browser extension for Firefox and Chrome). That version is now over three years out of date. They have failed to apply the last 27 releases, 16 of which included security updates.

The CHANGELOG.txt file for www.openx.com indicates that it is running Drupal 6.19, which, if accurate, means the Drupal install is a year out of date and they missed a security update for that as well.

Our First WordPress Plugin Security Bug Bounty Payouts

We finally have an opportunity to discuss our first two security bug bounty payouts for WordPress plugins, both for relatively minor issues. We actually paid them out in late October, but we waited until one of them was finally fixed (the other was fixed within hours of the developer being notified) to write about the issues.

Both NextGEN Gallery and WP e-Commerce suffered from reflective cross-site scripting (XSS) vulnerabilities in the portion of the plugin accessible in the admin area. With a reflective XSS vulnerability, if an attacker can get you to visit a specially crafted URL, they can cause the website to include arbitrary HTML code, most often JavaScript, that they specify. That could be used to cause actions to take place on the web page, to load another file, or to read your browser cookies, among other things.

XSS vulnerabilities are not as big an issue as vulnerabilities that allow adding arbitrary code to a database or into a file. Because these two vulnerabilities are only accessible in the admin area, their severity is limited even more. If they were to be used by an attacker, it would be in an attack targeted at an individual website instead of a mass attack. Most attacks on WordPress based websites are mass attacks.

A fix for NextGEN gallery was included in version 1.8.4 and a fix for WP e-Commerce was included in version 3.8.7.3.
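The following is an added example, not code from either plugin or from the original post, showing the kind of admin-page mistake that produces a reflective XSS in a WordPress plugin and how the same page looks once the reflected value is escaped with WordPress's own helpers. The menu slug `demo_gallery`, the `search` parameter and both page functions are constructed for illustration.

```php
<?php
// Added example: a minimal WordPress admin page that reflects a query
// parameter. Assumes it runs inside WordPress (add_action, add_menu_page,
// esc_attr, esc_html, esc_url, admin_url, sanitize_text_field, wp_unslash).

// Vulnerable shape: the raw $_GET value is written into an attribute and
// into element content. A crafted link to this admin page can therefore
// inject attacker-chosen HTML, which the logged-in admin's browser renders.
function demo_gallery_page_vulnerable() {
    $search = isset($_GET['search']) ? $_GET['search'] : '';
    echo '<h2>Gallery search</h2>';
    echo '<form method="get">';
    echo '<input type="hidden" name="page" value="demo_gallery">';
    // Unescaped attribute value: a double quote in $search closes it.
    echo '<input type="text" name="search" value="' . $search . '">';
    echo '</form>';
    // Unescaped element content: angle brackets become live tags.
    echo '<p>Results for: ' . $search . '</p>';
}

// Hardened shape: normalise the input once, then escape for each output
// context (attribute vs. element content vs. URL) at the point of output.
function demo_gallery_page_hardened() {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags and control characters.
    $search = isset($_GET['search'])
        ? sanitize_text_field(wp_unslash($_GET['search']))
        : '';
    echo '<h2>Gallery search</h2>';
    echo '<form method="get" action="' . esc_url(admin_url('admin.php')) . '">';
    echo '<input type="hidden" name="page" value="demo_gallery">';
    // esc_attr() encodes quotes and angle brackets for an attribute context.
    echo '<input type="text" name="search" value="' . esc_attr($search) . '">';
    echo '</form>';
    // esc_html() encodes for element-content context.
    echo '<p>Results for: ' . esc_html($search) . '</p>';
}

// Register only the hardened page; the vulnerable one is kept for comparison.
add_action('admin_menu', function () {
    add_menu_page(
        'Demo Gallery',            // page title
        'Demo Gallery',            // menu title
        'manage_options',          // capability required to view the page
        'demo_gallery',            // menu slug (constructed for this example)
        'demo_gallery_page_hardened'
    );
});
```

Escaping at output time is the relevant fix here; sanitising the input alone does not cover every context the value may later be written into.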

Web Browser Based Reflective XSS Protection

The ability to exploit the vulnerabilities is also limited by protections in some web browsers designed to block reflective XSS attacks. In a test with an XSS payload that attempts to load a JavaScript file from a third-party website that reads cookies associated with the WordPress based website, we found that the web browsers performed as follows:

We found that both Chrome 15 and Safari 5, whose protection comes from the WebKit rendering engine they share, successfully blocked the attempted XSS.

We found that Internet Explorer 9 only blocked the attempted XSS if you were already logged into WordPress when attempting to access the malicious page. If you were not logged in, you would be asked to log in and then be taken to the malicious page, where the XSS was not blocked. This is because Internet Explorer disables the protection for requests originating from the same website. This is one of a number of weaknesses in Internet Explorer’s protection discussed in the paper Bypassing Internet Explorer’s XSS Filter (PDF).

Firefox doesn’t currently provide any similar functionality, but with the NoScript add-on installed we found the attempted XSS was blocked.

Keep in mind that the web browser protections are not foolproof, and it is possible that XSS attacks could be crafted to evade them.

Testing Security Plugins Against These Vulnerabilities

Now that updates for both plugins have been released, the way to prevent these vulnerabilities is to make sure you are running the latest version, which you should do for any installed plugin. But what about similar vulnerabilities that developers are not yet aware of? The biggest protection you have is that targeted attacks are rather uncommon, so you are unlikely to be exposed to this type of issue. Beyond that, protection comes from being careful when clicking on links and from using a web browser that provides protection against this type of attack.

There are also a number of security plugins for WordPress, some of which specifically claim to protect against XSS. We wanted to see if they would have blocked exploitation of the vulnerability in either plugin. To test this, we crafted an XSS attempt that loads a JavaScript file from a third-party website that reads cookies associated with the WordPress based website. We used Firefox without NoScript so that any protection would come from the plugin and not the browser.

For this test, we tested plugins that did not require signing up for any service. We tested the following plugins:

BulletProof Security
Secure WordPress
Better WP Security
TTC WordPress Security Tool

For all four plugins we found that they provided no protection. This is rather disappointing, as this is just the type of thing they might be useful for. Most times when WordPress based websites are successfully attacked, it is due to outdated software, which keeping software updated would have prevented, or to a hacker gaining access to the underlying files that make up WordPress. In a case where the hacker has access to the underlying files, the plugins cannot prevent access to the files (making files un-writeable is generally not effective, as the hacker generally has the ability to make them writeable again), and the hacker could remove or modify the plugins. They could even modify the software to report that the website is still secure. (You probably won’t find much security software of this type warning about this serious weakness, though it doesn’t appear that many hackers bother doing that, as the software isn’t popular enough to be worth the time it would take.)

Bitcoin’s Comeback: Should Western Union Be Afraid?

The last time we wrote about Bitcoin, in October, the currency’s future looked grim. A series of security incidents had created an avalanche of bad press, which in turn undermined public confidence in the currency. Its value fell by more than 90 percent against the dollar.

arstechnica

We thought Bitcoin’s value would continue to collapse, but so far that hasn’t happened. Instead, after hitting a low of $2, it rose back above $3 in early December, and on Monday it rose above $4 for the first time in two months. It’s impossible to predict where the currency will go next, but at a minimum it looks like the currency will still be around in 2012.

This presents a bit of a puzzle for Bitcoin skeptics. The original run-up in prices could easily be explained as a speculative bubble, and the subsequent decline as the popping of that bubble. But if that were the whole story, then the value of Bitcoins should have continued to decline as more and more people lost confidence in the currency. That hasn’t been happening.

Of course, the value of Bitcoin could resume falling at any time, but the currency’s apparent stability over the last month has inspired us to give it a second look. How can an ephemeral currency without the backing of any large institution be worth $30 million, as the world’s Bitcoins currently are? In the short run, a currency’s value can be pumped up by a speculative bubble, but in the long run it must be backed up by “fundamentals” — properties that make holding it objectively valuable.

Dollars are valuable because they’re the official medium of exchange for the $14 trillion U.S. economy; euros and yen are valuable for similar reasons. Bitcoin boosters have traditionally suggested that Bitcoin is an alternative to these currencies. But we’ll suggest an alternative explanation: that Bitcoin is not so much an alternative currency as a “metacurrency” that allows low-cost and regulation-free transfer of wealth between nations. In other words, Bitcoin’s major competitors aren’t national currencies, but wire-transfer services like Western Union.

Bitcoin is a bad currency


The traditional argument for Bitcoins has positioned the peer-to-peer currency as an alternative to conventional currencies like dollars, euros, and yen. Bitcoin boosters point to two major advantages Bitcoins have over dollars: price stability and lower transaction costs. As we’ll see, neither of these advantages is compelling for ordinary consumers.

The argument from stability mirrors the traditional argument for a gold standard. The dollar has lost about 95 percent of its value over the last century. The Bitcoin protocol is designed to never allow more than 21 million Bitcoins to enter circulation, and supporters argue that this guarantees the currency maintains its value over time.

The obvious problem with this argument is that Bitcoins have lost more than 90 percent of their value in five months. It would be pretty foolish for someone worried about the dollar’s 3 percent inflation rate to put their life savings into a currency with that kind of volatility.

Bitcoin boosters forget that the value of a currency is determined by supply and demand. Demand for dollars is driven by the size of the U.S. economy, which doesn’t change very much from year to year. But the demand for Bitcoins is primarily driven by speculative forces, causing its value to fluctuate wildly.

Another oft-touted benefit of Bitcoin is lower transaction fees. Banks make a tidy profit charging merchants to complete credit- and debit-card transactions, and these fees raise the price consumers pay for goods and services. Fans tout Bitcoin payments as a low-cost alternative to traditional credit card transactions.

But this argument ignores the fact that credit cards provide important benefits in exchange for those transaction fees. If you buy something with a credit card and get ripped off, you can dispute the charge and get your money back. In contrast, Bitcoin transactions are irreversible. If you pay a merchant in Bitcoins and he rips you off (or someone hacks into your computer and makes a fraudulent payment), you’re out of luck.

Of course, third parties may offer Bitcoin-based payment services that offer features such as chargebacks and fraud protection. But such services don’t come free; consumers or merchants would have to pay fees to use them. And there’s no reason to think Bitcoin-based banking services would be any cheaper than traditional ones in the long run.

Paying with Bitcoins also introduces the inconvenience of fluctuating prices. When people buy things with cash or credit cards, their purchases are denominated in the local currency. Dealing in Bitcoins means customers and businesses must regularly convert between dollars and Bitcoins, and must therefore worry about the fluctuating exchange rate between them. That’s a headache few people want.

So Bitcoins are not a compelling alternative to conventional currencies. Although there are a few isolated examples of traditional businesses accepting Bitcoins as payment, these seem to be driven more by the novelty of the concept than by compelling economic or technical advantages.

Bitcoin as a metacurrency

While Bitcoin isn’t a very good currency, it has the potential to serve as a “metacurrency”: a medium of exchange among the world’s currencies. In this role, it has the potential to be a powerful competitor to wire transfer services like Western Union.


The wire transfer industry is much less consumer-friendly than the credit card industry. Wire transfer fees can be much higher than credit card fees, and wire-transfer networks offer much less robust fraud protection services than do credit card networks.

Moreover, the flow of funds across national borders is heavily regulated. Governments monitor the flow of funds in an effort to stop a variety of activities they don’t like. In the U.S., the focus is on terrorism, tax evasion, gambling, and drug trafficking. (Carrying cash across borders in a suitcase invites similar government scrutiny.)

Bitcoin allows wealth to be transferred across international borders without the expense or government scrutiny that comes with traditional wire transfers. An American immigrant wanting to send cash to his family in India needs only to find someone in the United States to trade his dollars for Bitcoins. He can then transfer the Bitcoins to his relatives in India, who then need to find someone willing to take Bitcoins in exchange for rupees.

This decentralized money-transfer process will be much harder for governments to control than a centralized money-transfer company like Western Union. And that will make the world’s governments upset, since the same technology can be used by an American drug dealer to send profits back to his partners in Latin America.

But there may be little governments can do about this. They can attempt to mandate the reporting of Bitcoin transactions, but there’s no obvious way to enforce such a regulation, since Bitcoin transactions are easy to obfuscate. At most, governments could prohibit the conversion of funds between local currencies and Bitcoins, but this will merely push the currency underground, not eliminate it altogether.

If Bitcoin’s value stabilizes, it will also become a way to store wealth beyond the reach of any government. Cash and gold are bulky, hard to move, and subject to confiscation. In contrast, the encrypted credentials of a Bitcoin wallet can be stored securely on a server anywhere in the world. This could make the currency appealing to anyone wanting to place his wealth beyond the reach of the law — a corrupt government official wanting to hide ill-gotten gains, a political dissident who fears his life savings will be taken, or an ordinary citizen worried about the solvency of traditional banks.

Bitcoin’s role as a way to move and store wealth does not depend on Bitcoins being widely used for commerce. For Bitcoin to work as a viable “metacurrency” only requires that there be a liquid market between Bitcoins and national currencies. Such a market already exists for several major currencies.

Chicken and egg

Of course, there’s a circularity to this argument. Bitcoin’s value as a way to move and store wealth depends on the value of Bitcoins being relatively stable against conventional currencies. And the continued value of Bitcoins depends on people finding nonspeculative uses for it. But if the currency continues to retain its value in the coming months (a big if, admittedly) this would be a sign that the chicken-and-egg problem has been solved. And the longer Bitcoins continue to exist, the more confidence people will have in its continued existence.

Western Union moved $70 billion across borders in 2010, earning about $1 billion in profits. There’s no Bitcoin Inc. to compete directly with Western Union, but the owners of Bitcoins can be thought of as shareholders in a decentralized Western Union alternative. If the Bitcoin network captures a small fraction of Western Union’s money-transfer business, the currency’s current “market capitalization” of around $30 million could wind up looking downright puny.

Photo: ZCopley/Flickr, Graph via bitcoincharts.com