CyberInsecure.com

Archive for March, 2008

A computer system at Antioch University that contained personal information on about 70,000 people was breached by an unauthorized intruder three times last year, the school said Friday.

On February 13, 2008, a security incident occurred on one of Antioch University’s computer systems. The University responded aggressively by immediately contacting forensic software investigators to examine its computer system.

After analyzing Antioch’s computer system, the investigators determined that an unauthorized intruder breached one of Antioch’s computer systems on three different occasions: June 9, 2007, June 10, 2007, and October 11, 2007.

The system contains files with Social Security numbers, names, academic records for students and former students, and payroll records for Antioch’s employees and former employees. It also contains names and Social Security numbers for student applicants. So far school administration did not receive reports of identity theft as a result of the intruder’s actions.

No conclusive evidence has been found that the intruder actually acquired, viewed, copied, or otherwise misappropriated any of your personal information. Nonetheless, the school attempts to analyze all available evidence to determine the extent of the intrusion.

The University is working with appropriate federal and state law enforcement agencies to apprehend the responsible party and to determine if any personal information was stolen. Three major consumer credit reporting agencies were contacted to inform them of this incident.

A Toll Free Hotline at 1-866-905-2288 has been set up to assist you with answers to any questions or concerns regarding the data security intrusion. The Toll Free Hotline is available from 9 a.m. to 5 p.m. EDT, April 1 through May 30, 2008. If you call after business hours or find it necessary to leave a message, Antioch University will attempt to return your call within two business days.

Antioch University Security Letter
Antioch University FAQs

A new e-mail spam campaign has been launched on the occasion of tomorrow April Fool’s Day. The responsible ones are the people behind Nuwar a.k.a. Storm and the e-mail, with a subject and a short body text like “Happy April Fool’s Day!” or similar, would have a usual, for Nuwar anyway, all-numeric-IP http link. Following that link brings up a page like this:

If you wait those 5 seconds, it’ll try to download a file named funny.exe to your computer. If you click on the image, it will be kickme.exe. If you click on “click here” link it will try to download foolsday.exe. All of them are nothing but a new Nuwar virus variant and unless you need a new trojan on your machine, avoid April Fool’s Day e-mails from unverified sources.

Jobs.ie was hacked on Thursday, 27 March, resulting in customer data such as CVs being lost. The hackers accessed the job applications area of the site and downloaded personal information from CVs submitted, including job applications. Most of the stolen information relates to archived CVs rather than those of users currently looking for jobs. The company has been in touch with those affected to warn them of the possibility that they may be contacted by malicious parties. The nature of the potential data lost was a cause for concern.

It is still unknown what information was in the data stolen but CVs tend to contain contact information like phone numbers, which means phone calls by criminals might leave customers more open to attack than unsolicited e-mails.

Most people are reasonably aware about the dangers associated with unsolicited e-mails but they might be more inclined to be more responsive to someone who rang them claiming to be from their bank. Users of Jobs.ie to be more wary about potential phone contact made as a result of the breach and to take measures to protect their personal data.

As yet it is still unclear as to how many users of the site were affected. Jobs.ie declined to reveal the full scale of the breach as the firm’s investigation into the attack is still ongoing but a spokesperson for the recruitment website said the hack affected “a small percentage” of Jobs.ie’s customers.

A 24-hour customer helpline has been set up to deal with any further questions or concerns users of the site may have regarding the breach at 01 6808699. Queries can also be sent via e-mail to info@jobs.ie

InstallsCash partnership program offers the affiliates to put a short one line iframe code on their website pages. Next this hidden iframe would be used to silently redirect any visitor to another website to install via an MPack like process the affiliation program. Each successful installation made from the affiliate site would involve a payment.

To cover the tracks, the InstallsCash registrar is, of course, from China (bizcn.com). Fake registrant address is in the US (Iowa City) and the e-mail contact is a free webmail service that is popular in Russia (ydwrtyxamz_at_mail.ru). Obviously, this email account name was randomly chosen.

Subscribers of this “program” will be offered a list of allowed systems of payments. These systems are the regular ones used by online criminals. Having done that, one will be asked to wait for 24 hours until account activation.

After this period a subscriber will receive the IFRAME code, something like:

<iframe src=”http://**************610.php” width=1 height=1></iframe>

The iframe has to be hidden on subscriber’s website and point to some another website, using a strange name randomly chosen and created using a more or less automated method. It seems the affiliator creates or uses a different one for each affiliate. Thanks to these unique names, the software recognizes each of them. Data can be feed into their stats page and then they can calculate the payments.

Basically, subscribers are paid for unique loads of InstallsCash IFRAME, which means that whoever signs up for InstallsCash and installs their code, is infecting and redirecting visitors of his website using this invisible iframe code.

InstallsCash distributer admits and warns: “…they will be updating every 3 days and they will be invisible for every antivirus!”

Registrar is bizcn.com and registrant contact came with another random e-mail address:

Jan Dendinger ycsmmiqtyo_at_mail.ru
Phone +1 3196433xxx Fax: +13.196433xxx
309 East Main Street
West Branch IA 523581
us

It seems that behind InstallCash, IframeCash (September 2006) and IframeDollars (November 2007) are hidden the same people. In November 2007, the RBNExploit blog discussed that iFrameCash and iFrameDollars were possibly linked to the Russian Business Network. This confirms that RBN trading partners are still in business.

McAfee VirusScan blocks and detects the PHP script as JS/Exploit-BO.gen. Some additional files are detected as Downloader-BDH.

A MacBook Pro laptop containing personal information on students and scholarship recipients from “all over the world” was reported stolen on Tuesday, according to campus police reports.

Music Professor Mary Natvig reported her computer stolen on Tuesday sometime between 1:15 and 1:25 p.m. from her unlocked office in the Moore Musical Arts Center.

Further information was not available at press time.

It is unclear whether the information was encrypted, what kind of information, why was personal information stored on a laptop and why would a music professor need to hang around with a laptop full of personal students details and their payments recipients.

Report Credit: The BG News

Tobias Klein has reported a vulnerability in avast! Home/Professional, which can be exploited by malicious, local users to gain escalated privileges.

An input validation error within the 0xb2d60030 IOCTL handler of the aavmker4.sys driver can be exploited to overwrite arbitrary kernel memory via a specially crafted IOCTL request or cause local denial of service attacks (system crash due to a kernel panic).
No special user rights are necessary to exploit the vulnerability.

The vulnerability is reported in version 4.7. Other versions may also be affected.

Technical description: http://www.trapkit.de/advisories/TKADV2008-002.txt

Solution: Update to version 4.8.1169 at http://www.avast.com/eng/download.html

Two independent research teams have demonstrated hacks of the Mifare Classic RFID chip algorithm. The technology is used by transit operators in London, Boston, and the Netherlands. It is also used in access cards in numerous other organizations around the world. Dutch government has already issued a public warning about the security of access keys based on it. The minister of interior affairs, in a letter to parliament, wrote that there are plans for government institutions to take additional security measures to safeguard security.

NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in 2 million Dutch building access passes. One billion passes with the technology have been distributed worldwide, making the security risk a global problem and it had not yet notified other countries.

The manufacturer, NXP Semiconductors, has quickly announced that there is a new version of the Mifare chip called the Mifare Plus with enhanced security 128-bit encryption over the original 48-bit. The strange thing about this is why wasn’t the Mifare Plus introduced earlier? It is unknown how much this enhanced card will eventually cost, but reports say that the original Mifare Classic sold for less than a single dollar. Hence, the low cost of the Mifare Classic might have been a factor here.

German researchers Karsten Nohl and Henryk Plötz have published a paper on how to crack the chip’s encryption and Bart Jacobs, an information security professor, have released the video which can be seen here. The video demonstrates how cryptography could be retrieved from readers attached to access control infrastructure or even sniffed simply by walking pass a Mifare RFID card holder. Duplicate cards are then cloned to gain unauthorized entry. What is really scary is the ease with which the attacks are successfully executed.

Thousands of sensitive medical documents fell out of a truck bed and ended up scattered across the road for just about anyone to see and take. Patient records belonged to LabCorp (Laboratory Corporation of America), one of the world’s largest companies that analyzes blood work, and included medical records, lab results, and possibly billing information.

A spokesperson said a courier left the tailgate of his truck open and several boxes slid out, smashing onto Fredericksburg Road. LabCorp believes the information that scattered all over the road was old documents from 1993 and later and possibly billing information which wouldn’t include people’s Social Security numbers.

It is unclear what kind of sensitive information LabCorp collects and stores and so far LabCorp did not notify the people that were affected. LabCorp responded very quickly to the site of the incident with employees “picking up these documents in between cars, in the bushes, on their hands and knees and all of this was happening while SAPD was detouring traffic.” In an August, 2006 accident LabCorp facility break-in exposed patient data (a computer with sensitive personal information was stolen from its Prospect Plains Road sample-collection center in Monroe Township, NJ), so LabCorp (and probably their patients) are used to such incidents.

An increasing number of sites compromised with a malicious script detected as Troj/Unif-B has been noticed over the past few weeks by SophosLabs.

Since March 1st 2008, almost 11,000 pages compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity, around 150 new domains daily.

For 4,500 compromised domains, these targets fall into two categories. First, additional attack sites. Some other site which hits the victim with exploits. Second, redirect or “control” sites. Some other site, controlled by the attacker, which can be used to direct traffic. Typically, these sites direct victims to one of several other attack sites although there may be several redirects in use.

Among other attack vectors there are a few noticeable:

1. Installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
2 .Redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
3. Load exploits intended to install a member of the Mal/Zbot family.
4. Point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.

About 70% of compromised domains point to the GPack attack site are hosted by the same ISP. The same is true for some of the other attacks listed above since targeting server farms is an effective strategy for the attackers.

The grouping within the compromised pages reflects the coordinated attacks that are taking place. Also not surprising are the relationships between some of the groups. It is not unlikely that these sites could be used to make money by selling “traffic flow” since attackers often paying for victims to be directed to their attack sites for a period of time.

Juan Pablo Lopez Yacubian reported that Internet Explorer 7 (also in all MS Vista versions) is affected by a URI-spoofing vulnerability.

An attacker may leverage this issue by inserting strings to spoof the source address of a file presented to an unsuspecting user. This may lead to a false sense of trust because the user may be presented with a source address of a trusted site while interacting with the attacker’s malicious site.

To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document. The following example exploit is available:

http://es.geocities.com/jplopezy/iespoof.html

Reports indicate that unspecified versions of Firefox are also prone to this issue, but that has not been confirmed.

Currently there are no vendor-supplied patches. If you are aware of a patch or more recent information, please comment.