CyberInsecure.com

Archive for the ‘Hacked’ Category

Cybercrooks managed to transfer over three million dollars out of the bank accounts of the Duanesburg Central School District over the course of three days in December. The bank managed to recover $2,5 million of the stolen funds, but $500,000 are still missing.

Duanesburg is a town in Schenectady County, New York, with a population of under 6,000. The Duanesburg Central School District serves around 1,000 students and has an annual budget of under $15 million.

District officials learned of the fraudulent transfers when a NBT Bank employee called them on Dec. 22 to confirm several pending overseas transfers totaling $759,000. After stopping the unauthorized transactions, the bank also notified the district that an additional $1,190,400 was transferred out of its accounts on the previous day and another $1,862,400 on December 18.

The district contacted the FBI and the New York State Police, who immediately opened an investigation into the incident. Meanwhile, the bank got in touch with overseas financial institutions and was able to recover $2.5 million of the illegally transferred money.

“Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds,” the district officials wrote in a letter to parents and community members.

The circumstances that led to the compromise of the bank account are yet to be determined, but chances are that it started with a malware infection, like in many similar cases reported last year. However, there are certain aspects of this incident that suggest the fraudsters are not very skilled in such hits.

For starters, the money was transferred in high amounts. In previous cases, the attackers kept transfers under $10,000 to avoid automated systems flagging them. Furthermore, the money was transferred directly to overseas accounts, which made it possible for the bank to recall it. Skilled fraudsters transfer the stolen money to the accounts of local individuals known as “money mules,” who then withdraw and wire it outside of the country. Wire transfers cannot be reversed.

As a precaution, the district closed all of its accounts and opened new ones with restrictions for online access. It is not clear what these restrictions are, but the FBI and the American Bankers Association recently recommended that online banking be made from dedicated computers.

Credit: Softpedia News

On Monday night in San Francisco an information technology consultant named Austin Heap reported on his blog that the official Web site of Iran’s president, Ahmadinejad.ir, had been attacked by hackers.

Mr. Heap, who has been active in the effort to provide Iranians with tools to circumvent Internet censorship this year, wrote that “someone seems to have had their way with Ahmadinejad’s web servers.” Although the Web site appears to be down now, Mr. Heap wrote that, for several hours, people trying to access it were redirected to a page which contained the following message:

Dear God, In 2009 you took my favorite singer - Michael Jackson, my favorite actress - Farrah Fawcett, my favorite actor - Patrick Swayze, my favorite voice - Neda.
Please, please, don’t forget my favorite politician - Ahmadinejad and my favorite dictator - Khamenei in the year 2010. Thank you.

A screen shot of the Web page with that message is available on Mr. Heap’s blog.

In a later update, Mr. Heap wrote that the site was subsequently inaccessible, and speculated that it was “either intentionally pulled or … is simply being overloaded since so many people are looking to grab a peek at the hack.”

The apparent attack comes three weeks after a group calling itself the “Iranian Cyber Army” launched an attack that briefly redirected users of Twitter to a site that displayed a message that seemed to support Iran’s government.

Mr. Heap founded the Censorship Research Center and explained on its Web site that the group’s technological activism was motivated by a desire to help Iranians use the Web despite the efforts of Iran’s government to prevent them from doing so.

On Tuesday, Iran’s state-run Press TV reported that the country’s intelligence ministry has barred citizens from cooperating with a list of 60 European and American foundations it blames for orchestrating the protests that followed last June’s disputed presidential election in Iran. The ministry also claimed that media organizations like the BBC and Voice of America that have broadcast video uploaded to the Web showing demonstrations back into Iran via satellite are doing so as part of a plot to overthrow Iran’s government.

Credit: The Lede Blog - NYTimes.com

Security researchers warn that the Fox Sports website has been compromised by unknown attackers, who injected malicious code into a custom error page. There are two separate offensive script tags, each of them created by a different infection.

The page was detected by the ThreatSeeker Network system developed and operated by Websense, a Web security vendor. Security researchers investigating the suspicious link determined that it was pointing to a custom “Page not Found” document, displayed in case of a 404 error.

Webmasters deploy such pages in order to help visitors who are looking for a Web resource that is no longer available. They include suggestions or search boxes that can be used to find the new location of the document.

The msn.foxsports.com website is operated by the Fox Sports division of the Fox Broadcasting Company and according to Alexa, it is in the top 330 websites in the world as far as traffic goes. This website is ranked at position 88 in the United States and is part of the MSN network.

The first malicious script tag loads a script for an external domain used in cybercriminal operations before. In particular, this script is part of the latest version of a mass injection attack known as Gumblar. Highly obfuscated code is used to perform various checks to determine a visitor’s browser, operating system or installed software, and then execute exploits for known vulnerabilities.

“After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim’s computer. In addition, a piece of VBScript is executed to download malware,” the Websense researchers explain.

The secondary script tag loads a potentially malicious JavaScript file from a .cn domain. However, the server hosting this threat was offline and the security analysts couldn’t determine its nature. The Fox Sports page seems to be clean now, but there is no way of telling for how long this infection ran until it was discovered.

It is worth noting that a similar issue was found on the MSN Canada website back in June. In that case, a redirect page, invisible to the user, but parsed by the browser, was infected with malicious code.

Credit: Softpedia.com

A Romanian hacker who goes by the handle “unu” has struck again: this time, he demonstrated how a SQL injection vulnerability left personal information in the form of passports exposed on an Intel Corp. Website.

Unu, who previously exposed SQL injection vulnerabilities in The Wall Street Journal and Kaspersky Lab’s Websites, this time focused on an Intel site that runs online registrations for channel partner events. The site, which is currently down, has a message posted that it’s offline for maintenance.

An Intel spokesperson says the company has taken down the site and is “investigating the matter.”

In his blog post on the Intel site’s vulnerability, unu says: “Not only is the website vulnerable to sql injection but it also allows load_file to be executed making it very dangerous because with a little patience, a writable directory can be found and injection a malicious code we get command line access with which we can do virtually anything we want with the website: upload phpshells, redirects, INFECT PAGES WITH TROJAN DROPPERS, even deface the whole website.”

He was able to hack into the front-end Web application and then discovered that server administrators had their passwords stored in clear text, according to the post.

Security experts at Praetorian Security Group who analyzed Unu’s hack say most alarming about the hack is a screenshot that appears to show people who registered for an event, along with their passport numbers, birth dates, and credit card types. “Unu acknowledges that he simply is not showing the credit card numbers, expiration dates, and CW/CID codes but they are also in the table,” they blogged.

Daniel Kennedy, a partner with Praetorian, says the site had been defaced before by someone else before. “So Intel or the supporting vendor has to take a long look at who besides Unu could have been in that database,” Kennedy says.

“Intel realistically has to notify everyone who could be affected … this is passport and credit card data,” he says.

Credit: DarkReading.com, unu123456.baywords.com

Twitter.com was down Thursday evening, and it appears that the microblogging site may have been a victim of DNS hijacking.

The site, which was inaccessible for about an hour starting around 10 p.m. PST, was defaced with the following image before it was taken offline:

The message at the bottom of the image appears to be written in Perso-Arabic script and when translated to English it read:

Iranian Cyber Army

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?

WE PUSH THEM IN EMBARGO LIST

Take Care.

Twitter’s status blog was also inaccessible.

A Twitter update message posted at 11:28 p.m. said the site was “working to recovery from an unplanned downtime” and indicated that the incident was indeed a hijacking of Twitter’s DNS records:

Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.

Security has been a thorny issue for Twitter in the past. In January, a hacker hijacked CNN anchor Rick Sanchez’s feed and proclaimed the journalist was “high on crack.” Twitter users have also been the target of a password-stealing phishing scam. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members’ home pages alerting them of the issue.

Certainly, there is a contentious history between Twitter and Iran. In the wake of supposed results of that nation’s presidential election in June, protesters in Iran used Twitter to skirt government filters to report events, express outrage, and get people out to opposition rallies. Twitter even rescheduled some planned downtime in order to stay accessible for Iranian users in the midst of political upheaval at the request of the U.S. Department of State.

Currently Twitter Blog says:

As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.

Credit: CNET News

Millions of user passwords to social networking sites have been exposed, after a serious SQL injection flaw on the Rockyou.com website left login details - stored in plain text - up for grabs.

RockYou - which develops apps for social networking sites including Facebook, Bebo and MySpace - stored usernames, passwords and email addresses in plain text. That’s bad enough in itself, but then an SQL injection flaw on RockYou’s website exposed the information to prying eyes.

Amichai Shulman, chief technology officer with the data security firm Imperva, said the passwords exposed will often be the same as those users utilize for webmail accounts associated with their social networking profiles, creating yet more potential problems.

The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.

The database consists of a table containing partner data, and another table that has stored the credentials for those partner sites that users have entered. This includes social networks such as MySpace but also webmail accounts.

The initial exploit took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade. The method of vulnerability is extremely basic in execution, yet catastrophic in impact – which RockYou, and the sites users, are now learning the hard way. It is more of a surprise that this had not happen sooner – as the RockYou platform is a swiss cheese of security vulnerabilities and poor practices.

“The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database… since the user names and passwords are by default the same as the user’s webmail account — such as Hotmail, Yahoo or Gmail — this is a major lapse in security,” Shulman said.

“Unfortunately some accounts had already been compromised before the vulnerability was fixed,” Shulman said. “All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk.”

It’s unclear why RockYou left passwords on its systems without encrypting them in the first place. We dropped a note to the developers asking for a response on this point on Tuesday, but are yet to hear back. We’ll update this story as and when we know more.

RockYou has reportedly fixed the issue, but this may have come too late for some.

Credit: The Register, TechCrunch.com

Miscreants took advantage of weak security to hack into two NASA-run websites over the weekend.

The websites of NASA’s Instrument Systems and Technology unit and Software Engineering division were broken into and screenshots illustrating the hack posted online. Hackers appear to have taken advantage of SQL Injection flaws and poor access controls in mounting the attack, reports Gunter Ollmann, an ex-IBM security expert who is now VP of Research at security firm Damballa.

Obfuscated screenshots from the hack were subsequently posted onto a full disclosure mailing list.

The motives and perpetrators of the attack remain unclear at the time of writing. Messing around with sites run by the space agency is a risky business for hackers, as Gary McKinnon and others have discovered, though whether anything will happen over the latest break-in is unclear.

Credit: The Register

A Swiss iPhone developer has released a new application that is capable of harvesting huge amounts of personal data from iPhones, including geolocation data, passwords, address book entries and email account information, all using just the public API.

The application, called SpyPhone, uses the public iPhone API that Apple made available for application developers, and does not need any exploits or hardware attacks in order to access the iPhone’s data. Instead, SpyPhone relies on using the iPhone’s usability and depth of features to its advantage. Once an application is on an iPhone, it has unfettered access to much of the data and settings on the device, a circumstance that SpyPhone’s developer, Nicolas Seriot, exploited.

Seriot has posted the source code for SpyPhone online and gave a talk about SpyPhone’s capabilities at a security conference this week. All of SpyPhone’s operations are conducted in the background, without the knowledge of the iPhone’s user, and the application can be set to email reports on each infected phone back to the attacker.

Once on the iPhone, the application begins looking at the stored data that’s available in various other programs, such as the email address book and the keyboard cache, which keeps a record of every keystroke the user enters in a non-password field, Seriot said. This data normally is used for the iPhone’s autocomplete feature, but can be a gold mine of information for an attacker searching for intelligence on the iPhone’s owner.

By default, the iPhone will tag any photos taken with the device with the date and location of the picture. The user can turn this feature off, but if it’s enabled, SpyPhone can access that data, as well as the log of which WiFi hotspots the device has connected to. All of this gives the attacker a better picture of the iPhone’s owner, his location and his interests, which is valuable data.

Apple has taken pains to keep strict control over what applications can run on the iPhone, but malicious apps have been found in the company’s AppStore in the past. And while Apple has to approve all of the programs in the AppStore, users who have jailbroken iPhones can run any app they choose on their devices. That leaves plenty of opportunity for seemingly innocuous apps that contain malicious components.

Credit: Threatpost.com

UK-based web host Daily has largely restored services following an apparent hack attack on Thursday that replaced content on some sites it hosts with pictures of cartoon penguins. Every file that included ‘index’ and ‘php’ in the name, including those invisible to Google, were defaced.

The images of Linux penguin Tux parodied the ‘hear/see/speak no evil’ monkeys”. Text included on the defacements claimed the hack in the name of ‘Heart_Hunter - TH3_H4TTAB’.

Customers were advised to restore their sites from back-up copies. Daily has begun an investigation into the attack, which bears the hallmarks of a mass defacement. Groups of websites are regularly defaced by TH3_H4TTAB, as defacement archive Zone-H records. In many cases eastern folk music is uploaded onto compromised sites.

A status page on Daily’s status site (http://www.dailystatus.co.uk/) explains: “We have received reports this [Thursday] morning of a small number of customer websites having their index or start page replaced with an image and in some cases text as well.”

The host completed the restore process by 21:00 on Thursday. Daily modified its PHP build as a security precaution. Services were largely restored on Friday but may proceed more slowly than possible after some servers were taken offline in order to mount an ongoing security investigation, a status update from Daily explains:

We are confident there will be no repeat events as all servers are locked down.

Some websites (in particular Database driven sites) will be running at slower speeds as we have taken some web servers from our cluster to carry on with our investigations and diagnosis.

Credit: The Register

A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

According to the hacker an insecure parameter of a script from the pcd.symantec.com website allows for a blind SQL injection attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

During a regular SQL injection attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.

The content of the pcd.symantec.com website is written in Japanese and it serves a product called Norton PC Doctor. Accessing most of the website’s sections requires authentication, and in order to exploit the blind SQL vulnerability, the hacker had to use a few specialized tools. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2000 as database back-end.

From the screen shots released by the hacker there are many potentially interesting databases, but the one he chose to look at is called “symantecstore.” One of the tables in this database is named “PaymentInformationInfo” and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName or SecurityIndicator.

For demonstration purposes, the hacker extracted 6 of these entries at random, revealing customer names and login credentials with the passwords stored in plain text; a major security oversight. The hacker also notes that passwords for the accounts in a different table called TB_EMPLOYEE are also stored in a similar insecure way. There are 122,152 entries in the SerialNumber column.

Symantec has confirmed the existence of a vulnerabiliy in the pcd.symantec.com:

“A SQL injection vulnerability has been identified at pcd.symantec.com. The Web site facilitates customer support for users of Symantec’s Norton-branded products in Japan and South Korea only. This incident does not affect Symantec customers anywhere else in the world.

“This incident impacts customer support in Japan and South Korea but does not affect the safety and usage of Symantec’s Norton-branded consumer products. Symantec is currently in the process of updating the Web site with appropriate security measures and will bring it back online as soon as possible. Symantec is still investigating the incident has no further details to share at this time.”

Credit: Softpedia News