RBS WorldPay admitted last week that hackers broke into its systems. RBS WorldPay (www.rbsworldpay.us) is a leading single-source provider of electronic payment processing services. The attack against the electronic payment services firm leaves up to 1.5 million payroll and gift card holders in the US at risk of fraud. Up to 1.1 million social security records were also exposed as a result of the breach.
The affected pre-paid cards include payroll cards and open-loop gift cards. PINs for all PIN-enabled cards are being reset as a precaution. RBS WorldPay has pledged to make sure its customers are not left out of pocket as a result of any fraud stemming from the attack. The firm is also offering 12 months complimentary membership to a credit monitoring service to those whose personal information was exposed as a result of the breach.
RBS WorldPay notified law enforcement and regulators about the attack on 10 November but waited until 23 December before publishing advice to potentially affected customers. The timing of its announcement raises suspicions that the firm is releasing bad news at a time when it is likely to go largely unnoticed.
The attack has been linked to the fraudulent misuse of 100 payroll cards, all of which have since been deactivated. Details of the attack itself, much less who might have pulled it off, remain sketchy.
RBS WorldPay has pledged to improve its security defenses to prevent similar attacks in future. RBS WorldPay has urgently taken a number of important steps to mitigate risk in response to this situation. The issue, which affected pre-paid cardholders and other individuals, was identified on November 10 and law enforcement agencies and federal regulators were notified by RBS WorldPay shortly thereafter. RBS WorldPay’s internal security professionals and outside experts are working with federal and state law enforcement authorities in an investigation of this event.
RBS WorldPay’s statement on the attack, and its response, can be found at http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf
Researchers have uncovered a weakness in the internet’s digital certificate system that allows them to forge counterfeit credentials needed to impersonate virtually any website that relies on the widely used security measure. Using more than 200 PlayStation 3 game consoles, the researchers are able to create a secure sockets layer certificate for any website of their choosing. The forged certificate causes all the major browsers to display a message indicating the website the user is visiting is legitimate because it’s been vetted by a trusted certificate authority using supposedly robust cryptographic measures.
Such attacks could make it easier for phishers to impersonate the sites of banks and other sensitive online services. The findings were presented Tuesday at the 25th annual Chaos Communication Congress in Berlin by researchers from Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, Eindhoven University of Technology (TU/e) in the Netherlands and independent labs in California.
The attack is based on known weaknesses in the cryptographic hash function MD5. In 2004, researchers from China showed it was possible to generate the same MD5 fingerprint for two different messages using off-the-shelf computer hardware. Three years later, a separate group of researchers, many of whom participated in Tuesday's presentation in Berlin, built on those findings by showing how to have almost complete freedom in the choice of both messages (a so-called chosen-prefix collision).
The latest findings take the known MD5 weaknesses a step further by showing how so-called collisions allow for the creation of valid digital credentials used by certificate authorities, which are appointed organizations that validate the authenticity of websites used for banking and other sensitive online activities. Once the researchers have generated the rogue certificate authority certificate, they can create SSL certificates for any site that will be accepted by just about any web-connecting device.
The vulnerability in the web’s SSL system is made possible by a handful of certificate authorities who continue to rely solely on MD5 to sign certificates. Even though the number amounts to a tiny fraction of authorities, all web browsers continue to accept MD5 hashes. The researchers didn’t identify the certificate authorities by name.
The researchers began their proof-of-concept attack with more than 200 PlayStation 3 consoles running in a Linux cluster, which they used to generate millions of candidate certificates. Once they found a pair of certificate bodies that collided under MD5, they requested a legitimate website certificate (one half of the pair) from one of the authorities that relies only on MD5 to generate signatures.
After copying the CA's signature onto the other half of the pair, a rogue certificate authority credential, they had the ability to generate widely accepted website certificates for any site of their choosing.
To prevent misuse of their certificate, they set it to expire in 2004, so only machines whose clocks are badly out of date can be tricked by their attack. Still, Jacob Appelbaum, one of the researchers, says it should now be clear that MD5 is irretrievably broken and can no longer be trusted.
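The practical check that follows from this story is whether any certificate in a chain you trust was signed with md5WithRSAEncryption. The block below is an added example written for this page (it is not code from the researchers or from The Register): a minimal DER walker that pulls the signatureAlgorithm OID and the raw tbsCertificate out of a certificate, plus a tiny encoder used only to construct a certificate-shaped sample input. The sample "certificate", its placeholder body and all-zero signature are constructed for the example and are not a real X.509 certificate.

```python
import hashlib

# OIDs for the RSA signature algorithms we care about (dotted form).
OID_MD2_RSA = "1.2.840.113549.1.1.2"
OID_MD5_RSA = "1.2.840.113549.1.1.4"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {OID_MD2_RSA: "md2WithRSAEncryption",
                       OID_MD5_RSA: "md5WithRSAEncryption"}


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode an OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def certificate_parts(cert_der):
    """Split Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns the raw tbsCertificate bytes and the signature algorithm OID."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, end_tbs = _read_tlv(body, 0)
    tbs_raw = body[:end_tbs]
    alg_tag, alg_body, _ = _read_tlv(body, end_tbs)
    oid_tag, oid_value, _ = _read_tlv(alg_body, 0)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return tbs_raw, decode_oid(oid_value)


def weak_signature(cert_der):
    """Return the weak algorithm name if the cert was signed with MD2/MD5, else None."""
    _, oid = certificate_parts(cert_der)
    return WEAK_SIGNATURE_OIDS.get(oid)


def tbs_md5(cert_der):
    """MD5 of the signed portion. A CA using md5WithRSAEncryption signs only this
    digest, so a colliding tbsCertificate carries exactly the same signature."""
    tbs_raw, _ = certificate_parts(cert_der)
    return hashlib.md5(tbs_raw).hexdigest()


# --- minimal DER encoder, used only to construct the sample input below ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def toy_certificate(sig_oid, tbs=b"\x30\x03\x02\x01\x01"):
    """Constructed Certificate-shaped DER (not a real X.509 certificate): the
    tbsCertificate is a placeholder SEQUENCE and the signature is all zeros."""
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # NULL parameters
    sig = _der(0x03, b"\x00" * 17)                                     # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in (OID_MD5_RSA, OID_SHA1_RSA, OID_SHA256_RSA):
        cert = toy_certificate(oid)
        print(oid, "->", weak_signature(cert) or "ok", tbs_md5(cert))
```

For a real certificate, convert PEM with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the result to `weak_signature()`. Check every certificate in the chain, not just the leaf: the signature that matters in the attack described above is the one the CA placed on a certificate it issued, and the algorithm field on the end-entity certificate says nothing about how the intermediates were signed.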
Credit: The Register
According to the TrendLabs Malware blog, a ZLOB variant is being spread in a new twist on malware aimed at social networking users. Users of Friendster, a social networking site hugely popular in Asia, may have recently received a message via the site's internal messaging utility that entices them to view a video.
Users receiving a message via Friendster may feel safe since it arrives within the Friendster zone. However, the message links to an external site. In this particular case, the link is a front for a quick redirection that lands the user on a fake video site. The user is told the video cannot be played without an updated version of the player (supposedly Adobe Flash Player); the "update" is the ZLOB malware. The site is named "YuoTube", the cybercriminals' attempt to pass for the legitimate and popular video site, YouTube.
The lure gains credibility because it arrives through the social networking site's internal messaging function, and the sender will often appear to be one of the user's contacts; this increases the likelihood that users will click on the link.
Malware from the WORM_KOOBFACE family (one of the earliest being WORM_KOOBFACE.E and the latest WORM_KOOBFACE.AC) specializes in propagating via social networking sites. These worms have spread mostly on Facebook but have been seen expanding operations to other networks such as Hi5 and Bebo, and they are able to get past CAPTCHAs.
Users are advised to be wary of unsolicited messages. Also, only download software and software updates from the software vendor’s sites or via auto-update features, not via popups that appear during browsing.
According to the CyberCrime & Doing Time blog, a Google search shows that the web is littered with more than one million links pointing to a single rogue domain. While the links appear to point to trusted domains, people who click on them are taken to a malicious website that claims they need to install security software or offers to stream video.
Miscreants are exploiting weaknesses in webpages operated by the federal government, media companies, and even Microsoft to trick unwitting visitors into installing harmful software that takes over their computers. Sites like Microsoft.com, IRS.gov, countless media outlets, magazines, universities, and other websites can be found in the search engines in this way.
The scam takes advantage of websites that have a "URL redirect" on them. A URL redirection script lets the website owner "send" users to another website while keeping track of where they went; it is often used together with an exit page that says something like "You are now leaving our site and being redirected to a new location." The problem is that many of those redirectors accept any destination, so other people can use the trusted site's URL to redirect traffic as well (an open redirect). The miscreants have caused Google to "learn" many of these URLs by placing them on sites they control.
Currently the redirections point to the domain 00119922.com, which was registered on December 19th for the purpose. For one example search term, the Microsoft open redirector appears as the number one search result on Google.
Some of the other sites with open redirectors being targeted by attackers include: dbrecovery.com, togshop.com, wnbc.com, mrm.mms.gov, countrycurtains.com, portugal-info.net, cyberswim.com, nbcsandiego.com, thebostonchannel.com, thepittsburghchannel.com, hermanstreet.com, viadeo.com, nationalgeographic.com, barronscatalog.com, click2houston.com, lucy.com, wgal.com, rexart.com, kitv.com, bookmatestore.com, attarbazaar.com, titlenine.com, vermontteddybear.com, readthehook.com, theessentials.com, martlmadidebeli-gristianoba.com
The attacks can be especially useful in tricking users to install software. Many of the Microsoft links, for example, appear to relate to an Internet Explorer download, so users are already prepared to install software on their machines. However, the Microsoft links redirect users to a site that runs a fake computer scan that purports to find dangerous malware, then offers a rogue “anti-virus program” for users to run.
Other exploited websites offer video streaming, so visitors may not be surprised when they’re told they need to install a new codec - and that’s exactly what happens.
The perpetrators of this scam have planted comments all over the web that cause search queries such as "download fruityloops 6 free" (and many relating to porn) to return high-ranking results that point to the open redirectors on popular sites.
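The fix on the site owner's side is to stop accepting arbitrary destinations in the redirector. The following is an added example (not code from the blog or from any of the sites named above) showing the unchecked pattern next to a hardened validator; the allow-listed hosts and the `*.example` test destinations are assumptions made for the example. It goes beyond the article's cases by also rejecting the common bypasses of naive "starts with /" checks: protocol-relative `//host`, backslash variants, `scheme:host` without slashes, userinfo tricks and header injection.

```python
from urllib.parse import urlsplit

# Assumed allow-list of hosts this site may redirect to (not from the article).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def vulnerable_redirect_target(param):
    """The open-redirector pattern the article describes: whatever the visitor
    put in the URL parameter becomes the Location header, unchecked."""
    return param


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept a same-site relative path or an http(s) URL whose host is allow-listed."""
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False                      # header injection / control-char tricks
    t = target.replace("\\", "/")         # browsers treat backslash as slash
    parts = urlsplit(t)
    if parts.scheme == "" and parts.netloc == "":
        # relative URL: exactly one leading slash ("//host" is protocol-relative)
        return t.startswith("/") and not t.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, protocol-relative
    if "@" in parts.netloc or parts.hostname is None:
        return False                      # https://trusted@evil.example, or "http:host"
    return parts.hostname in allowed_hosts   # hostname is lowercased, port stripped


def safe_redirect_target(param, fallback="/"):
    """Drop-in replacement for the vulnerable version: only allow-listed targets pass."""
    return param if is_safe_redirect(param) else fallback


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/", "/\\evil.example/",
                      "https://www.example.com@evil.example/", "http:evil.example",
                      "HTTP://WWW.EXAMPLE.COM/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Note that the check deliberately does not try to "clean" a bad target; it falls back to a fixed page. If the redirector must log outbound clicks for arbitrary destinations, the alternative is to redirect only to URLs that the site itself generated (for example, keyed by an opaque identifier stored server-side), so the destination never comes from the request.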
Trend Micro has released a patch to address a vulnerability in HouseCall 6.6. This vulnerability may allow an attacker to execute arbitrary code. Visitors to the publicly available HouseCall application may receive an older, vulnerable version of the control.
The vulnerability affects versions 6.51.0.1028 and 6.6.0.1278 of the HouseCall ActiveX control. Successful exploitation gives attackers a way to run hostile code on vulnerable systems. According to Secunia, which discovered the bug and published an advisory on Sunday, the vulnerability is caused by a use-after-free error in the HouseCall ActiveX control (Housecall_ActiveX.dll). This can be exploited to dereference previously freed memory by tricking the user into opening a web page containing a specially crafted "notifyOnLoadNative()" callback function.
Users of Trend Micro's HouseCall antivirus scanner need to upgrade to version 6.6.0.1285 following this discovery. Details of Hot Fix B1285 and the update can be found here.
Microsoft has issued a pre-patch advisory confirming a remote code execution vulnerability affecting its SQL Server line. The flaw is not new: it was publicly disclosed, with exploit code, more than two weeks ago. The security bug affects Microsoft SQL Server 2000, Microsoft SQL Server 2005 and Windows Internal Database, in certain configurations. Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected.
The software giant stated that although exploit code exists it has not received any reports of attacks.
Secunia reports that the flaw is the same bug discovered by SEC Consult, which published an advisory on the security bug on 4 December. SEC Consult only did this after months of dialogue with Microsoft.
A separate zero-day vulnerability (the Internet Explorer bug addressed by the MS08-078 emergency update) became the subject of an out-of-sequence patch. That flaw is being hit far harder than the SQL Server bug, which arguably presents a lower general risk for internet hygiene. Microsoft said it is investigating the SQL Server flaw, which past form would suggest is a candidate for a patch in either January or February as part of Microsoft's regular Patch Tuesday update cycle.
Hackers often use vulnerabilities in database software to plant malicious scripts that hijack internet sessions to serve up exploit code from systems under their control. The tactic forms the basis of drive-by download attacks, a class of assault that has become a preferred distribution route for Trojan code over recent years.
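The automated SQL injection campaigns that feed drive-by downloads leave a recognisable trail in web server logs, and a small scoring detector catches them without flagging every search for the word "select". The block below is an added example written for this page (not from the article, Microsoft or Secunia): the rule names and weights are assumptions chosen for illustration, and the W3C-style log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Heuristic signatures for automated SQL injection in request query strings.
# Names and weights are assumptions for this example, not a published ruleset.
RULES = [
    ("declare_var",  3, re.compile(r"\bdeclare\s+@\w+", re.I)),
    ("hex_cast",     3, re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+", re.I)),
    ("exec_call",    2, re.compile(r"\bexec\s*\(", re.I)),
    ("stored_proc",  2, re.compile(r"\b[sx]p_\w+", re.I)),
    ("union_select", 2, re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("tautology",    3, re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("comment_tail", 1, re.compile(r"--\s*$")),
]
THRESHOLD = 3   # one weak indicator alone (e.g. "union select" in a search box) is not enough


def decode_query(raw):
    """URL-decode twice so double-encoded payloads are seen in the clear."""
    return unquote_plus(unquote_plus(raw))


def score_query(raw_query):
    """Return (score, [rule names]) for one cs-uri-query value."""
    decoded = decode_query(raw_query)
    score, hits = 0, []
    for name, weight, pattern in RULES:
        if pattern.search(decoded):
            score += weight
            hits.append(name)
    return score, hits


def scan_log(text):
    """Scan W3C-style lines 'date time c-ip method uri-stem uri-query status'
    and return the requests whose query scores at or above THRESHOLD."""
    findings = []
    for line in text.splitlines():
        fields = line.split(" ")
        if line.startswith("#") or len(fields) != 7:
            continue
        _date, _time, ip, _method, stem, query, _status = fields
        score, hits = score_query(query)
        if score >= THRESHOLD:
            findings.append({"ip": ip, "stem": stem, "score": score, "rules": hits})
    return findings


# Constructed sample log (not real traffic). Line 2 carries the encoded
# DECLARE / CAST(0x...) / EXEC form of automated injection with an arbitrary hex
# literal; line 4 is a benign search mentioning "union select" that must not be flagged.
SAMPLE_LOG = """\
2008-12-17 03:12:01 10.0.0.5 GET /products.asp id=42 200
2008-12-17 03:12:05 10.0.0.9 GET /products.asp id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535%20AS%20VARCHAR(4000));EXEC(@S);-- 200
2008-12-17 03:13:44 10.0.0.7 GET /news.asp article=17'%20OR%201=1-- 500
2008-12-17 03:14:02 10.0.0.5 GET /search.asp q=union+select+statements 200
2008-12-17 03:14:09 10.0.0.11 GET /search.asp q=1%20UNION%20SELECT%20name,password%20FROM%20users-- 200
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The weights matter more than the patterns: a single "union select" scores below the threshold on its own, while the DECLARE/CAST/EXEC combination that characterises the mass-injection tools scores well above it. Decoding twice is there because double URL encoding is a routine way to slip past single-pass filters; a request that only becomes suspicious after the second decode is itself worth a look.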
More details and workarounds can be found in the advisory.
Telegraph.co.uk reports that developers have found a way to exploit vulnerabilities in the software's code that allow them to customise their PlayStation Home experience beyond the options provided by Sony. PlayStation Home, a Second Life-like virtual world that provides PS3 users with a three-dimensional social gaming space in which to interact and communicate with other players, was launched on Dec 11.
One hack uses a combination of the Apache web server and DNS re-direction to allow users of PlayStation Home to watch their own movies on display screens within the game, and change text and music to whatever they choose. A second hack enables players to download any file they want from PlayStation Home’s servers, such as a fellow user’s profile or avatar, the cartoon-like representation of themselves they create to appear in the virtual world.
The most worrying vulnerability found in the Home software is the security loophole that allows tech-savvy users to upload any file to the Home server, or delete any file from the Home server. It raises the spectre of malicious hackers spreading viruses and malware across the PlayStation Home platform, or even launching sustained attacks on the virtual world’s servers to force it offline.
There’s speculation that Sony may legitimately open the Home platform to third-party developers to build and create additional features for the online universe. Having an official avenue for “hacks” and “tweaks” could prevent more serious and potentially damaging hacking attempts, and could also help to build an ecosystem of users and developers around the Home platform.
The growth of malware targeting online games is worrying. Items accumulated in virtual world accounts have very real financial value, which leads to an underground market for stolen virtual world accounts.
Microsoft released an emergency patch today to address a critical bug in Internet Explorer (IE) that attackers have been exploiting for more than a week. The MS08-078 critical security update for Internet Explorer (960714) is available for download. This patch does not replace the IE security patch that came out earlier this month (MS08-073); both patches have to be installed.
This is a critical update for IE 5.01, IE 6, IE 6 SP1, IE 7 and IE 8 Beta 2. The vulnerability is being exploited in the wild, usually with the help of compromised websites that suffered SQL injection. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update fixes the problem by modifying the way Internet Explorer validates data binding parameters and handles the error that results in the exploitable condition.
“In response to the threat to customers and mindful of the challenges customers face deploying updates during this time of year, Microsoft immediately mobilized security engineering teams worldwide to develop, test and deliver a security update of appropriate quality for worldwide distribution in the unprecedented time of eight days,” the company said Tuesday.
Users should review Microsoft Security Bulletin MS08-078 and apply the update as soon as possible. Users may also want to consider an alternative browser (Firefox) with an add-on that offers effective protection against malicious website attacks (NoScript).
The open-source group Mozilla has released the final security patch for the Firefox 2 branch and a new version of Firefox 3 to plug several security flaws that could lead to remote code execution attacks, browser crashes and information disclosure issues.
Mozilla released eight different bulletins with details on the security flaws. Three of the bulletins carry a "critical" label, meaning the flaws can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing. One of the bulletins carries a "high severity" rating, meaning the flaw can be used by hackers to gather sensitive data from sites in other windows or inject data or code into those sites, requiring normal browsing actions.
Patched in Firefox 3.0.5:
MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
Some of the bugs affect only Firefox 3, others only Firefox 2. Mozilla is not planning any more updates for Firefox 2. Google-powered anti-phishing protection will also no longer be available for Firefox 2 users.
Users of all Firefox versions are advised to apply the update, which is released via the browser's automatic patching mechanism.
Update (December 19): A “clerical error” by Mozilla Corp. omitted one of the security patches that was supposed to be included in the Windows version of latest Firefox 2.0.0.19 release. Mozilla will release Firefox 2.0.0.20, which will include the omitted patch, as early as Friday and no later than Monday. As per its policy, Mozilla was to officially retire the older browser Tuesday, but it must now delay that until Version 2.0.0.20 is available.
Opera released an update to its popular web browser on Tuesday that fixes vulnerabilities it described as “extremely severe”. The update fixes seven security bugs, some of which were previously known.
Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text input. A critical bug with similar arbitrary code injection risks involving the handling of long host names in file: URLs has also been patched. The latest version of the software also fixes a cross-site scripting flaw involving XSLT templates, as well as bugs in feed preview.
Fixed vulnerabilities in Opera 9.63 include:
Manipulating text input contents can allow execution of arbitrary code.
HTML parsing flaw can cause Opera to execute arbitrary code.
Long hostnames in file: URLs can cause execution of arbitrary code.
Script injection in feed preview can reveal contents of unrelated news feeds.
Built-in XSLT templates can allow cross-site scripting.
Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas.
SVG images embedded using <img> tags can no longer execute Java or plugin content.
More details of these various fixes can be found on Opera Software’s website. The advisory covers Windows but other versions of the browser running on Mac and Linux also need updating against the similar cross-platform risks.