People flocked to Google Wednesday evening to figure out what was happening with the UltraDNS service, which suffered a DDoS attack at the height of the last-minute shopping season.
An attack directed at the DNS provider for some of the Internet’s larger e-commerce companies–including Amazon, Wal-Mart, and Expedia–took several Internet shopping sites offline Wednesday evening, two days before Christmas.
Neustar, the company that provides DNS services under the UltraDNS brand name, confirmed an attack took place Wednesday afternoon, taking out sites or rendering them extremely sluggish for about an hour. A representative who answered the customer support line said the attacks were directed against Neustar facilities in Palo Alto and San Jose, Calif., and Allen Goldberg, vice president of corporate communications for Neustar, confirmed that at about 4:45 p.m. PST, “our alarms went off.”
Goldberg said the company received a disproportionately high number of queries coming into the system, and analyzed it as an attack. Neustar deployed “a mitigation response” within minutes of the attack, he said, and brought matters under control within an hour. The response limited the problems to Northern California, he said.
In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon’s S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon’s lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.
For a brief period Wednesday evening, “ultradns” was the top search term on Google, likely as frantic technicians at Web sites attempted to figure out what was going on with their sites.
Web sites need DNS providers to translate the human-readable domain names in URLs into the IP addresses that Web servers actually use on the Internet. When a DNS provider is flooded with malicious queries, its servers can overload and stop answering legitimate users, who are then unable to reach the sites they requested.
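Neustar's account of the incident (a disproportionately high number of queries arriving, recognised as an attack within minutes) is the kind of signal an operator watches for in authoritative query logs. The following is an added example, not code from the article or from Neustar/UltraDNS: a per-minute query-rate check that compares each minute against the minutes before it and reports how distributed the offending traffic is. The log format, hostnames, addresses and thresholds are constructed assumptions for the demo.

```python
"""Query-rate spike detection over authoritative DNS query logs.

Added example, not code from the original article or from Neustar/UltraDNS:
a baseline-versus-current-minute check of the kind an operator might run
over query logs to raise an alarm when inbound query volume jumps far above
normal. The log format, hostnames and addresses are constructed for the demo.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def make_sample_log():
    """Return constructed log lines: "<ISO timestamp> <client_ip> <qname> <qtype>".

    Minutes 16:40-16:44 carry four ordinary queries each; 16:45 carries a
    flood of queries for random-looking labels from many distinct sources,
    a common shape for a flood aimed at an authoritative server.
    """
    lines = []
    names = ["www.example-shop.com", "img.example-shop.com",
             "api.example-shop.com", "www.example-shop.com"]
    for minute in range(40, 45):
        for i, name in enumerate(names):
            lines.append(f"2009-12-23T16:{minute}:{i * 15:02d} 198.51.100.{i + 1} {name} A")
    for i in range(40):
        lines.append(f"2009-12-23T16:45:{i:02d} 203.0.113.{i + 1} x{i:03d}.example-shop.com A")
    return lines


def parse_line(line):
    """Split one log line; the minute-granularity timestamp is the bucket key."""
    ts, client, qname, qtype = line.split()
    return ts[:16], client, qname, qtype


def detect_query_spike(lines, k=3.0, ratio=5.0, min_history=3):
    """Flag each minute whose query count is both k standard deviations above
    the mean of all earlier minutes and at least `ratio` times that mean.

    The ratio guard matters when the baseline is flat (stdev 0), where the
    z-score test alone would flag any increase at all.
    """
    per_minute = defaultdict(list)
    for line in lines:
        minute, client, qname, _ = parse_line(line)
        per_minute[minute].append((client, qname))

    minutes = sorted(per_minute)
    alerts = []
    for idx, minute in enumerate(minutes):
        history = [len(per_minute[m]) for m in minutes[:idx]]
        if len(history) < min_history:
            continue
        count = len(per_minute[minute])
        base_mean, base_sd = mean(history), pstdev(history)
        if count > base_mean + k * base_sd and count >= ratio * base_mean:
            clients = Counter(c for c, _ in per_minute[minute])
            qnames = Counter(q for _, q in per_minute[minute])
            alerts.append({
                "minute": minute,
                "queries": count,
                "baseline_mean": base_mean,
                "distinct_clients": len(clients),
                "distinct_qnames": len(qnames),
                # Share of the minute's queries from the single busiest source:
                # a low value points to a distributed flood, a high one to a
                # single misbehaving client that rate limiting alone could handle.
                "top_client_share": clients.most_common(1)[0][1] / count,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_query_spike(make_sample_log()):
        print(alert)
```

On the constructed log the check stays quiet for the ordinary minutes and raises one alert for 16:45, showing forty queries from forty distinct sources for forty distinct names; in practice the thresholds would be tuned against the operator's own traffic history rather than the flat baseline used here.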
Amazon’s Web Services Health Dashboard declared an all-clear around 6:40 p.m. PST, saying that DNS resolution had returned to normal. Amazon and several other big sites seemed to recover around 5:40 p.m., but some other sites continued to report problems until around 6 p.m.
Needless to say, the timing of such an outage could not have been much worse, as holiday procrastinators rushed to make sure they could get one-day shipping for gifts to be delivered before Christmas Day on Friday.
UltraDNS suffered a similar attack earlier this year, which took out Amazon, Salesforce.com, and other sites. Goldberg described Wednesday’s attack as smaller than that one, in that it affected fewer customers.
However, Amazon is no small customer. Goldberg declined to comment on specific customers affected by the outage, and said Neustar had not yet determined the source of the attack.
One expert thought the attack might have been more widespread.
“This was wider than just UltraDNS,” said Bill Woodcock, research director at Packet Clearing House, which operates domain name servers and supports Internet exchange points around the globe.
“It’s difficult to tell at this point how much is a DDoS attack and how much is collateral damage from the attack that is being felt in other ways,” like a domino effect, he said. “There were routing problems at some major European exchanges at the same time that caused major Internet service providers’ routers to encounter a higher load and pass fewer packets.”
Credit: CNET News, Webware
Twitter.com was down Thursday evening, and it appears that the microblogging site may have been a victim of DNS hijacking.
The site, which was inaccessible for about an hour starting around 10 p.m. PST, was defaced with the following image before it was taken offline:
The message at the bottom of the image appears to be written in Perso-Arabic script; translated into English, it reads:
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
iRANiAN.CYBER.ARMY@GMAIL.COM
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.
Twitter’s status blog was also inaccessible.
A Twitter update message posted at 11:28 p.m. said the site was “working to recover from an unplanned downtime” and indicated that the incident was indeed a hijacking of Twitter’s DNS records:
Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.
Security has been a thorny issue for Twitter in the past. In January, a hacker hijacked CNN anchor Rick Sanchez’s feed and proclaimed the journalist was “high on crack.” Twitter users have also been the target of a password-stealing phishing scam. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members’ home pages alerting them of the issue.
Certainly, there is a contentious history between Twitter and Iran. In the wake of supposed results of that nation’s presidential election in June, protesters in Iran used Twitter to skirt government filters to report events, express outrage, and get people out to opposition rallies. Twitter even rescheduled some planned downtime in order to stay accessible for Iranian users in the midst of political upheaval at the request of the U.S. Department of State.
Twitter’s blog currently says:
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.
Credit: CNET News
Hackers on Thursday exploited a vulnerability on Ain’t It Cool News (http://aintitcool.com) that redirected anyone visiting the movie review site to a server containing a malicious Adobe Reader file.
The attack targeted a vulnerable PHP script on one of AICN’s servers that automatically appended the malicious link to banner ads served on the site, its publisher, Roland De Noie, said. As a result, anyone visiting the site over a 90-minute period on Thursday morning was silently redirected to speedconnection.cn, which served a malicious file named annonce.pdf.
The booby-trapped PDF, according to an analysis by researchers at Praetorian Prefect, exploited two vulnerabilities in Adobe Reader that the company has already fixed. When the file is opened by unpatched versions of Reader, it launches malicious shellcode that hijacks the machine. Only 12 of the 41 major anti-virus programs currently detect the trojan, according to VirusTotal analysis.
In September, Mozilla found that more than half of Firefox users used insecure versions of Adobe Flash. It wouldn’t be surprising to find a similarly large proportion of the population using out-of-date versions of Reader, too.
“The point of weakness was actually our own ad server,” De Noie said. The unknown attackers “had cracked through a PHP server flaw and appended this link to all the ads.”
AICN has yet to warn its users that they may have been attacked. De Noie said his staff was still collecting information. The attack came as a shock to some AICN readers, many of whom consider themselves enthusiasts of science-fiction, fantasy and horror films.
Credit: The Register
Miscreants took advantage of weak security to hack into two NASA-run websites over the weekend.
The websites of NASA’s Instrument Systems and Technology unit and Software Engineering division were broken into, and screenshots illustrating the hack were posted online. Hackers appear to have taken advantage of SQL injection flaws and poor access controls in mounting the attack, reports Gunter Ollmann, an ex-IBM security expert who is now VP of Research at security firm Damballa.
Obfuscated screenshots from the hack were subsequently posted onto a full disclosure mailing list.
The motives and perpetrators of the attack remain unclear at the time of writing. Messing around with sites run by the space agency is a risky business for hackers, as Gary McKinnon and others have discovered, though whether anything will happen over the latest break-in is unclear.
Credit: The Register
UK-based web host Daily has largely restored services following an apparent hack attack on Thursday that replaced content on some sites it hosts with pictures of cartoon penguins. Every file that included ‘index’ and ‘php’ in the name, including those invisible to Google, was defaced.
The images of Linux penguin Tux parodied the ‘hear/see/speak no evil’ monkeys. Text included on the defacements claimed the hack in the name of ‘Heart_Hunter - TH3_H4TTAB’.
Customers were advised to restore their sites from back-up copies. Daily has begun an investigation into the attack, which bears the hallmarks of a mass defacement. Groups of websites are regularly defaced by TH3_H4TTAB, as defacement archive Zone-H records. In many cases eastern folk music is uploaded onto compromised sites.
A status page on Daily’s status site (http://www.dailystatus.co.uk/) explains: “We have received reports this [Thursday] morning of a small number of customer websites having their index or start page replaced with an image and in some cases text as well.”
The host completed the restore process by 21:00 on Thursday and modified its PHP build as a security precaution. Services were largely restored on Friday, but some may run more slowly than usual because servers were taken offline for an ongoing security investigation, as a status update from Daily explains:
We are confident there will be no repeat events as all servers are locked down.
Some websites (in particular Database driven sites) will be running at slower speeds as we have taken some web servers from our cluster to carry on with our investigations and diagnosis.
Credit: The Register
A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.
According to the hacker, an insecure parameter of a script on the pcd.symantec.com website allows a blind SQL injection attack to be performed. In such an attack, the hacker obtains read and/or write access to the underlying database of the vulnerable website.
During a regular SQL injection attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. In a blind SQL injection, by contrast, the query executes but the website continues to display normally, making it much more difficult to extract information.
The content of the pcd.symantec.com website is written in Japanese and it serves a product called Norton PC Doctor. Accessing most of the website’s sections requires authentication, and in order to exploit the blind SQL vulnerability the hacker had to use a few specialized tools. The Web server appears to be running Windows Server 2000 as its operating system, Microsoft IIS 6.0 with ASP support, and Microsoft SQL Server 2000 as its database back-end.
From the screenshots released by the hacker there are many potentially interesting databases, but the one he chose to look at is called “symantecstore.” One of the tables in this database is named “PaymentInformationInfo” and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName and SecurityIndicator.
For demonstration purposes, the hacker extracted 6 of these entries at random, revealing customer names and login credentials with the passwords stored in plain text, a major security oversight. The hacker also notes that passwords for the accounts in a different table called TB_EMPLOYEE are stored in a similarly insecure way. There are 122,152 entries in the SerialNumber column.
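The two defects the report describes, a query that a crafted parameter can rewrite and a password column kept in plain text, are easiest to see side by side. The following is an added example, not code from the report or from Symantec: a minimal sqlite3-backed login check in which the vulnerable version answers only "logged in" or "not logged in" (the yes/no shape a blind injection relies on), next to a parameterised version that also stores salted PBKDF2 hashes instead of plain-text passwords. Table names, accounts, passwords and the iteration count are constructed assumptions.

```python
"""String-built SQL versus parameterised queries, and hashed password storage.

Added example, not code from the original report or from Symantec: a
minimal sqlite3-backed login check showing how SQL assembled from raw input
lets a crafted username rewrite the statement's logic while the page still
renders normally, the parameterised query that closes the hole, and salted
PBKDF2 storage in place of plain-text passwords. Table names, users,
passwords and the work factor are constructed for the demo.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Return "salt_hex$digest_hex" using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """In-memory database holding the same constructed accounts two ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, password_hash TEXT)")
    for user, pw in [("alice", "correct horse battery"), ("admin", "s3cret")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, pw))  # plain text, as in the report
        conn.execute("INSERT INTO users_hashed VALUES (?, ?)", (user, hash_password(pw)))
    return conn


def login_vulnerable(conn, username, password):
    """Plain-text password column and SQL assembled from raw input.

    A username such as "admin' --" turns the rest of the statement into a
    comment, so the password is never compared and the caller gets a normal
    "logged in" answer with no error visible on the page.
    """
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """The placeholder binds input as data; the hash check happens in Python."""
    row = conn.execute("SELECT password_hash FROM users_hashed WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, crafted username, wrong password:", login_vulnerable(db, "admin' --", "wrong"))
    print("hardened,   crafted username, wrong password:", login_hardened(db, "admin' --", "wrong"))
    print("hardened,   correct credentials:             ", login_hardened(db, "alice", "correct horse battery"))
```

The hardened version fails the crafted username for two independent reasons: the placeholder makes the whole string a literal username that matches no row, and even a leaked table would yield only salted hashes rather than reusable credentials, which is the gap the report's TB_EMPLOYEE observation points at.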
Symantec has confirmed the existence of a vulnerability on pcd.symantec.com:
“A SQL injection vulnerability has been identified at pcd.symantec.com. The Web site facilitates customer support for users of Symantec’s Norton-branded products in Japan and South Korea only. This incident does not affect Symantec customers anywhere else in the world.
“This incident impacts customer support in Japan and South Korea but does not affect the safety and usage of Symantec’s Norton-branded consumer products. Symantec is currently in the process of updating the Web site with appropriate security measures and will bring it back online as soon as possible. Symantec is still investigating the incident and has no further details to share at this time.”
Credit: Softpedia News
The University of East Anglia has confirmed that a data breach has put a large quantity of emails and other documents from staff at its Climate Research Unit online. CRU is one of the three leading climate research centres in the UK, and a globally acknowledged authority on temperature reconstructions.
CRU declined to say whether it would attempt to halt the data breach. In a statement a spokesman said:
We are aware that information from a server used for research information in one area of the university has been made available on public websites. Because of the volume of this information we cannot currently confirm that all of this material is genuine.
A 61MB ZIP file was posted on a Russian FTP server late last night, local time. It contains over a thousand emails, and around three thousand other items including source code and data files. Emails are peppered with disparaging remarks and a crude cartoon of sceptical scientists is also included in the archive - suggesting the hacker roamed wide across the University’s servers.
A spokesman confirmed there had been a hack, and that staff documents had been published, but declined to say whether the University would be seeking to halt further dissemination of the data.
This information has been obtained and published without our permission and we took immediate action to remove the server in question from operation. We are undertaking a thorough internal investigation and we have involved the police in this enquiry.
CRU has been the centre of controversy for its roles in creating global temperature reconstructions and maintaining the archive of temperature data. Recent temperature reconstructions characterise post-1980 temperatures as unprecedentedly warm, and downplay historical periods of warm weather. This is the so-called “Hockey Stick” controversy, and many (but far from all) of these reconstructions involve key CRU staff.
In August, Phil Jones admitted CRU had failed to keep the raw data, which would permit outside parties to create their own temperature reconstructions. More recently, CRU dendroclimatologist Keith Briffa defended his sampling methodology which saw the inclusion of one tree core from the Yamal Peninsula create a Hockey Stick shaped graph, dubbed the “hottest tree in the world”.
The documents also appear to highlight a chummy relationship between sympathetic journalists - particularly the New York Times’ Andrew Revkin - and activist scientists.
Credit: The Register
P.S. A 61.93 megabyte file called Hadley “CRU FOI2009 zip” is already available at Mininova.
Two major Australian atheist websites were taken offline by distributed denial of service attacks earlier this week.
The organisations, the Atheist Foundation of Australia and Global Atheist Convention, have been in the news down under for organising a Global Atheist Convention in Melbourne early next year.
The attack, on Tuesday, took the sites offline for about 24 hours. It is not clear where the attack originated - Australia lacks a violent religious minority. The group also tried to run an atheist bus advert campaign but had their slogans rejected.
Admins added extra RAM and improved caching to get the site back online.
The attack has been reported to the Australian Federal Police, the Sydney Morning Herald said.
Credit: The Register
A largely unsuccessful attack on Polish government systems last month reportedly originated in Russia.
Details are scarce but it seemed that the attack coincided with the 70th anniversary of the outbreak of World War Two. Polish newspaper Rzeczpospolita reported that the assault targeted Polish government systems and took place at the same time Russian Prime Minister Vladimir Putin visited Poland.
Pawel Bialek, deputy head of Poland’s Internal Security Agency (ABW), said it was able to thwart the attack, without going into details, Infowar Monitor reports.
Nazi Germany and the Soviet Union infamously invaded and carved up Poland in September 1939 under the secret terms of the Molotov–Ribbentrop non-aggression pact. Polish hackers attacking Russia might make sense in the context of the anniversary of the infamous invasion; it’s harder to understand why Russian hackers might have it in for Poland, but then again perhaps they don’t need much provocation before cracking open the attack tools.
Disputes between Russia and its neighbours have regularly spilled out onto the internet over recent years. For example, cyberattacks accompanied the armed conflict between Russia and Georgia over the fate of Russian-speaking regions of Georgia last year. Security researchers subsequently blamed the attacks on civilians and Russian cyber-crime gangs.
The internet infrastructure of Estonia was ripped apart in April 2007, following a dispute over the relocation of Soviet-era war memorials and graves.
Credit: The Register
Peruvian hackers have reacted to the country’s dramatic defeat to Argentina on Saturday by defacing the site of Argentinian manager Diego Maradona and dubbing him a cry-baby.
A picture of a tearful Maradona was pasted on the website, alongside the message “Te Hicimos Llorar” (We made you cry). Maradona is pictured in tears and wearing a Boca Juniors top, whereas on the night he was wearing a suit. But such was the torrential downpour during the latter stages of the game, it would be difficult to tell if someone was crying or not.
The defacement goes on to add: “For the biggest cry baby of all time - you won over us at football, but we won on the internet”, above a picture of the Peruvian national team. The defacement, captured by net security firm Sophos, is claimed in the name of Elite-Peruvian.
Peru equalized against Argentina in the last minute of normal time, only for Argentina to score an injury time 2-1 winner in Saturday’s game in Buenos Aires.
World Cup qualification games between El Salvador and Honduras in 1969 infamously acted as a lightning rod for wider tensions between the two neighbours over issues such as immigration, and led to a four-day war (known as La guerra del fútbol). Forty years on we get a website defacement, which counts as progress of sorts, we suppose.
Maradona famously knocked England out of the 1986 FIFA World Cup with the infamous “Hand of God” goal. This was followed by an outstanding solo dribble and goal that showcased his extraordinary talent as an attacking midfielder.
“The message for Maradona [from the hack] is clear,” said Graham Cluley, a security consultant at Sophos. “Don’t leave your web security to the Hand of God - secure your systems and follow best practices instead to keep hackers locked out.”
Credit: The Register