DivShare, an online service for storing and sharing video, photos, music and documents, has had a security breach. The company announced on its blog tonight that a malicious user had accessed its database, which included user e-mail addresses and other basic profile information.
DivShare is an online file-sharing service with more than half a million members. Signing up is free; members get 5GB of storage and can download 50GB of data from the service per month.
DivShare warned its members about the security breach by email. DivShare temporarily took all members’ files offline and implemented a new security system, though full access to the files has now been restored, the company said.
“No financial information has been accessed by any unauthorized parties. We have taken extreme measures to secure the site in the last 12 hours and are currently in the process of rolling out new security precautions,” the statement said. It adds that the company apologizes for allowing this breach to take place and is taking every precaution available to ensure that this doesn’t happen again.
While it’s good that DivShare provides information about its security breach, it might be hard to trust a company again after it allowed personal information to be accessed by hackers. Although the company quickly resolved the issue, the database remains compromised, and this is probably why DivShare recommends that all users change their account password and the passwords on any private folders as a security precaution.
According to a DivShare website update from 8:30 PM ET, all files are now back online after outages caused by security upgrades. Concerned members of the DivShare service can contact support with any questions.
The Altman Weil online store was compromised by a virus that may have exposed the credit card information of certain store customers. The compromise was discovered on May 16, 2008 by the company that hosts the online store website. The hosting company remains unnamed in the official Maryland State Attorney General breach notification, but the current host of the Altman Weil online store seems to be mindSHIFT.
Upon learning of this unauthorized breach and attack, on that same day, Altman Weil immediately authorized the hosting company to shut the site down so that access was no longer possible. Altman Weil gave assurances that the hosting company has preserved logs and electronic evidence, has logged all actions taken, and has not altered or compromised the systems.
According to the hosting company, the server on which the online store was located was password protected and had current firewalls and security protection, but it seems that what the company calls an “SQL virus” may nonetheless have accessed credit card information.
This attack is currently under investigation in order to fully determine the extent to which credit card information of customers may have been accessed.
Altman Weil notified all card holders by letter of the situation and the possible risk. On May 23, 2008, the company notified the police department in Newtown Square, Pennsylvania, where Altman Weil is located. Also contacted were the Secret Service’s ECTF and Electronic Crimes Working Group, the Attorney General of every state where potentially affected cardholders reside, the Federal Trade Commission, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Board of Governors of the Federal Reserve System.
For more information, Joann Miller at Altman Weil, Inc. can be contacted at 610-886-2006, or via email at: jamiller<at>altmanweil.com.
The website of clothing firm Cotton Traders was hacked earlier this year, and credit card details of up to 38,000 customers were stolen by unidentified attackers. Customer addresses were also stolen in this incident. The firm has not yet released the full details of the breach.
In a statement to BBC News, Cotton Traders said all of its customers’ credit card data was encrypted on the website. The firm brought in industry security experts to resolve the problem and has recently upgraded all security on its website, an upgrade that has been validated by leading industry experts. It added: “We would like to reassure all our customers that their data is secure and that the Cotton Traders website meets all leading Industry security standards.”
The exact method used to hack the Cotton Traders website is unknown. The firm has said customers worried about their cards should contact their card provider.
Hackers broke into the system of South Bend, Ind.-based 1st Source Bank from the outside and compromised a server containing debit card data. The bank is currently reissuing its entire portfolio of debit cards, probably tens of thousands of them.
The $4.5-billion-asset bank with 79 branches in northern Indiana and southern Michigan began alerting customers last month after an outside monitoring service it uses noticed on May 12 an unusual flow of data from a bank server containing debit card data. The server was immediately shut down. The bank notified law-enforcement authorities and hired outside forensic firms to analyze the breach.
The server that holds debit card information transferred information out. It is unclear what percentage of card holders is affected. The hackers got Track 2 data contained on magnetic stripes, including account numbers and PINs in at least some cases. Information on how the hackers tapped the server was not released to the public.
1st Source Bank is sending out letters reminding its customers to check their recent bank account activity. Out of an overabundance of care, the bank is reissuing new MasterCard-branded debit cards to all customers. 1st Source also is offering customers free credit-report monitoring for a year and called in a forensic computer specialist team from the Washington, D.C., area to shut down the breach immediately and to help determine who was behind it.
Bank officials have yet to tally the cost of mailings to customers, creating new debit cards, consultants’ fees, paying for identity theft protection and employee overtime related to the security breach.
So far no fraud has been discovered as a result of the intrusion.
The UK Home Office crime reduction website (crimereduction.homeoffice.gov.uk) was hacked on Monday. The attackers used the hacked website to host an Italian phishing website. A remote file inclusion exploit was used to launch the phishing page off the web server hosting the Crime Reduction website on homeoffice.gov.uk. As a result of the SQL Injection attack, a page resembling the www.poste.it site was served up so that it appeared to come from the homeoffice.gov domain. Poste.it is a website of an Italian bank and is a frequent target of phishing attacks.
According to a net security firm, the phishing fraudsters used the POST method so that data submitted by victims was sent to them. It is unclear why they picked a government page located in the UK to host a phishing attack. Usually phishers pick or register a domain name for the fake website that looks as much as possible like the original website to confuse the victims.
The Home Office pulled the rogue content from its site early on Monday morning. This attack is another example of cybercriminals abusing security exploits on trusted websites to serve up fraudulent content such as fake phishing pages or to install malware. The Home Office crime reduction website joins a long list of other UK government sites and the US Department of Homeland Security website that were abused by attackers in recent months. The fact that this time it is a crime reduction website should be extra-embarrassing for this British government department.
Security pros had to take down the University of Arizona-hosted site after script kiddies replaced the lead blog entry with a message “hacked by VITAL.” The hackers redirected visitors of the Phoenix mission’s official web page and a companion site to a third-party destination. That page gave credit to hackers going by the names BLaSTER and Cr@zy_king.
A spokeswoman for the Phoenix Mars Lander mission says a hacker took over the mission’s public website and replaced its lead news story with a hacker’s signature and a link redirecting visitors to an overseas website. The site, hosted by the University of Arizona, has been taken offline while computer experts work to correct the problem.
Over the past few months, millions of websites, some belonging to the US Department of Homeland Security, the United Nations and the UK Civil Service, have been hit by similar exploits. The attacks aren’t the result of vulnerabilities in the database or web services software provided by Microsoft, Apache and others, but rather in the custom-made web applications.
There are no reports that redirected visitors in this latest episode were exposed to links that attempted to silently install malware on their machines. The Phoenix Mars Lander mission’s security staff have already fixed the defacement.
Comcast.net, the portal of US communications provider Comcast, was hacked on Wednesday night. As a result of the attack Comcast subscribers were unable to access their email or other services through the portal for more than two hours. Comcast is the second biggest ISP in the US and a major provider of cable TV services.
The comcast.net front page was replaced by a greeting from hackers on May 28. The defacement was removed after more than two hours. Users were then confronted by a “page under construction” message before the site was restored in the early hours of Thursday morning. The site remained intermittently unavailable even after this time. The exact mechanism of the attack is still unclear, though an injected iFrame that served up content from sites under the control of hackers is suspected. Some form of DNS redirection attack may also have been involved.
Normally defacement attacks simply involve some text message or an image on a website. However, in the case of the Comcast attack it seems some attempt may have been made to snoop on its users’ login credentials.
There is still a lot of speculation about the details of the attack and why it happened. The defacement was claimed by two hackers who left the following message on a blank white page of Comcast.net: “KRYOGENIKS Defiant and EBK RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven”.
Update: Not only did the hackers hijack Comcast’s domain name for three hours overnight, they also sent subscribers who tried to access webmail and other services to a rogue site that bragged of the exploit.
Comcast lost control of the comcast.net address after the attackers changed registration information stored by its domain registrar, Network Solutions. The unauthorized change redirected people attempting to visit the site to a page that read: “KRYOGENIKS Defiant and EBK RoXed COMCAST. sHouTz To VIRUS Warlock elul21 coll1er seven.” The page was displayed after the attackers altered the site’s IP resolution information, replacing Comcast’s IP address with the rogue address 209.62.20.186. In addition to their cryptic defacement, they altered the address for Comcast’s administrative contact to “69 dick tard lane, dildo room.”
Comcast said there was no immediate evidence that the attackers’ page tried to install malware or steal user credentials. But some reports claimed that email clients were redirected to the impostor address, requesting their login name and password.
It’s still unclear how the attackers accessed the registration settings stored with Network Solutions. A Network Solutions spokeswoman said the company is working with Comcast to figure out how the hackers obtained the login credentials to the account. Comcast is also working with unnamed law enforcement agencies to track down the attackers.
Authorities are investigating the theft of personal information from a computer in a Chester County school district. According to Downingtown Area School District officials, a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9. Numerous files containing the personal information of 70 staff members and several thousand taxpayers were apparently copied and distributed to other students. The files apparently contained salary information and social security numbers.
Police said the students involved in the incident have been identified and the data was safely recovered. The district is working to determine how far the breach reached and to secure its network from future abuse. Officials believe the student was just attempting to see if he could infiltrate the network, not to commit identity theft. As a precaution, all staff members were notified of the incident and told to check their personal data.
At this point it is unclear if the student will face charges.
Users of Stickam.com, a live webcam chat site with more than two million members, many of them teenagers, have been spammed this month with messages that mention Stickam but promote pornographic live video sites. The spam message pretends to be sent by a friend from Stickam and invites victims to send a message to a certain MSN Messenger address. If you send messages to the included address, you get a link to a page promoting one woman’s offerings on SlickCams, a live pornography site that appears to be unrelated to Stickam.
Many of the people receiving the spam are assuming that it is coming from Stickam. Stickam says it is not sending the messages — but it is the source of the e-mail addresses to which they are being sent. Hackers broke into a message board system on the site in November and made off with the addresses that are now getting spam.
The spam attack comes at an awkward time for Stickam, which has developed a reputation as a place where teenagers do things they probably shouldn’t be doing in front of webcams. Its image was not helped by the revelation that it is backed by a large online pornography business.
The hacking problem raises questions about whether the site is doing enough to protect its users’ personal information. Stickam released a statement from its chief executive, Steven Fruchter, saying that the spam was “a result of illegal hacking on an old community forum system, which is no longer used.” Stickam.com has alerted law enforcement authorities and is working closely with them to pursue legal action against those involved. The company was working with “the Secret Service and a specialized Internet security research firm” on a continuing investigation into the hack. Fruchter said that the spam problem should not affect people who have joined the site since the break-in, and that Stickam has taken steps “to ensure this type of event can never happen again.”
Personal information belonging to anybody who got a parking pass at Oklahoma State University (OSU) over the last five years has been compromised, university officials said Wednesday. Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008. The server is believed to have been compromised on November 23, 2007. OSU learned of the breach on March 20, 2008 and blocked access to the server.
Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed. The illegal access was limited to the parking and transit server and currently the confidential information has been removed from the database.
OSU contacted and worked with federal law enforcement authorities and as a result of its investigation, OSU believes the intruder’s purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal or inappropriate content.
After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker. At this point, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
The OSU Parking Department has altered its procedures for the collection of private information. Additionally, the server, which was located at the OSU Parking Service’s office, will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect its network from unauthorized access.