Google has added a new “Browser Connection” feature to GMail that allows users to force e-mail sessions to always use the more secure “https” (Hypertext Transfer Protocol Secure) protocol. HTTPS is a secure protocol that provides authenticated and encrypted communication. For some reason, this option is turned off by default and the user must enable it.
In the Settings tab, at the bottom, GMail users can now select an “Always use https” option for stronger security, especially when connecting via Wi-Fi. This should help reduce exposure to things like sidejacking and cookie theft attacks.
According to Google, if you sign in to GMail via a non-secure Internet connection, like a public wireless or non-encrypted network, your Google account may be more vulnerable to hijacking. Non-secure networks make it easier for someone to impersonate you and gain full access to your Google account, including any sensitive data it may contain, like bank statements or online log-in credentials. The “Always use https” option in Gmail is recommended any time your network may be non-secure.
According to some reports, users of the GMail mobile application might see errors when connecting over HTTPS.
Days after details of a critical bug in the Domain Name System (DNS) software went public, researchers released attack code that can silently redirect users to unintended sites. Internet security experts warn that this code may give criminals a way to launch virtually undetectable phishing attacks against Internet users whose service providers have not installed the latest DNS server patches. Attackers could also use the code to silently redirect users to fake software update servers in order to install malicious software on their computers.
HD Moore, the creator of the Metasploit penetration testing framework, and a hacker who goes by the alias “I)ruid,” published the attack code in two parts yesterday and today to several security mailing lists and to the Computer Academic Underground Web site.
The two exploits do essentially the same thing: they both poison a DNS server’s cache, and therefore can, at least temporarily, replace the legitimate addresses in that cache with bogus destinations. Users steering to what they believe are valid sites could, if they pull the routing information from a victimized DNS server, be sent instead to a fake site such as a phony banking site, where they could easily be duped into divulging confidential information.
The first exploit allows an attacker to poison a DNS server’s cache with a single malicious entry. The new attack code allows a hacker to poison large numbers of domains in one fell swoop. This second exploit has the potential for a much larger impact and could result in thousands of fake addresses being inserted into a DNS server’s cache. The exploits have been added to the Metasploit framework, but at the moment can be launched only from systems running Linux.
Tuesday’s single-entry exploit gives attackers more anonymity, while today’s exploit requires the attacker to operate a real DNS server. The DNS requests could be traced back to that fake server and it could then be taken offline by, for instance, its hosting provider.
The DNS cache-poisoning bug exploited by Moore’s and I)ruid’s attack code was first announced earlier this month by Dan Kaminsky, director of penetration testing at Seattle-based IOActive Inc. The bug, which Kaminsky uncovered earlier this year, was patched that same day by several major vendors, including Cisco Systems Inc., Internet Systems Consortium Inc. and Microsoft Corp.
Although Kaminsky declined to publicly disclose technical information, he briefed several fellow security researchers after he was criticized for overstating the seriousness of the threat. Those researchers recanted, and said Kaminsky’s research was on target.
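Cache poisoning of this kind works by flooding a resolver with forged answers that guess the 16-bit transaction ID, so on the defender’s side a burst of responses whose IDs match no outstanding query is the tell-tale sign. The following Python sketch is an added example (not code from Metasploit, the researchers named above, or any vendor); the log format, addresses and names are constructed, and a real resolver would need to expose such events via its logs or a packet capture.

```python
import re
from collections import defaultdict

# Constructed resolver log (not from any real deployment): one line per inbound
# DNS response, recording whether its transaction ID matched an open query.
SAMPLE_LOG = """\
1216119600.001 src=198.51.100.7 qname=www.example.com. txid=0x4a1f match=yes
1216119600.120 src=203.0.113.9 qname=www.example.com. txid=0x0001 match=no
1216119600.121 src=203.0.113.9 qname=www.example.com. txid=0x0002 match=no
1216119600.122 src=203.0.113.9 qname=www.example.com. txid=0x0003 match=no
1216119600.123 src=203.0.113.9 qname=www.example.com. txid=0x0004 match=no
1216119600.124 src=203.0.113.9 qname=www.example.com. txid=0x0005 match=no
1216119600.125 src=203.0.113.9 qname=www.example.com. txid=0x0006 match=no
1216119600.126 src=203.0.113.9 qname=www.example.com. txid=0x0007 match=no
1216119600.127 src=203.0.113.9 qname=www.example.com. txid=0x0008 match=no
1216119605.500 src=198.51.100.7 qname=mail.example.com. txid=0x7c3d match=yes
1216119700.000 src=192.0.2.44 qname=cdn.example.net. txid=0x1111 match=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) src=(?P<src>\S+) qname=(?P<qname>\S+) "
    r"txid=0x(?P<txid>[0-9a-fA-F]{1,4}) match=(?P<match>yes|no)$")

def parse_log(text):
    """Parse log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = float(d["ts"])
        d["txid"] = int(d["txid"], 16)
        d["match"] = d["match"] == "yes"
        events.append(d)
    return events

def detect_poisoning_bursts(events, window=1.0, threshold=6):
    """Return (src, qname, count) for every source that sent >= threshold
    responses with unmatched transaction IDs for one name inside any
    `window` seconds. A legitimate server answers once; a poisoner has to
    guess the 16-bit ID and so sends many wrong answers in a short burst."""
    mismatched = defaultdict(list)
    for e in events:
        if not e["match"]:
            mismatched[(e["src"], e["qname"])].append(e["ts"])
    alerts = []
    for (src, qname), times in mismatched.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((src, qname, best))
    return sorted(alerts)
```

The lone stray mismatch from 192.0.2.44 stays below the threshold, while the eight guesses from 203.0.113.9 inside ten milliseconds are reported.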
Security researcher Aviv Raff has discovered a pair of basic design flaws that could allow malicious phishing and spamming attacks on your iPhone. According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL spoofing vulnerability which allows attackers to conduct phishing attacks. iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Earlier versions might also be affected.
By creating a specially crafted URL and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the Mail application, is from a trusted domain (e.g. a bank, PayPal, social networks, etc.). When the URL is clicked, the Safari browser is opened. The spoofed URL, shown in the address bar of the Safari browser, will still appear to the victim as if it belonged to a trusted domain.
According to Raff, Apple has acknowledged the vulnerability in the Mail application and is still investigating the issue in Safari for iPhone. Apple has also acknowledged that the iPhone’s Mail application is “spammable” and that this is a security issue.
Until a fix is available, users should avoid clicking on links in the Mail application which refer to trusted web sites. Instead, a user should enter the URL of the website manually in the Safari application. iPhone users should consider not using the Mail application until Apple fixes this issue, unless they don’t mind being spammed.
Those security flaws might already be exploited in the wild. Proof-of-concept code for both vulnerabilities has been reported to be available.
Heinemann-Raintree, publishers of PreK-Secondary nonfiction books for the library and classroom, maintains websites where customers can purchase products online. In January 2007, an unauthorized person was able to obtain access to the database that contains the product information used by the Heinemann-Raintree websites. Heinemann-Raintree informed their customers about this breach in a letter sent on July 15, 2008, signed by Graham Shaw, the President of the company. Affected sites are www.heinemanraintree.com, www.heinemannlibrary.com, and www.heinemannclassroom.com.
The breach allowed the intruder to view information appearing on the websites, including information provided by customers who bought Heinemann-Raintree products on the sites. As a result, some person may have been able to view customers’ names, billing and shipping addresses, payment methods, and credit-card numbers.
When the company learned of this unauthorized access, they immediately discontinued operation of the websites, on a temporary basis, and corrected the problem that was allowing the unauthorized access. The websites are now secure and up and running.
As a result of this unauthorized access, it is possible that customers’ credit card information could be misused, although at this time the company has seen no evidence that this has occurred. The credit card processor has been notified of this incident.
Heinemann-Raintree also recommends that affected customers contact their credit card issuer and arrange a new credit card. For questions about this incident, customers can contact the Heinemann-Raintree Customer Service Center at (888) 454-2279.
According to Zone-h.org, the official Malaysian Kaspersky Antivirus website was hacked yesterday by a Turkish cracker. Along with it, the same cracker hacked the official Kaspersky online shop and several of its other subdomains. The attacker reported “patriotism” as the reason behind the attack. SQL injection appears to have been the technical means of intrusion.
Both websites had their home pages defaced, as well as several other secondary pages. The incident, though appearing to be a simple website defacement, might carry big risks for end users, because evaluation copies of Kaspersky Antivirus are distributed to the public from both websites. In theory, the attacker could have uploaded trojan-infected versions of the antivirus, infecting unaware users who downloaded from what they trusted to be Kaspersky’s file repository.
According to Zone-h’s archive, since 2000 there have been 36 web site defacements of international Kaspersky sites, with Kaspersky’s French site getting hacked numerous times during the last few years. No malicious software was served in those incidents, but it looks like an ongoing trend of web site defacements.
There’s no indication of a malware attack at the site and it seems that users are not at risk in this case. Nevertheless, the attack should be taken very seriously since it could result in a situation where a security vendor’s site is infecting its visitors with malware. Kaspersky.com.my remains offline, presumably in an attempt to audit the site for web application vulnerabilities before putting it back online.
Steven Adair from Shadowserver reports a multi-pronged distributed denial of service (DDoS) attack against the website of President of Georgia, Mikhail Saakashvili (www.president.gov.ge). For over 24 hours the website has been rendered unavailable. The attack began very early Saturday morning (Georgian time). Shadowserver has observed at least one web-based command and control (C&C) server taking aim at the website hitting it with a variety of simultaneous attacks. The C&C server has instructed its bots to attack the website with TCP, ICMP, and HTTP floods.
The server [62.168.168.9] which houses the website has been largely offline since the attack started. Passive DNS records show the system houses several other websites which are mostly unrelated to the Georgian government. However, the server does also host the Social Assistance and Employment State Agency website (www.saesa.gov.ge). This website along with the others on the host have been rendered inaccessible.
The C&C server involved in these attacks is on the IP address 207.10.234.244, which is located in the United States. Shadowserver recommends blocking and/or monitoring for traffic to this address. Currently it appears the hosting provider for 207.10.234.244 has taken action against this system and now appears to be blocking access to it. However, the server being targeted by the C&C is still unreachable.
DDoS attacks against various other neighbors of Russia, including Estonia, have been quite common in the last few years. We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders. On top of that, the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia.
Update (July 22): Georgian authorities denied this attack. According to Interfax, Georgian press center claimed that the website worked without difficulties and the reports about a DDoS attack are false.
More than two weeks ago Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. Microsoft began investigating active, targeted attacks leveraging this potential vulnerability. Recently, Symantec honeypots began detecting the vulnerability in the Access Snapshot Viewer ActiveX control exploited in a Neosploit wrapper. The Neosploit toolkit is an advanced exploit framework to compromise web site visitors.
The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.
The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.
An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
This vulnerability was recently added into a new version of Neosploit. The attack consists of an encrypted block that is similar to some of the Mpack variants. This primary encoder serves the Access Snapshot exploit. Once this exploit has been attempted, the user is presented with a malicious iframe, which redirects the user to a copy of Neosploit. This adds an Access Snapshot exploit to the Neosploit repertoire, albeit in an unusual way. According to Symantec, this method of adding an exploit to Neosploit was chosen because the author does not control the source of Neosploit.
As is the case with most of these ActiveX attacks, they are being served by traditional Web sites that have themselves fallen victim to automated SQL injection attacks. Among those sites there are top-visited government, commercial, and hobby sites. The sites fall victim to SQL injection attacks and subsequently begin serving exploits to each of their visitors.
It is recommended that all Internet Explorer users, including those who do not have the Access Snapshot viewer installed, update their IPS signatures and set the kill bits mentioned in this Microsoft Security Bulletin. Switching from Internet Explorer to Firefox or Opera would also help you avoid this vulnerability (and probably many others).
During the first two weeks of July 2008, Finjan detected over 1,000 unique website domains that were compromised by the Asprox toolkit attack. Each of the compromised domains included a reference to malware that was served from over 160 different domains across the Internet. Since the list of these malware-serving domains grows every day, this might be just the tip of the iceberg for the scope and impact of this attack.
Among the compromised websites Finjan found websites of respectable organizations, governmental institutes, healthcare organizations and other high-ranked websites. The malicious code is still being served by most of the websites and the toolkit is still in use.
Among the many websites that were compromised, there are various advertisement networks that were also used to direct users to compromised advertisements. One of the advertisement networks was atdmt.com, which Microsoft plans to acquire as part of Microsoft’s Advertiser and Publisher Solutions Group.
Among compromised legitimate websites (on some of them the malicious code no longer exists) there are government websites:
marysville.ca.us, the official website of the City of Marysville, registered by Marysville Police Department.
www.censocultural.ba.gov.br, the official website of the cultural data bank of the Department of Culture and Tourism of the State of Bahia, Brazil.
www.sfgov.org, official website of the government of the City and County of San Francisco.
Compromised healthcare websites:
nhs.uk, the official website of the National Health Service in the UK.
samedical.org, the official website of the South African Medical Association.
Other compromised legitimate websites:
Cocacolabrazil.com
Snapple.com, one of the largest soft drink makers in the US
uci.edu, official website of the University of California
The Baltimore Times Website
BMW official site in Mexico
Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain. These domains are part of a fast-flux network hosted on the botnet itself, a technique also widely used by the well-known Storm botnet.
The attack toolkit is designed to inject a <script> tag into legitimate [.asp] webpages. Each of the 160 different domains hosting the .js points to the location of the malicious file, which was unique to each and every one of them. The malicious script exploits several vulnerabilities on the victim’s machine in order to heighten the chances of successful exploitation: the MDAC vulnerability, the QuickTime rtsp vulnerability, and the AOL SuperBuddy ActiveX control code execution vulnerability. Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine.
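Because the injected reference loads a script from a domain the site does not own, a page that otherwise only loads its own scripts makes the Asprox-style tag stand out. The following Python scan is an added example (not Finjan’s tooling or any code from the affected sites); the page snippet, site and host names are constructed, and the allowlist stands in for whatever third-party script hosts a site legitimately uses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed snippet standing in for a compromised .asp page: two legitimate
# script tags (one relative, one on a known CDN) and one injected tag pointing
# at an off-site .js. Host names are documentation examples, not real domains.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="/scripts/menu.js"></script>
<script src="http://static.example.org/lib/jquery.js"></script>
</head><body><h1>Catalogue</h1>
<script src='http://badhost.example/x.js'></script>
</body></html>"""

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def same_site(host, site_host):
    """True if host is site_host itself or one of its subdomains."""
    site_host = site_host.lower()
    return host == site_host or host.endswith("." + site_host)

def find_external_scripts(html, site_host, allowlist=()):
    """Return script URLs whose host is neither the page's own site nor on the
    allowlist. Relative paths are served by the site and are never flagged."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    suspicious = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative src: same origin as the page
        host = host.lower()
        if same_site(host, site_host):
            continue
        if any(same_site(host, allowed) for allowed in allowlist):
            continue
        suspicious.append(src)
    return suspicious
```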
Roaring Penguin Software Inc. analysis shows that spam coming from top free email providers (Gmail, Yahoo Mail and Hotmail) is increasing. Three weeks of spam data research, from June 13 to July 3, 2008, reveal that spammers are abusing Gmail’s privacy-preserving feature of not including the sender’s original IP address in outgoing emails.
Spammers are increasingly using free e-mail providers to avoid IP address-based reputation systems. These systems track mail sent by various IP addresses and assign each IP address a rating. Some anti-spam software operates largely or exclusively on the basis of the IP address rating.
Roaring Penguin’s data shows that between June 13 and July 3, the percentage of US-originated spam originating from the top 3 free e-mail providers rose from about 2% to almost 4%. Roaring Penguin believes that spammers are using Google’s service in particular to send spam, relying on the fact that blacklisting Google’s servers is impractical for most organizations. According to their data, the probability that an e-mail originating from a Google server is spam rose from 6.8% on June 13 to 27% (!) on July 3.
Spammers and phishers are interested in the clean IP reputation of free email providers and in the ability to freely create multiple bogus accounts, which are registered automatically by breaking the CAPTCHA-based protection. A CAPTCHA is a test designed to tell humans apart from computers (spam bots). It typically involves typing a word seen in an image or heard on an audio recording. All this allows them to reach the widest possible audience and ensure the successful delivery of their spam/scam.
David Skoll, CTO of Roaring Penguin Software, said: “The effectiveness of IP address-based reputation systems has increased the market value of a good IP address, making spam gangs concentrate their development efforts on breaking CAPTCHAs to create free e-mail addresses from which to spam. We predict a gradual but long-term decline in the effectiveness of IP address reputation systems.”
Patients at a Greensboro doctors’ office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May. In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen. The letter was dated June 16, but some letters weren’t postmarked until July 9.
The medical practice said a backup tape of patient information was stolen on May 29 from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients’ names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members. The tape did not include treatment or specific medical data. The data was not encrypted, but Greensboro Gynecology Associates said the stolen data isn’t likely to be accessed.
The practice at 719 Green Valley Road Suite 305 said personal information for its physicians and other staff members also was on the stolen tape.
It is unclear how many patients were affected, how the theft occurred and whether anything else was taken. The practice’s letter said the theft had been reported to police. However, officials with the Greensboro Police Department and the Guilford County Sheriff’s Office said they had no such report on file.
Greensboro Gynecology Associates said they are consulting with computer security experts to prevent similar thefts in the future.