Opera Software has updated its Web browser with fixes for at least seven documented security problems. Details of one more vulnerability, a cross-site scripting issue reported by Chris Weber, currently remain undisclosed.
Opera warned that one of the seven flaws is rated “extremely severe” because of the risk of arbitrary code execution.
Improvements and fixes included in Opera 9.52 are:
1. (extremely severe): When Opera is registered as a handler for a given protocol, it can be started by external applications. In some cases, being started in this way can cause Opera to crash. To inject code, additional techniques will have to be employed. This bug affects Opera for Windows.
2. (highly severe): Scripts are able to change the addresses of framed pages that come from the same site. Due to a flaw in the way that Opera checks what frames can be changed, a site can change the address of frames on other sites inside any window that it has opened. This allows sites to open pages from other sites, and display misleading information on them.
3. (currently a secret): Fixed an issue that could allow cross-site scripting, as reported by Chris Weber of Casaba Security: details will be disclosed at a later date.
4. (moderately severe): Custom shortcut and menu commands can be used to activate external applications. In some cases, the parameters passed to these applications are not prepared correctly, and may be created from uninitialized memory. These may be misinterpreted as additional parameters, and depending on the application, this could allow execution of arbitrary code. Successful exploitation requires convincing the user to modify their shortcuts or menu files appropriately, pointing to an appropriate target application, then to activate that shortcut at an appropriate time. To inject code, additional means will have to be employed. This flaw affects Opera for Microsoft Windows, Linux, FreeBSD and Solaris.
5. (less severe): When insecure pages load content from secure sites into a frame, they can cause Opera to incorrectly report the insecure site as being secure. The padlock icon will incorrectly be shown, and the security information dialog will state that the connection is secure, but without any certificate information.
6. (less severe): As a security precaution, Opera does not allow Web pages to link to files on the user’s local disk. However, a flaw exists that allows Web pages to link to feed source files on the user’s computer. Suitable detection of JavaScript events and appropriate manipulation can unreliably allow a script to detect the difference between successful and unsuccessful subscriptions to these files, to allow it to discover if the file exists or not. In most cases the attempt will fail.
7. (not severe): It has been reported that when a user subscribes to a news feed using the feed subscription button, the page address can be changed. This causes the address field not to update correctly. Although this can mean that misleading information can be displayed in the address field, it can only leave the attacking page’s address in the address bar, not a trusted third party address.
Websense Security Labs has published research on a recent Facebook phishing email picked up by its “Honeyjax” system. Websense has been tracking various Facebook attacks for years, so the attacks on Facebook and MySpace in the last few weeks are nothing new. There have been continual, targeted Facebook attacks for some time now.
The attack starts with an enticing spam email, letting you know that something had been written about you, and that you’d probably want to read more about it. An average user would probably want to know what was written about them, especially because it’s on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends. So, the chances of a user clicking on one of these emails is tremendously high.
The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was “friends” with, and writing a comment on the test user’s wall. Writing on the wall triggered an automatic email to the test user’s email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam.
Like most malicious Web pages these days, the source code of the blogspot Web page is obfuscated. De-obfuscating it shows us that they are using javascript to change the URL location and automatically redirect a user to the phishing site.
Interestingly enough, this particular attack has been going on for over six months. The phishing URL above was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages:
A record:
IP 202.111.175.39
Route 202.111.160.0/19 CNC Group CHINA169 Jilin Province Network
NS record:
ns2.xinnet.cn, ns2.xinnetdns.com
IP 123.100.7.203, 202.10.71.53, 123.100.7.207, 202.10.71.57
Route 123.100.0.0/21, 202.10.64.0/21 Temporary Obj for CNC-H
The attack is spreading by viral social networking. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials. Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends’ walls, allowing them to spread within the walls of the social networking world.
As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we’re going to see more and more MySpace, Facebook, and other social networking attacks, says Websense. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
Dominion Enterprises today announced that a computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008. Dominion Enterprises is a leading marketing services company serving the wide-ranging needs of many industries including real estate, apartments, specialty vehicles, employment, automotive and travel.
The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG’s family of special finance Web sites.
Dominion Enterprises has alerted law enforcement and is working with authorities on the criminal investigation into the security breach. With the help of experts in data and network security, the company has taken immediate steps to enhance the security of IFMG’s systems and to protect the personal information that applicants submit on IFMG Web sites.
Dominion Enterprises is mailing letters to the individuals whose personal information it can determine was illegally accessed. The company is offering one full year of free credit monitoring services to all affected parties, and has provided information about additional resources where consumers can learn how to help protect themselves from identity theft.
According to a post on the Bluetack Internet Security Solutions site, Newsweek.com is suspected of running rogue banner advertisements that try to trick visitors into installing fraudulent anti-malware programs. Newsweek.com is one of several high-profile websites accused of exposing its readers to dangerous ads.
The malicious ads have been appearing on Newsweek’s website via feeds that carry the Washingtonpost.com address. The ads redirect users to a site that falsely claims users’ PCs are infected with malware and urges them to buy and install software that will remedy the problem. The banner graphic posed as an ad for www.easy-forex.com, which bills itself as an online foreign currency exchange.
Malvertising-like symptoms can be seen all over the net, on sites like MSNBC, Facebook, lime.com, Hotmail, MySpace and Yahoo. The ads are extremely hard to spot because they can sit dormant for days before the attacks begin. The use of multiple affiliates to buy and sell online ads also makes it hard for sales staff at established websites to separate legitimate ads from those that are designed to defraud or attack.
Recently, malicious hackers started using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In those attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.
The attack is coming from Adobe Flash-based advertising on legitimate sites, including Digg, MSNBC.com, and, yes, Newsweek. Once the clipboard has been hijacked, the user can’t copy anything else over it, in some cases until the machine is restarted.
According to SecurityFocus, a new public zero-day Windows vulnerability is being exploited in the wild. Microsoft Windows is prone to a remote code-execution vulnerability due to an unspecified error in ‘NSlookup.exe’. Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.
According to the alert, the issue is being actively exploited in the wild but details on the attacks are currently unavailable. At this moment there are no workarounds or vendor-supplied patches.
A video of a proof-of-concept exploit in action was released by Argentinian researcher Ivan Sanchez who is credited for this vulnerability disclosure.
A new phishing attack is circulating via email messages and targets Apple MobileMe users. These messages claim that there is a problem with the user’s billing information and instruct the user to follow a web link to update personal information. Clicking on this link directs the user to a web page that contains a seemingly legitimate web form requesting personal and financial information. Any information entered in this form is not sent to Apple but rather to a malicious attacker.
Hundreds of Mac users have already been deceived by this phishing scam, according to data obtained by CardCops, a credit card protection service owned by the Affinion Group. Sensitive information belonging to several hundred people with Mac.com email addresses is being traded in underground forums frequented by identity thieves. The details include social security numbers, birth dates, mothers’ maiden names, credit card numbers and other sensitive information. This event coincided with the glitches in the roll-out of Apple’s MobileMe service.
The information was phished using emails that began circulating around the same time Apple began its ill-fated transition from Mac.com to Me.com. The scams bore subjects such as “Billing problem.” The phishing email purporting to come from Apple looks clean and sleek, the text courteous and professional, hardly the kind that instantly gives away an email as a fake or scam. Below is a screenshot of the said email:

A number of links in the email body direct the victim to legitimate Apple pages, and only one link (the “click here” link) leads to the phishing site. Once users click on the link, they are directed to http://www.******tevideos.net/store.apple.com/us, a site that is not associated with Apple. It displays a Web page fashioned to look like one from the Apple Web site, and asks the user to update their billing information.
Users following the link while using Apple’s Safari browser are taken to an authentic-looking page purporting to belong to Apple. It asks users to reinstate their accounts by entering all kinds of personal details. Internet Explorer warned that the page was a scam, but Safari and Firefox did not.
Users, especially Apple service users, are implored to be wary about clicking on links from emails that appear to be legitimate.
Chief strategy officer for security firm StillSecure and security consultant Alan Shimel woke on Sunday morning to discover that his personal blog, which is frequently visited by readers and press, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and published sensitive documents he filed with the Internal Revenue Service. The attackers also sent crude pornographic images to parents on the Little League baseball team Shimel coached.
Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. Logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.
Security researchers have long been targets of computer- and internet-based attacks. But the recent rash of attacks, which coincided with this year’s Black Hat and Defcon conferences in Las Vegas, is getting more attention in the security world than previous ones.
“You can immediately see how emotional this is,” said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. “People are generally worried. You’re always worried you made some stupid mistake.”
Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago.
Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account. “It’s going to make me be a bit more vigilant,” he said. “I don’t think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure.”
What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two-dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.
Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw. Some posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, which for more than a year generated OpenSSL keys that are trivial to crack. Once the keys are broken, encrypted sessions, even those from years ago, can be decrypted.
Others guess that the miscreants gained entry through the victims’ blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at time of writing) was also used to unlock his Yahoo Mail account.
Credit: Dan Goodin, The Register.
Popular BitTorrent client µTorrent has silently patched a vulnerability that created a means for hackers to load malware onto PCs of file sharing users by persuading them to open a poisoned Torrent file. The vulnerability has been confirmed in version 1.7.7 of µTorrent. Earlier versions may also be vulnerable.
News of the bug emerged in a posting by Rhys Kidd to a security mailing list on Monday. He claimed that the flaw had been present as a zero-day vulnerability in the software for the last two years. The flaw is caused by a stack-based buffer overflow vulnerability and offered far more potential for damage than either salted (empty or impossible to play) files or media files that attempt to induce users to install fake codecs (often contaminated with malware) once users attempt to play downloaded content.
BitTorrent Mainline version six and beyond are also vulnerable because BitTorrent, Inc. makes use of µTorrent source code. The two software packages make up over 18.8 percent of the installed P2P client base, creating plenty of scope for mischief even though the bug would have been far from straightforward to misuse, since reliable exploitation is difficult although not impossible.
The new version of µTorrent, released earlier this month, fixes the flaw, even if release notes fail to mention this point. Version 1.8 RC7 of the software silently patched the flaw, according to security notification service Secunia, which advises users to update to version 1.8.0 of µTorrent. BitTorrent is also vulnerable but yet to deliver a patch, according to Secunia.
A new urgent patch for Joomla fixes a critical password-reset forgery issue that could compromise Joomla content management system. The open-source group warns in an advisory that the issue affects Joomla version 1.5.5 and all previous 1.5 releases. The exploit is publicly available and being actively exploited already.
A flaw in the reset token validation mechanism allows non-validating tokens to be forged. This allows an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user’s username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, Joomla maintainers warn that the only way to completely rectify the issue is to upgrade to version 1.5.6 or patch the /components/com_user/models/reset.php file.
In order to patch /components/com_user/models/reset.php, add the following after the line global $mainframe; (line 113 of reset.php), so that any submitted token that is not exactly 32 characters long is rejected before it reaches the user lookup:
if (strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}
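To show why that one length check closes the hole, here is an added Python model of the reset flow; it is an illustration written for this page, not Joomla’s code, and it assumes a simplified table in which a fully activated account has an empty activation field, so that an unchecked degenerate token can match the first enabled user. The hex-only check and constant-time comparison in the patched lookup are assumed extras beyond the length test in the actual patch.

```python
import hmac
import secrets

TOKEN_LEN = 32  # the patch's expected length: 16 random bytes rendered as hex

# Constructed sample user table, lowest id first. An empty activation field is
# what an ordinary, fully activated account looks like (assumption of this model).
USERS = [
    {"id": 62, "username": "admin",   "enabled": True,  "activation": ""},
    {"id": 63, "username": "editor",  "enabled": True,  "activation": ""},
    {"id": 64, "username": "blocked", "enabled": False, "activation": ""},
]


def issue_reset_token(username):
    """Store a fresh 32-hex-character token on the account that asked for a reset."""
    token = secrets.token_hex(16)
    for user in USERS:
        if user["username"] == username:
            user["activation"] = token
            return token
    return None


def token_is_well_formed(token):
    """The shape check the Joomla patch adds (length must be 32), plus an
    additional hex-only check assumed here because token_hex emits lowercase hex."""
    if len(token) != TOKEN_LEN:
        return False  # INVALID_TOKEN
    return all(c in "0123456789abcdef" for c in token)


def find_user_unchecked(token):
    """Model of the unpatched lookup: the first enabled user (lowest id) whose
    activation field equals the submitted token, with no check on the token.
    An empty token therefore matches the first enabled account with an empty
    activation field, which is typically the administrator."""
    for user in sorted(USERS, key=lambda u: u["id"]):
        if user["enabled"] and user["activation"] == token:
            return user
    return None


def find_user_checked(token):
    """Patched lookup: reject malformed tokens before touching the table, skip
    accounts with no outstanding reset, and compare in constant time."""
    if not token_is_well_formed(token):
        return None
    for user in sorted(USERS, key=lambda u: u["id"]):
        if not (user["enabled"] and user["activation"]):
            continue
        if hmac.compare_digest(user["activation"], token):
            return user
    return None


if __name__ == "__main__":
    print("unchecked, empty token ->", find_user_unchecked("")["username"])  # admin
    print("checked, empty token   ->", find_user_checked(""))                 # None
    t = issue_reset_token("editor")
    print("checked, real token    ->", find_user_checked(t)["username"])      # editor
```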
Drivers in Virginia and Washington, D.C. whose driver’s licenses have their Social Security numbers and who got traffic tickets in Maryland will find those numbers and other personal information on a Maryland state Web site. Maryland has never used Social Security numbers when issuing driver’s licenses, but Virginia and the District have.
Traffic citations are listed in Maryland’s court records, which the state makes publicly accessible online. The traffic citation records show a person’s full name, address, sex, height, weight, birth date and driver’s license number, which is sometimes the same as the driver’s Social Security number. Currently, a quick search for a popular name on the state’s Judiciary Case Search Web site will instantly pull up thousands of records spanning more than 30 years.
Virginia ended the practice in July 2003, although drivers were able to keep their old licenses until they expired, which in some cases was not until this year. Washington began offering drivers the option of having random numbers on their driver’s licenses instead of their Social Security numbers in 2001. Washington stopped issuing licenses with Social Security numbers on them altogether after federal regulations banned the practice in 2004.
The problem remains since Maryland’s court records date back decades, and drivers from D.C., Virginia or any state that once used Social Security numbers on licenses will find their Social Security numbers online today if they received Maryland tickets during that time.
A spokesman for the Maryland courts system was not immediately able to determine whether the number could be removed from the public record at the person’s request. People who find their Social Security numbers listed on the Web site should immediately place a fraud alert with one of the three major credit bureaus, which can be done at no charge.