In a recent attack on the web server of the BerliOS (Berlin Open Source) open source platform intruders replaced the portal’s home page. The unknown attackers left a message accusing the BerliOS operators of not investing enough time in proper system maintenance – and in protection against attacks.
“Open source mediator” BerliOS, which is part of Fraunhofer Institute (FOKUS), hosts a number of developer projects on its systems. According to the message injected on the now-restored home page, the attackers were also able to access the svn.berlios.de, download.berlios.de and example.sheep.berlios.de servers.
While the intruders said they didn’t manipulate any site content, they pointed out possible manipulations by others. According to the unknown hackers, BerliOS had already had secret visitors in 2005. The attackers said this was indicated by the presence of a developer.php.de.hacker file stored on the web server.
When asked by The H’s associates at heise Security, BerliOS confirmed the manipulation. The operators say that so far, apart from the traces of the intrusion, they have not found any sign of manipulated files. In a brief reply Jörg Schilling, BerliOS employee and developer of the cdrecord open source software, said “Therefore, I currently don’t see a reason to issue a warning”. Schilling didn’t supply any details about the vulnerability the intruders exploited.
Credit: H-Online.com
Google plans to curb its controversial practice of censoring search results in China after uncovering a “highly sophisticated and targeted attack” designed to steal information about human rights activists from its Gmail service and at least 20 other large companies.
The attack that hit Google in mid-December originated in China and was aimed at accessing the Gmail accounts of human rights activists. Although only two email accounts appear to have been breached, “accounts of dozens of US-, China- and Europe-based Gmail users who are advocates of human rights in China” have been routinely breached, most likely as a result of phishing or malware attacks, the company said Tuesday.
The discovery came as Google uncovered similar attacks on at least 20 other companies in the financial, technology, media, and chemical industries. In light of the revelations, Google said it is considering shuttering its Chinese operations altogether.
“These attacks and the surveillance they have uncovered - combined with the attempts over the past year to further limit free speech on the web - have led us to conclude that we should review the feasibility of our business operations in China,” Google’s chief legal officer David Drummond wrote. “We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”
Drummond said Google has already used the investigation findings to introduce security improvements. The company is also in the process of sharing its findings with law enforcement authorities and the other targeted sites.
“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” Drummond wrote.
He didn’t provide details about the two breached Gmail accounts except to say that “activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” The names of the 20 large companies were also omitted.
Google, whose corporate credo is “Don’t be evil,” entered the Chinese market in 2006 with the promise to censor search results that were objectionable to the country’s government.
Credit: The Register
Hackers have stolen the login credentials for more than 8,300 customers of small New York bank after breaching its security and accessing a server that hosted its online banking system.
The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release issued Monday. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB’s total
“Although the intrusion was limited in duration and scope, SCNB immediately isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server,” the bank, located about an hour east of New York City, stated. “To date, SCNB has found no evidence of any unauthorized access to online banking accounts, nor received any reports of unusual activity or reports of financial loss to its customers.”
The breach represents a variation on more traditional types of attacks on online banking. Cyber crooks typically target customers by surreptitiously planting malware on their computers that logs their user name and password. The FBI estimates that small and medium-sized businesses alone have reached $100m.
By contrast, accessing a server that stores online credentials for tens of thousands of customers isn’t the kind of intrusion one hears about every day. Security best practice is clear that passwords should never be stored on servers unless they are encrypted.
The bank began notifying affected customers on Monday evening using first-class mail. The two-week delay “was necessary for making a lot of arrangements so we could come out with an absolutely conclusive statement about what happened,” said Douglas Ian Shaw, the bank’s corporate secretary. Retail customers whose details were lifted will be given two years’ worth of credit monitoring services at SCNB’s expense.
In the fourth quarter, the bank budgeted $351,000, or about 4 cents per share, to account for expenses related to the intrusion. Additional expenses may be incurred.
Credit: The Register
The same group that used a DNS attack to hijack Twitter last month has defaced the home page of Chinese search engine Baidu.
Baidu, formed in 2000, is China’s number one search engine, dominating the home market for online searches - partly because it had a six year head start over Google. As a result of its huge popularity, it’s no wonder that from time to time hackers might try and take advantage of the site, just as top websites can be in the frame for attack in the West.
Surfers visiting the Baidu site on Monday night were confronted by the message “This site has been hacked by Iranian Cyber Army”, together with an image of the Iranian flag. Early speculation suggests the attack involved changing Baidu’s DNS records rather than a direct attack on the site itself, but this remains unconfirmed.
The attack might have been used to point the millions of Chinese users who use Baidu every day towards a site that took advantage of browser exploits to infect computer users with malware. So it’s perhaps fortunate that the Baidu hack involved only political graffiti.
By Tuesday morning, Baidu’s site had been cleaned up.
Credit: The Register, Sophos Blogs
The website of the Pakistani National Response Center for Cyber Crimes was defaced yesterday and hackers mocked the institution through a message on the first page. Furthermore, the attackers claim to have downloaded the database and emails stored on the server.
The National Response Center for Cyber Crimes (NR3C) is operated by the Federal Investigation Agency (FIA), Pakistan’s equivalent of the FBI. The NR3C is similar to the FBI’s Internet Crime Complaint Center (IC3) in that it provides a single point of contact for organizations to report matters related to cyber-crime. It also offers information security training to government as well as private-sector organizations.
The attack was claimed by someone associated with a hacking group called “PAKbugs.” According to Web defacement archive Zone-H, during 2009, this group was responsible for similar attacks against 1,720 websites, some of them belonging to the Pakistani government.
“Your whole database and e-mails are leaked …. i was really excited to read, see what the [expletive] is private in here lOl,” part of the message left on the NR3C reads. “I Guess, Federal Investigation Dept of Pakistan is in Wrong, Untalented Hands !!” the hacker says.
In a post on the pakbugs.com forum, a user named ZombiE_KsA, who identifies himself as one of the founders of the PAKbugs-Crew, has posted some screenshots to substantiate his claims. One of the pictures shows him logged into the cPanel Webmail administration interface on nr3c.gov.pk. Zone-H attributes a total of 168 defacements to ZombiE_KsA, out of which 62 are on high-profile websites.
“It seems that from an amateur penetration test a hacker has access at least to the full email database and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. […] To say this hack has national security implications would not be overstating the matter,” writes Rik Ferguson, solutions architect at antivirus vendor Trend Micro.
It is worth pointing out that pakbugs.com was hacked too, back in September 2009. At the time, an unknown hacker made public a list containing the usernames, e-mail addresses and hashed passwords of all forum members. The PAKbugs forum is a well known cyber-crime hub where people exchange illegal information and programs.
Credit: Softpedia News
Cybercrooks managed to transfer over three million dollars out of the bank accounts of the Duanesburg Central School District over the course of three days in December. The bank managed to recover $2.5 million of the stolen funds, but $500,000 is still missing.
Duanesburg is a town in Schenectady County, New York, with a population of under 6,000. The Duanesburg Central School District serves around 1,000 students and has an annual budget of under $15 million.
District officials learned of the fraudulent transfers when an NBT Bank employee called them on Dec. 22 to confirm several pending overseas transfers totaling $759,000. After stopping the unauthorized transactions, the bank also notified the district that an additional $1,190,400 was transferred out of its accounts on the previous day and another $1,862,400 on December 18.
The district contacted the FBI and the New York State Police, who immediately opened an investigation into the incident. Meanwhile, the bank got in touch with overseas financial institutions and was able to recover $2.5 million of the illegally transferred money.
“Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds,” the district officials wrote in a letter to parents and community members.
The circumstances that led to the compromise of the bank account are yet to be determined, but chances are that it started with a malware infection, like in many similar cases reported last year. However, there are certain aspects of this incident that suggest the fraudsters are not very skilled in such hits.
For starters, the money was transferred in high amounts. In previous cases, the attackers kept transfers under $10,000 to avoid automated systems flagging them. Furthermore, the money was transferred directly to overseas accounts, which made it possible for the bank to recall it. Skilled fraudsters transfer the stolen money to the accounts of local individuals known as “money mules,” who then withdraw and wire it outside of the country. Wire transfers cannot be reversed.
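The two paragraphs above describe the signals a bank’s transaction monitoring is expected to catch: very large transfers, transfers to previously unseen beneficiaries, and the opposite pattern of many sub-threshold transfers to one beneficiary in a day. The code below is an added example written for this page, not anything NBT Bank or Softpedia published, showing a minimal review pass over a constructed batch of outgoing transfers. The $10,000 threshold is the figure the article gives; the beneficiary list and the transfers themselves are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Per-transfer amount the article says fraudsters stay under to avoid automated flags.
THRESHOLD = 10_000

# Constructed sample: beneficiaries the account holder has paid before.
KNOWN_BENEFICIARIES: Set[str] = {"PAYROLL-VENDOR", "BUS-CONTRACTOR"}

# Constructed sample transfers loosely modelled on the article's timeline.
SAMPLE_TRANSFERS: List[Dict] = [
    {"id": "t1", "date": "2009-12-18", "amount": 1_862_400, "overseas": True,  "beneficiary": "ACCT-OVERSEAS-1"},
    {"id": "t2", "date": "2009-12-21", "amount": 1_190_400, "overseas": True,  "beneficiary": "ACCT-OVERSEAS-2"},
    {"id": "t3", "date": "2009-12-22", "amount": 4_000,     "overseas": False, "beneficiary": "ACCT-MULE-1"},
    {"id": "t4", "date": "2009-12-22", "amount": 4_000,     "overseas": False, "beneficiary": "ACCT-MULE-1"},
    {"id": "t5", "date": "2009-12-22", "amount": 4_000,     "overseas": False, "beneficiary": "ACCT-MULE-1"},
    {"id": "t6", "date": "2009-12-22", "amount": 2_500,     "overseas": False, "beneficiary": "PAYROLL-VENDOR"},
]


def review_transfers(transfers: Iterable[Dict], known_beneficiaries: Set[str],
                     threshold: int = THRESHOLD) -> List[Tuple[str, object]]:
    """Return (rule, reference) alerts for transfers a reviewer should hold.

    Rules:
      large_overseas   a single overseas transfer at or above the threshold
      new_beneficiary  money going to an account never paid before
      structured       several sub-threshold transfers to one beneficiary in
                       one day whose total crosses the threshold
    """
    alerts: List[Tuple[str, object]] = []
    # (date, beneficiary) -> [total amount, number of sub-threshold transfers]
    daily = defaultdict(lambda: [0, 0])

    for t in transfers:
        if t["overseas"] and t["amount"] >= threshold:
            alerts.append(("large_overseas", t["id"]))
        if t["beneficiary"] not in known_beneficiaries:
            alerts.append(("new_beneficiary", t["id"]))
        bucket = daily[(t["date"], t["beneficiary"])]
        bucket[0] += t["amount"]
        if t["amount"] < threshold:
            bucket[1] += 1

    for key, (total, small_count) in daily.items():
        # Only a pattern of multiple small transfers counts as structuring;
        # one big transfer is already caught by large_overseas or manual review.
        if small_count >= 2 and total >= threshold:
            alerts.append(("structured", key))
    return alerts


if __name__ == "__main__":
    for rule, ref in review_transfers(SAMPLE_TRANSFERS, KNOWN_BENEFICIARIES):
        print(f"{rule:16} {ref}")
```

Run against the sample, the first two transfers trip both the size and new-beneficiary rules, the three small same-day payments to the same unknown account produce one structuring alert on top of their new-beneficiary alerts, and the routine payroll transfer produces nothing. A real system would also weigh the account’s history and the destination, but the point of the article is that even rules this simple would have held every one of the Duanesburg transfers for a phone call.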
As a precaution, the district closed all of its accounts and opened new ones with restrictions for online access. It is not clear what these restrictions are, but the FBI and the American Bankers Association recently recommended that online banking be made from dedicated computers.
Credit: Softpedia News
On Monday night in San Francisco an information technology consultant named Austin Heap reported on his blog that the official Web site of Iran’s president, Ahmadinejad.ir, had been attacked by hackers.
Mr. Heap, who has been active in the effort to provide Iranians with tools to circumvent Internet censorship this year, wrote that “someone seems to have had their way with Ahmadinejad’s web servers.” Although the Web site appears to be down now, Mr. Heap wrote that, for several hours, people trying to access it were redirected to a page which contained the following message:
Dear God, In 2009 you took my favorite singer - Michael Jackson, my favorite actress - Farrah Fawcett, my favorite actor - Patrick Swayze, my favorite voice - Neda.
Please, please, don’t forget my favorite politician - Ahmadinejad and my favorite dictator - Khamenei in the year 2010. Thank you.
A screen shot of the Web page with that message is available on Mr. Heap’s blog.
In a later update, Mr. Heap wrote that the site was subsequently inaccessible, and speculated that it was “either intentionally pulled or … is simply being overloaded since so many people are looking to grab a peek at the hack.”
The apparent attack comes three weeks after a group calling itself the “Iranian Cyber Army” launched an attack that briefly redirected users of Twitter to a site that displayed a message that seemed to support Iran’s government.
Mr. Heap founded the Censorship Research Center and explained on its Web site that the group’s technological activism was motivated by a desire to help Iranians use the Web despite the efforts of Iran’s government to prevent them from doing so.
On Tuesday, Iran’s state-run Press TV reported that the country’s intelligence ministry has barred citizens from cooperating with a list of 60 European and American foundations it blames for orchestrating the protests that followed last June’s disputed presidential election in Iran. The ministry also claimed that media organizations like the BBC and Voice of America that have broadcast video uploaded to the Web showing demonstrations back into Iran via satellite are doing so as part of a plot to overthrow Iran’s government.
Credit: The Lede Blog - NYTimes.com
Security researchers warn that the Fox Sports website has been compromised by unknown attackers, who injected malicious code into a custom error page. There are two separate offensive script tags, each of them created by a different infection.
The page was detected by the ThreatSeeker Network system developed and operated by Websense, a Web security vendor. Security researchers investigating the suspicious link determined that it was pointing to a custom “Page not Found” document, displayed in case of a 404 error.
Webmasters deploy such pages in order to help visitors who are looking for a Web resource that is no longer available. They include suggestions or search boxes that can be used to find the new location of the document.
The msn.foxsports.com website is operated by the Fox Sports division of the Fox Broadcasting Company and according to Alexa, it is in the top 330 websites in the world as far as traffic goes. This website is ranked at position 88 in the United States and is part of the MSN network.
The first malicious script tag loads a script from an external domain that has been used in cybercriminal operations before. In particular, this script is part of the latest version of a mass injection attack known as Gumblar. Highly obfuscated code is used to perform various checks to determine a visitor’s browser, operating system or installed software, and then execute exploits for known vulnerabilities.
“After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim’s computer. In addition, a piece of VBScript is executed to download malware,” the Websense researchers explain.
The secondary script tag loads a potentially malicious JavaScript file from a .cn domain. However, the server hosting this threat was offline and the security analysts couldn’t determine its nature. The Fox Sports page seems to be clean now, but there is no way of telling for how long this infection ran until it was discovered.
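The infection described above consisted of two script tags that did not belong on the page: one pulling a file from an unrelated external domain and one from a .cn domain. A site owner can catch this kind of injection by auditing every script tag a served page contains against an allow-list of the hosts the site actually uses. The code below is an added example for this page, not Websense’s ThreatSeeker or anything Fox Sports runs; the 404 page, the allowed hosts and the injected URLs are all constructed (the injected hosts use the reserved .example and .invalid names).

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list: hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = ["msn.foxsports.com", "foxsports.com"]

# Constructed custom 404 page with two injected tags and one obfuscated inline block.
SAMPLE_404_PAGE = """
<html><head><title>Page not found</title>
<script src="/js/site.js"></script>
<script src="http://msn.foxsports.com/js/search.js"></script>
<script src="http://injected-1.example/loader.js"></script>
</head><body>
<h1>Sorry, we can't find that page</h1>
<form action="/search"><input name="q"></form>
<script>eval(unescape('%61%6c%65%72%74%28%31%29'))</script>
<script src="http://injected-2.invalid/stat.js"></script>
</body></html>
"""

# Inline-script fragments that are rarely legitimate on a static error page.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(unescape")


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src (if any) and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, Optional[str]]] = []
        self._current: Optional[Dict[str, Optional[str]]] = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "inline": ""}

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data.
        if self._current is not None:
            self._current["inline"] = (self._current["inline"] or "") + data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def host_allowed(host: str, allowed: List[str]) -> bool:
    """Exact match or subdomain of an allowed host."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_scripts(html: str, allowed_hosts: List[str]) -> List[Tuple[str, str]]:
    """Return (finding, detail) for scripts that should not be on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings: List[Tuple[str, str]] = []
    for script in collector.scripts:
        src = script["src"]
        if src:
            host = urlparse(src).hostname or ""
            # Relative URLs (no host) are same-origin and left alone.
            if host and not host_allowed(host, allowed_hosts):
                findings.append(("external_script", src))
        else:
            body = script["inline"] or ""
            if any(marker in body for marker in OBFUSCATION_MARKERS):
                findings.append(("obfuscated_inline", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_scripts(SAMPLE_404_PAGE, ALLOWED_HOSTS):
        print(f"{finding:18} {detail}")
```

Running this over every page a crawler fetches from your own site, including the error pages that a normal crawl never reaches, is the cheap version of what the article says the vendor’s network detected; a diff against yesterday’s script inventory turns an unexpected new domain into an alert the same day rather than months later.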
It is worth noting that a similar issue was found on the MSN Canada website back in June. In that case, a redirect page, invisible to the user, but parsed by the browser, was infected with malicious code.
Credit: Softpedia.com
A Romanian hacker who goes by the handle “unu” has struck again: this time, he demonstrated how a SQL injection vulnerability left personal information in the form of passports exposed on an Intel Corp. Website.
Unu, who previously exposed SQL injection vulnerabilities in The Wall Street Journal and Kaspersky Lab’s Websites, this time focused on an Intel site that runs online registrations for channel partner events. The site, which is currently down, has a message posted that it’s offline for maintenance.
An Intel spokesperson says the company has taken down the site and is “investigating the matter.”
In his blog post on the Intel site’s vulnerability, unu says: “Not only is the website vulnerable to sql injection but it also allows load_file to be executed making it very dangerous because with a little patience, a writable directory can be found and injection a malicious code we get command line access with which we can do virtually anything we want with the website: upload phpshells, redirects, INFECT PAGES WITH TROJAN DROPPERS, even deface the whole website.”
He was able to hack into the front-end Web application and then discovered that server administrators had their passwords stored in clear text, according to the post.
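The flaw unu describes is a registration lookup that splices user input straight into a SQL string. As an added example for this page, not code from Intel’s site or from unu’s post, the block below shows that pattern beside the parameterized form that closes it, using an in-memory SQLite table of constructed attendee rows. SQLite has no equivalent of MySQL’s load_file, so the example demonstrates only the injection itself; the second layer the article implies, a database account without file-read privileges, is a server configuration matter.

```python
import sqlite3
from typing import List, Tuple

# Constructed attendee rows; no real registration data.
SAMPLE_ATTENDEES = [
    (1, "Ada Lovelace", "ada@example.test"),
    (2, "Grace Hopper", "grace@example.test"),
    (3, "Alan Turing", "alan@example.test"),
]


def make_db() -> sqlite3.Connection:
    """In-memory registration table standing in for the event site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendees (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO attendees VALUES (?, ?, ?)", SAMPLE_ATTENDEES)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The defective pattern: user input becomes part of the SQL text.

    Any quote character in `name` changes the meaning of the statement, which
    is what lets a visitor read rows they were never meant to see.
    """
    sql = f"SELECT name, email FROM attendees WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The fix: the statement is fixed text and the value travels as a parameter.

    The database compares the whole string, quotes and all, against the name
    column, so the same input simply matches nothing.
    """
    sql = "SELECT name, email FROM attendees WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"          # constructed input containing a quote
    print(len(lookup_vulnerable(conn, probe)))   # 3: every row comes back
    print(len(lookup_safe(conn, probe)))         # 0: no attendee has that name
    print(lookup_safe(conn, "Ada Lovelace"))     # the intended behaviour still works
```

The two functions differ in one line, and that line is the whole vulnerability class: with the parameterized version the application can be handed any string at all and the query still means what the developer wrote. The clear-text administrator passwords unu reports finding afterwards are a separate defect with the same remedy discussed for the bank breach above: store only salted hashes.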
Security experts at Praetorian Security Group who analyzed Unu’s hack say the most alarming thing about it is a screenshot that appears to show people who registered for an event, along with their passport numbers, birth dates, and credit card types. “Unu acknowledges that he simply is not showing the credit card numbers, expiration dates, and CW/CID codes but they are also in the table,” they blogged.
Daniel Kennedy, a partner with Praetorian, says the site had been defaced before by someone else. “So Intel or the supporting vendor has to take a long look at who besides Unu could have been in that database,” Kennedy says.
“Intel realistically has to notify everyone who could be affected … this is passport and credit card data,” he says.
Credit: DarkReading.com, unu123456.baywords.com
Twitter.com was down Thursday evening, and it appears that the microblogging site may have been a victim of DNS hijacking.
The site, which was inaccessible for about an hour starting around 10 p.m. PST, was defaced with the following image before it was taken offline:
The message at the bottom of the image appears to be written in Perso-Arabic script and when translated to English it read:
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
iRANiAN.CYBER.ARMY@GMAIL.COM
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.
Twitter’s status blog was also inaccessible.
A Twitter update message posted at 11:28 p.m. said the site was “working to recover from an unplanned downtime” and indicated that the incident was indeed a hijacking of Twitter’s DNS records:
Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.
Security has been a thorny issue for Twitter in the past. In January, a hacker hijacked CNN anchor Rick Sanchez’s feed and proclaimed the journalist was “high on crack.” Twitter users have also been the target of a password-stealing phishing scam. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members’ home pages alerting them of the issue.
Certainly, there is a contentious history between Twitter and Iran. In the wake of supposed results of that nation’s presidential election in June, protesters in Iran used Twitter to skirt government filters to report events, express outrage, and get people out to opposition rallies. Twitter even rescheduled some planned downtime in order to stay accessible for Iranian users in the midst of political upheaval at the request of the U.S. Department of State.
Currently Twitter Blog says:
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.
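Both the Twitter incident here and the Baidu defacement earlier on this page turned on a domain’s DNS records being changed at the registrar or DNS provider rather than on the web servers being broken into, which means the site’s own logs show nothing. The usual defence is to pin the expected NS and A records and compare what public resolvers actually return against that baseline at short intervals. The following is an added example for this page, not Twitter’s or CNET’s code: it parses resolver answers in the zone-file style that tools such as dig print, and reports any record that has appeared or vanished. The domain, baseline and observed answers are constructed (using the reserved .test and .invalid names), and a real deployment would feed it live resolver output.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]  # (owner name, record type)

# Constructed baseline: the records the operator knows to be correct.
BASELINE: Dict[RecordKey, Set[str]] = {
    ("example-site.test", "NS"): {"ns1.example-site.test", "ns2.example-site.test"},
    ("www.example-site.test", "A"): {"192.0.2.10", "192.0.2.11"},
}

# Constructed answer section, in the zone-file style dig prints, after a
# hypothetical hijack: one NS replaced and www pointed at a foreign address.
OBSERVED_ANSWERS = """\
;; ANSWER SECTION:
example-site.test.       3600  IN  NS  ns1.example-site.test.
example-site.test.       3600  IN  NS  ns-hijack.invalid.
www.example-site.test.   300   IN  A   198.51.100.7
"""


def parse_answers(text: str) -> Dict[RecordKey, Set[str]]:
    """Turn 'name ttl IN type rdata' lines into {(name, type): {rdata, ...}}."""
    records: Dict[RecordKey, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        # Skip comments, blank lines and anything not in the 5-field answer form.
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        name = parts[0].rstrip(".").lower()
        rtype = parts[3].upper()
        rdata = parts[4].rstrip(".").lower()
        records[(name, rtype)].add(rdata)
    return records


def compare_to_baseline(baseline: Dict[RecordKey, Set[str]],
                        observed: Dict[RecordKey, Set[str]]) -> List[Dict]:
    """One alert per pinned record set that differs from what resolvers return."""
    alerts: List[Dict] = []
    for key, expected in baseline.items():
        seen = observed.get(key, set())
        unexpected = sorted(seen - expected)   # rdata that appeared
        missing = sorted(expected - seen)      # rdata that vanished
        if unexpected or missing:
            alerts.append({"record": key, "unexpected": unexpected, "missing": missing})
    return alerts


def check_dns(baseline: Dict[RecordKey, Set[str]], answer_text: str) -> List[Dict]:
    """Convenience wrapper: parse resolver output and diff it against the baseline."""
    return compare_to_baseline(baseline, parse_answers(answer_text))


if __name__ == "__main__":
    for alert in check_dns(BASELINE, OBSERVED_ANSWERS):
        name, rtype = alert["record"]
        print(f"{name} {rtype}: unexpected={alert['unexpected']} missing={alert['missing']}")
```

A change to the NS set is the strongest signal, because it is exactly what a registrar-account compromise produces and it is visible worldwide within a TTL. Pairing this check with registrar locks and a second-factor on the registrar account addresses the cause; the check only shortens the hour during which visitors are sent somewhere else.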
Credit: CNET News