CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for August, 2008

Hackers In Taiwan Compromised 50 Million Personal, Government And Firms Records

Thursday, August 28th, 2008

Taiwan’s Criminal Investigation Bureau (CIB) has successfully tracked down and arrested six people in what the CIB believes to be the biggest personal data breach in Taiwan to date. Apparently, the group also managed to obtain personal data on Taiwan’s current and former presidents.

The suspects are believed to have stolen more than 50 million records of personal data, including information about President Ma Ying-jeou, his predecessor Chen Shui-bian and police chief Wang Cho-chiun, a CIB official said. They then offered the information for sale at 300 Taiwan dollars (about US$10) per record, he said.

The hackers, based in Taiwan and China, also swindled victims out of millions of Taiwan dollars through their online bank accounts, he said. They face up to five years in prison on hacking and fraud charges.

An official at Taiwan’s Criminal Investigation Bureau said the hackers had tapped into data held by government agencies, state-run firms, telecom companies and a television shopping network. He called it the biggest hacking operation of its kind in Taiwan.

The announcement comes a week after China detected a sophisticated fake diploma scheme, where ten government databases were compromised.

Intel Update For BIOS Protects From Privilege Escalation Vulnerability Discovered By Rutkowska

Thursday, August 28th, 2008

Intel has shipped BIOS updates fixing a privilege escalation vulnerability presented by Joanna Rutkowska of Invisible Things Lab at the Black Hat briefings earlier this month; details of the exploit were withheld until Intel could release its patch.

The patch is rated important and is available for download. According to Intel’s advisory, software running with administrative (ring 0) privilege can under certain circumstances change code running in System Management Mode (SMM).

The update prevents a malicious user from modifying the software that runs in System Management Mode. SMM is a privileged operating environment that runs outside the control of the operating system (and of any hypervisor): code planted there is invisible to them and can perform any operation on the machine, which makes the SMM handler a far more attractive home for a rootkit than the kernel. Administrative-level privileges are required to exploit this issue. BIOS updates to correct it are available for all affected Intel-branded motherboards.

On Linux, kernel (ring 0) code execution is not strictly required to perform the attack: it is enough for the attacker to write to the PCI configuration space of device 0:0:0 (the host bridge), which a user-mode process can obtain through the iopl() system call. Note that iopl() itself requires root (CAP_SYS_RAWIO), so the point is that no kernel module or driver is needed, not that an unprivileged user can exploit the flaw.

Affected Intel motherboards: DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, DX38BT and MGM965TW (Mobile).

In its advisory, Intel provides a walk-through to help identify systems at risk and detailed instructions on updating your BIOS.

Simple Method Allows iPhone Passcode Lock To Be Bypassed

Thursday, August 28th, 2008

According to ZDNet, the feature that lets users set a four-digit passcode to limit access to the device can be bypassed with a few finger taps, giving an intruder access to sensitive information.

Here are the steps to reproduce the issue (physical access to a passcode-locked device is required); they yield access to the phone, e-mail and SMS messages, Google Maps and the full Safari browser:

Set up a passcode lock (Settings > General > Passcode Lock) and enter a 4-digit passcode; the iPhone then requires the passcode to unlock.

Set up contacts in the address book with e-mail addresses, phone numbers and Web sites, and add at least one of them to Favorites.

Turn the iPhone off and on again and move the slider to get to the “Enter Passcode” screen.

Tap the “Emergency Call” button (bottom left).

Double-tap the Home button.

This brings up the Favorites list, bypassing the passcode.

Tap the blue arrow next to a contact’s name to get full access to e-mail, SMS, Safari, etc.

Apple fixed this particular issue in iPhone and iPod touch software v1.1.3 back in January this year, but it affects iPhone and iPod touch 2.0, which means the January fix did not carry over into the newer software: a regression, not a new bug.

As a workaround, users should remove all Favorites until Apple ships a proper fix. Alternatively, set the Home button’s double-click action (Settings > General > Home Button) to “Home” instead of “Phone Favorites”, so that the double-tap no longer opens the Favorites list from the lock screen.

Malware Served Through Flash Exploits By MSN Norway

Thursday, August 28th, 2008

Morten Krakvik of the Norwegian Honeynet Project reports that MSN Norway is among the latest victims of malvertising, the practice in which a bogus advertising provider tricks major portals into accepting advertisements from its network, which then redirect visitors to live exploit URLs. The recent wave, which also hit Digg, MSNBC and Newsweek, closely resembles the February campaigns against popular sites such as Expedia, Excite, Rhapsody and MySpace. The only thing the malvertisers keep changing is the set of fake security software domains they push through their campaigns.

Vulnerable Flash Player versions, that is, everything before the 9.0.124.0 release that fixed this bug, are:

Adobe Flash 9.0.16
Adobe Flash 9.0.28
Adobe Flash 9.0.45
Adobe Flash 9.0.47
Adobe Flash 9.0.115

According to Krakvik’s analysis, the malicious ad came from bannersrotator.com, which is still active (do not visit it) and serving the malicious ad file tunnel28.swf. At the time of writing it is detected by 9 of 36 anti-virus scanners, as SWF:CVE-2007-0071 or SWF.Exploit. CVE-2007-0071 is an integer overflow in Flash Player’s handling of the DefineSceneAndFrameLabelData tag, fixed in Flash Player 9.0.124.0; a low detection rate on the SWF itself is normal, since the exploit file is trivial to re-obfuscate.

Users are advised to patch their operating system, browser and Flash Player, and to use browser extensions such as NoScript for Firefox, as we have mentioned countless times before.

Border Gateway Protocol Might Be Exploited On Previously Presumed To Be Unavailable Scale

Wednesday, August 27th, 2008

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency. The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper’s network. Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can’t always vacuum in traffic within a network, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs. When a user types a website name into his browser or clicks “send” to launch an e-mail, a Domain Name System server produces an IP address for the destination. A router belonging to the user’s ISP then consults a BGP table for the best route. That table is built from announcements, or “advertisements,” issued by ISPs and other networks — also known as Autonomous Systems, or ASes — declaring the range of IP addresses, or IP prefixes, to which they’ll deliver traffic.

BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton “Tony” Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn’t exploit a bug or flaw in BGP; it exploits the way BGP is meant to work. BGP’s architecture is based on trust: to make it easy, say, for e-mail from Sprint customers in California to reach Telefonica customers in Spain, these and other networks tell each other through BGP when they are the quickest, most efficient route to a destination, and BGP assumes that a router claiming to be the best path is telling the truth. That gullibility is what the eavesdropper exploits. Concretely, the attacker announces a more specific prefix covering the target addresses, so longest-prefix matching draws the traffic to its network, and prepends to the announcement’s AS path the ASes on its planned route back to the victim, so that those networks discard the bogus announcement through BGP’s loop detection and keep a clean path to the real destination along which the intercepted traffic can be forwarded.
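To make the mechanics concrete, here is a small simulation added to this post (it is not code from the Wired article or from Pilosov and Kapela; the ASNs are from the documentation range and the prefixes are constructed) of three routers: the victim’s upstream provider, “the rest of the internet”, and the eavesdropper. It models only longest-prefix forwarding, shortest-AS-path selection and AS-path loop detection, which is enough to show why the hijack pulls in traffic everywhere except along the padded return path, and what goes wrong when the attacker does not pad it.

```python
"""Toy BGP model of the interception technique described above.

Added illustration, not code from the Wired article or from Pilosov/Kapela.
ASNs are from the documentation range (64496-64511) and the prefixes are
constructed; only longest-prefix forwarding, shortest-AS_PATH selection and
AS_PATH loop detection are modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # next-hop AS first, originating AS last


class Router:
    """One BGP speaker holding its best route per prefix."""

    def __init__(self, asn):
        self.asn = asn
        self.rib = {}  # prefix -> Route

    def receive(self, route):
        """Install `route` if acceptable; return True if it became best."""
        # Loop prevention: a path that already contains our own ASN is dropped.
        if self.asn in route.as_path:
            return False
        current = self.rib.get(route.prefix)
        if current is None or len(route.as_path) < len(current.as_path):
            self.rib[route.prefix] = route
            return True
        return False

    def advertise(self, prefix):
        """The route we would pass to a neighbour: our own ASN prepended."""
        best = self.rib[prefix]
        return Route(best.prefix, (self.asn,) + best.as_path)

    def next_hop_as(self, address):
        """Forwarding decision: the longest matching prefix wins."""
        addr = ipaddress.IPv4Address(address)
        candidates = [r for p, r in self.rib.items() if addr in p]
        best = max(candidates, key=lambda r: r.prefix.prefixlen, default=None)
        return None if best is None else best.as_path[0]


VICTIM, UPSTREAM, INTERNET, ATTACKER = 64496, 64497, 64498, 64499
VICTIM_BLOCK = ipaddress.IPv4Network("10.10.0.0/16")  # constructed
HIJACKED = ipaddress.IPv4Network("10.10.5.0/24")       # more-specific slice of it


def simulate(pad_return_path=True):
    """Return where traffic for a hijacked address is forwarded at each AS.

    pad_return_path=True is the Pilosov/Kapela trick: the attacker prepends
    the ASes of its planned path back to the victim onto the forged AS_PATH,
    so those ASes reject the hijack via loop detection and keep a clean route
    to the real destination.
    """
    upstream = Router(UPSTREAM)   # the victim's transit provider
    internet = Router(INTERNET)   # everyone else, reached through here

    # Legitimate announcement: victim -> upstream -> rest of the internet.
    upstream.receive(Route(VICTIM_BLOCK, (VICTIM,)))
    internet.receive(upstream.advertise(VICTIM_BLOCK))

    # Attacker announces a more-specific prefix for part of the victim's space.
    forged = (ATTACKER, UPSTREAM, VICTIM) if pad_return_path else (ATTACKER,)
    internet.receive(Route(HIJACKED, forged))
    # The internet re-advertises its new best /24 to the victim's upstream.
    upstream_took_hijack = upstream.receive(internet.advertise(HIJACKED))

    target = "10.10.5.7"
    return {
        "internet_forwards_to": internet.next_hop_as(target),
        "upstream_accepted_hijack": upstream_took_hijack,
        "upstream_forwards_to": upstream.next_hop_as(target),
        "untouched_address_goes_to": internet.next_hop_as("10.10.200.1"),
    }


if __name__ == "__main__":
    for padded in (True, False):
        label = "padded return path" if padded else "naive hijack"
        print(label, simulate(padded))
```

With the padded path, the rest of the internet hands 10.10.5.7 to the attacker (64499) while the victim’s upstream has rejected the bogus /24 and still forwards it to the victim, so the attacker can relay the traffic onward. Without the padding, the upstream accepts the /24 too and would send the attacker’s relayed packets straight back toward the attacker: a routing loop instead of a quiet tap. The model accepts whatever any router announces, which is exactly the trust problem described above; the practical defence is for providers to filter what their customers may announce.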

Credit: Wired Blog Network

Computer Worm Infects International Space Station Laptops

Wednesday, August 27th, 2008

NASA has confirmed that a password-stealing computer worm managed to find its way onto laptops aboard the International Space Station. It is not the first time a NASA computer has become infected.

SpaceRef.com identified the infection as W32.Gammima.AG, a worm that spreads by copying itself to removable media. Once in place, it steals passwords to various online games, according to anti-virus vendor Symantec, which first spotted the worm 12 months ago.

The infected machines were not considered mission critical, meaning they were not responsible for command and control, although the NASA spokesman could not say whether the infected laptops were connected to mission-critical systems. Spokesman Kelly Humphries downplayed the news, calling the worm mainly a “nuisance” on non-critical space station laptops used for things like e-mail and nutritional experiments. NASA and its space station partners are now trying to work out how it got on board and how to prevent a recurrence, according to Humphries.

Because more than one laptop was infected, the likely vector is the station’s internal network or a shared removable drive, which is consistent with how this worm propagates.

CERT Warns About Phalanx Attacks Against Linux Servers

Wednesday, August 27th, 2008

The US Computer Emergency Readiness Team (US-CERT) is warning about attacks in the wild against Linux systems using compromised SSH keys. The attacks appear to use stolen SSH keys to gain a foothold on a targeted machine and then obtain root by exploiting kernel vulnerabilities. The attackers then install a rootkit known as Phalanx2, which scours the newly infected system for additional SSH keys. As new SSH keys are stolen, new machines become candidates for attack.

The US-CERT advisory makes no mention of the flaw in Debian’s OpenSSL random number generator, but that is most likely the starting point for the attack. The flaw left SSH and SSL keys generated on Debian-derived systems over more than a year so predictable that they can be brute-forced from a tiny keyspace in a matter of hours. Debian fixed the flaw in May.

Once a Linux server using a weak key is identified and rooted, it quickly gives up the keys it uses to connect to other servers. Even if those keys are not themselves affected by the Debian bug, an attacker holding the private half can log in to every server whose authorized_keys file trusts it, and a stolen key with no passphrase is usable immediately. Additionally, attackers can identify other servers that have connected to, or been connected to from, the infected machine (known_hosts files, logs and shell histories), information that may enable additional breaches.

Phalanx2 appears to be an offshoot of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Fortunately, Phalanx2 is relatively easy to detect. One tell-tale sign: typing “ls” at a command prompt fails to show a directory “/etc/khubd.p2/” even though it can be entered with the “cd” command. Additionally, the “/dev/shm/” directory may contain files used in the attack. Keep in mind that a rootkit can lie to any tool run on the compromised host, so a negative result from the live system is weaker than a check made from a clean boot or from a trusted copy of the disk.
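As an added example (not part of the US-CERT advisory or its tooling), the following Python script turns those two indicators into checks that can be run from a cron job or an incident-response kit. It relies on the asymmetry the advisory describes, namely that the hidden directory is reachable by path but absent from a directory listing, and adds a second, name-independent check: on ext2/3/4 and tmpfs a directory’s link count equals two plus its number of subdirectories, so a listing that comes up short implies something is being hidden from readdir(). The paths /etc/khubd.p2 and /dev/shm come from the advisory text; nothing else here is a Phalanx2 signature.

```python
"""Checks for a readdir()-hiding rootkit, after the Phalanx2 indicators above.

Added example, not part of the US-CERT advisory. It relies on the asymmetry
the advisory reports: the hidden directory is invisible to a listing (readdir)
but still reachable by path (stat/chdir). KHUBD_DIR and SHM_DIR are taken from
the indicator text; nothing here identifies Phalanx2 by signature.
"""
import os
import stat

KHUBD_DIR = "/etc/khubd.p2"  # indicator named in the advisory
SHM_DIR = "/dev/shm"


def hidden_entries(parent, suspect_names):
    """Names reachable by path under `parent` but absent from its listing."""
    listed = set(os.listdir(parent))
    return {
        name for name in suspect_names
        if os.path.lexists(os.path.join(parent, name)) and name not in listed
    }


def hidden_subdir_count(parent):
    """Subdirectories the link count says exist but readdir() does not show.

    On ext2/3/4 and tmpfs a directory's st_nlink is 2 + its subdirectory
    count, so a surplus means a subdirectory is hidden from the listing.
    Returns None on filesystems that do not maintain this count (nlink < 2).
    """
    nlink = os.lstat(parent).st_nlink
    if nlink < 2:
        return None
    visible = 0
    for name in os.listdir(parent):
        try:
            # lstat: a symlink to a directory does not add to the link count
            if stat.S_ISDIR(os.lstat(os.path.join(parent, name)).st_mode):
                visible += 1
        except OSError:
            continue
    return nlink - 2 - visible


def shm_inventory(path=SHM_DIR):
    """Regular files in a shared-memory directory: (name, uid, mode, size)."""
    items = []
    if not os.path.isdir(path):
        return items
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISREG(st.st_mode):
            items.append((name, st.st_uid, oct(stat.S_IMODE(st.st_mode)), st.st_size))
    return items


if __name__ == "__main__":
    parent, name = os.path.split(KHUBD_DIR)
    for hit in hidden_entries(parent, [name]):
        print("HIDDEN from listing but present:", os.path.join(parent, hit))
    surplus = hidden_subdir_count(parent)
    if surplus and surplus > 0:
        print(f"{parent}: link count implies {surplus} subdirectory(ies) not shown by readdir()")
    for entry in shm_inventory():
        print("/dev/shm file:", entry)
```

Run it as root; /dev/shm is expected to be nearly empty on a server, so any regular file there deserves a look at its owner and contents. If the rootkit also hooks stat(), both checks go quiet, which is why the advice above to verify from a clean boot still stands.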

System administrators should have dealt with the weak-key problem long ago; if they have not, someone will “patch” their systems for them. To mitigate the risk from this attack, US-CERT recommends:

Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.

Encourage users to protect keys with a passphrase or password to reduce the risk if a key file is stolen.

Review access paths to internet facing systems and ensure that systems are fully patched.

If a compromise is confirmed, US-CERT recommends:

Disable key-based SSH authentication on the affected systems, where possible.

Perform an audit of all SSH keys on the affected systems.

Notify all key owners of the potential compromise of their keys.
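The following script, added here as an illustration rather than tooling from US-CERT, implements the first of those recommendations and the audit step for a single home directory: it lists private keys that have no passphrase, keys readable by other users, the identities in authorized_keys that could have been used to get in (and whether they are restricted with from=), and the hosts in known_hosts that an intruder on this machine would try next. It assumes the PEM-format private keys that ssh-keygen writes today, where passphrase protection shows up as a Proc-Type: 4,ENCRYPTED header; it does not (and cannot, without the Debian blacklist data) tell whether a key is one of the weak Debian-generated ones, and the key bodies used when testing it are constructed placeholders, not real keys.

```python
"""Audit of SSH key material in a home directory, per the US-CERT advice above.

Added example, not the advisory's own tooling. Assumes PEM private keys as
written by ssh-keygen in 2008 (passphrase protection shows as a
'Proc-Type: 4,ENCRYPTED' header). It does not detect weak Debian keys.
"""
import stat
from pathlib import Path

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def is_private_key(text):
    return "PRIVATE KEY-----" in text


def has_passphrase(text):
    """PEM keys written by ssh-keygen carry this header only when encrypted."""
    return "Proc-Type: 4,ENCRYPTED" in text


def parse_authorized_keys(text):
    """Yield (has_from_restriction, key_type, comment) for each key line.

    Options such as from="..." or command="..." precede the key type; options
    whose values contain spaces are not handled by this simple split.
    """
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None:
            continue
        options = " ".join(fields[:idx])
        comment = " ".join(fields[idx + 2:]) or "(no comment)"
        yield ("from=" in options, fields[idx], comment)


def parse_known_hosts(text):
    """Host fields from known_hosts; hashed entries (|1|...) stay opaque."""
    hosts = []
    for line in text.splitlines():
        fields = line.strip().split()
        if fields and not fields[0].startswith("#"):
            hosts.append(fields[0])
    return hosts


def audit_home(home):
    """Report on ~/.ssh of one user; every list is empty if there is nothing."""
    ssh_dir = Path(home) / ".ssh"
    report = {"unencrypted_keys": [], "bad_perms": [],
              "authorized": [], "known_hosts": []}
    if not ssh_dir.is_dir():
        return report
    for f in sorted(ssh_dir.iterdir()):
        if not f.is_file():
            continue
        try:
            text = f.read_text(errors="replace")
        except OSError:
            continue
        if is_private_key(text):
            # group/other bits set: the key can be copied by other local users
            if stat.S_IMODE(f.stat().st_mode) & 0o077:
                report["bad_perms"].append(str(f))
            if not has_passphrase(text):
                report["unencrypted_keys"].append(str(f))
        elif f.name == "authorized_keys":
            report["authorized"].extend(parse_authorized_keys(text))
        elif f.name == "known_hosts":
            report["known_hosts"].extend(parse_known_hosts(text))
    return report


if __name__ == "__main__":
    homes = [Path("/root")] + [p for p in Path("/home").glob("*") if p.is_dir()]
    for home in homes:
        result = audit_home(home)
        if any(result.values()):
            print(home)
            for kind, items in result.items():
                for item in items:
                    print(f"  {kind}: {item}")
```

Run it as root so that every user’s .ssh directory is readable. Every key it lists under unencrypted_keys is one an attacker can use the moment it is copied, so those are the keys to rotate first and to restrict with from= and command= on the servers that accept them; the known_hosts output is the list of machines to check next if this host turns out to be compromised.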

Best Western Hotel Online Booking Breached, 8 Million Victims In Personal Data Theft

Monday, August 25th, 2008

A criminal gang has stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8 billion in illegal funds, the Sunday Herald reports. On Thursday night an unknown hacker, possibly Indian, breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007. With eight million people staying in the hotel group’s 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center’s reports that the average victim of internet crime loses £356, they are sitting on a potential haul of at least £2.84bn.

Amounting to a complete identity-theft kit, the stolen data reportedly includes home addresses, telephone numbers, credit card details and place of employment. The hacker seems to have bypassed the system’s security software and placed a Trojan on one of the Best Western machines used for reservations; the next time a member of staff logged in, her username and password were captured.

The stolen login details were then put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime and offers heavily guarded and untraceable hosting services with no questions asked for criminal activity. Once the information was online, experts estimate that it would take less than an hour to write and run software capable of harvesting every record on Best Western’s European reservation system.

Although the security breach was closed on Friday, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies. There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that’s been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there’s enough data there to spark a major European crime wave. Armed with the numbers and expiry dates of customers’ credit cards, fraudsters are equipped to make multiple high-value purchases in their victims’ names before selling on the goods.

The stolen data might also be used by professional organised criminal gangs which specialise in identity theft to apply for loans, cards and credit agreements in the victims’ names. Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell “burglary packs”, giving the home addresses of local victims and the dates on which they are expected to be away from their home.

Best Western Hotels closed the breach at around 2pm on Friday afternoon. Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action. The investigation also includes the third-party website that allegedly facilitated the illegal exchange of information.

Concerned clients are advised to contact Best Western customer service at 0800 528-1238.

Credit: Sunday Herald

Update (August 29): Best Western rejected claims that it had suffered a massive compromise of customer details. Best Western confirmed on Tuesday that it had suffered a breach at one of its German hotels, but denied Sunday Herald claims that every customer using Best Western European hotels since 2007 had had their booking details compromised.

“We can confirm that on 21 August, 2008, three separate attempts were made via a single logon ID to access the same data from a single hotel,” said Best Western in a statement. “The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s antivirus software.”

Best Western insisted that the compromised login ID only permitted access to reservations data for the Berlin hotel. Moreover, Best Western said the login ID was immediately terminated, and the computer in question had been removed from use.

While the Sunday Herald estimated that eight million people had been affected by the hack, Best Western claimed that only 10 customers had been affected. Moreover, Best Western said that it “purges reservations data within seven days of guest departure, thereby limiting potential data exposure”. The company added that it was working with the FBI and international authorities to investigate the incident further.

Red Hat Releases Critical OpenSSH Update After Detection Of Server Intrusion

Sunday, August 24th, 2008

More than a week after a cryptic note hinted at a security breach at Fedora, the project has confirmed that two separate server intrusions affected Fedora’s and Red Hat’s infrastructure, including the systems used to sign Red Hat’s OpenSSH packages. Red Hat warned that intruders were able to commandeer its systems and sign tampered code, but said that since its content distribution network was not hit, it is confident that no polluted code was served to users.

The first hint that something was wrong came last week when Fedora rebuilt its systems, a reconstruction accompanied by extended outages. Fedora packages were not tampered with, but a small number of Red Hat Enterprise Linux OpenSSH packages were signed by the as yet unidentified intruders.

According to a critical security advisory issued on Friday, Red Hat detected an intrusion on certain of its computer systems and took immediate action. While checks on its content distribution networks came back clean, the investigation showed that an intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

Affected Products:

Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

As a precautionary measure, Red Hat released updated versions of these packages and published a list of the tampered packages and how to detect them. Because the intruder signed the rogue packages with Red Hat’s own key, an ordinary signature check (rpm -K) will not flag them; detection depends on comparing installed package versions and checksums against that published list.

In a parallel posting to the Fedora announce mailing list early on Friday morning Paul Frields, Fedora project leader, confirmed that an intrusion by computer hackers had prompted the unprecedented rebuild by the Linux distribution, which is sponsored by Red Hat.

Among the compromised Fedora servers was a machine used for signing Fedora packages. Following a forensic examination, the Linux distribution is convinced that hackers were not able to capture the passphrase used to secure the Fedora package signing key. The passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

As a precaution, Fedora has changed its signing key. Access to the key would have potentially allowed hackers to offer up code with built-in backdoors carrying the Fedora hallmark, the risk Red Hat is grappling with in the case of the doctored OpenSSH packages.

Fedora has carried out checks that suggest the integrity of its packages and source code have not been affected by the breach. It said it was simply playing it safe when it advised users to hold off from downloads last week, a piece of advice that stoked speculation that a security breach was behind the then unexplained outage.

The company said its processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.

The company insists the effects of the intrusion on Fedora and Red Hat are not the same. The Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages. Furthermore, the Fedora package signing key is also not connected to, and is different from, the one used to sign community Extra Packages for Enterprise Linux (EPEL) packages.

Red Hat shipped a critical OpenSSH update to RHEL users that mentions an “intrusion on certain computer systems that compromised some OpenSSH packages”. Red Hat has also released a shell script that lists the affected packages and verifies that none of them are installed on a system.

Over 400 Calls Made Using Hacked Federal Emergency Management Agency PBX Network

Thursday, August 21st, 2008

A hacker broke into a Homeland Security Department telephone system over the weekend and racked up about $12,000 in calls to the Middle East and Asia. The hacker made more than 400 calls on a Federal Emergency Management Agency (FEMA) voicemail system in Emmitsburg, Md., on Saturday and Sunday, according to FEMA spokesman Tom Olshanski.

The calls, lasting from three to ten minutes, were placed through FEMA’s PBX network; the breach was made possible by an insecurely configured Private Branch Exchange system. FEMA is part of Homeland Security, which in 2003 put out a warning about this very vulnerability.

Calls were made to locations such as Afghanistan, Saudi Arabia, India and Yemen; Sprint originally detected the compromise and blocked all outgoing long-distance calls from the location. It appears that the hole was left open by the contractor while the voicemail system was being upgraded. At this point it is unknown who the contractor was or which hole specifically was left open. The hole has since been closed.

It is possible that the hacker did not even know he was using FEMA’s network: scanning for exposed, poorly configured phone systems is easily automated, and this kind of low-tech attack was popular 10 to 15 years ago. In 2003, Homeland Security and the FBI investigated multiple reports of private industry being breached by these types of hackers. “This illegal activity enables unauthorized individuals anywhere in the world to communicate via compromised U.S. phone systems in a way that is difficult to trace,” according to a department information bulletin from June 3, 2003.

FEMA’s chief information officer is investigating who hacked into the system and where exactly the calls were placed to.

Credit: AP, MSNBC