The "No Network is 100% Secure" series
- High Value Site Hacks, 2009 edition -
- In the news -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Vulnerability test: There is no malware on this page.
Click on the "How vulnerable am I?" button above to run a (completely safe) test to
see if you are vulnerable to drive-by exploits.
If a new window does NOT open, you are about as safe as you can be, at least until
these hackers come up with some new exploit. Note that you still need to have ALL
of your software (not just the operating system) patched to the latest level
since there are lots of other ways to pick up trojans and viruses besides visiting
a compromised, infected drive-by web site.
A recent study revealed that the average PC in the USA (including computers in a
corporate environment) has over a dozen current vulnerabilities. And remember,
these hackers only have to exploit one vulnerability and you're hacked! The same
study confirmed that there is an over-dependence on anti-virus software to keep
computers safe. This is an absolute fallacy! AV software is a 1999 solution to a
2009 problem. The drive-by attacks described in this white paper go largely
unnoticed by AV software. If your computer failed our vulnerability
test, it's just a matter of when, not if, you get hacked.
Feedback: We value the opinion of IT professionals. If you have comments
about this series of white papers (too detailed, not detailed enough, helpful,
boring, or whatever) we would appreciate hearing from you. The information
contained in these white papers is intended to help IT Managers better
secure their networks. The more on-point our white papers are, the more useful
the information will be to our target audience. Thanks in advance!
The Center for Defense Information (CDI): July 2009. The CDI Web site has been
compromised. The site is injected with a JavaScript code that exploits the latest
Microsoft Office Web Components Control vulnerability. The vulnerability is in the
Internet Explorer ActiveX control used to display Excel spreadsheets.
The Center for Defense Information (CDI), founded in 1972 by retired U.S. Navy Rear
Admiral Gene La Rocque, states that it is dedicated to strengthening national and
international security through: international cooperation; reduced reliance on
unilateral military power to resolve conflict; reduced reliance on nuclear weapons; a
transformed and reformed U.S. military establishment; and prudent oversight of defense
programs. It currently operates under the aegis of the World Security Institute and is
composed of academics and high-ranking retired U.S. military officers who conduct
critical analyses of U.S. defense and security policy.
It is interesting (at least to me) that an organization that promotes a weak defense
and a "kumbaya" attitude towards committed terrorists and criminals would be attacked
and hacked by the same evil people they want to give a group hug to. Morons....
Think an independent security audit isn't worth the money?: July 27, 2009
Retailer TJX Companies, Inc., has reached a $9.75 million consumer protection settlement
with 41 states, stemming from a breach of sensitive data about thousands of customers.
The company is the parent of the T.J. Maxx and Marshalls discount clothing chains and
HomeGoods stores. "This multi-state investigation was triggered by the largest computer
security breach ever reported," said Pennsylvania Attorney General Tom Corbett. "Every
time someone swiped a credit card or debit card at a store operated by TJX, their
information was funneled directly to hackers, compromising the accounts of millions of
consumers." Corbett said the settlement resolves allegations that TJX ignored flaws in
the configuration of its computer network and failed to take sufficient steps to protect
customer information--allowing hackers to access its unsecured network and operate
undetected for more than a year, leaving tens of millions of consumers vulnerable to
identity theft. Additionally, Corbett said the settlement requires TJX to upgrade and
carefully test its security systems and to regularly report the results of their
security testing to Attorneys General across the country.
Daqi.com hacked: The Daqi.com Experience Center Web site has been compromised
and is serving several popular exploits. A quick investigation shows that the following
vulnerabilities are targeted:
- Windows Animated Cursor Remote Code Execution Vulnerability
- Microsoft Windows MDAC Vulnerability
- Microsoft Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability
- Sina DLoader Class ActiveX Control 'DonwloadAndInstall' Method Arbitrary File Download Vulnerability
- Xunlei Thunder DapPlayer ActiveX Control Buffer Overflow
- Ourgame GLWorld GLIEDown ActiveX Control Vulnerabilities
- RealPlayer IERPCtl ActiveX Control Buffer Overflow Vulnerability
- Storm MPS.StormPlayer.1 ActiveX Control Buffer Overflow Vulnerability
Daqi.com is a high-profile portal site in China with Alexa rank 586, loved by people who
enjoy news all over the world.
Apache.org compromise: August 28, 2009. The open-source Apache Software
Foundation pulled its Apache.org Web site offline for about three hours today because
of a server hack caused by a compromised SSH key. A brief message posted on the site
stated that the compromise was "not due to any software exploits in Apache itself",
but was actually caused by a compromised SSH key.
No one is safe....
It's not just hackers who steal your information:
Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were
invited to join an "online community" for which they would be paid $10 with the idea
they would be helping the company learn more about their customers. It turned out they
learned a lot more than participants realized or that the feds thought was reasonable.
To join the "My SHC Community," users downloaded software that ended up grabbing some
members' prescription information, emails, bank account data and purchases on other
sites. Thanks for the Trojan, Sears and KMart... :(
The Sony rootkit is back: After purchasing an Anastacia CD, the plaintiff
played it in his computer but his anti-virus software set off an alert saying the disc
was infected with a rootkit. He went on to test the CD on three other computers. As a
result, the plaintiff ended up losing valuable data. Claiming for his losses, the
plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and
another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was
self-employed, he also claimed for loss of profits and in addition claimed 800 euros
which he paid to a computer expert to repair his network after the infection. Added
to this was 185 euros in legal costs making a total claim of around 1,500 euros. The
judge's assessment was that the CD sold to the plaintiff was faulty, since he should
be able to expect that the CD could play on his system without interfering with it. The
court ordered the retailer of the CD to pay damages of 1,200 euros.
Note that the authors of the above two items provided no information substantiating these
stories.
However, it's certainly true that vendor CDs, DVDs and floppies have been known
to contain malware, so it is always a good idea to scan ALL media before running
any of its programs or installing any of its software. As for allowing any site
to download software onto your computer? Just say "NO!".
Congress investigates Chinese cyberspying: October 22, 2009.
The Chinese government is ratcheting up its cyberspying operations against the U.S., a
congressional advisory panel found, citing an example of a carefully orchestrated
campaign against one U.S. company that appears to have been sponsored by Beijing.
The unnamed company was just one of several successfully penetrated by a campaign of
cyberespionage, according to the U.S.-China Economic and Security Review Commission
report to be released Thursday. Chinese espionage operations are "straining the U.S.
capacity to respond," the report concludes. The bipartisan commission, formed by
Congress in 2000 to investigate the security implications of growing trade with China,
is made up largely of former U.S. government officials in the national security field.
The commission contracted analysts at defense giant Northrop Grumman Corp. to write the
report. The analysts wouldn't name the company described in the case study, describing
it only as "a firm involved in high-technology development." The report didn't provide
a damage assessment and didn't say specifically who was behind the attack against the
U.S. company. But it said the company's internal analysis indicated the attack
originated in or came through China.
The FCC weighs in: October 22, 2009. The Federal Communications Commission
voted to approve proposed new rules aimed at blocking Internet service providers, like
Comcast, and wireless phone companies such as Verizon and AT&T, from intentionally
halting or slowing Web traffic. The proposal, or so-called net neutrality regulations,
will set off a series of regulatory procedures and a final rule is expected to be
introduced early next year. Supporters say the regulations prevent any company from
steering viewers to its own outlets and manipulating consumers' choice of what to watch or
read. But critics charge that the plan is another power grab by the
government.
"These new rules should rightly be viewed by consumers suspiciously as another
government power grab over a private service provided by private companies in a
competitive marketplace," Sen. John McCain wrote in an opinion article published by
The Washington Times. McCain argued that a government takeover of the Internet will
"stifle innovation" and "hinder job creation," noting that the technology industry is
the fastest-growing job market behind health care.
The proposal contains six principles, including four existing guidelines adopted in
2005 on Internet network operations. The additional rules are designed to prevent
Internet traffic discrimination and increase transparency on how carriers manage their
networks to ensure that they aren't targeting technologies that may compete with their
own services. Verizon and Google have endorsed the plan, saying they need open access
to all Internet users, while AT&T has opposed it, saying the status quo should be
maintained.
More on Congressional Cyberspying hearings: What's the most amazing and
troubling (at least to me) is that this very important issue is being largely ignored
by the USA so-called "mainstream" media. Americans would need to subscribe to the
Daily Telegraph in London to even hear about this story. London, Oct 23, 2009: The
Communist regime in China, with the help of an elite hacker community, is building its
cyber warfare capabilities and appears to be using a long-term computer attack campaign
to collect US intelligence. An independent study released by a [US] congressional
advisory panel found cases that suggested that China's elite hacker community has ties
to Beijing, although there is no substantial proof. The commission report details a
cyber attack against a US company several years ago that appeared to either originate
in or came through China and was similar to other incidents also believed to be
connected to that country, The Telegraph reports. The data from the company's network
was being sent to multiple computers in the US and overseas, according to an analysis
done by the company over several days. The report contends that the attackers targeted
specific data, suggesting a very coordinated and sophisticated operation by people who
had the expertise to use the high-tech information. An IP address located in China was
used at times during the episode, the paper reports. The Chinese Government is said to
view such cyber prowess as critical for victory in future conflicts, similar to the
priority on offensive cyber abilities stressed by some US officials. Potential Chinese
targets in the US would likely include Pentagon networks and databases to disrupt
command and control communications, and possibly corrupt encrypted data, the report says.
Citibank should have hired us!: December 23, 2009. The Wall Street Journal
reports that the FBI is looking into a potential computer-security breach that resulted
in the theft of tens of millions of dollars from Citibank by computer hackers. These
hackers appear to be linked to a Russian cyber gang who targeted Citigroup's
Citibank subsidiary, including its North American retail bank and other businesses.
This attack was detected over the summer, but there is a chance that it could have
happened as much as a year earlier.
The report goes on to say that it is possible that these same hackers hacked into a
U.S. government agency (or two). Citigroup was quick to point out that it "had no
breach of the system and there were no losses, no customer losses, no bank losses
... Any allegation that the FBI is working a case at Citigroup involving tens of
millions of losses is just not true." I know that I believe them....
This threat was discovered thanks to suspicious traffic from Internet addresses used
by the Russian Business Network (a group that has sold hacking tools for accessing
U.S. government systems). The article goes on to highlight the fact that this breach
was especially dangerous because the hackers could have toyed with the entire banking
system, as hackers gaining entry to one bank could lead to plenty of other banks
violated.
Cyber crime is now an epidemic, as losses to online crime totaled $260 million in
the U.S. alone last year. That is a heck of a lot of security breaches!
Sports fans aren't safe either: December 29, 2009. You'd think that going
to a FOX News site would be safe, right? Wrong. The Fox Sports site has recently been
compromised and injected with malicious code. Fox Sports is a division of the Fox
Broadcasting Company. It specializes in the latest sports news and world sports
updates. Fox Sports has an Alexa ranking of 330. The site has been injected with
two pieces of malicious code. One of them is the latest Gumblar campaign, and the
other redirects individuals to a malicious Web site for further attacks.
Thousands of Web sites have been compromised by the latest Gumblar campaign. The
Gumblar page is highly obfuscated. After deobfuscation, the page uses PDF and Flash
exploits to run malware in order to control a victim's computer. In addition, a
piece of VBScript is executed to download malware. Some of these vulnerabilities,
such as the Adobe Flash and PDF ones, currently have no patch available, so if you visited
FOX News recently and have vulnerable software installed, you are most likely infected.
We are receiving a lot of hits on our Trojan White Paper page so we suspect that the
numbers of infected PCs may be quite high.
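The traits described above (a heavily obfuscated injected script that decodes itself at runtime, plus a VBScript stub that downloads malware) are exactly what a site owner can scan their own pages for. The following detector is an added example, not code from this paper or from Easyrider LAN Pro; the sample pages, the heuristics and the "two or more" threshold are constructed assumptions, not Gumblar's actual code or a published signature.

```python
"""Heuristic scan of a page's inline <script> blocks for the traits the
white paper attributes to injected drive-by code: runtime decoding
(eval/unescape/fromCharCode/document.write), long escape blobs, oversized
string literals and VBScript download stubs. Constructed example: the
sample pages and the thresholds are made up, not Gumblar's actual code."""
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
# Constructs a normal page rarely needs but injected loaders lean on.
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\b")
# Sixteen or more back-to-back %xx / \xNN escapes: an encoded payload, not text.
HEX_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){16,}")
VBS_RE = re.compile(r"""(language|type)\s*=\s*["']?(text/)?vbscript""", re.I)

def assess_script(attrs, body):
    """Return the list of heuristics one script block trips."""
    reasons = []
    if VBS_RE.search(attrs):
        reasons.append("vbscript block")
    decoders = sorted(set(m.group(1) for m in DECODER_RE.finditer(body)))
    if len(decoders) >= 2:
        reasons.append("runtime decoding: " + ", ".join(decoders))
    if HEX_RUN_RE.search(body):
        reasons.append("long %xx/\\x escape run")
    longest = max((len(s) for s in re.findall(r"""["']([^"']*)["']""", body)), default=0)
    if longest > 200:
        reasons.append("string literal of %d chars" % longest)
    return reasons

def scan_page(html):
    """(index, reasons) for every block that is VBScript or trips >= 2 heuristics."""
    hits = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        reasons = assess_script(m.group(1), m.group(2))
        if "vbscript block" in reasons or len(reasons) >= 2:
            hits.append((i, reasons))
    return hits

# Constructed samples: a benign page, and the same page with two blocks
# appended in the style the paper describes (decoded, the %xx blob is
# merely the text 'document.write("<iframe ').
CLEAN_PAGE = """<html><head><script type="text/javascript">
function toggle(id) { var e = document.getElementById(id);
  e.style.display = e.style.display == 'none' ? '' : 'none'; }
</script></head><body>Scores</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%20"));
document.write(String.fromCharCode(60, 105, 102, 114, 97, 109, 101, 62));</script>
<script language="vbscript">Set o = CreateObject("MSXML2.XMLHTTP")</script>
</body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for idx, reasons in scan_page(page):
            print("%s: script #%d flagged: %s" % (name, idx, "; ".join(reasons)))
```

Run it against a saved copy of your own pages after every deployment and diff the flagged blocks against the previous run; a block that appears without a matching change in your own source control is the injection the paper describes.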
Many security pros are focused on the wrong threats:
Many corporate information technology departments are prioritizing the wrong threats to
their computer systems. They focus on old problems while leaving their companies open
to a myriad of new cyber attacks that target sensitive customer and corporate information. In
2009, two cyber risks dwarfed all others. But many IT Managers are not effectively
mitigating them, instead preferring to invest in mitigating less critical risks. The less
critical risks are things like flaws in the Windows operating system. While these bugs
were the No. 1 problem for everyone
on the Internet not long ago, times have changed. Thanks to significant security
improvements by Microsoft, automated tools for applying its patches and generally good
habits within organizations, the operating system is now much harder to hit. As such,
hacker interest has waned. Only one major worm, Conficker, circulated in the first half
of 2009. Attacks on operating systems accounted for only about 30% of the total
volume of attack activity on the Internet. And thanks to patching, most of these were
not very successful.
On the rise in 2009 are quiet attacks on desktop programs, such as Microsoft's Office,
Adobe's Flash Player and Acrobat programs, Java applications, and Apple's QuickTime program.
Attacks on these programs currently account for about 10% of attack volume, up from
zero three or four years ago. And these are likely to be far more successful, since
more than 90% of corporate computers are using old, unsecured versions of these
programs.
Attackers are very opportunistic. They will work with the easiest to use vulnerability
that will give them the biggest return. This is why attacks on company Web sites have
skyrocketed. An estimated 60% of attack activity is now directed at trying to hack Web
sites. This is often accomplished by targeting "SQL injection" and "Cross-Site
Scripting" flaws in open-source and custom-built Web applications, which currently
account for more than 80% of the new vulnerabilities being discovered. Attackers are
often looking to steal proprietary company information, such as customer data and
trade secrets. Security software company McAfee estimated that in 2008, companies
around the world lost more than $1 trillion due to this sort of intellectual property
and data theft. Hackers also frequently turn the sites they victimize into tools for
distributing malicious programs to the computers of site visitors, often turning
customers' machines into zombies that are networked into botnets much like the one
that Conficker has built.
The latest data shows that exploiting flaws in web server and client-side applications
is the current dominant attack vector. However, smart IT Managers remain well
aware that the number one weakness in enterprise security remains the fact
that people (Users) are still being fooled into allowing hackers to infect their
workstations. Old fashioned, unsophisticated phishing schemes and tricking Users
into downloading malware are still the top threat that needs to be protected against.
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20-year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Last modified June 25, 2009
Copyright 1990-2009 Easyrider LAN Pro