Speaking as a Bulgarian, my guess is that the Eastern Bloc countries were limited in the amount of software/hardware that could be sold in those countries due to CoCom ( http://en.wikipedia.org/wiki/CoCom ) and this possibly brought up a whole generation of people that became good at reverse engineering, but most likely also a whole culture that thinks it's okay to reverse engineer almost everything...
One of my friends' mothers worked at a Bulgarian shop where all they did was translate Norton Commander into Russian (basically hex editing here and there), and then it was sold on the Russian market.
Up to 1988-1989 we had a Bulgarian company that was selling bootlegged games under their own name (yes, I bought Karateka from them, and it worked on the bootlegged Pravetz-8C - a.k.a. Apple ][/c).
But it doesn't stop there - you could (or at least back in the day) find people living in the same apartment building who were able to fix your TV, car, radio, etc. without calling a technician.
My father regularly fixed neighbors' TV sets for no money (he's an ex-military engineer - worked in radio-location).
But then there was something about Russian, or Eastern Bloc made hardware - you take any plane, car, tank, radio, etc. - you can open it yourself and start hacking, replacing parts, etc. - i.e. even our own products were meant to be hackable.
Now this is according to my father, who told me that it was much easier to fix Russian-produced military vehicles than anything else.
The I-fix-it culture was really thriving, and some of it was thanks to "communism" (there was never such a thing), but lots of kids got free education from 1st grade in computer science, hardware, rocketry, train modeling. The magazines were so cheap (and printed on cheap paper) that you could buy a dozen of them full of models, etc.
This is no longer the case (I've been living in the USA since 1999, but visit my own Bulgaria almost every year).
I wish some of those days were back, but I knew that it was a utopia we lived in....
Well, take it with a grain of salt, typing this while on vacation in my lovely Bulgaria :)
In college I wrote a major research paper on market-style exchanges on the factory floors of Eastern Europe, with the underlying point that you can never really purge all market forces, that "capitalism" is more descriptive than normative.
When I think back on it, well, I'm mostly ashamed for talking out of my ass about what other people actually experienced. It'd be great to hear more of your thoughts on it.
As a kid, one of the best things was getting bananas/oranges for New Year, or getting some real dollars so you could buy Kinder eggs/Pez/Toblerone/etc. from the Corecom stores (above). Although you might have had the money, there was no easy way to exchange it.
It was a 'meh' moment for me when democracy came and my favourite store (selling cake, soda drinks) also started selling Kinder eggs - it was impossible for me to think that I could go and buy as many as I wanted with ... levas (our currency).
And as such they were no longer interesting :)
I had a happy childhood, maybe because I did not know anyone too rich or too poor, and the choice was limited... okay, maybe that was not the case... But looking at all the old Bulgarian kids' movies, one can see kids roaming the streets without any danger (and it was so - it was normal for me to stroll around when I was 5 or 6 years old). This gets old, a bit reddit-ish, and it's purely my experience; surely for other people it could've been a totally different story.
It's also more dangerous in the US. Since the majority of major web apps are hosted in the US, if you're in the US it is easy for the app's owners to go after you legally. It gets much more complicated if you're in another country. For example, if weev had been in Eastern Europe, it would have been much more difficult for AT&T to go after him.
In Israel, military service is compulsory for all men when they are 18 years old. The best hackers in the country are detected and lured into cyberwarfare positions where they need to be the best cyber attackers in the world for 3 years.
You bet that these guys are among the best in the world.
The IDF's ICT unit also has a very large budget (it's actually the only unit with an increasing budget despite a 2 billion overall budget drop), and with access to all kinds of technologies that only a government can afford. When the engineers get out of there, they know things that few people know about.
Not exactly true. There are a few different computer groups, one of which requires only three years and it is nowhere near the level of sophistication of an average programmer (they are mostly responsible for the technological infrastructure of the army). The other programs require a degree beforehand (so they only go into the army at about 22) and then require 5 years of service. These are the people who create cool things. But let me say: even the things that they do are closer to things you can think about than what you would find in a sci-fi novel.
You describe the Mamram thing, but Aman conscripts people who are better at 17 than good compsci grads from the Technion at 22. They do 4 years, not like Atuda. Aman also gets people from Talpiot and the best Mamram has to offer.
I'm from Eastern Europe myself, and while I know it's anecdotal only, from living for one year in the same dorm room with a guy like the ones described in the article, all I can say is that it was not about the money (at least not 14 years ago, when I was still a freshman) but more about "hey, I want to see what this piece of closed-source software is actually all about! How can I crack it?". It also "helped" that we were generally quite poor (we still are, comparatively) and so it made "economic sense" to spend days and days tweaking assembly code and what-have-you in order not to pay $4.99 for a crappy music player or something similar, and in the process acquiring quite a bit of knowledge (much more valuable) about how such things work.
And the guy I started talking about now works for a pretty important anti-virus company; he's one of the most gifted hackers I've ever met.
There are plenty of job opportunities and the coders are relatively even more overpaid than in the West, so that's not the reason.
The real reason, I believe, is that people mostly can do this with impunity. There's very little being done to prevent or prosecute credit card fraud. In Ukraine and Russia CCs are still used very little, so this fraud hurts "the West", which is mostly seen as a good thing by the general population. Rampant piracy is practically encouraged for the same reason.
Of course this creates a barrier for doing legitimate business online. For example PayPal simply does not allow merchant accounts from Ukraine and Russia to reduce fraud. These countries are the safe haven for hosting illegal content etc. It would benefit local programmers to clean up the reputation of the country and to my great annoyance people just do not realize this. Crooks are accepted as keynote speakers at business conferences etc (they do make money, so what's the problem?)
From my personal experience I can confirm p. 1, and totally disagree with p. 2 (there are plenty of good and well-paid jobs for IT specialists in xUSSR countries).
About p. 3 - exploit-selling is not a respectable profession, but in the last 20 years people have seen too many examples of people becoming rich in illegal and dirty ways and this definitely had a bad influence.
I've heard theories that it's as simple as they had older and slower machines, so they thought more carefully about not just the code they were writing but about the machine it was running on as well. In the end, they end up gaining a better understanding than 'spoiled' programmers in the west who could afford to compile, run, edit, compile, run...
There's also the theory that they don't have as much to do, at least not as many distractions.
From my experience with employees who originally came from Russia to Germany, they were all pretty smart... most of them were also really good at chess, for example, so I guess it's something about the education there... seems to be quite math-heavy.
I've seen this story (NASDAQ being hacked) reported in a couple of places, but it isn't clear to me what damage was done. It's not really possible for them to have messed with the actual trading without anyone noticing. Everyone connecting to an exchange is reconciling the orders they send in against the trade confirmations they receive. You basically design your technology assuming the exchange is going to fuck something up eventually. I'd really like to hear more details about what was going on here.
The matching engine and the ring of servers around it are not accessible via the internet. You can only connect to them if you have a server colocated in Carteret, and even then the NASDAQ machines only expose the ports relevant to order entry and feed data.
They could have hacked a customer (say, citigroup) and entered that way, but all they really could do is incur losses for the customer.
> Court documents allege that as a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses, including more than $300 million in losses ...
BULLSHIT. I want to see hard evidence that there were real losses totaling more than $300 million. The justice dept loves inflating loss figures based on sentencing guidelines which mandates minimum losses for stolen info even if they were never used to commit a crime.
It's really not that much money per card for just the Heartland breach alone, even if you assume only a fraction of cards were actually being used.
The Heartland breach was discovered after card companies found a pattern of chargebacks over a number of months. If the cards hadn't been used, the breach likely would have been undiscovered, for years, if at all. It took Heartland months of investigation to find internal evidence they had been breached. The attackers had long since left and attempted to erase their tracks.
An interesting bit of trivia: one of the guys being charged is "Dmitry Smilianets", CEO of Moscow 5, a rather prestigious esports organization that has/had good teams in League, Dota 2 and Counter-Strike.
Is anyone aware of a) whether other security auditors or services could have identified these vulnerabilities and b) what it takes to sell to these exploited firms?
My understanding of security is fairly small, but it seems to me that there's a market to be had here ... If the expertise exists to dramatically reduce exposure, it's a question of sales or ease of use. If the expertise doesn't exist yet, someone smart might make a lot of money.
Someone who does security work for me on the side (for about 12 years now) manages a team that does this at a large consulting company.
I can't remember exactly, but he told me what they bill him out for and it sounded like NY senior attorney level rates.
He travels overseas regularly on longer term assignments. I told him he should go out on his own but he's not entrepreneurial. He also said that a few of the "sales guys" at the firm already did that with some of the other security people last year.
The bigger the network the more likely something like a simple vulnerability scan will take something down. For this reason many organizations don't allow blanket scans to take place which is a shame because if the scan itself is capable of taking down an important system on your network then clearly you have a huge vulnerability!
I remember when I was working as a security consultant doing a "safe" Nessus scan of a relatively small organization that happened to have a mainframe. The mere act of scanning the ports on the mainframe caused it to crash. The whole thing had to be rebooted and it took HOURS. Essentially, a whole day of work was lost.
When we met with the CSO to talk about it he was both happy and sad: Happy that we discovered such a huge vulnerability and sad that he was going to have to explain to his superiors that an action that he undertook (hiring security consultants to perform a scan) cost the business a lot of money.
I later found out that he was fired because of the incident.
That right there explains a lot about the state of IT security in business right now.
Software is fundamentally broken in some way that it just gets harder and harder to keep a lid on the more effort we make. There is money to be made selling inflatable rafts before a tsunami, but it's pretty depressing work and pretty much everyone is still going to die. The only semi-workable answers are air gapping and drastically reducing the size of your code base, and neither is working that awesome for people, nor is anyone much willing to do it. Look at Google ChromeOS. One of the lowest attack-surface PCs on the market and it was designed from the ground up assuming they'd get owned regularly. Very few other orgs are doing either one.
I wish more people would get this through their heads. The secretary opening a zero-day PDF is usually all it takes for an entire organization to be owned! Especially organizations with Active Directory and Windows workstations. Here's why:
* Secretary's workstation gets owned via zero day.
* Attacker installs keylogger.
* Attacker "breaks" the workstation's join to the domain.
* Domain admin shows up to re-join the workstation to the domain (to "fix it").
Now the attacker has the credentials necessary to manage all of AD and give themselves rights to whatever they want. Also, since AD doesn't use a salt with password hashes the attacker can now trivially obtain the passwords of every employee in the company along with things like service accounts. It's game over at that point--rebuild everything time.
Sites are susceptible when user input is ... incorrectly filtered for characters used in database commands ...
If you're trying to protect yourself from SQLi by filtering & then running user input, you're doing it wrong. If a supposedly tech-literate site like Ars can't get that right, what hope do we have? (Let alone the banks themselves...)
This is a semantic quibble. Your point could be restated as, "if you're not filtering potentially dangerous data out of your SQL queries (i.e. you're not using a fixed vocabulary of properly-quoted phrases) then you are vulnerable to SQLi."
Think of it this way: no matter how you slice it, there are Bad Things you need to keep out of your SQL, and an easy layperson term for doing so is 'filtering'.
The idea that NASDAQ might've been hacked using an SQL injection is pretty scary, as it's a pretty trivial attack to protect against in most cases (mysql_real_escape_string?) - is security in stock exchanges really so lax?
How so? The function does what it's supposed to do. Of course you still have to write the rest of the SQL statement to make use of the escaped input - put all params in quotes (or much better: use prepared statements to begin with).
Anyone not using prepared statements in 2013 is just being stupid - there is no reason to ever be vulnerable to a SQL injection, barring a bug in the database or driver you are using. It's totally unacceptable.
It is when used correctly within quotes (and used with common charsets, but that's a different story altogether). There is no publicly known way to inject the following when the database is encoded in ISO-8859-1 or UTF-8:
"SELECT ... WHERE `field_name` = '" . mysql_real_escape_string($string_value) . "'";
You would think that a way to stop these kinds of attacks for pennies on the dollar would be to have the security companies, banks, retail stores and others involved on the receiving side of these attacks fund hackathons or startup accelerators in every country, like a startup weekend, to give these "kids" a chance at legal startups and to get paid for finding bugs.
If you're going to ignore chilling effects, then by that reasoning the NSA surveillance is totally harmless.
That's a ridiculous argument. The Beltway sniper killed 10 people in 2002, a fraction of the number who died in car accidents that year. But tens of thousands of people had their lives disrupted as they ducked down while filling up at gas stations.
Car crashes in 2002 were in the range of 30,000 deaths. Which is orders of magnitude higher than the sniper.
So in my opinion we shouldn't waste money on NSA wiretapping that doesn't stop terrorism (because if it did it would have stopped the Boston Bombing) and instead invest that time and money into transportation infrastructure.
By doing that we would save more lives, improve our economy and most importantly still have constitutional freedoms.
I'll get downvoted for this, but I think SQL admins should in some way be held accountable for successful injection attacks. Falling victim to this type of exploit which is as old as the hills should be inexcusable. How difficult is it to learn how a UNIX shell works, inside and out? For what these guys get paid and what they are tasked with securing, they should be experts on escaping and quoting and every possible thing one can do with the shell. All the boring stuff. Because that's probably the knowledge these "hackers" leveraged.
If I'm wrong here, if there's more to it, feel free to correct me. I want to be empathetic with the people who set up these SQL databases, but I really cannot understand why anyone can still in 20xx get a shell via SQL statements, at a financial institution no less, after so many years of seeing others fall victim.
Generally, the DBAs have very little role in knowing whether any part of their application is vulnerable to SQL injection, and on top of that they can't mitigate very well against it.
They can do the basic things: don't use the root MySQL user, restrict privileges on each MySQL user, use AppArmor or SELinux to isolate the mysqld process, etc. This does prevent an attacker, in most cases, from instantly uploading a shell as soon as they find any sort of injection vector.
But it does not stop an attacker from reading arbitrary values from any table in any of the databases the MySQL user has read-permissions to (which in many cases is every database on the server).
And if an attacker can effectively dump your database, generally it's a matter of cracking admin password hashes and using those to login and escalate their access. DBAs really play no part in any of that; it is the developers of the application who must be blamed here. It's their job to use good hashing mechanisms, and to prevent admin accounts from being able to escalate privileges and upload a shell to the server. And above all, to code securely and prevent SQL injection in the first place.
Also, this isn't reddit, please don't say "I know I'll get downvoted for this."
Question: Can/do they do "fuzzing" on their database applications? Has anyone built a fuzzer for this purpose that tries an assortment of possible vectors as well as random strings? I still do not understand why the injection vectors cannot be preempted to begin with. It seems to me as if the folks securing the database are unable to predict possible ways someone could exploit what their application considers "valid" queries. If so, why?
Also, I don't follow reddit, so I didn't know they say that.
You're attacking the problem from the wrong angle. The fault lies with whomever builds the application /interfacing/ with the DB, not whomever manages the database.
In an application you may need to read user-selected data from some sort of database. As a simple example, you might accept a user's input of an article ID to fetch said article from a db. That might look something like this:
"SELECT * FROM articles WHERE id = $article_id"
Where $article_id is the input you received from your user. A valid $article_id could for example be "7", an invalid one might be "7 OR 1=1". If the latter value is not escaped, it'd change the statement to read "SELECT * FROM articles WHERE id = 7 OR 1=1", returning all articles.
Any somewhat competent programmer would then check if $article_id contains a value of the expected type (i.e. integer, string, string that looks like an email address, ...) and use an escaping function (in PHP this might be mysql_real_escape_string) to escape any special characters (e.g. turn " into \").
If you're doing things right, you'll use a prepared statement. You'll tell your database driver the format of your query first ("SELECT * FROM articles where id = ?"), then provide the contents for your placeholders (? -> $article_id).
Prepared statements are considered more elegant and comfortable to work with; both approaches are secure when done correctly.
All of this is done by the application developer. Now the DBA only gets to work with the assembled query. How would they be able to tell a valid "OR 1=1" from an injected one?
Nonetheless, your point on holding the responsible party accountable stands -- but it's the developers, not the DBAs.
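The two lookups discussed above, as an added example that is not from the thread: the interpolated query accepts the "7 OR 1=1" input and returns every row, while the prepared statement and an integer type check do not. A string-valued field with a quote-based payload (the shape of the mysql_real_escape_string example further up) is included too. Python with sqlite3 stands in for PHP/MySQL; the table and its rows are constructed.

```python
import sqlite3

# Constructed sample table: three articles with ids 7, 8, 9.
SAMPLE_ROWS = [(7, "First"), (8, "Second"), (9, "Third")]


def make_db():
    """Create an in-memory SQLite database holding the sample articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def fetch_by_id_interpolated(conn, article_id):
    """The vulnerable pattern: user input pasted straight into the SQL text.
    Input '7 OR 1=1' becomes '... WHERE id = 7 OR 1=1' and matches every row."""
    sql = f"SELECT id, title FROM articles WHERE id = {article_id}"
    return conn.execute(sql).fetchall()


def fetch_by_id_prepared(conn, article_id):
    """Prepared statement: the query shape and the value travel separately,
    so the value is never parsed as SQL. A non-numeric string bound against
    an INTEGER column simply matches no row."""
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def validate_article_id(raw):
    """The type check the thread mentions: an article id must be a string of
    ASCII digits. Anything else is rejected before it gets near SQL."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError(f"invalid article id: {raw!r}")
    return int(raw)


def fetch_by_title_interpolated(conn, title):
    """String field with hand-written quoting but no escaping at all.
    A single quote in the input closes the literal; the rest becomes SQL."""
    sql = f"SELECT id, title FROM articles WHERE title = '{title}'"
    return conn.execute(sql).fetchall()


def fetch_by_title_prepared(conn, title):
    """Same lookup with a bound parameter: the quote is just data."""
    sql = "SELECT id, title FROM articles WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_by_id_interpolated(db, "7 OR 1=1"))            # three rows
    print(fetch_by_id_prepared(db, "7 OR 1=1"))                # []
    print(fetch_by_id_prepared(db, validate_article_id("7")))  # [(7, 'First')]
    print(fetch_by_title_interpolated(db, "x' OR '1'='1"))     # three rows
    print(fetch_by_title_prepared(db, "x' OR '1'='1"))         # []
```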
I assumed (incorrectly) that the person designing the database was also involved in selecting the "prepared statements" or "assembled queries", or was the same person.
Now I'm thinking the problem may be more with the people building the interfaces to these SQL databases, and the languages they are using to build them.
If that's true, then "SQL injection" seems like less of an SQL-specific problem and more of a popular label for a more general "sanitization of user input" problem in internet-facing programs. That problem is as old as the web. And now we encourage every program to be a web-facing application, hosted in "the cloud". Yikes.
Anyway, I think my original comment may indeed be valid: in 200xx, in too many cases, programmer knowledge of escaping and quoting (rules that if I'm not mistaken originated when more people were more familiar with terminals and shells) is inadequate.
To answer your second question, Standard Query Language is very, very complicated, and you would have to be a genius to make a proper input scrubber. That's why you are supposed to use things like parameterized queries and bypass the danger of sql injection entirely. However, security mistakes still happen, and you should code in such a way that database leaks are not catastrophic.
Well maybe there's some light at the end of the tunnel: If hackers had an easier way to gain recognition and being rewarded when they discover vulnerabilities, I'm certain most would choose to disclose their findings rather than try selling them on the black market. I'm working on a startup right now, www.crowdcurity.com, where we want to let any site easily create a bug bounty program (similar to Google, Mozilla, Paypal, etc.) and thereby leverage testers around the world to find vulnerabilities; hopefully initiatives like this will strengthen the security of web apps and websites around the world.
Their actions might have been illegal, but they for sure are good at breaking things and their skills should be used instead of throwing them in jail for 20 years. Counsel them and give them a chance to reform themselves.
There are still too many computer illiterate people, it's a matter of how people view things.
Blaming the existing systems instead of blaming the hackers is like being an astronomer in the Middle Ages. Deciders and business owners will scream and say their systems are fine, and that the ones who think differently and prove otherwise are at fault.
No it isn't. These people weren't publishing white papers about the lack of security at Nasdaq and other companies, they were using their knowledge to steal money, and the costs were passed back to you, the (presumably) law-abiding customer/credit card user.
Suppose you went out and came home to find your window smashed and your most valuable possessions gone. Would you be happy to have received an unscheduled visit from a private security consultant who decided to pay himself a handsome fee in the form of your stuff? No, you'd call the police to report a burglary.
Just because these guys were using computers and you also use computers does not mean they're basically the same as you and would be your good friends if only those mean old suits would get out of the way and let you run everything.
If those people were not "publishing white papers", maybe it's because computer security sucks everywhere, maybe because there is no true incentive to make things better at all.
I was answering the question "why were those guys using their skills for criminal activity instead of working on protecting against those crimes?".
The thing is, I doubt company deciders really care about real computer security at all, and even if they do, the security market is very slim. OSes are not really designed with security first in mind, while they should be the first ones to do research on it, and apply it steadily.
I can find many reasons why the computer security market is still weak: there are not that many crimes because we don't use computers for many important things (even if it's on the rise), intelligence agencies prefer to leave those vulnerabilities in place so they can have the upper hand to investigate or spy on other countries (not talking about PRISM), and programmers are still in rare supply, and I don't really see any open discussion in universities about computer security theory; it's mostly black hats/white hats folks, it's not really productive.
If those guys committed those crimes, either they are not good enough, but that also means NASDAQ systems were weak, or they were actually good enough, but the computer security job market did not offer them enough money, which is why they risked 20-year prison sentences, because it paid more.
You could compare it with the drug market. Right now those substances are illegal, which allows criminals to make huge amounts of money, but the DEA people will also make money, and are often found to work with criminals. That's an example of why most of the time crime pays, while it would be wiser to make those substances legal and try to help drug users instead. For computer security, it could be a good idea to stimulate the security market by asking universities to create degrees, and maybe make some government programs to work on computer security, instead of letting it rot like that.
> According to one indictment, European credit card numbers sold for as much as $50, while US ones fetched about $10.
This is truly dumbfounding to me. They had normalized, searchable access to millions of credit cards. They presumably had systematic ways of siphoning off money on high balance cards in a way that no one would've ever noticed. And yet, their grand scheme was to hock the numbers piecemeal for 50 a pop?
They had millions of credit cards. It's far easier and safer to sell the cards than try to come up with a scheme that will make an equivalent amount of money using them. Plus with that many they had far more than they could ever use.
That's like saying anyone who runs a SaaS that helps other businesses make money for $50/m is bad at business.
It's easy to farm credit cards and accounts once you have your infrastructure in place, but it's not so easy to actually profit from them. It's time-consuming and a big liability. So you do the next best thing: you dump them.
There I was saying that even when I have done some security research, from an internet connection not related to me, with hardware not related to me, I've never worked on it for more than 1 week. These people were 6 months against the same target (owning it) without being detected.
Wow, the US Attorney is really going out of his way to fill this one up with bullshit. I knew something was very wrong when Goodin claimed hundreds of millions in losses on a carding ring and it didn't take long to find it. The only people that would pay $50 for anything having anything to do with credit cards would be FBI investigators. Hell, they're the only ones that would pay one tenth of that.
Amazing people are still ignorant of how to properly code a web application. Not to mention all the companies that likely still store passwords using a reversible algorithm and fail to separate and encrypt credit card information. What is this, 1994?
It's not that people don't know how to properly code a web application. It's that coding a web application with a strong and secure perimeter is more expensive, more effort, and difficult to QA (the perimeter) than building one without.
I love the "ship it" here. Deadlines kill security. When you're under the gun to finish something as a dev, the first thing to go is the security mindset. The next thing to go is the "beautiful code" mindset, which leads to even more security issues. The problem is that by definition projects that have a critical deadline will usually be used by thousands of people or handle very important information.
It's a weird issue of "I need it now because it's important" and "I need it working well because it's important". Good, fast, cheap. Pick two.
It can be pretty enlightening to read the few postmortems of big hacks that do get published.
Another seemingly common scenario (aside from a direct attack on the server) is to spear-phish someone else inside the company, not necessarily an admin or anyone technical, into clicking on some flash applet or trojan'd excel doc or something that owns their machine, then install keyloggers, proxies, etc., and work from there until you snag a credential that lets you into the server you actually want.
I'm not sure where you got your info from but non-US cards have always had higher value due to limited supply. The value also depends on the type of info. For example, magnetic stripe data (dumps) is worth more than basic card info (which isn't worth much).
The botnet carding numbers were what I was quoting, not mag stripe dumps. And I was told it was the other way around, that US cards either had higher limits or the banks were more lenient with the credit? Seeing as Americans use credit cards way more than most countries, a multitude of charges would be more easily overlooked. But I'm pretty sure $50 per card is not a realistic rate, even if they're worth more than US cards.
There are a wide myriad of ways that plaintext can be derived from password hashes. Rainbow tables are an option if they're not salted; otherwise the attackers likely had access to fairly significant computing power (considering the amount of money they were raking in) to perform typical dictionary + bruteforce attacks on them.
Yep. And depending on where the attackers are from, it might only be illegal in US jurisdiction anyway. So it's just plain negligence not to do your best. That said, it is a huge attack surface and it sounds like they had a lot of time and resources; they can afford to just wait to get lucky. NASDAQ had to be lucky ALL the time. /devils advocate - obviously someone f'd-up.
I can see it now. NASDAQ brass participating in its own "slut walk" for "sloppy-seconds" developers and IT managers. "Just because I cut contracts for the lowest bidder doesn't mean I deserve to be penetrated!"