<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; Web Site Defacement</title>
	<atom:link href="http://praetorianprefect.com/archives/category/web-site-defacement/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Newsweek Reports Zombie Invasion</title>
		<link>http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 23:12:03 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[konami code]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4198</guid>
		<description><![CDATA[Newsweek.com becomes the latest in a <a href="http://konamicodesites.com/">long list of sites</a> that will reveal an Easter egg if you enter the Konami Code (↑, ↑, ↓, ↓, ←, →, ←, →, B, A, enter) correctly.]]></description>
			<content:encoded><![CDATA[<p><a href="http://ptn-images.s3.amazonaws.com/zombie1.jpg"><img src="http://ptn-images.s3.amazonaws.com/zombie1-150x150.jpg" alt="" title="zombie1" width="150" height="150" class="alignleft size-thumbnail wp-image-4202" /></a></p>

<p>Newsweek.com becomes the latest in a <a href="http://konamicodesites.com/">long list of sites</a> that will reveal an Easter egg if you enter the Konami Code (↑, ↑, ↓, ↓, ←, →, ←, →, B, A, enter) correctly. The Konami Code is a cheat code that appeared in <a href="http://en.wikipedia.org/wiki/List_of_Konami_code_games">many of Konami&#8217;s video games</a>, starting around 1986 (my favorite places to use it were Contra and Life Force, 30 lives FTW). This is probably something a developer included unbeknownst to the powers that be at Newsweek, similar to an incident that happened <a href="http://praetorianprefect.com/archives/2009/04/now-i-will-believe-that-there-are-unicorns/">at ESPN involving unicorns</a> last year.</p>

<p><div id="attachment_4205" class="wp-caption alignnone" style="width: 706px"><a href="http://ptn-images.s3.amazonaws.com/konami_newsweek.jpg"><img src="http://ptn-images.s3.amazonaws.com/konami_newsweek.jpg" alt="" title="konami_newsweek" width="696" height="832" class="size-full wp-image-4205" /></a><p class="wp-caption-text">Enter Konami code, be warned of Zombie attack.</p></div>
<br /></p>

<p>Buried in a file of other JavaScript libraries used by the Newsweek site is the <a href="http://code.google.com/p/konami-js/">Konami JavaScript library</a> code written by <a href="http://www.georgemandis.com/">George Mandis</a>. Within <u>http://www.newsweek.com/etc/designs/newsweek/lib.js</u> is the following JavaScript, which watches for the keyboard pattern (↑, ↑, ↓, ↓, ←, →, ←, →, B, A, enter) and, on a match, replaces content on the page as shown:</p>

<pre><code>/*
    * Konami-JS ~
    * Modified variable names and obscured (March 31st, 2010), but otherwise intact
    * :: Now with support for touch events and multiple instances for 
    * :: situations that call for multiple easter eggs!
    * Code: http://konami-js.googlecode.com/
    * Examples: http://www.snaptortoise.com/konami-js
    * Copyright (c) 2009 George Mandis (georgemandis.com, snaptortoise.com)
    * Version: 1.2 (1/30/2010)
    * Licensed under the GNU General Public License v3
    * http://www.gnu.org/copyleft/gpl.html
    * Tested in: Safari 4, Firefox 3, IE7 and Mobile Safari 2.2.1
*/

var AdDebug = function() {
    var adDebug= {
            addEvent:function ( obj, type, fn, ref_obj )
            {
                if (obj.addEventListener)
                    obj.addEventListener( type, fn, false );
                else if (obj.attachEvent)
                {
                    // IE
                    obj["e"+type+fn] = fn;
                    obj[type+fn] = function() { obj["e"+type+fn]( window.event,ref_obj ); }

                    obj.attachEvent( "on"+type, obj[type+fn] );
                }
            },
            input:"",
            pattern:"3838404037393739666513",
            load: function(link) {
                this.addEvent(document,"keydown", function(e,ref_obj) {
                    if (ref_obj) adDebug = ref_obj; // IE
                    adDebug.input+= e ? e.keyCode : event.keyCode;
                    if (adDebug.input.indexOf(adDebug.pattern) != -1) {
                        adDebug.code(link);
                        adDebug.input="";
                        return;
                    }
                },this);
                this.iphone.load(link)
            },
            code: function(link) { window.location=link},
            iphone:{
                    start_x:0,
                    start_y:0,
                    stop_x:0,
                    stop_y:0,
                    tap:false,
                    capture:false,
                    keys:["UP","UP","DOWN","DOWN","LEFT","RIGHT","LEFT","RIGHT","TAP","TAP","TAP"],
                    code: function(link) { window.location=link},
                    load: function(link){
                            adDebug.addEvent(document,"touchmove",function(e){
                              if(e.touches.length == 1 &amp;&amp; adDebug.iphone.capture==true){ 
                                var touch = e.touches[0]; 
                                    adDebug.iphone.stop_x = touch.pageX;
                                    adDebug.iphone.stop_y = touch.pageY;
                                    adDebug.iphone.tap = false; 
                                    adDebug.iphone.capture=false;
                                    adDebug.iphone.check_direction();
                                    }
                                    });               
                            adDebug.addEvent(document,"touchend",function(evt){
                                    if (adDebug.iphone.tap==true) adDebug.iphone.check_direction();           
                                    },false);
                            adDebug.addEvent(document,"touchstart", function(evt){
                                    adDebug.iphone.start_x = evt.changedTouches[0].pageX
                                    adDebug.iphone.start_y = evt.changedTouches[0].pageY
                                    adDebug.iphone.tap = true
                                    adDebug.iphone.capture = true
                                    });               
                                    },
                    check_direction: function(){
                            x_magnitude = Math.abs(this.start_x-this.stop_x)
                            y_magnitude = Math.abs(this.start_y-this.stop_y)
                            x = ((this.start_x-this.stop_x) &lt; 0) ? "RIGHT" : "LEFT";
                            y = ((this.start_y-this.stop_y) &lt; 0) ? "DOWN" : "UP";
                            result = (x_magnitude &gt; y_magnitude) ? x : y;
                            result = (this.tap==true) ? "TAP" : result;                     
                            if (result==this.keys[0]) this.keys = this.keys.slice(1,this.keys.length)
                            if (this.keys.length==0) this.code(this.link)
                            }
                    }
    }

    return adDebug;
}

var adDebugContent = function(){
    function render() {
        $("a").attr("href", "#");

        // FEATURE
        var feature = '&lt;article class="feature-area feature-style-wide"&gt;&lt;div class="feature-content"&gt;&lt;header&gt;&lt;span class="byline" property="dc:creator"&gt;MIKE ROBINSON&lt;/span&gt;&lt;h1 class="header header-60"&gt;&lt;a href="#"&gt;ZOMBIES ATTACK!&lt;/a&gt;&lt;/h1&gt;&lt;span class="subhead"&gt;Run for the hills!&lt;/span&gt;&lt;/header&gt;&lt;p&gt;The undead have risen from their graves and invaded large portions of the east coast. Driven only by an unsatiable desire for brains, there seems to be no stopping their ruthless push forward. Residents are advised to barricade themselves in their homes and wait for further instructions. Under no circumstances should the walking dead be allowed in your house.&lt;/p&gt;&lt;/div&gt;'
        $(".feature").html(feature);

        // NEWSWEEK NOW
        $(".newsweek-now .par").html("");
        var nowHtml = "";
        var nowTemplate = '&lt;div class="newsweeknow section"&gt;&lt;article class="stream-item" class="stream-item article-item"&gt;&lt;h2 class="header" property="dc:title"&gt;&lt;a href="#"&gt;${title}&lt;/a&gt;&lt;/h2&gt;&lt;div class="grid-5"&gt;&lt;p class="text" property="dc:abstract"&gt;${description}&lt;a rel="dcterm:source" href="#" class="more"&gt;More &lt;span class="guillemets"&gt;&amp;rsaquo;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;aside class="grid-2 last"&gt;&lt;a href="/search.html?q=tea+party" class="primary-tag" title="Primary Tag" property="dc:subject ctag:label foaf:primaryTopic" typeof="ctag:Tag" resource="/content/newsweek/tag/politics.html" rel="ctag:means"&gt;Zombies&lt;/a&gt;&lt;span class="byline"&gt;by &lt;span class="author"&gt;&lt;a typeof="foaf:person" property="dc:creator" rel="foaf:publications"&gt;${author}&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;time property="dc:created" pubdate="true" datetime="2010-06-11"&gt;Jun 11, 2010&lt;/time&gt;&lt;/aside&gt;&lt;/article&gt;&lt;/div&gt;';

        for(var i = 0; i &lt; content.now.length; i++){
            var template = nowTemplate;
            var item = content.now[i];

            template = template.replace("${title}", item.title);
            template = template.replace("${description}", item.description);
            template = template.replace("${author}", item.author);

            nowHtml += template;
        }
        $(".newsweek-now .par").html(nowHtml);

        // SPECTRUM
        $(".spectrum h2").html(content.spectrum.title);
        $(".spectrum a").attr("href", "#");
        var spectrumItems = $(".spectrum ul.sidebar-content li");
        var j = 0;
        for(var i = 0; i &lt; spectrumItems.length; i++){
            var element = spectrumItems[i];

            if(j &lt; content.spectrum.viewpoints.length){
                var item = content.spectrum.viewpoints[j];

                $(element).find("h3 a").text(item.title);
                $(element).find("q a").html(item.quote);
                $(element).find("span.source").text(item.source);
                $(element).find("cite.publication").hide();
                j++;
            } else {
                $(".spectrum ul.sidebar-content li").eq(i).remove();
            }
        }
    }

    var content = {
        "now":[
            {
                "title":"The Zombie Invasion Timeline",
                "description":"It was just three months ago that patient zero, a former British citizen living in New York, was identified as the cause of the zombie invasion. While initially considered to be a bad sinus infection, the disease quickly spread after Patient Zero ate the brains of a attending neurosurgeon.",
                "author":"Steven Stone"
            },
            {
                "title":"Fleeing the Zombie Horde: What Are Our Options?",
                "description":"With goverment barricades falling and traditional warfare tactics deemed ineffective, the local populace must now consider the option of fleeing as viable and advised. There are many options depending on an individuals geographical location, however most zombie experts expressly advise against running for the hills without proper preparation. One must take into consideration the hazardous effects natural elements such as rain and cold weather can have, especially in cold winter months.",
                "author":"Dan Alcalde"

            },
            {
                "title":"No End in Sight for Undead Feast",
                "description":"The haunted continue to walk the streets, often heard moaning 'BRAAAAAIIIIIINS!' [paraphrased]. With their unstoppable quest for human brains the undead have shown no signs in slowing down their pursuit or consumption of our most precious organs. A noted chef suggests, 'While zombies will eat any organ, they most definitely have a preference for our soft cranial tissue. It is easily digestible, and once the tough outer skull is removed quite simple to recover.'",
                "author":"Roberto Gonzalez"
            },
            {
                "title":"Go For the Head",
                "description":"Several close combat experts have reiterated how important it is to strike a zombie directly in the head with a large blunt weapon. Only by smashing their brains can you be certain the approaching undead will not rise again and feast on your exposed limbs.",
                "author":"Nicole Barth"
            },
            {
                "title":"Zombies and You",
                "description":"Not everybody reacts the same to the undead. If you, or a loved one, has encountered a zombie please share your experiences in the comments.",
                "author":"Monica Parra"
            }

        ],
        "spectrum":{
            "title":"Zombie Invasion Continues Unabated",
            "viewpoints":[
                {
                    "title":"SUSPICIOUS",
                    "quote":"I don't see how every barricade could fail unless the government meant to let them through.",
                    "source":"Tim Knight"
                },
                {
                    "title":"DECISIVE",
                    "quote":"If we can't be protected then we'll just protect ourselves!",
                    "source":"Mike Robinson"
                },
                {
                    "title":"FLEEING",
                    "quote":"Save yourselves, run now",
                    "source":"Mark Catalano"
                },
                {
                    "title":"HUNGRY",
                    "quote":"Braaaaaains. Braains brains braaaaaaaaains...",
                    "source":"Dan Alcalde"
                },
                {
                    "title":"BITTEN",
                    "quote":"Wow those things bite hard. Oh, I feel funny...",
                    "source":"Andrew Sprouse"
                }
            ]
        }

    }

    return {
        render: render
    } 
}();

</code></pre>

<h3>Finally</h3>

<p>In the case where this happened on ESPN the results were mostly harmless. As explained by developer Keith Lam, the incident <a href="http://keithlam.com/2009/04/28/espncom-unicorns/">was a prank</a>, not an indication that someone hacked into the site (the developer was canned though). It will be interesting to see if Newsweek&#8217;s amusing defacement is the same situation.</p>

<p>If so, the only downside to the ESPN unicorns was that it exposed how little control there is over the production environment at ESPN: it was fairly easy for a developer to sneak something into production without anyone knowing about it. Unicorns are funny; a disgruntled person could come up with things to show on the web site that aren&#8217;t so funny.</p>

<p>But in both cases, these are harmless jokes, so no harm no foul for the most part.</p>

<h3>Update &#8211; 6/15/10</h3>

<p>According to a Newsweek spokesperson it was an internal developer: &#8220;It&#8217;s true that our programmers had a bit of fun and hid the Konami Easter egg in the site. It does not affect the rest of the site&#8217;s functionality. Now that we&#8217;ve all had a laugh, we will be removing it.&#8221;</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/going-after-bp/">Going After BP</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/">Congressional Web Site Defacements Follow the State of the Union</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">TechCrunched &#8211; TechCrunch the Victim of a Defacement</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Going After BP</title>
		<link>http://praetorianprefect.com/archives/2010/06/going-after-bp/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/going-after-bp/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 20:43:09 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[brute forcing]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[remote file inclusion]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[vpn]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4050</guid>
		<description><![CDATA[BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP's recent public relations activities in the online arena.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-150x150.jpg" alt="" title="bp" width="150" height="150" class="alignleft size-thumbnail wp-image-4055" /></a></p>

<p>BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP&#8217;s recent public relations activities in the online arena. Specifically, reactions to BP&#8217;s having bought the sponsored link for the search term &#8216;oil spill&#8217; seem to have triggered resentment in the form of reconnaissance work, a Twitter account compromise, and an amusing cross-site scripting vulnerability.</p>

<p>In the Reddit case, the method shown and gotchas demonstrated are worth covering, although no actual hack takes place. The XSS demonstrated at the bottom of the post is just creative and funny.</p>

<h3>Twitter</h3>

<p>As widely reported, on May 27th BP&#8217;s official Twitter account was compromised and the following tweet was posted.</p>

<p><div id="attachment_4062" class="wp-caption alignnone" style="width: 558px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-twitter-hacked.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-twitter-hacked.jpg" alt="" title="bp-twitter-hacked" width="548" height="417" class="size-full wp-image-4062" /></a><p class="wp-caption-text">Pick a stronger password.</p></div>
<br /></p>

<p>And while it&#8217;s not a hack, the spoof Twitter account <a href="http://www.twitter.com/BPGlobalPR">BPGlobalPR</a> has garnered some attention (150k followers) as a satirical response to BP&#8217;s actual public relations response. It has gotten enough attention that the real BP has made overtures to the fake account to <a href="http://newsfeed.time.com/2010/06/09/bp-gets-bpglobalpr-to-clean-up-its-twitter/">better identify itself as a parody</a>.</p>

<h3>Reddit</h3>

<p>Last night on Reddit a user skipperdee responded to a post about the BP sponsored link <a href="http://www.reddit.com/r/politics/comments/ccuc1/if_bp_wants_to_waste_their_money_buying_key_words/">as follows</a>:</p>

<p><div id="attachment_4059" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/h08EB2.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/h08EB2.png" alt="" title="h08EB" width="750" height="526" class="size-full wp-image-4059" /></a><p class="wp-caption-text">Reconnaissance</p></div>
<br /></p>

<p>Let&#8217;s walk through his suggestions:</p>

<h4>VPN Login Screen</h4>

<p>Looking at what&#8217;s here, he found what is ostensibly a VPN login screen for some extranet-type applications: https://access.bpglobal.com/bp/C/login.html?_targetURL=https://access.bpglobal.com/pkmslogin.form (with what looks like an open redirect).</p>

<p>One mark against information security is that the page offers only certificate-based authentication or, alternatively, login with a plain ID and password.</p>

<p><div id="attachment_4056" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/IDAM_login.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/IDAM_login.jpg" alt="" title="IDAM_login" width="750" height="360" class="size-full wp-image-4056" /></a><p class="wp-caption-text">https://access.bpglobal.com/help/bpcertExpired.html</p></div>
<br /></p>

<p>A review of this screen (above), however, suggests that a user&#8217;s Windows (Active Directory) login is the same as their IDAM login, since it refers to an &#8220;NT ID and password&#8221;.</p>

<h4>User Names</h4>

<p>Our Reddit user goes on to show off a little Google hacking by demonstrating how to find out the user names of BP employees:</p>

<p><a href="http://www.google.com/#hl=en&amp;q=%22Documents+And+Settings%22+site%3Abp.com&amp;aq=f&amp;aqi=&amp;aql=&amp;oq=&amp;gs_rfai=&amp;fp=dfdf66882bd03aae">http://www.google.com/#hl=en&amp;q=%22Documents+And+Settings%22+site%3Abp.com&amp;aq=f&amp;aqi=&amp;aql=&amp;oq=&amp;gs_rfai=&amp;fp=dfdf66882bd03aae</a>.</p>

<p><div id="attachment_4067" class="wp-caption alignnone" style="width: 646px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_mydocs.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_mydocs.jpg" alt="" title="bp_mydocs" width="636" height="111" class="size-full wp-image-4067" /></a><p class="wp-caption-text">Username equals Warna3.</p></div>
<br /></p>

<p>Because a number of BP employees use the built-in MS Word footer option for file name and path, their user names have been exposed in publicly released documents. Now that a number of usernames can be enumerated, with a brute-force password cracker it&#8217;s off to the races for an attacker.</p>

<h4>Documents</h4>

<p>He then goes on to demonstrate that the publicly available sites have a sub-directory, /STAGING, which appears to hold semi-public documents (releases to the press, investor releases, etc.).</p>

<p><a href="http://www.google.com/#q=site:bp.com+inurl:staging+%222010%22&amp;hl=en&amp;start=0&amp;sa=N&amp;fp=dfdf66882bd03aae">http://www.google.com/#q=site:bp.com+inurl:staging+%222010%22&amp;hl=en&amp;start=0&amp;sa=N&amp;fp=dfdf66882bd03aae</a></p>

<p>It&#8217;s unclear whether anything unusual is publicly exposed here. One document showing the oil spill projections is marked &#8220;official use only&#8221;; however, that&#8217;s a lot like saying something is under copyright but still releasable. Another is marked &#8220;Project Confidential&#8221;, but it&#8217;s unclear whether it left that classification when it was added to the /STAGING site.</p>

<p><div id="attachment_4086" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_situationmap.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_situationmap.jpg" alt="" title="bp_situationmap" width="750" height="579" class="size-full wp-image-4086" /></a><p class="wp-caption-text">Situation Map.</p></div>
<br /></p>

<p>As with a lot of large companies, there&#8217;s probably more online than there should be, but it doesn&#8217;t appear that /STAGING has any special significance as an intranet-type site. I will confess, this is my favorite document, <a href="http://docs.google.com/viewer?a=v&amp;q=cache:O4zm5Oi8orsJ:www.bp.com/liveassets/bp_internet/globalbp/STAGING/global_assets/downloads/H/horizon_magazine_issue_2_april_2008.pdf+site:bp.com+inurl:staging+%222010%22+confidential&amp;hl=en&amp;gl=us&amp;pid=bl&amp;srcid=ADGEESj2qEnWcCOF8SWSE5Ikgv1JZDNi2DCJMt93uwf0BsHNct0gjaJcG0ymZucQ0kPIP5GbvWPemQ_7Y2Ddb76Ibx9-SU2hJfKB2wxvy-IXZAEhzJXqhWSKavmJCLcSAvBPxlUSw5EL&amp;sig=AHIEtbSyg7hGwgwf5flxBZmau3Amuc-x_A">the April 2008 company magazine</a>:</p>

<p><div id="attachment_4087" class="wp-caption alignnone" style="width: 495px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_horizon.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_horizon.jpg" alt="" title="bp_horizon" width="485" height="649" class="size-full wp-image-4087" /></a><p class="wp-caption-text">BP Horizon: The Battle to Secure Company Data.</p></div>
<br /></p>

<h4>Some Passwords</h4>

<p>There are two old passwords in two of the files, a form and a newsletter. Both are for ibackup.com access, which, like other document sharing sites, has a public folder concept. Given their age, there probably isn&#8217;t much of an issue here; however, password re-use inside organizations is quite common.</p>

<p>ID: bproadmap<br />
PW: safety<br />
<a href="http://www.bp.com/liveassets/bp_internet/bp_canada_noel/bp_canada_noel_english/STAGING/local_assets/downloads_pdfs/j/journey_hazard_assessment_card_2009_02_18.pdf">journey_hazard_assessment_card_2009_02_18.pdf</a></p>

<p>ID: bpshipping02<br /> 
PW: flag01<br />
<a href="http://docs.google.com/viewer?a=v&amp;q=cache:6nzmWJJpB3kJ:www.bp.com/liveassets/bp_internet/bp_shipping/bp_shipping_english/STAGING/local_assets/downloads_pdfs/f/Flag_29_May_2008.pdf+site:bp.com+inurl:staging+password&amp;hl=en&amp;gl=us&amp;pid=bl&amp;srcid=ADGEESieFMPdmCO_hNW2MSA4pu7K_bGkmXjhna1KtQNEWiMcdfmOrm658QSkwKVIfO5rFFkOWkFPe8kq9ZssmL_XQ8K4Hdbkm409NGT_A0c0yVynORfFiqQLXNNTgaArMHygEpG9KCix&amp;sig=AHIEtbT7TxhK88zxrqpdVTepx1Z8nH_lhA">Flag_29_May_2008.pdf</a></p>

<p>In the case of the second ID, it certainly looks to be the kind of ID and password that gets incremented for different things (bpshipping01, bpshipping03, flag02).</p>

<h3>PHP File Include and XSS</h3>

<p>Finally, the Reddit commenter points out the energiser.bp.com URL as one that appears to be a web application with a few issues, including potentially a PHP remote file include or arbitrary file access:</p>

<p>http://energiser.bp.com/help.php?module=moodle&amp;file=insert file here</p>

<p>The site appears to use Moodle, a popular CMS platform, and is thus something else that could be looked at. However, <a href="http://www.xssed.com/mirror/67152/">holisticinfosec got there first</a>, and best, with an XSS-based iFrame injection:</p>

<pre><code>http://energiser.bp.com/login/index.php?lang=%22%3E%3Ciframe%20src=http://www.tampabay.com/multimedi
a/archive/00121/SP_322824_BORC_oilp_121445c.jpg%20width=450%20height=300%20frameborder=0%20scroll=no
%3E%3C/%3E%3C/;document.write%28unescape%28a.source%29%29;{//
</code></pre>

<p><div id="attachment_4071" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_xss1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_xss1.jpg" alt="" title="bp_xss" width="750" height="707" class="size-full wp-image-4071" /></a><p class="wp-caption-text">iFrame inclusion on a bp.com site.</p></div>
<br /></p>

<h3>Finally</h3>

<p>Is most of this nonsense from a hard-core security standpoint? Yes, to an extent. The XSS ought to be corrected, and dual-factor authentication on VPNs is kind of a must-have at this point.</p>

<p>Does BP need a security audit of their perimeter, web properties, online services used, and security policies? Also yes. Maybe schedule it after they plug that gushing oil geyser this August.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/">Newsweek Reports Zombie Invasion</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/">Congressional Web Site Defacements Follow the State of the Union</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">TechCrunched &#8211; TechCrunch the Victim of a Defacement</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/going-after-bp/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Congressional Web Site Defacements Follow the State of the Union</title>
		<link>http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/#comments</comments>
		<pubDate>Thu, 28 Jan 2010 09:46:14 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[congress]]></category>
		<category><![CDATA[redeye]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3236</guid>
		<description><![CDATA[Shortly after President Obama's State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama's 8th District), and Brian Baird (Washington's 3rd District) were presented with a defacement message from the Red Eye Crew that as of 4:10 am EST remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/US-Capitol.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/US-Capitol-150x150.jpg" alt="" title="US Capitol" width="75" height="75" class="alignleft size-thumbnail wp-image-3243" /></a></p>

<p>Shortly after President Obama&#8217;s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama&#8217;s 8th District), and Brian Baird (Washington&#8217;s 3rd District) were presented with a defacement message from the Red Eye Crew that as of 4:10 am EST remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.</p>

<h3>The Defacement</h3>

<p>The sites were defaced to simply show the following line of text:</p>

<pre><code>FUCK OBAMA!! Red Eye CREW !!!!! O RESTO E HACKER !!! by m4V3RiCk ; HADES ; T4ph0d4 -- FROM BRASIL
</code></pre>

<p><div id="attachment_3258" class="wp-caption alignleft" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/hacked.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/hacked.png" alt="Official web site for Representative John Barrow (D - GA)." title="hacked" width="750" height="398" class="size-full wp-image-3258" /></a><p class="wp-caption-text">Official web site for Representative John Barrow (D - GA).</p></div>
<br /></p>

<p>O RESTO E HACKER is Portuguese, roughly &#8220;The rest are hackers&#8221;.</p>

<h3>Affected Sites</h3>

<p>Here is a list of Congressional members&#8217; web sites that we noted were affected last night. The full list, 49 web sites, attached below as Appendix A, was released on the 28th.</p>

<pre><code>http://www.joewilson.house.gov/
http://bachus.house.gov/
http://www.baird.house.gov/
http://www.barrow.house.gov/
http://www.gonzalez.house.gov/
http://mcnerney.house.gov/
http://mikepence.house.gov/
http://driehaus.house.gov/
http://carson.house.gov/
http://campbell.house.gov/
http://doggett.house.gov/
http://coffman.house.gov/
http://www.kosmas.house.gov/
http://hersethsandlin.house.gov/
http://lujan.house.gov/
http://www.mccollum.house.gov/
http://teague.house.gov/
http://mitchell.house.gov/
http://www.roe.house.gov/
http://www.lofgren.house.gov/
http://carnahan.house.gov/
http://www.chrismurphy.house.gov/
http://hunter.house.gov/
http://olver.house.gov/
http://arcuri.house.gov/
http://tierney.house.gov/
</code></pre>

<p>A few committee sites were affected as well:</p>

<pre><code>http://republicans.financialservices.house.gov/
http://republicans.oversight.house.gov/
http://gop.cha.house.gov/
</code></pre>

<h3>Defaced Sites Normal Appearance</h3>

<p>Here are a few examples of what the now defaced sites normally look like:</p>

<p><div id="attachment_3245" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/bachus.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/bachus-300x191.png" alt="The Spencer Bachus site on better days." title="bachus" width="300" height="191" class="size-medium wp-image-3245" /></a><p class="wp-caption-text">The Spencer Bachus site on better days.</p></div>
<br /></p>

<p><div id="attachment_3246" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/gonzalez.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/gonzalez-300x191.png" alt="The Charles Gonzalez site on better days." title="gonzalez" width="300" height="191" class="size-medium wp-image-3246" /></a><p class="wp-caption-text">The Charles Gonzalez site on better days.</p></div>
<br /></p>

<h3>The RedEye Crew</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/redeye.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/redeye.png" alt="redeye" title="redeye" width="150" height="151" class="alignleft size-full wp-image-3254" /></a>
The Red Eye Crew has been around for a while and has thousands of web site defacements to its credit. One member, handle HADES, defaced 453 government sites in Brazil last August through a reported SQL injection. A quick review of the defacements captured at Zone-H <a href="http://www.zone-h.org/archive/notifier=Red%20Eye">shows 45,735 defacements</a>, primarily mass defacements. At one point they were doing tongue-in-cheek dedications to the memory of <a href="http://en.wikipedia.org/wiki/Elizabeth_B%C3%A1thory">Elizabeth Bathory</a>, a prolific female serial killer from the Middle Ages.</p>

<p>Last August, they defaced the web site of Old Dominion University with a message in Portuguese, supporting their being a Brazilian team. The team has also defaced a number of Brazilian web sites. Both points line up with the fact that they come right out and say they&#8217;re from Brazil.</p>

<h3>Not the First Time Around</h3>

<blockquote>
  <p>&#8220;those were default passwords, meant to be changed by the Representatives&#8217; offices.&#8221; <br />GovTrends</p>
</blockquote>

<p>As one of our readers astutely pointed out, these sites are managed by a third party provider called <a href="http://switch2govtrends.com/">GovTrends</a>, a Virginia web development company with the somewhat ironic phrase <i>&#8220;You get what you pay for&#8221;</i> on its web site. Last August at least 18 congressional member sites managed by the same vendor were defaced by Indonesian cracker <a href="http://www.zone-h.com/archive/notifier=3n_byt3">3n_byt3 (1164 defacements to his credit)</a>. According to GovTrends, that incident was the result of a login to the administrative portion of the sites with a default password, an explanation that appeared to deflect blame for the attack back onto House staffers.</p>

<p>This explanation actually makes little sense, because the defacer added a news item to each page stating: <i>H4ck3d by 3n_byt3 @ Indonesia H4ck3rs</i>. If he had full administrative access to the CMS platform, the defacement would have been a full page defacement, not an injection into a news item on the site. The problem was much more likely an SQL injection, potentially the <a href="http://securityreason.com/exploitalert/7501">Joomla Component News SQL Injection vulnerability</a>.</p>

<p><div id="attachment_3266" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/3n_byt3.JPG"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/3n_byt3.JPG" alt="Senator Edwards site defacement from last August." title="3n_byt3" width="750" height="321" class="size-full wp-image-3266" /></a><p class="wp-caption-text">Senator Edwards site defacement from last August.</p></div>
<br /></p>

<h3>And Then It Got Awkward</h3>

<blockquote>
  <p>&#8220;It is extremely important that my constituents can trust that information provided to my office is kept confidential and secure.&#8221; <br />Rep. Spencer Bachus</p>
</blockquote>

<p>After the attack in August Representative Spencer Bachus sent a letter to the CAO (Chief Administrative Officer) of the House, asking essentially for two things: actual details of the attack and a plan for notification of these incidents in the future, as shared with Brian Krebs.</p>

<p>You can read the full letter here: <a href='http://praetorianprefect.com/wp-content/uploads/2010/01/BachusLetter.pdf'>BachusLetter</a>.</p>

<p>In the letter he states <i>&#8220;GovTrends refused to provide copies of the logs of the intrusion&#8221;</i> and referred all questions to the HIR (House Information Resources), while at the same time telling the press the default password theory. It&#8217;s completely unclear why Representative Bachus, who appeared to be the only one publicly calling for a review of the logs by someone with forensics expertise, was denied the opportunity to do so.</p>

<p>The risk of a breach and defacement is borne fully by him, as the web site is in his name, so the request for a proper investigation by a computer forensics expert was the correct instinct in this scenario. Without a proper review of the August attack, followed by a web application vulnerability assessment, there was little hope of preventing future defacements such as the one today.</p>

<h3>So How Did They Get In?</h3>

<blockquote>
  <p>&#8220;Over the last year the House has continued aggressively fortifying its security systems.&#8221;<br />Jeff Ventura, CAO spokesman, August 7th, 2009</p>
</blockquote>

<p>Unfortunately, we won&#8217;t know that until someone who manages house.gov provides some details. Server-level access seems unlikely, because while the sites we checked are hosted on dcserver1.house.gov, not every site hosted on that server is defaced (for example, Congressman Joe Sestak&#8217;s web site was fine). The sites are not redirecting anywhere.</p>

<p>Congress members seem to be able to use different content management systems for updating their web sites. For example, Michelle Bachmann&#8217;s site uses a tool called <a href="http://www.fireside21.com">Fireside</a>, a content management system targeted towards members of Congress. That site returns firesideweb.house.gov as the server, whereas the defaced sites we checked return dcserver1.house.gov. All of the defaced sites we saw have one commonality, and that is that they are run on the <a href="http://www.joomla.org/">Joomla content management system</a>.</p>

<p>But not all of the Joomla CMS web sites are affected. For example, a comment tag indicates that the sites http://ellison.house.gov and http://kirkpatrick.house.gov are using Joomla, yet they were not defaced. This might indicate that a Joomla component is to blame, but that is just speculation.</p>

<p>Joomla has had its share of security vulnerabilities in the past (as <a href="http://osvdb.org/vendor/4358-joomla/1">shown in the OSVDB</a>). Don&#8217;t waste time discussing historical vulnerabilities in Joomla or its extensions, however: as with all popular, complex web content platforms, configuration by the web site operators matters, and it is their responsibility to ensure a patched installation with a secure configuration (for example, no default passwords). Only when an installation is fully updated and the cause is a zero day, or a vulnerability that was improperly reported because of a careless mistake, can the platform itself come into serious question.</p>

<p>Regardless, only the person who has access to the server the sites are running on and performs the forensic analysis will be able to tell exactly what happened. Hopefully they will release some sort of statement.</p>

<h3 id="updates">Updates &#8211; 1/28/09</h3>

<p>Representatives John Boehner and Nancy Pelosi want to know what happened, as detailed in a letter sent to the House CAO today:</p>

<pre><code>January 28, 2010

The Honorable Daniel P. Beard
Chief Administrative Officer
U.S. House of Representatives
Washington, DC 20515

Dear Mr. Beard:

We request that you initiate an immediate and comprehensive assessment of how hackers were able to 
deface the websites of nearly fifty House Members and Committees last night.

In the past, we jointly requested that your office review and tighten cybersecurity protections designed 
to ensure that congressional offices and committees are safeguarded from unauthorized intrusions. We 
appreciate the efforts you and your cybersecurity team have taken to tighten firewalls, as well as more 
recent efforts to ensure that official mobile communications devices are secure from hacking and other 
intrusions.

However, last night's actions indicate that further review of security procedures are needed. From initial 
reports, these intrusions appear to be related to one website vendor which has had previous security 
failures. While many Members have expressed satisfaction with the vendor in question, this is the second 
time in a year websites hosted and supported by this vendor have been compromised. We therefore request 
that your office work with the Committee on House Administration to review the security standards for House 
vendors and to assess whether this vendor, and others, have adhered to those standards. We also request 
that you take immediate action to protect against breaches of the House firewalls and to ensure website 
security of all House offices.

Thank you for your attention to this matter.

Sincerely,


NANCY PELOSI                      JOHN BOEHNER
Speaker                               Republican Leader

Cc: The Honorable Robert A. Brady
Chairman, Committee on House Administration

The Honorable Dan Lungren
Ranking Member, Committee on House Administration
</code></pre>

<p>SOURCE <a href="http://www.speaker.gov/newsroom/pressreleases?id=1523">Office of the Speaker of the House</a></p>

<hr />

<p>Some outlets are reporting that this was &#8220;an attack on the sites of Democrats&#8221;. Note that one of the first sites we saw defaced was that of Republican Congressman Joe Wilson from South Carolina. &#8220;You lie!&#8221; Nope, it&#8217;s true.</p>

<hr />

<p>SC Magazine <a href="http://www.scmagazineus.com/hackers-deface-49-us-house-websites/article/162576/">got a reaction</a> from Jeff Ventura, spokesman for the Office of the Chief Administrative Officer (CAO) in the U.S. House: <i>“None of the sites we host and manage internally at the House are impacted, it was through no action of ours that this breach occurred.”</i></p>

<p>The server appears to be the same as many of the other representatives&#8217; sites, so a full abdication of responsibility to the vendor, especially at this early stage without a statement from a qualified computer forensics resource, would seem to be inappropriate. Further, the question for the CAO as well as the affected members of Congress is why they stuck with the same vendor after the August breach and the subsequent refusal to provide a detailed analysis or logs that could be reviewed by a computer security expert. Finally, the organization with overall responsibility for information technology must regularly vet the vendors it uses.</p>

<hr />

<p>Then the Associated Press reported this:</p>

<p><i>Ventura says the vendor was performing an update and for a brief moment let its guard down. That was long enough to allow the hacker to penetrate the sites.</i></p>

<p>Without further information this makes little sense. It is a classic response to elevate the cracker by saying that they caught you in a moment of &#8216;letting your guard down&#8217;; further, the &#8220;we were upgrading systems&#8221; response is always thought better than the &#8220;a vulnerability was out there for x amount of time&#8221; response. What maintenance allowed a cracker to get in, and how did they happen to reach you in that short window? It does happen sometimes, but it&#8217;s unusual and usually still based on an IT error, even on sites that are under constant external probing by bad actors.</p>

<p>Further evidence would have to be provided for this to be an acceptably plausible theory of what happened, especially in light of the scant details and somewhat problematic explanation of the August attack.</p>

<hr />

<p>Ventura stated <a href="http://www.politico.com/news/stories/0110/32145.html">to Politico</a>:</p>

<p><i>&#8220;I think what you’re going to see going forward is an insistence to the adherence of policy, as opposed to just the suggestion that the policy standard has to be a certain level.”</i></p>

<p>This is actually somewhat similar to what was stated the last time around. If I&#8217;m a member of Congress whose reputation is being affected, at this point I&#8217;m calling for a computer forensics team from a reputable company to come in for an evaluation and tell me a reasonable theory of how this breach happened. Then I&#8217;m releasing a statement, identifying the expert firm I called in to do the evaluation, so that people understand that a serious investigation took place.  Further I&#8217;m getting a web vulnerability assessment done on the house.gov web properties. These two actions don&#8217;t offer any guarantee of perfect forward security, but they make a big difference.</p>

<p>At the same time GovTrends is being painted as stonewalling: <i>&#8220;GovTrends employees did not return multiple phone or email messages seeking comment.&#8221;</i> And Ventura states, “We’re discussing our options.”</p>

<hr />

<p>RedEye also defaced three Brazilian government web sites last night (addresses below) with the following message:</p>

<pre><code>Red Eye Crew! Owned by HADES &amp;&amp; m4V3R1ck
</code></pre>

<pre><code>www.cedasc.ba.gov.br 
www.cti.gov.br 
itapiranga.cti.gov.br 
</code></pre>

<hr />

<p>Finally, in a completely unrelated but somewhat coincidental circumstance, Joomla.org, the project homepage of the Joomla CMS used by the Congressional sites, was itself defaced by the same Red Eye Crew back in August of 2008.</p>

<pre><code>H A C K E D !

joomla.org owned!


Red Eye CREW

owned joomla.org =)

m4V3RiCk - W4n73d - _dDoS_

by m4v3rick

"That´s all Folks!!"
</code></pre>

<h3>Appendix A &#8211; Full list of Affected Sites</h3>

<pre><code>altmire.house.gov
arcuri.house.gov
bachus.house.gov
baird.house.gov
barrow.house.gov
bilirakis.house.gov
boccieri.house.gov
bright.house.gov
campbell.house.gov
carnahan.house.gov
carson.house.gov
charliewilson.house.gov
childers.house.gov
coffman.house.gov
dahlkemper.house.gov
davis.house.gov
doggett.house.gov
driehaus.house.gov
energycommerce.house.gov
gonzalez.house.gov
gop.cha.house.gov
hersethsandlin.house.gov
honda.house.gov
hunter.house.gov
joewilson.house.gov
kirk.house.gov
kosmas.house.gov
larson.house.gov
lipinski.house.gov
lofgren.house.gov
lujan.house.gov
mccollum.house.gov
mcnerney.house.gov
mikepence.house.gov
mitchell.house.gov
mollohan.house.gov
murphy.house.gov
murtha.house.gov
olver.house.gov
quigley.house.gov
republicans.financialservices.house.gov
republicans.oversight.house.gov
resourcescommittee.house.gov
roe.house.gov
schakowsky.house.gov
shea-porter.house.gov
teague.house.gov
tierney.house.gov
welch.house.gov 
</code></pre>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>Umm&#8230;TechCrunch? Defacement Two in 24 Hours</title>
		<link>http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 08:19:56 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[techcrunch]]></category>
		<category><![CDATA[wordpress]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3211</guid>
		<description><![CDATA[Less than 24 hours <a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">from the last web site defacement</a>, TechCrunch has been defaced again early this morning by the same cracker(s) responsible for yesterday's attack. Whatever preventative measures were taken yesterday (WordPress upgrade, HTTP authentication for wp-admin) have not blocked the attacker's access to modify TechCrunch's content, as this morning the attacker left a profane message on top of the homepage for Michael Arrington as well as a few media outlets like Yahoo and the BBC. At this point TechCrunch should perhaps be ensuring that there is no uploaded shell on the server the site is hosted on.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/logo1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/logo1.png" alt="logo" title="logo" width="150" height="150" class="alignleft size-full wp-image-3212" /></a></p>

<p>Less than 24 hours <a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">from the last web site defacement</a>, TechCrunch has been defaced again early this morning by the same cracker(s) responsible for yesterday&#8217;s attack. Whatever preventative measures were taken yesterday (WordPress upgrade, HTTP authentication for wp-admin) have not blocked the attacker&#8217;s access to modify TechCrunch&#8217;s content, as this morning the attacker left a profane message on top of the homepage for Michael Arrington as well as a few media outlets like Yahoo and the BBC. At this point TechCrunch should perhaps be ensuring that there is no uploaded shell on the server the site is hosted on.
</p>

<p><div id="attachment_3215" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/techcrunch_defaced2_2.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/techcrunch_defaced2_2.png" alt="The message greeting visitors to TechCrunch this morning." title="techcrunch_defaced2_2" width="750" height="450" class="size-full wp-image-3215" /></a><p class="wp-caption-text">The message greeting visitors to TechCrunch this morning.</p></div>
<br /></p>

<h3>The Message</h3>

<p>The message on the homepage above the content reads as follows:</p>

<pre><code>“So Arrington, how much did all the media coverage yesterday brought you in trough the welcome.html ad 
you forced people to? What a fucking retarded move was that you twat. You should be thanking me and 
sucking on my fucking ballsack for not deleting everyone on the box and publishing the mysql, if that’s
what you want O.K, I can do that. Also, you fucking dickwads from sites like Yahoo!, BBC and plenty 
more, where the FUCK do you see adult content on http://dupedb.com/ ???????? 
I mean honestly, are you fucktards also in just for the money?!?!?!”
</code></pre>

<p>The message is an apparent protest of TechCrunch&#8217;s decision to have the site lead in with a web advertisement before showing the homepage, and an objection to the characterization of the DupeDB.com web site as an adult content web site. The second objection is not totally without merit: the site is clearly a warez site with software, music, movies, and pornography, not a pornographic web site, which brings up other connotations. That&#8217;s not to suggest one is any better or worse than the other, just that &#8220;warez site&#8221; (underground distribution of pirated content) is a more apt description.</p>

<p>Links to DupeDB.com (91.121.221.39) are referenced again; the site is hosted in Roubaix, France by the ISP OVH Systems.</p>

<p><div id="attachment_3216" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/dupedb1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/dupedb1-300x214.jpg" alt="DupeDB.com" title="dupedb" width="300" height="214" class="size-medium wp-image-3216" /></a><p class="wp-caption-text">DupeDB.com</p></div>
<br /></p>

<h3>The Same Attackers?</h3>

<p>It&#8217;s just a reasonable guess, but the fact that the defacement now clearly references the first attack, and also questions why coverage of that attack described DupeDB.com as an adult content web site, would indicate that the purveyor of this site hosted in France is taking responsibility for the defacements.</p>

<h3>SQL Injection?</h3>

<p>There is a rumor based on details of an attack on another site, shoemoney.com, around the same time as TechCrunch, where HTML (a meta redirect tag) was injected that caused the site to redirect visitors to &#8220;a torrent web site&#8221;, which has not been specified. In that case the problem involved xmlrpc.php on the WordPress installation (the file providing the remote publishing interface). This file has been the subject of other security issues (unauthorized access, SQL injection) in the past.</p>

<p>But there is a key difference. Back in September, a privilege escalation bug was found using the xmlrpc.php file, but it required that a user register with the WordPress installation first. This is possible on shoemoney.com, but TechCrunch has user registrations in WordPress disabled. It could still be a totally new defect with xmlrpc.php, but the most recent defect we saw that&#8217;s out there (September time frame) would likely not have worked on TechCrunch.</p>

<h3>Shell?</h3>

<p>A mechanism some attackers use once they have gained access to a web site&#8217;s administrative console, or to the server, is to drop a web shell or backdoor so that they can regain access at a future date. It&#8217;s a somewhat common method of defacement: upload a shell, for example a PHP shell (although there are many types), that then allows the attacker to modify files, execute commands on the server, grab the database, and so forth.</p>

<p>While it is not a perfect example (and you probably want to kill the sound if you don&#8217;t speak Spanish), the video below from YouTube demonstrates an attacker having gained access to the WordPress administrative console (an older version, but the point holds), proceeding to the Appearance-Editor screen, and replacing an existing page in the site with the N3tShell (a larger screenshot of the shell is shown after the video). Once this php shell is installed, the attacker can browse the file system on the server, execute commands, and so forth through the shell depending on the file permissions.</p>

<p><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/8Ljdm0vOEbk&#038;hl=en_US&#038;fs=1&#038;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/8Ljdm0vOEbk&#038;hl=en_US&#038;fs=1&#038;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object>
<br />
<i>Credit darkfuneral89, this is not a Praetorian video</i></p>

<p><div id="attachment_3220" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/28042008135626defacedwetm7.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/28042008135626defacedwetm7-300x240.jpg" alt="N3T Shell, just an example as used in the YouTube video. Click to view a larger image." title="28042008135626defacedwetm7" width="300" height="240" class="size-medium wp-image-3220" /></a><p class="wp-caption-text">N3T Shell, just an example as used in the YouTube video. Click to view a larger image.</p></div>
<br /></p>

<p>It is important to note here that we are not saying that this is what happened, only that this or something similar is a possibility, taking into account the attacker&#8217;s repeat access, that this is a favored method for defacement, and that the attacker states he has access to the MySQL database. Other possibilities include the attacker having only WordPress access and lying about any further access, having access to the server at RackSpace, and so forth. We won&#8217;t know much more until TechCrunch is more forthcoming with details about the two attacks.</p>

<h3>Finally</h3>

<p>Obviously, updating the WordPress version on TechCrunch.com and implementing web server authentication on the wp-admin page did not do the trick of keeping this cracker out. In fact, while the server presents an HTTP authentication dialog, login attempts against the TechCrunch WordPress login screen are still possible after canceling out of the web server authentication dialog (the login box).</p>

<p>At this point if TechCrunch did the responsible thing yesterday and changed all the passwords of the user accounts on the box hosted by RackSpace as well as the WordPress application login credentials, they should potentially be looking for some sort of uploaded shell, because clearly the attacker is able to gain access at will. If they haven&#8217;t changed the access credentials, that might be a good first step. Another good first step would be looking for an admin account that doesn&#8217;t quite belong in WordPress.</p>

<p>Of note is that the attacker threatens to &#8220;delete everyone on the box&#8221; and publish the backend MySQL database, perhaps giving us a clue into his level of access into TechCrunch. Yesterday we speculated that it was the WordPress platform that was somehow compromised because of the application&#8217;s history of security problems and the quick WordPress upgrade TechCrunch appeared to perform (visible by viewing the version numbers shown on the <a href="http://www.techcrunch.com/readme.html">Readme.html file</a> that TechCrunch should be deleting after the install). This may still be the case, but the attacker seems to be stating he has gained access beyond the WordPress application by talking about the database. This access could still have gone through WordPress of course, via uploading a shell of some sort. If true, and it&#8217;s reasonably plausible given his continued access to TechCrunch, this rules out his having simply accessed the WordPress administrative portal and only modifying content.</p>

<p>We look forward to reading TechCrunch&#8217;s full analysis of what&#8217;s happening to their blog.</p>

<h3>Other Coverage Worth Reading</h3>

<ul>
<li><a href="http://www.sophos.com/blogs/gc/g/2010/01/27/techcrunch-hacked-intruders-pottymouthed">http://www.sophos.com/blogs/gc/g/2010/01/27/techcrunch-hacked-intruders-pottymouthed</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>TechCrunched &#8211; TechCrunch the Victim of a Defacement</title>
		<link>http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 09:36:43 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[defacement]]></category>
		<category><![CDATA[techcrunch]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3178</guid>
		<description><![CDATA[<a href="http://www.techcrunch.com">TechCrunch</a>, the popular blog founded by Michael Arrington in 2005 that profiles technology start ups with posts about their products and company news was the victim of a website defacement that has effectively taken the site down for a period of three hours at time of writing. The site initially went down a little after 1 AM EST with a message of "Hi" on the homepage, and for a while seesawed between coming back up, being newly defaced, and showing a "We'll be back shortly" message.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/logo.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/logo.png" alt="logo" title="logo" width="150" height="150" class="alignleft size-full wp-image-3179" /></a></p>

<p><a href="http://www.techcrunch.com">TechCrunch</a>, the popular blog founded by Michael Arrington in 2005 that profiles technology start-ups with posts about their products and company news, was the victim of a website defacement that has effectively taken the site down for a period of three hours at time of writing. The site initially went down a little after 1 am EST with a message of &#8220;Hi&#8221; on the homepage, and for a while seesawed between coming back up, being newly defaced, and showing a &#8220;We&#8217;ll be back shortly&#8221; message.</p>

<p>There is no word yet on how the attack took place; however, all appearances suggest that access was gained to the TechCrunch content itself rather than through a DNS redirect or something similar, as happened to <a href="http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/">Twitter</a> and <a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu</a> recently. The fact that TechCrunch uses the WordPress blog application has led to speculation that the problem may be an exploit in the popular blogging platform.</p>

<p>At 1:20 am EST TechCrunch was down with the message &#8220;Hi&#8221; on the homepage.</p>

<p><div id="attachment_3181" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/techcrunch-hacked-1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/techcrunch-hacked-1-300x45.jpg" alt="The first message showing up on TechCrunch." title="techcrunch-hacked-1" width="300" height="45" class="size-medium wp-image-3181" /></a><p class="wp-caption-text">The first message showing up on TechCrunch.</p></div>
<br /></p>

<p>It then showed this link:</p>

<p><div id="attachment_3182" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/techcrunch_hacked.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/techcrunch_hacked-300x133.png" alt="The first link to Dupedb.com as &#039;rapidshare downloads&#039;." title="techcrunch_hacked" width="300" height="133" class="size-medium wp-image-3182" /></a><p class="wp-caption-text">The first link to DupeDB.com as 'rapidshare downloads'.</p></div>
<br /></p>

<p>From there the site came back up briefly and went back to the &#8220;We&#8217;ll be back shortly&#8221; message.</p>

<p><div id="attachment_3183" class="wp-caption alignnone" style="width: 292px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/backsoon.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/backsoon.jpg" alt="We&#039;ll be back soon." title="backsoon" width="282" height="164" class="size-full wp-image-3183" /></a><p class="wp-caption-text">We'll be back soon.</p></div>
<br /></p>

<p>It was taken over again as shown below, then returned to the &#8220;We&#8217;ll be back shortly&#8221; message.</p>

<p><div id="attachment_3184" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/techcrunch.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/techcrunch-300x116.png" alt="Taken over again, this time with another link to dupedb.com." title="techcrunch" width="300" height="116" class="size-medium wp-image-3184" /></a><p class="wp-caption-text">Taken over again, this time with another link to dupedb.com.</p></div>
<br /></p>

<p>The site finally seemed to become stable after 3 am EST with a final message from TechCrunch on the homepage:</p>

<pre><code>Earlier tonight techcrunch.com was compromised by a security exploit.

We're working to identify the exploit and will bring the site back online shortly. 
</code></pre>

<h3>DupeDB.com</h3>

<p>The site (91.121.221.39) that the homepage was linked to appears to be a warez site hosted in Roubaix, France, by ISP OVH Systems. TechCrunch is of course hosted by Rackspace.com, which was recently in the news because of the role their servers played in the <a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">&#8216;Aurora&#8217; attack on Google</a>.</p>

<p>The word warez is a self-referential term in communities that deal with the underground distribution of pirated content (software, music, movies, etc.). The DupeDB site appears to be a torrent and rapidshare download site containing links to movies, music, cracked software, and so forth.</p>

<p><div id="attachment_3187" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/dupedb.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/dupedb-300x214.jpg" alt="Dupedb.com site." title="dupedb" width="300" height="214" class="size-medium wp-image-3187" /></a><p class="wp-caption-text">DupeDB.com site.</p></div>
<br /></p>

<p>DupeDB has its own <a href="http://twitter.com/dupedbt">Twitter account</a> and <a href="http://forums.dupedb.com/">online forum</a> as well.</p>

<h3>Other Attacks with DupeDB.com</h3>

<p>The attack directs to the same web site as a brief takeover of forums of the <a href="http://www.neowin.net">Neowin.net</a> technology news website on December 27th of last year. In that case, a Meta redirect was injected sending users from neowin.net to dupedb.com. The same issue also afflicted the <a href="http://www.flyertalk.com/forum/technical-issues/1032491-hijacked-dupedb-com.html">Flyertalk forum</a> on December 27th, and the <a href="http://www.sprintusers.com/forum/showthread.php?t=200022">Sprint Users forum</a> on December 15th.</p>

<p>The Meta tag redirect injected into Neowin.net&#8217;s forums:</p>

<pre><code>&lt;meta content="0; URL=http://dupedb.com/" http-equiv="Refresh"/&gt;
</code></pre>
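<p>An injected redirect like the one above is something a site owner can check for mechanically. The following Python script is an added example, not code from the original post or from any of the forums named: it parses a page's <code>&lt;meta http-equiv="Refresh"&gt;</code> tags and reports any whose destination is on a host other than the site's own, so a benign auto-reload or a same-site redirect is left alone. The HTML it scans is constructed for the example, with the Neowin tag quoted above dropped into it.</p>

```python
"""Flag meta-refresh tags that send visitors to another host.

Added example (not code from the original post). The sample page below is
constructed; only the dupedb.com tag is taken from the post.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# content="0; URL=http://example/" -> capture the URL part, if there is one.
# Tolerates upper/lower case, optional quotes and whitespace around the URL.
REFRESH_CONTENT = re.compile(
    r"^\s*\d+\s*(?:;\s*url\s*=\s*['\"]?\s*([^'\"\s]+))?", re.IGNORECASE
)


class MetaRefreshScanner(HTMLParser):
    """Collects the destination of every <meta http-equiv="refresh"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        # HTMLParser lowercases attribute names; values may be None.
        # Self-closing <meta .../> is routed here by handle_startendtag.
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = REFRESH_CONTENT.match(attr.get("content", ""))
        if match and match.group(1):
            self.targets.append(match.group(1))


def _host(url: str) -> Optional[str]:
    """Hostname of an absolute URL (without a leading www.), None if relative."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def find_offsite_redirects(html: str, site_host: str) -> List[str]:
    """Return redirect destinations whose host is not the site's own."""
    scanner = MetaRefreshScanner()
    scanner.feed(html)
    scanner.close()
    own = _host("http://" + site_host)
    # Relative targets (host None) and same-host targets are not redirects away.
    return [t for t in scanner.targets if _host(t) not in (None, own)]


# Constructed sample: a forum page with a benign auto-reload, two same-site
# redirects, and the injected tag quoted in the post.
SAMPLE_PAGE = """<html><head>
<title>Forum</title>
<meta http-equiv="Refresh" content="300">
<meta http-equiv="refresh" content="5; url=/forum/index.php">
<meta http-equiv="Refresh" content="0; url='http://www.neowin.net/forum/'">
<meta content="0; URL=http://dupedb.com/" http-equiv="Refresh"/>
</head><body><p>forum content</p></body></html>"""

if __name__ == "__main__":
    for url in find_offsite_redirects(SAMPLE_PAGE, "www.neowin.net"):
        print("off-site meta refresh ->", url)
```

<p>Fed the rendered HTML of a forum's landing page on a schedule and compared against the site's own hostname, this gives a cheap tripwire for exactly the kind of injection the three forums above saw; a zero-second refresh to an unrelated host has no legitimate reason to appear in a page you publish.</p>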

<h3>Finally</h3>

<p>No details have emerged on exactly how TechCrunch was taken over; from what we were able to see, the evidence does not suggest a DNS redirect. That said, TechCrunch uses WordPress (just like us), which a security professional once jokingly referred to as a dropper because of the number of security problems the platform has had. That&#8217;s hardly unique to WordPress: the platform is very much a victim of its own popularity, its inherent complexity as a publishing platform, and the fact that plugin integration is community driven and thus sometimes introduces security problems. These three things are all positives, but they do introduce security considerations.</p>

<p>Pursuing the theory of a possible WordPress issue, <a href="http://www.crunchgear.com">CrunchGear</a>, a site in the TechCrunch Network, has its <a href="http://www.crunchgear.com/readme.html">readme.html file</a> available, stating the WordPress version installed, and its /admin authentication page is accessible <a href="http://www.crunchgear.com/wp-login.php">here</a> for password guessing.</p>

<p>Now that TechCrunch is back up, we can see that their <a href="http://www.techcrunch.com/readme.html">readme file</a> is also available, as well as their <a href="http://www.techcrunch.com/wp-login.php">WordPress login screen</a> (which is awkwardly behind webserver authentication, but still accessible if you cancel out of the login dialogue). It&#8217;s entirely possible someone brute-forced the password; there are <a href="http://isc.sans.org/diary.html?storyid=7663">scripts available</a> to do this for WordPress.</p>

<p>Another question comes up as to whether TechCrunch just updated their WordPress install. According to security pro Dan Tentler, the WordPress version shown in the readme.html file was 2.8.4 earlier tonight. Now it reads 2.9.1, the current version of WordPress.</p>

<p>There&#8217;s no evidence that anyone involved with DupeDB is actually responsible for the attack; however, there is no real attribution in the defacement, and the links would drive traffic to the warez web site.</p>

<p>Either way, we expect TechCrunch, which has provided extensive coverage of other site compromises, to be just as up front in analyzing how their own site was cracked.</p>

<p>We&#8217;ll provide updates as they become available.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/">Newsweek Reports Zombie Invasion</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/going-after-bp/">Going After BP</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/">Congressional Web Site Defacements Follow the State of the Union</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Baidu.com the Latest Victim of Iranian CyberArmy</title>
		<link>http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/#comments</comments>
		<pubDate>Tue, 12 Jan 2010 03:11:23 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[defacement]]></category>
		<category><![CDATA[hacktivism]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2920</guid>
		<description><![CDATA[A group called the Iranian Cyber Army has, fresh off the heels of their <a href="http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/">DNS attack on Twitter</a> last month, hijacked the domain of Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that serves up over 740 million web pages along with music and video. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200mm. For about three hours they were an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/iraniancyberarmy.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/iraniancyberarmy-150x150.jpg" alt="iraniancyberarmy" title="iraniancyberarmy" width="150" height="150" class="alignleft size-thumbnail wp-image-2921" /></a></p>

<p>A group called the Iranian Cyber Army has, fresh off the heels of their <a href="http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/">DNS attack on Twitter</a> last month, hijacked the domain of Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that indexes over 740 million web pages for search and provides music and video content. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200mm. For about three hours they were an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.</p>

<p>Such digital attacks for political purposes are sometimes referred to as hacktivism, usually defined as “the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends”.</p>

<p>When we pinged it, baidu.com temporarily resolved to 174.121.0.7 in Houston, Texas, a host at ISP <a href="http://www.theplanet.com/">ThePlanet.com</a>. The domain normally resolves to hosts in Beijing, China, hosted by China Unicom (for example 202.108.22.5, which is back up now). It appeared last night that the defacement site was hosted at a couple of different places.</p>

<p>The site as it appeared for about three hours today:</p>

<p><div id="attachment_2925" class="wp-caption alignnone" style="width: 654px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/baidu_hacked.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/baidu_hacked.jpg" alt="The site served up at baidu.com earlier." title="baidu_hacked" width="644" height="745" class="size-full wp-image-2925" /></a><p class="wp-caption-text">The site served up at baidu.com earlier.</p></div>
<br /></p>

<p>Baidu.com as it normally appears:</p>

<p><div id="attachment_2926" class="wp-caption alignnone" style="width: 302px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/Baidu-July-2008.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/Baidu-July-2008.png" alt="Baidu.com, normally." title="Baidu-July-2008" width="292" height="205" class="size-full wp-image-2926" /></a><p class="wp-caption-text">Baidu.com, normally.</p></div>
<br /></p>

<p>Two other domain names are referenced on the page: cyberarmyofiran.com and ircarmy.com. The first, at IP 70.35.29.162, shows hosting by Netfirms in Markham, Ontario, Canada. The second, ircarmy.com, is at IP 69.147.83.188, showing hosting by Yahoo in Sunnyvale, California.</p>

<p>This is the same group responsible for <a href="http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/">the attacks on Twitter and mowjcamp.org</a> last month, Twitter having gone down for a while the evening of December 17th. During the attack on Twitter a bad actor used an id and password assigned to Twitter to log in to the administrative portal of managed DNS service provider Dyn.</p>

<h3>DNS Services</h3>

<p>At the time that Baidu.com was being redirected, we were seeing different SOA and NS results for the Baidu.com domain name depending on which resolver we asked. A simple script was used to look at this data:</p>

<pre><code>$ sh dnsbaidu.com
[baidu.com]----------------------
---[resolver.qwest.net]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
ns3.baidu.com.
ns2.baidu.com.
dns.baidu.com.
ns4.baidu.com.


---[4.2.2.2]---
---[SOA]---
---[NS]---


---[4.2.2.3]---
---[SOA]---
dns204.a.register.com. root.register.com. 2010011108 28800 7200 604800 14400
---[NS]---
dns050.c.register.com.
dns204.a.register.com.
dns010.d.register.com.
dns190.b.register.com.


---[8.8.8.8]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.


---[8.8.4.4]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.


---[208.67.222.222]---
---[SOA]---
ns1.coolhandle.com. server.pronethosting.net. 2010011101 86400 7200 3600000 86400
---[NS]---
ns2.coolhandle.com.
ns1.coolhandle.com.
</code></pre>

<p>We were seeing even more interesting results when using a DNS tool called <a href="http://www.squish.net/dnscheck/">Squishywishywoo</a>.  The results are below and I have attached the full output in: <a href="http://praetorianprefect.com/wp-content/uploads/2010/01/baidu-dnscheck.pdf" title="baidu-dnscheck.pdf">baidu-dnscheck.pdf</a></p>

<pre><code>50.0% of queries will be returned by 174.121.0.2 (ns2303.hostgator.com)
baidu.com.  86400   IN  SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
                    2010011202  ; Serial
                    86400   ; Refresh
                    7200    ; Retry
                    3600000 ; Expire
                    86400 ) ; Minimum TTL
50.0% of queries will be returned by 174.121.0.3 (ns2304.hostgator.com)
baidu.com.  86400   IN  SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
                    2010011202  ; Serial
                    86400   ; Refresh
                    7200    ; Retry
                    3600000 ; Expire
                    86400 ) ; Minimum TTL
</code></pre>

<p>Out of all the DNS results, only Google (8.8.8.8) and Qwest (resolver.qwest.net) return correct answers for Baidu&#8217;s NS records.  The others, OpenDNS (208.67.222.222), Level 3 (4.2.2.3 &amp; 4.2.2.2), and <a href="http://www.squish.net/dnscheck/">Squishywishywoo</a> returned incorrect results.</p>

<p>We are able to check for the correct expected results by looking at the WHOIS data provided by <a href="http://register.com">register.com</a>.  Register.com is the service that the Baidu.com domain was registered with and is the definitive authority for that domain.</p>

<pre><code>Registrant: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: 036f37850a14115101201f9483195f63@domaindiscreet.com


Registrar Name....: Register.com 
Registrar Whois...: whois.register.com 
Registrar Homepage: www.register.com 

Domain Name: baidu.com 
Created on..............: 1999-10-11 
Expires on..............: 2014-10-11 

Administrative Contact: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: 036f376a0a14115100199c0316d64ebb@domaindiscreet.com


Technical Contact: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: 036f37860a14115101c8a6d69ced14a8@domaindiscreet.com


DNS Servers: 
ns3.baidu.com
ns2.baidu.com
ns4.baidu.com
dns.baidu.com
</code></pre>

<p>In directly querying the listed authoritative servers with the dig command, we are able to display the data that the rest of the world <em>should</em> be seeing.</p>

<pre><code>dig @220.181.37.10 baidu.com SOA                                                                                       (~/tmp/new)

; &lt;&lt;&gt;&gt; DiG 9.6.0-APPLE-P2 &lt;&lt;&gt;&gt; @220.181.37.10 baidu.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;baidu.com.         IN  SOA

;; ANSWER SECTION:
baidu.com.      7200    IN  SOA dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200

;; AUTHORITY SECTION:
baidu.com.      86411   IN  NS  dns.baidu.com.
baidu.com.      86411   IN  NS  ns2.baidu.com.
baidu.com.      86411   IN  NS  ns3.baidu.com.
baidu.com.      86411   IN  NS  ns4.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com.      300 IN  A   202.108.22.220
ns2.baidu.com.      300 IN  A   61.135.165.235
ns3.baidu.com.      300 IN  A   220.181.37.10
ns4.baidu.com.      300 IN  A   220.181.38.10

;; Query time: 308 msec
;; SERVER: 220.181.37.10#53(220.181.37.10)
;; WHEN: Tue Jan 12 00:17:03 2010
;; MSG SIZE  rcvd: 202

</code></pre>

<p>The key thing to note is the SOA serial number <code>2010011101</code>. When a recursive DNS server such as Google&#8217;s 8.8.8.8 receives a request for Baidu.com and it does not have that data in its DNS cache, it will proceed down the DNS hierarchy to find the authoritative DNS server for the domain and request the needed data. The authoritative DNS server will return the requested data and the current serial number, which in this case is <code>2010011101</code>. The recursive DNS server will return the cached results, but after a timeout period it will go back to the authoritative DNS server, send the serial number it has in the cache, and ask if it needs an update on the data. The authoritative DNS server will then compare the request and its internal number to see if there needs to be an update.</p>

<p>The issue with this comes into play in our data above; OpenDNS&#8217;s results show an SOA serial number of <code>2010011101</code>, which is correct, but also contain the wrong NS server entries for Baidu.com.  When OpenDNS goes and asks the authoritative DNS server if it needs to update data it will be told no due to the matching SOA records; thus, it will continue returning bad DNS data until the authoritative DNS server changes the serial number.</p>

<p>With this data in mind, we would ascertain that the changes were initially made at the .com level, most likely through Register.com, to point the Baidu.com domain name to DNS servers controlled by the attackers. When we dug into the DNS records, Register&#8217;s had been corrected, but the cached bad records out on the other DNS servers still existed. While we can&#8217;t confirm this with certainty, the data found in DNS leads to this conclusion.</p>

<p>A recommendation to Baidu.com&#8217;s DNS administrators is to update their serial number to something higher than <code>2010011202</code>, as that is the highest serial number we have seen on any DNS server. This will force caching servers to update their records to the proper entries.</p>
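<p>The comparison described in this section, as an added example that is not the author's <code>dnsbaidu.com</code> script: a Python audit that reads the report format that script printed, compares every resolver's SOA serial and NS set with the authoritative answer from the dig query above, and separates the three failure modes seen here (no answer at all, a foreign delegation under the very same serial, and a different delegation with a different serial). It also returns the highest serial seen anywhere, which is the floor the recommended serial bump has to clear. The sample report is constructed from the values shown on the page; the 174.121.0.2 block is assembled here from the hostgator SOA that the dnscheck tool reported and its NS names are an assumption.</p>

```python
"""Audit recursive resolvers' SOA/NS answers for a zone against the
authoritative answer. Added example, not the author's dnsbaidu.com script;
it reads that script's report format so it runs offline on captured text."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Authoritative answer, as returned by dig @220.181.37.10 on the page.
AUTH_SERIAL = 2010011101
AUTH_NS = frozenset({"dns.baidu.com.", "ns2.baidu.com.", "ns3.baidu.com.", "ns4.baidu.com."})
SECTION = re.compile(r"^---\[(.+)\]---$")


@dataclass(frozen=True)
class ResolverView:
    source: str            # resolver that was queried
    mname: Optional[str]   # SOA primary server, None if no SOA came back
    serial: Optional[int]  # SOA serial, None if no SOA came back
    ns: FrozenSet[str]     # NS names the resolver handed out


def parse_report(text: str) -> List[ResolverView]:
    """Split the report into one ResolverView per ---[resolver]--- block."""
    views: List[ResolverView] = []
    source = section = mname = None
    serial = None
    ns = set()

    def flush() -> None:
        if source is not None:
            views.append(ResolverView(source, mname, serial, frozenset(ns)))

    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m and m.group(1) in ("SOA", "NS"):
            section = m.group(1)
        elif m:
            flush()  # a new resolver block starts
            source, section, mname, serial, ns = m.group(1), None, None, None, set()
        elif line and section == "SOA":
            fields = line.split()  # mname rname serial refresh retry expire minimum
            mname, serial = fields[0], int(fields[2])
        elif line and section == "NS":
            ns.add(line)
    flush()
    return views


def classify(view: ResolverView) -> str:
    """Compare one resolver's answer with the authoritative one."""
    if view.serial is None and not view.ns:
        return "no-answer"
    if view.ns == AUTH_NS and view.serial == AUTH_SERIAL:
        return "consistent"
    if view.serial == AUTH_SERIAL:
        # Correct serial but foreign delegation: the OpenDNS case in the post,
        # which no check that compares serials alone will notice.
        return "stale-same-serial"
    return "divergent"


def audit(text: str) -> Dict[str, str]:
    return {v.source: classify(v) for v in parse_report(text)}


def highest_serial(text: str) -> int:
    """Highest serial seen anywhere; a corrected zone needs to exceed it."""
    return max(v.serial for v in parse_report(text) if v.serial is not None)


# Constructed sample in the report format. The first three blocks carry the
# values shown on the page; the 174.121.0.2 block is built here from the
# hostgator SOA that dnscheck reported (its NS names are assumed).
SAMPLE_REPORT = """
---[resolver.qwest.net]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
ns3.baidu.com.
ns2.baidu.com.
dns.baidu.com.
ns4.baidu.com.
---[4.2.2.2]---
---[SOA]---
---[NS]---
---[208.67.222.222]---
---[SOA]---
ns1.coolhandle.com. server.pronethosting.net. 2010011101 86400 7200 3600000 86400
---[NS]---
ns2.coolhandle.com.
ns1.coolhandle.com.
---[174.121.0.2]---
---[SOA]---
ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. 2010011202 86400 7200 3600000 86400
---[NS]---
ns2303.hostgator.com.
ns2304.hostgator.com.
"""

if __name__ == "__main__":
    for resolver, verdict in audit(SAMPLE_REPORT).items():
        print(f"{resolver:20} {verdict}")
    print("bump the zone serial above", highest_serial(SAMPLE_REPORT))
```

<p>The stale-same-serial bucket is the one worth watching: a resolver that reports the correct serial alongside someone else's name servers looks healthy to anything that only compares serials, so the audit keys on the NS set and treats the serial as secondary evidence.</p>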

<h3>Translation of the Text</h3>

<p>The text is Persian and translates roughly to:</p>

<pre><code>"Iranian (Persian) Cyber Army, is formed (and is on the move), in protest for the meddling of the foreign and
 Zionist sites in our country's domestic affairs and broadcasting of false news and inciting of conflict."
</code></pre>

<p>The text in the middle says &#8220;Dear Hussein&#8221;, perhaps in reference to <a href="http://en.wikipedia.org/wiki/Imam_Hussein">Imam Hussein</a>.</p>

<p>This is a similar sentiment to the messages present in the attack on Twitter.</p>

<h3>Baidu</h3>

<p>The name Baidu comes from an 800-year-old Chinese poem written during the Song Dynasty. The poem compares the search for retreating beauty amid chaotic glamor with the search for one’s dream impeded by life’s obstacles. And we have ‘Google’.</p>

<h3>Finally</h3>

<p>While pressured to intervene as a response to Iran&#8217;s nuclear ambitions, China has for the most part stayed clear of speaking out on the subject. Businesses in China have served as intermediaries for products imported from Iran that are then shipped to U.S. firms, in violation of U.S. economic sanctions against Iran.  For these reasons, it is unclear how attacking a Chinese search engine fits into the strategy of this hacktivist pro-Iranian government group. It may have just been that baidu.com was an opportunity to spread their message on a high profile web site.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/">Newsweek Reports Zombie Invasion</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/going-after-bp/">Going After BP</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/">Congressional Web Site Defacements Follow the State of the Union</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">TechCrunched &#8211; TechCrunch the Victim of a Defacement</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>We shall strike if the leader orders: Twitter Struck by Iranian Cyber Army</title>
		<link>http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/#comments</comments>
		<pubDate>Thu, 17 Dec 2009 16:32:07 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2500</guid>
		<description><![CDATA[At some time around 10 pm on Thursday, users going to Twitter.com were served the page below with a banner reading "This site has been hacked by the Iranian Cyber Army". Also, mowjcamp.org, a site for supporters of Mir-Hossein Mousavi Khameneh, a candidate who ran against Mahmoud Ahmadinejad in the 2009 Iranian presidential election, has been serving a similar defacement since at least December 16th and continues to do so. The motive appears to be activism in support of Iran's current Islamic regime. The attack vector was a bad actor using an id and password assigned to Twitter to log in to the <a href="https://dyn.com/user">administrative portal</a> of managed DNS service provider <a href="http://dyn.com/">Dyn</a>.]]></description>
			<content:encoded><![CDATA[<p>Fully updated: 12/18/09</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/iran_thumbnail.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/iran_thumbnail-150x150.jpg" alt="iran_thumbnail" title="iran_thumbnail" width="150" height="150" class="alignleft size-thumbnail wp-image-2501" /></a></p>

<p>At some time around 10 pm on Thursday, users going to Twitter.com were served the page below with a banner reading &#8220;This site has been hacked by the Iranian Cyber Army&#8221;. Also, mowjcamp.org, a site for supporters of Mir-Hossein Mousavi Khameneh, a candidate who ran against Mahmoud Ahmadinejad in the 2009 Iranian presidential election, has been serving a similar defacement since at least December 16th and continues to do so. The motive appears to be activism in support of Iran&#8217;s current Islamic regime. The attack vector was a bad actor using an id and password assigned to Twitter to log in to the <a href="https://dyn.com/user">administrative portal</a> of managed DNS service provider <a href="http://dyn.com/">Dyn</a>.</p>

<p><div id="attachment_2502" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Twitteriran.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Twitteriran-300x298.jpg" alt="The page served to users visiting twitter.com as it appeared earlier." title="Twitteriran" width="300" height="298" class="size-medium wp-image-2502" /></a><p class="wp-caption-text">The page served to users visiting twitter.com as it appeared earlier.</p></div>
<br /></p>

<p>Twitter actually had <a href="http://www.nytimes.com/external/idg/2009/06/18/18idg-twitter-plays-key-role-in-dos-attacks-in-iran-33328.html">a prominent role</a> in protests following the disputed Iranian presidential elections, and was a key source for Iranian citizens to both receive and disseminate information during the country&#8217;s widespread protests. The targeting of both the opposition candidate and the Twitter platform thus looks tied to the period following the election. Such digital attacks for political purposes are sometimes referred to as <a href="http://en.wikipedia.org/wiki/Hacktivism">hacktivism</a>, usually defined as &#8220;the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends&#8221;.</p>

<p>The site description in Google which temporarily indexed Twitter with the defacement seems to confirm this motive. The text reads: “In the name of God, As an Iranian this is a reaction to Twitter’s interference sly which was U.S. authorities ordered in the internal affairs of my country…”.</p>

<p><div id="attachment_2505" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/google-twitter.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/google-twitter-300x170.png" alt="Google&#039;s short lived indexing of the defaced twitter.com." title="google-twitter" width="300" height="170" class="size-medium wp-image-2505" /></a><p class="wp-caption-text">Google's short lived indexing of the defaced twitter.com.</p></div>
<br /></p>

<p>The page contains an e-mail address (I guess the &#8220;Iranian Cyber Army&#8221; is accepting feedback), an image of a flag with Arabic words, and an English message at the bottom as follows:</p>

<pre><code>U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And 
Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST ;)
Take Care.
</code></pre>

<p>We think it&#8217;s nice they asked us to take care.</p>

<h3>Attack Vector</h3>

<p>Twitter uses a hosted managed DNS service from <a href="http://dyn.com/dynect">Dyn, Inc</a>, a New Hampshire firm, for their domain names. According to <a href="http://www.who.is/domain_archive-com/twitter.com/">WHO.IS</a>, they have been using this service since February of 2009. Dyn&#8217;s Chief Technology Officer, Tom Daly, has stated that someone using a “set of valid Twitter credentials” made the DNS changes that affected Twitter.</p>

<p>So they would have logged in here:</p>

<p><div id="attachment_2544" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Screen-shot-2009-12-18-at-3.32.08-PM1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Screen-shot-2009-12-18-at-3.32.08-PM1-300x133.png" alt="Dyn Login Screen" title="Screen-shot-2009-12-18-at-3.32.08-PM" width="300" height="133" class="size-medium wp-image-2544" /></a><p class="wp-caption-text">Dyn Login Screen</p></div>
<br /></p>

<p>Then they would have been presented a page like this (here&#8217;s ours as an example, all public information), and could modify where the domain name points:</p>

<p><div id="attachment_2545" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Screen-shot-2009-12-18-at-5.38.30-PM.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Screen-shot-2009-12-18-at-5.38.30-PM-300x164.png" alt="Example screen where DNS records are edited." title="Screen shot 2009-12-18 at 5.38.30 PM" width="300" height="164" class="size-medium wp-image-2545" /></a><p class="wp-caption-text">Example screen where DNS records are edited.</p></div>
<br /></p>

<h3>Dyn Responds</h3>

<ul>
<li><i>&#8220;It was not a failing on our systems whatsoever.&#8221; </i>

<ul>
<li>Tom Daly, Dyn CTO</li>
</ul></li>
<li><i>&#8220;This was not an unauthorized breach of our system.&#8221;</i></li>
<li>On Twitter&#8217;s explanation <i>&#8220;It will fully exonerate us, that&#8217;s one thing I can say,&#8221;</i></li>
<li>On whether Twitter&#8217;s credentials were stolen by hackers: <i>&#8220;You&#8217;ll have to read between the lines,&#8221;</i>

<ul>
<li>Kyle York, Dyn VP of Marketing</li>
</ul></li>
</ul>

<p>Well, those are examples of a strong statement combined with playing semantics. Dyn hosts DNS for a number of major web properties such as ArcSight, Zappos, Subway, British Telecom and others. While many other managed DNS services do the same thing, requiring only a web form with id and password authentication is probably not a good way to protect DNS records.</p>

<p>As an example of where to go from here, the online video game World of Warcraft has $6.50 physical one-time password (OTP) tokens that players use to authenticate in order to play:</p>

<p><div id="attachment_2547" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/blizzard_authenticator-222x300.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/blizzard_authenticator-222x300-150x150.jpg" alt="OTP token to authenticate, to World of Warcraft." title="blizzard_authenticator-222x300" width="150" height="150" class="size-thumbnail wp-image-2547" /></a><p class="wp-caption-text">OTP token to authenticate, to World of Warcraft.</p></div>
<br /></p>

<p>Many of you log into your corporate virtual private networks with similar OTP tokens, issued by firms such as RSA.</p>

<p>So your company protects its internal network with dual factor authentication. Many web sites and web services such as World of Warcraft or eTrade protect the individual user with the same. Why doesn&#8217;t Twitter require its managed DNS provider to protect the primary product of a company with a $1 billion valuation with the same?</p>

<p>We&#8217;ve also asked Dyn twice for the GeoIP location of the attacker who used Twitter&#8217;s credentials to update the DNS entry, without response.</p>

<h4>How did they get Twitter&#8217;s Login for the Site?</h4>

<p>I don&#8217;t know, and there&#8217;s been a lot of speculation. But if we look for evidence that something has changed, DynStatus reported on Friday that &#8220;due to increased security concerns&#8230;we have disabled access to our e-mail based password reset system, to prevent compromise of customer login credentials via e-mail systems.&#8221;</p>

<p>So potentially the password reset function was subverted, either by someone having access to the e-mail account at Twitter to which password reset e-mails are sent, or by a subversion of the password reset functionality on the web site itself.</p>

<p><div id="attachment_2548" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/dyn_status.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/dyn_status-300x169.jpg" alt="E-mail based password resets suspended, as of today, by Dyn." title="dyn_status" width="300" height="169" class="size-medium wp-image-2548" /></a><p class="wp-caption-text">E-mail based password resets suspended, as of today, by Dyn.</p></div>
<br /></p>

<p>Was e-mail access absolutely required to subvert a password reset? Of course not. As an example, the site has some of the source HTML usually associated with sites built with the Drupal CMS, which has had past issues with attacks on its password reset function: <a href="http://www.securityhome.eu/exploits/exploit_pdf.php?eid=127727419649b1ab314e5984.24334605">drupal-passwdxss.txt</a>. We&#8217;re not saying that&#8217;s what this is, but we are saying that until Twitter comes forward, no one knows whether a Twitter staff e-mail account was compromised.</p>

<h3>What&#8217;s the Flag Say?</h3>

<p>Relying on the translations of others (we don&#8217;t speak Arabic or Farsi), the flag contains a message of &#8220;<a href="http://en.wikipedia.org/wiki/Hezbollah">Hezbollah</a> is victorious&#8221; at the top, referring to the paramilitary organization in Lebanon supported by Iran which in 2006 engaged in a 34-day military conflict with Israel.</p>

<p>The next word is the name of the third Shi&#8217;i Imam, <a href="http://en.wikipedia.org/wiki/Imam_Husayn">Imam Husayn</a>.  Finally at the bottom there is a poem that reads: &#8220;We shall strike if the leader orders, we shall lose our heads if the leader wishes.&#8221;</p>

<p>Based on the material displayed, there is speculation that the cracker or crackers are part of a Shiite group.</p>

<h3>Twitter.com Serving the Page from the Wrong IP</h3>

<p>At some point during last night&#8217;s defacement people started noting that the content for the domain twitter.com was being served from IP address 66.147.242.88. This IP address is tied to Bluehost and according to GeoIP is a web server in Provo, Utah. The IP is still hosting a similar defacement page at the time of writing at: <a href="http://66.147.242.88/~twitter9/index.htm">http://66.147.242.88/~twitter9/index.htm</a>.</p>

<p><div id="attachment_2503" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/twitter9.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/twitter9-300x240.jpg" alt="Page returned from http://66.147.242.88/~twitter9/index.htm." title="twitter9" width="300" height="240" class="size-medium wp-image-2503" /></a><p class="wp-caption-text">Page returned from http://66.147.242.88/~twitter9/index.htm.</p></div>
<br /></p>

<p>This version has a few sentences in Farsi at the bottom instead of the English message; Google translates this as:</p>

<pre><code>Name of God
As an Iranian response to this intervention sly server command in the internal affairs of my country
 and American authorities)
This site is a warning Hk
</code></pre>

<p>If any native speakers who can read this want to help us with the translation, the comments are open below.</p>

<h3>The Attack &#8211; Theories from Last Night Worth Explaining</h3>

<h4>DNS Cache Poisoning?</h4>

<p>Twitter&#8217;s Biz Stone put out an update <a href="http://blog.twitter.com/2009/12/dns-disruption.html">on their blog</a> indicating that Twitter&#8217;s DNS records &#8220;were temporarily compromised&#8221;. That led to speculation that the culprit was <a href="http://en.wikipedia.org/wiki/DNS_cache_poisoning">DNS Cache Poisoning</a>. An explanation of DNS Cache Poisoning could easily make its own blog post, so we&#8217;ll keep it brief here.</p>

<p>Essentially a domain name server translates a domain name (www.google.com) into the IP address used to find the requested resource hosted on the Internet. Usually name servers rely on data served by the authoritative Domain Name System servers, basically a hierarchy of who listens to whom. When a bad actor (or possibly an unintended mistake) is able to provide bad data to a caching name server, that name server is considered poisoned. That data is cached for future requests, but now may contain a record that diverts a domain name (www.google.com) to an IP address not owned by Google but rather by the bad actor.</p>

<p>A cache is a duplicate copy of original data stored elsewhere, kept to speed up repeated requests for the same resource. Confused? There is a decent video below explaining an attack scenario where the DNS server receives a lookup request from a bad actor, who then floods the DNS server with bad name resolution data. The bad resolution of the domain is saved in the cache, and future users are sent to the wrong IP address. For example, it may send requests for twitter.com to an IP address in Utah serving up Iranian political propaganda.</p>

<h3>Basic Explanation of DNS Cache Poisoning</h3>

<p>Check Point put out a video last year that gives a very high level explanation of what happens in a DNS Cache Poisoning attack. If you&#8217;re not familiar with this type of attack, it might be useful:</p>

<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/1d1tUefYn4U&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/1d1tUefYn4U&#038;hl=en_US&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>

<h4>DNS Hijacking?</h4>

<p>Another site suggested the problem might be DNS Hijacking. A DNS server is essentially used to translate domain names to IP addresses, because domain names are easier to remember when accessing Internet connected resources. While most users depend on DNS servers hosted by their ISP and in turn downstream providers, it is possible for a bad actor to host a rogue DNS server, point the domains of legitimate web sites to IP addresses hosting a bogus web site, and attempt, via malicious code on the PC, to change the user&#8217;s DNS server assignment. When a bad actor attempts to redirect users from a legitimate web site to a bogus one, it&#8217;s usually referred to as pharming.</p>

<h3>mowjcamp.org</h3>

<p>Recall we mentioned earlier that Twitter is the second site we&#8217;re aware of to be defaced in the same way. The site <a href="http://mowjcamp.com/">mowjcamp.org</a>, a political rally web site supporting former Iranian opposition candidate <a href="http://en.wikipedia.org/wiki/Mir-Hossein_Mousavi#2009_Presidential_election">Mir-Hossein Mousavi Khameneh</a>, is, at the time of writing, actively serving a defacement page similar to the one that was on Twitter from this IP address: 66.147.244.182. This IP is also associated with the ISP Bluehost, and GeoIP also points back to Provo, Utah for its location.</p>

<p>The first screenshot is what mowjcamp.org is supposed to look like, and can be viewed directly at the IP address: <a href="http://174.129.25.248">http://174.129.25.248</a>.</p>

<p><div id="attachment_2507" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/mawjcamporg21.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/mawjcamporg21-300x239.jpg" alt="What mowjcamp.org is supposed to look like." title="mawjcamporg2" width="300" height="239" class="size-medium wp-image-2507" /></a><p class="wp-caption-text">What mowjcamp.org is supposed to look like.</p></div>

<div id="attachment_2508" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/mawjcamporg1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/mawjcamporg1-300x239.jpg" alt="What mowjcamp.org looks like now." title="mawjcamporg1" width="300" height="239" class="size-medium wp-image-2508" /></a><p class="wp-caption-text">What mowjcamp.org looks like now.</p></div>

<h3>Twitter Responds</h3>

<p>So as we mentioned earlier Twitter had this to say last night:</p>

<pre><code>12/17/09 11:43 PM
As we tweeted a bit ago, Twitter's DNS records were temporarily compromised tonight but have now been fixed.
 As some noticed, Twitter.com was redirected for a while but API and platform applications were working. 
We will update with more information and details once we've investigated more fully.
</code></pre>

<p>And then today posted this update:</p>

<pre><code>12/18/09 1:33 PM
Update on Last Night's DNS Disruption
Domain Name System or DNS is an Internet protocol used to translate IP addresses into domain names so 
instead of typing in a long string of numbers we can enter urls like www.twitter.com into a browser to visit 
our favorite web sites. Last night, DNS settings for the Twitter web site were hijacked. 
From 9:46pm to 11pm PST, approximately 80% of Traffic to Twitter.com was redirected to other web sites. 
We tweeted, blogged, and updated our status page last night.

During the attack, we were in direct contact with our DNS provider, Dynect. We worked closely to reset our 
DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, 
not aimed at users—we don't believe any accounts were compromised. If you're concerned that your 
account could have been affected in some way, feel free to contact us, accountsafe [at] twitter.com.
</code></pre>

<p>As is always the case, the updates are short on meaningful information, providing a review of what we already read elsewhere, leaving out any indication of how the bad actor or actors got the login credentials for Dyn, and not providing any indication on what might be corrected to prevent this going forward.</p>

<h3>Bluehost Responds</h3>

<p><i>Bluehost discovered that Twitter.com had been the victim of a DNS compromise and, further, that the attackers had redirected some of the Twitter traffic to an account hosted on Bluehost servers. This customer account on BlueHost was set up using a stolen identity and credit card, as determined by the Bluehost verification department. The Bluehost abuse department immediately terminated this account. Contact was made by Bluehost to law enforcement agents to assist in all ongoing investigations.</i></p>

<p>It is somewhat strange that their monitoring did not notice a web site that went from zero to millions of visits in minutes.</p>

<h3>Hysteria</h3>

<p>The coverage coming out of this incident is riotous:</p>

<p><i>Thursday night&#8217;s cyber attack against the Twitter microblogging service was no routine assault to bring down a website. It was a sophisticated online blitz – perhaps part of an online Iranian cybercampaign – that could prove costly for social media networks.</i></p>

<p><a href="http://www.csmonitor.com/Money/2009/1218/Iranian-hacker-attack-What-will-it-cost-Twitter">http://www.csmonitor.com/Money/2009/1218/Iranian-hacker-attack-What-will-it-cost-Twitter</a></p>

<p>Ah yes, the blitzkrieg online cyberwar has begun. Let me get my hat. If by sophisticated you mean &#8220;is able to use a web site&#8221; and &#8220;knows how to use &#8216;whois&#8217;&#8221; then yes, a highly sophisticated assault.</p>

<p><i>The attack last night on Twitter was clear retribution for the role that the service played during the [post-Iran election] 
demonstrations, and the role that it continues to play today. We have spoken to a number of sources overnight who have 
told us that the Iranian Cyber Army, unlike other groups with similar national monikers, is a group name that is to be taken 
literally ie. it is an Iranian government group. Little is known about how the group operates, but previous attempts to shut 
off Iranian citizens from Twitter and other web services demonstrate that Iran has the capability and will to use almost any 
means to control the flow of information on the web both within and outside of its own borders. </i></p>

<p><a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/12/18/AR2009121801982.html">http://www.washingtonpost.com/wp-dyn/content/article/2009/12/18/AR2009121801982.html</a></p>

<p>Do these sources have names or credibility of any kind? Because while this could be a government sponsored group, it could be a pissed off Islamic kid, a group of guys who communicate in an Arabic hacking forum, or any number of things.</p>

<p><i>In a web war, Iran has demonstrated that almost nobody is immune, the battlefield is level and it is not afraid to fire the first big shots in full view of the entire world.</i></p>

<p><a href="http://www.techcrunch.com/2009/12/18/twitter-dns-attack-iran/">http://www.techcrunch.com/2009/12/18/twitter-dns-attack-iran/</a></p>

<p>Are we in a web war with Iran? Because no one has one iota of proof yet that this is an Iranian government sponsored group. For reference, the battlefield is not level if we are in a war: the U.S. dependence on technology is far greater than that of Iran. If they&#8217;re ready to step up beyond logging in to an accessible web portal and changing a DNS entry at a managed DNS provider, they could really cause a lot of trouble.</p>

<p><i>With a large-scale attack on a popular global web service, it is the first time that cyber attacks have been used as part of a propaganda campaign to propel the global political agenda of a foreign government.</i></p>

<p><a href="http://www.techcrunch.com/2009/12/18/twitter-dns-attack-iran/">http://www.techcrunch.com/2009/12/18/twitter-dns-attack-iran/</a></p>

<p>Really? I could have sworn I&#8217;ve seen <a href="http://www.scmagazineus.com/web-defacements-escalate-as-israel-moves-farther-into-gaza/article/123542/">web sites defaced for political propaganda purposes before</a>.</p>

<h3>The HTML</h3>

<p>Since these sites may be taken down at any point, if you want to do further research, here is the HTML that was being returned from the defaced web site:</p>

<pre><code>&lt;html&gt;

&lt;head&gt;
&lt;meta http-equiv="Content-Language" content="en-us"&gt;
&lt;meta http-equiv="Content-Type" content="text/html; charset=windows-1252"&gt;
&lt;title&gt;..:: This Web Site Has Been Hacked By Iranian Cyber Army ::.. &lt;/title&gt;
&lt;/head&gt;

&lt;body bgcolor="#000000"&gt;

&lt;p align="center"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p align="center"&gt;&lt;img border="0" src="index.6.gif"&gt;&lt;img border="0" src="index.2.gif"&gt;&lt;img border="0" 
src="index.7.gif"&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;img border="0" src="index.8.gif"&gt;&lt;/p&gt;
&lt;p align="center"&gt;
&lt;a href="mailto:iranian.cyber.army@gmail.com?subject=Mowjcamp"&gt;
&lt;img border="0" src="index.5.gif"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p align="center"&gt;&lt;img border="0" src="index.3.jpg" width="43%" height="106%"&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;font face="Tahoma" size="2"&gt;&lt;b&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/b&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;&lt;font face="Tahoma" size="2" color="#FFFFFF"&gt;nbsp;
&amp;#1576;&amp;#1606;&amp;#1575;&amp;#1605; &amp;#1582;&amp;#1583;&amp;#1575;&lt;br&gt;
&amp;#1576;&amp;#1607; &amp;#1593;&amp;#1606;&amp;#1608;&amp;#1575;&amp;#1606; &amp;#1740;&amp;#1705; 
&amp;#1575;&amp;#1740;&amp;#1585;&amp;#1575;&amp;#1606;&amp;#1740; &amp;#1583;&amp;#1585; &amp;#1662;&amp;#1575;&amp;#1587;&amp;#1582; 
&amp;#1576;&amp;#1607; &amp;#1583;&amp;#1582;&amp;#1575;&amp;#1604;&amp;#1578; &amp;#1607;&amp;#1575;&amp;#1740; 
&amp;#1588;&amp;#1740;&amp;#1591;&amp;#1606;&amp;#1578; &amp;#1570;&amp;#1605;&amp;#1740;&amp;#1586; &amp;#1575;&amp;#1740;&amp;#1606; 
&amp;#1587;&amp;#1585;&amp;#1608;&amp;#1740;&amp;#1587; &amp;#1583;&amp;#1607;&amp;#1606;&amp;#1583;&amp;#1607; &amp;#1576;&amp;#1607; 
&amp;#1583;&amp;#1587;&amp;#1578;&amp;#1608;&amp;#1585; 

&amp;#1605;&amp;#1602;&amp;#1575;&amp;#1605;&amp;#1575;&amp;#1578; 
&amp;#1570;&amp;#1605;&amp;#1585;&amp;#1740;&amp;#1705;&amp;#1575;&amp;#1740;&amp;#1740; &amp;#1583;&amp;#1585; 
&amp;#1575;&amp;#1605;&amp;#1608;&amp;#1585; &amp;#1583;&amp;#1575;&amp;#1582;&amp;#1604;&amp;#1740; 
&amp;#1705;&amp;#1588;&amp;#1608;&amp;#1585;&amp;#1605; )&amp;nbsp; &lt;br&gt;
&amp;#1575;&amp;#1740;&amp;#1606; &amp;#1587;&amp;#1575;&amp;#1740;&amp;#1578; &amp;#1576;&amp;#1607; 
&amp;#1593;&amp;#1606;&amp;#1608;&amp;#1575;&amp;#1606; &amp;#1607;&amp;#1588;&amp;#1583;&amp;#1575;&amp;#1585; &amp;#1607;&amp;#1705; 
&amp;#1605;&amp;#1740; &amp;#1588;&amp;#1608;&amp;#1583; &lt;br&gt;

&amp;nbsp;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;

&lt;/body&gt;

&lt;/html&gt;
</code></pre>

<h3>Finally</h3>

<p>Although Twitter&#8217;s security posture has been a well publicized running disaster, this particular circumstance doesn&#8217;t really fall under the same category as previous problems because this was an attack outside of the Twitter infrastructure itself. TechCrunch threw something out there about changing your passwords, always a good practice, but your password was probably not at risk during this attack.</p>

<p>Who says the crackers&#8217; only motivation is money these days?</p>

<p>Critical services such as DNS, BGP Routers, and any service that can single-handedly take down your entire company should be protected by two-factor authentication.  Looking at Dyn&#8217;s login page on the website, it appears the service uses standard username and password authentication without support for two-factor authentication, something we would suggest that they change or at least offer at cost to larger clients.</p>

<p>But the real crime, as youngluck noted on TechCrunch: <i>&#8220;Actually, the sad thing here is that an “army” with enough sophistication to take down Twitter, could have a graphic design department that could suck this bad.&#8221;</i></p>

<p>We&#8217;ll update the post if Twitter uncharacteristically provides more information about what happened.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>NSA.gov Site Defacement</title>
		<link>http://praetorianprefect.com/archives/2009/10/nsa-gov-site-defacement/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/nsa-gov-site-defacement/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 21:02:24 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[hacker groups]]></category>
		<category><![CDATA[hacktivism]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=926</guid>
		<description><![CDATA[It appears, according to the site defacement archive hosted at Zone-H, that on or around October 5th an NSA web site application was the victim of an SQL injection exploit resulting in a web site defacement. A web application loading a list of recruitment events at colleges was compromised on the careers section of <a href="http://www.nsa.gov/applications/careers/recruit_events/">nsa.gov</a>.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/nsahack_thumb.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/nsahack_thumb-150x150.jpg" alt="nsahack_thumb" title="nsahack_thumb" width="150" height="150" class="alignleft size-thumbnail wp-image-928" /></a>It appears, according to the site defacement archive hosted at Zone-H, that on or around October 5th an NSA web site application was the victim of an SQL injection exploit resulting in a web site defacement. A web application in the careers section of <a href="http://www.nsa.gov/applications/careers/recruit_events/">nsa.gov</a> loading a list of recruitment events at colleges was compromised.</p>

<h3>10/05/2009 Appearance</h3>

<div id="attachment_931" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/nsa_hack11.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/nsa_hack11-300x271.jpg" alt="Site appearance according to posting on Zone-H." title="nsa_hack1" width="300" height="271" class="size-medium wp-image-931" /></a><p class="wp-caption-text">Site appearance according to posting on Zone-H.</p></div>

<h3>Correct Appearance</h3>

<div id="attachment_927" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/nsa_hack2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/nsa_hack2-300x239.jpg" alt="NSA Career Fair schedule, correct appearance." title="nsa_hack2" width="300" height="239" class="size-medium wp-image-927" /></a><p class="wp-caption-text">NSA Career Fair schedule, correct appearance.</p></div>

<h3>SQL_Master</h3>

<p>The attacker, using the handle SQL_Master, is attributed on Zone-H with site defacements of Google Tokelau (a territory of New Zealand) and a Microsoft web property in Korea. He has been associated with the Jurm team, a Moroccan hacker group known primarily for web site defacements of the Israeli versions of major companies&#8217; web sites, for example Kia, Sprite, and Fanta.</p>

<p>A Microsoft defacement attributed to SQL_Master from July of this year references &#8220;Agd_Scrop, free him&#8221;. Agd_Scorp was part of a Turkish hacker group called Peace Crew that defaced NATO and U.S. military web sites as a political reaction to Operation Cast Lead, or, as it&#8217;s more commonly referred to, the Gaza War, where Israeli and Hamas forces clashed starting in December of 2008. The two hacker groups are known to have partnered in defacements at the beginning of this year during the conflict, in what was termed a virtual war in which a few thousand Israeli web sites were defaced. Agd_Scorp appears to have been arrested by Kayseri (central Turkey) police over the summer, and faces up to 20 years in prison on various cybercrime related charges.</p>

<h3>National Security Agency</h3>

<p>The NSA or National Security Agency is the cryptologic intelligence agency of the United States. Created in 1952 under President Truman, its primary initial responsibility was the collection and analysis of foreign communications. In 2008 President George W. Bush signed a directive authorizing the NSA to monitor the computer networks of all federal agencies, giving the agency a primary role in federal efforts around cybersecurity.</p>

<p>Because of this role and other factors, including the agency&#8217;s historical role with cryptographic systems and controversial domestic wiretapping programs, NSA networks and computer systems are an attractive target for crackers. Further, because of the agency&#8217;s role in cybersecurity monitoring, defacements such as this one are embarrassingly problematic.</p>

<h3>Zone-H.org</h3>

<p><a href="http://www.zone-h.org">Zone-H.org</a>, a site hosted in France which has been around since 2002, hosts an archive of defaced web sites. In January 2007 the site itself was a victim of a pseudo defacement, when a team from Saudi Arabia gained access to the registrar&#8217;s administrative panel and redirected the zone-h.org domain name to a different IP. The site&#8217;s mission is very similar to the defacement archive that used to be maintained at <a href="http://attrition.org">attrition.org</a>. Both have been the subject of criticism over the years, the suggestion being that hosting the archive is itself an incentive for site defacements. The counter to this is that without the central archiving of the evidence of web site defacements, the problem would be less known and understood by the security community. Companies may also try to sweep such episodes under the rug. Besides, the site defacements would simply be posted in other places (forums and similar web sites).</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/nsa-gov-site-defacement/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Now I will believe that there are unicorns&#8230;</title>
		<link>http://praetorianprefect.com/archives/2009/04/now-i-will-believe-that-there-are-unicorns/</link>
		<comments>http://praetorianprefect.com/archives/2009/04/now-i-will-believe-that-there-are-unicorns/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 04:17:59 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[espn]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=13</guid>
		<description><![CDATA[Anyone who looked at ESPN online today (04/27/09) may find themselves agreeing with Mr. Shakespeare. Starting a little after 4pm EST you may have noticed a spike in chatter on Twitter related to <a href="http://www.espn.com">ESPN.com</a>.  A high profile web site defacement occurred on the sports news web site where the <a href="http://www.cornify.com">Cornify script</a> was invoked by a Javascript using keystrokes known as the <a href="http://en.wikipedia.org/wiki/Konami_code">Konami code</a>.]]></description>
			<content:encoded><![CDATA[<p>Anyone who looked at ESPN online today (04/27/09) may find themselves agreeing with Mr. Shakespeare. Starting a little after 4pm EST you may have noticed a spike in chatter on Twitter related to <a href="http://www.espn.com">ESPN.com</a>.  A high profile web site defacement occurred on the sports news web site where the <a href="http://www.cornify.com">Cornify script</a> by <a href="http://chri.sto.ph/">Christoph Helzle</a> was invoked by a Javascript using keystrokes known as the <a href="http://en.wikipedia.org/wiki/Konami_code">Konami code</a>.</p>

<div id="attachment_16" class="wp-caption alignnone" style="width: 610px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/04/espn_defacement.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/04/espn_defacement.png" alt="ESPN is cornified." title="espn_defacement" width="600" height="450" class="size-full wp-image-16" /></a><p class="wp-caption-text">ESPN is cornified.</p></div>

<p>For those who have not played Contra in a while, the Konami code is up,up,down,down,left,right,left,right,b,a,enter (it used to be good for 30 lives among other things in popular video game titles, such as Contra or Life Force).  Cornify, as the web site implies, provides unicorns and rainbows on demand, essentially appending pictures of unicorns to div tags randomly around the web page.</p>

<p>References to the Cornify script showed up in two places on the web site.  The first, at the top of the page following the &lt;head&gt; tag was a simple href reference to the cornify web site.</p>

<p>The second part of the script, responsible for the Konami code and the call to cornify.com, is found in one of the external Javascript files: <a href="http://a.espncdn.com/prod/scripts/espn.core.min.200904211701.js">http://a.espncdn.com/prod/scripts/espn.core.min.200904211701.js</a></p>

<p>Here is the relevant snippet; note that the variable c contains the key code sequence that is compared against the <a href="http://www.quirksmode.org/js/keys.html">keydown</a> events:</p>

<pre><code>(function(b){
  var d=[], c="38,38,40,40,37,39,37,39,66,65"; // key codes: up,up,down,down,left,right,left,right,b,a
  b(document).keydown(function(f){
    d.push(f.keyCode); // append every key pressed so far
    if(d.toString().indexOf(c)&gt;=0){ // the Konami sequence appeared: stop listening, load cornify
      b(document).unbind("keydown",arguments.callee);
      b.getScript("http://www.cornify.com/js/cornify.js",function(){
        cornify_add(); // add unicorns now, and again on every further keydown
        b(document).keydown(cornify_add)
      })
    }
  })
})(jQuery);
</code></pre>

<p>How the script ended up on the ESPN web site is anyone’s guess at this point in time; ESPN has not yet released a statement.  Speculation abounds on web forums and in blog comments as to whether this was the result of some third party attack or a prank by an ESPN staffer or consultant.  One comment even suggested that ESPN did this on purpose as a viral marketing ploy, however this seems unlikely.  Imagine the board meeting where someone suggests: &#8220;Gentlemen, I&#8217;ve got it, the secret to sports web site traffic. It&#8217;s unicorns&#8221;.</p>

<p>If you want a demonstration of what the Cornify script does, have fun clicking the image below:</p>

<p><a href="http://www.cornify.com" onclick="cornify_add();return false;"><img src="http://www.cornify.com/assets/cornify.gif" width="61" height="16" border="0" alt="Cornify" /></a><script type="text/javascript" src="http://www.cornify.com/js/cornify.js"></script><br /><br /></p>

<h3>Updates</h3>

<p>04/29/09 &#8211; Keith Lam, a developer for the ESPN web sites, confirmed that <a href="http://keithlam.com/2009/04/28/espncom-unicorns/">the script was a prank</a>, added March 31st by a developer as an April Fools joke, and largely unnoticed until the post on Kotaku.  You will note that Keith took some grief on Twitter for his role in removing the Javascript: <a href="http://search.twitter.com/search?q=&amp;ands=&amp;phrase=keithlam&amp;ors=&amp;nots=&amp;tag=&amp;lang=all&amp;from=&amp;to=&amp;ref=&amp;near=&amp;within=15&amp;units=mi&amp;since=2009-04-27&amp;until=2009-04-27&amp;rpp=45">conversation on Twitter</a>.</p>

<h3>References</h3>

<ul>
<li>The Javascript source from Cornify: <a href="http://www.cornify.com/js/cornify.js">http://www.cornify.com/js/cornify.js</a></li>
<li>Wired Magazine referenced Cornify back in February: <a href="http://www.wired.com/sterling/2009/02/proof-why-the-c.html">http://www.wired.com/sterling/2009/02/proof-why-the-c.html</a></li>
<li>Paul Irish wrote a good blog post about his integrating the Cornify javascript with the Konami code back in February: <a href="http://paulirish.com/2009/cornify-easter-egg-with-jquery/">http://paulirish.com/2009/cornify-easter-egg-with-jquery/</a></li>
<li>Kotaku broke the story early on making ESPN magical: <a href="http://kotaku.com/5230185/the-konami-code-makes-espncom-magical">http://kotaku.com/5230185/the-konami-code-makes-espncom-magical</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/04/now-i-will-believe-that-there-are-unicorns/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
