A computer system at Antioch University that contained personal information on about 70,000 people was breached by an unauthorized intruder three times last year, the school said Friday.
On February 13, 2008, a security incident occurred on one of Antioch University’s computer systems. The University responded aggressively by immediately contacting forensic software investigators to examine its computer system.
After analyzing Antioch’s computer system, the investigators determined that an unauthorized intruder breached one of Antioch’s computer systems on three different occasions: June 9, 2007, June 10, 2007, and October 11, 2007.
The system contains files with Social Security numbers, names, and academic records for students and former students, and payroll records for Antioch’s employees and former employees. It also contains names and Social Security numbers for student applicants. So far the school administration has not received any reports of identity theft resulting from the intruder’s actions.
No conclusive evidence has been found that the intruder actually acquired, viewed, copied, or otherwise misappropriated any of the affected individuals’ personal information. Nonetheless, the school is analyzing all available evidence to determine the extent of the intrusion.
The University is working with appropriate federal and state law enforcement agencies to apprehend the responsible party and to determine if any personal information was stolen. Three major consumer credit reporting agencies were contacted to inform them of this incident.
A Toll Free Hotline at 1-866-905-2288 has been set up to answer questions or concerns from those affected regarding the data security intrusion. The Toll Free Hotline is available from 9 a.m. to 5 p.m. EDT, April 1 through May 30, 2008. If you call after business hours or find it necessary to leave a message, Antioch University will attempt to return your call within two business days.
A new e-mail spam campaign has been launched for tomorrow’s April Fool’s Day. The people behind Nuwar (a.k.a. Storm) are responsible. The e-mail carries a subject and a short body text such as “Happy April Fool’s Day!” or similar, together with the usual (for Nuwar, anyway) all-numeric-IP http link. Following that link brings up a page like this:

If you wait those 5 seconds, it’ll try to download a file named funny.exe to your computer. If you click on the image, it will be kickme.exe. If you click on “click here” link it will try to download foolsday.exe. All of them are nothing but a new Nuwar virus variant and unless you need a new trojan on your machine, avoid April Fool’s Day e-mails from unverified sources.
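A mail-gateway check for the two traits this campaign combines, a bare numeric-IP http link and the “April Fool” lure wording, as an added example that is not part of the original post; the sample messages are constructed, and 192.0.2.0/24 is a documentation address range, not a real host.

```python
import re
from email import message_from_string
from email.message import Message

# Matches an http(s) URL whose host is a dotted-quad IP instead of a hostname,
# the form of link the Nuwar/Storm lure described above uses.
NUMERIC_IP_URL = re.compile(
    r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/[^\s\"'<>]*)?", re.I
)
LURE_TEXT = re.compile(r"april\s+fool", re.I)  # subject/body wording of this campaign


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message: str) -> dict:
    """Return the numeric-IP links found and a verdict for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    text = body_text(msg)
    ip_links = NUMERIC_IP_URL.findall(text)
    lure = bool(LURE_TEXT.search(subject) or LURE_TEXT.search(text))
    if ip_links and lure:
        verdict = "quarantine"  # both Nuwar traits present
    elif ip_links:
        verdict = "review"      # a bare-IP link alone is unusual but not conclusive
    else:
        verdict = "allow"
    return {"subject": subject, "ip_links": ip_links, "lure": lure, "verdict": verdict}


# Constructed sample messages (192.0.2.0/24 is a documentation range, not a real host).
SPAM = """From: sender@example.com
To: victim@example.net
Subject: Happy April Fool's Day!

Happy April Fool's Day! http://192.0.2.10/
"""

HAM = """From: colleague@example.org
To: victim@example.net
Subject: Lunch tomorrow?

Menu is at http://www.example.org/lunch.html
"""

if __name__ == "__main__":
    for raw in (SPAM, HAM):
        print(classify(raw))
```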
Jobs.ie was hacked on Thursday, 27 March, resulting in the loss of customer data such as CVs. The hackers accessed the job applications area of the site and downloaded personal information from submitted CVs, including job applications. Most of the stolen information relates to archived CVs rather than those of users currently looking for jobs. The company has been in touch with those affected to warn them that they may be contacted by malicious parties. The nature of the potentially lost data was a cause for concern.
It is still unknown what information was in the data stolen but CVs tend to contain contact information like phone numbers, which means phone calls by criminals might leave customers more open to attack than unsolicited e-mails.
Most people are reasonably aware of the dangers associated with unsolicited e-mails, but they might be more inclined to respond to someone who rings them claiming to be from their bank. Users of Jobs.ie are advised to be more wary of any phone contact that could result from the breach and to take measures to protect their personal data.
As yet it is still unclear as to how many users of the site were affected. Jobs.ie declined to reveal the full scale of the breach as the firm’s investigation into the attack is still ongoing but a spokesperson for the recruitment website said the hack affected “a small percentage” of Jobs.ie’s customers.
A 24-hour customer helpline has been set up at 01 6808699 to deal with any further questions or concerns users of the site may have regarding the breach. Queries can also be sent via e-mail to info@jobs.ie.
The InstallsCash partnership program invites affiliates to put a short, one-line iframe snippet on their website pages. This hidden iframe is then used to silently redirect every visitor to another website, where the affiliate program’s payload is installed via an MPack-like process. Each successful installation originating from the affiliate’s site earns a payment.
To cover their tracks, the InstallsCash registrar is, of course, in China (bizcn.com). The fake registrant address is in the US (Iowa City) and the e-mail contact is a free webmail service that is popular in Russia (ydwrtyxamz_at_mail.ru). Obviously, this e-mail account name was randomly chosen.
Subscribers to this “program” are offered a list of accepted payment systems, the regular ones used by online criminals. Having chosen one, the subscriber is asked to wait 24 hours for account activation.
After this period a subscriber will receive the IFRAME code, something like:
<iframe src="http://**************610.php" width=1 height=1></iframe>
The iframe has to be hidden on the subscriber’s website and point to another website with a strange, randomly chosen name created by a more or less automated method. It seems the affiliator creates or uses a different one for each affiliate. Thanks to these unique names, the software recognizes each of them; data can be fed into their stats page, from which the payments are calculated.
Basically, subscribers are paid for unique loads of InstallsCash IFRAME, which means that whoever signs up for InstallsCash and installs their code, is infecting and redirecting visitors of his website using this invisible iframe code.
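A scanner a site operator could run over their own pages to spot an injected frame of the kind shown above (1x1 or CSS-hidden, pulling content from another host), as an added example that is not InstallsCash code or from the original post; the sample page is constructed and “affiliate-host.invalid” is a placeholder for the redacted domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _pixels(value):
    """Parse an iframe width/height attribute; missing or odd values count as large."""
    if value is None:
        return 9999  # browsers default to 300x150, i.e. clearly visible
    digits = re.sub(r"\D", "", value)
    return int(digits) if digits else 9999


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that a visitor would never see."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _pixels(a.get("width")) <= 1 and _pixels(a.get("height")) <= 1:
            reasons.append("1x1 or smaller")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Report only hidden frames that load something from a different host.
        if reasons and src and host and host != self.page_host:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def scan(html, page_host):
    """Return hidden iframes on a page that pull content from another host."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings


# Constructed page: one legitimate same-site frame, one injected affiliate frame.
# "affiliate-host.invalid" is a placeholder for the domain redacted in the article.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/player.html" width=400 height=300></iframe>
<p>Some content</p>
<iframe src="http://affiliate-host.invalid/610.php" width=1 height=1></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE, "www.example.com"):
        print(finding)
```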
The InstallsCash distributor admits and warns: “…they will be updating every 3 days and they will be invisible for every antivirus!”
The registrar is bizcn.com and the registrant contact came with another random e-mail address:
Jan Dendinger ycsmmiqtyo_at_mail.ru
Phone +1 3196433xxx Fax: +13.196433xxx
309 East Main Street
West Branch IA 523581
us
It seems that the same people are behind InstallsCash, IframeCash (September 2006) and IframeDollars (November 2007). In November 2007, the RBNExploit blog discussed that iFrameCash and iFrameDollars were possibly linked to the Russian Business Network. This confirms that RBN trading partners are still in business.
McAfee VirusScan blocks and detects the PHP script as JS/Exploit-BO.gen. Some additional files are detected as Downloader-BDH.
A MacBook Pro laptop containing personal information on students and scholarship recipients from “all over the world” was reported stolen on Tuesday, according to campus police reports.
Music Professor Mary Natvig reported her computer stolen on Tuesday sometime between 1:15 and 1:25 p.m. from her unlocked office in the Moore Musical Arts Center.
Further information was not available at press time.
It is unclear whether the information was encrypted, what kind of information it was, why personal information was stored on a laptop, and why a music professor would need to carry around a laptop full of students’ personal details and scholarship payment recipients.
Report Credit: The BG News
Tobias Klein has reported a vulnerability in avast! Home/Professional, which can be exploited by malicious, local users to gain escalated privileges.
An input validation error within the 0xb2d60030 IOCTL handler of the aavmker4.sys driver can be exploited to overwrite arbitrary kernel memory via a specially crafted IOCTL request, or to cause a local denial of service (system crash due to a kernel panic).
No special user rights are necessary to exploit the vulnerability.
The vulnerability is reported in version 4.7. Other versions may also be affected.
Technical description: http://www.trapkit.de/advisories/TKADV2008-002.txt
Solution: Update to version 4.8.1169 at http://www.avast.com/eng/download.html
Two independent research teams have demonstrated hacks of the Mifare Classic RFID chip algorithm. The technology is used by transit operators in London, Boston, and the Netherlands. It is also used in access cards in numerous other organizations around the world. The Dutch government has already issued a public warning about the security of access keys based on it. The minister of interior affairs, in a letter to parliament, wrote that there are plans for government institutions to take additional security measures.
NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in 2 million Dutch building access passes. One billion passes with the technology have been distributed worldwide, making the security risk a global problem, yet other countries had not yet been notified.
The manufacturer, NXP Semiconductors, quickly announced a new version of the Mifare chip called the Mifare Plus, with 128-bit encryption in place of the original 48-bit. The strange thing is why the Mifare Plus wasn’t introduced earlier. It is unknown how much this enhanced card will eventually cost, but reports say that the original Mifare Classic sold for less than a single dollar. Hence, the low cost of the Mifare Classic might have been a factor here.
German researchers Karsten Nohl and Henryk Plötz have published a paper on how to crack the chip’s encryption, and Bart Jacobs, an information security professor, has released the video which can be seen here. The video demonstrates how keys could be retrieved from readers attached to access control infrastructure, or even sniffed simply by walking past a Mifare RFID card holder. Cards are then cloned to gain unauthorized entry. What is really scary is the ease with which the attacks are successfully executed.
Thousands of sensitive medical documents fell out of a truck bed and ended up scattered across the road for just about anyone to see and take. Patient records belonged to LabCorp (Laboratory Corporation of America), one of the world’s largest companies that analyzes blood work, and included medical records, lab results, and possibly billing information.
A spokesperson said a courier left the tailgate of his truck open and several boxes slid out, smashing onto Fredericksburg Road. LabCorp believes the information that scattered all over the road was old documents from 1993 and later and possibly billing information which wouldn’t include people’s Social Security numbers.
It is unclear what kind of sensitive information LabCorp collects and stores, and so far LabCorp has not notified the people affected. LabCorp responded very quickly at the site of the incident, with employees “picking up these documents in between cars, in the bushes, on their hands and knees and all of this was happening while SAPD was detouring traffic.” In August 2006, a break-in at a LabCorp facility exposed patient data (a computer with sensitive personal information was stolen from its Prospect Plains Road sample-collection center in Monroe Township, NJ), so LabCorp (and probably their patients) are used to such incidents.
An increasing number of sites compromised with a malicious script detected as Troj/Unif-B has been noticed over the past few weeks by SophosLabs.
Since March 1st 2008, almost 11,000 pages have been found compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity, around 150 new domains daily.
The targets these 4,500 compromised domains point to fall into two categories. First, additional attack sites: some other site which hits the victim with exploits. Second, redirect or “control” sites: some other site, controlled by the attacker, which can be used to direct traffic. Typically, these sites direct victims to one of several other attack sites, although there may be several redirects in use.
Among other attack vectors, a few are noticeable:
1. Installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
2. Redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
3. Load exploits intended to install a member of the Mal/Zbot family.
4. Point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.
About 70% of the compromised domains that point to the GPack attack site are hosted by the same ISP. The same is true for some of the other attacks listed above, since targeting server farms is an effective strategy for the attackers.
The grouping within the compromised pages reflects the coordinated attacks that are taking place. Also not surprising are the relationships between some of the groups. It is not unlikely that these sites could be used to make money by selling “traffic flow”, since attackers often pay to have victims directed to their attack sites for a period of time.
Juan Pablo Lopez Yacubian reported that Internet Explorer 7 (including on all MS Vista versions) is affected by a URI-spoofing vulnerability.
An attacker may leverage this issue by inserting strings to spoof the source address of a file presented to an unsuspecting user. This may lead to a false sense of trust because the user may be presented with a source address of a trusted site while interacting with the attacker’s malicious site.
To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document. The following example exploit is available:
http://es.geocities.com/jplopezy/iespoof.html
Reports indicate that unspecified versions of Firefox are also prone to this issue, but that has not been confirmed.
Currently there are no vendor-supplied patches. If you are aware of a patch or more recent information, please comment.
Security experts at Webroot Software report seeing a new wave of keyloggers (programs that secretly record every character you type), system monitors, and viruses leading up to prime tax filing season. Webroot’s Threat Research Team says that more than 1200 new key-logging programs and 336 versions of system monitoring spyware have been found and defined in the past month alone. Several states warn that con artists have already begun using the highly publicized rebate checks as a ploy to get you to divulge personal financial information.
The increase might be explained by the fact that fewer taxpayers are using old-fashioned paper forms for preparing and submitting their taxes. According to Webroot’s figures, a record 22 million taxpayers filed their taxes from a home computer last year, up 11 percent from the previous year. Scammers know this and figure that your identity is especially vulnerable to theft when you’re filling out your tax documents with a software program or filing them over the Internet.
The federal government expects to issue economic stimulus rebate checks sometime in May or June. IRS refund checks typically arrive within three weeks of the date when you e-file your return. Some fraudulent e-mail messages contain links to fake government Web sites that request your Social Security number and bank account numbers, supposedly so that the IRS can process a rebate check. If you resist disclosing the information, the site informs you that you won’t be able to receive your rebate.
Another tax scam involves e-mail messages that target accountants, businesses, and individuals, notifying them of supposed changes in tax laws. These phishing messages direct the recipient to download “updated” tax documents that reflect the new tax laws. The IRS reports having received numerous complaints from people who have downloaded bogus documents to their computer, only to discover that the documents contained malicious code designed to transfer control over the PC to a third party. A growing number of tax-themed e-mail messages contain links to Web sites (not files for download) that attempt to install malware on the visitor’s PC.
WXYZ, the ABC television affiliate in Detroit, reported that a Michigan woman, Maria Mendoza, lost US$4000 when a crook stole her identity and then visited a local H & R Block office to file a tax return, posing as Mendoza. After submitting the return, the scammer asked to receive her $4000 tax refund on the spot, using a Block service called a Rapid Refund debit card.
Earlier today SophosLabs reported a new scam designed to fool users into viewing a web site where they would be hit with a malicious script that installs a Trojan. Several different spam messages have been seen alerting users to the supposed shooting of the e-Gold founder, for example:
E-gold founder, Douglas Jackson, 51, of Sheridan, Mont., was 4 times shot
and killed Friday night on the Seventh Street ramp at East Seventh Avenue by off-duty County Deputy Daniel Montana Jr.,
police said. A spokesman for the Jackson’s family told Fox 31 that the autopsy
details show the shots came from 3 to 7 feet away and were fired at a level angle, not from someone lying on the ground. The investigation is ongoing, said DA spokeswoman Pam Russell.
More details at ********.com
A variety of domains have been used in the scam. Browsing to any of them redirects to a malicious page on another server. This page contains malicious JavaScript which attempts to install a Trojan on the victim’s computer. The malicious script is proactively detected as Mal/ObfJS-B. The Trojan is detected by runtime HIPS protection as HIPS/FileMod-005. Specific detection for the Trojan and the files it installs has been added as Troj/Agent-GUJ in Sophos Antivirus.
This is yet another example of the attackers using a blend of spam and malicious web sites to infect victims. Such cases provide perfect illustrations of the need for quality security solutions, encompassing anti-spam, web content inspection, URL filtering and runtime protection technologies.