Kaspersky hit by cyber criminals?

October 20th, 2010 by - No Comments »

UPDATED: Kaspersky hit by cyber criminals? | IT PRO.

It seems the unthinkable has happened – according to reports an attack hit their site on Sunday and exploited a vulnerability in a third party application. They say the ‘fake anti-virus’ redirection was in place for around three and a half hours.

This is a company that is supposed to be buttoned up tight. You have to give them kudos for full disclosure though, and we know that no-one is impenetrable, but this is a big hit to their name.

I have to harp on those two points of mine – assumption of risk and mitigation of risk. Even the best can get it wrong, as this episode has shown – it only takes one mistake!

Posted in: Tech |
Tags: , , , , ,

TWC Hacked: Details

September 2nd, 2010 by - No Comments »

TWC Hacked: Details.

This intrigued me. I saw this post on Twitter and decided to read it. In a nutshell, this guys forum was hacked by a pissed off user, but the pissed off user hacked the wrong person.

Through some log trawling and excellent forensics he found his hacker and ‘outed’ him not only to the forum, but to … well, I’ll let you read for yourself. There’s a moral there though – you’d better be good at black hat because getting caught is going to hurt.

Perhaps not the most technical of posts, nor the most relevant – but a lesson learned none-the-less.

Posted in: Day to Day |
Tags: , , , , , ,

EDU hacking with SEO?

August 16th, 2010 by - No Comments »

The Strange Case of Doctor Jekyll and Mr. ED.

This is from SANS, posted today by Tom Liston, about hacked EDU sites. Like most people in information security I regularly craft Google queries to seek out compromised and/or misconfigured websites. In this case he was crafting simple queries to see if any EDU websites were root to some of the Viagra and Cialis spam out there. Here’s the queries he used:

site:.edu buy viagra

site:.edu buy cialis

…and so many more. The eye opening thing about this time around is that not only did he find a lot of EDU sites are still ‘hacked’, but a lot of them are now subtly hacked such that the hackers are leveraging these EDU sites to increase their positioning on search engines – SEO.

Sneaky – the links in the EDU site are not effected – the hackers put entries in the .htaccess and Apache’s mod_rewrite to redirect certain traffic. Here’s what he speculated a .htaccess might look like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$
RewriteRule .* http://badsite.com [R,L]

Now the hackers are getting even more geeky in utilizing SEO and SEM – this kind of hacking isn’t instant gratification, it’s reputation building almost. The art of hacking has never been a simple thing, and this is a progression don’t you think?

You should read the article to see how he went about this process, and the history behind it. It’s quite informative, as usual.

Posted in: Tech |
Tags: , , , , ,

RockYou Hack: From Bad To Worse

December 15th, 2009 by - No Comments »

From Techcrunch.com – by Nik Cubrilovic

Earlier today news spread that social application site RockYou had suffered a data breached that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers. RockYou have yet to inform users of the breach, and their blog is eerily silent – but the details of the security breach are going from bad to worse.

The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.

The database consists of a table containing partner data, and another table that has stored the credentials for those partner sites that users have entered. This includes social networks such as MySpace but also webmail accounts.

Data UserAccount [32603388]
================
1|jennaplanerunner@hotmail.com|mek*****|myspace|0|bebo.com
2|phdlance@gmail.com|mek*****|myspace|1|
3|jennaplanerunner@gmail.com|mek*****|myspace|0|
5|teamsmackage@gmail.com|pro*****|myspace|1|
6|ayul@email.com|kha*****|myspace|1|tagged.com
7|guera_n_negro@yahoo.com|emi*****|myspace|0|
8|beyootifulgirl@aol.com|hol*****|myspace|1|
9|keh2oo8@yahoo.com|cai*****|myspace|1|
10|mawabiru@yahoo.com|pur*****|myspace|1|
11|jodygold@gmail.com|att*****|myspace|1|
12|aryan_dedboy@yahoo.com|iri*****|myspace|0|
13|moe_joe_25@yahoo.com|725*****|myspace|1|
14|xxxnothingbutme@aol.com|1th*****|myspace|0|
15|meandcj069@yahoo.com|too*****|myspace|0|
16|stacey_chim@hotmail.com|cxn*****|myspace|1|
17|barne1en@cmich.edu|ilo*****|myspace|1|
18|reo154@hotmail.com|ecu*****|myspace|1|
19|natapappaslie@yahoo.com|tor*****|myspace|0|
20|ypiogirl@aol.com|tob*****|myspace|1|
21|brittanyleigh864@hotmail.com|bet*****|myspace|1|myspace.com
22|topenga68@aol.com|che*****|myspace|0|
23|marie603412@yahoo.com|cat*****|myspace|0|
24|mellowchick41@aol.com|chu*****|myspace|0|
25|baiko0o@aol.com|may*****|myspace|0|
26|indahamzah84@hotpop.com|lov*****|myspace|0|

The initial exploit took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade. The method of vulnerability is extremely basic in execution, yet catastrophic in impact – which RockYou, and the sites users, are now learning the hard way. It is more of a surprise that this had not happen sooner – as the RockYou platform is a swiss cheese of security vulnerabilities and poor practices.

Where RockYou Went Wrong

Poor password policies

RockYou account creation only enforced password of a minimal length of 5 characters, there was no requirement for mixed-case, numbers or punctuation. The platform actually encouraged simple passwords by not allowing any punctuation at all.

rockyou1

Passwords in the clear

RockYou are still storing passwords in the clear, and transporting user passwords in the clear via email. Despite the attack taking place over 10 days ago now and RockYou knowing about the attack, a user signing up for a RockYou account today will still have their password stored as plain text and emailed to them in the clear.

rockyou2

The password anti-pattern

RockYou prompted users to enter their third-party site credentials directly into the RockYou site when sharing data or an application. The Facebook integration requires proper Facebook authentication, and MySpace integration today applies similar techniques, but for most of the other sites the same old crazy password request form is still present. Telling your users that you will not store their password is not a solution.

rockyou3

Terrible Response

RockYou knew about the breach days ago, and it took a taunt from the hacker for the issue to become well-known and for RockYou to issue a response (although their users are still not aware of the issue, unless they are reading the news online).

The sites privacy policy and the related ’security’ section state:

Our Commitment To Data Security:
RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk. Once we receive your transmission of information, RockYou! makes commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

If RockYou! learns of a security systems breach, then we may attempt to notify you electronically so that you can take appropriate protective steps. RockYou! may post a notice on the RockYou! Sites if a security breach occurs. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. To receive a free written notice of a security breach (or to withdraw your consent from receiving electronic notice) you should notify us using this contact form.

Next time you sign up for a web service, take a moment to see where they stand on informing their users on a data breach, and find out just how much they respect the privacy of their users.

RockYou have been complacent with what is a very serious matter. They have not taken steps to rectify the problems that caused the breach and have not addressed their users in a suitable or adequate manner. An appropriate response would have been to take the site down for a period of a few hours and enforce that users enter new passwords, which would be stored in a hashed or encrypted form. The sad thing is that companies are able to get away with being so complacent, because most users will not find out about this, most users will never be affected by it and there is zero accountability for a users private data from service providers.

If you know of any company with similar policies, such as emailing passwords in the clear – call them out in the comments or email us on tips at techcrunch.com. We will make sure that we followup with each of them, and call them out if necessary.

Posted in: Tech |
Tags: , , , , , ,

Hacked Facebook applications reach out to exploit sites in Russia

October 15th, 2009 by - No Comments »

From: AVG Blogs | Roger Thompson

Hi folks,

All the social networking sites have issues with calling out to exploit pages. Usually what happens is that someone’s website gets hacked, and because they link to it from their MySpace or Facebook page, their contacts and friends sometimes get drawn to the attack sites. This is quite common, and we’ll write about it soon, but today’s story is a little different, in that these seem to be actual Facebook applications that have been hacked. (Please note that the application developer(s) are innocent victims too, and did not intend for their games to be hacked.)

The first one we noticed was CityFireDepartment, which seems to be a sort of online game that allows a player to become a fireman. (Please DO NOT GO to this application until it is cleaned up).

This is how it’s supposed to look… (Click image to enlarge)

facebook1

But what you see instead is something like this (especially if you are not patched)…

facebook2

If you’re not patched, the next thing you see is this… (note the “Your computer is infected” warning in the bottom right corner of the screen):

facebook3

Followed by…

facebook4

And if you have a nifty change notification tool, like WRremote, you’ll see that you are already nailed, with sys files already having been installed.

At first, we thought this was a deliberate hack attempt by the developers, but when we looked at the source code for the web pages, we found this iframe injected into the source…

facebook5

Interestingly, this line changes at least once a day, and calls to a different exploit site, so the bad guys are still exploiting the hole, whatever it is. And also interestingly, some of their users are also telling them they have a problem. Here are some of the comments…

facebook6

Initially, we thought that the applications were deliberately acting as lures, but it now seems to us that they are victims themselves. The difficult part for them will be to find and plug the hole that the data snatchers are using to hack the applications.

The other applications where we have detected the hack include (we don’t include direct links to them in order to save you):

  • MyGirlySpace
  • Ferrarifone
  • Mashpro
  • Mynameis
  • Pass-it-on
  • Fillinthe
  • Aquariumlife

There could easily be lots more, but that’s what we’ve noticed with this particular hack.

It’s a tricky world out there folks, keep safe.

Posted in: Tech |
Tags: , , , , , , , , ,

Newer Entries »