CyberInsecure.com

Archive for January, 2010

The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that’s bombarding their websites with millions of compute-intensive requests.

The “massive” flood of requests is made over the websites’ SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.

“What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses,” Shadowserver’ Steven Adair wrote. “This might be a big deal if you’re used to only getting a few hundred or thousands of hits a day or you don’t have unlimited bandwidth.”

It’s not clear why Pushdo has unleashed the torrent. Infected PCs appear to initiate the SSL connections, along with a bit of junk, disconnect and then repeat the cycle. They don’t request any resources from the website or do anything else.

“We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn’t quite look like a DDoS either,” Adair wrote.

Security mavens aren’t sure what targeted sites can do to thwart the attacks. Changing IP addresses may provide a temporary reprieve.

Shadowserver has identified 315 websites that are the recipients of the SSL assault. In addition to cia.gov and paypal.com, other sites include yahoo.com, americanexpress.com, and sans.org. Here is the full list of attacked addresses:
(more…)

Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat.

Using a piece of javascript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has has caused major disruptions for almost a month.

“Huge numbers of users of the Freenode network ended up getting banned themselves because they would click the link and then they would join the network and flood the network,” one of the hackers, who goes by the moniker Weev, said. “We get his huge rollover effect.”

He added: “We got the the people who run Freenode to actually k-line each other,” a reference to the process of banning a user from an IRC server for spamming or other inappropriate actions.

The malicious javascript exploits a feature that allows Firefox to send data over a variety of ports that aren’t related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn’t work with Internet Explorer or Apple Safari, but “might” work with other browsers, Weev said.

IRC channels such as Efnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them.

“While we are doing what we can to mitigate the spam, we would ask that you take a careful look at any unusual sites or URLs you might visit in the near future to be sure you are not being tricked into visiting such a site,” a note on Freenode’s website read. Representatives of the network didn’t respond to an email seeking comment.

Security researchers have long known that it’s possible to abuse features designed to make browsers work seamlessly with other internet applications. Web security expert Robert “RSnake” Hansen calls the technique “interprotocol exploitation.”

“It’s the first time I’ve actually seen it used in the wild,” he said. “We’ve been theorizing this attack was possible for some time. Browsers absolutely should not be able to connect to ports unrelated to HTTP.”

Hansen said other internet technologies, such as the Sip protocol for voice over IP, are also ripe for abuse.

Credit: The Register

Over thirty websites of various Representatives and House Committees fell victim to mass defacement yesterday. The incident occurred shortly after President Obama gave his State of the Union address.

The attack seems to be politically motivated as it contained an offensive anti-Obama message. All affected websites are from within the house.gov domain and most of them served House Representatives. However, a few, such as gop.cha.house.gov, republicans.financialservices.house.gov, republicans.oversight.house.gov or resourcescommittee.house.gov, correspond to House committees.

According to Web defacement archive Zone-H, the Red Eye Crew is a prominent hacking group responsible for more than 45,000 defacements in 2009 alone. Around 2,000 of the affected websites are listed as special, meaning they belong to governments, military organizations or important corporations.

Determining a specific point of entry for these attacks without any insider knowledge is hard. However, security researchers from Praetorian Security Group determined that all compromised websites use the Joomla content management system. “But not all of the Joomla CMS web sites [on the same server] are affected. This might indicate that it is a Joomla component that is to blame, however that is just speculation,” they write.

It is worth noting that a significant number of websites within the house.gov domain were defaced last August by a different group. At the time, there was information to suggest that the compromise was the result of default passwords that were left unchanged.

“Unfortunately we won’t know that until someone who manages house.gov provides some details. Server access seems unlikely, because while the sites we checked are hosted on dcserver1.house.gov, not every site hosted on that server is defaced (example congressman Joe Sestak’s web site was fine). The sites are not redirecting anywhere,” the Praetorian Security Group experts conclude.

Credit: Softpedia.com News

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.

The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine’s C drive, including files, authentication cookies - even empty hashes of passwords.

This isn’t the first time security researchers at Core have identified security weaknesses in IE. The company issued this advisory in 2008 and this one in 2009, each identifying specific links in the chain that could potentially be abused by an attacker.

“Every time we reported this to Microsoft, they were fixing just one of the features,” Medina said in a telephone interview from Bueno Aires. “Every time they [fixed] it, we managed another way to build the attack again.”

Medina said he has fully briefed Microsoft on his latest attack, which he plans to demonstrate at next month’s Black Hat security conference in Washington, DC. Microsoft’s “rapid response team” didn’t reply to an email, but a statement sent to other news outlets said the company is investigating the vulnerability and isn’t aware of it being exploited in the wild.

The hole is difficult to close because the attack exploits an array of features IE users have come to rely on to make web application work seamlessly. Simply removing the features could neuter functions such as online file sharing and active scripting, underscoring the age-old tradeoff between a system’s functionality and its security.

Based on Medina’s characterization, it appears that fixing the weakness will require changes in a Windows network sharing technology known as SMB, or server message block, as well as the way Windows makes file caches available to a wide variety of applications.

“The things we are reporting are not bugs, they are features,” Medina said. “They are needed for many applications to work, so [Microsoft] can’t simply remove or truncate” them.

IE suffers from at least one other long-standing security bug that can enable attacks against people browsing websites that are otherwise safe to view. It can be exploited to introduce XSS, or cross-site scripting, exploits on webpages, allowing attackers to inject malicious content and code. Microsoft has said it’s unaware of this vulnerability being exploited.

Core’s previous advisories contain a number of workarounds, including setting the security level for the internet and intranet zones to high to prevent IE from running scripts or ActiveX controls.

Credit: The Register

Popular technology site TechCrunch was hit by hackers late on Monday, leaving the site temporarily unavailable.

A notice on TechCrunch.com’s front page on Tuesday morning explains that “TechCrunch.com was compromised by a security exploit”. Access to the site’s story archive has been suspended leaving a two para notice on the hack as the only content visible on the site.

Hackers defaced the front page of the site with a message (recorded by Mikko Hypponen of F-Secure) apparently abusing site admins and including a link to a pornographic content and warez linking website.

The problems began for TechCrunch at around 10:30 pm PST on Monday when unknown hackers modified its home page to only display the word “hi.” The page was later changed to read “We’ll be back shortly,” suggesting that webmasters regained control of the website.

After a while, the site was hacked again and a link called “rapidshare downloads” appeared on the home page. The link actually pointed to DupeDB, a known warez website and was subsequently replaced by a “We’ll be back soon” message.

Hackers took over TechCrunch for a third time and left one offensive message accompanied by a link to the illegal content distribution site mentioned before. A final message from staff after this attack was also repelled, saying “Earlier tonight techcrunch.com was compromised by a security exploit. We’re working to identify the exploit and will bring the site back online shortly.”

Specific technical details regarding the incident are lacking, but a DNS hijacking attack similar to those experienced by Twitter and Baidu is out of the question. According to some sources cited by Praetorian Prefect, TechCrunch was using WordPress 2.8.4 at the time of the incident and 2.9.1 after. This apparent platform upgrade suggests that a WordPress vulnerability might have been exploited.

This defacement was removed by site admins who are in the process of identifying the exploit involved in the hack, securing systems, and bringing TechCrunch back online.

The motives or perpetrators of the attack remain unclear but the timing - a day before Apple’s much anticipated iTab launch in San Francisco - could hardly be worse.

TechCrunch returned to business by Tuesday lunchtime. The site has published a story on the attack, which is still under investigation. Hackers redirected traffic as well as leaving a defacement, TechCrunch explains.

Update (Jan. 27): TechCrunch has been hit by potty-mouth hackers for the second time in 24 hours. The second hack features a foul-mouth rant aimed against site founder Michael Arrington. It also includes a link to the same online smut and warez-peddling Torrents site “promoted” via the previous attack.

Credit: The Register, Softpedia.com News

The first hacker to successfully jailbreak the iPhone says he has pulled off yet another modding marvel, this time penetrating the previously impervious PlayStation 3 gaming console.

The hack by 20-year-old George Hotz, aka geohot, is significant because the PS3 was the only game console that hadn’t been hacked, despite being on the market for more than three years. The feat greatly expands the functionality of the box by allowing it to run unrestricted versions of Linux and a wide range of games that are currently forbidden. The hardware and software designer said it took him five weeks to develop the hack using a combination of modifications to the console’s hardware and software.

“Basically, I used hardware to open a small hole and then used software to make the hole the size of the system to get full read/write access,” he said in an interview. “Right now, although the system is broken, I have great power. I can make they system do whatever I want.”

The first three weeks were spent trying attacks to directly access memory of the console. He eventually settled on his current approach after realizing software approaches alone were insufficient.

A dropout of the Rochester Institute of Technology, geohot said he is declining to provide details to prevent Sony from introducing changes that would stymie the modifications. But a blog post announcing the accomplishment makes clear the hack gives users unprecedented control over their systems.

“I have read/write access to the entire system memory, and HV level access to the processor,” geohot wrote. “In other words, I have hacked the PS3.”

The hack will allow PS3 users for the first time to run unrestricted versions of Linux that have full access to the system’s central processing unit and graphical processing unit. That will greatly expand the kinds of things users can do with the console. For starters, they could use the mod to run emulators that will play PS2 games on the machine, something Sony strictly forbids. It could also allow programs like the VLC media player to run much more robustly. The hack also opens the door to pirated games on the console, although geohot said that’s an activity he’s not interested in pursuing.

Geohot said he doesn’t plan to release the software used to unlock the box until he can make it more reliable. It currently takes about 15 minutes to run and frequently fails to work properly. “If I posted what I have now, people would get fed up with it,” he said.

He praised the PS3 as a “pretty secure system,” that was harder to hack than many hardware systems he has penetrated.

While hacks of the Xbox and the iPhone have led to thriving developer communities that release custom applications for the modded devices, geohot said the challenge of overcoming the security overshaddows those more practical outcomes.

“Personally, it’s a win for me just to do it,” he said. “It’s just cool to have it cracked.”

Credit: The Register

Ladbrokes is investigating the loss of thousands of customer details from one of its databases, but is reassuring gamblers that the information did not include bank details or passwords.

The Mail on Sunday was approached by an Australian man named Daniel who claimed to have access to Ladbrokes’ database of 4.5 million customers. Daniel gave the paper 10,000 customer files to show he was serious.

The man, who claimed to represent a Melbourne-based firm, said he had worked for Ladbrokes as a security consultant two years before. He said he’d been given the information by a relatively junior member of staff.

Ladbrokes said passing on the information was a criminal offense and it was working with police and the Information Commissioner’s Office to identify the culprit.

Ladbrokes said: “We are in the process of contacting the limited number of customers affected by this incident to apologise and to reassure them that the data in question does not include passwords to access customer accounts or any customer banking details.”

The Information Commissioner’s Office thanked the paper for bringing the breach to its attention. The ICO said the story showed the need for prison sentences for those convicted of trading in private data.

Credit: The Register

Initially perhaps conceived as a prank targeting a small community of bikers in central Slovakian region, the worm Win32/Zimuse.A and Win32/Zimuse.B has achieved worldwide notoriety. It is a type of threat that overwrites MBR (Master Boot Record) of all available drives with its own data, making the data stored on the user’s computer inaccessible. Moreover, the restoration of the corrupted data is complicated, requiring specialized software or a provider.

Since the worm’s inception, ESET has detected it on hundreds of computers of its users. Initially after the outbreak, only users in Slovakia were affected – accounting for over 90% of all infections. Presently, the greatest number of infected computers is in the United States, followed by Slovakia, Thailand and Spain, followed with Italy, Czech Republic and other European countries.

The worm uses two ways to spread – either via embedding in legitimate websites, in the form of a self-unpacking ZIP file or as an IQ test program, or via Exchangeable media, such as USB devices. The fact that it relies on USB devices to propagate is responsible for its rapid dissemination, which is likely to increase even further.

To date, the worm’s two variants - Win32/Zimuse.A and Win32/Zimuse.B differ in the method of spread and the timing of activation. While the A-variant needs 10 days to start spreading via USB devices, its B-variant needs only 7 days since infiltration. Moreover, the time needed for the execution of the destructive routine is shortened in the B-variant from the original 40 days to 20.

Moreover, if the right removal method is not used, the worm shifts to its destructive mode. This is similar to making the right choice on which wire to cut, and in what sequence in a bomb-defusing operation.

There is a widely held suspicion that the worm was intended to infect the computers of fans of a motorcycle club in the central Slovakian Liptov region, however, it has spread beyond this target group once it started attacking company networks. What’s more, the infiltration was reminiscent of the well-known OneHalf threat in the worm’s behavior, the country of origin (both originating in Slovakia), and the inflicted damage – causing the total paralysis of the system it attacks.

The infiltration does not posses a degree of sophistication that would encrypt the data on the disk, instead it was designed to corrupt the MBR (Master Boot Record) of physical disk drives. It emulates the old-time threats in that it is timed to go off – in this case in 40 days since the infiltration.

Credit: ESET.eu

Domestic appliance manufacturer Whirlpool has come under fire for failing to clean up a malware infection on one of its sites, months after it was notified of a problem by UK anti-virus firm Sophos.

Sophos tried for months to clean-up its Kitchenaid.com website, without success, before going public on the problem on Friday. The kitchen utensil selling site remains infected with the Badsrc-C (AKA Asprox) strain of malware five months after a Sophos customer reported a problem, which the security firm forwarded to the white goods firm.

The malicious script points towards nowhere at present, so there isn’t an immediate risk. The problem is that this may change at any time, hence the need for remedial action that Whirlpool seems reluctant to take.

“I and several of my colleagues have been trying to talk to contacts at KitchenAid and Whirlpool to inform them of the issue and offer assistance. We have consistently hit brick walls,” reports senior Sophos threat analyst Paul Baccas.

Whirlpool’s lack of action is symptomatic of a wider problem. Reports of malware problems on websites are hard even for security firms to send to the right person, are often disregarded and sometimes met with indignation, Baccas writes.

The Asprox strain of malware still lingering on Kitchenaid.com’s website has been linked to phishing spam. SQL injection attacks on vulnerable website have been a preferred method for spreading malware.

Credit: The Register

Board.ie, the most popular forum in Ireland with millions of unique visitors each month, suffered a serious security breach yesterday. As a precaution, the website was taken offline and a password reset was triggered for all registered users.

“Today, Thursday 21 Jan 2010 at 11:20 GMT the Boards.ie database was attacked by a source external to Ireland. […] In this attack, part of the database which includes our members’ usernames, email addresses and obfuscated passwords was accessed. While our investigations indicate that individual user accounts are not in danger we have taken the step of changing all user passwords,” an official announcement reads.

The website administration has been remarkably opened about this incident and seems to treat it very responsibly. It immediately contacted the Gardai (Irish National Police) and the Data Protection Commissioner. No details regarding the specific attack method or origin have been released, as the investigation is in progress.

An independent security consultancy company has also been asked to advise regarding incident response procedure. “Like all large sites we are regularly the target for disruption and take continual actions to proactively protect your data. This particular attack was completely unprecedented despite our rigorous security measures and while we have no idea if this data will be used for any malicious reasons, we felt it vital to tell you this immediately,” the admins write.

The board.ie community website is built using the widely popular vBulletin forum software. Because of the security features implemented on the platform, user passwords were not stored in plain text inside the database. Even so, a decision to have them reset was taken as a precaution.

When the site will be restored, users will have to request new passwords manually. In order to prove their identity, they are required to have access to the e-mail address associated with the account. Admins are still working on an alternative method for cases where users can no longer access the e-mail that was used to register their account with.

The origins of the boards.ie forum date back to 1998, but the site has existed under the current name since 2000. It has over 220,000 registered members who communicate with each other on a variety of topics that touch on all aspects of life.

Credit: Softpedia.com News