CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for April, 2009

Twitter’s Administrator Panel Hacked (Again)

Thursday, April 30th, 2009

Yesterday, a French hacker claimed to have gained access to Twitter’s administration panel, backing the claim with screenshots that show internal data for accounts belonging to U.S. President Barack Obama, Britney Spears, Ashton Kutcher, and Lily Allen, as well as a detailed overview of different sections behind the scenes of Twitter.

The hacker going under the handle of Hacker Croll featured 13 screenshots of Twitter’s admin panel, and commented that “The images were taken from the Admin area that was secured with .htaccess.” It’s still unclear whether any data belonging to account holders was modified, but one has to assume that given the access obtained, there’s a high chance that he was able to download anything he wanted to.

The screenshots were obtained through the account of a Twitter employee who reported that his Yahoo! Mail account got compromised on the 27th. The attack comes two weeks after multiple variants of Mickeyy’s XSS worm hit the continuously growing micro-blogging service.

Interestingly, Hacker Croll goes into more details regarding the compromise on a different forum - “one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.” and that he “used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection“.

The Twitter admin hack appears to be the result of a successful social engineering attack against one of Twitter’s employees — a similar attack took place in January this year. A similar password-reset attack contributed to the successful hacking of Sarah Palin’s personal email account in September last year.

Update (May 01): According to Twitter official announcement:

This week, unauthorized access to Twitter was gained by an outside party. Our initial security reviews and investigations indicate that no account information was altered or removed in any way. However, we discovered that 10 individual accounts were viewed during this unauthorized access.

Personal information that may have been viewed on these 10 individual accounts includes email address, mobile phone number (if one was associated with the account), and the list of accounts blocked by that user. We have personally contacted Twitter users whose accounts were compromised via this unauthorized access.

Password information was not revealed or altered, nor were personal messages (direct messages) viewed. Twitter takes security very seriously so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data.

Credit: ZDNet.com Security Blogs

Researchers Show How to Take Control of Windows 7

Thursday, April 30th, 2009

Security researchers demonstrated how to take control of a computer running Microsoft’s upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday.

Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. They demonstrated how the software works at the conference. “There’s no fix for this. It cannot be fixed. It’s a design problem,” Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack.

While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it’s not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim’s computer. The attack cannot be done remotely.

VBootkit 2.0, which is just 3KB in size, allows an attacker to take control of the computer by making changes to Windows 7 files that are loaded into the system memory during the boot process. Since no files are changed on the hard disk, VBootkit 2.0 is very difficult to detect, he said. VBootkit 2.0 is a follow-up to earlier work that Kumar and Kumar have done on vulnerabilities contained in the Windows boot process. In 2007, Kumar and Kumar demonstrated an earlier version of VBootkit for Windows Vista at the Black Hat Europe conference.

However, when the victim’s computer is rebooted, VBootkit 2.0 will lose its hold over the computer as data contained in system memory will be lost.

The latest version of VBootkit includes the ability to remotely control the victim’s computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user’s password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected.

Credit: Sumner Lemon, IDG News Service, PCWorld.com

Exploit Posted For Adobe Reader PDF Zero-day Vulnerability In ‘getAnnots()’ JavaScript Function

Tuesday, April 28th, 2009

Adobe Reader is prone to a remote code-execution vulnerability, according to a recent SecurityFocus advisory. Proof-of-concept exploit code has been published for a new zero-day vulnerability haunting Adobe’s widely deployed PDF Reader software.

In a brief note posted to its PSIRT blog, Adobe confirmed it was investigating the issue, which affects Adobe Reader 9.1 and 8.1.4. “We are currently investigating, and will have an update once we get more information,” according to Adobe’s David Lenoe.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users. Reader 8.1.4 and 9.1 for Linux are vulnerable; other versions or platforms may also be affected.

Adobe’s PDF Reader software is a popular target for malware authors so, in the absence of a patch, users should consider using an alternative product. The exploit appeared a few days after F-Secure warned about Adobe Acrobat Reader and suggested uninstalling it from the system and moving to an alternative such as Foxit Reader.

Credit: ZDNet Security Blogs

Computers With Internet Explorer And Google Chrome Installed Are At Risk

Tuesday, April 28th, 2009

Security problems surrounding protocol handling and Web browsers have surfaced again — this time with Google Chrome and Microsoft’s Internet Explorer. The “high severity” vulnerability affects Google Chrome versions 1.0.154.55 and earlier.

According to an advisory from the Google Chrome team, there’s an error in handling URLs with the chromehtml: protocol that could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.

If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice. It can be exploited by malicious hackers to launch universal cross-site scripting (UXSS) attacks without user interaction under certain conditions.

IBM’s Roi Saltzman, the researcher credited with finding and reporting the issue to Google, has released an advisory to explain the attack vectors and impact. He warns that the flaw opens the door to two major attack vectors:

Bypass the Same Origin Policy restrictions for any site (this has the same impact as Universal XSS)
Enumerate victim’s local files and directories

“It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles’ heel and has been widely used previously to attack other various applications,” Saltzman said. Proof-of-concept code for this issue is publicly available.

Credit: ZDNet Security Blogs

F-Secure Says Users Should Stop Using Adobe Acrobat Reader

Saturday, April 25th, 2009

As if the fact that Adobe Acrobat Reader is bloated and slow isn’t enough, more than 47 percent of attacks this year exploit holes in it. With all the Internet attacks that exploit Adobe Acrobat Reader people should switch to using an alternative PDF reader, a security expert said at the RSA security conference on Tuesday.

Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.

In 2008, the favored targeted attack vector was Microsoft Word, which had 15 known vulnerabilities (compared to Acrobat Reader’s 19) and which represented 34.5 percent of the attacks (compared to 28.6 percent for Acrobat Reader).

Top-level executives, defense contractors, and other people who have access to specific sensitive corporate or government information are subject to targeted attacks where an attacker sends a file that has malicious code embedded in it. Once the file is opened, the computer is infected typically with a back door that then steals data.

PDF and Flash browser plug-ins are also used in attacks known as “drive-by downloads” in which malware is surreptitiously downloaded onto a computer while the user is surfing the Web. The number of PDF files used in attacks rose from 128 between January 1 and April 16 last year to more than 2,300 in that same time period during this year, said Mikko Hypponen, chief research officer of security firm F-Secure.

Adobe “has a lot to learn from, of all places, Microsoft,” which offers regular security patches on a monthly basis as part of Patch Tuesday, Hypponen said.

Part of the problem is people don’t expect that Acrobat Reader upgrades necessarily contain important security patches like they do with Microsoft software, he said.

Hypponen did not recommend a PDF reader, but said Acrobat Reader alternatives are listed on the PDFReaders.org Web site. An obvious Acrobat Reader alternative for Windows would be Foxit Reader. A ZIP package with the latest version that needs no installation can be downloaded here.

Credit: CNET News

Cache-poisoning Attack Sends Top Brazilian Bank Users To Scam Sites

Wednesday, April 22nd, 2009

One of Brazil’s biggest banks has suffered an attack that redirected its customers to fraudulent websites that attempted to steal passwords and install malware, according to an unconfirmed report.

The redirection of Bradesco was the result of what’s known as a cache poisoning attack on Brazilian internet service provider NET Virtua.

DNS cache poisoning attacks exploit weaknesses in the internet’s domain name system. ISPs that haven’t patched their systems against the vulnerabilities are susceptible to attacks that replace the legitimate IP address of a given website with a fraudulent one. End users who rely on the lookup service are then taken to malicious websites even though they typed the correct domain name into their browser.

“That’s pretty serious when you’re talking about a banking organization,” said Paul Ferguson, a security researcher with anti-virus provider Trend Micro. “If people are trying to log in to their account and they get rejected, they’ll try again and again with the same user name and password.”

DNS cache poisoning has been around since the mid 1990s, when researchers discovered that DNS resolvers could be flooded with spoofed IP addresses for sensitive websites. The servers store the incorrect information for hours or days at a time, so the attack has the potential to send large numbers of end users to fraudulent websites that install malware or masquerade as a bank or other trusted destination and steal sensitive account information.

In 1998, Eugene E. Kashpureff admitted to federal US authorities that on two occasions the previous year he used cache poisoning to divert traffic intended for InterNIC to AlterNIC, a competing domain name registration site that he owned.

Makers of DNS software were largely able to prevent the attacks by adding pseudo-random transaction ID numbers to lookup requests that must be included in any responses. Then, last year, IOActive researcher Dan Kaminsky revealed a new way to poison DNS caches, touching off a mad scramble by the world’s ISPs to fix the vulnerability before it was exploited.
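The transaction-ID check described above is easy to see in a toy resolver. The following is an added example, not code from the article or from any DNS implementation: a minimal stub resolver that keeps a table of outstanding queries and caches an answer only if the response carries the same 16-bit transaction ID and arrives on the same port the query was sent from. The `randomize_port` switch models the source-port randomization that vendors shipped as the mitigation for the 2008 Kaminsky technique (the article does not describe that fix; it is stated here as background), and `guess_space` returns how many distinct (ID, port) combinations a forged response would have to match. The names, addresses and the `Query`/`Response` classes are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TXID_SPACE = 1 << 16            # 16-bit transaction ID
PORT_LOW, PORT_HIGH = 1024, 65535  # ephemeral port range used when randomizing


@dataclass(frozen=True)
class Query:
    """An outstanding lookup sent to an upstream server (constructed type)."""
    name: str
    txid: int
    src_port: int


@dataclass(frozen=True)
class Response:
    """An answer as seen by the resolver (constructed type)."""
    name: str
    txid: int
    dst_port: int
    address: str


class ToyResolver:
    """Caches an address only for responses that match a query it actually sent."""

    def __init__(self, randomize_port: bool) -> None:
        self.randomize_port = randomize_port
        self.pending: Dict[str, Query] = {}   # name -> outstanding query
        self.cache: Dict[str, str] = {}       # name -> cached address

    def send_query(self, name: str) -> Query:
        txid = secrets.randbelow(TXID_SPACE)
        if self.randomize_port:
            src_port = PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW)
        else:
            src_port = 53                     # fixed port: only the ID protects the cache
        query = Query(name, txid, src_port)
        self.pending[name] = query
        return query

    def receive(self, resp: Response) -> bool:
        """Return True and cache the answer only if it matches an outstanding query."""
        query = self.pending.get(resp.name)
        if query is None:
            return False                      # unsolicited answer: nothing was asked
        if resp.txid != query.txid or resp.dst_port != query.src_port:
            return False                      # wrong ID or port: treat as spoofed
        self.cache[resp.name] = resp.address
        del self.pending[resp.name]
        return True

    def lookup(self, name: str) -> Optional[str]:
        return self.cache.get(name)


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations an attacker must match to be accepted."""
    ports = (PORT_HIGH - PORT_LOW) if randomize_port else 1
    return TXID_SPACE * ports


if __name__ == "__main__":
    resolver = ToyResolver(randomize_port=False)
    q = resolver.send_query("bank.example")
    # A forged answer with a guessed ID is dropped; the genuine one is cached.
    print(resolver.receive(Response("bank.example", (q.txid + 1) % TXID_SPACE, 53, "203.0.113.5")))
    print(resolver.receive(Response("bank.example", q.txid, 53, "192.0.2.10")))
    print(resolver.lookup("bank.example"))
    print(guess_space(False), guess_space(True))
```

With a fixed source port an attacker who can race the real answer has a 1-in-65536 chance per forged packet; adding port randomization multiplies the search space by the size of the ephemeral range. The toy resolver also drops answers for names it never asked about, which is the in-bailiwick discipline real resolvers apply.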

The article from Globo.com cited a Bradesco representative who said that about 1 percent of the bank’s customers were affected by the attack. It went on to suggest that customers who were paying attention would have noticed Bradesco’s secure sockets layer certificate generated an error when they were redirected to the fraudulent login page.

Interestingly, it also said that a domain used for Google AdSense was redirected to a site that used malicious JavaScript to install malware on the redirected machines. The attacks have since been resolved, the article stated.

It’s still not clear exactly how the caches were tainted. Representatives for the ISP and the bank hadn’t responded to requests for comment at time of publication.

Credit: The Register

Government And Corporate Systems Found On 1.9 Million Infected Computers Network

Wednesday, April 22nd, 2009

Government and corporate Windows PCs were among the ranks of a 1.9 million-strong botnet recently discovered by net security firm Finjan.

Finjan security researchers discovered the control server of the botnet after tracing back an infection from a corporate client. Evidence on the cybercrime server, which was hosted in the Ukraine, showed it had been in use since February 2009, and controlled by a cybergang of six people.

Trojan downloader malware planted on insecure websites was used to distribute the malware that seeded the botnet, via drive-by download attacks. The core group of cybercrooks were assisted by a vast affiliate network.

Yuval Ben-Itzhak, chief technology officer at Finjan, said the malware that created the botnet used a variety of Internet Explorer, Firefox and PDF vulnerabilities to spread. He added that only four out of 39 anti-virus scanners detected the malware.

Ben-Itzhak told El Reg that the cybercrooks behind the botnet made their money by auctioning off access to compromised machines through underground forums, typically charging $100 for 1,000 machines. The miscreants also made money from selling data looted from compromised machines, he added.

The cybercrooks collectively compromised computers in 77 government-owned domains (.gov) from the UK, US and various other countries.

The malware that featured in the attack allowed hackers complete control of compromised PCs, nearly all of which were running Windows XP. A variety of malicious actions, from reading emails to copying files, keystroke logging, and spam distribution were all possible.

Since discovering the botnet, Finjan has supplied information on the server to UK and US law enforcement agencies. The command server is now out of commission. Finjan has informed affected corporate and government agencies about the infected computer names, in a move that will hopefully result in a clean-up operation.

Credit: The Register
Credit: Finjan.com MCRC Blog

High Profile New Zealand Sites Registered At Domainz.net Defaced Through DNS Hijack

Tuesday, April 21st, 2009

Today, a web site defacement group known as “The Peace Crew” successfully hijacked the DNS records for high profile New Zealand web sites, through what Zone-H claims to be a SQL injection at the New Zealand-based registrar Domainz.net. Visitors were redirected to a defaced page featuring the infamous Bill Gates pieing photo, as well as anti-war messages.

The mass defacement affected major Microsoft sites in New Zealand including WindowsLive.co.nz, MSN.co.nz, Microsoft.co.nz, Hotmail.co.nz, Live.co.nz next to HSBC.co.nz, Sony.co.nz, Coca-Cola.co.nz, Xerox.co.nz, Fanta.co.nz, F-Secure.co.nz and BitDefender.co.nz.

Here’s Microsoft’s comment, according to NZHerald:

MSN have responded by issuing a short statement from MSN business manager Liz Fraser this afternoon. “The cause of this discrepancy has been identified and we are currently working with our Microsoft technology and security teams in the US to resolve the matter as quickly as possible today. “We apologise for any inconvenience this may have caused,” the statement said.

Once control of the domain registrar’s web panel was obtained, members of the Peace Crew used fatih1.turkguvenligi.info and fatih2.turkguvenligi.info as primary DNS servers delivering the defaced pages, making it look like the sites themselves had been compromised.

The group is not new on the defacement scene, in fact one of its members has been keeping himself pretty busy during this month by having already defaced thirteen web servers belonging to NASA, using the same template.

Credit: ZDNet.com Security Blogs

Spies Breach $300 Billion Fighter-Jet Project, Government Asks Hackers For Help

Tuesday, April 21st, 2009

Computer spies have broken into the Pentagon’s $300 billion Joint Strike Fighter project — the Defense Department’s costliest weapons program ever — according to current and former government officials familiar with the attacks.

Similar incidents have also breached the Air Force’s air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.

The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together. The revelations follow a recent Wall Street Journal report that computers used to control the U.S. electrical-distribution system, as well as other infrastructure, have also been infiltrated by spies abroad.

Many details couldn’t be learned, including the specific identity of the attackers, and the scope of the damage to the U.S. defense program, either in financial or security terms. In addition, while the spies were able to download sizable amounts of data related to the jet-fighter, they weren’t able to access the most sensitive material, which is stored on computers not connected to the Internet. The intruders compromised the system responsible for diagnosing a plane’s maintenance problems during flight, according to officials familiar with the matter. However, the plane’s most vital systems — such as flight controls and sensors — are physically isolated from the publicly accessible Internet.

Former U.S. officials say the attacks appear to have originated in China. However, it can be extremely difficult to determine the true origin because it is easy to mask identities online.

A Pentagon report issued last month said that the Chinese military has made “steady progress” in developing online-warfare techniques. China hopes its computer skills can help it compensate for an underdeveloped military, the report said. Investigators traced the penetrations back with a “high level of certainty” to known Chinese Internet protocol, or IP, addresses and digital fingerprints that had been used for attacks in the past, said a person briefed on the matter.

The Chinese Embassy said in a statement that China “opposes and forbids all forms of cyber crimes.” It called the Pentagon’s report “a product of the Cold War mentality” and said the allegations of cyber espionage are “intentionally fabricated to fan up China threat sensations.”

Pentagon officials declined to comment directly on the Joint Strike Fighter compromises. Pentagon systems “are probed daily,” said Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman. “We aggressively monitor our networks for intrusions and have appropriate procedures to address these threats.” U.S. counterintelligence chief Joel Brenner, speaking earlier this month to a business audience in Austin, Texas, warned that fighter-jet programs have been compromised.

Maybe this is the reason why General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could “think like the bad guy.” Applicants, it said, must understand hackers’ tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems.

In the Pentagon’s budget request submitted last week, Defense Secretary Robert Gates said the Pentagon will increase the number of cyberexperts it can train each year from 80 to 250 by 2011.

With warnings that the U.S. is ill-prepared for a cyberattack, the White House conducted a 60-day study of how the government can better manage and use technology to protect everything from the electrical grid and stock markets to tax data, airline flight systems, and nuclear launch codes.

U.S. computer networks, including those at the Pentagon and other federal agencies, are under persistent attack, ranging from nuisance hacking to more nefarious assaults, possibly from other nations, such as China. Industry leaders told Congress during a recent hearing that law enforcement and other protections are too outdated to fend off threats from criminals, terrorists and unfriendly foreign nations.

Just last week, a former government official revealed that spies had hacked into the U.S. electric grid and left behind computer programs that would let them disrupt service. The intrusions were discovered after electric companies gave the government permission to audit their systems, said the ex-official, who was not authorized to discuss the matter and spoke on condition of anonymity.

Cyberthreats are also included as a key potential national security risk outlined in a classified report put together by Adm. Mike Mullen, chairman of the Joint Chiefs of Staff. Pentagon officials say they spent more than $100 million in the last six months responding to and repairing damage from cyberattacks and other computer network problems.

Short said the $60 million, four-year contract with US-CERT uses the ethical hackers to analyze threats to the government’s computer systems and develop ways to reduce vulnerabilities.

Faced with such cyberchallenges, Obama ordered the 60-day review to examine how federal agencies manage and protect their massive amounts of data and what the government’s role should be in guarding the vast networks that control the country’s vital utilities and infrastructure.

Credit: SIOBHAN GORMAN, AUGUST COLE and YOCHI DREAZEN, WSJ.com
Credit: Yahoo News

Music Industry Sites DDoSed By Hacktivists To Support Pirate Bay

Monday, April 20th, 2009

Hacktivists have launched denial of service attacks against music industry association IFPI.org and lawyers involved in the prosecution of the four Pirate Bay defendants in the wake of a guilty verdict against the quartet last Friday. The four Pirate Bay defendants - Peter Sunde, Fredrik Neij, Gottfrid Svartholm and Carl Lundström - were found guilty and sentenced to one year in prison and heavy fines, but intend to appeal.

The assault rendered IFPI.org - the main website of the International Federation of the Phonographic Industry - intermittently unavailable or sluggish on Monday morning. Discussions involving 250 hackers in the irc channels at anonnet.org talk about retaliation against the IFPI and lawyers involved in the case and a desire to take the website off the internet throughout Monday, at a minimum.

“They want to get the message across that the IFPI can not mess with the internet and that the internet is serious business,” coldblood, an admin at anonnet.org told El Reg. “This is very much like the Scientology thing started more than a year ago now,” he added.

Operation Baylout, as the attack is called, also involved the reported defacement of the Swedish website of the IFPI.

Meanwhile, limited distributed denial of service attacks against some Torrent tracker sites continued in the wake of the guilty verdict against the four defendants in the high-profile Pirate Bay trial last Friday.

The main victim of attacks by as yet unidentified vigilantes (or possibly simple griefers) was free-torrents.org, reports security tools firm Arbor Networks. The assault against free-torrents.org has been going on for around a month, and so is hardly a new development. Arbor’s findings (below) contradict rumours that large-scale denial of service attacks against multiple Torrent trackers were underway.

All in all, except for free-torrents.org getting attacked by a Black Energy botnet run out of China (using the C&C at hack-off.ru), we can’t corroborate this spate of attacks. Free-torrents.org has been getting pounded by this botnet since mid March, 2009, in fact. But none of the other major sites appear to be receiving such packet love.

Jose Nazario, manager of security research at Arbor Networks, notes that the trial involved the people who ran Pirate Bay, not the site itself, which remains operational. Even if The Pirate Bay was taken down something else would surely replace it. Nonetheless The Pirate Bay is a major interchange (most of the Pirate Bay swarms also include other trackers), so disrupting TPB may have an impact on BitTorrent traffic as a whole, at least for a short period.

Credit: The Register