
Monday, August 15, 2016

Data Compromise: The Next Chapter

Updated: The Equation Group hack has been verified.

It seems the Oracle MICROS malware insertion hack went a bit deeper and had a suspicious purpose. Several hotels in the US run by HEI Hotels and Resorts, which use the MICROS point-of-sale and hospitality software, have been breached. This means the credit card info for lots of people has been compromised. The list of dates affected by the breach indicates that the MICROS hack went in as early as March, 2015!

It is curious that the Westin City Center in Washington D.C. was included in the list, and was compromised for more than 9 months following September, 2015. This amounts to total operational awareness for whoever is running the breach. Let's admit it: if you wanted to know what is happening in US politics, what better way than to own the comings and goings in Washington D.C.? I suspect the FSB, the entity that has replaced the infamous Russian KGB.

I doubt we have seen a complete list of breaches with MICROS. If you are an IT person, visit Krebs on Security for a good list of IOCs (indicators of compromise). If you use MICROS, then change your passwords immediately.

Recently we saw the DCCC hack and the doxxing of a large part of Congress on Guccifer 2.0's site.

This, once again, speaks of a state actor attempting to disrupt American politics.

But there are still a few hacks that can't be assigned easily to state actors. The recent data breach of Sage software, based in the UK, used for accounts and payroll processing, indicates that hackers are still largely following the money.

My sense is that data compromise is perpetrated on an agenda rather than simply because "people have the right to know", the tired axiom used by the media to depict crusading whistleblowers.

More often than not we are seeing criminals looking for ways to pry money out of rich people. Or directly from banking systems. But that might simply be a cover for state actors, who are building a database much deeper than Google's. And for much darker purposes.

And Now For Something Completely Disastrous

In today's news is another story that strongly correlates to the awful scenario in which the NSA's reputed-to-exist Equation Group has been hacked. This group is responsible for Stuxnet, Duqu, Gauss, and other famous modular virus architectures used to hack, among other victims, the Iranian uranium centrifuges.

This story is developing as I write, but an analysis of the example data provided by the hackers, the Shadow Brokers, by Matt Suiche appears to confirm the hack. Just read that source to see how desperate the situation is.

Here is an example of a state actor being hacked. My fears for the Gauss modular virus architecture used to be that it would get reverse engineered and modified by less scrupulous hackers. Now my fears are that essentially every hacker will possess this toolkit. Some eastern European hacking consortium will productize it, make it easy to use, and disseminate it for bitcoins. It's a virtual Pandora's Box.

Update: The Equation Group hack appears to heavily utilize RC5 and RC6 encryption. Comparison of the code by Kaspersky's GReAT team shows it matches the Equation Group's signature. It's all wrapped up in the magical P and Q constants used by Rivest's RC5/6.
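The attribution above rests on code matching, and RC5/RC6 are convenient for that because their key schedules embed two fixed "magic" constants derived from e and the golden ratio. The following is an added illustrative example, not Kaspersky's tooling or anything from the leaked material: it derives P_w and Q_w for any word size the way Rivest defines them, builds the initial RC6 S[] table a key-schedule routine would contain, and scans a constructed byte blob for the constants as a lightweight signature check. The sample blob is made up here; real firmware or binaries would be the input.

```python
from decimal import Decimal, getcontext
import struct

getcontext().prec = 60  # plenty for 64-bit word sizes


def _odd(x: Decimal) -> int:
    """Nearest odd integer to a positive x (Rivest's Odd() from the RC5/RC6 papers)."""
    n = int(x)  # truncates toward zero
    return n if n % 2 == 1 else n + 1


def _euler_e() -> Decimal:
    """e via its Taylor series; 69 terms is far more than 60 digits needs."""
    total, term = Decimal(0), Decimal(1)
    for k in range(1, 70):
        total += term
        term /= k
    return total


def rc_magic_constants(w: int) -> tuple[int, int]:
    """P_w = Odd((e - 2) * 2^w), Q_w = Odd((phi - 1) * 2^w) for a w-bit word."""
    e = _euler_e()
    phi = (1 + Decimal(5).sqrt()) / 2
    scale = Decimal(2) ** w
    return _odd((e - 2) * scale), _odd((phi - 1) * scale)


def rc6_initial_table(w: int = 32, r: int = 20) -> list[int]:
    """S[] before key mixing: S[0] = P, S[i] = S[i-1] + Q mod 2^w.
    RC6 uses 2r + 4 words; a compiled key schedule either embeds this
    table or the P/Q pair that generates it."""
    p, q = rc_magic_constants(w)
    mask = (1 << w) - 1
    s = [p]
    for _ in range(1, 2 * r + 4):
        s.append((s[-1] + q) & mask)
    return s


def find_rc_constants(blob: bytes) -> list[tuple[int, str]]:
    """Offsets of P/Q for 32- and 64-bit words in both byte orders.
    A hit is a triage signal only: every RC5/RC6 implementation, benign
    or not, carries these constants, so it narrows a search for matching
    code rather than proving authorship."""
    hits = []
    for w, fmt in ((32, "I"), (64, "Q")):
        p, q = rc_magic_constants(w)
        for name, value in (("P", p), ("Q", q)):
            for endian, tag in (("<", "le"), (">", "be")):
                needle = struct.pack(endian + fmt, value)
                start = 0
                while (idx := blob.find(needle, start)) != -1:
                    hits.append((idx, f"{name}{w}_{tag}"))
                    start = idx + 1
    return sorted(hits)


# Constructed sample: filler bytes with the 32-bit constants embedded
# little-endian, as an x86 compiler would emit them in a key-schedule routine.
SAMPLE_BLOB = (
    b"\x90" * 16
    + struct.pack("<I", 0xB7E15163)
    + b"\xcc" * 8
    + struct.pack("<I", 0x9E3779B9)
    + b"\x00" * 16
)

if __name__ == "__main__":
    p32, q32 = rc_magic_constants(32)
    print(f"P32=0x{p32:08X} Q32=0x{q32:08X}")
    p64, q64 = rc_magic_constants(64)
    print(f"P64=0x{p64:016X} Q64=0x{q64:016X}")
    for off, tag in find_rc_constants(SAMPLE_BLOB):
        print(f"offset {off:#06x}: {tag}")
```

Deriving the constants rather than hard-coding them makes the scanner word-size agnostic (16-, 32- and 64-bit RC5/RC6 variants all come out of the same two formulas), and the endianness tags tell an analyst which architecture the matching routine was compiled for.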

Tuesday, August 9, 2016

Big Time Infosec Issue!

Updated: five more point-of-sale systems breached. More info on how long the breach existed. And yet more info on where the compromises might have hit you. More identity information for Carbanak.

Did you ever get a message in an email that says: "We're letting you know your card may have been part of a compromise at an undisclosed merchant."? And not to worry because "We're Issuing You a New Card To Help Keep Your Information Safe". In title case, no less (thanks, Daring Fireball, for that link).

Apparently the time has come when data compromise becomes huge. Anybody who watches Mr. Robot probably knows that credit card hacking is a serious issue, and can get much more serious. We keep closing insecure points as they are discovered, of course. But, it seems, there are still plenty of ways to get into our credit card data stream.

One such way is through the Oracle MICROS system that handles point-of-sale transactions with credit cards (specifically at restaurants, delis, and hospitality points of sale). Apparently it is possible to rootkit these transaction processors, take control of them, and capture your name, credit card number, and secret code as it goes by. And, of course, send that data to the identity thieves.

Update: five more systems are reported by Forbes to be hacked, possibly by the same Russian cybercrime gang. These are UK-based Cin7, ECRS, Bankcard Services' Navy Zebra, PAR Technology, and Uniwell.

What Happened?

According to Krebs on Security, malware was placed on some internal Oracle server at their retail division. They thought it was just a small number of systems until they upgraded their security software to a new version. And at that point, they realized more than 700 systems were compromised! From there, it spread into the MICROS point-of-sale processors that accept your credit card and verify little things like that little gold chip on it. That was supposed to make the credit card SO much more secure.

The bottom line for us, the customers, is that the breach was detected only on July 25, 2016. And here's the catch: they don't really know how long it's even been active. Could be months.

Update: Bad news! There is info from HEI hotels that the breach might have existed since March, 2015.

Who Did It?

This is a very sophisticated hack. This was no script kiddie.

Apparently the Carbanak cybergang is responsible. According to Kaspersky, they stole $1B by attacking bank system intranets in an advanced persistent threat (APT) campaign culminating last February. This gang is a big time threat, and we have stumbled onto one more page in their playbook.

It gets even more interesting. Carbanak is connected to a Mr. Tverinov, as reported by Krebs, and supported by the sleuthing of Ron Guilmette. Artim Tverinov is CEO of InfoKube, a Russian security firm that builds the LioN anti-virus application. A Trojan horse?

It's not rocket science - Krebs, while communicating with the shadowy Mr. Tverinov through the Vkontakte Russian social-media site, literally eye-witnessed Tverinov's Vkontakte page get deleted! This was followed by a direct-email denial of any and all wrongdoing.

Supposedly Russia arrested 50 alleged members of the Carbanak cybercrime gang on June 1, 2016. Kaspersky Lab helped to identify the hackers charged, but Tverinov wasn't among them.

It also seems that Carbanak was using a C&C server that is tied to the FSB (the successor of the KGB). This is according to Security Affairs.

Update: Carbanak is sometimes also known as Anunak.

Where Was I Most Likely Compromised?

This would have occurred at a chain restaurant, or perhaps an independent restaurant that has adopted modern point-of-sale technology. And you would have used your credit card to pay. Unfortunately, this is not too unlikely a scenario, is it?

You might have seen a colorful point-of-sale display on a tablet or monitor (like this one) at a restaurant, hotel, deli, charcuterie, or even a burger chain.

Update: Forbes, in the same article as the above update, reports that your credit card might have been compromised at Donald Trump's Hotel group, Hyatt, Kimpton, or one of 1000 Wendy's restaurants. Also consult the list of hotels in the HEI list.

The Big Android Hack

Qualcomm GPUs and kernel modules are vulnerable to being rootkit'ed. This involves a huge number (900 million) of Android devices. They are called the QuadRooter vulnerabilities, as explained by security researcher Adam Donenfeld in his blog post. This affects the Samsung Galaxy 7, the most popular Android device.

On another note, the Blackberry DTEK 50, "the most secure smartphone in the world" utilizes a Qualcomm 8992 Snapdragon 808 Hexa-Core, 64 bit with Adreno 418, 600MHz GPU. And so it is also vulnerable to four of the flaws.

Sunday, July 24, 2016

State Actors Up The Ante?

One of the fastest changing landscapes on the planet isn't even a tangible one. It's more of a concept: security. Before we go on, for dear readers confused by modern hacker security terms, check out Kaspersky.

I'm a proponent of good encryption. The reason is simple: everybody needs security. You need to keep your banking passwords secure. You don't want malicious actors (trolls) taking over your Facebook account and somehow ruining your life.

You especially don't want anyone to rootkit your computers! Once that's done, they can steal your identity, install malware for collecting passwords and account names, and so forth. Now go to the next level: your computer might then be used as part of a DDoS attack against Homeland Security. Your computer could wind up as the storage location for the malicious actors' illegal data ... without your knowledge. You become their fall guy.

Yes, there are plenty of good reasons for all of us to keep our passwords safe and distinct.

But encryption is not all black and white, is it? And that's the rub. Enter the relativistic observer, to tell you some of the latest. Things are changing too fast to blink, after all.

It's long been known that people outside the law use the Dark Web to organize, proliferate, distribute, and communicate. And the Dark Web is run using the Tor network. Tor, short for The Onion Router, is a volunteer network of servers running special protocols that relay your browsing traffic and other data through virtual tunnels.

To be fair, the Tor project has lofty goals. And gets used by "family & friends, businesses, activists, media, and military & Law Enforcement", according to their web site. The US Navy uses Tor for open source intelligence gathering, for instance. The EFF suggests using Tor for maintaining secure correspondence and keeping our civil liberties intact.

For people operating outside the law, the Tor network also maintains their OpSec. The Dark Net is called this because the communication within it has "gone dark". Surveillance doesn't work there.

The Tor network and the Dark Web must be a real pain to law enforcement. Given enough desperation, it might be something they would seek to infiltrate.

So what law enforcement would do is this: create their own honeypot counterfeit Tor server (or relay). But put in their own undetectable flavor of malware. Then they can watch the criminals' Dark Net traffic. And watch the crime happening. Collect the privileged conversations.

These really exist, as doctored Tor relays. There are over 100 malicious relays that have been detected. And who could they be? My guess is state actors like the US, China and Russia. If not them, then who? The criminals themselves? This is a game of spy vs. spy, updated for the 21st century. Could the FBI be doing this? Their arrest of child pornography criminals in January 2016 was supposedly accomplished by cracking Tor.

There is a question as to how invasive such investigations should be allowed to be. I'm not saying that the FBI shouldn't go after child pornographers; they totally should. I just think that *everybody* is too broad a target for law enforcement. Privacy is a basic human right.