Monthly Archives: June 2008

Social Engineering Used in Museum Heist

Filed under Social Engineering

[Image: 20080610-bear_spray.jpg, "Bear spray is no joke"]

Classic social engineering at its best: a professional thief (or thieves) apparently got away with over 2 million dollars’ worth of rare art and jewelry. It pretty much sounds like a movie scenario! From the CBC article:

“Four hours before the break-in on May 23, two or three key surveillance cameras at the Museum of Anthropology mysteriously went off-line.

Around the same time, a caller claiming to be from the alarm company phoned campus security, telling them there was a problem with the system and to ignore any alarms that might go off.

Campus security fell for the ruse and ignored an automated computer alert sent to them, police sources told CBC News.”

Wonderful. It gets better…

“Then, as the lone guard working overnight in the museum that night left for a smoke break, the thief or thieves broke in, wearing gas masks and spraying bear spray to slow down anyone who might stumble across them.”

Bear spray, you say? Yes sir, bear spray is some serious stuff. It’s like regular self-defense pepper spray but “super charged”! By the way, what’s the deal with the surge in “bear spray” related crimes in Canada? Can anyone in Canada verify a serious bear problem up there? ;-)

They still haven’t caught the thieves. These guys were good. Note the sequence: the cameras went offline first, a pretext phone call then primed campus security to ignore the alarm that the break-in was bound to trigger, and the entry itself was timed to the lone guard’s smoke break. No exploit and no malware anywhere; the alarm system did exactly what it was designed to do, and a human was talked into discarding its output. The control that would have broken the chain is boring but effective: any “ignore the alarms” instruction gets verified by calling the alarm company back on the number you already have on file, never on one the caller supplies. Goes to show you yet another example of “no tech” hacking and how humans are always the weakest link in security.


Indiana Bank gets Hacked…Who’s really to blame?

Filed under Hacking

[Image: 20080609-1stSourceBank.jpg, "1st Source Bank Hacked"]

An interesting story hit the wire last week about another bank security breach. This time 1st Source Bank of South Bend, Indiana became the next victim of stolen debit card data. Not a ton of details have emerged yet, but we do know the following:

1. An external monitoring service (an MSSP perhaps?) or hired security consultants (doing a pen test?) detected an unusual amount of data leaving one of the bank’s servers.

2. The bank notified law-enforcement authorities and hired outside forensic firms (aka security incident response consultants) to analyze the breach.

3. Track 2 data was compromised. Per ISO/IEC 7813, Track 2 holds the primary account number (PAN), the expiration date, the service code and issuer discretionary data; on many cards the discretionary field carries the card verification value and a PIN verification value, but never the PIN itself (the PIN is not written to the stripe, so there is nothing there to encrypt). What Track 2 does give an attacker is everything needed to encode a working clone of the magnetic stripe, which makes fraudulent swipe transactions possible, and ATM cash-outs as well if PINs were captured by some other means.

4. The bank is reissuing all debit cards in its portfolio and is offering to pay for “Deluxe ID TheftBlock” at $4.95 a month for one year for any customer who requests the service.
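To make item 3 concrete, here is an added example (not code from the original post or from the bank) that parses a Track 2 string the way a card reader or a fraud tool would. The sample track is constructed around the well-known test PAN 4111 1111 1111 1111; its expiry date, service code and discretionary data are made up. Notice that the only secret-ish field is the discretionary data, and that a 16-digit PAN plus expiry and service code is already enough to re-encode a stripe.

```python
"""Parse ISO/IEC 7813 Track 2 magnetic-stripe data.

Added example, not code from the original post or from 1st Source Bank. The
sample track below is constructed around the well-known test PAN
4111 1111 1111 1111; its expiry date, service code and discretionary
data are made up.
"""
import re
from dataclasses import dataclass

# Track 2 layout: ';' start sentinel, PAN (up to 19 digits), '=' field
# separator, YYMM expiry, 3-digit service code, issuer discretionary data,
# '?' end sentinel. The LRC byte that follows '?' on the stripe is omitted.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Third digit of the service code that means "PIN required"
# (ISO/IEC 7813): 0 = no restrictions, 3 = ATM only, 5 = goods and services.
PIN_REQUIRED_CODES = {"0", "3", "5"}

# Constructed sample: test PAN, expires 10/2012, service code 120
# (international card, online authorization by the issuer, PIN required).
SAMPLE_TRACK2 = ";4111111111111111=1210120123456789?"


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def pin_required(self) -> bool:
        return self.service_code[2] in PIN_REQUIRED_CODES

    @property
    def masked_pan(self) -> str:
        """PCI DSS-style display: at most the first six and last four digits."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit (ISO/IEC 7812) over the whole PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a Track 2 string into its fields; reject malformed or bad-Luhn PANs."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    track = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_valid(track.pan):
        raise ValueError("PAN fails Luhn check")
    return track


if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(f"PAN {t.masked_pan}, expires {t.expiry_yymm[2:]}/20{t.expiry_yymm[:2]}, "
          f"service code {t.service_code}, PIN required: {t.pin_required}")
```

The Luhn check is what a fraudster's encoding software runs too: a dump that fails it is garbage, one that passes is sellable. The `masked_pan` property is the form any log or incident report should carry; never write the full PAN from a breach investigation into a ticket.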

These quotes from the bank are classic:

The bank also is monitoring automated teller machine transactions “minute by minute” to stop unauthorized activity. But even if the efforts fail, account holders won’t suffer, Seitz said.

“We’re certainly not holding any of our customers financially responsible for any transactions related to this breach,” he said.

and….

“Actually, our customers have been very understanding,” he said. “Obviously, this is something that puts a little stress on that relationship.”

Really? Are you kidding me? Also note that they have yet to publish an official statement about the security breach on their web site. In fact, nothing on their web site mentions the breach (it does, however, say lots of interesting things about a merger with another bank beginning June 9th, so the site is being updated regularly). Clearly this is an attempt to make the breach out to be “no big deal” to the general public.

So who’s really to blame? The bank, of course! Personally, I would rather have my bank be honest and up front with me about a security breach instead of delaying the announcement (nothing was sent to customers until two weeks after the breach) and talking about how “understanding” the customers are. Clearly there are major security and customer service issues at this bank. Current 1st Source customers should bail out ASAP!


How not to get your domain hijacked

Filed under Hacking

You have probably read about the Comcast domain hijack from a few weeks ago, which took very little technical skill. Apparently two hackers social-engineered their way into the Comcast domain registration account managed by Network Solutions. Once in, they changed the name server delegation for comcast.net to point at name servers under their control, thus hijacking the domain: anyone resolving a comcast.net hostname was now getting answers from the attackers. For a short time they redirected Comcast users to a web page stating the following:

“KRYOGENICS Defiant and EBK RoXed Comcast, sHouTz to VIRUS Warlock elul21 coll1er seven.”

Here’s the best part (from the Wired article):

Network Solutions spokeswoman Susan Wade disputes the hackers’ account. “We now know that it was nothing on our end,” she says. “There was no breach in our system or social engineering situation on our end.”

Deny, deny, deny. I’m not surprised by this response, since it makes providers like Network Solutions look really bad. Sooner or later the details of how these guys did it will come out, and then the truth will be told.

In the meantime, what can you do to prevent your site from being the next Comcast? Believe it or not, Network Solutions actually has a few good suggestions! Note: this was apparently posted after the Comcast domain hijacking incident. Hmmm, coincidence or not? :-)

Seriously though, I don’t blame Network Solutions entirely, as many companies forget that domain registrations require maintenance and regular review of the security controls around them: who holds the registrar account credentials and how strong they are, whether the registrar lock (the clientTransferProhibited and clientUpdateProhibited statuses you can see in the WHOIS record) is actually set, which name servers the domain is currently delegated to, and whether anyone would notice if any of that changed. By the way, the Wired article that I mentioned above is a great read, and is probably the best article currently out there on the hijack.
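That review does not have to be a manual chore. The following is an added example (not from the original post, and not Network Solutions’ own advice or tooling) that parses WHOIS-style output for the EPP status codes registrars publish (RFC 5731) and the delegated name servers, then reports any missing lock and any drift from a baseline delegation you keep in version control. The WHOIS text in the block is constructed for example.com; in real use you would feed it the output of the `whois` command for your own domain.

```python
"""Audit a domain registration for the controls a hijacker has to defeat.

Added example, not from the original post and not Network Solutions' own
advice. It parses WHOIS-style output (registrars print the EPP status codes
from RFC 5731 and the delegated name servers) and compares it with a baseline
you keep. The WHOIS text below is constructed for example.com; in real use
feed it the output of the `whois` command.
"""
import subprocess

# EPP status codes that block, respectively, transfer to another registrar,
# changes to the record (including the name servers) and deletion.
REQUIRED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# Constructed WHOIS output: one of the three locks is missing.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
Registry Expiry Date: 2009-08-13T04:00:00Z
"""

# Baseline: the name servers the domain is supposed to be delegated to.
EXPECTED_NS = ["ns1.example-host.net", "ns2.example-host.net"]


def parse_whois(text: str):
    """Return (set of EPP status codes, set of name servers) from WHOIS text."""
    statuses, nameservers = set(), set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key == "domain status":
            statuses.add(value.split()[0])          # drop the trailing ICANN URL
        elif key == "name server":
            nameservers.add(value.lower().rstrip("."))
    return statuses, nameservers


def audit_domain(whois_text: str, expected_ns) -> list:
    """List every deviation from the expected locks and delegation."""
    statuses, observed = parse_whois(whois_text)
    expected = {ns.lower().rstrip(".") for ns in expected_ns}
    findings = []
    for lock in sorted(REQUIRED_LOCKS - statuses):
        findings.append(f"missing registrar lock: {lock}")
    for ns in sorted(observed - expected):
        findings.append(f"unexpected name server: {ns}")
    for ns in sorted(expected - observed):
        findings.append(f"expected name server missing: {ns}")
    return findings


def fetch_whois(domain: str) -> str:
    """Live lookup via the system `whois` client (needs network access)."""
    return subprocess.run(["whois", domain], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_WHOIS, EXPECTED_NS) or ["no findings"]:
        print(finding)
```

Run it from cron against `fetch_whois("yourdomain.example")` and page on any non-empty result: in the Comcast case the first finding would have been the delegation change, which is visible in WHOIS long before the attackers’ page is. Field labels vary between registrars, so adjust the two `key ==` comparisons to what yours prints.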


Dangerous MySpace Spam

Filed under Social Networks

I have been doing lots of research over the last few months on online social networking sites to prepare for an upcoming talk that I am going to be giving on the latest threats to social networks…in particular MySpace, Facebook and LinkedIn.

Tonight I received a new friend request from someone named “Elysabeth” in my email. Clicking on the link in the email takes you to the legitimate MySpace Friend Request Manager page, which shows the request below:

[Image: 20080603-myspace_friendrequest_bad.jpg, "Elysabeth wants to be your friend..really!"]

Clicking on the picture takes you to Elysabeth’s profile. Check out the screenshot of what the profile looks like after clicking through.

EDIT: I didn’t edit out the MySpace profile URL in the screenshot, so don’t hit up the URL and click on anything if you don’t want to risk being infected!

Notice anything strange, like the Windows Update notification pop-up? Looks pretty real, huh? It isn’t a Windows dialog at all; it is part of the page, and clicking anywhere on the first half of the page pops up the dialog you see on the right side to download a .exe file, some nice malware for you to install. Enjoy! (Only on a Windows box, of course. :-) ) No browser exploit is needed here; the whole thing rides on the victim trusting the fake prompt and running what it hands them. Interestingly, if you scroll down the page past the malware banner it looks like a legitimate MySpace profile. My guess is that this profile was hijacked either through XSS or some other third-party application vulnerability; the real owner probably has no clue.
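When you are triaging a page like this (or checking whether your own profile has been hijacked the same way), the things to look for are exactly the three ingredients above: active content pulled in from a host outside the site, links whose target is a Windows executable, and inline click handlers that turn “anywhere on the page” into a download. The following is an added example, not code from the original post or from MySpace, that scans a page’s HTML for those three. The HTML in it is constructed and the hostnames in it are placeholders; the list of trusted hosts is an assumption you set for the site you are looking at.

```python
"""Triage a social-network profile page for injected malware lures.

Added example, not from the original post. It walks the page's HTML and
reports the three things the hijacked profile relied on: active content
(script/iframe/object/embed) pulled from a host outside the site, links whose
target is a Windows executable, and inline event handlers that turn "click
anywhere" into a download. The HTML below is constructed; the hostnames in it
are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".msi", ".bat")

# Constructed profile page: a legitimate site script, then an injected
# "Windows Update" lure that links straight to an executable.
SAMPLE_HTML = """\
<html><body>
<script src="http://x.myspace.com/js/profile.js"></script>
<div id="lure" onclick="location.href='http://update-svc.example/WindowsUpdate.exe'">
  <img src="http://update-svc.example/fake_update_dialog.png" alt="Windows Update">
  <a href="http://update-svc.example/WindowsUpdate.exe">Install now</a>
</div>
<iframe src="http://evil-cdn.example/track.html" width="1" height="1"></iframe>
<div class="profile">About me: ... (legitimate-looking content below the banner)</div>
</body></html>
"""


class ProfileScanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def _trusted(self, host: str) -> bool:
        host = host.lower()
        return any(host == t or host.endswith("." + t) for t in self.trusted)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us
        a = {name: value for name, value in attrs if value is not None}
        src = a.get("data") if tag == "object" else a.get("src")
        if tag in ACTIVE_TAGS and src:
            host = urlparse(src).hostname
            if host and not self._trusted(host):   # relative URLs are same-origin, skip
                self.findings.append(
                    f"<{tag}> loads active content from untrusted host {host}")
        if tag == "a" and "href" in a:
            if urlparse(a["href"]).path.lower().endswith(EXECUTABLE_SUFFIXES):
                self.findings.append(f"link to executable download: {a['href']}")
        for name in a:
            if name.startswith("on"):               # onclick, onmouseover, ...
                self.findings.append(f"inline {name} handler on <{tag}>")


def scan_profile(html: str, trusted_hosts) -> list:
    """Return the list of findings for one page's HTML."""
    scanner = ProfileScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_profile(SAMPLE_HTML, ["myspace.com"]) or ["nothing suspicious"]:
        print(finding)
```

On a real profile page the trusted list will need the site’s CDN and any widget hosts it legitimately uses; what is left over is your short list of things to inspect by hand. The scanner only reads markup, so it is safe to point at a saved copy of an infected page.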

On a related note, I just read an article about how Paris Hilton and Lindsay Lohan had their private photos downloaded because of a flaw in a Yahoo/MySpace widget. It looks like Yahoo/MySpace fixed the flaw pretty quickly tonight, but it goes to show that third-party applications and widgets are another popular attack vector.

One more update: Mediaphyter posted a link tonight to the 10 Social Networking Security Trends To Watch. A must-read on the latest online social networking threats.


Metasploit.com Attempted Hijack

Filed under Hacking

This past Monday, some silly hacker got the idea that he could easily redirect traffic from metasploit.com to some Chinese forum by ARP poisoning the router on the network segment where the metasploit.com server resides. In other words, a MITM attack: by answering ARP lookups for the router’s IP address with his own MAC address, he got the other hosts on that segment to send their outbound traffic through him. Here is an excerpt from HD Moore’s reply on the Full Disclosure mailing list:

“Problem solved. Someone is ARP poisoning the IP address of the router on which the www.metasploit.com server resides. I hardcoded an ARP entry for the real router and that seems to solve the MITM issue. It doesn’t help the other 250 servers on that network, but that’s an issue for the ISP to resolve…”

Sucks to be those other 250 servers! A static ARP entry protects only the host that sets it; everyone else on that segment stays exposed until the ISP fixes it at the switch (port security or dynamic ARP inspection). This hacker should have brought his A-game if he really wanted to take on HD Moore. FAIL!
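For anyone who shares a segment with 250 strangers and cannot get the ISP to fix the switch, here is what the detection side looks like. This is an added example, not HD Moore’s code and not part of the original post: it parses raw ARP packets (RFC 826) and alerts when a reply claims the gateway’s IP for a MAC other than the one you have pinned, or when any other IP is advertised by more than one MAC during the capture. The frames are constructed in the block itself with `build_arp()`; on a real host you would feed `parse_arp()` the ARP payloads from a capture (for example `tcpdump -i eth0 -w arp.pcap arp`) with the 14-byte Ethernet header stripped. All addresses are placeholders from documentation ranges.

```python
"""Spot ARP-cache poisoning of the gateway in a stream of ARP frames.

Added example, not HD Moore's code and not part of the original post. The
frames below are constructed with build_arp(); on a real host you would feed
parse_arp() the ARP payloads from a capture (for example
`tcpdump -i eth0 -w arp.pcap arp`) with the 14-byte Ethernet header removed.
Addresses are from documentation ranges and are placeholders.
"""
import struct
from collections import defaultdict

# RFC 826 ARP packet for Ethernet/IPv4: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes, network order).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)
ARP_REQUEST, ARP_REPLY = 1, 2

GATEWAY_IP = "203.0.113.1"
GATEWAY_MAC = "00:11:22:33:44:01"     # the router's real MAC (placeholder)
ATTACKER_MAC = "00:de:ad:be:ef:01"    # placeholder

# Hosts whose IP->MAC binding must never change. Pinning it in the kernel is
# the mitigation HD Moore applied by hand, e.g. on Linux:
#   arp -s 203.0.113.1 00:11:22:33:44:01
#   ip neigh replace 203.0.113.1 lladdr 00:11:22:33:44:01 dev eth0 nud permanent
PINNED = {GATEWAY_IP: GATEWAY_MAC}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an ARP payload (used here only to make sample frames)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        bytes.fromhex(sender_mac.replace(":", "")), bytes(map(int, sender_ip.split("."))),
        bytes.fromhex(target_mac.replace(":", "")), bytes(map(int, target_ip.split("."))),
    )


def parse_arp(packet: bytes) -> dict:
    """Decode one ARP payload; reject anything that is not Ethernet/IPv4 ARP."""
    if len(packet) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, packet[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def find_poisoning(packets, pinned) -> list:
    """Alert on replies that contradict a pinned binding, and on any other IP
    advertised by more than one MAC during the capture."""
    seen = defaultdict(set)
    alerts = []
    for pkt in packets:
        arp = parse_arp(pkt)
        if arp["oper"] != ARP_REPLY:        # requests carry no claim worth checking
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        seen[ip].add(mac)
        if ip in pinned and mac != pinned[ip]:
            alerts.append(f"ARP reply claims {ip} is at {mac}; pinned MAC is {pinned[ip]}")
    for ip, macs in seen.items():
        if ip not in pinned and len(macs) > 1:
            alerts.append(f"{ip} advertised by several MACs: {', '.join(sorted(macs))}")
    return alerts


# Constructed capture: a legitimate reply from the router, an ordinary request
# from a neighbour, then the attacker's spoofed reply for the router's IP.
SAMPLE_CAPTURE = [
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, "00:11:22:33:44:50", "203.0.113.50"),
    build_arp(ARP_REQUEST, "00:11:22:33:44:50", "203.0.113.50", "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, "00:11:22:33:44:50", "203.0.113.50"),
]

if __name__ == "__main__":
    for alert in find_poisoning(SAMPLE_CAPTURE, PINNED) or ["no poisoning seen"]:
        print(alert)
```

The pinned-MAC rule is the one that matters on a hosting segment: the “several MACs” heuristic will also fire on legitimate events such as a VRRP failover or a NIC replacement, so treat it as a prompt to look, not as proof. Detection tells you the poisoning is happening; the static entry (or the ISP’s switch configuration) is what stops it.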


Stumbling upon Security Issues

Filed under Vulnerabilities

Seriously, I don’t go looking for web site security issues or vulnerabilities, but sometimes you do “stumble” upon them. :-P

Several weeks ago I was looking for an online schedule of events at one of the local community centers where I live, so I did what anyone would do and typed the URL of the city’s web site into my browser, but without typing “www” first. The actual URL starts with “www”, but many times just typing the URL without “www” will take you to the web site anyway.

So to my surprise, instead of getting the main index page of the city’s web site I got a web form prompting for login credentials to what looked like an HVAC system attached to the Internet! The header of the page had some information about a system version, so I did what any other security guy would do and launched a Google search to find out more details about this system. Yep, it was an HVAC system all right.

So I thought, no big deal, right? Out of curiosity I hit the ‘enter’ key, thinking that there was no way there was an anonymous login on this baby. Lo and behold, it logged me in! I was able to view the HVAC system configuration and potentially manage the HVAC for not only the community center but city hall and other facilities. It looked like I could have caused some mischievous outages like changing the temperatures and even shutting down the HVAC system. At this point many scenarios entered my head, including why someone would put an HVAC system that should be on the company “Intranet” on the “Internet” with an anonymous administrator-level account. Nahh, I’m a pen tester so this isn’t shocking to me at all!
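The mechanism here is worth spelling out: the bare apex name (the domain without “www”) is a hostname like any other, and unless someone deliberately points it at the same place as www it resolves to whatever was put there once and forgotten. The following is an added example, not code from the original post or from the city in question, that parses a BIND-style zone file, lists every hostname it defines (the inventory you need to review), and flags an apex that resolves somewhere other than www, along with any other names that share the apex address. The zone in the block is constructed for example.org and all names and addresses in it are placeholders.

```python
"""Inventory a BIND-style zone and check what the bare apex resolves to.

Added example, not from the original post. The zone below is constructed for
example.org; the names and addresses are placeholders. The point is that the
apex ("example.org" with no "www") is a hostname like any other, and if it is
not deliberately pointed at the same place as www it will land somewhere
nobody remembers.
"""

ZONE = """\
$ORIGIN example.org.
$TTL 3600
@         IN SOA   ns1.example.org. hostmaster.example.org. (
                   2008060101 3600 900 604800 300 )
@         IN NS    ns1.example.org.
@         IN A     192.0.2.10       ; the bare apex
www       IN A     192.0.2.20       ; the public web server
ns1       IN A     192.0.2.2
mail      IN A     192.0.2.30
intranet  IN A     192.0.2.10       ; shares the apex address
webmail   IN CNAME mail.example.org.
"""


def qualify(name: str, origin: str) -> str:
    """Turn '@', relative and absolute owner names into one canonical form."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone(text: str) -> list:
    """Return (owner, type, rdata) for every A, AAAA and CNAME record."""
    origin, owner, records = "", None, []
    in_parens = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()         # strip comments
        if in_parens:                                # inside multi-line rdata (SOA)
            in_parens = ")" not in line
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):                     # $TTL and friends
            continue
        tokens = line.split()
        if not line[0].isspace():                    # a new owner name
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                            # optional TTL and class
        if "(" in line and ")" not in line:
            in_parens = True
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("A", "AAAA"):
            records.append((qualify(owner, origin), rtype, rdata[0]))
        elif rtype == "CNAME":
            records.append((qualify(owner, origin), rtype, qualify(rdata[0], origin)))
    return records


def resolve(records: list, name: str, _seen=None) -> set:
    """Follow CNAMEs inside the zone down to the address records."""
    seen = set() if _seen is None else _seen
    if name in seen:                                 # CNAME loop guard
        return set()
    seen.add(name)
    targets = set()
    for owner, rtype, rdata in records:
        if owner != name:
            continue
        if rtype == "CNAME":
            targets |= resolve(records, rdata, seen)
        else:
            targets.add(rdata)
    return targets


def hostnames(records: list) -> list:
    """Every owner name in the zone: the inventory you need to review."""
    return sorted({owner for owner, _, _ in records})


def audit_apex(records: list, origin: str) -> list:
    apex = resolve(records, origin)
    www = resolve(records, f"www.{origin}")
    findings = []
    if apex and apex != www:
        findings.append(f"apex resolves to {sorted(apex)} but www resolves to {sorted(www)}")
    sharing = sorted({o for o, t, r in records
                      if t in ("A", "AAAA") and r in apex and o != origin})
    if sharing:
        findings.append(f"apex address shared with: {', '.join(sharing)}")
    return findings


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print("hostnames:", ", ".join(hostnames(recs)))
    for finding in audit_apex(recs, "example.org") or ["apex and www agree"]:
        print(finding)
```

The parser handles the common zone-file idioms (an `$ORIGIN`, comments, optional TTL and class, a parenthesised SOA) but not `$INCLUDE` or `$GENERATE`; for a zone you do not control, run the same checks against answers from `dig` instead. Either way the output is a list of names, and every name on it should have an owner who can say what is listening there.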

Being the ethical person that I am, I emailed the city that manages this domain letting them know of the issue. Today I received an email that said they were looking into the issue and it should be resolved shortly. So here are the questions. What would you have done (put your non-evil hat on please…yes, methodically messing with the temperature in the mayor’s office would be a blast…)? Do you just forget that you stumbled upon this vulnerability, or do you believe in more of a full disclosure policy to the people running the web site? In talking to some others, attempting to contact the site owners is the best option (which I agree with), yet some others may take a different approach. Some “grey-hat” hackers might even resort to causing havoc with the HVAC system just to prove a point, then disclose the vulnerability the right way. Thoughts from the community?
