Hackin9

InfoSec News

Lenovo surpassed Dell to become the world's second largest PC vendor at the end of the third quarter, according to research firms IDC and Gartner.
 
Research In Motion reported late Wednesday that email was operating, and BlackBerry Messenger (BBM) traffic was online and passing successfully in all regions where its service was previously affected.
 
Microsoft Silverlight & .NET Framework Inheritance Restriction Remote Code Execution Vulnerability
 
Microsoft Windows Active Accessibility DLL Loading Arbitrary Code Execution Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
With today's focus on the release of iOS 5, and people worldwide refreshing the UPS shipping status page to check if the iPhone 4S left Hong Kong or Anchorage yet, a patch released for OS X Lion (10.7) came in under the radar. In addition to bringing us iCloud support and a good number of other security related patches, one issue sticks out as SUPERCRITICAL, PATCH NOW, STOP THAT iOS 5 DOWNLOAD.
The exploit can be implemented in a line of JavaScript, and will launch arbitrary programs on the user's system. It does not appear that the attacker can pass arguments to the software, which may make real malicious exploitation a bit hard, but I am not going to wait for an improved proof of concept to prove me wrong.
That said: it is our policy not to link to exploit code. Search Twitter and other outlets for links. We may reconsider if we see the code used maliciously. At this point, I am only aware of the PoC site. Please let us know if you spot it anywhere else.
NB: My MacBook failed to boot after applying the update. Still debugging why :(
Update: In my case, the MacBook boot failed because I had Symantec's PGP software installed. I didn't use the whole disk encryption, but PGP still installed drivers that turned out to be the problem. My recovery process:
- hold command+R during boot to boot into recovery mode (if you have a recovery partition)

- if you are using FileVault 2, launch Disk Utility to unlock the disk

- remove the following files from your system disk (which is now mounted under /Volumes):

Library/Extensions/PGPnke.kext
System/Library/Extensions/PGPwde.kext
Library/Extensions/PGPdiskDriver.kext
This did it for me. The next reboot went fine. For more details see the following sites that helped me get this working:

http://prowiki.isc.upenn.edu/wiki/Removing_PGP_Desktop_on_a_Mac

https://discussions.apple.com/message/16333057#16333057

http://www.macworld.com/article/161088/2011/07/hands_on_lion_recovery_mode.html

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
The benefits of server virtualization are so significant at this point that implementing it is a no-brainer. First and foremost, server virtualization makes much better use of computing resources than physical servers do, since you can run many different virtual servers on a single physical host. In fact, you may be surprised at just how many general-purpose server instances a single modern server can handle simultaneously.
 
Red Bend, which makes products for delivering over-the-air software updates, will soon offer a virtualization technology for Android devices that allows a user to have both a personal profile and a business profile on the same device.
 
Both server virtualization and desktop virtualization use a software core called a hypervisor to run multiple operating systems on the same physical server hardware. Each OS is kept separate, with resources dedicated as needed.
 
Google Cloud Storage, announced Tuesday, allows you to store your company's business data online for a minimal cost. You can access your data from anywhere, you don't have to engage in costly server hardware management, and the largest tech giant in the world protects your data. All of this opens up cloud data storage to small and medium sized businesses as well as the enterprise-sized companies that were relying on it in the past.
 
Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1985) Local Privilege Escalation Vulnerability
 
AzeoTech DAQFactory Denial of Service Vulnerability
 
Microsoft Windows Kernel 'Win32k.sys' TrueType Font File Remote Denial of Service Vulnerability
 
Microsoft Windows Kernel '.fon' Font File Remote Code Execution Vulnerability
 
http://www.sans.org/critical-security-controls/control.php?id=8



Next up, Critical Control 8. This one shines a spotlight on the need to place tight controls around the use of Admin or any Powerful Privileges on all of your systems. Essentially, what this means is Admin access (root/Administrator accounts) should be tightly controlled and monitored for use and abuse.



Exploiting the Control



The Admin privileges can always be exploited when controls are not present. Here are some quick examples of why these controls are important.



1. When Admin accounts are used regularly, they can be exploited...

- when a malicious email is opened.

- when a malicious file is downloaded and opened.

- when the user visits a site that can exploit the browser.

(each of these happens unwittingly or inadvertently)

which gives enough access to own your system and your data.



2. When user accounts with Admin privileges are configured with standing access to privilege escalation and little accountability, they can be exploited...

- by exploiting the user account through one of the methods above

- by password guessing the user account with standing privileges

then escalating access to own your system and your data.



Mitigation



The definition of Critical Control 8 identifies 8 QUICK WINS. I will not cover them here. Read through them, and do not be shy about sharing ideas in the comments on how to implement them. We all want to read more!



One example...



I can provide some detail on using sudo to mitigate the risk that comes with the root account on your UNIX servers. One method is to apply the following controls to the root account in order to minimize its use and the abuse of its privilege.

Automate the changing of the root password on a regular basis. Daily is my recommendation. There are many ways to accomplish this, so please share your ideas.

Limit the operational staff's access to an as-needed basis. When crisis/incident/support needs arise, provide a mechanism for them to check out or look up the root password. Again, there are many ways; share your ideas.

A way to keep the recurring need for root at bay and minimize the exposure to root for any ops support team is to create a list of common commands the systems administrator staff use daily. Take this list and configure sudo to provide standing access to a complete but bounded command set. This mechanism provides two things:



- Lessens the opportunity for the abuse of privilege.

- Provides accountability to the user that executes the commands.

A brief example of implementing this sudo rule set can be:

(NOTE: this is NOT an exhaustive list, it is brief only to illustrate.)

Place this rule set into your sudoers file, create the admins group and add all of your system admins to it, and they will have the ability to use sudo to execute these commands as root.

User_Alias SYSTEM_ADMINS = %admins

Cmnd_Alias ADMIN_COMMANDS = \
    /bin/date, \
    /bin/kill, \
    /bin/mount, \
    /bin/umount, \
    /sbin/ifconfig, \
    /sbin/ifup

SYSTEM_ADMINS ALL=(root) NOPASSWD: ADMIN_COMMANDS
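To see what a rule set like this actually grants before it goes live, here is an added example (my own code, not from the diary or from the sudo project) that expands the aliases into effective grants and flags entries that would hand out a full root shell. The embedded rule set is the diary's; the syntax subset the parser understands and the watch list of shell-escaping programs are assumptions of the example.

```python
"""Expand a sudoers rule set into its effective grants for review.

Understands only the subset of sudoers syntax used in the diary:
User_Alias, Cmnd_Alias, backslash continuations, '#' comments,
Defaults lines (ignored) and specs like  WHO HOST=(RUNAS) [NOPASSWD:] CMDS
"""
import os
import re
from dataclasses import dataclass

# The diary's rule set, embedded so the example runs offline.
SUDOERS_SAMPLE = """\
User_Alias SYSTEM_ADMINS = %admins

Cmnd_Alias ADMIN_COMMANDS = \\
    /bin/date, \\
    /bin/kill, \\
    /bin/mount, \\
    /bin/umount, \\
    /sbin/ifconfig, \\
    /sbin/ifup

SYSTEM_ADMINS ALL=(root) NOPASSWD: ADMIN_COMMANDS
"""

# Reviewer's watch list (an assumption of this example, not from the diary):
# programs that give the caller an interactive shell or arbitrary file
# access, which would turn a "limited command set" into full root.
SHELL_LIKE = {"sh", "bash", "ksh", "zsh", "csh", "su", "vi", "vim", "less"}

_ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
_SPEC_RE = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*"      # WHO HOST=
    r"(?:\(([^)]+)\)\s*)?"            # optional (RUNAS)
    r"((?:[A-Z]+:\s*)*)"              # optional tags such as NOPASSWD:
    r"(.+)$"                          # command list
)


@dataclass(frozen=True)
class Grant:
    who: str        # user, %group or expanded alias member
    host: str
    runas: str
    command: str
    nopasswd: bool


def _logical_lines(text):
    """Join backslash-continued lines, strip comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.split("#", 1)[0].rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1] + " "
            continue
        buf += piece
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        lines.append(" ".join(buf.split()))
    return lines


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def _expand(name, aliases):
    """Recursively expand an alias name; anything else is returned as itself."""
    if name not in aliases:
        return [name]
    expanded = []
    for member in aliases[name]:
        expanded.extend(_expand(member, aliases))
    return expanded


def parse_sudoers(text):
    """Return the list of effective Grant objects encoded by a sudoers text."""
    users, cmnds, grants = {}, {}, []
    for line in _logical_lines(text):
        if line.startswith("Defaults"):
            continue
        alias = _ALIAS_RE.match(line)
        if alias:
            kind, name, members = alias.groups()
            (users if kind == "User_Alias" else cmnds)[name] = _split_list(members)
            continue
        spec = _SPEC_RE.match(line)
        if not spec:
            raise ValueError(f"unrecognised sudoers line: {line!r}")
        who, host, runas, tags, cmdlist = spec.groups()
        nopasswd = "NOPASSWD:" in tags
        for user in _expand(who, users):
            for item in _split_list(cmdlist):
                for command in _expand(item, cmnds):
                    grants.append(Grant(user, host, runas or "root", command, nopasswd))
    return grants


def review(grants):
    """Findings a reviewer should look at before deploying the rule set."""
    findings = []
    for g in grants:
        program = os.path.basename(g.command.split()[0])
        if g.command == "ALL":
            findings.append(f"{g.who} may run ANY command as {g.runas}")
        elif program in SHELL_LIKE:
            findings.append(f"{g.who} may run {g.command} as {g.runas}: shell escape")
    return findings
```

Use it alongside `visudo -c`, which checks the real grammar; this parser only covers the subset the diary uses.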



I have in the past been involved with efforts of this nature in sizeable shops. It is difficult at first, but it can provide good efficiencies and it always keeps the auditors happy when it comes to US SOX laws and the like.



Please feel free to share what other ideas are being used out there.



Implementation, Metrics, and Testing



Controlling the use of Admin Privileges is no small task, and only gets harder as your environment continues to grow. So if your shop is small, get to it. It will never get easier than it is today.



The control definition on the URL above provides some insight on Metrics, Testing and Monitoring the use of admin privs. Read through it and please use the comment button to provide some ideas and feedback on the following:



Any other examples of gaps that this control proposes to mitigate?

(I offered two above).

What can be used to accomplish the 8 QUICK WINS?

What controls can be used for Windows Powerful Privilege?

(Many of us want to hear what you do!)



Any variations of sudo that can provide some good control?



What are you using for Sensors, Measurement, and Scoring?

(See CC8 definition: http://www.sans.org/critical-security-controls/control.php?id=8)



The more we share these ideas the safer all of our systems and data will be.



--

Kevin Shortt

ISC Handler on Duty
 
Apple Safari ImageIO TIFF Image Handling Heap Buffer Overflow Vulnerability
 
IBM has expanded its SmartCloud services, giving customers more tools to migrate their existing processes and data onto IBM's PaaS (platform-as-a-service) offerings, or to set up their own private clouds.
 
After helping pave the way for platform independent websites and applications, the Mozilla Foundation has set a new, and ambitious, task for itself to standardize mobile applications on the Web platform as well.
 
As far as NASA's IT CTO is concerned, mobile technology and public and private cloud infrastructures will soon make help desks as we know them pointless.
 
Reports of problems with the iOS 5 upgrade flooded Apple's support forum today soon after Apple released the new mobile operating system.
 
EBay has launched an application development platform called X.commerce that pulls in tools and functionality from a variety of its sites and products, including the eBay marketplace and PayPal, as well as from partners.
 
 
iDefense Security Advisory 10.11.11: Microsoft Internet Explorer Object Handling Memory Corruption Vulnerability
 
APPLE-SA-2011-10-12-6 Numbers for iOS v1.5
 
APPLE-SA-2011-10-12-5 Pages for iOS v1.5
 
APPLE-SA-2011-10-12-4 Safari 5.1.1
 
AMD is looking to get back into the race with Intel with the introduction of its eight-core desktop chip and its new Bulldozer architecture.
 
A Google engineer has caused an online stir by posting a long rant on Google+ that slams Google and calls the company's new social network a 'pathetic afterthought.'
 
Microsoft Wednesday announced it will collaborate with Yahoo spin-off Hortonworks to develop a Apache Hadoop implementation for its Windows Server and Windows Azure platforms.
 
BlackBerry email service delays continued globally on Wednesday, with BlackBerry Messenger instant messaging and Web browsing still down in many regions after three days.
 
Robert W. Galvin, the son of the founder of Motorola and CEO of the company for 29 years, has died. He was 89.
 
Within Apple's new iCloud service, you can sync, back up your devices, and locate friends--but if you want to manage your music and purchases, look to the service's iTunes in the Cloud initiative: For free, you can automatically download any new purchases across all your devices, and access any past purchases (still available on iTunes); pay an extra $25 a year, and you can store and stream your music online with iTunes Match. Here's how these all work.
 
With portable devices, there's always a risk of losing or damaging your hardware when you're out and about. As such, it makes sense to make regular backups of your iPhone, iPad, or iPod touch, but in the past, that process has been easier said than done. With iCloud Backup, however, you can back up your iOS device's data automatically, even when you're not using it.
 
Over the past few years, consumers have become obsessed with the notion of having their documents and data instantly available wherever they are, on whichever device they happen to be using at the time. In the past, Apple experimented with this by offering limited sync services; with iCloud, the company is charging head-first into the digital-sync sphere.
 
Apple has unwittingly become an enterprise player, and the company is leading the trend toward IT consumerization as users become attached to their iPads and iPhones and IT administrators try to incorporate the devices into corporate technology infrastructures.
 
Once you have iCloud set up on your devices, you can take advantage of the service's syncing capabilities. You'll be able to access your contacts, calendars, mail, documents, photos, and more across all your devices and on the Web. The syncing process on iCloud, however, is different than the iTunes syncing process Apple users have become familiar with. With iCloud, your data is seamlessly pushed across all of your devices; you won't actively have to choose when you want to sync your device. Instead, your data is automatically stored onto iCloud, and your iOS devices and computers collectively sync to and pull information from this central server on a regular basis, keeping everything up to date.
 
APPLE-SA-2011-10-12-3 OS X Lion v10.7.2 and Security Update 2011-006
 
APPLE-SA-2011-10-12-2 Apple TV Software Update 4.4
 
APPLE-SA-2011-10-12-1 iOS 5 Software Update
 
CORE-2011-0106: Microsoft Publisher 2007 Pubconv.dll Memory Corruption
 
Apple today shipped the long-awaited upgrades to its mobile and Mac operating systems that provide, among other things, access to the new iCloud service.
 
Apple today launched iCloud, the free online synchronization and backup service that replaces MobileMe.
 
Hard on the heels of recent reports that Google's Chrome browser may overtake Firefox by year's end, Mozilla on Monday released its annual “State of Mozilla” report including rosy financial results and a discussion of its efforts moving forward.
 
When Apple's iOS 5 launches, iCloud will be waiting.
 
A coalition of IT vendors, online companies and nonprofit organizations have launched a wide-ranging program to drive up broadband adoption in the U.S. and train residents in tech skills in an effort to cut unemployment and spur economic growth.
 
OPC Systems.NET RPC Packet Remote Denial of Service Vulnerability
 
AppSec DC 2012 CFP is OPEN!
 
Re: SilverStripe 2.4.5 Multiple backend Cross-site scripting vulnerabilities
 
 
Attacks against the Mac are on the rise, and users need to know what they're up against to mount an effective defense. Here's a survival guide that will help. Insider (registration required)
 
Multiple vulnerabilities in BugFree
 
Multiple vulnerabilities in Pretty Link WordPress Plugin
 
LedgerSMB 1.3.0 released, includes anti-XSRF framework
 
After a recent survey revealed that almost 80 percent of its largest customers lack a mobile-optimized website, Google has decided to launch a program to address that issue specifically among retailers.
 
BlackBerry users Wednesday reported that problems are continuing into a third day in Europe and Asia, after Research in Motion reported on Tuesday that a fix was underway.
 
After Raytheon began selling missiles to Taiwan in 2006, the defense company's computer network came under a torrent of cyberattacks.
 
The SSL certificate authorities like Comodo that have had their security undermined by hackers shouldn't be trusted, and in fact, the way the entire SSL certificate industry of today works can and should be replaced with something better, says Moxie Marlinspike, a security expert who's come up with a plan he says will do that.
 
Google App Engine SDK Cross Site Request Forgery Vulnerability And Command Execution Weaknesses
 
[ MDVSA-2011:148 ] samba
 
Google App Engine SDK Code Execution Vulnerability (CVE-2011-1364)
 
What's in a name? That which we call a rose

By any other name would smell as sweet. Juliet, Romeo and Juliet (II, ii, 1-2)



to be esteemed is better than silver or gold. Proverbs 22:1 (NIV)

A rose is a rose is a rose
What if I could hack your organization and abuse your company's reputation, and what if I could do it without your firewall, IDS, IPS, or your host-based badware detection making a peep?

What if I could use your organization's good name to sell ED drugs, questionable Facebook apps, shady online personal ads, or to distribute porn that would make a sailor blush?

What if I did all of that, and you didn't know? What if the hack itself took place on a machine you didn't directly control and only accessed rarely? And what if the hack was so subtle, so obscure, and so difficult to find that once I had it in place, it might be years before you ever stumbled across it, if you ever stumbled across it at all?

This nightmare scenario is, unfortunately, reality for at least 50 organizations (the ones that I've been able to uncover), and I'm certain that there are many, many more. Each of these organizations has been a victim of a malicious alteration of their domain information: an alteration that added new machine names to their existing information, and allowed bottom-feeding scam artists to abuse their good reputation to boost the search-engine profile of their drug, app, personal-ad, or porn sites.



Take a look at the following table:





Note: These IP addresses can (and should) change. The above information was gathered 10-7-2011 13:00 UTC.

Over 150 new entries have been created in the zone information for these organizations. Each of these new sites inherits whatever good reputation the parent domain may have accumulated, and is, therefore, valuable as a means of search engine optimization (SEO).



The following table shows that these hacks occurred at multiple DNS providers with a few being somewhat more popular than others:







Down the Rabbit Hole



Finding these sites was a matter of luck and perseverance. Initially, I happened across a single, odd-sounding site name while looking for organizations that had been compromised by the bad guys for SEO purposes. Using tools that attempt to list all of the domain records pointing to a particular IP address led me to more. Google searches for sites linking to these domains led me further. Unquestionably, there are more of these types of sites out there, some not currently in use. However, because there is no good way to truly search DNS information, attempting to find these from the outside is difficult and frustrating.



Round up the usual suspects...



How did this happen? Unsurprisingly, no one I talked to about this was standing at the front of the line, ready to take the blame for these issues: Domain owners swear they used good passwords and are sure that the DNS providers were hacked, DNS providers are certain that the Domain owners used lousy passwords on their accounts... 'round and 'round we go.



My gut tells me that the truth lies somewhere in between: bad passwords combined with poor account lockout controls on something like a cPanel-type web interface probably led to successful brute force attacks on most of these... I could, however, be completely wrong. Unfortunately, I just don't have the time to chase every one of these to ground.



Don't Let This Happen To You

- Check your DNS zone file information periodically, just to make sure nothing has been added without your knowledge.

- Choose passwords wisely, especially on interfaces where brute-force attacks are likely (i.e. pretty much anything accessible from the internet). Never use dictionary words. And remember: while qwertyuiop may not be in your dictionary, it IS in mine...

- Periodically take a look at your website the way Google sees it (Google search: site:yoursite.com NOT www.yoursite.com) and look through the pages for anything out of the ordinary. Toss a few choice keywords in as well (Viagra, Cialis, drugs, personals, etc.). This kind of search can help you discover many different types of issues with your site.
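One way to act on the first point above, as an added example that is not the diary's own code: keep a known-good copy of your zone, diff it against the current copy, and flag additions whose label contains the words the scammers used or whose address the zone never pointed at before. The zone snapshots below are constructed with RFC 5737 test addresses, and the zone-syntax subset and the word list are assumptions of the example.

```python
"""Diff two copies of a DNS zone and flag additions that look like the
SEO-spam records described in the diary.

Parses only a small subset of BIND zone-file syntax: $ORIGIN, $TTL,
';' comments, and one-record-per-line RRs with optional TTL and class.
SOA records are ignored because their serial changes with every edit.
"""

# Constructed zone snapshots using RFC 5737 documentation addresses;
# the "current" copy has three records the "baseline" copy lacks.
BASELINE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@             IN SOA ns1.example.org. hostmaster.example.org. 2011100701 7200 900 1209600 300
@             IN NS  ns1.example.org.
@             IN A   192.0.2.10
www           IN A   192.0.2.10
mail          IN A   192.0.2.25
@             IN MX  10 mail.example.org.
"""

CURRENT_ZONE = BASELINE_ZONE.replace("2011100701", "2011100801") + """\
buy-viagra    IN A   198.51.100.77   ; added by someone other than the owner
payday-loans  IN A   198.51.100.77
blog          IN A   192.0.2.10      ; legitimate new host on the usual address
"""

# Words the diary's hijacked hostnames were built from.
SUSPECT_WORDS = ("viagra", "cialis", "drugs", "personals", "payday",
                 "loans", "tubes", "facebook", "player", "translator")
_CLASSES = {"IN", "CH", "HS"}
_ADDRESS_TYPES = {"A", "AAAA"}


def parse_zone(text):
    """Return the zone as a set of (owner, type, rdata) tuples, SOA excluded."""
    origin, records = ".", set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():
            rest = rest[1:]                      # optional TTL
        if rest and rest[0].upper() in _CLASSES:
            rest = rest[1:]                      # optional class
        if len(rest) < 2:
            raise ValueError(f"cannot parse zone line: {raw!r}")
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype == "SOA":
            continue
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"          # relative name -> FQDN
        records.add((owner, rtype, rdata))
    return records


def zone_diff(baseline, current):
    """Return (added, removed) record lists between two zone snapshots."""
    before, after = parse_zone(baseline), parse_zone(current)
    return sorted(after - before), sorted(before - after)


def suspicious_additions(baseline, current):
    """Flag added records whose leftmost label contains a spam word or whose
    address is one the baseline zone never pointed at."""
    known_addrs = {rdata for _, rtype, rdata in parse_zone(baseline)
                   if rtype in _ADDRESS_TYPES}
    findings = []
    for owner, rtype, rdata in zone_diff(baseline, current)[0]:
        reasons = []
        label = owner.split(".", 1)[0].lower()
        if any(word in label for word in SUSPECT_WORDS):
            reasons.append("spam-like label")
        if rtype in _ADDRESS_TYPES and rdata not in known_addrs:
            reasons.append("new address")
        if reasons:
            findings.append((owner, rtype, rdata, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_additions(BASELINE_ZONE, CURRENT_ZONE):
        print(*finding)
```

Feed it the zone as exported from your provider's control panel; the "new address" check is what separates the hijacked names in the diary's table from the legitimate www records, which sit on different hosts.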


Tom Liston

ISC Handler

Senior Security Consultant, InGuardians, Inc.

Twitter: @tliston
 

Survey finds dangerous gap in prevention
CSO
However, as we noted in last month's cover story, What makes an infosec leader, organizations are not investing in the processes necessary to make certain those technologies are running in concert. For instance, only 43% of respondents have established ...

 
Photographers of all levels, from professional to hobbyist, eagerly embraced the iPhone as a powerful shooting, sharing, and editing device: the sheer number of photography apps available for the iPhone and iPod touch is overwhelming. The iPad, however, has proven to be less popular as a device for the snap-happy crowd.
 
The Zeus financial malware has been updated with peer-to-peer functionality that makes it much more resilient to take-down efforts and gives its controllers flexibility in how they run their fraud operations.
 
IBM plans to roll out software on its midrange and high-end clustered storage arrays that allows policy-based migration, backups and data deletion. The company also will announce that its V7000 series array can perform both file- and block-based data transfers.
 
Microsoft and Nokia are wooing Symbian developers, offering them help in porting applications to Windows Phone ahead of the launch of the Finnish company's first smartphone based on Microsoft's platform.
 
Cisco this week filled out its desktop virtualization product line by adding a thin client that improves processing and bandwidth utilization for voice and video.
 
Neustar is acquiring privately owned Targusinfo for approximately $650 million in cash in a bid to expand its real-time information and analytics services, it said on Tuesday.
 
BlackBerry users Wednesday reported that problems are continuing into a third day in Europe and Asia, after Research in Motion reported on Tuesday that a fix was underway.
 
China's Huawei Technologies has called on the U.S. Department of Commerce to explain why the company is apparently being excluded from participation in the construction of a national wireless network for emergency responders.
 
They're bright-eyed and bushy-tailed, but new tech grads aren't quite ready for the work world, IT managers say. Here are seven skills they lack.
 
The production of hard disks at Western Digital (WD) facilities close to Bangkok, Thailand, has been halted following severe flooding, the company said on Wednesday.
 
India's second-largest outsourcer, Infosys, reported strong revenue and profit growth for the quarter ended Sept. 30, despite concerns about economic problems in its key markets in the U.S. and Europe.
 
Joomla! Sgicatalog Component 'id' Parameter SQL Injection Vulnerability
 
Sony has suspended 93,000 user accounts on several of its gaming and entertainment networks after unauthorized login attempts on those accounts, it said Wednesday.
 
TUGZip ZIP File Remote Buffer Overflow Vulnerability
 

Posted by InfoSec News on Oct 12

http://www.theregister.co.uk/2011/10/11/websites_share_usernames/

By Dan Goodin in San Francisco
The Register
11th October 2011

Home Depot, The Wall Street Journal, Photobucket, and hundreds of other
websites share visitor's names, usernames, or other personal information
with advertisers or other third parties, often without disclosing the
practice in privacy policies, academic researchers said.

Sixty-one percent of websites tested by...
 

Posted by InfoSec News on Oct 12

http://www.csoonline.com/article/691487/case-study-security-on-a-shoestring-budget

By Joan Goodchild
Senior Editor
CSO
October 11, 2011

According to figures released recently by Kaspersky Lab, 1300 IT pros
were asked about IT risks and security spending. Among large companies,
the average security budget is $3.35 million, according to Kaspersky's
data.

To Michael Dent, CISO of Fairfax County Government in Virginia, this
sounds like an...
 

Posted by InfoSec News on Oct 12

http://www.wired.com/dangerroom/2011/10/drone-virus-kept-quiet/

By Noah Shachtman
Danger Room
Wired.com
October 11, 2011

Officials at Creech Air Force Base in Nevada knew for two weeks about a
virus infecting the drone “cockpits” there. But they kept the
information about the infection to themselves -- leaving the unit that’s
supposed to serve as the Air Force’s cybersecurity specialists in the
dark. The network defenders at the...
 
Joomla! JCE Component Multiple Directory Traversal Vulnerabilities
 

Posted by InfoSec News on Oct 12

http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html

By Robert Lemos
Contributing Editor
Dark Reading
Oct 11, 2011

For a decade, security researchers have been able to earn money by
selling the details of significant vulnerabilities to bounty programs:
first to the Vulnerability Contributor Program launched by iDefense in
2002, and then to...
 

Posted by InfoSec News on Oct 12

http://www.inquisitr.com/149788/sony-online-entertainment-and-playstation-networks-hacked-93000-accounts-compromised/

By James Johnson
The Inquisitr
October 12, 2011

Sony chief security officer Philip Reitinger warned Sony Entertainment
Online customers and PlayStation Network users on Tuesday night that
their accounts may have been compromised after a hack led to 93,000
accounts being compromised.

Sony announced that all 93,000 accounts...
 

Posted by InfoSec News on Oct 12

http://tribune.com.pk/story/271116/ban-porn-or-else-hacker-penetrates-pta-site/

By Jahanzaib Haque
The Express Tribune
October 10, 2011

The Pakistan Telecommunication Authority (PTA) website was hacked on
Monday by a hacker who left a message demanding a blanket ban on all
websites containing explicit material.

The PTA website faced a database error for some time, and while its
front page was not defaced, a page listing the demands of...
 

Posted by InfoSec News on Oct 12

http://www.networkworld.com/news/2011/101111-rsa-chief-says-two-groups-251804.html

By Jeremy Kirk
IDG News Service
October 11, 2011

Six weeks after EMC's RSA security division saw its SecurID system hit
by hackers, RSA president Tom Heiser met with the CIO of a large global
medical device company.

The CIO wasn't happy. SecurID, an authentication system used by 40
million people in at least 30,000 organizations worldwide to...
 