Aug 25 2010

Defense official discloses cyberattack

Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.

In an article to be published Wednesday discussing the Pentagon’s cyberstrategy, Deputy Defense Secretary William J. Lynn III says malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he says in the Foreign Affairs article.

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

Lynn’s decision to declassify an incident that Defense officials had kept secret reflects the Pentagon’s desire to raise congressional and public concern over the threats facing U.S. computer systems, experts said.

Much of what Lynn writes in Foreign Affairs has been said before: that the Pentagon’s 15,000 networks and 7 million computing devices are being probed thousands of times daily; that cyberwar is asymmetric; and that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult to identify the instigator of an attack.

But he also presents new details about the Defense Department’s cyberstrategy, including the development of ways to find intruders inside the network. That is part of what is called “active defense.” Counterfeit hardware has been detected in systems that the Pentagon has bought. Such hardware could expose the network to manipulation from adversaries.

He puts the Homeland Security Department on notice that although it has the “lead” in protecting the dot.gov and dot.com domains, the Pentagon – which includes the ultra-secret National Security Agency – should support efforts to protect critical industry networks.

Lynn’s declassification of the 2008 incident has prompted concern among cyberexperts that he gave adversaries useful information. The Foreign Affairs article, Pentagon officials said, is the first on-the-record disclosure that a foreign intelligence agency had penetrated the U.S. military’s classified systems. In 2008, the Los Angeles Times reported, citing anonymous Defense officials, that the incursion might have originated in Russia.

The Pentagon operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy, Lynn said. In November 2008, the Defense Department banned the use of flash drives, a ban it has since modified.

Infiltrating the military’s command and control system is significant, said one former intelligence official who spoke on the condition of anonymity because of the sensitivity of the matter. “This is how we order people to go to war. If you’re on the inside, you can change orders. You can say, ‘turn left’ instead of ‘turn right.’ You can say ‘go up’ instead of ‘go down.’ ”

In a nutshell, he said, the “Pentagon has begun to recognize its vulnerability and is making a case for how you’ve got to deal with it.”

Source


Aug 2 2010

Hacking into GSM for only $1500

A researcher at the DefCon hackers’ meet has demonstrated kit for spoofing GSM base stations, allowing even those on a limited budget to intercept phone calls and text messages.

The audience attending the talk by Chris Paget were able to see their own handsets transferring to his spoofed base station, with calls receiving a recorded message explaining that the security had been compromised, Associated Press reports. The demonstration would presumably have been a lot less impressive if Las Vegas had better 3G coverage.

The basis of the attack isn’t new: the attacker sets up a base station advertised as belonging to a compatible network operator, and nearby handsets switch to the stronger signal. In a live attack the base station then connects to the real cellular network and passes authentication tokens back and forth as though it wasn’t there.

GSM communications are supposed to be encrypted between the genuine network and the handset, but in some countries strong encryption isn’t allowed, so the network informs the handset not to encrypt the communications. The handset is supposed to pop up a warning when this happens, but doesn’t, so rogue base stations can ask the handset not to encrypt anything and then listen in.

The 2G GSM standard does not mandate mutual authentication – the handset must prove its identity to the network, but the network is not required to return the favour. That’s always made 2G networks open to this kind of abuse; the only difference is that the kit to do it has got a lot cheaper over the years. 3G standards do require such authentication, so they are immune from this kind of attack.
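The two weaknesses described above (a cipher-mode command the handset does not question, and one-way authentication) can be seen in a small simulation. This is an added example, not code from the talk or from any GSM stack; HMAC-SHA256 stands in for the real A3/A8 and UMTS f1/f2 functions, and the message formats are simplified assumptions.

```python
import hashlib
import hmac
import os

# Constructed simulation: a 2G handset can only prove itself, so it will talk to
# any cell; a 3G handset checks AUTN and rejects a cell that cannot prove it knows
# the subscriber key Ki. HMAC-SHA256 stands in for the real A3/A8 and UMTS f1/f2
# functions (an assumption for the example, not the GSM algorithms).

def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Sim:
    """Subscriber side: holds the secret Ki shared only with the home network."""
    def __init__(self, ki: bytes):
        self.ki = ki

    def gsm_sres(self, rand: bytes) -> bytes:
        # 2G: answer any challenge; nothing proves the challenger is genuine.
        return prf(self.ki, b"SRES", rand)[:4]

    def umts_res(self, rand: bytes, autn: bytes) -> bytes:
        # 3G: AUTN carries a MAC over RAND and SQN that only a holder of Ki can make.
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, prf(self.ki, b"MAC", rand, sqn)[:8]):
            raise ValueError("AUTN MAC mismatch: the network did not authenticate")
        return prf(self.ki, b"RES", rand)[:8]


class HomeNetwork:
    """Genuine operator: knows Ki, so it can produce a valid AUTN."""
    def __init__(self, ki: bytes):
        self.ki, self.sqn = ki, 0

    def gsm_challenge(self) -> bytes:
        return os.urandom(16)

    def umts_challenge(self):
        self.sqn += 1
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        return rand, sqn + prf(self.ki, b"MAC", rand, sqn)[:8]


class RogueBaseStation:
    """Spoofed cell: has no Ki, so the best it can do is forge the MAC."""
    def gsm_challenge(self) -> bytes:
        return os.urandom(16)

    def umts_challenge(self):
        return os.urandom(16), b"\x00" * 6 + os.urandom(8)


def attach_2g(sim: Sim, cell) -> bool:
    # The handset answers and attaches; it has no way to reject the cell.
    sim.gsm_sres(cell.gsm_challenge())
    return True


def attach_3g(sim: Sim, cell) -> bool:
    rand, autn = cell.umts_challenge()
    try:
        sim.umts_res(rand, autn)
        return True
    except ValueError:
        return False


def cipher_mode_accepted(algorithm: str, allow_a5_0: bool = False) -> bool:
    # Policy the handset should apply to CIPHER MODE COMMAND: "A5/0" means no
    # encryption, which is exactly what the rogue cell asks for.
    return algorithm != "A5/0" or allow_a5_0
```

With a real SIM the rogue cell's forged AUTN fails in the same way, which is why the talk's fallback is to push handsets down to 2G rather than to beat 3G authentication.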

During the demonstration, Paget pointed out that one could jam the 3G signal (at 2.1GHz), forcing handsets to drop back to 2G and open themselves to the vulnerability. That’s true, but will cease to be possible (or at least will get a lot more difficult) once operators start deploying 3G technology on the 2G frequencies.

“GSM is broken – it’s just plain broken,” said Paget during the demonstration, though he could have added that the standard is no more broken than it was yesterday – the break just got cheaper to exploit.

Source


Aug 2 2010

Black Hat 2010: Even with SSL/TLS, browsers still are susceptible to attack

Two researchers at the Black Hat conference in Las Vegas on Thursday exposed 24 ways hackers can hijack seemingly secure browser sessions.

Robert Hansen and Josh Sokol demonstrated methods attackers can use to take over users’ accounts or assume control of a website without the need for any exploits, due to the way browsers implement “HTTPS.” HTTPS, a combination of the Hypertext Transfer Protocol with the SSL/TLS Protocol, allows a website owner to encrypt a session using a digital certificate.

For any of the two dozen attacks to work, however, a criminal would have to have assumed control of a user’s computer via a man-in-the-middle (MITM) exploit, by which an attacker intercepts communications between two systems.

But the researchers wanted to show that HTTPS protection alone won’t stop bad things from happening.

For example, the pair detailed an attack known as “session fixation” that takes advantage of the fact that banks using HTTPS don’t change a user’s cookie after they log in — they simply mark it as valid. As a result, an attacker with MITM control could visit the bank site ahead of the user and set the cookie, essentially logging in the crook as the legitimate user.
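The server-side bug behind that scenario, and the usual fix, side by side. This is an added illustration, not code from the talk or from any bank; the in-memory session store and the function names are assumptions for the example.

```python
import secrets

# Constructed example: a minimal cookie session store. The vulnerable login keeps
# whatever session id the browser already had and marks it authenticated; the
# hardened login discards it and binds the logged-in state to a fresh id.

class SessionStore:
    def __init__(self):
        self.sessions = {}          # sid -> {"user": None or username}

    def new_anonymous(self, sid=None) -> str:
        # Pre-login session. A man in the middle can plant a sid he already knows.
        sid = sid or secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    # "Just mark it as valid": the attacker-known sid is now the victim's session.
    store.sessions.setdefault(sid, {"user": None})["user"] = user
    return sid


def login_hardened(store: SessionStore, sid: str, user: str) -> str:
    # Rotate on privilege change: the incoming sid is dropped, a new one is issued
    # (and should be sent back with the Secure and HttpOnly cookie flags).
    store.sessions.pop(sid, None)
    fresh = secrets.token_urlsafe(32)
    store.sessions[fresh] = {"user": user}
    return fresh


def fixation_scenario(login) -> bool:
    """True if a cookie planted before login ends up authenticated as the victim."""
    store = SessionStore()
    planted = store.new_anonymous("sid-known-to-attacker")   # set via MITM
    login(store, planted, "victim")                          # victim logs in with it
    return store.user_for(planted) == "victim"
```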

Another scenario, known as “delayed pop-up,” involves a user who visits a website, such as a bank, and clicks on a link to go to the SSL-protected version of the site. This opens a second tab, but if the attacker has control of the first tab, he is able to change the other HTTPS tab to redirect users to malicious executables or authentication forms.

Still, the reliance on MITM makes the scenarios Hansen and Sokol demonstrated unlikely to happen on a widespread scale, they said.

“You’d have to be a very determined attacker,” Hansen said. “And determined attackers have a lot of other avenues for attack.”

He did say that while “the world is not crashing,” website owners and users should take the threats seriously as they have the potential to threaten secure electronic commerce. Potential mitigations include the browser makers offering tab, port and cookie sandboxing controls.

Hansen added that there are likely “hundreds” of other similar vulnerabilities.

Source


Jul 7 2010

IT Official Blames N. Korea for Cyber Attacks

North Korea was behind the cyber attacks that occurred a year ago Wednesday, according to a government IT source in South Korea.
The distributed denial of service, or DDoS, attacks paralyzed more than 20 domestic sites including those of the presidential office and major portal sites.

On foreign media reports saying no evidence linked the North to the attacks, Jeong Seok-hwa, investigation director at the Cyber Terror Response Center in charge of the investigation, said, “No country including the U.S. could identify the origin of the DDoS attacks that occurred a year ago. Thankfully, the discovery by Korean investigation agencies has been the most credible so far.”

On how he was sure that it was Pyongyang, Jeong said, “It might be too early to conclude this, but the facts so far have shown that the IP address used for the attacks was the same one rented by North Korea’s Posts and Telecommunications Ministry from a Chinese Internet provider.”

“The attack was waged by dozens of people, not one individual,” he added.

According to the National Police Agency, the cyber center in October last year found that the attacks originated from the IP of the North’s ministry.

A lieutenant on the investigation team was promoted to inspector in recognition of this discovery. He refused to disclose more, however, saying “Giving out more details will compromise our national strategy,” but added, “It was possible thanks to the technical capability we’ve accumulated for more than 10 years since the cyber center’s launch.”

Amid rising fears over a second cyber attack from the North, Jeong said, “Attack rumors were prevalent in April and May, but nothing really happened. But there certainly is the possibility of another attack. One of the servers that made the attack order seems to have copied all files saved on zombie PCs, or those in charge of the attack.”

This indicates that the zombie PCs analyzed the files South Koreans use most often, so that more zombies could be created when an attack starts.

On preventing a cyber attack, Jeong said, “We cannot prevent zombie PCs from multiplying even with the latest vaccine program. The government must distribute free firewall programs (used for protection in Internet banking services).”

With the investigation over last year’s cyber attacks ongoing, Jeong pledged to find the culprit. “We’ve done everything we can within the country. Since the attack originated from China, which is beyond our investigative jurisdiction, we will collaborate with China to find who did it,” he said.

Source


May 26 2010

Web hoster Media Temple shut down by attack

Media Temple, Web hosting provider for Adobe, ABC, Sony, NBC, Time, Volkswagen, and Starbucks, was hit with a sophisticated distributed denial-of-service (DDoS) attack Tuesday.

The outage began about 3:50 p.m. PDT, when Media Temple’s domain name servers were deluged by a flood of traffic coming from outside the U.S., and lasted a total of about two-and-a-half hours, according to a tech support representative at the Los Angeles-based company.

“Due to the sophistication of the attack, our normal DDoS firewall prevention techniques didn’t block the attack adequately, as the traffic appears to be legitimate,” the company reported at around 5:40 p.m. PDT.

The company said it had initially blocked all traffic from Asia, South America, and Mexico to reduce strain on the network, but later removed the blocks. As of 6:10 p.m. PDT the network was reported stable.

“Overall, network health is normalizing, however more work must be done to mitigate the effects of this incident and prevent future occurrences,” the company said, adding that it would provide an update at 10 p.m. PDT.

Company representatives did not immediately return a call seeking comment.

Update May 25 at 11:59 p.m. PT: A tech support representative at Media Temple said the outage lasted a total of about two-and-a-half hours.

Source


May 12 2010

Guilty plea after botnet tested with DDoS on ISP

The second man charged in 2006 computer attacks on The Planet and T35 Hosting has agreed to plead guilty.

According to court filings, Thomas James Frederick Smith is set to plead guilty before a federal judge in Dallas on June 10. He and David Anthony Edwards are facing five years in prison and fines of up to US$250,000 on charges that they assembled a 22,000 node botnet and then trained it on two ISPs to show a prospective buyer what it could do.

Edwards pleaded guilty to the charges before U.S. District Judge Jane J. Boyle on April 29. He is set to be sentenced August 19. Before he decided to plead guilty, Smith’s case had been set to go to trial next week.

Federal prosecutors say that Smith and Edwards — known by their hacker handles Zook and Davus — created a botnet they called Nettick, which they then tried to sell to cybercriminals, asking US$0.15 per infected computer.

To prove that they really controlled Nettick, the two allegedly trained it on a system hosted by The Planet, launching an August 2006 DDoS (distributed denial of service) attack on the ISP.

Six weeks later, the two allegedly broke into Texas Web hosting provider T35 Hosting, stole the company’s database of user names and passwords and then defaced T35’s Web site, posting this data to the public. T35 is best known as the free ISP that had hosted the Web site of Joe Stack, who crashed his plane into an IRS building in Austin, Texas, earlier this year.

Shortly after the attack, Smith allegedly posted a message to the HelptingWebmasters.com, pretending to be an innocent witness to the incident. “I found out today at around 11:40 PM that the t35 Website was Completly [sic] defaced,” Zook wrote in the post. “I posted it to a few news sites and noticed after posting them that the Mysql dumps were actually up for grabs… How are all the users going to be compensated? Im [sic] sure EVERYONES [sic] password was in that file…”

Source


Apr 19 2010

Targeted Cyberattacks Testing IT Managers

Targeted cyberattacks of the sort that hit Google Inc. earlier this year are testing enterprise security models in new ways, and they represent an imminent threat to sensitive corporate data.

State-sponsored groups with deep technical skills and computing resources have long been directing such attacks against government and military targets. However, Google’s disclosure in January that its network was attacked by China-based hackers stoked long-standing fears that cybercrooks would expand their horizons and start aiming targeted attacks at commercial networks.

Some experts say it’s likely that widespread attacks have already begun. “If you have not yet identified systems within your enterprise that have been compromised through these advanced attacks, you probably are very lucky — or you aren’t looking closely enough,” said Amit Yoran, former director of the U.S. Department of Homeland Security’s National Cyber Security Division and current CEO of security vendor NetWitness Corp.

Unlike the e-mail- and network-borne worms and viruses that have been hitting corporate networks for years, targeted attacks are stealthier and virtually impossible to fully block. Hackers typically rely on sophisticated social engineering techniques to break into networks, maintain access to them without detection and continually snoop out and steal sensitive information.

Some security pros suggest that IT managers are better off focusing on mitigating damage from targeted attacks instead of trying to prevent them.

Sean Arries, a researcher at Terremark Worldwide Inc., a Miami-based provider of IT infrastructure services, said traditional security measures, such as signature-based anti-malware tools, can’t prevent targeted attacks because the perpetrators often take advantage of zero-day threats for which there are no known defenses.

Instead, he said, companies should take steps to strengthen their ability to detect intrusions and to respond quickly. Arries noted that a gusher of data going out over the network, for example, is a sign that something’s amiss.

Paul Wood, a senior intelligence analyst at Symantec Corp.’s MessageLabs Intelligence unit, said that cloud-based security controls could help IT managers better detect targeted attacks. With a hosted security service, the provider sifts through large volumes of network traffic daily and therefore could spot suspicious activity sooner than internal IT operators who handle multiple jobs, he added.

Enabling remote logging capabilities is also crucial to detecting attacks, Arries said. Those who break into a server tend to wipe out activity logs and any other evidence of their presence from the server, he said. One way to get around that is to make sure that all logs are created at and stored in a central location.
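The two detection ideas above (an unusual volume of data leaving a host, and logs kept at a central collector that an intruder cannot wipe) as an added example over constructed flow records; this is not code from Terremark or Computerworld, and the record format and host inventory are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed example: flow records every host forwards to a central collector,
# one per line ("<time> <host> <dst_ip> <bytes_out>", an assumed format). Because
# the copy lives on the collector, wiping logs on the compromised host does not
# erase it. Sample data is constructed; 198.51.100.7 / 203.0.113.x are documentation
# ranges, not real destinations.

SAMPLE_FLOWS = """\
2010-04-12T09:00 ws-17 203.0.113.10 4200
2010-04-12T09:05 ws-17 203.0.113.10 3900
2010-04-12T09:10 ws-17 203.0.113.11 4100
2010-04-12T09:15 ws-17 198.51.100.7 4000
2010-04-12T09:20 ws-17 198.51.100.7 950000000
2010-04-12T09:00 ws-42 203.0.113.10 8000
2010-04-12T09:05 ws-42 203.0.113.10 7600
2010-04-12T09:10 ws-42 203.0.113.11 8300
2010-04-12T09:15 ws-42 198.51.100.7 7900
"""

EXPECTED_HOSTS = {"ws-17", "ws-42", "db-01"}   # constructed inventory of log sources


def parse_flows(text: str):
    """Group records by source host: host -> [(time, dst, bytes_out), ...]."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, dst, nbytes = line.split()
        flows[host].append((when, dst, int(nbytes)))
    return flows


def flag_egress_spikes(flows, factor: int = 10, min_samples: int = 4):
    """Flag flows whose outbound volume exceeds `factor` times the host's own
    median. A median baseline keeps one huge transfer from masking itself."""
    alerts = []
    for host, recs in flows.items():
        sizes = [b for _, _, b in recs]
        if len(sizes) < min_samples:
            continue                     # too little history for a baseline
        baseline = median(sizes)
        for when, dst, nbytes in recs:
            if nbytes > factor * baseline:
                alerts.append((host, when, dst, nbytes))
    return alerts


def silent_hosts(flows, expected=EXPECTED_HOSTS):
    """Hosts that should report but have sent nothing: a gap is itself a lead,
    since intruders tend to disable or wipe logging on the machines they hold."""
    return sorted(expected - set(flows))
```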

This version of this story was originally published in Computerworld’s print edition. It was adapted from an article that originally ran on Computerworld.com as part of an in-depth look at cyberwar.

Source


Apr 19 2010

OWASP Top 10 for 2010

The OWASP Top 10 Web Application Security Risks for 2010 are:

  1. A1: Injection
  2. A2: Cross-Site Scripting (XSS)
  3. A3: Broken Authentication and Session Management
  4. A4: Insecure Direct Object References
  5. A5: Cross-Site Request Forgery (CSRF)
  6. A6: Security Misconfiguration
  7. A7: Insecure Cryptographic Storage
  8. A8: Failure to Restrict URL Access
  9. A9: Insufficient Transport Layer Protection
  10. A10: Unvalidated Redirects and Forwards

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!
As you help us spread the word, please emphasize:
* OWASP is reaching out to developers, not just the application security community
* The Top 10 is about managing risk, not just avoiding vulnerabilities
* To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation
* We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.

Source


Apr 12 2010

Details on the Network Solutions / WordPress mass hack

Update 1: The attack continues! Now they are using the domain http://mainnetsoll.com/grep/. Make sure to fix your wp-config and change your database password ASAP.

Update 2: A quick fix if you can’t change your database password. Set the WP_SITEURL inside your wp-config. It will override the change in the database. Just add this line inside your file:
define('WP_SITEURL', 'http://yoursite.com');

Update 3: If you are seeing attacks from a different domain, please let us know. If you need help, send us an email and we will try to help asap (use contact@sucuri.net).

Yesterday we reported of a mass infection of WordPress blogs that were hosted at Network Solutions.

First of all, I must say that the response from Network Solutions was very good. They were active on the forums, responding to users via Twitter and really trying to find and fix the problem. They even sent me an email just after my first post went live to get more information and share notes. That’s what I like to see from a hosting company.

Anyway, we discussed it by phone yesterday, and after a long analysis they nailed down the cause of the problem. This is what happened:

  1. WordPress stores the database credentials in plain text in the wp-config.php file.
  2. This configuration file should only be readable by Apache, but some users (well, lots of users) left it readable by anyone (755 instead of 750, in Linux slang).
  3. A malicious user at Network Solutions wrote a script to find those incorrectly configured files.
  4. That same user found hundreds of configuration files with the incorrect permissions and retrieved the database credentials.
  5. The bad guy then launched an attack and modified the database for all of these blogs: the siteurl for all of them became networkads.net/grep. Easy hack.

So, in the end, there is blame to go around: WordPress for requiring that the database credentials be stored in clear text, WordPress again for not installing itself securely by default, the users for not securing their blogs, and Network Solutions for allowing this to happen.

I also have to agree with Network Solutions that this problem can happen at any shared host. It applies not only to WordPress but to any CMS out there that stores the passwords in clear text. For anyone affected by this problem (or anyone on a shared server), change your database credentials ASAP and make sure your configuration file is not readable by everyone else.

*To change the permissions via FTP, just run chmod 750 wp-config.php inside your blog directory.
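For anyone with more than one blog to check, the permission audit and the chmod fix above as an added script. This is not Sucuri's or Network Solutions' tooling; it builds its own throwaway directory tree with a placeholder password, and the file name list is an assumption you would extend for other CMSs. It does not change the database password, which still has to be done by hand.

```python
import os
import stat
import tempfile

# Constructed example: walk a web root, report every config file that other
# users on the same host can read, and strip the "others" bits the way
# "chmod 750" does, leaving owner and group permissions untouched.

def world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_config_files(root: str, names=("wp-config.php",)):
    """Return paths under root whose basename is in `names` and which are readable
    by others. Extend `names` for other CMSs that keep credentials in a file."""
    exposed = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f in names:
                p = os.path.join(dirpath, f)
                if world_readable(p):
                    exposed.append(p)
    return sorted(exposed)


def lock_down(path: str) -> int:
    """Clear rwx for 'others' (the low octal digit) and return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~0o007
    os.chmod(path, new_mode)
    return new_mode


def demo_root() -> str:
    """Build a throwaway tree: blog-a is exposed (755), blog-b is correct (750)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for blog, mode in (("blog-a", 0o755), ("blog-b", 0o750)):
        d = os.path.join(root, blog)
        os.makedirs(d)
        p = os.path.join(d, "wp-config.php")
        with open(p, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'placeholder-not-real');\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    root = demo_root()
    for p in audit_config_files(root):
        print("world-readable:", p, "->", oct(lock_down(p)))
```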

Source


Apr 7 2010

Researcher Details New Class Of Cross-Site Scripting Attack

A new type of cross-site scripting (XSS) attack that exploits commonly used network administration tools could be putting users’ data at risk, a researcher says.

Tyler Reguly, lead security research engineer at nCircle, today published a white paper outlining a new category of attack called “meta-information XSS” (miXSS), which works differently than other forms of the popular attack method — and could be difficult to detect.

“Think about those network administration utilities that so many webmasters and SMB administrators rely on — tools that perform a whois lookup, resolve DNS records, or simply query the headers of a Web server,” the white paper states. “They’re taking the meta-information provided by various services and displaying it within the rendered Website.

“These Web-based services introduce a class of XSS that can’t be captured by the current categories.”

Reguly explains that there are three current types of XSS attacks: reflected, persistent, and DOM-based.

“Reflected XSS refers to an attack that occurs when user input is reflected back at the user,” he writes. “This means that you provide the malicious data as user input, and the Web application simply echoes the data back to you.

“Persistent XSS refers to an attack that stores user input, allowing it to affect a much broader scope of visitors. An attack may be stored in the database and displayed to all visitors, rather than just the visitor that provided the malicious input.”

DOM-based XSS refers to attacks that modify the Document Object Model directly and don’t require data in the HTTP response, Reguly says.

“None of these [categories] really captures the process that occurs when you are dealing with [miXSS],” the paper says. “With miXSS, the input that the user provides is completely valid and properly sanitized. This rules out reflected XSS, and since we aren’t storing the user input, persistent XSS can also be disregarded. Finally, since we’re not interacting with the DOM, we can eliminate this type of attack.”

MiXSS has aspects of both reflected and persistent attacks, but does not fall into either category, Reguly explains. “It is valid user input provided to a service,” he says. “The service then utilizes the user-provided data to gather data and display it for the user. It is in this data that the cross-site scripting occurs.” Reguly offers an example: a DNS TXT record that contains [a certain value] and a service designed to gather DNS TXT records for the purpose of testing sender policy framework (SPF) records.

“The user provides the domain name pointing to the TXT record, while the service resolves the TXT data and displays the data to the user,” the paper says. “Since the data contains JavaScript, the returned data is processed, and successful cross-site scripting has occurred.”
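The TXT-lookup case described above, as an added example that is not code from nCircle or the paper: a dict stands in for real DNS, the record for "evil.example" is constructed to carry markup, and the renderer names are assumptions. It shows the same validated input producing a script injection in one renderer and inert text in the other.

```python
import html
import re

# Constructed example of an SPF/TXT lookup page. The user's domain is validated
# (so ordinary reflected-XSS filtering passes), but the data the service fetches
# on the user's behalf is what carries the markup; only the hardened renderer
# treats that fetched data as untrusted output.

FAKE_DNS_TXT = {   # stands in for a real resolver; values are constructed
    "good.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "evil.example": ['v=spf1 -all" <script>/* constructed */</script>'],
}

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]{1,253}$")


def valid_hostname(domain: str) -> str:
    """Input validation really is in place: only hostname characters get through."""
    domain = domain.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(domain):
        raise ValueError("not a hostname")
    return domain


def lookup_txt(domain: str):
    return FAKE_DNS_TXT.get(domain, [])


def render_vulnerable(domain: str) -> str:
    # The fetched record is pasted into the page as-is: the miXSS case.
    domain = valid_hostname(domain)
    rows = "".join(f"<li>{rec}</li>" for rec in lookup_txt(domain))
    return f"<h1>TXT records for {html.escape(domain)}</h1><ul>{rows}</ul>"


def render_hardened(domain: str) -> str:
    # Anything obtained from another service is encoded before it reaches HTML.
    domain = valid_hostname(domain)
    rows = "".join(f"<li>{html.escape(rec)}</li>" for rec in lookup_txt(domain))
    return f"<h1>TXT records for {html.escape(domain)}</h1><ul>{rows}</ul>"


def contains_active_markup(rendered: str) -> bool:
    """Crude check: did a raw <script> tag reach the rendered page?"""
    return "<script" in rendered.lower()
```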

The XSS vulnerability could be a growing threat in the future, the paper says, because Web-based tools such as these are increasingly used to quickly resolve network administration issues that might otherwise inhibit the user experience.

Source