Security Weekly News 30 December 2010 – Full list

Category Index

Hacking Incidents / Cybercrime

 
Server was cracked using 'local file inclusion' weakness and hacking group then worked through system to access passwords and source code, sources say

 
Security researchers warn that a new mass injection attack is underway directing the visitors of hundreds of websites to a malicious Java applet which downloads a trojan.
According to Denis Sinegubko, the creator of the Unmask Parasites Web scanner, the malicious code is added at the end of HTML pages on compromised websites and takes the form of an obfuscated JavaScript function.
When parsed by the browser, this function adds a rogue IFrame to the HTML document, which loads a new.htm page from aubreyserr.com, medien-verlag.de or yennicq.be.
According to statistics from Google's Safe Browsing service, around 2,000 websites link to these domains, giving a rough estimation of the attack's impact so far.
The page called by the IFrame loads a Hidden.jar applet deceptively titled 'Java Update.' This is a Java OpenConnection-type downloader whose only purpose is to download and execute a file called host.exe.

 
BackTrack Site Compromised  [www.backtrack-linux.org]
There's nothing like having your butt kicked Christmas morning, which is exactly what happened to us today. We were owned and exposed, in true fashion. The zine also mentioned other sites, as well as the ettercap project being backdoored.

 
addons.mozilla.org disclosure  [blog.mozilla.com]
On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.
The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.
It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla's infrastructure. This information was also sent to impacted users by email on December 27th.

 
Recently, there have been reports in the news that an unauthorized third party viewed and modified ettercap forums database (hosted on our Project web service). Among other things, this exposed hashed values of ettercap forum user passwords. (In other words, if you have an ettercap account/password and you're using the same password other places, such as your SourceForge account, it would be in your best interest to change them. And not do that anymore.)
Before I go on, I want to make it very clear that this had no effect on our downloads service, our hosted apps, SCMs, forums, etc.

 
Dumb admin over at Awakenedlands.com
Here's all their code and a decrypted users table 35k of emails and 16k of
md5 decrypted hashes.
I also include most of the tables name and data, and column names.
users list: http://bit.ly/hFW7Ak
code: http://bit.ly/gN5KFk

 
Software engineer Bruce Dang led Microsoft's analysis of the Stuxnet worm.
BERLIN – It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft's Windows vulnerability team learned of it first from an obscure Belarusian security company that even the Redmond security honchos had never heard of.
The sophisticated worm, which many computer experts believe was created as a specific attempt to sabotage Iran's nuclear power plant centrifuges, has written a new chapter in the history of computer security. Written to affect the very Siemens components used at Iran's facilities, some analysts have even speculated it may have been the work of a state, rather than of traditional underground virus writers.

 
In this Dec. 22, 2010 photo, attorney Daniel Balsam, who hates spam so much that he launched a Website Danhatesspam.com, poses outside in San Francisco. From San Francisco Superior Court small claims court to the 9th U.S. Circuit Court of Appeals, San Francisco-based Balsam has been wielding a one-man crusade against e-mail marketers he alleges run afoul of federal and state anti-spamming laws with dozens of lawsuits filed even before he graduated law school in 2008. (AP Photo/Eric Risberg)
SAN FRANCISCO — Daniel Balsam hates spam. Most everybody does, of course. But he has acted on his hate as few have, going far beyond simply hitting the delete button. He sues them.
Eight years ago, Balsam was working as a marketer when he received one too many e-mail pitches to enlarge his breasts.

Unpatched Vulnerabilities

 
A remote code execution vulnerability against Internet Explorer was announced recently, and a proof-of-concept exploit has already been added to the Metasploit products.
Microsoft doesn't have a patch out yet, but it has published a workaround which protects against this exploit, and others of a similar sort.
I urge you to familiarise yourself with the workaround, because it improves your general security posture as well as mitigating this particular problem.
The vulnerability was published earlier in the month on a full-disclosure security list. Full disclosure means that you simply tell the world about a newly-found bug, and let the world sort things out. The theory behind this is that it prevents sluggish software vendors from simply ignoring the problem and not fixing it. The disadvantage, of course, is that it alerts the Bad Guys at the same time as everyone else.

 
Hi folks,
Exists an SQL-Injection on http://people.joomla.org/events.html?groupid=1%20or%201=0%20union%20select%20all%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70;%20–
I hope which affect to any site that use this plugin, extension or
module too.

Software Updates

 
Version 3.0.4 of WordPress is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES.

 
Windows/Mac/Linux: VirtualBox 4.0 makes creating virtual operating systems a lot less bothersome. The interface is easier to get around, the virtual machines easier to move or wipe away, display and hardware compatibility is improved, and new 'extensions' can add new capabilities.

Business Case for Security

 
Burglary warning for residents  [www.northumbria.police.uk]
Advice in relation to house burglary:
* ensure your windows and doors are securely locked
* avoid leaving valuables where they can be seen through windows or within easy reach of windows and doors
* never leave your car keys on view or within easy reach of the door
* fit a house alarm
* install outside security lighting which is triggered by movement
* Make a list of your property and mark it with your postcode
* Use timers for lights and radios if you are going out at night
* Report any suspicious activity to police

Web Technologies

 
IEEE Security and Privacy published an article that my group and I wrote some months ago, it's titled : Splitting the HTTPS Stream to Attack Secure Web Connections. You can find it here, check it out !

 
A study of HTTPOnly and SECURE cookie flag settings for the top 1000 websites serving HTTPS content
A basic HTTPS request was sent to to the top 1000 websites. The HTTP responses were investigated to observe the usage of HTTPOnly and SECURE cookie flags. Here is what was found:

 
NoScript vs Insecure Cookies  [hackademix.net]
Mike Perry's Automated HTTPS Cookie Hijacking just made Slashdot's front page, so I decided to spend some time nesting a countermeasure inside NoScript's request intercepting guts.
The original idea comes from an email conversation I had with pdp just after his GMail account had been compromised: he suggested to mark every cookie with the "Secure" attribute, causing the browser to send it exclusively over HTTPS connections.
Later he detailed this concept as a feature of his yet to be developed BrowserSecurify plugin:

Network Security

 

 
I received my Loggly beta account (thanks to them!) a few days ago and started to test this cloud service more intensively. I won't explain again what is Loggly, I already posted an article on this service.
For me, services like Loggly are the perfect cloud examples with all the pro and cons. Smallest organizations may find here a perfect tool to analyze their logs with limited efforts and, at the opposite, there are two main issues regarding the security of your data sent to the cloud.

 
After suffering a massive outage last week, Skype CIO Lars Rabbe has now detailed what went wrong.
One of the root causes? A bug in the Skype for Windows client (version 5.0.0152).
Rabbe kicks off by explaining that a cluster of support servers responsible for offline instant messaging became overheated on Wednesday, December 22.
A number of Skype clients subsequently started receiving delayed responses from said overloaded servers, which weren't properly processed by the Windows client in question. This ultimately caused the affected version to malfunction.

 
Several years ago, I had some fun: I streamed live audio, and eventually video, through the DNS.
Heh. I was young, and it worked through pretty much any firewall. (Still does, actually.) It wasn't meant to be a serious transport though. DNS was not designed to traffic large amounts of data. It's a bootstrapper.
But then, we do a lot of things with protocols that we weren't "supposed" to do. Where do we draw the line?
Obviously DNS is not going to become the next great CDN hack (though I had a great trick for that too). But there's a real question: How much data should we be putting into the DNS?

 
I noticed while running a vulnerability scan with Nessus, that Citrix Provisioning Servers's TFTP service would crash. This service is used for the PXE booting Citrix's virtual machines, so it is rather important.
I began to wonder if I could cause it to crash with my own evil packet. Of course, I could just sniff the traffic generated by Nessus, but that takes away from the challenge and it wouldn't tell me the exact portion of the packet that caused the crash.
I did a bit of research on TFTP by reading the RFC. In addition, I found that the Wikipedia article has a pretty good description as well as some nice pretty pictures. I thought the packet most likely to cause a crash would be the RRQ (read request) and specifially the filename attribute, since it has the most manipulatable data. I then fired up Scapy.

 
Following our earlier post on nasty network address ranges, ISC reader Tom wrote in with some interesting logs. His information ties a recent wave of Java exploits to several addresses in the same 91.204.48.0/22 netblock. The latest exploits in this case start with a file called 'new.htm', which contains obfuscated code as follows

 
WPA-PSK Wordlist Download – 13GB  [hashcrack.blogspot.com]
Looks like my lists got compiled into a large collection of wpa passwords – well worth the bandwidth. =)
Although since its a wpa wordlist, everything below 8 chars long was removed, which is bad for other practical uses.

 
VM Detection by In-The-Wild Malware  [www.networkforensics.com]
A large number of security researchers use Virtual Machines when analyzing malware and/or setting up both active and passive honeynets. There a numerous reasons for this, including: scalability, manageability, configuration and state snapshots, ability to run diverse operating systems, etc..
Malware that attempts to detect if it's running in a Virtual Machine (then change its behavior accordingly to prevent analysis by security people) is not a subject of academic fancy. A recent search of VirusTotal showed they receive at least 1,000 unique samples a week with VM detection capabilities. (This search was performed by searching for known function import names from non-standard DLLs.) Personally, my first encounter with malware that behaved completely differently inside a Virtual Machine (from a real host) was approximately eight years ago.

Mobile Security

 
Antid0te  [antid0te.com]
Address Space Layout Randomization (ASLR) and more for jailbroken iPhones.
If you are interested in the techniques used to add ASLR to your iPhone here are the slides of my talk at POC 2010. [PDF]
If you want to see the ASLR in action have a look at the GDB output for MobileSafari without ASLR and with ASLR.
In the meanwhile part of my Antid0te research has been applied to the dynamic linker of Mac OS X Snow Leopard. By rebasing the dynamic linker dyld you can make your Mac OS X Snow Leopard installation more resilient against attacks. Read the full article here.

 
Breaking GSM Security With a PhoneWhatever assurances have been given about the security of GSM cellphone calls, forget about them now.
Speaking at the Chaos Computer Club (CCC) Congress here today, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network 'sniffers,' a laptop computer and a variety of open source software.

 
According to security experts, an 'SMS of death' threatens to disable many current Sony Ericsson, Samsung, Motorola, Micromax and LG mobiles. In a presentation given to the 27th Chaos Communication Congress (27C3) in Berlin on Monday, Collin Mulliner and Nico Golde, security researchers at TU Berlin, claimed that sending malicious text or MMS messages represents a relatively simple means of crashing current mobile phones. Some of the bugs discovered have the potential to cause problems for entire mobile networks.

Privacy

 
Firefox 4 will not include a 'do not track' privacy option to block targeted advertising, according to the web browser's maker Mozilla.
The Firefox 4 browser will not ship with what we envision is the end-to-end solution. We don't think any browser can today.
– Firefox browser maker Mozilla
On Monday, an AFP report stated that Firefox 4, which is due for release in early 2011, would include a 'do not track' privacy option to foil behavioural advertising. Behavioural or targeted advertising products track a user's behaviour online, and serve ads based on the user's perceived interests.

 
Posted by: Giorgio in Anonymity, Mozilla, NoScript
Latest NoScript (2.0.9) supports the Do Not Track tracking opt-out proposal, joining AdBlock Plus in this experiment.
From now on, a web browser with NoScript installed warns every HTTP server it contacts that its user does not want to be tracked, i.e. that his data must not be collected for profiling and persistent identification purposes. I believe this is a safe assumption about the feelings of most if not all NoScript users.

 
Earlier today I mentioned the report from a reader who had enjoyed his first enhanced pat-down. This reader, Ari Ofsevit, has noticed the same thing many others have reported: the high variability in whether airports with the new scanning systems are actually making passengers go through them. For instance, last month when I was traveling through San Diego (home of the original 'don't touch my junk' contretemps), I was allowed to choose between the new machines and the plain old metal detectors. I chose the old ones.

 
A 56-year-old rape survivor with a pacemaker refused a groping by TSA agents at Austin Bergstrom airport, and was subsequently arrested, pushed to the floor, dragged, and banned from flying from the airport.

General

 
Is your friend really a friend on Facebook?  [articles.orlandosentinel.com]
Scammers go where the people are – Facebook.
Facebook is the latest hot spot for swindlers in search of new victims.
And the world's most popular social-networking website can be a gold mine for such crooks, experts say.
Scams on social-media sites are much the same as the ones you may have received as e-mail, said Kevin Johnson, a consultant for Secure Ideas, which does security research.
Advertisement
'The big difference in the [social-networking] scams is the level of trust that the users have,'' he said. 'People trust them more than they trust e-mail.'

 
After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:
Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.

 
 [www.newscientist.com]
Banknotes go electric to outwit counterfeiters
GOOD old-fashioned cash is to go down the electronic route, now that it is possible to stamp simple electronic circuits directly onto banknotes.
Modern banknotes contain up to 50 anti-counterfeiting features, but adding electronic circuits programmed to confirm the note's authenticity is perhaps the ultimate deterrent, and would also help to simplify banknote tracking.
Silicon-based electronic circuits are clearly too thick to be incorporated into thin and fragile banknotes, but semiconducting organic molecules might be a viable alternative.

 
So far, the analyses of OpenBSD's crypto and IPSec code have not provided any indication that the system contains back doors for listening to encrypted VPN connections. The OpenBSD developers started the code audit to investigate allegations made by Gregory Perry, the former CTO of crypto company NetSec. In an email to OpenBSD founder Theo de Raadt, Perry had accused developer Jason Wright and others of having built back doors into the IPSec stack. De Raadt made the email public and presented Perry's allegations for discussion.

Tools

 
Happy Holidays everyone! This is the latest version of the Social-Engineer Toolkit codename "Happy Holidays". This release adds new Metasploit-based client-side attacks (4 in total), many optimizations on the SET web server including proper threading to make it run faster as well as an overall of optimizations through the entire code base. The next version 1.2 will be an overhaul of function calls and centralization of modules to allow easier additions for third party contributions.
Also added in this release is a new set_config option that will automatically disable the auto redirection on the Java Applet so in examples with Multi-Attack where you use Java Applet + Credential Harvester it will now only redirect once the credential harvester is executed. This is especially useful when you get your payload execution and harvest credentials all within one attack.

 
syslog2loggly  [github.com]
Perl script to send Syslog events to the Loggly cloud via HTTPS (www.loggly.com) http://blog.rootshell.be/2010/12/27/send-events-safely-to-the-loggly-cloud

 
The PlugBot  [theplugbot.com]
PlugBot is a hardware botnet project. It's a covert penetration testing device (bot) designed for covert use during physical penetration tests. PlugBot is a research project led by Jeremiah Talamantes, a Penetration Tester and Security Researcher for RedTeam Security.

 
Ephemeral Diffie-Hellman key exchange (EDH or DHE, depending on where you look) allows two parties with no prior knowledge of each other to establish a shared secret. In SSL, DHE is used together with some method of authentication (most commonly RSA) in the handshake phase. Ephemeral DH is valued because it provides perfect forward secrecy — the session keys cannot be recovered if the authentication method is broken (e.g., someone retrieves the server's private key).

 
WAYBACK WEBAPP HACKING  [www.room362.com]
Archive.org allows you to check the history of sites and pages, but a service most are not aware of is one that allows you to get a list of every page that a Archive.org has for a given domain. This is great for enumerating a web applications, many times you'll find parts of web apps that have been long forgotten (and usually vulnerable).
This module doesn't make any requests to the targeted domain, it simply outputs a list to the screen/or a file of all the pages it has found on Archive.org.

 
THC-IPV6  [freeworld.thc.org]
Last update 2010-12-26
A complete tool set to attack the inherent protocol weaknesses of IPV6
and ICMP6, and includes an easy to use packet factory library.
Download the current version here:
thc-ipv6-1.4.tar.gz

 
Hello!
I hope you had nice fun with Nessus bridge, but here's the OpenVAS bridge.
It is one of the PoC codes for my upcoming talk tomorrow at BerlinSides: http://www.berlinsides.org/node/14

 
This Plugin send Growl messages to OSX Systems running Growl when a session is created and when a session is shutdown, Each message will contain information about the session it is reporting on. Do make sure to configure you Growl application to receive the messages and set a password to do this go to Preferences -> Growl -> Network and select 'Listen for incoming connections' and 'Allow remote application registration' and set the password in the password field, after this go to General and stop and start Growl so the settings will take effect. If the notification will be a remote one you will have to open the UDP Port 9887

 
Blackbuntu Community Edition 0.1  [security-sh3ll.blogspot.com]
Linux Live-CD based on Ubuntu 10.10 which was specially designed for security training students and practitioners of information security.

 
What is pyrit?  [forum.intern0t.net]
Pyrit allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the world's most used security-protocols.
WPA/WPA2-PSK is a subset of WPA/WPA2 that skips the complex task of key distribution and client authentication by assigning every participating party the same pre shared key. This master key is derived from a password which the administrating user has to pre-configure e.g. on his laptop and the Access Point. When the laptop creates a connection to the Access Point, a new session key is derived from the master key to encrypt and authenticate following traffic. This "shortcut" eases deployment of WPA/WPA2-protected networks for home- and small-office-use at the cost of making the protocol vulnerable to brute-force-attacks against it's key negotiation phase; it allows to ultimately reveal the password that protects the network. This vulnerability has to be considered exceptionally disastrous as the protocol allows much of the key derivation to be pre-computed, making simple brute-force-attacks even more alluring to the attacker. For more background see this article on the project's blog.
The author does not encourage or support using Pyrit for the infringement of peoples' communication-privacy. The exploration and realization of the technology discussed here motivate as a purpose of their own; this is documented by the open development, strictly sourcecode-based distribution and 'copyleft'-licensing.
Pyrit is free software – free as in freedom. Everyone can inspect, copy or modify it and share derived work under the GNU General Public License v3+. It compiles and executes on a wide variety of platforms including FreeBSD, MacOS X and Linux as operation-system and x86-, alpha-, arm-, hppa-, mips-, powerpc-, s390 and sparc-processors.
Setting Up Pyrit With Cuda Caperbilities

Funny

 

 

 
Web Service Details: LUHNChecker  [webservices.seekda.com]
Validates Credit Cards to ensure proper input. This is a FREE CDYNE service ran off of our secure servers.

 
Garfield and Santa  [www.gocomics.com]

 

 
TSA fun  [media3.washingtonpost.com]

 
no comment  [i.imgur.com]

 
Worst hurdle race ever  [www.noob.us]

 

 
Incident handling  [imgs.xkcd.com]

 
A man is dating three women  [img822.imageshack.us]

 
This is a letter sent in by a Cleveland Browns season ticket holder in 1974 to management asking them to please terminate other fans from making paper airplanes out of the programs and sailing them around the stadium. You'll poke your eye out! The reply back is something no company would have the cojones to do now.
They don't make 'em like they used to. Go Cleveland!