
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


A Telemarketer's Smile

Sometimes security mailing lists become the targets of hackers who are trying to make them useless, either through pointless posts or through mass spamming. One such list under attack at the moment (i.e. just as this article is being published) is 'Full-Disclosure', which is being targeted by one or more hackers in a mass spamming that forges messages from the identities of recent posters who have (in the attackers' opinion) been causing trouble for them on the list. Prominent names such as Dave Aitel and Gadi Evron are being defamed in this manner.

The goal of this mass spamming is likely to be twofold. Initially, the messages require some level of individual attention, as they claim to be valid advisories (while attacking positions that have seen some heated debate), thus taking more of the list readers' time to process. Secondly, linking prominent names to abusive and offensive posts is an attempt to get overzealous spam filters and block lists to add those names and email addresses to their lists of blocked sources. This has the effect of censoring future comments and messages from the real identities, removing them from the security community. Either way, it will take a significant amount of time and resources to recover from the issue.

Security software vendor Symantec has finally retired a notorious hacking tool from its software offering. The LC5 software, previously known as L0phtcrack, has been discontinued because it no longer fits in with Symantec's future vision. Originally designed to extract and crack passwords from vulnerable systems (marketed by Symantec as a tool to audit and recover passwords), L0phtcrack was developed by the L0pht group, which transferred the technology to @stake when the two merged in 2000; it was then sold on to Symantec in 2004. Customers who have had trouble with Symantec software in the past might see the irony in the security vendor having sold underground hacker tools as part of its valued service offerings.

In what appears to be a case related to an earlier JMSDF leak, Japanese police have inadvertently leaked information on over 1,500 people linked to three years' worth of cases. The leak came from an Okayama Prefectural Police investigator whose system was affected by the same, or a similar, worm targeting the Winny P2P file sharing application that is popular in Japan. According to news reports, the leak represents the largest online loss of information from Japanese police. What is different from the JMSDF case is that the investigator had received permission to store the files on his personal system while he was working on them. An unconfirmed report suggested that the data included details on victims of sex crimes.

A story that is gathering momentum at the moment concerns ongoing difficulties at various US financial institutions, with recent discoveries that some are preventing access to accounts from overseas teller machines. The most recent reporting initially came from a posting that first appeared on a popular blog site. The post claimed that a Citibank customer discovered that he could not withdraw funds from an ATM in Canada with his card. On calling the bank, he was told that it was due to a "class break" affecting Citibank customers accessing services in Canada, the United Kingdom, and Russia.

Further reporting and discussion suggest that the blocked access is related to earlier credit card disclosures and is a defensive measure against fraud, rather than a "class break". Even though the information was initially uncorroborated, other claims have been made that Royal Bank of Canada / Centura customers have also been affected and that the issues are definitely related to a loss of credit card data and subsequent withdrawals by the thieves. The claim has also been made that the issue is connected to the ShadowCrew (a group of credit card traders) investigation from last year.

Subsequent reporting linked the above information with more certainty to a large breach at a major retailer which has been causing ongoing issues for customers of other financial institutions. The retailer, identified as Office Max or Sam's Club, is even alleged to have stored PINs alongside card details unencrypted on internal systems. This information was then captured by a hacker (or hackers) who subsequently broke into the systems.

Security expert Bruce Schneier has also reported on incidents in Denmark where criminals are breaking into shops, pretending to ransack them, and installing skimming equipment on the EFTPOS terminals - including miniature transmitters to pass the captured data back to the hackers.

Perhaps Citibank should switch to using Mac Minis for storage. In late February a university student placed his Mac Mini online, taunting site visitors to 'rm -rf /' his system (i.e. wipe it completely) by hacking it. To facilitate this, he installed the Apache, MySQL and PHP versions available through Fink and then activated the LDAP service to provide local user accounts to anybody who connected to the system via SSH (i.e. free user accounts to all who asked). Less than six hours after the system was placed online, the website was hacked - but no other damage appeared to have been done.

The widespread media reports that the case initially attracted over the last week indicate only that the system was hacked over the internet, not that the attacker had a valid local user account at the time. While no information was provided as to the mechanism of the breach, it is assumed that he made use of a local privilege escalation exploit to gain Admin level privileges and deface the site, or exploited a known vulnerability in one of the services that was added.

The poor reporting of the incident has irritated Macintosh proponents, who have been vocally criticising it in forums against those who took the stories at face value. A follow-up challenge was taken offline by system administrators after several days because the local network owner had not properly approved it.

News from the seamier side of the Internet doesn't usually rate much attention for Information Security concerns, but a recent case does. Once a high-flying billing agent for many adult sites, iBill has more recently faced a number of legal and financial difficulties, which are only going to get worse following a disclosure of data on millions of customers. The information, which has made its way to a number of spam / hacker groups / carder sites, includes names, phone numbers, addresses, email addresses, IP addresses, logins, passwords, credit card types and purchase amounts. The source that publicised the case (Wired) claims that credit card details were missing from the files they viewed. Also missing were identity theft staples such as Social Security Numbers and driver's licence numbers. Although this information is missing, more than enough data remains to effectively blackmail or socially engineer any outcome that an attacker could want.

iBill has since come out and denied losing any customer data, claiming that the lists available online are fake.

The Register recently ran claims suggesting that Microsoft had an active hand in providing personally identifying information about a Chinese HotMail user to the Chinese authorities. The user, a Chinese dissident, is currently facing trial over information that he is alleged to have spread via a number of HotMail accounts. Privacy advocates have pointed to similar cases with Yahoo! users who had their information handed over by Yahoo! to the Chinese authorities and are claiming that the only way the authorities could have identified the latest dissident is with the active assistance of Microsoft. Microsoft is denying the claims.

The latest figures from Netcraft on online hosting have shown an increase in the raw numbers of all tracked servers for February, but the greatest increase belonged to the Apache webserver. This increase came at the cost of all other server types tracked, including the main competitor - Microsoft's IIS. Netcraft also reported that a large number of newly registered sites were primarily used as domain parks, locking the domain name away for advertising / paid searches or as part of a speculative portfolio of domain names. Netcraft states that media coverage of domain buying has possibly led to a resurgence in domain name resale, and thus to the speculative portfolios being established.

First warnings on the risk of increased attacks against Domain Name System (DNS) servers were raised by Sûnnet Beskerming early last year, and at various times again through the year. Increasing reports are being gathered of attacks that make use of specific flaws in a number of DNS servers to amplify the effectiveness of the attack. This means that one packet of data going into the DNS server is multiplied into numerous (or much larger) packets leaving the server. This allows an attacker to make their attack more efficient, delivering a much greater attack on the end target for a much smaller initial seed. It also stages the attack through an extra point, which makes it a little more difficult to trace effectively. The DNS configuration / design issues which lead to this are reported to affect a significant percentage of the DNS servers reachable from the greater Internet. Advice has recently been released which identifies the DNS server included with Windows 2003, 2000 and NT 4 as being vulnerable to this attack method.
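As an added example that is not part of the original article, the Python below measures the multiplication effect described above from constructed resolver records: it computes a bytes-out / bytes-in ratio per client and flags clients that received recursive answers despite lying outside the networks the resolver is meant to serve. The addresses, packet sizes and served-network list are all assumptions.

```python
"""Estimate DNS amplification from constructed resolver log records.

Added example (not from the original article). Each record is one UDP
query the resolver answered: client address, query size in bytes,
response size in bytes, and whether recursion was requested.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Networks this resolver is supposed to serve recursively (constructed).
SERVED_NETWORKS = [ip_network("192.0.2.0/24")]

# Constructed records: (client, query_bytes, response_bytes, recursion_desired)
RECORDS = [
    ("192.0.2.10",   60,  180, True),   # ordinary internal lookup
    ("192.0.2.11",   58,  120, True),
    ("198.51.100.7", 64, 3900, True),   # outside client, huge answer, repeated
    ("198.51.100.7", 64, 3900, True),
    ("198.51.100.7", 64, 3900, True),
    ("203.0.113.9",  62,   96, False),  # non-recursive query, small answer
]


def is_served(client):
    """True when the client address falls inside a network we serve."""
    addr = ip_address(client)
    return any(addr in net for net in SERVED_NETWORKS)


def amplification_report(records):
    """Return {client: (in_bytes, out_bytes, ratio, open_recursion)}.

    ratio is server bytes out divided by client bytes in: the factor by
    which a single incoming packet is multiplied on its way to the
    address it claims to come from.  open_recursion is True when a client
    outside SERVED_NETWORKS was given a recursive answer, the
    configuration issue that lets a third party use that multiplication.
    """
    in_b, out_b, open_rec = defaultdict(int), defaultdict(int), defaultdict(bool)
    for client, qlen, rlen, rd in records:
        in_b[client] += qlen
        out_b[client] += rlen
        if rd and not is_served(client):
            open_rec[client] = True
    return {c: (in_b[c], out_b[c], round(out_b[c] / in_b[c], 1), open_rec[c])
            for c in in_b}


def flagged_clients(records, ratio_threshold=10.0):
    """Clients whose answers are both amplified and given to unserved sources."""
    return sorted(c for c, (_, _, ratio, open_rec) in amplification_report(records).items()
                  if ratio >= ratio_threshold and open_rec)
```

Internal clients with large answers are not flagged, since the ratio alone is normal resolver behaviour; it is the combination with answering outsiders that marks the misconfiguration.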

Finally, Microsoft's Black Tuesday is due again for another month. It is reported that there will only be the one critical security patch released this coming Tuesday.

13 March 2006
