CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for June, 2008

25 Mac OS X Security Vulnerabilities Fixed in Apple’s 2008-004 Security Update

Monday, June 30th, 2008

Apple has shipped a new Mac OS X update that addresses 25 documented vulnerabilities, several of which could lead to arbitrary code execution. The 2008-004 Security Update fixes code execution flaws in Launch Services, SMB File Server, System Configuration, VPN and WebKit.

Fixes for six highly critical vulnerabilities in Ruby, a popular open-source scripting language, are also included. The update also installs a Tomcat patch that addresses nine vulnerabilities, the most serious of which may lead to a cross-site scripting attack.

Here is the list of vulnerabilities from Apple’s security bulletin:

Alias Manager (CVE-2008-2308): A memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier.

CoreTypes (CVE-2008-2309): This update adds .xht and .xhtm files to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload.

c++filt (CVE-2008-2310): A format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X 10.5.

Dock (CVE-2008-2314): When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This issue does not affect systems prior to Mac OS X 10.5.

Launch Services (CVE-2008-2311): A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation. If the “Open ’safe’ files” preference is enabled in Safari, visiting a maliciously crafted website may cause a file to be opened on the user’s system, resulting in arbitrary code execution. This issue does not affect systems running Mac OS X 10.5 or later.
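The Launch Services flaw above is a classic time-of-check/time-of-use race: the validator inspects a name, and by the time the file is opened the name points somewhere else. The following is an added illustration of that bug class and of the usual fix, written for this page; it is not Apple's code and says nothing about how Launch Services itself is implemented. The function names, the `.txt` allow-list and the `between` hook that stands in for the race window are all assumptions of the demo; `O_NOFOLLOW` semantics are those of Linux and macOS.

```python
import os
import shutil
import stat
import tempfile

ALLOWED_SUFFIXES = (".txt",)  # assumed allow-list for the demo


def unsafe_validate_then_open(path, between=lambda: None):
    """Vulnerable pattern: validate the *name*, then open the *name* again.

    `between` stands in for the window between validation and open; the
    demo below uses it to swap the validated file for a symbolic link.
    """
    if os.path.islink(path):
        raise ValueError("symbolic links are not allowed")
    if not path.endswith(ALLOWED_SUFFIXES):
        raise ValueError("disallowed file type")
    between()  # the race window: the file system can change here
    with open(path, "rb") as f:  # re-resolves the name: whatever is there now is opened
        return f.read()


def safe_open(path):
    """Hardened pattern: open without following links, then validate the
    descriptor that was actually opened, so a later change to the name
    cannot redirect the read."""
    if not path.endswith(ALLOWED_SUFFIXES):
        raise ValueError("disallowed file type")
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:  # ELOOP when the name is a symlink, among others
        raise ValueError(f"refusing {path}: {exc.strerror}") from exc
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())  # check the thing we hold, not the name
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        return f.read()


def demo():
    """Constructed scenario: a benign download next to a file the user never
    meant to open. Returns (what the unsafe pattern read, whether the safe
    pattern refused the swapped name)."""
    d = tempfile.mkdtemp()
    try:
        secret = os.path.join(d, "secret")
        download = os.path.join(d, "download.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        with open(download, "wb") as f:
            f.write(b"harmless")

        def swap():  # what happens inside the race window
            os.remove(download)
            os.symlink(secret, download)

        leaked = unsafe_validate_then_open(download, between=swap)
        try:
            safe_open(download)  # the name is now a symlink
            refused = False
        except ValueError:
            refused = True
        return leaked, refused
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())  # (b'SECRET', True)
```

The unsafe version passes its own check and still reads the wrong file, because the check and the open are two separate lookups of the same name. The hardened version has no window: the only object validated is the descriptor that is subsequently read.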

Net-SNMP (CVE-2008-0960): An issue exists in Net-SNMP’s SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. Additional information is available from US-CERT.

Ruby: Multiple memory corruption issues exist in Ruby’s handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays. Also, if WEBrick is running, a remote attacker may be able to access files protected by WEBrick’s :NondisclosureName option.

SMB File Server (CVE-2008-1105): A heap buffer overflow exists in the handling of SMB packets. Sending malicious SMB packets to an SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution.

System Configuration (CVE-2008-2313): A local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This issue does not affect systems running Mac OS X 10.5 or later.

Tomcat: Tomcat version 4.x is bundled on Mac OS X v10.4.11 systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Further information is available via the Tomcat site.

VPN (CVE-2007-6276): A divide by zero issue exists in the virtual private network daemon’s handling of load balancing information. Processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution.

WebKit (CVE-2008-2307): A memory corruption issue exists in WebKit’s handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2.

Updates can be retrieved and installed using Mac OS X’s integrated update feature.

Hackers Selling Stolen Credit Cards Lead To Montgomery Ward Parent Company Breach Exposure

Saturday, June 28th, 2008

At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward. The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy. It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com.

The financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company’s retail properties.

Online chatter was detected in June by Affinion Group Inc.’s CardCops, a group of investigators who track payment-card theft for financial institutions. In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant. CardCops then intercepted several hundred of the records, along with the online handles of hackers whose real names remain unknown.

Along with the card numbers, their three-digit “security codes” and expiration dates, the thieves had the cardholders’ names, addresses and phone numbers. The data had been organized in the same way, indicating the numbers likely came from the same database. The vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.

When cardholders were contacted, the first eight said they had bought things online or through mail order from Montgomery Ward. Further investigation showed that there is a high probability that the entire database of Montgomery Ward was breached.

Direct Marketing Services immediately informed its payment processor, Visa and MasterCard, and closely followed a set of guidelines issued by Visa on how to respond to a security breach, including a report to the U.S. Secret Service. Those guidelines from Visa are largely technical and do not require hacked organizations to come clean to the affected consumers, only to the financial industry. Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state.

As a result, scores of breaches covering hundreds of millions of consumer accounts have been disclosed by banks, universities, corporations and retailers in recent years. Direct Marketing Services now plans to contact consumers.

It is not clear whether the hackers were inflating their claim when they offered 200,000 records or whether the official number of 51,000 is accurate.

Cross-Domain Vulnerability In Microsoft Internet Explorer 6

Friday, June 27th, 2008

A new Microsoft Internet Explorer 6 vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. Proof-of-concept code for this vulnerability is already available. The vulnerability could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 and Firefox do not appear to be affected by this issue.

The vulnerability is caused by an input validation error when handling the “location” or “location.href” property of a window object. It was first published two days ago in an article in the Chinese security e-zine pstzine. The issue is very similar to the “Ghost Page” issues in IE, which were originally raised by security researchers Manuel Caballero and Fukami at Microsoft BlueHat 2008.

Until a patch is available, IE6 users should disable scripting in the browser. Another option is to upgrade to Microsoft Internet Explorer 7 or to use an alternative browser to help mitigate the risk.

Hackers Hijack ICANN And IANA’s Domains

Friday, June 27th, 2008

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked earlier today by the NetDevilz Turkish hacking group, which also hijacked Photobucket’s domain on the 18th of June.

The domains that were hijacked are icann.net, icann.com, iana-servers.com, internetassignednumbersauthority.com and iana.com.

ICANN is responsible for the global coordination of the Internet’s system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.

NetDevilz left the following message on all of the domains:

You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)

The hackers again redirected visitors to free hosting at Atspace.com (82.197.131.106); Atspace was also used during the Photobucket DNS hijacking. Since the NetDevilz hacking group declined to reveal how they did it, many consider a cross-site scripting or cross-site request forgery vulnerability the likely method used to hijack the domains.

Terrorist And Leftist Websites Defaced By Israeli Hackers

Thursday, June 26th, 2008

An Israeli hacking group broke into the sites of Izz al-Din al-Qassam, the military wing of Hamas, and of some leftist movements. The hacked websites were defaced and their previous content replaced with the words of the Israeli national anthem. Currently the website of Izz al-Din al-Qassam displays a white screen and words in Arabic announcing technical difficulties.

The hacker group, which calls itself Fanat al-Radical (the fanatical radicals), also said that it broke into additional terror organizations’ sites and those of various leftist movements. According to an unnamed representative of the group, they searched for relevant sites, whether leftist or anti-Zionist, and looked for loopholes. The group consists of young adults from 16 to 18 years of age.

In addition to the Hamas military wing’s site, they also broke into the Balad political party site (http://arabs48.com/balad), that of the Hagada Hasmalit (the left bank, http://www.hagada.org.il), the Kibush (occupation, kibush.co.il) site and more. The Left Bank site, considered by the group as another site identifying with the left, was defaced “due to its blatant anti-Zionist contents”. The hacked sites are now equipped with an Israeli flag, the words of the Israeli national anthem “Hatikva” with vowels and pictures of Palestinian babies and children dressed as suicide bombers. A short explanation of why this specific site was broken into to begin with is also included.

Fanat al-Radical is a new group of hackers whose members previously belonged to another group called Kamikaz Team. According to them, since they did not want to bring politics into Kamikaz, a parallel group that supports the destruction of Arab sites was created. The group feels that its first hacking campaign was successful, but it does not intend to stop here and says it plans an additional attack in the future.

Yahoo! Groups Are Used By Phishers To Send Personalized Scam Emails

Wednesday, June 25th, 2008

A spam campaign that sends personalized phishing emails through Yahoo! Groups has recently been reported by TrendLabs researchers Jake Soriano and Grace Ermitanyo, who provided a detailed analysis of the attack. Phishers appear to have sent the phishing emails through Yahoo! Groups either via the Post Message feature on the Yahoo! Groups site or by sending an email to the group’s @yahoogroups.com address. Users who receive such an email from a Yahoo! Group of which they are members are therefore likely to believe that it is legitimate.

The success of this phishing attempt further depends on how the group mailing list is actually moderated. There are settings in Yahoo! Groups spam abuse prevention that allow the moderator to approve all messages before they are sent out to members.

The phishing email provides a link that redirects the recipient to a website with a fake form. The form steals user identities by gathering personal and sensitive information, such as phone numbers, PINs, passwords, account numbers and debit card numbers. These details are sent to the phishers, who may then use the information themselves or sell it in underground forums to cyber criminals.

In one particular case, clients of the Royal Bank of Scotland (rbs.co.uk) are targeted. In the phishing email the URL differs from the actual bank domain and redirects to rtsrv.co.uk.
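The tell in the case above is that the link's real destination is not under the bank's domain. The following is an added example, not code from TrendLabs or from this site, of the check a mail filter or an analyst script can apply to an HTML message: collect every anchor, compare the destination's registered domain with the domain the message claims to come from, and flag visible link text that names one host while the href points to another. The sample message is constructed for the demo using the two domains named in the post; the `registered_domain` helper is a deliberate simplification (in production a public-suffix list would be used instead).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for the demo; the domains are the two named in the post.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account at
<a href="http://www.rtsrv.co.uk/rbs/login.php">https://www.rbs.co.uk/secure</a>.</p>
<p>Help: <a href="https://www.rbs.co.uk/help">Online banking help</a></p>
"""

HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude registrable-domain extraction (assumption: last two labels, or
    last three for two-letter ccTLDs with a second-level suffix such as .co.uk).
    A real deployment would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, claimed_domain):
    """Return one finding per suspicious link. A link is suspicious when its
    destination is not under `claimed_domain`, or when its visible text names
    a host whose registered domain differs from the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = registered_domain(urlsplit(href).hostname or "")
        reasons = []
        if dest != registered_domain(claimed_domain):
            reasons.append(f"destination {dest} is not {claimed_domain}")
        m = HOST_IN_TEXT.search(text)
        if m and registered_domain(m.group(1)) != dest:
            reasons.append(f"link text shows {m.group(1)} but goes to {dest}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL, "rbs.co.uk"):
        print(finding)
```

The first link in the sample is reported for both reasons; the second, which genuinely points under the claimed domain and whose text is plain words, is not. The check is deliberately independent of the sender address, which in the Yahoo! Groups case looked entirely legitimate.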

Moderators of Yahoo! Groups are advised to read about their options related to keeping their members safe from spam and phishing attempts at the Yahoo! Groups FAQ on spam abuse prevention.

Employees Personal Information Exposed In Department of Consumer Affairs Email Incident

Tuesday, June 24th, 2008

A security breach discovered on Monday, June 9, compromised the names and social security numbers of 5,000 employees, contractors and board members at the state Department of Consumer Affairs (DCA). About 2,800 of the people on the list are current, full-time employees of the DCA.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich. The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information. Some of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board. The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone’s name. However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver’s license numbers. This kind of information is very easy to obtain though.

The DCA is the main state agency charged with protecting consumers in California. From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.

The incident is still being investigated, and it cannot be disclosed who received the document. So far there is no evidence that any information has been used. It was not even clear whether the recipient had opened the document.

The state Department of Consumer Affairs (DCA) has sent warning letters to all 5,000 affected. The DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list. The DCA had not yet determined how much these protections were going to cost.

Anyone concerned about identity theft can visit http://www.privacy.ca.gov/ for more information on how to protect themselves.

Marshall Islands Email Service Paralysed By Spam Attack

Tuesday, June 24th, 2008

Email communication in the Marshall Islands was paralysed Tuesday after hackers launched a “zombie” computer attack on the western Pacific nation’s only Internet service provider. The Marshall Islands is a Micronesian island nation in the western Pacific Ocean, located east of the Federated States of Micronesia and south of the U.S. territory of Wake Island.

The attack, which started early Tuesday and in which hackers used computers taken over by viruses to flood the Internet provider with spam emails, caused a complete shutdown of email traffic into the nation of around 55,000 people. More than 18 hours after the initial attack on Tuesday, incoming email service to the monopoly provider had still not been restored.

The government-owned National Telecommunications Authority (NTA) was hit with a sudden increase in incoming email, which it described as an attack by “zombie computers”, said an NTA spokesman. While NTA customers could send and receive emails to each other through the local system, virtually no non-NTA emails had been received since Monday, impacting local businesses, banks and government offices.

“Some malevolent person unleashed infected computers to flood NTA with mail,” said an unnamed local information technology expert. “The fact that there were so many messages sent shows a degree of sophistication to the attack.”

Local officials said this attack was believed to be the first on the country’s only Internet service provider.

Customers Data Stolen From Compromised Balmar E-commerce Server

Tuesday, June 24th, 2008

The Maryland State Attorney General was notified by Balmar Incorporated about a breach that occurred between April 4, 2008 and April 30, 2008, in which sensitive customer information was compromised. Balmar, a provider of print and graphic communications services as well as a regional provider of on-site production and administrative services, recently experienced a data security breach on its e-commerce site server.

Balmar has reason to believe that the personal information of 7 of its online customers who reside in the State of Maryland may have been accessed sometime between April 4, 2008 and April 30, 2008 without proper authorization. The personal information affected may include customer names, addresses, telephone numbers, emails, and credit card information.

Balmar has determined that at least one fraudulent credit card transaction has occurred as a result of this incident. A full analysis of its e-commerce server logs revealed that on March 27, 2008, an individual initiated several SQL injection queries on the main page of the Balmar e-commerce website from an IP address in Viet Nam. Random queries were attempted over time through March 31st. By March 31st, the individual had gathered enough information to pipe the queries to a search bot. By April 4th, the search bot was able to access and transfer data from the e-commerce server to a web page.
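What made the Balmar intrusion visible after the fact was the web server log: probing spread over several days from one address, followed by automated extraction. The following is an added example of the kind of log review that would have surfaced it while it was still probing; it is not Balmar's code and the log lines are constructed for the demo (Apache combined format, documentation-range IPs, and generic injection strings chosen to exercise the patterns, not anything taken from the incident). It URL-decodes each request target, matches it against a small set of injection signatures, and groups hits per client address with first-seen and last-seen times, so a slow campaign shows up as one entry rather than as scattered single lines.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample log (Apache combined format). 192.0.2.x and 198.51.100.x are
# documentation ranges; the requests are generic probes written for this demo.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Mar/2008:10:01:02 -0400] "GET /index.asp?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Mar/2008:10:05:11 -0400] "GET /index.asp?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 7310 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Mar/2008:10:05:40 -0400] "GET /index.asp?id=1%27%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 412 "-" "Mozilla/4.0"
192.0.2.10 - - [28/Mar/2008:09:12:00 -0400] "GET /products.asp?cat=3 HTTP/1.1" 200 6100 "-" "Mozilla/4.0"
198.51.100.7 - - [31/Mar/2008:02:13:05 -0400] "GET /index.asp?id=1%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5120 "-" "python-urllib/2.5"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures are applied to the URL-decoded request target.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), "boolean tautology"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union-based select"),
    (re.compile(r"\b(waitfor\s+delay|sleep\s*\()", re.I), "time-based probe"),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded"] = unquote_plus(rec["target"])  # undo %27, %20, + encoding
    return rec


def classify(decoded_target):
    """Labels of every injection signature present in a decoded request target."""
    return [label for rx, label in SQLI_PATTERNS if rx.search(decoded_target)]


def analyze(log_text):
    """Group injection-looking requests by client IP with first/last seen times
    and the techniques observed, so a multi-day probe reads as one campaign."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec["decoded"])
        if labels:
            by_ip[rec["ip"]].append((rec["ts"], labels, rec["decoded"]))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        report[ip] = {
            "hits": len(hits),
            "first": hits[0][0],
            "last": hits[-1][0],
            "techniques": sorted({lbl for _, labels, _ in hits for lbl in labels}),
        }
    return report


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary["hits"], "hits", summary["first"], "->", summary["last"], summary["techniques"])
```

On the sample, the second address is reported with three hits spanning March 27 to March 31 and three distinct techniques, while the ordinary browsing from the first address produces nothing. A signature list this short will miss obfuscated payloads; its value is in the aggregation, which turns a handful of odd lines days apart into something an operator would act on.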

Once discovered, Balmar reported the incident to the Virginia State Police and the FBI; contacted the web page host to demand that the page be disabled; removed all credit card information from the affected area of the database and moved it to a secured area of the database that cannot be accessed by the method used during the incident; installed an additional database security solution to detect and prevent any future attempted security breaches; sent notice to affected customers by letter and e-mail.

Balmar’s investigation of this incident is ongoing. For more information, call 1 (800) 265-2724 or email bseger<at>balmar.com.

Trojan In The Wild Exploits Recently Discovered Bug In Mac OS X Remote Management

Sunday, June 22nd, 2008

Security researchers from SecureMac have discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing it through iChat, Apple’s instant messaging and video chat software, and Limewire.

Researchers at SecureMac, a Mac-specific anti-virus vendor, discovered the Trojan on June 19. The Trojan, AppleScript.THT, was classified as a “critical” threat. SecureMac’s warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug.

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger’s and Leopard’s Remote Management component. Written as a compiled AppleScript or, in another variant, as a script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if it’s injected after a successful attack using another vulnerability, such as a browser bug.

Users can protect themselves by removing ARDAgent from its normal location, which is System/Library/CoreServices/RemoteManagement, and archiving the application. MacScan 2.5.2 (software from SecureMac) can also protect your system against this threat if you have the latest Spyware Definitions update (2008011), dated June 19th. SecureMac recommends that users download files only from trusted sources and sites.