May 17, 2012

Global Intelligence Company Hit by Anonymous. Or Was it?

(LiveHacking.Com) – The hacking group known as Anonymous says it has stolen emails, passwords and credit card information from the Texas-based security think-tank Strategic Forecasting, Inc. (Stratfor). According to the BBC, an alleged member of Anonymous posted an online message claiming that the group had used Stratfor clients’ credit card details to make “over a million dollars” in donations to different charities.

Stratfor’s website was defaced with the message “merry lulzxmas! are you ready for a week of mayhem? H0h0h0h0h0.” In response Stratfor took down its website and suspended email processing. The company, which provides independent analysis of international affairs and security threats, sent an e-mail Sunday to subscribers:

“On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.”

However, in a bizarre twist, another posting appeared from Anonymous saying that “hackers claiming to be Anonymous have distorted this truth in order to further their hidden agenda”.

“The leaked client list represents subscribers to a daily publication which is the primary service of Stratfor. Stratfor analysts are widely considered to be extremely unbiased. Anonymous does not attack media sources” said Anonymous via an emergency Christmas Anonymous press release.

Facebook Scams with Chrome and Firefox Plugins

Picture Source: Websense security labs

(LiveHacking.Com) – Security researchers at Websense® have discovered new Facebook scams.

According to the report published by Websense®, the attacker is using social engineering tricks, such as an engaging video or the offer of a free voucher, to lure victims to the scam pages. The victims are then asked to install a browser plugin. Once installed, the plugin uses a malicious script and the Facebook API to post the scam to the victim’s friends’ pages.

According to the Websense® researchers, at the moment, only Chrome and Firefox plugins are being used.

More information is available at Websense® Security Blog.

Critical Vulnerability in TYPO3 Core: Remote Code Execution

(LiveHacking.Com) – The TYPO3 development team has issued a warning about a critical vulnerability in the TYPO3 content management system.

According to TYPO3 security bulletins, a crafted request to a vulnerable TYPO3 installation will allow an attacker to load PHP code from an external source and to execute it on the TYPO3 installation. The security issue is due to insufficient validation of the AbstractController.php file’s BACK_PATH parameter that leads to remote code execution.

With reference to the TYPO3 security advisory, a vulnerable system will meet all of the following conditions:

  1. TYPO3 version 4.5.0 up to 4.5.8, 4.6.0 or 4.6.1 (+ development releases of 4.7 branch).
  2. The following PHP configuration variables set to “on”: register_globals (“off” by default, and advised to be “off” in the TYPO3 Security Guide), allow_url_include (“off” by default) and allow_url_fopen (“on” by default).

The following solutions have been advised by the TYPO3 security advisory:

  1. Update to TYPO3 version 4.5.9 or 4.6.2, which fixes the problem described.
  2. Set at least one of the following PHP configuration variables to “off”: register_globals, allow_url_include and allow_url_fopen.
  3. Apply the security patch.
  4. Set up a mod_security rule: SecRule ARGS:BACK_PATH "^(https?|ftp)" "deny".

Please view the TYPO3 security advisory for more information.
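As an added example (not code from the advisory or from TYPO3), the following Python puts the advisory's two condition lists and its mod_security rule into checkable form: a test of whether a given version plus php.ini combination meets every condition, and a scan of web-server access-log lines for a BACK_PATH argument beginning with a remote URL scheme. The log lines and request paths are constructed for the example, and only query-string arguments are visible in an access log (the mod_security rule also covers POST bodies).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected versions per the advisory: 4.5.0-4.5.8, 4.6.0, 4.6.1 and 4.7 development releases.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")

def version_is_affected(version):
    m = _VERSION.match(version.strip())
    if not m:
        return False
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4)  # non-empty on pre-releases, e.g. "-dev" or "beta1"
    if (major, minor) == (4, 7):
        return bool(suffix)  # only 4.7 development releases are listed
    return (4, 5, 0) <= (major, minor, patch) <= (4, 5, 8) or (major, minor, patch) in ((4, 6, 0), (4, 6, 1))

def config_is_exploitable(version, ini):
    """All conditions must hold together: an affected version AND all three PHP
    settings on. Turning any one of them off is itself a listed mitigation."""
    flags = ("register_globals", "allow_url_include", "allow_url_fopen")
    all_on = all(str(ini.get(k, "off")).lower() in ("on", "1", "true") for k in flags)
    return version_is_affected(version) and all_on

# Equivalent of the advisory's rule:  SecRule ARGS:BACK_PATH "^(https?|ftp)" "deny"
# (matched case-insensitively here, as PHP stream wrappers are)
_REMOTE_SCHEME = re.compile(r"^(https?|ftp)", re.IGNORECASE)

def back_path_is_remote(request_target):
    """True if any BACK_PATH query argument starts with a remote URL scheme."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get("BACK_PATH", [])
    return any(_REMOTE_SCHEME.match(v.lstrip()) for v in values)

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def flag_requests(access_log_lines):
    """Return the access-log lines whose request target carries a remote BACK_PATH."""
    hits = []
    for line in access_log_lines:
        m = _REQUEST.search(line)
        if m and back_path_is_remote(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines for this example (not taken from the original page).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/May/2012:10:00:01 +0000] "GET /typo3/index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/May/2012:10:00:02 +0000] "GET /typo3/index.php?BACK_PATH=../ HTTP/1.1" 200 640',
    '198.51.100.7 - - [17/May/2012:10:00:03 +0000] "GET /typo3/index.php?BACK_PATH=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 200 128',
]
```

Running flag_requests(SAMPLE_LOG) returns only the third line; a hit on a host whose configuration also satisfies config_is_exploitable is the case the advisory's patch or php.ini changes are meant to close.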

Non-updated Versions of TimThumb Still Causing Problems for WordPress

(LiveHacking.Com) - Nearly three months ago it was discovered that TimThumb, a PHP script used in many popular WordPress themes, contains a vulnerability that allows a remote attacker to upload arbitrary PHP code to an affected site.

By crafting a special image file with a valid MIME type and appending a PHP file to the end of it, it is possible to fool TimThumb into believing that the file is a legitimate image, so that it caches the file locally in its cache directory.
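As an added example (not code from TimThumb, AVAST or the original article), the following Python is a defender-side check for the image/PHP polyglot shape just described: it walks a cache directory and reports any file that carries a recognised image header but also contains a PHP open tag. The magic-byte table and the sample GIF bytes are constructed for this example.

```python
import os

# Leading bytes of the image formats a thumbnailer would accept (assumed set for this example).
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}
# PHP open tags; a real image has no business containing any of them.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")

def image_type(data):
    """Name of the image format whose header the data starts with, or None."""
    for name, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None

def find_php_tag(data):
    """Offset of the earliest PHP open tag in the data, or -1 if there is none."""
    offsets = [o for o in (data.find(m) for m in PHP_MARKERS) if o != -1]
    return min(offsets) if offsets else -1

def scan_cache_dir(path):
    """Report (file, image format or None, tag offset) for every file in the cache
    directory that contains a PHP open tag. A valid image header plus a PHP tag
    is the polyglot described above; a PHP tag at offset 0 is a plain PHP file
    that should not be in an image cache either."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            off = find_php_tag(data)
            if off != -1:
                findings.append((full, image_type(data), off))
    return findings

# Constructed samples: a minimal 1x1 GIF, and the same bytes with PHP text appended.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
             b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = CLEAN_GIF + b"<?php /* placeholder text, not a real payload */ ?>"
```

A PHP tag inside an image's metadata (an EXIF comment, say) is flagged as well, which is the conservative outcome for a directory the web server will serve.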

Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections that are exploiting non-updated versions of TimThumb.

Researchers from AVAST were contacted in relation to the blog theJournal.fr, the online site for The Poitou-Charentes Journal, which had been infected. According to AVAST, the Poitou-Charentes Journal is just one part of a much bigger attack.

The compromised sites were infected with the Blackhole Toolkit, a set of malware tools available on the black market for around $1500. AVAST have spotted 151,000 hits to one of the locations to which this exploit redirects users. AVAST estimates that anywhere up to 3,500 sites have been infected.

More details about the surge in infections can be found here, and details of the Blackhole Toolkit can be found on AVAST’s blog here.

Disturbing Number of Cyber-attacks Aimed at UK

(LiveHacking.Com) - Iain Lobban, director of the UK Government Communications Headquarters (GCHQ) has reported that a “significant but unsuccessful” cyber-attack was made on the Foreign Office and other government departments this summer.

Originally writing in the UK newspaper The Times, the director of the government’s listening centre said that the “disturbing” number of cyber-attacks on the government, industry and private individuals was a threat to the “continued economic wellbeing” of the UK.

“I can attest to attempts to steal British ideas and designs – in the IT, technology, defence, engineering and energy sectors, as well as other industries – to gain commercial advantage or to profit from secret knowledge of contractual arrangements,” said Lobban. “Such intellectual property theft doesn’t just cost the companies concerned. It represents an attack on the UK’s continued economic wellbeing.”

Lobban’s article was published to coincide with the London Cyber Conference, which starts today (Nov 1) in London. The conference is hosted by British Foreign Secretary William Hague, and it was planned that Hillary Clinton would speak at the conference. However, she has had to cancel as her mother has fallen ill. Mr Hague tweeted earlier today that:

Very sorry that #SecClinton won’t be able to attend #LondonCyber today. My best wishes to her and her family at this time

The cyber-attacks on the UK targeted sensitive data on government computers, along with defence, technology and engineering firms’ designs.

Lobban also added: “Criminals are using cyberspace to extort money and steal identities, as well as exploit the vulnerable. Increasingly sophisticated techniques target individuals. We are witnessing the development of a global criminal market place – a parallel black economy where cyber dollars are traded in exchange for UK citizens’ credit card details. Tackling cyber crime matters and it is a very real threat to our prosperity.”

SQL injection Attack Hits Over 1 Million ASP.NET Pages (and Counting)

(LiveHacking.Com) - An SQL injection attack that infects web pages and causes drive-by downloads of malware is spreading rampantly. Reported last week by Armorize, the SQL injection attack, which targets ASP.NET sites, had infected some 180,000 pages. The Register reported on Friday that this number had grown to over 600,000. Now, according to Google search, the number of infected web pages is over 1,000,000.

Infected sites carry invisible links to sites including jjghui.com and nbnjkl.com. These sites in turn redirect to several other websites, including www3.strongdefenseiz.in and www2.safetosecurity.rr.nu, that include hidden code to exploit known vulnerabilities in Adobe PDF, Adobe Flash or Java. Any PC with unpatched versions of these programs will most likely become infected with malware. Servers used in the attack have IP addresses based in the US and Russia.

This current round of SQL injection attacks seems to be similar to the LizaMoon attacks, which appeared in March and April of this year. The security company Sucuri has noted that the registration information for the domains used in this attack is the same as that used for the earlier LizaMoon domains:

Technical Contact:
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

One thing worth noting is that at the time of the LizaMoon attacks Google mentioned that:

“Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”

Sites can be scanned to make sure they are clean (or not) at http://sitecheck.sucuri.net

MySQL.com Hacked To Serve Up Malware

(LiveHacking.Com) – MySQL.com was hacked yesterday to redirect users to a site that downloaded and executed malicious code on the visitor’s Windows computer without any user interaction. The site has since been cleaned up and is now working normally.

According to Armorize, who first reported the problem, the hack used a combination of JavaScript and iframes to send the user to truruhfhqnviaosdpruejeslsuy.cx.cc, a domain specifically created to spread the malware. From there the hacker used the BlackHole Toolkit to infect the visitor’s Windows PC with malware without the visitor’s knowledge. The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform resulted in an infection.

The BlackHole Toolkit attempts to exploit a large number of weaknesses on the visitor’s computer, including the browser and browser plugins such as Adobe Flash, Adobe PDF and Java. Any visitor with an out-of-date browser, or any unknown (zero-day) exploit, will allow the toolkit to infect the PC.

It is estimated that MySQL.com receives almost 12 million visitors a month (nearly 400,000 a day), meaning that there was a large number of potential victims whilst the site was infected.

MySQL.com was also attacked in March, when hackers “TinKode” and “NeOh” took credit for exploiting a SQL injection flaw. As a result they posted a list of usernames and passwords online.


Linux Foundation Security Breach

(LiveHacking.Com) - The Linux Foundation has suffered a security breach on its Linux.com and LinuxFoundation.org websites. On September 8, 2011, it discovered a security breach that may have compromised the username, password, email address and other information of Linux.com users. The Linux Foundation thinks this latest breach is connected to the recent intrusion on kernel.org.

The Linux Foundation has sent emails to its users where it says:

You should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately.

The Linux Foundation, a non-profit organization set up to promote the growth of Linux, is currently auditing all its systems and has taken all its servers offline to do complete re-installs. The various Linux Foundation services will be put back up as they become available.

The Linux Foundation takes the security of its infrastructure and that of its members extremely seriously and is pursuing all avenues to investigate this attack and prevent future ones.

Microsoft Follows Mozilla and Google and Revokes All DigiNotar Certificates

(LiveHacking.Com) - Following in the footsteps of Google and Mozilla, Microsoft has revoked all of DigiNotar’s root certificates and issued a Windows update:

  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie – G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven

The update is available for all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2) and increases the number of revoked certificates from two to five.

In a perfect world Microsoft would just rely on its Microsoft Certificate Trust List to validate the trust of a certification authority. However Windows XP and Windows Server 2003 do not use the Microsoft Certificate Trust List and as a result, an update is needed for all editions of Windows XP and Windows Server 2003 to protect customers.

Interestingly, the update also changes IE’s behaviour in that users are no longer just presented with a warning about any certificates issued by DigiNotar, but they are prevented from accessing sites completely.

In order to protect customers more comprehensively against possible man-in-the-middle attacks, Microsoft is releasing an update that takes additional measures to protect customers by completely preventing Internet Explorer users from accessing resources of Web sites that contained certificates signed by the untrusted DigiNotar root certificates. Internet Explorer users who apply this update will be presented with an error message when trying to access a Web site that has been signed by either of the above DigiNotar root certificates. These users will not be able to continue to access the Web site.

GlobalSign Temporarily Halts Issuing Digital Certificates

(LiveHacking.Com) - GlobalSign, the world’s fifth largest certificate issuer, has temporarily halted the issuance of all digital certificates following a claim that the same hacker responsible for the recent DigiNotar hack has access to four other Certificate Authorities, and named GlobalSign as one of them.

A statement on the GlobalSign web site reads:

GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible.

We apologize for any inconvenience.

This is a wise move by GlobalSign, and it seems it doesn’t want to repeat the mistakes that DigiNotar made. One of the reasons DigiNotar lost its trusted status was its failure to notify companies like Mozilla that fraudulent certificates had been issued for their domains. The cost of its attempt to hide the security breach was that it effectively went out of business.

The hacker also claimed in his posting that:

I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google’s cert, I have code signing privilege! You see?

The hacker also says that he has targeted DigiNotar for a specific reason:

Dutch government is paying what they did 16 years ago about Srebrenica…