Facebook’s security team has introduced a new security-related warning feature that alerts users about potentially malicious third-party websites they are about to visit. Facebook is persistently under attack from phishers and malware authors, who look for creative ways to exploit Facebook’s huge user base.
The new Facebook feature adds a warning message to links it suspects of being spam or phishing. The message states: “You are about to leave Facebook to visit this address. For the safety and privacy of your Facebook account, remember to never enter your password unless you’re on the real Facebook web site”.
The new feature should slow down ongoing malicious campaigns and make the user think twice before clicking further. Just last August, several worms used Facebook to propagate and infect users. This security improvement arrives just in time, since Trend Micro recently stumbled upon another Facebook phishing site, probably one of a few thousand. The page looks very similar to the actual Facebook login page and asks users to log into their accounts by entering their email addresses and passwords. After providing the required information, users are led to the legitimate Facebook site, tricking them into thinking that their account information is still safe from malicious users, when in fact it has already been stolen.
The theft happens when users enter their account credentials on the fake Facebook page. The details entered in the fields are logged and then used by the people behind the operation for various purposes; email accounts may be used to send spam to the victim’s contacts, for example. Leading users to the actual Facebook page after they have entered their account information is a trick to prevent them from discovering the theft.
Facebook, along with many other popular social networking sites, is being targeted for fraud in addition to various malware infection tactics. It would be even more secure if it integrated freely available blacklists of malicious and phishing sites (such as Google’s Safe Browsing Diagnostic, SiteAdvisor and PhishTank) and implemented some form of URL shortening that highlights the original domain, in order to expose a phishing email.
A new tool that can steal users’ authentication credentials makes websites used for email, banking, e-commerce and other sensitive applications less secure, even when credentials are sent through supposedly secure channels.
The toolkit, named CookieMonster, is used in a variety of man-in-the-middle scenarios to trick a victim’s browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user’s browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.
The vulnerability stems from website developers’ failure to designate authentication cookies as secure. On such websites, web browsers are free to send those cookies over an insecure HTTP channel, and that is what CookieMonster causes browsers to do. It does this by caching all DNS responses and then monitoring for hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure non-HTTPS portions of the protected website, which makes the browser send the authentication cookie.
CookieMonster is currently in the hands of only about 225 security professionals. In the next couple of weeks, the tool will become generally available. According to Mike Perry, the creator of CookieMonster, websites that appear to be vulnerable to the attack include united.com, bankofamerica.com, register.com, netflix.com, and a host of other big-name online destinations. Errata Security’s Rob Graham, who introduced Sidejacking tools a little more than a year ago, says Gmail is not vulnerable as long as a recently implemented https-only option is turned on. But Google Docs, Google’s Blogger.com and Google Finance remain wide open.
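The defect the article describes is a missing Secure attribute on an authentication cookie, which a site operator can check for in its own Set-Cookie headers. The following Python is an added example, not code from the original article or from the CookieMonster tool: it parses Set-Cookie header values, reports authentication cookies that lack the Secure attribute, and shows the corrected header. The sample headers, cookie names and the name fragments used to spot authentication cookies are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the missing Secure attribute
# described above, and show the hardened form. The sample headers below are
# constructed for illustration, not captured from any real site.
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    httponly: bool
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value, flags and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs, flags = {}, set()
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        if sep:
            attrs[key] = val.strip()      # attributes with a value, e.g. Path=/
        else:
            flags.add(key)                # valueless attributes: Secure, HttpOnly
    return Cookie(name.strip(), value.strip(), "secure" in flags, "httponly" in flags, attrs)


# Hypothetical name fragments used to pick out authentication cookies (assumption).
AUTH_HINTS = ("sess", "auth", "token", "sid", "login")


def is_auth_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in AUTH_HINTS)


def audit(headers: list[str]) -> list[tuple[str, str]]:
    """Return (cookie name, finding) pairs for auth cookies that lack Secure."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_auth_cookie(cookie.name) and not cookie.secure:
            findings.append((cookie.name,
                             "no Secure attribute: the browser will also send it over plain HTTP"))
    return findings


def harden(header: str) -> str:
    """Append Secure (and HttpOnly) to a Set-Cookie value when they are missing."""
    cookie = parse_set_cookie(header)
    fixed = header.rstrip().rstrip(";")
    if not cookie.secure:
        fixed += "; Secure"
    if not cookie.httponly:
        fixed += "; HttpOnly"
    return fixed


# Constructed sample Set-Cookie values: one exposed auth cookie, one correctly
# flagged, and one non-auth cookie that the audit leaves alone.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",           # missing Secure: exposed
    "AUTHTOKEN=def456; Path=/; Secure; HttpOnly",   # correctly flagged
    "theme=dark; Path=/",                            # not an auth cookie
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
    print("hardened:", harden(SAMPLE_HEADERS[0]))
```

Run against a site's real response headers, the audit lists every session cookie a browser would still send over HTTP; the hardened header is what the server should have emitted in the first place.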
More details about the tool can be found here.
German anti-fascist hackers have broken into the secure forum server of one of the world’s largest neo-Nazi groups, Blood & Honour, and copied more than 30,000 pieces of data. Members of Daten-Antifa managed to break the access codes of the forum last week. They copied roughly 800MB of data, including information that was only available to members.
Blood & Honour, founded back in 1987 in the UK by Ian Stuart Donaldson, leader of the notorious skinhead band Skrewdriver, has been banned in Germany since 2000. The Spanish division was closed in 2005 after the arrest of many of its main leaders.
In a statement the hackers said that the databases of the server were accessed in a “laboriously prepared cloak-and-dagger operation” which involved a “house search”.
The data, published online as a 7-Zip archive, includes the IP addresses of 31,948 registered users and information about close to 1,200 German neo-Nazis.
German authorities had previously suspected B&H was used by members of the German neo-Nazi scene. “Some people in the far-right extremist scene are going to get very nervous,” Günther Hoffmann from the Center for Democratic Culture told the Frankfurter Rundschau.
Since the data was gathered illegally, police may not be able to do anything with the information from the hacked forum.
The data was uploaded to free file hosting service providers (rapidshare and megaupload) and is currently available for free download at http://de.indymedia.org/2008/08/225641.shtml. Torrents are also available. The page also contains information about the software used for zipping, 7zip.
Prince William County Public Schools (PWCS) recently learned that certain personal information relating to a small group of students, staff, and volunteers was inadvertently exposed to the public through the Internet for a period of approximately five weeks this summer. It was determined that a school-based employee, while working on school business from home on a personal computer, inadvertently exposed certain PWCS information to the public through a file-sharing program.
The data, which do not appear to have been compromised, were immediately secured and a number of steps have been taken to address the matter, including the creation of a special telephone “hotline” and paying for individuals’ credit protection.
The exposed student information was limited to students who attend, have attended, or have applied to Porter Traditional School since its opening in 2004; a small number of students who attended Montclair Elementary School for several years prior to the 2004-05 school year; a limited number of parent volunteers at Porter Traditional School, and a select number of School Division employees.
An investigation conducted by PWCS has revealed that the student data included names, addresses, and/or student identification numbers for 1625 students associated with Porter Traditional School and Montclair Elementary School. The names and social security numbers of 65 employees were exposed, as well as other confidential information for 257 Division employees. The names, addresses, and email addresses of 736 volunteers at Porter Traditional School were also exposed.
Immediately upon learning of the exposure of confidential School Division data, PWCS secured the information and commenced an investigation to determine the scope and duration of this exposure. To date, the School Division’s investigation has produced no evidence that this information was compromised during this period.
The School Division has contacted all appropriate authorities and credit monitoring companies, and will also provide a credit monitoring service at no charge to the employees whose social security numbers were exposed.
Should any of these individuals have questions regarding the specific nature of any exposed information relating to them, they are asked to contact the special PWCS call center using the telephone “hotline” that has been set up to answer questions from those employees, parents, and volunteers who have received a letter. The number is 703.791.8157; calls should be made between 9 a.m. and 3:30 p.m., Monday through Friday. Questions can also be emailed to pwcsie@pwcs.edu.
Taiwan’s Criminal Investigation Bureau (CIB) has successfully tracked down and arrested six people in what the CIB believes to be the biggest personal data breach in Taiwan to date. Apparently, the group also managed to obtain personal data on Taiwan’s current and former presidents.
The suspects are believed to have stolen more than 50 million records of personal data, including information about President Ma Ying-jeou, his predecessor Chen Shui-bian and police chief Wang Cho-chiun, the official said. They then offered to sell the information for 300 Taiwan dollars (US$10) per entry, he said.
The hackers, based in Taiwan and China, also swindled victims out of millions of Taiwan dollars through their online bank accounts, he said. They will face up to five years in prison on charges of hacking and fraud.
An official at Taiwan’s Criminal Investigation Bureau said the hackers had tapped into data held by government agencies, state-run firms, telecom companies and a television shopping network. He called it the biggest hacking operation of its kind in Taiwan.
The announcement comes a week after China detected a sophisticated fake diploma scheme, where ten government databases were compromised.
A criminal gang has stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds. On Thursday night, an unknown hacker, possibly Indian, successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.
The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007. With eight million people staying in the hotel group’s 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center’s reports that the average victim of internet crime loses £356, they are sitting on a potential haul of at least £2.84bn.
Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment. It seems that the hacker from India succeeded in bypassing the system’s security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.
The stolen login details were then put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime and offers heavily guarded and untraceable hosting services with no questions asked for criminal activity. Once the information was online, experts estimate that it would take less than an hour to write and run software capable of harvesting every record on Best Western’s European reservation system.
Although the security breach was closed on Friday, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies. There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that’s been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there’s enough data there to spark a major European crime wave. Armed with the numbers and expiry dates of customers’ credit cards, fraudsters are equipped to make multiple high-value purchases in their victims’ names before selling on the goods.
The stolen data might also be used by professional organised criminal gangs which specialise in identity theft to apply for loans, cards and credit agreements in the victims’ names. Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell “burglary packs”, giving the home addresses of local victims and the dates on which they are expected to be away from their home.
Best Western Hotels closed the breach at around 2pm on Friday afternoon. Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action. The investigation also includes the third-party website that has allegedly facilitated this illegal exchange of information.
Concerned clients are advised to contact Best Western customer service at 0800 528-1238.
Credit: Sunday Herald
Update (August 29): Best Western rejected claims that it had suffered a massive compromise of customer details. Best Western confirmed on Tuesday that it had suffered a breach at one of its German hotels, but denied Sunday Herald claims that every customer using Best Western European hotels since 2007 had had their booking details compromised.
“We can confirm that on 21 August, 2008, three separate attempts were made via a single logon ID to access the same data from a single hotel,” said Best Western in a statement. “The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s antivirus software.”
Best Western insisted that the compromised login ID only permitted access to reservations data for the Berlin hotel. Moreover, Best Western said the login ID was immediately terminated, and the computer in question had been removed from use.
While the Sunday Herald estimated that eight million people had been affected by the hack, Best Western claimed that only 10 customers had been affected. Moreover, Best Western said that it “purges reservations data within seven days of guest departure, thereby limiting potential data exposure”. The company added that it was working with the FBI and international authorities to investigate the incident further.
Chief strategy officer for security firm StillSecure and security consultant Alan Shimel woke on Sunday morning to discover that his personal blog, which is frequently visited by readers and press, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and published sensitive documents he filed with the Internal Revenue Service. The attackers also sent crude pornographic images to parents on the Little League baseball team Shimel coached.
Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. Logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.
Security researchers have always been targets of computer and internet-based attacks; that is nothing new. But the recent rash of attacks, which coincided with this year’s Black Hat and Defcon conferences in Las Vegas, is getting more attention in the security world than previous ones.
“You can immediately see how emotional this is,” said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. “People are generally worried. You’re always worried you made some stupid mistake.”
Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago.
Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account. “It’s going to make me be a bit more vigilant,” he said. “I don’t think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure.”
What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than in exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.
Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw. Some posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, which for more than a year generated OpenSSL keys that are trivial to crack. Once the keys are broken, encrypted sessions, even those from years ago, can be decrypted.
Others guess that the miscreants gained entry through the victims’ blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at time of writing) was also used to unlock his Yahoo Mail account.
Credit: Dan Goodin, The Register.
Drivers in Virginia and Washington, D.C. whose driver’s licenses have their Social Security numbers and who got traffic tickets in Maryland will find those numbers and other personal information on a Maryland state Web site. Maryland has never used Social Security numbers when issuing driver’s licenses, but Virginia and the District have.
Traffic citations are listed in Maryland’s court records, which the state makes publicly accessible online. The traffic citation records show a person’s full name, address, sex, height, weight, birth date and driver’s license number, which is sometimes the same as the driver’s Social Security number. Currently, a quick search for a popular name on the state’s Judiciary Case Search Web site will instantly pull up thousands of records spanning more than 30 years.
Virginia ended the practice in July 2003, although drivers were able to keep their old licenses until they expired, which in some cases was not until this year. Washington began offering drivers the option of having random numbers on their driver’s licenses instead of their Social Security numbers in 2001. Washington stopped issuing licenses with Social Security numbers on them altogether after federal regulations banned the practice in 2004.
The problem remains since Maryland’s court records date back decades, and drivers from D.C., Virginia or any state that once used Social Security numbers on licenses will find their Social Security numbers online today if they received Maryland tickets during that time.
A spokesman for the Maryland courts system was not immediately able to determine whether the number could be removed from the public record at the person’s request. People who find their Social Security numbers listed on the Web site should immediately place a fraud alert with one of the three major credit bureaus, which can be done at no charge.
More than 120 workers at a Los Angeles hospital looked at celebrities’ medical records and other personal information without permission between January 2004 and June 2006, nearly double the number initially reported earlier this year, according to a state report.
Even after UCLA Medical Center warned employees about severe measures against unauthorized access to medical records, the privacy of a “well-known individual” was breached by two nurses and an emergency room technician who called up the patient’s computerized records in mid-April, according to a critical state report released Monday.
The California Department of Public Health also found that nearly twice as many medical center employees as had previously been reported peeked at confidential medical records at UCLA. Nearly 60 additional employees gained improper access to records between January 2004 and June 2006, the report said, bringing the total number of workers implicated in the growing scandal to 127.
Monday’s report was the fifth by the public health agency following articles in The Times this year about UCLA employees’ prying into the records of celebrities and prominent patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears. After the April violations, the report said, one nurse was fired and the two other employees received warnings.
State regulators continue to fault the hospital for failure to take adequate steps to maintain patient confidentiality. The latest findings detail how one employee — a former administrative specialist who faces federal criminal charges for violating Fawcett’s privacy — looked at the records of 939 patients “without any legitimate reason” from April 2003 to May 2007.
The hospital has proposed firing seven employees, suspending six for two to three weeks each and giving verbal or written warnings to eight others; three remain under investigation.
Under proposed state legislation being carried by Sen. Elaine Alquist (D-Santa Clara) and Assemblyman Dave Jones (D-Sacramento), healthcare workers who unlawfully view patient records would be fined from $1,000 to $250,000, depending on the seriousness of the violation. Hospitals and other health facilities would face fines of $25,000 to $250,000 for similar violations.
The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants. The breach occurred over a two-year period through July. Countrywide detected the breach and alerted federal authorities, according to Suzy Martin, a spokeswoman for the company.
The insider was identified as Rene L. Rebollo Jr., 36, who had worked as a senior financial analyst at Full Spectrum Lending, Countrywide’s subprime lending division. He was arrested at his home in Pasadena and charged with unauthorized access to a financial institution’s computers. Authorities also arrested Wahid Siddiqi, 25, at his home in Thousand Oaks. Authorities alleged that he was a reseller of Countrywide data.
Rebollo appeared in court Friday afternoon and was released on $80,000 bond. Siddiqi was being held on a fraud charge pending a court appearance Monday. The FBI said Rebollo had voluntarily described the scheme. Rebollo said he would charge $400 or $500 for batches of thousands of “leads” — personal and account information that presumably would help outside loan agents solicit new mortgages from the Countrywide applicants, some of whom had been denied loans by the Calabasas company.
Prosecutors suspect the data was eventually sold to companies that would then try to make other loans to the Countrywide customers, said Thom Mrozek, a spokesman for the U.S. attorney’s office. Authorities said they didn’t know whether any of the information had been used for outright fraud, such as identity theft.
Rebollo would copy information on about 20,000 customers at a time on Sunday nights by using a Full Spectrum computer that did not have the same security features that other machines in the office had, according to the affidavit by FBI Special Agent Richard P. Ryan. At that rate, the U.S. attorney’s office said, Rebollo would have compromised up to 2 million customer profiles for about 2.5 cents each — an astonishingly small amount considering the importance of the material.
Mortgage leads are among the most expensive for sale because of the potential payoffs to intermediaries when loans are made. Social Security numbers alone generally fetch dollars, not pennies, since they can be used to open new bank accounts.
A criminal complaint against Rebollo said that he earned about $65,000 a year at Countrywide and had opened a personal bank account for holding what he estimated to be up to $70,000 in proceeds from Countrywide data sales.
The complaint said Siddiqi sold computer discs containing data on Countrywide customers to a witness working for the FBI, taking in $4,000 for about 38,000 customer profiles.
Countrywide spokeswoman Susan Martin said 19,000 customers had so far been identified as having their identities compromised.
Victims were being contacted by mail and would be offered free credit monitoring services for two years, Countrywide Communications Vice President Susan Martin said. A special hotline was set up at (800) 669-6607.