“Once users have connected to the Cash-Gordon campaign, they can start accruing “action points” for reading briefings about the issue, getting their friends involved, donating, or even for directly asking Charlie Whelan a question.”

However today it’s the Conservatives that have been left with red faces, after a web site configuration error (or maybe just a lack of planning) saw the site abused to the point of being taken offline.
 
The Cash Gordon website was set up to collect any message posted on Twitter that contained the hashtag #cashgordon and republish it in a live stream in a widget on the home page of Cash Gordon. 
 
Obviously this was duly noted and passed around. It was soon discovered that if you tweeted HTML or JavaScript instead of standard messages, this content would be interpreted and rendered by the visitor’s browser as legitimate part of the Cash Gordon site, allowing pranksters to redirect visitors to any site of the miscreant’s choosing.
 
The screen shot below shows the steady stream of tweets that ensured that visitors to the web site were constantly redirected to many different, sometimes salacious, destinations.
 

Tweets containing JavaScript and #cashgordon hashtag

MP David Wright tweets

“#ivenevervotedtory because you can put lipstick on a scum-sucking pig, but it’s still a scum-sucking pig.”

The tweet was joining in with the Twitter meme responding to the latest Tory poster campaign which features the tag line “I have never voted Tory before but…”. However the turn of phrase has hit a raw nerve among many Twitter users, prompting the MP to delete the offensive tweet and apologise.
  

TrippyPip talks to David Wright MP

MP David Wright tweets

The web site was compromised and defaced as below

Click for larger image

 Unfortunately for the Pakistani FIA though this attack appears to go beyond a simple defacement. The hacker “zombie_ksa” also states on the defaced page

“your whole database and e-mails are leaked …. i was really excited to read, see what the f__k is private in here lOl“

 At first glance this could well seem like idle l33t H4x0r bragging so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said

“I was Browsing! today Propakistani.pk So i saw post about” how to register complaint with fia cyber crime”! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!”

The hacker then posted two screen shots, one of the hacked site and second one, below demonstrating his access to their email database (I have sanitised the email addresses here)

Screen shot posted by the hacker

So it seems that from an amateur penetration test a hacker has access at least to the full email database and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.

Any organisation holding material this sensitive should, as a priority, make sure all Internet facing servers are hardened and fully patched, the servers should also be regularly audited, preferably daily to look for evidence of new vulnerabilities as they arise. Web application firewalls should be used to look for evidence of and block anomalous or malicious behaviour.

But perhaps most importantly emails dealing with matters this sensitive should not be connected with, or stored on your public web server and they should always be stored in a secure encrypted format.

ELENA knows where you live.

From the beginning of 2010 every German employer must now submit detailed information on a monthly basis to the so-called ELENA database, ELENA is an acronym for Eleketronischer Entgeltnachweis which loosely translates to Electronic Payslip. This sounds innocent enough until you consider exactly what information employers are obliged to provide.

The information will cover every worker’s salary, all absenteeism and their participation in strike action whether legal or illegal. This data is to be submitted to a central hub and from 2012 it will be used to determine whether to pay out or refuse social benefits. Plans are in place to relieve employers of the necessity of printing paper-based pay statements for their employees and instead issuing each worker with a plastic “jobcard” again by 2012. This card would then need to be produced should the holder ever need to apply for benefits allowing for data retrieval to determine eligibility.

Peter Schaar, the German Information Commissioner is reported as saying

“I’ve got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed.”

My own (German) wife’s reaction to this news was more succinct “I thought these people had agreed that the Stasi was a bad thing?”. The German blogs I could find seemed to be equally opposed to the idea.

For now though, the legislation has entered into force and the reporting has begun. We can only hope that appropriate measures have been taken to store the data in a secure location, using appropriate encryption, that the data entry and retrieval mechanisms are protected with strong encryption and multi-factor authentication and that the appropriate organisational policies and procedures have been put in place to protect this highly sensitive data.

It is an absolute certainty that a centralised data repository of this size and significance will attract the hacking and cracking attentions of criminals, script-kiddies and “hobbyists” alike.

The site www.ahmadinejad.ir, otherwise known as “Mahmoud Ahmadinejad – The Official Blog – Tehran, Islamic Republic of Iran“ has been compromised and is currently hosting a file called “owned.txt” at the URL http://www.ahmadinejad.ir/userfiles/file/owned.txt. UPDATE: The file has now been removed, see screen capture below.

Click preview for larger image

The file says

“Dear God, In 2009 you took my favorite singer – Michael Jackson, my favorite actress – Farrah Fawcett, my favorite actor – Patrick Swayze, my favorite voice – Neda.
Please, please, don’t forget my favorite politician – Ahmadinejad and my favorite dictator – Khamenei in the year 2010. Thank you.”

The reference to “favourite voice” is probably referring to Neda Agha-Soltan who was shot dead during the 2009 Iranian election protests.

No further details are yet available on how the compromise was effected or who is responsible, if more information comes to light I will update this blog post.

Image Courtesy of El Mundo

Mischievous hackers reportedly took advantage of Cross-Site Scripting (XSS) vulnerabilities on www.eu2010.es and replaced an image of Spanish Prime Minister Jose Luis Rodriguez Zapatero with the smiling face of Rowan Atkinson in his Mr. Bean guise, complete with friendly greeting “Hi there!” Perhaps the hackers were hoping the attack would go unnoticed, as apparently there is a physical resemblance between Mr. Zapatero and Mr. Bean (of course I couldn’t possibly comment). The compromise only lasted a few hours until the original content was restored, by 4pm GMT yesterday afternoon, the site administrators were reportedly working on a fix.

In this instance there does not appear to have been any malicious intent, but the dangers of XSS vulnerabilities should not be underestimated. Cross Site Scripting vulnerabilities allow attackers to inject code into innocent web pages in which it would not otherwise appear. This can be used to steal information such as logins or banking credentials, redirect users to malicious web sites or even to directly infect visitors to the site. The real problem is that many web site admins are unaware of the dangers, and even some security companies continue to underestimate and downplay the importance of XSS vulnerabilities and attacks.

On an interesting side note, El Mundo also reported recently that more then 12 million Euros had been spent on “technical assistance and security for the website of the Spanish Presidency [of the EU]“. Again, I couldn’t possibly comment, but SecureSite and Web Application Security are both an awful lot cheaper than that…

“F__k Of U Losers..We Dont Need Such Ministers”

Screenshot of compromised site

Claiming responsibility for the attack are Cyber-Spy & ShakaZz. The forum thread  boasting of the attacks was posted just after 10am this morning.

Initially Cyber-Spy defaced the site alone, leaving a message claiming responsibility. A second hacker, ShakaZz then seems to have hacked the site for a second time, adding his name and the obscene  semi-political message. Cyber-Spy doesn’t seem to have known that his “colleague/competitor” had plans to muscle-in on his l33t haxoring, nor does he seem too happy about it. He says on the forum:

“BTW,shakazz i hope you won’t do the same act again as you did it by changing the page.What does it means by changing the page?”

 

All too often we are quick to ascribe political motivations to these kinds of hacktivist attacks but it only takes a quick squint at some of the forum conversations to reveal the real motivations behind this kind of activity. Malware for the misplaced notion of l33t haxor pride may well have given way to the highly organised criminal operations we are familiar with today, but script-kiddies are still alive and well and operating in a haxor forum near you.

I have informed the Pakistani Ministry of the Interior of the defacement. If you own or maintain a web server and you haven’t audited the security recently, maybe now is the time.

Deutsche Bahn HQ by Honza Soukup

 

  

The Berlin Data Protection Commissioner revealed that Deutsche Bahn were to be fined exactly 1,123,503.50 million Euros to cover a number of serious breaches of data protection legislation that date back over the past 10 years. According to the official press release from the Berlin Data Protection agency this is “highest penalty that a German Data Protection Inspectorate has established“.

The activity for which Deutsche Bahn is being fined relates to the mass screening of employee data including names, addresses, telephone numbers and bank details against those of suppliers. This screening was carried out on at least three separate occasions in 1998, 2002/3 and 2005/6, supposedly to detect fraudulent activity and employee fronted Scheinfirmen or shell companies. Deutsche Bahn also enlisted the services of a detective agency to assist in this screening activity and the Information Commissioner’s press release states that personal and banking information was illegally retained for “years” even after suspicions had been allayed. Particular weighting was given in the release to the monitoring of all external email communications of all employees in the years 2006 and 2007, ostensibly to discover who was leaking information to journalists and members of the German Bundestag or parliament. All of this was done without the knowledge or consent of the employees concerned.

The official press release does not mention further activity included in the Süddeutsche Zeitung article, snooping on management level employees in two separate incidents and also the collection of employee medical records. The newspaper report certainly appears to hint that this may not be the end of the financial penalties.

As a result of the incident, the CEO and several top execs were forced to resign. The new board has created a C-level position responsible for “Compliance, Data Protection & Justice” and promised to work on the development of new HR guidelines on data protection alongside the Works Council.

Deutsche Bahn’s heavy-handed tactics and the size of the resultant fine amply illustrate the need for enterprises to involve employees, works councils and unions from the outset, both when defining data protection policies and also when conducting sensitive investigations.

Effective training programs should inform the employees, but also check their understanding and gain their acceptance of the rights and obligations of the company and the employee. Effective security policies and technologies should include employee representatives in the design process and notify them when subsequent privileged searches are taking place. At the same time care must be taken not to expose the results of those searches to the employee representatives as this could in itself constitute a breach.

Businesses across Europe have a real motivation to get this right as data protection authorites across the continent are rapidly increasing in power and scope.

According to a report in the Daily Express newspaper, the British intelligence services have hired “50 computer-savvy hackers – some of them still teenagers” to work in the Cyber Operations Command that was recently announced as a part of the UK Cyber Security Strategy.

Would you trust this person with your cyber security?

Back in June, when the Cyber Security Strategy was announced I blogged about how surprised and disappointed I was with the comments made by Lord West at the time. By way of a reminder, Lord West told the BBC

 ”They had not employed any “ultra, ultra criminals” but needed the expertise of former “naughty boys”, he added.

“You need youngsters who are deep into this stuff… If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys,” he said”

 

I had actually hoped at the time that this was more ill-informed media bluster than actual truth, unfortunately that seems not to be the case. The Daily Express article reminds us though that this crack team of teenage (former) bad boys have all had to sign the Official Secrets Act so they can’t tell their girlfriends or their mums and dads what they are up to. So that’s alright then isn’t it?

Let me get this straight, I am not here to complain about young people getting jobs or about the Cyber Security Strategy in general. What really upsets me with this story is the implication that *only* young (former) criminals have the skills required to carry out the work necessary to combat cyber terrorism. I have not personally met any of the team that have been hired for these posts at Cyber Operations Command, but I have a feeling that they wouldn’t care too much for the implication either.

It is entirely unacceptable that our security services and our government are broadcasting the message that the only qualification necessary for a job in MI5 is being a hacker (one bad enough to have got caught). People who have been found to have broken the law should not be allowed to profit from their misdeeds especially by way of an employment offer in the very field of their criminal activities. Would you hire a convicted embezzler as a your accountant? How about a teenage convicted embezzler?

The Daily Express article goes on to state “The hackers have also intercepted messages from terrorists in Belmarsh maximum security prison“. Perhaps I am being naive here, but why on Earth are convicted terrorists being allowed accces to technology that allows them to send (one would assume) encrypted messages from prison? Surely if a prisoner still poses a threat to national security, shouldn’t their communications be monitored or at least restricted as necessary?

It would be really beneficial if, instead of inviting criminals and hackers to assist in these commendable national security endeavours, the government approached the application, network and content security communities who have, for many years, been combating malicious, criminal computer and network related activity Please concentrate your activity on the creation of meaningful and sustainable detective and enforcement alliances with international partners. Involve Internet Service Providers in initiatives aimed at cleaning up the huge population of home computers already being exploited by cybercriminals. Don’t waste your time telling schoolboy tales of hiring “naughty boys” for hi-tech derring-do.

Image from limewire.com

This is of course not the fault of LimeWire and there’s no reason why Mark Gorton, chairman of Lime Group, should have been lambasted at today’s hearing. It is also not the first time sensitive information has been leaked over peer-to-peer networks (think motorcades, nuclear facilities, presidential helicopter, terrorist threat assessments, mortgage data, M&A plans, healthcare data) the list is virtually endless. This is all of course without considering the extremely elevated threat from malware over (often) unscanned P2P connections to untrusted devices sharing illegal software and data. It has long been the case that distributing malware along with your warez over file-sharing networks is almost de rigeur.

In many ways, the nature of the data that was leaked is secondary to the potential conclusion that can be drawn from the reaction to this latest event.

According to the Computerworld article “The disclosures prompted the chairman of the committee Rep. Edolphus Towns, (D-N.Y.), to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks. “For our sensitive government information, the risk is simply too great to ignore,” said Towns”

Does this mean that installations of P2P software are not already banned on sensitive networks? Does this mean that machines that routinely, or even occasionally, handle sensitive data are not deployed in a locked down configuration where the user has no administrative rights? Does this mean that government network admins do not have visibility over who is using rogue software on their networks? It certainly seems that way and this just reinforces the message about low-hanging fruit in my previous post.

If you are concerned about the proliferation of rogue services or unwanted applications inside your environment (not to mention malware) take a look at the Threat Management Solution.