Zero Day Weekly: ICANN hacked, critical GitHub vuln, too much Sony drama
This week a critical GitHub vuln was found, ICANN was hacked, International Business Times was hacked by the SEA, Microsoft's update blunders continued, a new Boleto malware family was discovered, the Sony drama reached the heights of hysteria, and more. Updated with FBI announcement on the Sony hack attribution, and reactions.
If you use #Git on Windows or OS X, patch your client NOW! Critical code execution vulnerability. http://t.co/Kdzu3sUFbB
-- Sven Slootweg (@joepie91) December 18, 2014
- A critical GitHub vulnerability was found, and you're urged to update your clients immediately. GitHub told ZDNet, "I'd like to clarify that the vulnerability is in Git itself, and because it is client-side only, github.com and GitHub Enterprise are not vulnerable. More details in our blog." Git just announced version 2.2.1, a maintenance release that includes a security fix for a critical vulnerability that affects those using Windows and Mac OS X Git clients. This update also includes new releases with the same security fix for older Git versions. GitHub confirmed that GitHub for Windows and GitHub for Mac are both affected and should be updated immediately.
- ICANN hacked: The Internet Corporation for Assigned Names and Numbers (ICANN) announced Tuesday that they have fallen victim to a phishing attack which resulted in the attackers gaining administrative access to some of ICANN's systems, including its Centralized Zone Data Service (CZDS). ICANN believes that the attack was committed in late November using emails sent to staff members that were designed to look like they came from within ICANN. As a result of the attack, the email credentials of several ICANN staff members were compromised. Those credentials were then used to compromise other ICANN systems, including the CZDS.
- News outlet International Business Times was hacked by the Syrian Electronic Army Wednesday. The Syrian Electronic Army, a collective of pro-Assad hackers who have made a name for themselves by claiming the scalps of various media organisations in the last couple of years, apparently took offence to an IBT news article entitled "The Syrian Army Is Shrinking, And Assad Is Running Out Of Soldiers."
- Pirate Bay Tango Down: Last week, the once-dominant torrent search website The Pirate Bay was seized and shut down when law enforcement officers raided a data center in Sweden, confiscating backbone equipment and servers. Speaking to TorrentFreak, The Pirate Bay's crew said there were no direct plans to resurrect the website. Earlier this week, Swedish government emails were hacked in retaliation over the Pirate Bay seizure.
- Microsoft update blunders seem to be spiraling out of control. The last several months have seen a disturbing string of problems in updates released for Microsoft products. Last week we saw four. It's time to worry about what's behind it all.
- RSA detailed a new Boleto malware family this week. The "Onyx" family has strayed from the original "Eupuds" family primarily in the way it infects victims' browsers, according to an RSA report. While Eupuds injects malicious code into various web browsers' memory during runtime, Onyx alters its attack depending on the browser.
- Snapchat's CEO felt 'violated' by Sony hacks. To the amusement of some -- but not to the 4.5 million users exploited thanks to Snapchat's negligent user security practices -- correspondence between Sony and Snapchat's CEO was published online. The Snapchat CEO went public to press and Twitter about feeling violated by hackers, with victims of the Snapchat hacks calling his hypocrisy into full view. The leaked communication revealed much about Snapchat's acquisitions and business plans. Meanwhile, security researchers continue to publish Snapchat security issues online, though they are apparently not Snapchat priorities.
Accidentally reversed parts of the latest @SnapChat iOS tonight with @dtsbourg. Snaps are still "encrypted" with hardcoded string in binary.
-- Frederic Jacobs (@FredericJacobs) December 16, 2014
It was also really easy to determine that @michaelduong is building the App Store releases of @Snapchat iOS. Hackers know who to target.
-- Frederic Jacobs (@FredericJacobs) December 17, 2014
Snapchat loads pinned certificates ( https://t.co/ZCTtMVFgSo) but doesn't seem to validate them. I could MITM. #fail pic.twitter.com/uFLXDHdQOw
-- Frederic Jacobs (@FredericJacobs) December 17, 2014
- Google has updated its End-To-End encryption project, incorporating several post-Snowden contributions from Yahoo's chief security officer, Alex Stamos.
- A built-in backdoor was found in millions of Chinese Android smartphones. A popular Android smartphone sold primarily in China and Taiwan, but also available worldwide, contains the "CoolReaper" backdoor from the manufacturer, which is being used to push pop-up advertisements and install apps without users' consent. The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor's control system.
- Ars Technica announced it was hacked on Wednesday. In a very concise, up-front and open post about the incident, Ars explained that it had been infiltrated and while the situation had been resolved, Ars urged its comment community to change their passwords as a matter of personal security.
Sony hack week in review: Much drama
The week began with Sony threatening news outlets and bloggers, demanding that they destroy any leaked Sony documents and not publish any of them, accompanied by a misinformed op-ed by Aaron Sorkin, best described as mansplaining the hack. Both aggressions caused reporters and news outlets to double down on the story. Sony also sent its teams in to remove users and threads on Reddit about the leaked trove, resulting in a faster takedown than with the leaked celebrity nudes (angering the Reddit community), causing some to wonder if Sony's so-called 'Diamond Lane' for fast takedown access, also discovered in the leaks, had come to pass.
#PT Archived: https://t.co/Qj6oPrb20r Expect "Diamond Lane" Del. @Jaliotea @Cyber_War_News @MichaelKelleyBI @tomgara pic.twitter.com/VTKQ3EF0Es
-- Mr. Green (@Mario_Greenly) December 16, 2014
Also Monday, Sony sent out letters to employees outlining the full scope of data that was compromised by attackers shortly before the Thanksgiving holiday, including medical records -- weeks after the hack was first reported. By Thursday no less than three lawsuits were filed against Sony by current and former employees, and many expect this is just the beginning.
Reporters continue to go through the leaks, and it's no wonder Sony doesn't want anyone to report on what they're finding. Emails revealed more racism, and worse. Thursday Techdirt caught The MPAA's Secret Plan To Reinterpret The DMCA Into A Vast Censorship Machine That Breaks The Core Workings Of The Internet with DNS blocking. Further Sony emails revealed collusion between the MPAA and US Attorneys General to target Google and essentially revive SOPA in a campaign called "Project Goliath." Google's legal team struck back with a very angry post Thursday night.
Meanwhile, press played a bizarre he-said, she-said game of fingering North Korea as the perpetrator, which came to a climax when a Pastebin allegedly by Guardians of Peace suggested a terrorist attack on movie theaters if Sony's no-one-heard-of-it-until-now, previously doomed to flop film about killing North Korea's Great Leader wasn't pulled.
The paste was so different from the rest of the hacker group's communication in every way that it caused many following and reporting on the story to question its veracity, or to discuss the possibility that it was a false flag.
@Cyber_War_News Anyone else think that Sony probably made the terrorist threats to give themselves a way out without seeming to submit?
-- Digital Prisoner (@ndroidFTW) December 18, 2014
Sony pulled the film from theaters, getting more attention for the film than anything, and causing the majority of people who weren't following the nuances of the situation to declare the 'terrorist hackers' had won -- while the greater security communities watched in disbelief wondering if everyone had lost their minds. Spoiler alert: they had.
The threat became a convenient foil for Sony's worsening headlines, and has been re-reported to extremes, fanning flames of terrorist attack hysteria from Hollywood to Fox News, to the US Government. As media attention shifted to the alleged threat, the White House decided that the Sony hack was now a 'serious national security matter'. Despite the lack of credible evidence that North Korea is behind the attack, and the FBI saying there's nothing linking North Korea to the Sony hack, many now believe it to be true, helped along by outlets like the Washington Post stating that "intelligence officials" believe with "99% certainty it's gotta be North Korea."
The whole thing turned into even more of a three-ring circus Wednesday when the New York Times and other outlets announced that an 'unnamed source' at the White House said it was North Korea, followed by a named source from the White House Thursday morning saying the White House refused to confirm North Korea as the culprit.
By Thursday, the number of respected infosec professionals, researchers and hackers calling the North Korea theory out as BS was truly a news story unto itself. Sony's poor reaction to everything about this attack isn't escaping seasoned infosec industry members. One called it "beyond the realm of the stupid."
While everyone was distracted, more Sony email communication leaks surfaced showing that Sony's North Korea film was made in communication with and received the 'blessing' of the US State Department.
One thing is for sure: The evidence had better be credible and believable, because there are a lot of expert eyes on this. In my opinion, the 'who' isn't the most interesting unanswered question. It's the 'how' -- just how did they exfiltrate that gigantic dump? And of course, the 'why' of it: what aren't we seeing? And I really hope someone writes up an opsec think-piece about all this, because the operational security practices of these attackers are already seeming like the stuff of legends.
Damn, the Feeb's evidence for DPRK involvement is total weak sauce. Nothing new at all. :-( http://t.co/ruFrFifLDB
-- the grugq (@thegrugq) December 19, 2014
Update: The US FBI has officially announced that it believes North Korea to be responsible for the attack on Sony Pictures Entertainment. The FBI has not provided evidence to satisfy infosec critics, and simultaneously the Department of Homeland Security has declared what amounts to a war on hackers.
Important reactions to this development:
- goodbye horses (seclists.org)
- Questions remain after FBI charges North Korea with attack on Sony Pictures (CSO Online/Salted Hash)
FBI's #Sony statement sure to leave many #infosec ppl wondering how/why it came to #NorthKorea conclusion so quickly: http://t.co/N0hTgXilra
-- Sara Sorcher (@SaraSorcher) December 19, 2014