Security researchers from Armorize warn that attackers have managed to inject visitor-infecting code into the popular soccer news website goal.com. The rogue iframe has been inserted, probably through SQL injection techniques, into multiple goal.com pages, including the main English one.
“From what we’ve collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com’s content,” the researchers write.
Furthermore, they believe the attacker was only testing his exploits which led to the compromise being picked up by the company’s automated scanners.
If this is true, it would be very odd behavior, given that goal.com is a pretty high-profile target to waste on simple tests. The website has over 200,000 unique visitors per day and ranks 379 on Alexa. The pool of potential victims is very varied because it covers over 200 countries with content in 22 languages.
The injected iframe takes visitors through a series of redirects meant to determine the version of their browser, OS and other software.
The results influence which exploits are loaded. In this drive-by download attack, the cyber criminals are using a known exploit toolkit called g01pack. An interesting feature of this pack is a fake admin/stats page intentionally protected with weak or default passwords to throw researchers off.
During their supposed testing, the attackers behind this compromise used exploits for Java (CVE-2010-1423), Windows (CVE-2010-1885, CVE-2006-0003) and Adobe Reader (CVE-2009-0927).
According to the Armorize analysts, the exploit code was “mutated,” a detection evasion technique used in addition to the regular obfuscation.
Fortunately, most domains involved in the attack were blacklisted by Google’s Safe Browsing service, which means that Firefox and Chrome users are protected. However, the AV detection rate for the installed malware remains pretty low (37%) at the time of writing this article.
Credit: Softpedia.com News
The website of the European Space Agency (ESA) has been hacked into, and a list of FTP accounts, as well as email addresses and passwords for administrators and editors, has been leaked. The www.esa.int Web server was compromised by a well-known Romanian grey hat hacker who uses the online moniker TinKode.
The hacker posted details of the compromise on his blog in full disclosure style. However, the method he used was not revealed. The published data includes FTP accounts for a range of ESA subsites with passwords in clear text. A list of database users with hashed passwords was also disclosed, together with the SHA1-hashed server root password.
The site administrator and editor credentials were exposed in plain text, as well as email addresses and passwords corresponding to website user accounts. The passwords are in readable form, but TinKode took the measure of partially hiding them before publishing. There is also a list of associated proxy user names and passwords.
At the time of writing this article the www.esa.int website remains online, so it is not clear whether the agency was alerted to the compromise in advance or not. TinKode is known for exposing vulnerabilities in high-profile websites, the latest of which was an SQL injection in MySQL.com.
His past targets include Sun Microsystems (now Oracle), the Royal Navy, the U.S. Army and Kaspersky Portugal. ESA is not even TinKode’s first space agency, the hacker having previously compromised several NASA websites.
His full disclosure style can sometimes lead to abuse. For example, an XSS vulnerability he revealed in YouTube’s commenting system went on to be exploited by 4chan users to harass Justin Bieber fans.
Credit: Softpedia.com News
Hackers have compromised the database of MySQL.com, as well as the French, German, Italian, Japanese and other localized versions of the website, ironically by exploiting an SQL injection vulnerability.
A hacker took credit for the compromise by reporting it on the popular Full Disclosure mailing list. The report included information about the vulnerable parameter, a list of tables from several databases and a list of database users with hashed passwords.
Soon afterwards, another hacker published a more complete report on his blog, claiming that it was he and a friend who had discovered the vulnerability a few months earlier and that it wasn’t supposed to be made public. As proof of his claim he links to a previously private thread on Team Insecurity Romania’s (ISR) forum, where the vulnerability had been discussed since January 3, 2011. The disclosure also includes more information, such as cracked passwords for some database and blog accounts, including that of Robin Schumacher, MySQL’s director of product management.
Mr. Schumacher’s blog password is made up of only four digits, which is why cracking it from the hash was trivial. The password of Kaj Arnö, the former vice president of the MySQL Community in the Database Group at Sun Microsystems, was also disclosed.
The incident proves just how common these vulnerabilities are. If the creators of MySQL, the most widely used database engine in the world, can’t secure their own website against SQL injection attacks, what reasonable expectation of security can one have from websites that aren’t run by experts?
It’s worth pointing out that SQL injection is a very dangerous attack vector. Unlike cross-site scripting, which can be used to inject rogue code into pages, SQLi vulnerabilities can also be exploited to extract sensitive data like private customer information from databases.
Credit: Softpedia.com News
Security vendor Imperva warns that hackers are selling access to hacked websites and servers that belong to government, military and educational institutions. The company provides a screenshot of a list of compromised websites as advertised by the hacker, which contains information such as the level of access, the owner, traffic and price.
For example, one of the most expensive items is MySQL root access and high value information from www.scguard.army.mil, the website of the South Carolina National Guard. It costs $499. For the same price, one could acquire root access to the U.S. Army Communications-Electronic Command Web server (cecom.army.mil) or control of the admin panel for the General Staff of the Albanian Army (gs.mil.al) website. Root access to the Department of Defense Pharmacoeconomic Center Web server (www.pec.ha.osd.mil) is $100 cheaper.
Even though they are visited by several hundred thousand users, unauthorized access to compromised local government sites is not that expensive. Access to Utah.gov and Michigan.gov costs $99 and $55 respectively. Full control of the University of South Carolina Beaufort website can be bought for $88, and control over .edu sites from other countries comes at similar prices.
But this hacker doesn’t only offer access to already compromised sites and Web servers. He can also be hired to hack them on request.
Gaining access to a “normal” website costs just $9.99, while the price for a high profile one varies depending on the target.
Even more worryingly, information extracted from the hacked sites is also put up for sale. Databases containing the names, emails, addresses, phone numbers and fax details cost just $20 per 1,000 records.
According to a discussion about the legitimacy of this seller on a known hacking forum, users seem to agree that he is not a scammer.
However, one fellow hacker holding a grudge has exposed all the URLs of the SQL injection vulnerabilities he exploited to compromise those sites and servers. So now, not only is access to these sites available for purchase on a Google-indexed page, but the method of getting it for free is also available to those with the know-how.
Some of the sites on the hacker’s list have been taken offline since Imperva’s report came out. This suggests that owners are working to fix the problems.
Credit: Softpedia.com News
CitySights NY, a company organizing sightseeing tours in New York, notified 110,000 former customers that their credit card details were compromised after unidentified individuals hacked its website.
In a letter to the New Hampshire Attorney General’s Office, Twin America, CitySights’ parent company, revealed that the security breach was the result of an SQL injection attack.
The intrusion occurred on September 26, when hackers exploited an SQLi weakness to upload a backdoor script to its Web server. The company learned of the compromise on October 25, when a Web programmer spotted the unauthorized code and alerted his superiors.
Twin America notified the FBI and contracted outside experts to investigate the extent of the breach. It was determined that attackers obtained access to the customer database.
Compromised information includes customer names, addresses, emails, as well as credit card numbers, expiration dates and CVV2 security codes. Social Security or drivers’ license numbers were not exposed.
The company is offering all affected individuals a one-year free subscription to credit monitoring and theft insurance services from Experian. A 50% discount coupon for one of its tours was also sent along with the notification letter.
Following the breach, Twin America strengthened the security of its infrastructure. Measures taken include changing all administrative passwords and increasing their complexity, restricting access to the server’s admin panel to a limited number of IP addresses, identifying and fixing scripting vulnerabilities, installing a Web application firewall and having an independent penetration test done.
Even though free credit monitoring services are available, we advise affected customers to cancel their credit cards and obtain new ones. Recent reports suggest that cybercriminals can wait over a year before abusing stolen financial information, precisely because they know people monitor their statements following a breach.
Credit: Softpedia.com News
Savannah, the collaborative development platform maintained by the Free Software Foundation, was taken offline earlier this week after unknown attackers exploited an SQL injection vulnerability to compromise accounts.
Savannah runs on Savane2, open source software forked from the original SourceForge code after that system changed its licensing and went proprietary. The platform has grown to offer support for the CVS, Subversion, Git, Mercurial, GNU arch and Bazaar revision control systems, a bug tracker and mailing lists.
An announcement posted Monday on the savannah.gnu.org website informed users that the repository was compromised and that work was underway to restore it from an older backup. Apparently the attackers used a method known as SQL injection, which exploits insufficient input validation in order to run arbitrary queries against the underlying database.
In this case, it was used to extract password hashes corresponding to accounts on the system. It also seems that these hashes were not sufficiently strong, as the hackers managed to crack them via brute-force.
Savannah admins initially restored the system from a backup made on the 23rd of November and re-enabled write access to the repositories so that project admins could recommit their changes.
However, the procedure was suspended yesterday after traces of the attack were also found for the 23rd. The plan then switched to restoring everything from a backup made on the 22nd.
Read-only SQL injection attacks dating back to January were also discovered; however, they did not result in account compromises. “After fishing through logs, it appears that there was no other account cracking,” the team announced today.
Other actions taken so far as a result of this incident include resetting account passwords and fixing the SQL injection vulnerability. The code was also audited and no other similar flaws were found.
However, before the Web interface is brought back up, Savannah administrators plan to implement better hashing with crypt-md5 or crypt-sha2 and to enforce the use of stronger passwords.
Credit: Softpedia.com News
Visitors to Amnesty International’s Hong Kong website are being bombarded with a host of lethal exploits, including one that attacks an unpatched vulnerability in Microsoft’s Internet Explorer browser, researchers at security firm Websense said.
The injected IE attack code resides directly on the pages of amnesty.org.hk, an indication that the perpetrators were able to penetrate deep into the website’s security defenses. The code exploits a vulnerability disclosed last week that gives attackers complete control over machines running default versions of IE 6 and 7. Version 8 isn’t vulnerable, thanks to security protections built into the browser.
It’s the second report in a week that the previously unknown vulnerability is being actively exploited to install malware on IE users’ machines. Last week, antivirus firm Symantec warned that an undisclosed website had been compromised so that it was laced with code that targeted the flaw.
The attackers then sent emails that lured a select group of people in targeted organizations to the booby-trapped page, causing those who used IE versions 6 and 7 to be infected with a backdoor trojan.
The underlying security bug resides in the part of IE that handles CSS, or Cascading Style Sheet, tags. As a result, the browser under-allocates memory, allowing vtable pointers in memory to be overwritten. By spraying memory with specially crafted data, an attacker can cause IE to execute code.
A security protection known as DEP, short for data execution prevention, prevents the attack from working. DEP is turned on by default in IE 8. Microsoft has advised those who must use IE 6 and 7 to use a security tool known as EMET to add DEP to those earlier versions.
Not that Microsoft or Amnesty International should be singled out. Last month, a zero-day vulnerability in Mozilla Firefox was exploited on the Nobel Peace Prize website.
The Amnesty International website is serving a variety of other exploits that attack previously patched vulnerabilities in Apple’s QuickTime media player, and Adobe’s Flash and Shockwave players.
Credit: The Register
Members of the Anonymous collective have hacked copyprotected.com, a website run by the Motion Picture Association of America (MPAA) to provide information about the copy protection awareness icon.
The “Copy Protection Awareness Icon” was launched by the MPAA back in 2005 and, according to the association, “is used on certain DVD and Blu-ray discs to remind consumers that their purchased disc contains copy control technologies that prevent unauthorized copying of content.”
The copyprotected.com website normally serves as an information portal, but earlier today it began displaying the logo of The Pirate Bay (TPB) with the caption “Operation: Payback”. That is the name the notorious hacktivist group Anonymous uses for its ongoing distributed denial of service (DDoS) campaign against the recording and film industries.
In addition, the hacked copyprotected.com website displays the group’s Operation Payback manifesto, originally published on tieve.tk. After a few seconds the page redirects visitors to thepiratebay.org. However, the torrent site’s administrators have previously denied involvement in Anonymous activities.
The group uses TPB’s logo and name, because Operation Payback is a response to DDoS attacks launched against torrent trackers by Aiplex Software, a company working for film studios.
Anonymous claims to be a spontaneous movement with no leaders, but there is a core group of people in charge of choosing targets and organizing the attacks.
It’s not clear whether this defacement was sanctioned by these senior members or was the result of others acting on their own, especially since the method differs from the group’s modus operandi so far.
Operation Payback has been running for almost a month and consisted of daily DDoS attacks against numerous websites belonging to organizations involved in anti-piracy efforts.
“You are forcing our hand by ignoring the voice of the people. In doing so, you bring the destruction of your iron grip on information ever closer. You have ignored the people, attacked the people and lied to the people. For this, you will be held accountable before the people, and you will be punished by them,” the Anonymous manifesto reads.
Credit: Softpedia.com News
Several websites from the TechCrunch Network, including TechCrunch Europe, MobileCrunch and CrunchGear, fell victim to a code injection attack which served malware to visitors. Founded in 2005, TechCrunch is one of the most popular technology blogs on the Internet. Since then it has evolved into a network of websites operated by the same organization.
Yesterday users started receiving malware warnings from their browsers and antivirus programs when accessing several of these sites.
TechCrunch Europe confirmed the problems on eu.techcrunch.com via its Twitter feed. “We’re aware of the (annoying) malware warning about the @TCEurope site, thanks everyone. Trying to fix ASAP,” the announcement read.
The warnings were caused by malicious JavaScript code injected into the website’s pages, which was loading an exploit kit hosted on an external domain. The exploits tried to infect visitors with a version of the Zbot trojan, which is commonly used by cybercriminals to steal online banking credentials, credit card details and other sensitive information.
In addition to TechCrunch Europe, MobileCrunch (mobilecrunch.com) and CrunchGear (crunchgear.com) were also affected. The compromises were part of a larger mass injection attack targeting sites hosted at RackSpace.
The corresponding Google Safe Browsing diagnostic pages reveal that all three websites were hosting suspicious content yesterday.
TechCrunch uses WordPress as a platform across its network, but the same infection was reported on sites running Drupal, pointing to a problem within the hosting environment and not the Web applications themselves.
“Ideally TechCrunch will post a message on its site (on the TechCrunch Europe site, at least) informing users about the incident and advising that they check their PCs with an up-to-date anti-virus.
“I don’t see any message to that effect yet on that site – but I’m hopeful,” Graham Cluley, senior technology consultant at Sophos, commented.
Credit: Softpedia.com News
Security researchers warn of a new mass injection attack affecting websites hosted at Rackspace and Media Temple. The compromises result in rogue JavaScript code being added to legitimate .js files used by the affected websites.
The new attack was reported by Denis Sinegubko, the creator of the Unmask Parasites website scanner. “Right before this week-end I noticed an increased number of sites hosted on MediaTemple and RackSpace coming to Unmask Parasites with the same problem — their sites are blocked by Google and their diagnostic pages mention the following five domains: ‘myads .name’, ‘adsnet .biz’, ‘toolbarcom .org’, ‘mybar .us’, ‘freead .name’,” the Web security expert notes.
What’s rather unusual about this attack is that the malicious code is not necessarily inserted into the .html files or .php scripts. In fact, this is hardly the case. Instead, the attackers add the rogue code to static .js files that already exist on the server.
Another noteworthy aspect of these injections is that the malicious JavaScript snippet is not added on new lines in the tainted files. It is actually prepended to the first line of the document, making automatic removal a bit harder, since removing the entire line would also break the legitimate code. According to Sinegubko, automatic cleaning scripts should not remove anything after “this.O=58441;var gr0=0;”.
The rogue JavaScript first checks whether the visitor is a search engine crawler or a real user. The malicious payload will not be served to search engine bots. Real visitors will also only be targeted once, after which a cookie is set in their browser preventing them from being attacked again. There is obviously no point in trying to re-infect a user who has already been infected or on whose computer the exploit failed.
The attackers serve the payload from multiple websites, most likely for redundancy and to make filtering harder. The rogue code calculates a URL and loads the malicious content from it. Sinegubko explains that there are 5 domains and 36 subdomain variations for each. That means 180 possible malicious URLs.
Websites hosted at both companies have been targeted in mass injection attacks before. However, their security staff haven’t found any particular vulnerability being exploited or any security hole in their own infrastructure. The Unmask Parasites creator suggests that this might be related to overly generous file permissions. He suggests changing the permissions of static content files like .js, which hardly ever get modified, to 444 or even 400 if the Web app doesn’t need to change them either.
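The two defensive points above, cleaning only the prepended prefix of the first line and tightening permissions on static .js files, as an added example that is not code from the article, Unmask Parasites or either hosting company. It assumes, as the article’s wording suggests, that the quoted marker “this.O=58441;var gr0=0;” closes the injected snippet and that the site’s own code follows it on the same line; the sample files are constructed.

```python
"""Scanner/cleaner for a first-line .js injection (added example).

Assumptions: MARKER is the string the article quotes as the end of the injected
snippet; everything before and including it on the first line is treated as
injected, everything after it is kept. Sample content below is constructed."""
import os
import stat
import tempfile

MARKER = "this.O=58441;var gr0=0;"


def clean_first_line(content: str) -> tuple[str, bool]:
    """Return (cleaned, infected). Only the first line is inspected, and only
    the text up to and including MARKER is removed, so legitimate code that
    shares that line survives (deleting the whole line would break it)."""
    head, sep, rest = content.partition("\n")
    idx = head.find(MARKER)
    if idx == -1:
        return content, False
    return head[idx + len(MARKER):] + sep + rest, True


def group_or_world_writable(path: str) -> bool:
    """True if group or others may modify the file, i.e. the over-generous
    permissions the article suspects; modes 444 and 400 clear these bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_tree(root: str, fix: bool = False) -> dict:
    """Walk root, report tainted and loosely permissioned .js files, and when
    fix=True rewrite the cleaned content and chmod the file to 444."""
    report = {"infected": [], "writable": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            cleaned, infected = clean_first_line(content)
            if infected:
                report["infected"].append(path)
                if fix:  # write before chmod, since 444 would block the write
                    with open(path, "w", encoding="utf-8") as fh:
                        fh.write(cleaned)
            if group_or_world_writable(path):
                report["writable"].append(path)
                if fix:
                    os.chmod(path, 0o444)
    return report


def demo() -> dict:
    """Constructed mini site: one tainted, group/world-writable file and one
    clean file; scan with fix=True and return the report plus the results."""
    root = tempfile.mkdtemp()
    tainted = os.path.join(root, "jquery.min.js")
    with open(tainted, "w", encoding="utf-8") as fh:
        fh.write("var gr1=1;" + MARKER + "(function(){var legit=1;})();\n")
    os.chmod(tainted, 0o666)
    clean = os.path.join(root, "site.js")
    with open(clean, "w", encoding="utf-8") as fh:
        fh.write("document.title='ok';\n")
    os.chmod(clean, 0o644)
    report = scan_tree(root, fix=True)
    with open(tainted, encoding="utf-8") as fh:
        report["tainted_after"] = fh.read()
    report["mode_after"] = oct(stat.S_IMODE(os.stat(tainted).st_mode))
    return report
```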
Credit: Softpedia.com News