Plan B

The Daily WTF has a good story that may sound a little too familiar to some:

How the aptly-named Super Hacker had managed to shut down the system remotely and provide a fix so quickly intrigued Kiefer. After poking around the network, he finally found the Python file that contained the Super Hacker’s fix:
#!/usr/bin/python
# Paying someone $10 to pull a power cord for $3500
print "(C) [Name Removed] 2008."

The moral of the story: when all else fails, use social engineering.

Q: THC PPTP Bruter

Once again - another security question from our readers to the security experts who read this blog:

I ran across your site looking for information regarding the security of PPTP. I then found the PPTP bruter program from THC. I am a small business owner. I am a VAR (value added reseller) of POS (point of sale) equipment. My POS equipment is usually Windows PCs running POS software. I install a SOHO router that is also a PPTP endpoint so I can VPN in and remotely administer my clients’ systems.

I’m trying to find out how easy it would be for someone to hack my PPTP endpoint. Can you help me figure out how to test my router?

Thanks,

K. L.
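A defender-side check that fits this question, added here as an example (it is not part of the reader's question, and the blog gave no code): an online guessing tool against a PPTP endpoint has to open one control connection per attempt, so the router's or pptpd's log shows a burst of control-connection starts from one address. The script below counts those starts per client IP in a sliding window and flags sources over a threshold. The log line format is an assumption loosely modelled on pptpd's syslog output; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for a pptpd control-connection start line. The format is an assumption loosely
# modelled on pptpd's syslog output; adjust it to what your router actually logs.
START_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pptpd\[\d+\]: "
    r"CTRL: Client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) control connection started"
)


def parse_connection_starts(log_text, year=2008):
    """Return {client_ip: [timestamps]} for every control-connection start in the log."""
    starts = defaultdict(list)
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if not m:
            continue  # pppd lines, finished connections, anything else: ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        starts[m.group("ip")].append(ts)
    return starts


def find_bruteforce_sources(log_text, threshold=10, window=timedelta(seconds=60)):
    """Flag client IPs that opened >= threshold control connections inside any sliding window.
    Returns {ip: peak_connections_in_one_window}."""
    suspects = {}
    for ip, times in parse_connection_starts(log_text).items():
        times.sort()
        left = 0
        peak = 0
        for right, t in enumerate(times):
            while t - times[left] > window:   # slide the window's left edge forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            suspects[ip] = peak
    return suspects


def _synthetic_starts(ip, first_second, count, step):
    """Build `count` constructed start lines from one client, `step` seconds apart."""
    return [
        f"Mar 11 10:00:{first_second + i * step:02d} soho pptpd[{2000 + i}]: "
        f"CTRL: Client {ip} control connection started"
        for i in range(count)
    ]


# Constructed sample log: 12 connections in 22 seconds from one address (the guessing pattern),
# two widely spaced connections from a legitimate user, and pppd noise the parser ignores.
SAMPLE_LOG = "\n".join(
    _synthetic_starts("203.0.113.7", 1, 12, 2)
    + [
        "Mar 11 10:00:05 soho pppd[2100]: CHAP authentication failed",
        "Mar 11 10:00:30 soho pptpd[2200]: CTRL: Client 198.51.100.5 control connection started",
        "Mar 11 10:02:30 soho pptpd[2201]: CTRL: Client 198.51.100.5 control connection started",
    ]
)

if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))  # {'203.0.113.7': 12}
```

Run it against a real log export to see whether the thresholds suit the endpoint: a SOHO router serving one administrator should rarely see more than a handful of control connections per minute from a single address, so a low threshold is reasonable there.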

A new WMF attack looming?

It appears that a new WMF attack is coming. As you may recall, about a year ago a WMF vulnerability was used on several high-profile sites to infect visitors, and this now appears to be starting again.

The first sign of this is the appearance of exploits for the vulnerability, starting with version-specific ones and evolving into a generic one.

The second sign is web sites being infected with hidden iframes that redirect to JavaScript code which is, at the moment, dormant or refers to non-existent domains.

In the last stage, those scripts get modified, or the non-existent domains are registered and start resolving, and you have an infection on your hands.

It is time to start your vulnerability assessment engines: make sure all your Windows-based machines are tested, verify that your web site passes a web site audit, and lastly stay updated as this news item evolves.
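The second sign above, a hidden iframe injected into a legitimate page, is something a web site audit can look for directly. The following is an added example (not code from this blog or from any vendor mentioned): it parses HTML with the standard library and reports every iframe that is sized to nothing or hidden by CSS. The sample page and its domains are constructed, and the off-screen threshold in the style regex is my assumption.

```python
import re
from html.parser import HTMLParser

# Style fragments that make an iframe invisible: display:none, visibility:hidden, or an
# absolute position pushed far off-screen (the three-digit threshold is an assumption).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)


class HiddenIframeFinder(HTMLParser):
    """Collect (src, reason) for every <iframe> that is sized to nothing or hidden by CSS."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            # accept "0", "1", "0px"; anything else (missing, "100%") is not suspicious by size
            m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", a.get(dim, "-"))
            if m and int(m.group(1)) <= 1:
                reasons.append(f"{dim}={m.group(1)}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((a.get("src", ""), ", ".join(reasons)))


def find_hidden_iframes(html):
    """Return a list of (src, reason) tuples for the hidden iframes in `html`."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate embed and three injected iframes of the kind the post describes.
SAMPLE_PAGE = """
<html><body>
<h1>Shop</h1>
<iframe src="http://video.example.com/player" width="640" height="360"></iframe>
<iframe src="http://evil.example/in.js" width="0" height="0"></iframe>
<iframe src="http://evil.example/counter.php" style="display:none"></iframe>
<IFRAME SRC="http://evil.example/x.html" STYLE="position:absolute;left:-9999px;top:0"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_PAGE):
        print(f"{src}  <- {why}")
```

A finding is a lead, not a verdict: the next step is to fetch the iframe's src from a safe analysis host and compare the page against a known-good copy, since a dormant script or a domain that does not resolve yet is exactly the early stage the post describes.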

State of targeted attacks - criminals exploiting Excel vuln during two months

It’s time to look at the recent state of targeted attacks. As we already know, the main attack vector in these attacks is a Microsoft Office attachment. There are not many organizations that can simply filter .DOC, .XLS and .PPT files.
In mid-January Microsoft confirmed that a new, previously unknown Excel vulnerability was being used in targeted attacks. On Monday this week US-CERT issued a warning about a new wave of exploitation. This extremely critical vulnerability, rated ‘10.0’ on the CVSS scale by the way, was known as the header information code execution vulnerability.
The fix is included in today’s Excel bulletin MS08-014. However, Microsoft now says the following:

What causes the vulnerability?

Microsoft Excel does not properly validate macro information when loading specially crafted Excel files.

In January we had only very small pieces of information about this vulnerability and the Trojan exploiting it.

Information about the characteristics of these targeted attacks can be read in my FAQ documents.

Password: Impossible

My bank forced me to change the login password again; they claim it’s an automated procedure that happens every 90 days, but I know that it actually waits for me to remember the password and then immediately forces me to change it.

When I went in to change it, I was reminded of the draconian rules: it has to be at least 6 characters, with at least 2 numbers and at least 2 uppercase and 2 lowercase letters. These guys went to the security-by-obstruction school, no doubt.

I decided to fight back. As I finally got around to remembering this awkward, strange password I had to pick 90 days ago, I decided I’m staying with it. So I changed it to something else, which I had to write on a piece of paper for fear of forgetting it within 30 seconds (if you saw Memento, that movie is about me. And I try to always order beers in bottles since seeing it), and I then went to the ‘change password’ section to change it back to my awkward-but-conditioned-to-memory password.

Naturally, the bank was trying to set me straight. “You can’t change back to any of your last 5 passwords” it told me with a grinning smile, giving me the solution right there. As you can undoubtedly guess, I returned the favor by changing the password 5 times to different things and then changed it back to my old one. I win. Next round in 3 months.

People will always outsmart security systems that try to force them into making the ‘right’ decision. What I’ve done today (and I’m quite proud of it, thank you) is being done every day by people who use their CD-ROMs as coffee trays and have never used any program that didn’t automatically run when double clicking an icon.

But here’s what is really bothering me: What exactly is the attack scenario here? I would like to see the statistics that show how many attackers actually manage to capture a username and password and only fail because they try to use it after 90 days. While these huge numbers are crunched, please put on the Y-axis how many attackers found the password on a post-it stuck to the monitor because the password is so complicated to remember.

Or maybe so many attackers brute force the password, obviously hundreds of millions of times every day for a single account, since there is a clear and immediate need for a long and complicated password (BTW, if this attack is possible, someone should tell me how to do it. I’ve been locked out a few times for failing to type the password correctly within a few guesses. I need a few guesses because I didn’t remember which was the current password, which, as you remember, changes every 90 days).

Being the cynic that I am, and having read enough security policy documents, I can guess why the password policy is the way it is: it’s easy to explain and justify, and it makes sense when shown in a PowerPoint slideshow. I once heard from a high-profile organization that due to a successful break-in to their network they decided to tighten up security: all passwords now had to be 9 characters instead of 8. I’m guessing someone was promoted for this genius action, and there’s still enough room to increase it further when the next break-in comes (now that’s thinking ahead).

How is a complex password policy bad? Let me count the ways: it makes your user your enemy instead of your ally. It distracts the security people from the real threat. It gives a false sense of security. It encourages your users to find flaws in your security system and use them. What else? I had more, but somebody just came in the door and I forgot.
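The five-changes-then-back trick works because the history check only remembers the last five passwords and nothing stops the changes from being made a minute apart. The following is an added example, not code from the bank or from this blog: it models the stated rules (6 characters, 2 digits, 2 uppercase, 2 lowercase, no reuse of the last 5), reproduces the trick, and then shows the one extra control that closes it, a minimum password age, which is my addition and not something the bank's policy is said to have. The passwords used are constructed throwaways.

```python
from datetime import datetime, timedelta


def complexity_ok(pw):
    """The bank's stated rule: >= 6 chars with >= 2 digits, >= 2 uppercase and >= 2 lowercase."""
    return (len(pw) >= 6
            and sum(c.isdigit() for c in pw) >= 2
            and sum(c.isupper() for c in pw) >= 2
            and sum(c.islower() for c in pw) >= 2)


class Account:
    def __init__(self, password, changed_at):
        self.history = [password]   # oldest first; the last entry is the current password
        self.changed_at = changed_at


def change_password(acct, new_pw, now, history_size=5, min_age=timedelta(0)):
    """Apply the policy; returns (accepted, reason).
    min_age is the extra control (assumed, not the bank's): a change is refused if the
    current password is younger than min_age, so the history cannot be flushed in one sitting."""
    if not complexity_ok(new_pw):
        return False, "complexity"
    if new_pw in acct.history[-history_size:]:
        return False, "reuse"
    if now - acct.changed_at < min_age:
        return False, "min age"
    acct.history.append(new_pw)
    acct.changed_at = now
    return True, "ok"


FILLERS = ["Ab12Cd", "Ef34Gh", "Ij56Kl", "Mn78Op", "Qr90St"]   # constructed throwaway passwords


def cycle_back(old, fillers, min_age=timedelta(0), step=timedelta(minutes=1)):
    """Change to each filler in turn, then try to set `old` again; returns the final verdict."""
    now = datetime(2008, 3, 11, 9, 0)
    acct = Account(old, now - timedelta(days=90))   # the last forced change was 90 days ago
    for filler in fillers:
        now += step
        ok, why = change_password(acct, filler, now, min_age=min_age)
        if not ok:
            return False, why
    now += step
    return change_password(acct, old, now, min_age=min_age)


if __name__ == "__main__":
    print(cycle_back("Xq7Kp2w", FILLERS))                             # (True, 'ok')
    print(cycle_back("Xq7Kp2w", FILLERS[:4]))                         # (False, 'reuse')
    print(cycle_back("Xq7Kp2w", FILLERS, min_age=timedelta(days=1)))  # (False, 'min age')
```

With a one-day minimum age the second filler change is refused, so flushing a five-entry history takes five days of deliberate effort rather than five minutes. Whether that is worth the extra friction is exactly the trade-off the post is complaining about.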

Remote-control device - the new gun of bank robbers

Bank robbers have found a very interesting technique.

From The Local article Police thwart remote-control bank heist:

Surprised last August to suddenly see his computer cursor moving on its own, the employee at the Knivsta branch of Swedbank, north of Stockholm, “discovered a cable connected to his computer linked to a remote control device fastened under his desk,” local police spokesman Christer Nordström told AFP.

The employee quickly pulled the plug, interrupting a transfer of several hundred million kronor, Nordström said.

And how did they manage to install this remote-control device? According to news sources, during a break-in before the incident; no money had been stolen from the bank during that break-in.

A comment posted to Technocrat.net points to another interesting case (from a CIO Update article), confirmed as a keylogger case:

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel.

Swedbank is the leading bank in Sweden, Estonia, Latvia and Lithuania with more than 21,700 employees serving 9 million private and 480,000 corporate customers.

Top Ten Web Hacks of 2007 results are out

The Top Ten Web Hacks of 2007 list has been released by Jeremiah Grossman.

Link to Jeremiah’s post: Top Ten Web Hacks of 2007 (Official)

Various XSS issues, possibilities of firefoxurl vulnerabilities, dangers of opening PDFs, etc.

Happy clicking!

My name is Zango, I am spyware and I found Facebook applications

The first spyware spreading via a Facebook application has been discovered. Security company Fortinet reports that an application called Secret Crush is installing Zango (aka AdWare.Win32.180Solution) via an iframe, technically from ZangoCash.com.

In short, this is the spreading mechanism:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using “Secret Crush” (this happens frequently with Facebook’s Platform Application). [Figure 2] exhibits the social engineering speech employed by the malicious widget to get the user to install it.

The text included in the request entry is “One of Your Friends Might Have a Crush on You!”. Additionally, the buttons are ‘Find Out Who!’ and the typical ‘Ignore’.
It appears that Secret Crush is no longer included in the Facebook Application Directory (no log-in needed). Reportedly the FortiGuard team has informed Facebook, and the application has probably been disabled already.

Update 4th Jan: The application mentioned is located here (renamed to My Admirer), is still accessible and has “50,708 daily active users i.e. 4% of total”.

The exact number of affected users is not available.

Cryptome: NSA has real-time access to Hushmail servers

A frequent source, ‘A’, who sends updated NSA-affiliated IP resources to Cryptome’s web site, has reported the following new information:

Certain privacy/full session SSL email hosting services have been purchased/changed operational control by NSA and affiliates within the past few months, through private intermediary entities.

Reportedly the following services are controlled:

Hushmail - based in Canada,
Guardster - based in USA,
and
SAFe-mail.net - based in Israel.

Link here: NSA Controls SSL Email Hosting Services

Update 22nd Dec: The Guardster team posted its response to Cryptome on 21st Dec:

We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.
….

The response from the Safe-mail.net team (24th Dec) is the following:

1. We never had any contacts, direct or indirect, with the NSA or any other
government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party.
….

Update 30th Dec: The Hushmail team posted its response to Cryptome’s web site yesterday:

Hush Communications Corporation, the company that provides the Hushmail.com email service, is not owned, wholly or in part, by any government agency.

Additionally, ‘More info on industry Windows security software’ has been released:

Zone Alarm, Symantec, MacAfee: All facilitate Microsoft’s NSA-controlled remote admin access via IP/TCP ports 1024 through 1030; ie will allow access without security flag. Unknown whether or not software port forward routing by these same programs will defeat NSA access.

The post released on Cryptome.org on 1st Nov announced future updates with details related to this issue, and this is the first piece of that information.

To the new readers: Cryptome: NSA has access to Windows Mobile smartphones

New Security Threats & Solutions

Recently the security industry has found new hybrid viruses which top anything previously known. They are saying that virus producers now are almost like a terrorist group: they have funding, they have research and development teams, etc. It should be expected really, as there are obviously hate groups all over, particularly Muslim I guess, and they are willing to blow themselves up just to attack the West.

What do these hybrid viruses do? 

One such virus, found in 2007, was named “Storm”, and has been called a worm and a Trojan as well as a virus because it has features of each; I just call them all viruses. Storm apparently has the capabilities of an SMTP relay, and some sort of socket server with the capability to communicate stolen information to many destinations, even the ability to communicate with and warn its own Storm-infected host computers across a network of many Storm-infected computers. One report said this Storm creates a botnet of computers with combined criminal computing power greater than IBM’s best supercomputers. This virus has features which I really do not want to state because I don’t want to proliferate virus design. This virus starts in an eMail containing an executable attachment; the dumb users are tricked into running the attachment. That’s typical. Experts are estimating that this Storm virus has infected more than 200 million computers around the world, by email, and only the US and Europe have gotten some control of it at this time.

What’s the solution? 

Actually the solution is to not execute any program from any source except your trustworthy business associates, within the US preferably. But wherever you are, you need to have educated and trustworthy associates, so they don’t accidentally propagate viruses. However, with eMails you also need to be sure they are legitimate, not artificially produced by a spam virus using your friend’s eMail address. That’s the rule for me, but many of my clients just can’t keep these rules, so I install good anti-virus software on their computers.

There are a lot of anti-virus packages out there, but big names are not always best. For example, Trend Micro is recommended by many, but tests have shown it is not that thorough, and Microsoft has been unwilling to participate and prove the quality of its AV software. McAfee is what I use for many of my clients, and it has had an excellent track record for many years with a low price, though I also use Symantec, which is possibly the best of all.

I know better than to run any eMail attachment, or to download and run any questionable software product, from non-American companies particularly, so I have actually not had a virus that I can remember. And I have not used anti-virus software for nearly 10 years on my computers. Well, pre-2000 I think I had some minor virus problems, and I unfortunately downloaded and used some overseas software and started having computer problems, so I backed everything up and wiped my hard drive clean. That’s how I solve my virus problems. Were you expecting some elaborate solution? True, you need more advanced solutions, particularly for big networks…

Advanced corporate solutions: 

Most importantly, again, the solution is to not execute a questionable program. This is especially important on servers, and ultra important for administrators, who must be careful not to run any questionable program. Second, you need good firewall solutions implemented on your network; this holds down such things as the Storm virus. These things are standard practice of course. I have actually averted these problems altogether for administration by using a product called Iron-Admin from WiseFirm; I use it to administer all of my customers’ servers and workstations. This product allows you to administer all your network computers from one workstation, including Windows and Unix/Solaris/Linux servers, and you don’t ever have to execute any programs at all. Iron-Admin uses high encryption for all its communications, and from one computer you can remotely administer hundreds of servers and limitless workstations, and do backups of them all at scheduled times. Another similar product which I have tried is InterStructures, but it is not compatible with AIX and Solaris and does not do backups.

You may use anti-virus software, but honestly it is over-rated. Consider the case of a new virus, such as Storm: in this case your anti-virus software will not recognize it initially. If your company is so unfortunate that this virus gets access to administration-level servers, your whole company’s data could fall. Anti-virus software is a good step to protect common users’ computers to a limited degree, and to stop a virus eventually after it has been discovered.

I will get into more details on the security factors we have looked at in this article, and some additional ones. Look for my future blogs here.

The number of unpatched QuickTime flaws is: two

The number of recent QuickTime PoCs is remarkably large, and active exploitation has begun as well, as many readers know.

However, the QuickTime RTSP vulnerability reported on 23rd Nov is not the only one.

It appears that the WabiSabiLabi team has reported that there is another flaw (they call it a zero-day vuln) in Apple’s QuickTime player too.

This is what their blog post states:

We just want to specify that the vulnerability shown on those POCs IS NOT the one present in our marketplace.

They are pointing to PoCs listed at Milw0rm etc.

And a summary:

The first issue, reported by Krystian Kloskowski (aka h07), is CVE-2007-6166, CVSS score 9.3. For workarounds see US-CERT VU#659761.

The second issue, reported by an unknown person, is CVE-2007-6238, CVSS score 10.0. Reportedly ‘Affected system: Windows XP’.

SCADA DNP3 Fuzzer

We have been working lately on improving beSTORM’s fuzzing support for SCADA. SCADA stands for Supervisory Control And Data Acquisition or in other words, the ability to monitor and control hardware/equipment.

SCADA isn’t one single protocol; rather, it is a concept which several protocols implement. One of them is DNP3 (Distributed Network Protocol). Originally SCADA protocols were used in closed environments with dedicated wires running through the organization, which provided end-to-end communication. Today this type of physical implementation is uncommon, and networking infrastructure, mainly Ethernet, is used instead.

DNP3 is one of these, as it can be “carried” on a regular Ethernet infrastructure. It can also be routed through your network if you use DNP3 over TCP/IP, in which case deployment is much easier: connect the equipment to the network, give it an IP address, and you can control it from anywhere that can reach that IP address.

As DNP3 and SCADA in general are mainly used in industrial equipment, it is not easy to come by hardware for beSTORM to test. We therefore decided to start somewhere easier: the sniffer. There are several DNP3 sniffers out there; the most common and popular is Wireshark (formerly known as Ethereal).

Testing was pretty straightforward. Put a listening netcat on DNP3’s designated port (20000) and fire our beSTORM DNP3 fuzzer at it. Pretty soon we noticed that beSTORM was able not only to fuzz the DNP3 protocol, but also to cause several instances of Wireshark to freeze: one due to an endless loop Wireshark entered (fixed in version 0.99.6), and another that caused it to exhaust large amounts of CPU and memory as Wireshark tried to display more elements than would normally be in a single DNP3 packet (version 0.99.6 is vulnerable).

The endless loop, fixed in version 0.99.6, is caused by the following code:

for (temp16 = 0; temp16 < num_items; temp16++)

The code is vulnerable because temp16 is a 16-bit value while num_items is a 32-bit value, which means that I can make temp16 loop forever by supplying a 32-bit num_items value larger than the 16-bit counter can reach: temp16 wraps back to zero before it ever equals num_items.
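To make the width mismatch concrete, here is an added example (not beSTORM's or Wireshark's code) that models the one-line C loop above in Python with 16-bit wrap-around emulated explicitly, so the endless loop is detected and reported rather than hung in. It also shows a hardened shape for the same dissection step: a counter as wide as num_items plus a bound taken from the bytes actually present in the packet. Whether Wireshark's own fix took that exact form is not stated in the post; that part is my assumption.

```python
UINT16_MAX = 0xFFFF


def loop_terminates(num_items):
    """Model of `for (temp16 = 0; temp16 < num_items; temp16++)` with temp16 a C uint16_t
    and num_items a uint32_t. Returns (terminates, iterations_before_verdict).
    In C the counter silently wraps to 0 after 0xFFFF, so any num_items above 0xFFFF keeps
    the loop running forever; here the wrap is detected instead of looping."""
    temp16 = 0
    iterations = 0
    while temp16 < num_items:
        iterations += 1
        if temp16 == UINT16_MAX:
            return False, iterations        # the next temp16++ would wrap to 0: endless loop
        temp16 = (temp16 + 1) & 0xFFFF      # emulate uint16_t arithmetic
    return True, iterations


def dissect_items(num_items, payload, item_size):
    """Hardened equivalent (assumed shape, not Wireshark's patch): the loop bound is the
    smaller of the claimed count and what the packet can actually hold, and the counter
    is a Python int (no wrap), mirroring a counter as wide as num_items.
    Returns (items, truncated): the fixed-size slices present and whether the claimed
    count exceeded the data on the wire."""
    if item_size <= 0:
        raise ValueError("item_size must be positive")
    max_possible = len(payload) // item_size
    count = min(num_items, max_possible)
    items = [payload[i * item_size:(i + 1) * item_size] for i in range(count)]
    return items, num_items > max_possible


if __name__ == "__main__":
    for n in (10, 0xFFFF, 0x10000, 0xFFFFFFFF):
        print(f"num_items={n:#x}: terminates={loop_terminates(n)[0]}")
    # constructed 40-byte payload with a fuzzed count far beyond what it can hold
    items, truncated = dissect_items(0xFFFFFFFF, bytes(range(40)), 4)
    print(len(items), "items dissected, truncated =", truncated)
```

The boundary is visible in the model: 0xFFFF items is the largest count the 16-bit counter can reach, and 0x10000 is the first value that never terminates. The bounded version is also the defence against the second freeze the post mentions, since a count capped by the packet length cannot make the dissector allocate display elements for data that was never sent.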

Update: Wireshark has released a new version, 0.99.7, which is immune to this attack.

JAR: protocol vuln - targeting to Google now

According to a report by pdp, several web sites supporting open redirects are vulnerable to the recent JAR: protocol vulnerability.

More information about these XSS vulnerabilities (hey, these are serious now!) is available at GNUCITIZEN entry here:

Severe XSS in Google and Others due to JAR protocol issues

Update 26th Nov: The author of the Beford blog has shared that his “jarjarbinks.htm” PoC-type link still works when entered manually in the browser’s address bar. Google is still affected by the JAR flaw.

Another case of the infected HD

A second case of a malware-infected HD has been discovered; this is the second time it has happened in 4 months. The HDs are part of “about 1,800 brand new 300-GB or 500-GB external hard drives made for Maxtor in Thailand” and include an autorun.inf file that will execute as soon as the disk is connected to the computer.

More details on the background can be found here and a bit more details on the origin can be read here.

In the old days this wouldn’t have happened, as disks were “factory formatted”, requiring you to do a low-level format to start working with them, or at least to partition them before use; they weren’t pre-formatted, let alone shipped with data on them.
P.S. Of course Windows is the only operating system that will get infected; Linux or MacOS won’t care about the presence of the autorun.inf file (or the ghost.pif file that is launched by it).

These days of several XSS vulns on known sites

The role and seriousness of cross-site scripting (XSS) vulnerabilities has been a subject of recent FD discussion.

The fact is that since Saturday 3rd Nov the following widely known targets have been reported:

sitekey.bankofamerica.com
search.money.cnn.com
www.paypal.com (two issues)
www.zone-h.org
movies.nytimes.com
www.fbi.gov
weblogs.macromedia.com
welcome.intel.com
developer.apple.com
searchg.symantec.com
www.mastercard.com
travel.state.gov
my.aol.com
Additionally, several Yahoo domains have unpatched XSS issues. Mastercardfrance.com has its own XSS vulnerabilities as well.

According to the Xssed.com archives most of these are still unpatched. Some examples:

Symantec: XSS in search function at Enterprise section

Apple Developer Connection: XSS in search function
FBI: XSS in redirect-type URL (try www.fbi.gov/filelink.html?file=//google.fr manually)

Bank of America: XSS on Sign In page (https)
Paypal.com has fixed both of its issues.

Cryptome: NSA has access to Windows Mobile smartphones

For the first time in history, Cryptome.org has released information about the characteristics of the NSA’s network surveillance.

According to the newest IP address listing:

IP ranges published by Cryptome are used by NSA, by NSA’s private sector contractors, and by NSA-friendly non-US national government agencies to access both stand-alone systems and networks running Microsoft products.

The post continues:

This includes wireless wiretapping of “smart phones” running Microsoft Mobile. Microsoft remote administrative privileges allow “backdooring” into Microsoft operating systems via IP/TCP ports 1024 through 1030.

The site has published NSA-affiliated IP addresses since July ‘07. It’s not known whether this mysterious source ‘A’ has connections to the National Security Agency.