CTO Security Report

Anonymous (Photo credit: Schuilr)

3 Million Iranian Bank Accounts Disclosed

Anonymous (Photo credit: Schuilr)

3 Million Iranian Bank Accounts Disclosed

Iranian ATM’s are dispensing PIN and Password changes instead of money this week following the public disclosure of three million bank account details by an Iranian security researcher. While the disclosure of these accounts is unfortunate, what is more troubling is the process that led to this disclosure. A year ago Khosrow Zarefarid warned the CEO’s of the banks in Iran that a banking flaw could expose their customers. Even after submitting accounts found using the technique he warned them about, he received no response. Seeing no other course of action, the researcher disclosed the accounts in a bid to bring the situation to light. Such “grey-hat” actions often happen when security is not taken seriously at organizations such as banks, and the ensuing fiasco could have easily been avoided with proper communication and effort on behalf of Iranian banks.

F1 Racing Sites Attacked by Anonymous

Elements of the Anonymous collective are currently targeting F1 racing Federation websites in an effort to disrupt and publicise a campaign against the F1 race being held in Bahrain. This effort comes as the F1 race is being held in Bahrain despite well-documented human rights abuses in that country. At the time of writing, f1-racers.net had been defaced and elements within Anonymous were still planning to increase the level of disruption. The Formula One federation is aware of the attempts by Anonymous to disrupt its activities.

Defaced Site: http://f1-racers.net/

Anonymous Starts Their Own Pastebin Lookalike

Fed up with Pastebin’s promises to moderate and censor posts containing sensitive information such as passwords, bank accounts, and addresses, Anonymous members have struck out on their own. The result is a pastebin clone which is hosted by an organization sympathetic to Anonymous, the People’s Liberation Front. This new paste site does not have information on what is contained in the paste because every paste is encrypted with AES 256 and requires a symmetric key to decrypt inside of the browser. This key is contained with the URL generated for the post when it is uploaded to the server. The advantage is that posts cannot be read by the hosting provider, since they have stated that they disable all connection logging. Expect to see more members of Anonymous to switch to this new service, which will make Anonymous movements somewhat harder to track — you need to have the URL with the key in order to read the paste, and cannot track trending posts with the service.

15 Year old Boy Hacks >250 Companies

A 15-year-old Austrian boy was discovered to be the culpit behind the web-based attacks on the web presences of over 250 companies. The boy, using attack software, techniques, and anonymization services and programs he found on the internet, mounted a successful campaign in order to win the favor and attention of his hacker peers and garner points on a hacker scoreboard. Within a short period of time the young hacker was attacking as much as 3 websites a day on average. With website/web service security being rather lax in most organizations and applications the news of the age of the attacker is perhaps more of a surprise than the number of targets he successfully breached.

New Android Hacking Concept Emerges

A side-channel attack on login PINs utilizing the gyroscopic sensors inside of Android phones has been developed by security researchers. The attack analyses the slight movements and shifts of the phone as its screen is pressed in order to determine where on the screen the user has pressed. The application runs in the backround and waits for the user to input their pin and unlock the phone for use and does not require any permissions in order to run due to the way sensor permissions are granted in Android platforms.

This attack is unlikely to be very lucrative for normal attackers though — it requires that the user play a game in order for the application to learn how the specific user holds and uses the specific type of phone on which it runs. The payoff could be significant though: Besides being able to sniff PIN logins to the phone, the application can sniff phonepad entries and possibly steal credit card numbers and phone numbers through this method.

Encryption for Google Docs from Cipherdocs

One of the drawbacks to using the Google cloud of internet applications is the lack of proper document confidentiality. Sure, the service lets you grant or revoke permissions to different users via their email address, but what if that user’s email is compromised? What if Google Docs were compromised in some way? Your documents would be open for all to see. A new startup has been bootstrapped with a way to fill this security gap — Cipherdocs.

Cipherdocs has created a plugin for the popular internet browser Mozilla Firefox which allows users to have encryption on-the-fly for Google documents. It even has a keyring available for using Encrypted Google Docs across multiple computers, and only requires that Java be installed along with the Firefox browser and the plugin itself. It is currently free and can be downloaded from http://www.cipherdocs.com/