Category: Hacks

TSA Worker Tried to Sabotage Terror Database


A former Transportation Security Administration contractor is being charged in Colorado for allegedly injecting malicious code into a government network used for screening airport security workers and others.

The malicious code, a logic bomb installed last October, was designed to cause damage and disrupt data on servers on an undisclosed date but was caught by other workers before it delivered its payload.

Douglas James Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center, or CSOC, since 2004. The CSOC is used to vet people who have “access to sensitive information and secure areas of the nation’s transportation network,” according to the indictment. A source involved in the case said this involved screening of both passengers and workers at airports and other transportation facilities.

He pleaded not guilty in a Denver federal court on Wednesday and was released on a $25,000 unsecured bond. The indictment did not say whether the malware was crafted to erase or alter data, or simply disable servers.

The CSOC network stores updated information from the government’s terrorist watchlist as well as criminal histories from the U.S. Marshals Service Warrant Information Network.

Duchak’s job was to update the CSOC database as new information arrived from these two sources. But on Oct. 15, he was given two weeks’ notice that his job would be terminated.

About a week later, on Oct. 22, Duchak allegedly transmitted the malicious code onto a CSOC server that stored data from the U.S. Marshals Service, according to the indictment. The next day, he allegedly loaded malicious code onto a server containing the Terrorist Screening Database. The source involved in the case said the servers “are part of the system that contains the no-fly list” and added that the code, if it had gone undetected, could have traveled to a facility in another state that uses a similar computer system.

Duchak has been charged in the U.S. District of Colorado with two counts of attempting to cause damage to a protected computer. If convicted, he faces a possible prison sentence of 10 years and a $250,000 fine for each count.

Duchak’s attorney, David Lindsey, disputes the government’s charges and says that the system Duchak worked on was a beta system used for testing statistical analyses.

“It wasn’t connected to anything that had to do with security,” Lindsey said. “Before anything he had his hands on left, it went to another system before it got into any live system that did screening. As I understand it, it is a system that does statistical analyses on the systems that are up and running. And when the tests are run, those are done at one level and then [go to] a second level and then at a final level before the analyses are verified and passed onto anything you would call a live system.”

Lindsey said the CSOC servers that were allegedly targeted for sabotage were used for screening workers primarily and were only “remotely, remotely” related to passenger screening, though he could not elaborate.

“The government has been very misleading in the indictment and press release as to any potential harm [this might have caused] to the public,” he said, adding that the alleged malware was not a virus and will ultimately be shown to have been “nothing.”

Source: Wired

TechCrunch compromised, defaced


Popular technology site TechCrunch was hit by potty-mouth hackers late on Monday, leaving the site temporarily unavailable.

A notice on TechCrunch.com’s front page on Tuesday morning explains that “TechCrunch.com was compromised by a security exploit”. Access to the site’s story archive has been suspended, leaving a two-paragraph notice about the hack as the only content visible on the site.

Hackers defaced the front page of the site with a message (recorded by Mikko Hypponen of F-Secure here) apparently abusing site admins and including a link to a website that links to pornographic content and warez.

This defacement was removed by site admins who are in the process of identifying the exploit involved in the hack, securing systems, and bringing TechCrunch back online.

The motives or perpetrators of the attack remain unclear but the timing – a day before Apple’s much anticipated iTab launch in San Francisco – could hardly be worse.

Source: The Register

Hundreds of Network Solutions Sites Hacked


Web site domain registrar and hosting provider Network Solutions acknowledged Tuesday that hackers had broken into its servers and defaced hundreds of customer Web sites.

The hackers appear to have replaced each site’s home page with anti-Israeli sentiments and pictures of masked militants armed with rocket launchers and rifles, along with the message “HaCKed by CWkomando.”

Judging by the results returned for that search term by Microsoft’s Bing search engine, there may in fact be thousands of sites affected by this mass defacement.

One of the defaced pages belonged to Minnesota’s 8th District GOP, according to a story in The Minnesota Independent, which said the Arabic writing that accompanies the defaced pages contains the dedication “For Palestine,” and the repeated phrase “Allahu Akbar” [God is great].

Network Solutions said the hackers were able to get in by exploiting a “file-inclusion” weakness in the company’s Unix servers. So-called remote file inclusion attacks are quite common, and can let attackers insert code that gives them backdoor access to and control over the affected server. Network Solutions said it is in the process of helping customers restore their sites.

“These incidents are regrettable and we apologize for the inconvenience,” the company said in its statement. “Due to the nature of the web, the race between technology and the bad elements is a challenge that companies face continually.”

Network Solutions said there was no danger to customers’ “personally identifiable or secure information” as a result of the incident. Other recent break-ins at NetSol have not been so benign: Last summer, hackers broke into a number of Network Solutions Web servers and planted rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts.

Source: Krebs on Security

Hack of Adobe Conducted Via Zero-Day IE Flaw


The recent hack attack on Adobe occurred through exploitation of a zero-day vulnerability that affects all versions of Internet Explorer, according to a security researcher with a leading anti-virus firm.

Microsoft learned about the vulnerability only Wednesday evening and is planning to release an announcement about the vulnerability later today, said the researcher, who asked not to be identified because he’s not authorized to speak with the press.

The vulnerability, for which there is currently no patch, is a memory corruption flaw that causes the browser to internally misfire in a way that allows the hacker to inject malware on the user’s computer.

“It’s pretty targeted so the reality is that it’s only currently being used against these targeted companies,” the researcher said. He couldn’t say how many of the other 33 companies hit in the hack attack were breached in this way.

Zero day vulnerabilities are security flaws in software for which there is currently no patch. Researchers discovered a memory corruption flaw in IE in December, which Microsoft patched on Dec. 9. The researcher, however, said the one that affected Adobe is believed to be a new and different one.

Google announced on Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network, and that the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists.

Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

Neither Google nor Adobe provided details about how the hacks occurred.

Full article at: Threat Level

Cybercriminals target school districts


Local school districts across the United States have emerged as a prime target for cybercriminals. In the fall of 2009, districts in Colorado, Illinois, Oklahoma and Pennsylvania all reported thefts of tens of thousands of dollars.

The threat continues: on January 5, 2010, the Duanesburg, New York Central School District disclosed an attempted theft of $3.8 million, about a quarter of the district’s operating budget.

These crimes have been driven by malicious software infecting central office PCs that hold the district’s electronic banking details. Those details were then used by cybercriminals to access the district’s online bank account and illegally transfer money out of the account to money mules, who in turn forward the funds to the criminal ringleaders.

Comodo CEO Melih Abdulhayoglu points out the soft-target characteristics of school districts and similar organizations, including local governments, not-for-profit organizations, and small businesses, that make them attractive to cybercriminals. Abdulhayoglu further points out the need for much stronger “Default Deny” PC endpoint security to be deployed by organizations that will always appear to be soft targets relative to larger organizations with the personnel and financial resources to mount stronger cyber-defenses.

Source: Help Net Security

Google announces data breach, will stop censoring in China (if they stay at all)


The big news today regarding Google is its announcement on its blog that it was a target of a highly focused attack on its corporate infrastructure.

Google’s statement:

“First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.”

Google has announced that it will stop filtering search results in China. This is a bold move for Google, and a reversal of past practices. Google has come under fire from freedom advocates in recent years due to its cooperation with the Chinese government in censoring search results for users in China.

This move indicates that Google possibly considers the attacks to have been authorized by the Chinese government, or that they were performed by government sympathizers.

Additionally, Google has announced that if conditions in China continue to be non-conducive to business, it will consider pulling out of China completely.

Adobe confirms a targeted attack against its corporate network


The start of 2010 has been rough for Adobe, which has now released a statement confirming a “sophisticated and coordinated attack” against its corporate network.

A statement from Adobe:

“Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident. At this time, we have no evidence to indicate that any sensitive information — including customer, financial, employee or any other sensitive data — has been compromised. We anticipate the full investigation will take quite some time to complete. We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers and our partners.”

Adobe has come under fire recently due to a flaw found in its Reader and Acrobat software which remained unpatched for over a month. Due to this incident, Adobe has stated that it will be building a silent updater for these products.

Twitter hack group hits Baidu.com


The same group that used a DNS attack to hijack Twitter last month has defaced the home page of Chinese search engine Baidu.

Surfers visiting the Baidu site on Monday night were confronted by the message “This site has been hacked by Iranian Cyber Army”, together with an image of the Iranian flag. Early speculation suggests the attack involved changing Baidu’s DNS records rather than a direct attack on the site itself, but this remains unconfirmed.

The attack might have been used to point the millions of Chinese users who use Baidu every day towards a site that took advantage of browser exploits to infect computer users with malware. So it’s perhaps fortunate that the Baidu hack involved only political graffiti.

By Tuesday morning, Baidu’s site had been cleaned up. Screenshots of the hack can be found in a blog entry with further commentary on the attack by Sophos here: http://www.sophos.com/blogs/gc/g/2010/01/12/baidu-chinas-largest-search-engine

Source: The Register

Hacker pierces hardware firewalls with web page


On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser’s geographical location by exploiting weaknesses in many WiFi routers. Now he’s back with a simple method to penetrate hardware firewalls using little more than some JavaScript embedded in a web page.

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it’s behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

“What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port,” Kamkar told El Reg. “This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required.”

Kamkar’s proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim’s internal system, and using what’s known as NAT traversal an attacker can access any port that’s open on the local system.

For the hack to work, the visitor must have a network service such as a file transfer protocol (FTP) or session initiation protocol (SIP) server running on his machine. The hack doesn’t guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources.

“Most people have this false sense of security that ‘well, I’m behind my router, nobody can connect to my ports,’” said Kamkar, the hacker behind the notorious Samy Worm that in 2005 took MySpace out of commission by adding more than 1 million friends to the author’s account. “If you’re going to keep a service open to the world, you’ll probably have more upkeep” to make sure it’s secure.

The problem is a hard one to solve, since NAT, short for network address translation, is included in many routers to give users a seamless experience when accessing a host of internet-based services and applications. The use of a software-based firewall on the client will help, but Kamkar warned that even then some ports may be accessible.

While Kamkar’s proof-of-concept requires users to press a submit button, he said it’s trivial to use JavaScript so that no interaction is required after the page is visited.

Kamkar said he based his attack on IRC because many versions of Linux used to run routers support the protocol by default. He has based similar attacks on FTP and had success with both the Belkin and Airport Extreme routers, and he believes other services such as SIP may work on those routers as well as on other devices.
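The weak link the article describes is the router’s IRC application-layer gateway (ALG): it opens an inbound pinhole whenever it sees a DCC offer on an outbound port-6667 flow, without checking that the flow is IRC at all, so a browser form POST carrying the same text is honored. The following is an added example written for this page, not Kamkar’s code or any router vendor’s firmware: it models a permissive ALG next to a protocol-aware one that rejects the same constructed stream.

```python
import re
import ipaddress

# A DCC offer carries the advertising host's IPv4 address as a decimal
# integer followed by the port it will listen on (standard IRC DCC syntax).
DCC_OFFER = re.compile(rb"DCC (?:CHAT|SEND) \S+ (\d+) (\d+)")


def naive_alg_pinhole(stream: bytes):
    """Model of a permissive IRC ALG: any DCC offer seen on an outbound
    port-6667 flow opens an inbound pinhole to <ip>:<port>. It never checks
    that the bytes are IRC, so an HTTP POST with the same text is treated
    exactly like a real client's DCC offer (the weakness in the article)."""
    m = DCC_OFFER.search(stream)
    if not m:
        return None
    ip = str(ipaddress.IPv4Address(int(m.group(1))))
    return ip, int(m.group(2))


def strict_alg_pinhole(stream: bytes, client_ip: str):
    """Hardened model: honor a DCC offer only when the flow looks like a real
    IRC session (CRLF-delimited lines, NICK/USER registration seen first,
    offer sent inside a PRIVMSG) and the advertised address is the client's
    own. Anything shaped like an HTTP request is refused outright."""
    if stream.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ")):
        return None
    registered = False
    for line in stream.split(b"\r\n"):
        if line.startswith((b"NICK ", b"USER ")):
            registered = True
            continue
        if not registered or not line.startswith(b"PRIVMSG "):
            continue
        m = DCC_OFFER.search(line)
        if m and str(ipaddress.IPv4Address(int(m.group(1)))) == client_ip:
            return client_ip, int(m.group(2))
    return None


# Constructed sample: what the router sees when a browser submits a hidden
# form field to port 6667. The field value mimics a DCC offer that points at
# the victim's own LAN address (192.168.1.101 == 3232235877) and port 21.
BROWSER_POST = (
    b"POST / HTTP/1.1\r\nHost: attacker.example:6667\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"x=PRIVMSG #c :DCC CHAT chat 3232235877 21\r\n"
)
# Constructed sample of a genuine IRC client offering a DCC chat on port 5000.
REAL_IRC = (b"NICK alice\r\nUSER alice 0 * :alice\r\n"
            b"PRIVMSG bob :\x01DCC CHAT chat 3232235877 5000\x01\r\n")
```

The permissive model returns a pinhole to 192.168.1.101:21 for the browser POST, while the strict model refuses it and still opens the pinhole for the genuine IRC session.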

Source: The Register

Attack on InterNetX’s DNS servers


The H has a report that InterNetX’s DNS servers were taken down Wednesday by a severe DDoS attack.

Around 1 PM CET on Wednesday, domains hosted at InterNetX were difficult, if not impossible, to reach. The host has since added technical filters to mitigate the effect of the attacks; the service is now basically back up and running. Sometime today, the firm hopes to make public details of the attack.

Since 2004, InterNetX has been a part of the United Internet Holding. The firm says that it currently hosts some 2.9 million domains in addition to Schlundtech’s domain reselling business. A spokesperson from 1&1 said the problem did not affect other domains hosted by providers within United Internet, such as 1&1 and GMX. InterNetX’s DNS servers were also under a massive DDoS attack at the end of 2008.

Source: The H Online