
Friday, 09 November 2012

OSCE Breached; Internal Documents Posted by Anonymous

The Organization for Security and Cooperation in Europe decided in 2011 to take on cyber security as one of its missions. The reality of threats in cyber space for the OSCE has become even more real now that their internal network has been breached in early November, 2012 by an unknown person or persons and the stolen files uploaded to Par-AnoIA.net. There has been no public acknowledgment from the OSCE that they have even had a breach. Frane Maroevic, Deputy Head of Press and Information for the OSCE told me in an email that "We condemn any illegal publication of confidential documents and will not comment on any such material."

The documents that Anonymous have posted are clearly genuine although it isn't known how they were obtained nor has anyone claimed responsibility for the attack. In addition to election monitoring reports and briefing books for Ukraine, Bosnia and the United States, there are internal RESTRICTED documents as well as emails and contact lists whose contents could be leveraged by bad actors to target members of OSCE and others with spear phishing or other types of targeted attacks.

Several of the documents referred to the "Informal Working Group Established Pursuant to PC Decision 1039" along with a list of its members. The purpose of this group is to establish "a breakthrough on Confidence Building Measures (CBM) designed to enhance cyber security. Our goal must be to maintain the momentum so as to outline a set of Confidence Building Measures in time for adoption at the Ministerial Council in Dublin." I asked Mr. Maroevic if he saw the value in demonstrating such CBMs right now in the face of their own breach. As of the time of this posting there's been no response from Mr. Maroevic.

The Dublin Council meeting mentioned in that document is scheduled to meet on December 6-7, 2012, however a captured Bi-weekly work schedule shows a meeting of the 1039 Working Group happening in Ireland on November 13, 2012 at 15:00. I expect this incident will be the highlight of their meeting especially since the names and email addresses of all of the members were part of the collection of documents posted to Par-AnoIA.net.

I'll update this post with any new developments from OSCE and/or from our examination of the documents.

UPDATE (09NOV12 2314GMT): A source representing Anonymous has claimed credit for the attack against OSCE. They breached the oscepa.at server, which is the OSCE Parliamentary Authority hosted by Telekom.at, an Austrian service provider. The attack vector was not revealed, although it may have been SQLi or perhaps an employee was compromised via a malicious payload delivered in a .pdf attachment.

Mr. Maroevic told me after my original article was posted that due to the sensitivity of the issue, the OSCE was unable to comment any further.

Saturday, 09 June 2012

LinkedIn Either Failed To Meet Industry Standards Or Standards Need To Be Raised

In light of this breach of 6.5 million LinkedIn password hashes (mine was included in that group), I took a closer look at LinkedIn's "Security" section of its Privacy Policy:
Personal information you provide will be secured in accordance with industry standards and technology (emphasis added). Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
The first question that I had after reading this was: what is the "industry standard" that LinkedIn should be held to? It didn't salt its password hashes, and it used a hash algorithm (SHA1) that has been proven unreliable and which NIST discourages for certain applications. In 2010, a German researcher demonstrated how he could crack a SHA1-hashed password of 6 characters in 49 minutes at a cost of $2.10 using Amazon's cloud service.
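To make the storage weakness concrete, here is an added example (not LinkedIn's code, nor anything from the leaked data) contrasting unsalted SHA1 with a salted, iterated scheme; the iteration count and record format are assumptions chosen for illustration:

```python
"""Unsalted SHA1 versus salted, iterated password hashing (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumption: cost parameter picked for this example


def unsalted_sha1(password: str) -> str:
    """The weak scheme: the stored value depends on the password alone,
    so identical passwords yield identical hashes across every user and
    one precomputed table serves the whole dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$iters$salt$hash'.
    A fresh random salt per user means equal passwords produce different
    records, and each guess must be recomputed per user."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself does not leak timing information."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def records_match(record_a: str, record_b: str) -> bool:
    """True when two stored records are identical. With unsalted SHA1 this
    reveals that two accounts share a password; with per-user salts it
    never happens, even for the same password."""
    return record_a == record_b
```

Running the two schemes on the same password shows the difference: the SHA1 records for two users collide, while the salted records differ yet both still verify.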

LinkedIn apparently doesn't have a CSO or CISO, which for a publicly traded company communicates the message that security is not a priority. Considering that they still don't know how this breach occurred and the minimal attention paid to password security, I can't help but wonder how secure the credit card information is which LinkedIn stores for its premium account holders.

I'm closing my LinkedIn account in protest for LinkedIn's poor handling of this breach. I still haven't been notified by the company that my password was one of the 6.5 million stolen and I hate the fact that security is so far down their priority list. LinkedIn was a professional convenience but it's no longer worth the risk as far as I'm concerned. 

Monday, 09 January 2012

The Stratfor E-mail Address Scandal That Isn't

The Guardian just ran a sensational story about hundreds of British government and NATO email addresses being exposed via the Stratfor hack. The L.A. Times ran a similar story featuring other exposed email addresses from various U.S. agencies and organizations including the White House. In fact, my email was among those exposed. My response is - big deal. I publicize my email address on the Web. It's one of many that I use for different purposes. An email in and of itself means very little. An email with a ridiculously easy password could be a problem if the person was foolish enough to use that same combination on his work email address but for most people, especially those in large corporations and the U.S. Government, that's next to impossible to do because of specified password requirements and two-factor authentication. And in the case of obtaining free reports via Stratfor's marketing strategy, why bother using a strong password as long as it and its associated email address are different from ones that you use for work? In fact, programs like Anonymizer give you throw-away email addresses and passwords to use for just such an occasion.

One of the articles that I read claimed that the Stratfor breach included 3 email addresses from the White House. Well, two of those were President@whitehouse.gov and Prez@whitehouse.gov. Does anyone seriously believe that either of those are real? They're most likely the invention of someone who, like me, wanted to read one of Stratfor's "free" reports. Stratfor doesn't validate those email addresses and every time you want to download another free report you need to invent a different email address to register under. That's why Stratfor has so many email addresses in its system. People who want a freebie report are loading them up with valid and invalid email addresses like "Prez@whitehouse.gov".

So what are the repercussions of having your email address listed along with hundreds of thousands of others? Spam and spear phishing attacks are pretty much it, and both of those can be easily avoided if you've paid any attention to network breaches in the past year. In the rare case that you used your work email address along with your work password, you're pretty much screwed (and deserve to be for being so careless), but by now you've changed your password anyway. The worst part of the Stratfor hack wasn't the release of those email addresses. It was Stratfor's atrocious handling of its members' credit card data and the awful state of its own network security. The worst part may be yet to come, if and when Anonymous releases the contents of those emails between Stratfor analysts and their corporate and government clients. Once that happens, you'll be wishing that all you had to worry about was an exposed email address with a weak password.

Related:
An Open Letter to George Friedman and Stratfor
Was Stratfor Breached By An Insider?
