2.12.16

900,000 Germans knocked offline, as critical router flaw exploited

As many as 900,000 Deutsche Telekom customers were knocked offline on Sunday and Monday as an attempt was made to hijack broadband routers into a botnet.
Malicious hackers are compromising vulnerable Zyxel and Speedport routers and enlisting them into a botnet, which they can then command to launch huge denial-of-service attacks against websites. The attack exploits a vulnerability in the TR-069 and TR-064 protocols, which ISPs use to manage hundreds of thousands of internet devices remotely.
In this particular case, an attack was able to fool the vulnerable routers into downloading and executing malicious code, with the intention of crashing or exploiting them. Compromised routers could then be commanded to change their DNS settings, steal Wi-Fi credentials, or bombard websites with unwanted traffic.
As the SANS Internet Storm Center describes, Deutsche Telekom customers would be wise to ensure that their routers are patched with a newly-released firmware update:
Affected users are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.
More details (in German) of the patch are available on Deutsche Telekom’s website and in the following YouTube video:
According to a statement issued by Germany’s BSI, the attack on the vulnerable routers also attempted to disrupt government systems but failed due to preventative measures.
Meanwhile, customers of Ireland’s biggest telecoms provider, Eir, were experiencing problems accessing the internet via their ZyXEL-built Eir D-1000 broadband routers mere days after a security researcher published proof-of-concept code demonstrating how they could be easily hijacked remotely by a malicious attacker.
Researchers at Fox IT have pinned the blame for the attack against Eir customers on an updated version of the Mirai botnet, which recently launched a massive IoT-powered attack against the website of security blogger Brian Krebs and knocked major websites offline after similarly assaulting DNS service Dyn.
Germany, Ireland… I think it would be no surprise at all to hear that there are broadband routers being used in other parts of the world which are similarly prone to hijacking via similar or the same flaws.
Obviously it’s important that the vulnerable devices either get patched or replaced as soon as possible, but there are surely more mitigations that ISPs can put in place to make future attacks harder to accomplish?
For instance, if ISPs want the functionality to remotely manage customers’ routers surely it would be sensible to only allow connections from the ISP’s own managed network – and not from anyone on the internet, wherever in the world they might be.
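One way to express the allow-list mitigation suggested above, as an added example that is not part of the original article: an ISP-side check that accepts inbound TR-069-style management connections (TCP 7547, the protocol's default port) only when they originate from the ISP's own management prefixes. The prefixes and the log lines it is run over are constructed placeholders.

```python
"""Allow-list check for inbound router-management (TR-069/TR-064) connections.

Added example, not from the original article. Assumes the ISP knows its own
management prefixes (the CIDRs below are constructed placeholders) and that
management listens on TCP 7547, the TR-069 default. Log lines are constructed.
"""
import ipaddress
import re

# Constructed placeholders for the ISP's management network; replace in practice.
ISP_MANAGEMENT_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:ac5::/48"),
]
MANAGEMENT_PORTS = {7547}  # TR-069 (CWMP) default port

# Constructed sample lines in a syslog-like "src=... dst_port=..." format.
SAMPLE_LOG = """\
Nov 27 14:02:11 cpe conn: src=198.51.100.17 dst_port=7547 proto=tcp
Nov 27 14:02:15 cpe conn: src=203.0.113.45 dst_port=7547 proto=tcp
Nov 27 14:02:19 cpe conn: src=2001:db8:ac5::10 dst_port=7547 proto=tcp
Nov 27 14:02:23 cpe conn: src=192.0.2.99 dst_port=443 proto=tcp
"""

LINE_RE = re.compile(r"src=(?P<src>[0-9a-fA-F:.]+)\s+dst_port=(?P<port>\d+)")


def is_management_source(src: str) -> bool:
    """True when src falls inside one of the ISP's management prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in ISP_MANAGEMENT_PREFIXES)


def decide(line: str) -> str:
    """Return 'allow', 'drop' or 'ignore' for one connection-log line.

    Only management-port connections are policed; everything else is
    ignored so ordinary customer traffic is untouched by this rule.
    """
    m = LINE_RE.search(line)
    if not m or int(m.group("port")) not in MANAGEMENT_PORTS:
        return "ignore"
    return "allow" if is_management_source(m.group("src")) else "drop"


def audit(log: str) -> list:
    """Apply decide() to every parseable line; returns (src, verdict) pairs."""
    return [(m.group("src"), decide(line))
            for line in log.splitlines()
            if (m := LINE_RE.search(line))]
```

Running `audit(SAMPLE_LOG)` drops the one management attempt from outside the ISP's prefixes and leaves the unrelated port-443 connection alone.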


26,500 National Lottery accounts accessed by cybercriminals
Around 26,500 National Lottery players in the UK have had their online accounts accessed by cybercriminals, operator Camelot has revealed.
The operator was first alerted to a security incident on November 28th, during routine online security monitoring.
Camelot believes that its own systems were not compromised, stating that it is of the opinion that usernames and passwords had been stolen elsewhere.
“We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited,” it added.
“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”
Camelot has since suspended the victims’ accounts and initiated a compulsory password reset.
Those affected have been alerted by email. One player, Nigel McKee, took to Twitter to ask National Lottery whether the email was genuine, which the company later confirmed.
The email stated: “We regret to inform you that your account has been subject to an unauthorized login.
“However, please be assured that we don’t hold full bank account details… and no money has been deposited or withdrawn from your account”.
Other players reacted in anger on Twitter after being alerted that their accounts had been compromised, with one user, Richard C, writing: “My account has been potentially breached. Not good at all.”
The Information Commissioner’s Office in the UK released a statement confirming that they are investigating the incident after being alerted by Camelot:
“We are aware of this incident and we have launched an investigation,” a spokesperson commented.
“The Data Protection Act requires organizations to do all they can to keep personal data secure – that includes protecting it from cyberattacks. Where we find this has not happened, we can take action.”
It added that it is seeking to talk to Camelot about the incident, to establish the facts around this data breach.
“We’d like to reassure our customers that protecting their personal data is of the utmost importance to us,” Camelot said.


30.11.16

Cryptography: How something nerdy went mainstream

Cryptography is one of the fundamental aspects of information security. It is used to encrypt or encode messages so that their content cannot be read or modified by an unauthorized third party. In this way, it helps information to meet the three key requirements for being secure: confidentiality, integrity, and availability.
Cryptography plays a part in most of our daily activities. Think, for example, of sending an email – if the email provider did not use encryption techniques, the content might be intercepted and read by unknown people.
Let’s take another example, such as a message sent via WhatsApp. This app, as with many others, uses encryption. In fact, the implementation of end-to-end encryption was completed in 2016, which now means that only the sender and receiver may read the communication.
As its co-founders noted in April: “No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.”
Although this method may seem to be new, the concept is literally over one thousand years old. Do you know how a hieroglyphic was read for the first time? By using the Rosetta Stone, a piece of stone containing the script of a decree issued by an Egyptian emperor in his own language and in Greek; since the latter was a commonly known language, it served as a key for deciphering the Egyptian text. This is the reason it was considered a milestone in the history of civilization, language and encryption. However, as you may also imagine, it was not the only one.
Encryption is popular in its own way today. It is a technique that dates back not only to the history of civilization, but also to spies and security agencies, among others. With this in mind, in this article we would like to tell you about three cases in which encryption features as a “key” in the film industry.
#1 The Imitation Game
This 2014 film tells the story of Alan Turing, the pioneering 20th century British mathematician and logician who was instrumental in developing computer science. In the UK, the security services hired him for a significant mission: to work out how the Enigma machine worked, so that they could understand the encoded message system used by the Nazis.
We then see how Turing assembled a team of mathematicians and cryptologists to analyze the machine, something totally mysterious to the Allies. After much work, and some luck, Turing and his colleagues work out how the machine works and manage to read the intercepted German communications. The rest is history; Turing’s work became immortal for being key to diverting the German advance, and helped the Allies to win the Second World War.
#2 Zodiac
Zodiac is a 2007 mystery-thriller by David Fincher, based on the story of a notorious serial killer in the US, known as the Zodiac Killer (as he called himself). The killer was mostly active during the 1960s and 1970s around San Francisco, California, but it was not until his second murder that he became well-known.
Zodiac was fame hungry and he courted the press. To begin with, he sent a letter to the main newspapers in San Francisco, introducing himself and leaving an encrypted message without further reference. As if it was a game, the killer explained that the encrypted messages had been sent from different locations and to different media outlets, and that they revealed his identity. He also demanded the publication of the messages on the front pages of the newspapers; otherwise, he would kill more people.
In the years after this original letter, the Zodiac Killer continued to taunt the authorities by sending letters and encrypted messages. Although a thorough investigation was carried out, the killer was never found. Today, the case remains one of the most popular unsolved crimes in the US.
#3 The Da Vinci Code
The Da Vinci Code, based on Dan Brown’s novel of the same name, was one of the most anticipated films of 2006, mainly due to the popularity of the book: it sold more than 80 million copies and was translated into 44 languages. The important thing for us is that the story is about Robert Langdon, professor of religious iconology and symbology, who becomes involved in solving a crime in the Louvre Museum.
To get to the heart of the issue, Langdon must decipher the messages and riddles left to move on to the next clue that will take him closer to the identity of the murderer. However, what he does not know is that in fact his search will take him near the location of one of the biggest mysteries (or legends) in history: the Holy Grail.
Throughout the film, we can see how the professor uses his knowledge of semiotics to decipher the multiple riddles. The most thrilling scene is probably when he finds a Cryptex, the quintessential encryption item, created based on Leonardo Da Vinci’s designs.
As you can see, the concept of encryption has been used in many interesting ways throughout history, and also in the world of fiction. These three movies are some of many examples that have contributed to increasing the visibility and popularity of encryption, which used to be reserved for only a few but today, in the digital age, is key to protecting our information as users in an interconnected world.