16 Kasım 2012 Cuma

How the FBI might've been owned (12M Apple records)

To contact us Click HERE
In recent news, hackers claimed to have stolen 12 million Apple device records from an FBI agent's laptop. I thought I'd post some comments.

The bug they claimed to have used isn't the current Java 0day, but a previous 0day. That Java 0day was being actively exploited in March 2012, as described in this MS TechNet article on CVE-2012-0507. The hackers claimed to have done this hack "during the second week of March 2012", which fits this timeline.

This was soon after the February 3 2012 release of an intercepted FBI conference call. This was a conference call of about 40 law enforcement agents from various parts of the world. Hackers were able to listen into the conference call because they somehow were able to intercept the e-mail message sent to all the agents listing the time and code to get in.

This e-mail was also published. That e-mail was sent directly to all 40 agents in the "To:" field (rather than "Bcc:"), which means their e-mail addresses were all exposed. That means every hacker on the Internet now has a list of the 40 officers in charge of hunting down LulzSec. The e-mail address of Chris Stangl (the guy whose notebook was hacked) is among those 40.

The obvious attack is for hackers to is to phish all 40 of those e-mail addresses. The phishing message would appear to come from the same sender, and simply point to a website hosting a Java app with that exploit. It might look like:
From: "Lauster, Timothy F. Jr."<Timothy.Lauster@ic.fbi.gov>Subject: Interception of Anon/Lulz Conference CallAll,Our conference call of January 27 was intercepted by hackersassociated with LulzSec. An audio recording was posted to theInternet. More details can be found here:http://totallyinnocent.com/no-java-exploit-here-at-all.htmlPlease contact me if you have any questions.Regards,TimSSA Timothy F. Lauster, Jr.Federal Bureau of Investigation202-651-3211 (w)202-651-3193 (f)
Where the URL would consist of some innocent looking site, but which would in fact host an evil page hosting a Java 0day. I'd guess that hackers got about 20% of those on the original list (or 8 out of 40).

The hackers can repeat this for every new 0day. For example, when the Metasploit module was released last week with yet another Java 0day, they could've phished that list of 40 agents yet again. Frankly, the FBI should consider all those e-mails burned. They should just assign the agents new addresses, then point the old ones to a special server that scrapes them for phishing 0day, to be notified every time hackers come up with new techniques.

One thing I'm trying to point out here is that hackers aren't necessarily smart, but operate from a set of well-known principles. If I have an e-mail list of victims, and a new 0day appears, I'm immediately going to phish with it. It's not Chinese uber APT hackers, it's just monkeys mindlessly following a script.


Or, it could've worked the other way around. Maybe that's how they intercepted that e-mail to be begin with, having used the Java 0day against Stangl's notebook computer. My point here is only that if I were a hacker who was a fan of LulzSec/Anonymous, and somebody dumped that list of FBI agents hunting LulzSec, I would certainly phish it at every opportunity.


Since that original e-mail list is all over the Internet, and the addresses should all be changed anyway, I'm reproducing it here for reference:

MIME-Version: 1.0acceptlanguage: en-USAccept-Language: en-USContent-class: urn:content-classes:messageSubject: Anon-Lulz International Coordination CallDate: Fri, 13 Jan 2012 19:21:49 -0000X-MS-Has-Attach:X-MS-TNEF-Correlator:thread-topic: Anon-Lulz International Coordination Call From: "Lauster, Timothy F. Jr."<Timothy.Lauster@ic.fbi.gov>To: "Reichard, Gerald A." <Gerald.Reichard@ic.fbi.gov>,    <paul.hoare2@met.police.uk>,    <Raymond.Massie@met.police.uk>,    <trevor.dickey@met.pnn.police.uk>,    <Stewart.Garrick@met.police.uk>,    "Gillen, Paul G" <paul.g.gillen@garda.ie>,    "Gallagher, Colm" <colm.gallagher@garda.ie>,    <pim@nhtcu.nl>,<Gea@nhtcu.nl>,    <michel@nhtcu.nl>,    <olivier.nael@interieur.gouv.fr>,    <olivier.moalic@interieur.gouv.fr>,    <thierry.mezenguel@interieur.gouv.fr>,    <andre.dornbusch@iuk.bka.de>,    <peter.ericson@rkp.police.se>,    <stefan.kronqvist@rkp.police.se>,    <ulrika.sundling@rkp.police.se>,    <Jaap.Oss@europol.europa.eu>,    <valentin.gatejel@europol.europa.eu>,    "Helman, Bruce C. Jr." <Bruce.Helman@ic.fbi.gov>,    "Sporre, Eric W." <Eric.Sporre@ic.fbi.gov>,    "Buckler, Lesley" <Lesley.Buckler@ic.fbi.gov>,    "Geeslin, Robert C." <Robert.Geeslin@ic.fbi.gov>,    "Plunkett, William R." <William.Plunkett@ic.fbi.gov>,    "Roberts, Stewart B." <Stewart.Roberts@ic.fbi.gov>,    "Brassanini, David" <David.Brassanini@ic.fbi.gov>,    "Stangl, Christopher K."<Christopher.Stangl@ic.fbi.gov>,    "Patel, Milan" <Milan.Patel@ic.fbi.gov>,    "Ng, William T." <William.Ng@ic.fbi.gov>,    "Adams, Melanie" <Melanie.Adams@ic.fbi.gov>,    "Culp, Mark A." <Mark.Culp@ic.fbi.gov>,    "Arico, Nicholas J." <Nicholas.Arico@ic.fbi.gov>,    "Tabatabaian, Ramyar" <Ramyar.Tabatabaian@ic.fbi.gov>,    "Penalosa, Jensen" <Jensen.Penalosa@ic.fbi.gov>,    "Bales, Will" <Will.Bales@ic.fbi.gov>,    "Burton, Kevin C." <Kevin.Burton@ic.fbi.gov>,    "Nail, Michael A." <Michael.Nail@ic.fbi.gov>,    "Grasso, Thomas X." <Thomas.Grasso@ic.fbi.gov>,    "Thomas, Christopher T." <Christopher.Thomas@ic.fbi.gov>,    "Caruthers, John" <John.Caruthers@ic.fbi.gov>,    "Phoenix, Conor I." <Conor.Phoenix@ic.fbi.gov>,    "Hunt, Chad R." <Chad.Hunt@ic.fbi.gov>,    "Willett, Bryan G." <Bryan.Willett@ic.fbi.gov>,    "Patrick, Kory D." <Kory.Patrick@ic.fbi.gov>     All, A conference call is planned for next Tuesday (January 17, 2012) to discuss the on-going investigations related to Anonymous, Lulzsec, Antisec, and other associated splinter groups. The conference call wasmoved to Tuesday due to a US holiday on Monday.Date: Tuesday, January 17, 2012 Time: 4:00 PM GMTBridgeTN: 202-393-2430Access Code: 6513211# Please contact me if you have any questions. Regards, Tim SSA Timothy F. Lauster, Jr. Federal Bureau of Investigation 202-651-3211 (w) 202-651-3193 (f)

Other links:
explanation of UDID
finding your UDID
FBI denies it was their laptop

Hiç yorum yok:

Yorum Gönder