Tuesday, September 04, 2012

How the FBI might've been owned (12M Apple records)

In recent news, hackers claimed to have stolen 12 million Apple device records from an FBI agent's laptop. I thought I'd post some comments.

The bug they claimed to have used isn't the current Java 0day, but a previous 0day. That Java 0day was being actively exploited in March 2012, as described in this MS TechNet article on CVE-2012-0507. The hackers claimed to have done this hack "during the second week of March 2012", which fits this timeline.

This was soon after the February 3 2012 release of an intercepted FBI conference call. This was a conference call of about 40 law enforcement agents from various parts of the world. Hackers were able to listen into the conference call because they somehow were able to intercept the e-mail message sent to all the agents listing the time and code to get in.

This e-mail was also published. That e-mail was sent directly to all 40 agents in the "To:" field (rather than "Bcc:"), which means their e-mail addresses were all exposed. That means every hacker on the Internet now has a list of the 40 officers in charge of hunting down LulzSec. The e-mail address of Chris Stangl (the guy whose notebook was hacked) is among those 40.

The obvious attack is for hackers to is to phish all 40 of those e-mail addresses. The phishing message would appear to come from the same sender, and simply point to a website hosting a Java app with that exploit. It might look like:
From: "Lauster, Timothy F. Jr."<Timothy.Lauster@ic.fbi.gov>
Subject: Interception of Anon/Lulz Conference Call

Our conference call of January 27 was intercepted by hackers
associated with LulzSec. An audio recording was posted to the
Internet. More details can be found here:
Please contact me if you have any questions.

SSA Timothy F. Lauster, Jr.
Federal Bureau of Investigation
202-651-3211 (w)
202-651-3193 (f)
Where the URL would consist of some innocent looking site, but which would in fact host an evil page hosting a Java 0day. I'd guess that hackers got about 20% of those on the original list (or 8 out of 40).

The hackers can repeat this for every new 0day. For example, when the Metasploit module was released last week with yet another Java 0day, they could've phished that list of 40 agents yet again. Frankly, the FBI should consider all those e-mails burned. They should just assign the agents new addresses, then point the old ones to a special server that scrapes them for phishing 0day, to be notified every time hackers come up with new techniques.

One thing I'm trying to point out here is that hackers aren't necessarily smart, but operate from a set of well-known principles. If I have an e-mail list of victims, and a new 0day appears, I'm immediately going to phish with it. It's not Chinese uber APT hackers, it's just monkeys mindlessly following a script.

Or, it could've worked the other way around. Maybe that's how they intercepted that e-mail to be begin with, having used the Java 0day against Stangl's notebook computer. My point here is only that if I were a hacker who was a fan of LulzSec/Anonymous, and somebody dumped that list of FBI agents hunting LulzSec, I would certainly phish it at every opportunity.

Since that original e-mail list is all over the Internet, and the addresses should all be changed anyway, I'm reproducing it here for reference:

MIME-Version: 1.0
acceptlanguage: en-US
Accept-Language: en-US
Content-class: urn:content-classes:message
Subject: Anon-Lulz International Coordination Call
Date: Fri, 13 Jan 2012 19:21:49 -0000
X-MS-Has-Attach:X-MS-TNEF-Correlator:thread-topic: Anon-Lulz International Coordination Call 
From: "Lauster, Timothy F. Jr."<Timothy.Lauster@ic.fbi.gov>
To: "Reichard, Gerald A." <Gerald.Reichard@ic.fbi.gov>,
    "Gillen, Paul G" <paul.g.gillen@garda.ie>,
    "Gallagher, Colm" <colm.gallagher@garda.ie>,
    "Helman, Bruce C. Jr." <Bruce.Helman@ic.fbi.gov>,
    "Sporre, Eric W." <Eric.Sporre@ic.fbi.gov>,
    "Buckler, Lesley" <Lesley.Buckler@ic.fbi.gov>,
    "Geeslin, Robert C." <Robert.Geeslin@ic.fbi.gov>,
    "Plunkett, William R." <William.Plunkett@ic.fbi.gov>,
    "Roberts, Stewart B." <Stewart.Roberts@ic.fbi.gov>,
    "Brassanini, David" <David.Brassanini@ic.fbi.gov>,
    "Stangl, Christopher K."<Christopher.Stangl@ic.fbi.gov>,
    "Patel, Milan" <Milan.Patel@ic.fbi.gov>,
    "Ng, William T." <William.Ng@ic.fbi.gov>,
    "Adams, Melanie" <Melanie.Adams@ic.fbi.gov>,
    "Culp, Mark A." <Mark.Culp@ic.fbi.gov>,
    "Arico, Nicholas J." <Nicholas.Arico@ic.fbi.gov>,
    "Tabatabaian, Ramyar" <Ramyar.Tabatabaian@ic.fbi.gov>,
    "Penalosa, Jensen" <Jensen.Penalosa@ic.fbi.gov>,
    "Bales, Will" <Will.Bales@ic.fbi.gov>,
    "Burton, Kevin C." <Kevin.Burton@ic.fbi.gov>,
    "Nail, Michael A." <Michael.Nail@ic.fbi.gov>,
    "Grasso, Thomas X." <Thomas.Grasso@ic.fbi.gov>,
    "Thomas, Christopher T." <Christopher.Thomas@ic.fbi.gov>,
    "Caruthers, John" <John.Caruthers@ic.fbi.gov>,
    "Phoenix, Conor I." <Conor.Phoenix@ic.fbi.gov>,
    "Hunt, Chad R." <Chad.Hunt@ic.fbi.gov>,
    "Willett, Bryan G." <Bryan.Willett@ic.fbi.gov>,
    "Patrick, Kory D." <Kory.Patrick@ic.fbi.gov> 

A conference call is planned for next Tuesday (January 17, 2012) to 
discuss the on-going investigations related to Anonymous, Lulzsec, 
Antisec, and other associated splinter groups. The conference call was
moved to Tuesday due to a US holiday on Monday.

Date: Tuesday, January 17, 2012 
Time: 4:00 PM GMT
BridgeTN: 202-393-2430
Access Code: 6513211# 

Please contact me if you have any questions. 

SSA Timothy F. Lauster, Jr. 
Federal Bureau of Investigation 
202-651-3211 (w) 
202-651-3193 (f)

Other links:
explanation of UDID
finding your UDID
FBI denies it was their laptop


Anonymous said...

So, another theory.

1. Hackers steal userlist from one of iOS developers. 1mln+ accounts.
- relatively small database (only 1mln revealed, no proof more exists)
- database with users all around the world (classic profile for app developer)
- fileds in database used on a regular basis by developers
2. Hacker attribute this leak to FBI-Apple collaboration:
- picks anti-Anonymous FBI agent
- picks specific filename (mind the first letters! cooperation between private sector and law enforcement)
- picks reliable exploit which was active during a specific timeframe
- adds some "reliable" details (Dell Vosotro, exploit name etc)
3. Profit.

Disinformation can be a powerful weapon, whole internet is speaking about FBI - Apple cooperation.

Anonymous said...

Your comment could also be a form of Disinformation. Are you in the employ of a Federal Agency or contractor? If they wanted to steel from an iOS developer, they could have an easier time of it and could do it every month for 100's of millions of IDs. I don't think you understand how lax App developers security is. No, this was legit Anon isn't as smart as you credit them in the area of counter information dissemination.

There are usjobs.gov ads for government employees that write in Java, even though Java is one of the main reasons Windows has such a bad rep. But the boss probably only knows Java and loves Oracle so wants to keep his job and keeps pushing it. Get rid of it!

What type of Security Professional for the FBI, CIA, Homeland, or Defense would even allow Java? What type of Security Professional would allow unencrypted csv files on his desktop?

They make dedicated encrypted USB drives for this type work and the drive needs to be unplugged when not in use and stored on person or in a safe. Heck, why doesn't the government just use dumb laptops and force security professionals to remote into a virtual desktop and force agents to use encrypted local USB drives for local files that have a use timeout?

Reason? Security's worse enemy is ease of use. You make something too secure and people complain about time it takes to encrypt/decrypt.

FBI needs people that don't have college degrees. College destroys creativity and is proven to lower it depending on your degree. Yet you could be smartest out there but they won't hire you without one. Even though computer degrees are worthless after 4 years things change so fast.

Unknown said...

So shouldn't the FBI encrypt it's emails or at least only take notice of signed ones?

S said...

@Anonymous 1:03 PM

"Even though computer degrees are worthless after 4 years things change so fast".

Say you learned all it takes to pass a driving license test an were successful at the exam.

Next, the signaling scheme is set to change every now and then, by 10% each time.

Will your core driving capabilities be void after the first 10% signaling changes ? Certainly not.

However, as the years go by with the incremented signaling changes, you will find yourself more and more "crippled" whenever you find yourself in a traffic; if you have never bother learning the new rules; heck you might even crash your car and make victims.

In this analogy, as well as for the computer degree and for the matter, for any type of work subject to new framework implementation; the focus is more on the ability of the recognized professional (degree holder) to keep up with the current standards than the piece of paper attesting of his past achievements.