The first hacker to successfully jailbreak the iPhone says he has pulled off yet another modding marvel, this time penetrating the previously impervious PlayStation 3 gaming console.
The hack by 20-year-old George Hotz, aka geohot, is significant because the PS3 was the only game console that hadn’t been hacked, despite being on the market for more than three years. The feat greatly expands the functionality of the box by allowing it to run unrestricted versions of Linux and a wide range of games that are currently forbidden. The hardware and software designer said it took him five weeks to develop the hack using a combination of modifications to the console’s hardware and software.
“Basically, I used hardware to open a small hole and then used software to make the hole the size of the system to get full read/write access,” he said in an interview. “Right now, although the system is broken, I have great power. I can make the system do whatever I want.”
The first three weeks were spent trying attacks to directly access memory of the console. He eventually settled on his current approach after realizing software approaches alone were insufficient.
A dropout of the Rochester Institute of Technology, geohot said he is declining to provide details to prevent Sony from introducing changes that would stymie the modifications. But a blog post announcing the accomplishment makes clear the hack gives users unprecedented control over their systems.
“I have read/write access to the entire system memory, and HV level access to the processor,” geohot wrote. “In other words, I have hacked the PS3.”
The hack will allow PS3 users for the first time to run unrestricted versions of Linux that have full access to the system’s central processing unit and graphics processing unit. That will greatly expand the kinds of things users can do with the console. For starters, they could use the mod to run emulators that will play PS2 games on the machine, something Sony strictly forbids. It could also allow programs like the VLC media player to run much more robustly. The hack also opens the door to pirated games on the console, although geohot said that’s an activity he’s not interested in pursuing.
Geohot said he doesn’t plan to release the software used to unlock the box until he can make it more reliable. It currently takes about 15 minutes to run and frequently fails to work properly. “If I posted what I have now, people would get fed up with it,” he said.
He praised the PS3 as a “pretty secure system” that was harder to hack than many hardware systems he has penetrated.
While hacks of the Xbox and the iPhone have led to thriving developer communities that release custom applications for the modded devices, geohot said the challenge of overcoming the security overshadows those more practical outcomes.
“Personally, it’s a win for me just to do it,” he said. “It’s just cool to have it cracked.”
Credit: The Register
Boards.ie, the most popular forum in Ireland with millions of unique visitors each month, suffered a serious security breach yesterday. As a precaution, the website was taken offline and a password reset was triggered for all registered users.
“Today, Thursday 21 Jan 2010 at 11:20 GMT the Boards.ie database was attacked by a source external to Ireland. […] In this attack, part of the database which includes our members’ usernames, email addresses and obfuscated passwords was accessed. While our investigations indicate that individual user accounts are not in danger we have taken the step of changing all user passwords,” an official announcement reads.
The website administration has been remarkably open about this incident and seems to be treating it very responsibly. It immediately contacted the Gardaí (Irish National Police) and the Data Protection Commissioner. No details regarding the specific attack method or origin have been released, as the investigation is in progress.
An independent security consultancy company has also been asked to advise regarding incident response procedure. “Like all large sites we are regularly the target for disruption and take continual actions to proactively protect your data. This particular attack was completely unprecedented despite our rigorous security measures and while we have no idea if this data will be used for any malicious reasons, we felt it vital to tell you this immediately,” the admins write.
The Boards.ie community website is built using the widely popular vBulletin forum software. Because of the security features implemented on the platform, user passwords were not stored in plain text inside the database. Even so, a decision to have them reset was taken as a precaution.
When the site is restored, users will have to request new passwords manually. In order to prove their identity, they are required to have access to the e-mail address associated with the account. Admins are still working on an alternative method for cases where users can no longer access the e-mail address used to register their account.
The origins of the boards.ie forum date back to 1998, but the site has existed under the current name since 2000. It has over 220,000 registered members who communicate with each other on a variety of topics that touch on all aspects of life.
Credit: Softpedia.com News
Network Solutions announced that several hundred websites hosted on its infrastructure fell victim in a mass defacement attack during the past several days. Preliminary findings suggest that a remote file inclusion technique was used to compromise several of the company’s Unix servers.
Network Solutions is one of the top five Internet domain name registrars, managing around 6.5 million domains as of January 2009. Apart from its successful domain registration business, the company also offers other services such as Web hosting, ecommerce and online marketing solutions.
The problems began for Network Solutions last weekend when several customers reported their websites being defaced by hacktivists. Most of the attacked websites had anti-Israel messages posted on their home page and displayed violent images.
At first, the Internet firm thought a vulnerability in a Web application shared by these websites might be the culprit. “We are running a scan to see if we can proactively determine if any hosting accounts are impacted. Proponents of malware and hacking commonly look for websites with vulnerabilities. These include weak passwords, third party applications that aren’t up to date or sometimes weakness could emanate from lack of updated anti-virus software on PCs,” Shashi Bellamkonda, the company’s director for social/new media strategy, wrote on Sunday.
However, it appears that these attacks were made possible by the configuration of the hosting servers themselves, which opened a remote file inclusion (RFI) weakness. Such vulnerabilities stem from improper validation of values passed in via the $_GET or $_POST variables under certain PHP configurations.
“Hackers were able to add a file displaying illegitimate content on top of the customer website content. This was an issue on multiple servers and unknown intruders were able to get through by using a file inclusion technique. There was no danger to any personally identifiable or secure information,” Mr. Bellamkonda announced yesterday in an update on the company’s blog.
Network Solutions is working with affected customers to restore their websites and is closely monitoring the threat. It has yet to decide whether the best course of action is to make permanent changes to the configuration of its servers, a decision that might affect the functionality of existing websites.
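As an added illustration (not Network Solutions’ code; the page names, file paths and the attacker host are constructed), the include pattern that creates a remote file inclusion weakness, beside an allowlisted version that never lets a request value reach include(), plus a check of the PHP setting that permits remote includes:

```php
<?php
// Added example, not code from the article or from Network Solutions.
declare(strict_types=1);

// VULNERABLE PATTERN: a request parameter decides what gets included. If the
// server runs with allow_url_fopen=On and allow_url_include=On, the value may
// be a URL, and PHP fetches and executes whatever that URL serves.
function vulnerable_include(array $request): void
{
    $page = $request['page'] ?? 'home';
    include $page . '.php';          // untrusted value reaches include()
}

// HARDENED: map request values onto a fixed set of local files and reject
// everything else. The path handed to include() contains no user bytes.
// (Page names and paths are constructed for this example.)
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(array $request): string
{
    $page = $request['page'] ?? 'home';
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        throw new InvalidArgumentException('unknown page');
    }
    return PAGES[$page];
}

// Defence in depth: even with an allowlist, the server-side switch that lets
// include() open remote URLs should be off (check it in php.ini as well).
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample requests: one legitimate, one carrying an external URL
// (attacker.example is a placeholder, not a real host).
$samples = [
    ['page' => 'contact'],
    ['page' => 'http://attacker.example/payload.txt'],
    ['page' => ['nested' => 'array']],   // arrays are possible in $_GET too
];
foreach ($samples as $req) {
    $label = is_string($req['page']) ? $req['page'] : 'array value';
    try {
        printf("%-40s -> %s\n", $label, resolve_page($req));
    } catch (InvalidArgumentException $e) {
        printf("%-40s -> rejected (%s)\n", $label, $e->getMessage());
    }
}
printf("allow_url_include is currently %s\n", remote_include_enabled() ? 'ON' : 'off');
```

Running it with `php` from the command line prints one resolved local path and two rejections; only the allowlist key ever selects a file.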
Credit: Softpedia.com News
In a recent attack on the web server of the BerliOS (Berlin Open Source) open source platform, intruders replaced the portal’s home page. The unknown attackers left a message accusing the BerliOS operators of not investing enough time in proper system maintenance – and in protection against attacks.
“Open source mediator” BerliOS, which is part of the Fraunhofer Institute (FOKUS), hosts a number of developer projects on its systems. According to the injected message on the now-restored home page, the attackers were also able to access the svn.berlios.de, download.berlios.de and example.sheep.berlios.de servers.
While the intruders said they didn’t manipulate any site content, they pointed out possible manipulations by others. According to the unknown hackers, BerliOS had already had secret visitors in 2005. The attackers said this was indicated by the presence of a developer.php.de.hacker file stored on the web server.
When asked by The H’s associates at heise Security, BerliOS confirmed the manipulation. The operators say that so far, apart from the traces of the intrusion, they have not found any sign of manipulated files. In a brief reply Jörg Schilling, BerliOS employee and developer of the cdrecord open source software said “Therefore, I currently don’t see a reason to issue a warning”. Schilling didn’t supply any details about the vulnerability the intruders exploited.
Credit: H-Online.com
Google plans to curb its controversial practice of censoring search results in China after uncovering a “highly sophisticated and targeted attack” designed to steal information about human rights activists from its Gmail service and at least 20 other large companies.
The attack that hit Google in mid-December originated in China and was aimed at accessing the Gmail accounts of human rights activists. Although only two email accounts appear to have been breached, “accounts of dozens of US-, China- and Europe-based Gmail users who are advocates of human rights in China” have been routinely breached, most likely as a result of phishing or malware attacks, the company said Tuesday.
The discovery came as Google uncovered similar attacks on at least 20 other companies in the financial, technology, media, and chemical industries. In light of the revelations, Google said it is considering shuttering its Chinese operations altogether.
“These attacks and the surveillance they have uncovered - combined with the attempts over the past year to further limit free speech on the web - have led us to conclude that we should review the feasibility of our business operations in China,” Google’s chief legal officer David Drummond wrote. “We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”
Drummond said Google has already used the investigation findings to introduce security improvements. The company is also in the process of sharing its findings with law enforcement authorities and the other targeted sites.
“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” Drummond wrote.
He didn’t provide details about the two breached Gmail accounts except to say that “activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” The names of the 20 large companies were also omitted.
Google, whose corporate credo is “Don’t be evil,” entered the Chinese market in 2006 with the promise to censor search results that were objectionable to the country’s government.
Credit: The Register
Hackers have stolen the login credentials for more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system.
The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release issued Monday. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB’s total
“Although the intrusion was limited in duration and scope, SCNB immediately isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server,” the bank, located about an hour east of New York City, stated. “To date, SCNB has found no evidence of any unauthorized access to online banking accounts, nor received any reports of unusual activity or reports of financial loss to its customers.”
The breach represents a variation on more traditional types of attacks on online banking. Cyber crooks typically target customers by surreptitiously planting malware on their computers that logs their user name and password. The FBI estimates that losses from such attacks among small and medium-sized businesses alone have reached $100m.
By contrast, accessing a server storing online credentials for tens of thousands of customers isn’t the kind of intrusion one hears about every day. Best security practices are clear that passwords should never be stored on servers unless they are encrypted.
The bank began notifying affected customers on Monday evening using first-class mail. The two-week delay “was necessary for making a lot of arrangements so we could come out with an absolutely conclusive statement about what happened,” said Douglas Ian Shaw, the bank’s corporate secretary. Retail customers whose details were lifted will be given two years worth of credit monitoring services at SCNB’s expense.
In the fourth quarter, the bank budgeted $351,000, or about 4 cents per share, to account for expenses related to the intrusion. Additional expenses may be incurred.
Credit: The Register
The same group that used a DNS attack to hijack Twitter last month has defaced the home page of Chinese search engine Baidu.
Baidu, formed in 2000, is China’s number one search engine, dominating the home market for online searches - partly because it had a six-year head start over Google. As a result of its huge popularity, it’s no wonder that from time to time hackers might try to take advantage of the site, just as top websites can be in the frame for attack in the West.
Surfers visiting the Baidu site on Monday night were confronted by the message “This site has been hacked by Iranian Cyber Army”, together with an image of the Iranian flag. Early speculation suggests the attack involved changing Baidu’s DNS records rather than a direct attack on the site itself, but this remains unconfirmed.
The attack might have been used to point the millions of Chinese users who use Baidu every day towards a site that took advantage of browser exploits to infect computer users with malware. So it’s perhaps fortunate that the Baidu hack involved only political graffiti.
By Tuesday morning, Baidu’s site had been cleaned up.
Credit: The Register, Sophos Blogs
The website of the Pakistani National Response Center for Cyber Crimes was defaced yesterday and hackers mocked the institution through a message on the first page. Furthermore, the attackers claim to have downloaded the database and emails stored on the server.
The National Response Center for Cyber Crimes (NR3C) is operated by the Federal Investigation Agency (FIA), Pakistan’s equivalent of the FBI. The NR3C is similar to the FBI’s Internet Crime Complaint Center (IC3) in that it provides a single point of contact for organizations to report matters related to cyber-crime. It also offers information security training to government as well as private sector organizations.
The attack was claimed by someone associated with a hacking group called “PAKbugs.” According to Web defacement archive Zone-H, during 2009, this group was responsible for similar attacks against 1,720 websites, some of them belonging to the Pakistani government.
“Your whole database and e-mails are leaked …. i was really excited to read, see what the [expletive] is private in here lOl,” part of the message left on the NR3C reads. “I Guess, Federal Investigation Dept of Pakistan is in Wrong, Untalented Hands !!” the hacker says.
In a post on the pakbugs.com forum, a user named ZombiE_KsA, who identifies himself as one of the founders of the PAKbugs-Crew, has posted some screenshots to substantiate his claims. One of the pictures shows him logged into the cPanel Webmail administration interface on nr3c.gov.pk. Zone-H attributes a total of 168 defacements to ZombiE_KsA, out of which 62 are on high-profile websites.
“It seems that from an amateur penetration test a hacker has access at least to the full email database and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. […] To say this hack has national security implications would not be overstating the matter,” writes Rik Ferguson, solutions architect at antivirus vendor Trend Micro.
It is worth pointing out that pakbugs.com was hacked too, back in September 2009. At the time, an unknown hacker made public a list containing the usernames, e-mail addresses and hashed passwords of all forum members. The PAKbugs forum is a well known cyber-crime hub where people exchange illegal information and programs.
Credit: Softpedia News
Cybercrooks managed to transfer over three million dollars out of the bank accounts of the Duanesburg Central School District over the course of three days in December. The bank managed to recover $2.5 million of the stolen funds, but $500,000 is still missing.
Duanesburg is a town in Schenectady County, New York, with a population of under 6,000. The Duanesburg Central School District serves around 1,000 students and has an annual budget of under $15 million.
District officials learned of the fraudulent transfers when an NBT Bank employee called them on Dec. 22 to confirm several pending overseas transfers totaling $759,000. After stopping the unauthorized transactions, the bank also notified the district that an additional $1,190,400 had been transferred out of its accounts on the previous day and another $1,862,400 on December 18.
The district contacted the FBI and the New York State Police, who immediately opened an investigation into the incident. Meanwhile, the bank got in touch with overseas financial institutions and was able to recover $2.5 million of the illegally transferred money.
“Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds,” the district officials wrote in a letter to parents and community members.
The circumstances that led to the compromise of the bank account are yet to be determined, but chances are that it started with a malware infection, like in many similar cases reported last year. However, there are certain aspects of this incident that suggest the fraudsters are not very skilled in such hits.
For starters, the money was transferred in high amounts. In previous cases, the attackers kept transfers under $10,000 to avoid automated systems flagging them. Furthermore, the money was transferred directly to overseas accounts, which made it possible for the bank to recall it. Skilled fraudsters transfer the stolen money to the accounts of local individuals known as “money mules,” who then withdraw and wire it outside of the country. Wire transfers cannot be reversed.
As a precaution, the district closed all of its accounts and opened new ones with restrictions on online access. It is not clear what these restrictions are, but the FBI and the American Bankers Association recently recommended that online banking be done from dedicated computers.
Credit: Softpedia News
On Monday night in San Francisco an information technology consultant named Austin Heap reported on his blog that the official Web site of Iran’s president, Ahmadinejad.ir, had been attacked by hackers.
Mr. Heap, who has been active in the effort to provide Iranians with tools to circumvent Internet censorship this year, wrote that “someone seems to have had their way with Ahmadinejad’s web servers.” Although the Web site appears to be down now, Mr. Heap wrote that, for several hours, people trying to access it were redirected to a page which contained the following message:
Dear God, In 2009 you took my favorite singer - Michael Jackson, my favorite actress - Farrah Fawcett, my favorite actor - Patrick Swayze, my favorite voice - Neda.
Please, please, don’t forget my favorite politician - Ahmadinejad and my favorite dictator - Khamenei in the year 2010. Thank you.
A screen shot of the Web page with that message is available on Mr. Heap’s blog.
In a later update, Mr. Heap wrote that the site was subsequently inaccessible, and speculated that it was “either intentionally pulled or … is simply being overloaded since so many people are looking to grab a peek at the hack.”
The apparent attack comes three weeks after a group calling itself the “Iranian Cyber Army” launched an attack that briefly redirected users of Twitter to a site that displayed a message that seemed to support Iran’s government.
Mr. Heap founded the Censorship Research Center and explained on its Web site that the group’s technological activism was motivated by a desire to help Iranians use the Web despite the efforts of Iran’s government to prevent them from doing so.
On Tuesday, Iran’s state-run Press TV reported that the country’s intelligence ministry has barred citizens from cooperating with a list of 60 European and American foundations it blames for orchestrating the protests that followed last June’s disputed presidential election in Iran. The ministry also claimed that media organizations like the BBC and Voice of America that have broadcast video uploaded to the Web showing demonstrations back into Iran via satellite are doing so as part of a plot to overthrow Iran’s government.
Credit: The Lede Blog - NYTimes.com