Reports are emerging that members of the hacker collective Anonymous (or whatever they would prefer to be called now, since they don’t want to be called hackers anymore; from the IRC: “To the idiot reporters: we’re not hackers”) defaced NASA in support of Wikileaks.
Category: Application Security
Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent (reflected) cross site scripting attack (XSS). While non-persistent XSS bugs are fairly common, this one is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts, debit cards, or credit cards, and payments can be made to third parties without any additional authentication once access to the account is gained.
Refusing to maintain and follow a good termination checklist, one that walks through which access rights to decommission when someone leaves your company, can put the brakes on your customers’ good will. Texas Auto Center in Austin, Texas demonstrated the headaches that ensue when, in February, it left more than 80 customers who had financed cars unable to get to school or work and stuck with charges for towing and unnecessary repair work.
Originally diagnosed as mechanical failures in the cars, the problems stopped as soon as all the passwords for the WebTeckPlus system used by the firm were reset. A recently terminated employee, twenty-year-old Omar Ramos-Lopez, had used still-active credentials to log in to the web administration portal of the Auto Center’s payment incentive vendor and used it to disable vehicle starters or, according to police reports, make horns honk through the night.
Shortly after President Obama’s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama’s 8th District), and Brian Baird (Washington’s 3rd District) were presented with a defacement message from the Red Eye Crew that as of 4:10 am EST remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.
Less than 24 hours after the last web site defacement, TechCrunch has been defaced again early this morning by the same cracker(s) responsible for yesterday’s attack. Whatever preventive measures were taken yesterday (WordPress upgrade, HTTP authentication for wp-admin) have not blocked the attacker’s ability to modify TechCrunch’s content: this morning the attacker left a profane message on top of the homepage aimed at Michael Arrington as well as a few media outlets like Yahoo and the BBC. At this point TechCrunch should perhaps be making sure there is no uploaded shell on the server the site is hosted on.