Remote-control device - the new gun of bank robbers

Bank robbers have found a very interesting technique.

From The Local article Police thwart remote-control bank heist:

Surprised last August to suddenly see his computer cursor moving on its own, the employee at the Knivsta branch of Swedbank, north of Stockholm, “discovered a cable connected to his computer linked to a remote control device fastened under his desk,” local police spokesman Christer Nordström told AFP.

The employee quickly pulled the plug, interrupting a transfer of several hundred million kronor, Nordström said.

And how did they manage to install this remote-control device? According to the news sources, during a break-in before the incident, in which no money was stolen from the bank.

A comment posted to Technocrat.net points to another interesting case (from a CIO Update article), confirmed as a keylogger case:

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel.

Swedbank is the leading bank in Sweden, Estonia, Latvia and Lithuania with more than 21,700 employees serving 9 million private and 480,000 corporate customers.


iPhone Key Leak

The key used to sign iPhone applications has apparently leaked. Posting the key itself appears to be illegal, so we won’t do it, but others have; just Google for it.


Top Ten Web Hacks of 2007 results are out

The Top Ten Web Hacks of 2007 list has been released by Jeremiah Grossman.

Link to Jeremiah’s post: Top Ten Web Hacks of 2007 (Official)

Various XSS issues, possible firefoxurl vulnerabilities, the dangers of opening PDFs, etc. etc.

Happy clicking!


“php shell script on my server”

Q:

I have a webserver where I’ve found several different PHP shell scripts and I’d like to know how they got there. Are there known vulnerabilities that allow uploading of PHP files to a server?

I have several sites running on this server with several php script packages including…

Zencart
phpbb2

Any ideas or pointers will be appreciated!

A: Hi,

There are several vulnerabilities in both off-the-shelf products and custom PHP scripts that would allow “uploading”. In essence they don’t need to upload; they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.

phpBB has several:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=phpbb

Listed as Code Execution, Arbitrary File Upload, etc.

While Zen Cart has just one problem:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=zen+cart

But that could be misleading, and just mean that the software is far less common.


The new year has come: time to plan your conferences!

The first days of a new year are “resolutions” days for some, goal-setting days for others. Time to realize what a hardcore procrastinator you are, and time to plan too.

I have kept a Google Calendar of security events (XML, ICS) since early 2007, with the major hacker / security conferences I stumble upon. Last update in UTC, change history so you can see what was added, pretty simple. Some people are especially interested in CFP (Call For Papers) deadlines, so the next step is a new calendar just for CFPs.

This is not a comprehensive list of events but a list of relevant events: great speakers, great papers, events with some reputation, in short. Want to see your country in the calendar? Tell me what’s important in your area: securitycalendar at gmail.com. BTW, please let me know if you find any worthless conference in the calendar.

I’ve been to 2 DEFCONs. Today my goals are ShmooCon, LayerOne, Toorcon, CanSecWest and CCC. What are your favorite conferences? What would be your picks if someone asked you to choose only, say, 3 conferences a year?


MBR rootkit - here’s some references

The Prevx Blog has a good writeup located at prevx.com/blog/75/Master-Boot-Record-Rootkit…

The SANS Internet Storm Center has released an interesting timeline story - link here.

From the post, based on VeriSign iDefense data:

….

  • Oct. 30, 2007 - Original version of MBR rootkit written and tested by attackers
  • Dec. 12, 2007 - First known attacks installing MBR code; about 1,800 users infected in four days.

McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos, in turn, uses the name Troj/Mbroot-A. The names Trojan.Win32.Agent.dsj and TROJ_AGENT.APA have been assigned too.

Update, 10th Jan: Trend Micro uses the name TROJ_SINOWAL.AD.
Update, 12th Jan: Symantec detects the infected MBR as Boot.Mebroot. McAfee uses the name StealthMBR!rootkit too.


Google as an RBL

For those not familiar with the term, RBL means Real-time Blackhole List; it is mainly used for fighting SPAM. I have recently started playing around with Google as an RBL engine. The idea is that if the search term I use returns too many hits, it is likely to be SPAM :)

The danger, of course, is that the term could simply be popular - but the trick here is that I’m using something very special as the search term: the IP address of the poster.

An IP address shouldn’t be popular; except for a few rare cases, IP addresses listed on Google are directly related to SPAM - either they are listed on wiki-like sites as banned, or they appear as mass-comment posters. Simply put, if your IP is listed in Google you must be up to no good.

How good is this method? Nothing is bulletproof, but if you suspect something of being SPAM, put the IP in Google and see whether there are hits. Almost all the comment SPAM I filtered out this month had more than 100 hits in Google; all non-SPAM had either 0 hits or fewer than 10.

BTW: a good advantage of Google is that it is quick - a few seconds to get a response. A disadvantage is that you cannot just “hammer” them with searches or they will block you - maybe someone can pick up this idea and make an RBL from IP addresses using Google as a back-end.
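A sketch of the search-hit RBL described above, added here as an example and not from the original post: it applies the post’s thresholds (more than 100 hits is SPAM, fewer than 10 is clean), only ever queries literal IP addresses, caches verdicts so the engine is not hammered, and shows the reversed-octet DNSBL name such a list would answer for. The hit counter is an offline stand-in with constructed counts, and the `searchrbl.example` zone is a hypothetical placeholder.

```python
import ipaddress
import time
from typing import Callable, Dict, Tuple

# Thresholds taken from the post: >100 hits means SPAM, fewer than 10 means clean.
SPAM_HITS = 100
CLEAN_HITS = 10


def dnsbl_name(addr: str, zone: str = "searchrbl.example") -> str:
    """Query name an RBL built on this idea would answer for: octets reversed under the
    zone (standard DNSBL convention). The zone is a hypothetical placeholder."""
    ip = ipaddress.IPv4Address(addr)
    return ".".join(reversed(str(ip).split("."))) + "." + zone


class SearchHitRBL:
    """Classify a poster's IP by how many search-engine hits the literal address gets.

    hit_counter: callable returning the hit count for an exact-match query; the caller
    supplies it, since a real engine blocks repeated automated searches. Verdicts are
    cached with a TTL so repeat posters do not trigger repeat queries.
    """

    def __init__(self, hit_counter: Callable[[str], int], ttl_seconds: int = 3600):
        self._hits = hit_counter
        self._ttl = ttl_seconds
        self._cache: Dict[str, Tuple[float, str]] = {}

    def classify(self, addr: str) -> str:
        ip = ipaddress.ip_address(addr)  # ValueError on anything that is not a literal IP
        # Addresses that cannot post from the public internet are not worth a query.
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return "unknown"
        now = time.monotonic()
        cached = self._cache.get(str(ip))
        if cached and now - cached[0] < self._ttl:
            return cached[1]
        hits = self._hits(f'"{ip}"')  # quoted so the engine matches the exact dotted quad
        verdict = "spam" if hits > SPAM_HITS else "clean" if hits < CLEAN_HITS else "unknown"
        self._cache[str(ip)] = (now, verdict)
        return verdict


# Constructed offline stand-in for the search engine: hit counts per quoted IP.
SAMPLE_HITS = {'"198.51.100.23"': 412, '"192.0.2.9"': 0, '"203.0.113.77"': 35}


def demo_verdicts() -> Dict[str, str]:
    rbl = SearchHitRBL(lambda term: SAMPLE_HITS.get(term, 0))
    return {a: rbl.classify(a) for a in ("198.51.100.23", "192.0.2.9", "203.0.113.77")}
```

The middle band (10 to 100 hits) is deliberately reported as "unknown" rather than forced into a verdict, since the post only gives evidence for the two extremes.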


Facebook’s My Admirer is gone - and was there spyware at all?

The My Admirer application (previously known as Secret Crush) has now been removed from Facebook. Installation was disabled during the weekend, and now the application is finally gone.

Fortinet reported on the Zango spyware installation related to this application last week. The issue was described in this SecuriTeam post.

The response from Zango Inc. is interesting to read - link to the Zango blog here.

From the post:

At no point in adding the Secret Crush widget to a Facebook profile does the widget install either spyware or Zango software, or even attempt to do so. Any suggestion that Zango software is being “secretly installed” is simply not true.

It appears that there was no automatic installation of spyware at all.


Wi-Fi-Flu?

Sometimes I dislike how the media deals with security news, always looking for the next scoop. Take the buzz around the “WiFi Epidemiology: Can Your Neighbors’ Router Make Yours Sick?” paper by Indiana University researchers. Excerpt from the Network World article:

Although the researchers did not develop any attack code that would be used to carry out this infection, they believe it would be possible to write code that guessed default passwords by first entering the default administrative passwords that shipped with the router, and then by trying a list of one million commonly used passwords, one after the other. They believe that 36% of passwords can be guessed using this technique.

I think this is déjà vu. I remember Renderman (Church of Wifi) suggesting a similar scenario in his talk “New Wireless Fun From the Church Of WiFi” at DEFCON 14 (2006), including the use of third-party firmware.

The guys over at Indiana University didn’t develop any exploit for that, so I think I can develop this theory a little bit myself. For good.

What about a Wi-Fi healer instead of an attack, a World Wide WEP Wipe (WWWW) or something like that? A wardriving device which breaks into WEP WAPs and “heals” them with WPA-PSK / WPA2-PSK, using a database of known administration interface URLs (for popular models, for most firmware versions). Maybe it would not even be necessary to change the WEP key, since breaking WEP is a matter of resources and time while breaking WPA-PSK is a matter of luck (bad, easily guessable keys + coWPAtty “classic”, coWPAtty with lookup tables, aircrack-ng). Some users wouldn’t even notice the new security scheme if you keep the same key :-)

Via:


My name is Zango, I am spyware and I found Facebook applications

The first spyware spreading via a Facebook application has been discovered. Security company Fortinet reports that an application called Secret Crush is installing Zango (aka AdWare.Win32.180Solution) through an iframe, technically served from ZangoCash.com.

In short, this is the spreading mechanism:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using “Secret Crush” (this happens frequently with Facebook’s Platform Application). [Figure 2] exhibits the social engineering speech employed by the malicious widget to get the user to install it.

The text included in the request entry is “One of Your Friends Might Have a Crush on You!”. Additionally, the buttons are ‘Find Out Who!’ and the typical ‘Ignore’.
It appears that Secret Crush is no longer listed in the Facebook Application Directory (no log-in needed). Reportedly the FortiGuard Team has informed the Facebook guys, and the application has probably been disabled already.

Update 4th Jan: The application mentioned is located here (renamed to My Admirer), still accessible, and has “50,708 daily active users i.e. 4% of total”.

The exact number of affected users is not available.


Wi-Fi in Brazil: Be a Ninja

2007 was definitely the Brazilian Christmas for laptops. Finally the prices are reasonable in retail stores; now one can buy a basic laptop for about R$1.600,00 (about US$950). That’s expensive for a 256MB / 512MB Celeron PC, but hey, that’s much better than feeding the parallel market of “contrabando”.

As a side effect, more Muni Wi-Fi and similar initiatives have emerged in the last few months. The latest came to my attention yesterday: Wi-Fi on Copacabana beach.

Sounds cool, huh? Caipirinhas, lots of hot girls in fio dental, and Wi-Fi (you geek!). Don’t do it, man.

Burglars in Brazil are smart, so be a ninja with your laptop in Brazil. Leave your Targus bag at home; it says “hey, I have a laptop, please steal it from me, Mr. Bad Guy”. Be a ninja with other gadgets like iPods, digital cameras and cell phones too. Nothing on your belt either, Mr. Batman.

Wi-Fi in malls is relatively safe; just take care when you’re leaving the place, and looking back is always good. Airports are safer, but take care on your way to the hotel, when you’re waiting for a taxi. Recently a gang specialized in laptops was arrested. You know, it’s easy to tell you have a laptop because people help burglars a lot: suits and backpacks (especially Targus and other mainstream brands) don’t mix.
Another tip: the vast majority of hotspots in Brazil are associated with Vex, so purchasing some credits from a safe network before you leave your country would be a good idea. Another tip, actually homework before you leave your country: back up your data, protect your HD with a password if available, encrypt the file system, and have your VPN set up.

Via: Praia de Copacabana deve ter rede Wi-Fi até junho (FolhaOnline 01/02/2007)


Vulnerability Scanner