June 18, 2013

Two machines attacked within the FreeBSD.org cluster

(LiveHacking.Com) – Just over a week ago the FreeBSD team detected an intrusion on two of its machines in the FreeBSD.org cluster. As a result the affected machines were taken offline while the team investigated. As a precaution, most of the remaining infrastructure machines were also taken offline. The investigation has revealed that the compromise occurred due to a leaked SSH key. No vulnerability or code exploit within FreeBSD was found. However, the most alarming finding is that the attack and subsequent compromise may have occurred as early as the 19th September 2012.

FreeBSD is divided into two segments: the “base”, which includes the kernel, the system libraries, the compiler, and the core command-line tools and daemons; and the “packages”, which are the third-party components distributed as part of the overall FreeBSD system. According to the security advisory published by the FreeBSD team, “no part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way. However, the attacker had access sufficient to potentially allow the compromise of third-party packages.”

The investigation has concluded that although the attacker had sufficient access to compromise the third-party packages, no evidence has been found that any packages were modified. But the FreeBSD team is taking an extremely conservative view and is working on the assumption that packages generated and distributed between the 19th September and 11th November 2012 could theoretically have been modified.

Who’s affected?

You have no reason to worry if:

  • you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012.
  • you rely on the Source, Ports and Documentation Subversion repositories to make updates.
  • you use the freebsd-update binary upgrade mechanism (it uses an entirely separate infrastructure).

However, for everyone else the FreeBSD project cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Those affected should re-install any such machines from scratch, using trusted sources.

The package set built for the upcoming 9.1-RELEASE has been deleted, and will be rebuilt from source before 9.1 is released. With regards to the cluster machines, all suspect machines are being either reinstalled, retired, or thoroughly audited before being brought back online.

Adobe’s internal build server hacked, needs to revoke certificate

(LiveHacking.Com) – Adobe has discovered that its internal code signing infrastructure was breached and used to sign two malicious programs to make them appear to be genuine Adobe files. The security breach happened back in July and, as a result, Adobe will revoke the certificate for all software code signed after July 10, 2012. This will happen on October 4th; in the meantime Adobe is in the process of issuing updates signed using a new digital certificate for all affected products.

Once the breach was discovered and the signatures verified, Adobe immediately decommissioned its existing code signing infrastructure and initiated a forensics investigation to determine how the signatures were created.

The first of the two malicious files signed with Adobe’s certificate is called pwdump7 v7.1; it extracts password hashes from the Windows OS. The second malicious utility, myGeeksmail.dll, is thought to be a malicious ISAPI filter. However, it does not appear to be publicly available.

“Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk,” wrote Adobe security chief Brad Arkin.

The revocation of the certificate affects only the Windows platform and three Adobe AIR applications (Adobe Muse, Adobe Story AIR applications and Acrobat.com desktop services). The revocation does not impact any other Adobe software for Macintosh or other platforms. Adobe has informed its partners of the incident, including participants in the Microsoft Active Protections Program (MAPP), who have received samples of the falsely signed programs.

The hacked server

Adobe has identified a compromised build server that required access to the code signing service as part of the build process. However, the compromised server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service. During its initial investigation, Adobe discovered malware on the server and the probable mechanism used to gain access.

“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” added Arkin. “The build server had no access to Adobe source code for any other products and specifically did not have access to any of Adobe’s ubiquitous desktop runtimes such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR.”

VMWare ESX Source Code Stolen – Starts to Leak onto Internet

(LiveHacking.Com) – VMware has confirmed that the source code for its ESX hypervisor has been stolen and portions of it are starting to appear on the Internet. Iain Mulholland, the Director of the VMware Security Response Center, wrote that they are “aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.”

The hacker, known as Hardcore Charlie, is claiming that the code was stolen from the military contractor China National Import & Export Corp (CEIEC); however, CEIEC says that such claims are “totally groundless, highly subjective and defamatory.”

“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” added Iain Mulholland. In the same blog post VMware acknowledged that it shares its source code and interfaces with other companies, which seems to lend credence to Hardcore Charlie’s claims about the CEIEC breach.

The header file (vmkemit.h) posted by the hacker carries a 1998 copyright date stamp and lists a set of code emission macros for base x86 architecture used by vmkernel.

Hardcore Charlie published the code in a rather incoherent posting to pastebin that also talks about alleged collusion between CEIEC and Western military and terrorist organisations: “we want to make it clear that CEIEC is engaged in a criminal activity with Ukraine and Russian officials as of supplying Ukraine and Russia with US army information for the terrorists.”

The hacker has also threatened to release the source code for EMC.

Global Payments Says 1.5M Card Details Exposed in Unauthorized System Access

(LiveHacking.Com) – Over the weekend VISA and MasterCard started alerting banks across the USA about a major security breach at a credit card processor. Initial reports said that as many as 10 million credit card numbers were exported, including Track 1 and Track 2 information, raising fears of massive credit card cloning. Shortly after the news broke, Atlanta-based processor Global Payments confirmed, via a press release, that it was the payment processor which had suffered the unauthorized access into its processing system.

The company says that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers (not 10,000,000 as initially reported). Its investigation has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals.

“We are making rapid progress toward bringing this issue to a close. Our nearly 4,000 employees around the world are focused on providing exceptional service. We are open for business and continue to process transactions for all of the card brands,” said Chairman and CEO Paul R. Garcia.

Security expert Brian Krebs was one of the first to reveal details of the breach on his blog, but initially he was unable to name Global Payments as the victim. VISA has now dropped support for Global Payments and added that “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.”

PSCU, which provides online financial services to credit unions, issued a security alert to its members after it was contacted by Visa. The alert reported that 46,194 of the compromised Visa card numbers belonged to PSCU customers, and that the breach lasted from Jan. 21 to Feb. 25.

Since Track 1 and Track 2 data was exposed, the thieves could use the stolen information to counterfeit new cards. For an explanation of the meaning of Track 1 and Track 2 data see here.

The origin of the attack is, as yet, unknown.

Verizon Issued an Annual Report on Data Breaches

Default-configuration and misconfiguration attacks are common types of attack used by hackers. In these attacks the hackers do not exploit software or hardware vulnerabilities.

Jeremy Kirk from Computerworld has an interesting article about Verizon's new study of the security breaches of 2009.

This year, for its annual report on data breaches, Verizon had access to statistics from investigations conducted by the U.S. Secret Service. These statistics covered 141 cases involving 143 million records for 2009.

Read the full article at Computerworld.