Recently in Hacks Category

RockYou was hacked a couple of weeks ago and over 35 million passwords were stolen. RockYou may have your password if you've played any of their Social Networking Applications on sites like Facebook or MySpace. Their applications include

  • Slideshow
  • Uploadphoto
  • Photofx
  • Glittertext
  • Funnotes
  • Countdown
  • Superhug
  • Myspace layouts
  • Stickers
  • Superwall
  • Pieces of flair
  • Speedracing
  • Likeness
  • Hugme
  • Birthday cards

Pieces of flair seems like one I've seen my friends using. Depending on the application, RockYou may have had your Facebook or Webmail password. RockYou recommends that you change passwords for any online service where you've used the same password disclosed to them.

In the last day, I've seen a massive spike in the number of friends who have had their Gmail account hacked and spam sent to contacts in the address book. It's not necessarily connected to the RockYou attack, but it's worth mentioning. The hacker briefly posted the full database online for anyone to download, so it's not surprising that people would get hit.

PowWeb Mass Hack


I logged into the forums of PowWeb (my web host) and found they were majorly owned last night. The powers that be aren't saying anything at all, but other users are reporting that malicious JavaScript (detected as Psyme) was added to many of their web pages, particularly index pages.

PowWeb reset all passwords used for Ops (their web control panel) and mailed one-time passwords to users. They have now removed the viral code added to the user files. They have not reported how this occurred.

My sites don't seem to have been affected at all.

20080109


I read a couple of interesting blog posts today about sites getting hacked.

Sunbelt Blog had an example of a hacked site, where the site redirected you to malware if you got to the site through a link (such as from a search engine). Otherwise the site displayed normally.

The Kaspersky Analyst diary had more information. In a dark form of search engine optimization, the attackers would find search results for a search term, and then compromise the popular results that they could. Adding an iframe is so 2006, so they'd modify existing javascript on the page to run their code and redirect users to Antivirus 2009 websites.
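The two posts above describe the same cloaking trick: the compromised page behaves normally for a direct visit and redirects only when the visitor arrives from a search engine. A simple check for it is to fetch the page with and without a search-engine Referer and compare what comes back. The following is an added example, not code from the original post or from Sunbelt or Kaspersky; the URLs, the `rogue-antivirus.example` redirect target and the two `fake_*_site` fetchers are constructed stand-ins so the check runs offline, while `http_fetch` is the real fetcher you would pass for a live site.

```python
import hashlib
import urllib.error
import urllib.request

# Referers that imitate arriving from a search engine (constructed sample values).
SEARCH_REFERERS = (
    "http://www.google.com/search?q=example",
    "http://search.live.com/results.aspx?q=example",
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, referer=None):
    """Real fetcher: returns (status, Location header, sha256 of the body)."""
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), hashlib.sha256(resp.read()).hexdigest()
    except urllib.error.HTTPError as err:
        # A refused redirect surfaces here; the 3xx status and Location are still useful.
        return err.code, err.headers.get("Location"), hashlib.sha256(err.read()).hexdigest()


def check_cloaking(url, fetch=http_fetch, referers=SEARCH_REFERERS):
    """Fetch once with no Referer (the baseline) and once per search-engine
    Referer; any difference in status, redirect target or body is a finding."""
    baseline = fetch(url, None)
    findings = []
    for ref in referers:
        seen = fetch(url, ref)
        if seen != baseline:
            findings.append({"referer": ref, "baseline": baseline, "with_referer": seen})
    return findings


NORMAL_BODY = b"<html><body>Welcome to the hobby site</body></html>"


def fake_compromised_site(url, referer=None):
    """Constructed stand-in for a cloaked page: search-engine visitors get a redirect."""
    if referer and ("google." in referer or "live.com" in referer):
        return 302, "http://rogue-antivirus.example/", hashlib.sha256(b"").hexdigest()
    return 200, None, hashlib.sha256(NORMAL_BODY).hexdigest()


def fake_clean_site(url, referer=None):
    """Constructed stand-in for an untouched page: same answer for everyone."""
    return 200, None, hashlib.sha256(NORMAL_BODY).hexdigest()


if __name__ == "__main__":
    for finding in check_cloaking("http://site.example/", fetch=fake_compromised_site):
        print(finding)
```

Two caveats when running this against a real site: pages with per-request content (ads, session tokens) need that volatile content stripped before hashing, or every fetch will differ; and a client-side redirect that checks `document.referrer` in injected JavaScript serves the same HTML to everyone, so a body comparison over plain HTTP will not reveal it, only inspecting the script itself will.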

The SANS Internet Storm Center diary has an entry on a telnet authentication bypass vulnerability in Solaris 10 and 11. They don't mention any useful details, but if you're the type who prefers to see for yourself, you might check out a place that likes to fully disclose this type of thing.

I found we only have one Solaris 10 server running telnet. It's one of the Unix administrators' desktops. You can only access root from the console, but I was able to get in using the 'adm' account. Good times, good times.

Word Zero Day Mitigation


I hear that a government agency (which I won't name) is blocking all email file attachments with a .doc extension as a result of the announced zero-day attack. The email that I saw advised employees to stick to TXT files and PDF files.

Every company has its own level of risk aversion, but I think this is kind of ridiculous. Word documents are essential to business. I've asked before in this blog: you people with untrustworthy antivirus who block by file type, what are you going to do when viruses come in flavors other than easily blockable things like EXE and PIF? Well, we soon found that viruses come in image files. Viruses come in Office files. I guess the answer for this agency will eventually be to enforce text-only email.

The Federal agency will be blocking .doc files until a fix is available or they feel the threat level has changed. I did hear that renaming the extension before mailing does circumvent this filter, so they aren't blocking using the file header, only by extension. If someone were truly targeting them specifically (and currently this attack is only being used against one or two companies), the attacker might know enough to rename the file, with instructions for the recipient to rename the .cod file back to .doc.
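The difference between filtering on the extension and filtering on the file header is easy to show in code. The following is an added example, not something from the original post or from the agency in question: it classifies an attachment by its leading bytes (the OLE2 compound-file signature that legacy .doc/.xls/.ppt files carry, the `%PDF-` marker, the zip signature that .docx containers use) and runs a renamed `.cod` sample through both kinds of filter. The sample attachments are constructed for the demo (a bare OLE2 header padded with zeros, not a real Word file), and the file names are made up.

```python
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary: legacy .doc/.xls/.ppt
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx) and other zip containers


def sniff_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"


def blocked_by_extension(name: str, blocked=(".doc",)) -> bool:
    """The filter the post describes: looks only at the file name."""
    return name.lower().endswith(blocked)


def blocked_by_content(data: bytes, blocked=("ole2",)) -> bool:
    """Header-based filter: the name is irrelevant, only the bytes count."""
    return sniff_type(data) in blocked


# Constructed sample attachments (not real files): an OLE2 header padded out,
# the same bytes with the extension renamed, a text note and a minimal PDF header.
SAMPLES = {
    "report.doc": OLE2_MAGIC + b"\x00" * 24,
    "report.cod": OLE2_MAGIC + b"\x00" * 24,
    "notes.txt": b"Meeting moved to 3pm.\n",
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}


def evaluate(samples=SAMPLES) -> dict:
    """Run every sample through both filters; returns {name: {"ext": bool, "content": bool}}."""
    return {
        name: {"ext": blocked_by_extension(name), "content": blocked_by_content(data)}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:12s} extension-filter={verdict['ext']!s:5s} content-filter={verdict['content']}")
```

Note that the header check is only as good as its signature list: Word also opens RTF text saved with a .doc name, which starts with `{\rtf` and matches neither the OLE2 rule nor the extension rule once renamed, so a content filter needs its own entry for each format the recipient's application will happily open.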

I'm a bit surprised that they are advising that PDF files are an acceptable alternative. Adobe Reader and Professional have all kinds of remote execution vulnerabilities. Adobe recommends that you upgrade to version 8 which was released this week.

Second Life 0wned


Fantasy site Second Life was hacked, according to Dark Reading. The Second Life website doesn't provide any information other than that it was a zero-day attack on unnamed web software. More info is available in their blog.

Somewhere over the rainbow


My rainbow tables for alphanumeric plus 32 symbols and a space are not working right with SAMInside. I'm not sure if the problem is with SAMInside or with the files. My original file source is not available right now, so I can't download a new copy and compare hashes. I feel like my powers have been diminished, like Superman with kryptonite.

Six Apart's free support bulletin board for Movable Type has been offline for maintenance since this past weekend. I just saw why on Bugtraq. Looks like there is another SQL injection exploit in Invision Power Board that will grant an attacker admin access. This is a vulnerability in versions prior to 2.1.7. Hopefully they'll get patched and back online soon.

Back in May, I wrote when that forum was exploited and modified to serve up WMF exploits. At that time I let the SANS ISC know about it. So it was pretty funny in June when a Circuit City IPB forum was hacked and it made the tech news. According to MSN search there are still a lot of boards running Invision Power Board 2.1.6. A lot of them are hobby websites that likely learn the hard way about keeping up with security patches.

The Cisco VPN Client for Windows has a privilege escalation vulnerability that allows a regular user to gain SYSTEM rights.

http://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml

Makes you wonder, if you've "locked down" your user permissions, how many of the really dangerous ones haven't already promoted themselves to admin through privilege escalation vulnerabilities like this.

I'm not sure if I've posted about this or not. During March and into April we had a pen-testing project at school. At the beginning of the semester we had a project to configure our server (Windows 2003 or Red Hat Enterprise AS 4). Next we had to perform reconnaissance on our classmates and a collection of cannon-fodder servers set up by the instructor. This led into the pen testing assignment.

Going into the assignment, my main concern was not getting hacked and not embarrassing myself. It actually turned out better than that. I didn't get hacked, and I was able to hack more servers than anyone else in the class.

What differentiated my results from those of my classmates was a series of application attacks. The foundation for these attacks was laid when Terminal Services was installed. You see, Terminal Services asks at install whether you want high security or application compatibility. If you select application compatibility, then any terminal server user has modify rights to c:\program files\* and some important registry keys. The administrator of those servers should have looked at the terminal server settings and changed it to high security, or looked at the file ACLs and removed the unnecessary permissions.

Although my "guest" account only had user rights, because I was a terminal server user, I was able to modify some key files. Luall.exe is Symantec Liveupdate. When a scheduled liveupdate runs, it runs with SYSTEM permissions. By replacing luall.exe with my own version of the file, I was able to escalate my rights and own multiple servers.

This is another case of application compatibility mode causing security troubles. Of course this is not the preferred configuration for Terminal Services. So hopefully this isn't an exposure that you have on your own servers. So if you have Terminal Services, even just for remote admin mode, make sure that you check your security level. Otherwise a Terminal Server User is just an admin who hasn't promoted himself yet.

Rainbow Tables


I'm downloading rainbow tables to go along with my password cracking software. I ended up getting almost every user account just using alphanumeric tables. I want to go for the whole shebang, so I'm downloading rainbow tables with alphanumeric and special characters and spaces. I just noticed I'll be over quota. Hope I don't get a nasty email from Cox. Well, at least I found one thing that can be legally downloaded via BitTorrent.
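Both rainbow-table posts (this one and "Somewhere over the rainbow" above) turn on the same idea: a table only covers the character set it was generated for, which is why alphanumeric tables catch most accounts and anything with a symbol or space needs a separate, much larger set. The toy implementation below is an added example, not code from the post or from SAMInside: it builds a small table over 4-character lowercase alphanumeric passwords with MD5 standing in for the real hash, stores only chain endpoints, and looks a hash up by regenerating the chain it belongs to. The parameters, the `seed{i}` start points and the per-column reduction function are all constructed for the demo; they are far too small to be a real table, but the mechanics are the same.

```python
import hashlib
import string

# Toy parameters (constructed for the demo): 4-character lowercase alphanumeric
# passwords, MD5 as the stand-in hash, short chains so the table builds in a second.
CHARSET = string.ascii_lowercase + string.digits
PW_LEN = 4
CHAIN_LEN = 40
N_CHAINS = 3000


def H(pw: str) -> bytes:
    """The hash being attacked (MD5 here; a real table targets LM, NTLM, etc.)."""
    return hashlib.md5(pw.encode()).digest()


def R(h: bytes, step: int) -> str:
    """Reduction function: map a hash back into the password space.
    Mixing in the column index gives each column its own reduction, which is
    what makes this a *rainbow* table and keeps merged chains rare."""
    v = int.from_bytes(h[:8], "big") + step
    chars = []
    for _ in range(PW_LEN):
        v, idx = divmod(v, len(CHARSET))
        chars.append(CHARSET[idx])
    return "".join(chars)


def build_table() -> dict:
    """Precompute N_CHAINS chains of CHAIN_LEN hash/reduce steps; keep only end -> start."""
    table = {}
    for i in range(N_CHAINS):
        start = R(H(f"seed{i}"), 0)      # deterministic start point (constructed)
        pw = start
        for step in range(CHAIN_LEN):
            pw = R(H(pw), step)
        table[pw] = start
    return table


def lookup(table: dict, target: bytes):
    """Return a password whose hash is `target`, or None when the table does not
    cover it (for instance a password using characters outside CHARSET)."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the hash at column `col`; walk forward to the chain end.
        pw = R(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = R(H(pw), step)
        start = table.get(pw)
        if start is None:
            continue
        # Candidate chain found: regenerate it from its start and look for target.
        pw = start
        for step in range(CHAIN_LEN):
            if H(pw) == target:
                return pw
            pw = R(H(pw), step)
        # Reaching here is a false alarm (a merged chain); try the next column.
    return None


def chain_member(table: dict, index: int, col: int) -> str:
    """Password sitting at column `col` of the `index`-th stored chain (used by the demo)."""
    pw = list(table.values())[index]
    for step in range(col):
        pw = R(H(pw), step)
    return pw


if __name__ == "__main__":
    table = build_table()
    covered = chain_member(table, 7, 25)          # in the table by construction
    print(covered, "->", lookup(table, H(covered)))
    print("p@ss ->", lookup(table, H("p@ss")))   # '@' is outside CHARSET: None
```

Storage is N_CHAINS entries for roughly N_CHAINS * CHAIN_LEN covered passwords, and a lookup costs on the order of CHAIN_LEN squared over two hash operations; that trade-off is why the symbol-and-space tables the post is downloading are so much larger than the alphanumeric ones. The last line of the demo also shows the other side of the coin: a password with a character the table was never built for simply comes back as not found, no matter how weak it is.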

Exploit Code Too Prevalent?

Microsoft complained this week about "security" companies publishing exploit code for its vulnerabilities. It was once common to publish proof-of-concept code as a method of proving a vulnerability exists. This goes beyond that. These companies, which have received credit for holding off public announcement of the vulnerability until a patch is available, then release exploit code at the same moment Microsoft releases the patches.

Administrators have not yet had time to do any due diligence on the patches. Even if they deployed patches without any testing, roll-outs at large organizations take time.

This exploit code is widely available. It's not like the olden days where you had to know where to look. Now every script kiddie has 5 copies of the code at their disposal, and the administrator has it too. This exploit code is then expanded on to create a worm.

Sometimes exploit code is neat. It gives a solid demonstration that encourages people to patch. Releasing this code publicly at the same time the patches are released is reprehensible. Why help the virus writing incubation period?

Security Problems for RFID?

Graduate students at Johns Hopkins University have uncovered a method of cracking the encryption surrounding RFID, so reports news.com.

Non-technical results are posted at www.rfidanalysis.org

RFID systems are used in automotive keys so that a signal from the key is necessary to start the car. It is used in Mobil SpeedPass and it is used in Wal-Mart inventory.

The writers point out that the 40 bit encryption is rather trivial to hack. What is needed is AES encryption. The problem is with the long rollout cycles for automobiles, this is not a change that will occur immediately.

Of course with speedpass I still think the primary issue is when someone steals your keys they now have access to your credit card (without signature necessary) at every Mobil/Exxon station.

Everything Old is New Again?

Over at Slashdot, they have an article on a new form of wireless hijacking.

They've written an applet to sniff wireless traffic and replace specified responses with their own content. So when you pull down a website it is replaced by something else.

In theory it's similar to a man-in-the-middle attack, but it's more interesting because it is grabbed out of the air.

Their writeup is here. I'd highly suggest not following the links to images or videos on that site.


About this Archive

This page is an archive of recent entries in the Hacks category.
