Photo from Julien Lozelli's photostream on Flicker - Creative Commons

“The mailbox was for the use of the Dragon TV’s internal employees only so it had simple passwords for easy communication.”

So, an internet-facing, shared mailbox containing highly confidential information with simple passwords? Normally at this point in a blog article I suppose I would begin to point out things that could have been done to limit the possibilities of such an event. It seems almost too incredible that the aforementioned combination of circumstances should even occur, but here you go…
 
If information is sensitive, do not allow access to it from the internet.
 
If information is sensitive do not store it in a shared mailbox, it is impossible to audit effectively
 
Never use simple passwords, for any reason, ever.
 
If you have a document worth almost half a million dollars… Encrypt it.

“Once users have connected to the Cash-Gordon campaign, they can start accruing “action points” for reading briefings about the issue, getting their friends involved, donating, or even for directly asking Charlie Whelan a question.”

However today it’s the Conservatives that have been left with red faces, after a web site configuration error (or maybe just a lack of planning) saw the site abused to the point of being taken offline.
 
The Cash Gordon website was set up to collect any message posted on Twitter that contained the hashtag #cashgordon and republish it in a live stream in a widget on the home page of Cash Gordon. 
 
Obviously this was duly noted and passed around. It was soon discovered that if you tweeted HTML or JavaScript instead of standard messages, this content would be interpreted and rendered by the visitor’s browser as legitimate part of the Cash Gordon site, allowing pranksters to redirect visitors to any site of the miscreant’s choosing.
 
The screen shot below shows the steady stream of tweets that ensured that visitors to the web site were constantly redirected to many different, sometimes salacious, destinations.
 

Tweets containing JavaScript and #cashgordon hashtag

“Hacked all Windows version 9x to 7 32 bit and 64 bit
Hacked all browsers running a vulnerable plug-in”

Using the built in TDS (Traffic Direction System) criminals can specify which malware they want to push out by country, by browser and by OS. It is clearly designed to support the inter-related vendor infrastructure of the criminal economy. YES Exploit System is a fully fledged platform for delivering malware on behalf of other criminal enterprises, perhaps to seed a new ZeuS campaign or maybe to push out some scareware. As previous blog posts have shown YES is often bundled into full service underground ZeuS offerings. As you can see from the screen shot below, projects can be divided on a per-customer basis.
 

click to enlarge

click to enlarge

MP David Wright tweets

“#ivenevervotedtory because you can put lipstick on a scum-sucking pig, but it’s still a scum-sucking pig.”

The tweet was joining in with the Twitter meme responding to the latest Tory poster campaign which features the tag line “I have never voted Tory before but…”. However the turn of phrase has hit a raw nerve among many Twitter users, prompting the MP to delete the offensive tweet and apologise.
  

TrippyPip talks to David Wright MP

MP David Wright tweets

Twitter Grader home page

  
UPDATE: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident, I know a lot of folks don’t read the comments, so here it is in full.

“We are very sorry for the mistake. It is completely our fault. As your article mentions, we have contained the situation and stopped the malicious tweets.

We do want to make clear that by design, the HubSpot software applications are on different servers and systems from our free Grader.com tools. This attack did NOT affect the HubSpot software used by our 2,100 customers. Again, there is no impact on our paid product or paying customers.

We have posted an article on our company blog with more information:

http://www.hubspot.com/blog/bid/5594/One-Lesson-From-The-Twitter-Grader-Screw-up-OAuth-Rocks

- Mike Volpe
HubSpot (makers of Twitter Grader)”

…and that, ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot.

 
__________________________________________________________________________________________

In what looks like another compromise related to Twitter services, a large number of Twitter users who have granted access to their accounts to the web service Twitter.Grader.com have all begun tweeting a bizarre and unauthorised message.
 

Foxy Loxy by Gustaf Tenggren

• Educate yourselves and your users, clicking a link is enough, opening a PDF is enough to infect you, even on a fully patched system.

 

• That being said make sure all applications and systems are fully patched, if that is not possible, use host-based intrusion prevention to “virtually patch” systems and to secure against zero-day exploits.

 

• When an unpatched vulnerability is identified be sure to follow vendor advice to minimise the risk as soon as possible.

 

• Encrypt valuable personal and intellectual property at file level, that way, even if it is stolen it is of limited value or use.

 

• Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.

 

• Rethink your security model from an outside in approach, to an inside out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.

 

• At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles, contact details. Currently far too many targets are far too visible.

 

• Don’t let Chicken Little run your security.

The web site was compromised and defaced as below

Click for larger image

 Unfortunately for the Pakistani FIA though this attack appears to go beyond a simple defacement. The hacker “zombie_ksa” also states on the defaced page

“your whole database and e-mails are leaked …. i was really excited to read, see what the f__k is private in here lOl“

 At first glance this could well seem like idle l33t H4x0r bragging so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said

“I was Browsing! today Propakistani.pk So i saw post about” how to register complaint with fia cyber crime”! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!”

The hacker then posted two screen shots, one of the hacked site and second one, below demonstrating his access to their email database (I have sanitised the email addresses here)

Screen shot posted by the hacker

So it seems that from an amateur penetration test a hacker has access at least to the full email database and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.

Any organisation holding material this sensitive should, as a priority, make sure all Internet facing servers are hardened and fully patched, the servers should also be regularly audited, preferably daily to look for evidence of new vulnerabilities as they arise. Web application firewalls should be used to look for evidence of and block anomalous or malicious behaviour.

But perhaps most importantly emails dealing with matters this sensitive should not be connected with, or stored on your public web server and they should always be stored in a secure encrypted format.

The site www.ahmadinejad.ir, otherwise known as “Mahmoud Ahmadinejad – The Official Blog – Tehran, Islamic Republic of Iran“ has been compromised and is currently hosting a file called “owned.txt” at the URL http://www.ahmadinejad.ir/userfiles/file/owned.txt. UPDATE: The file has now been removed, see screen capture below.

Click preview for larger image

The file says

“Dear God, In 2009 you took my favorite singer – Michael Jackson, my favorite actress – Farrah Fawcett, my favorite actor – Patrick Swayze, my favorite voice – Neda.
Please, please, don’t forget my favorite politician – Ahmadinejad and my favorite dictator – Khamenei in the year 2010. Thank you.”

The reference to “favourite voice” is probably referring to Neda Agha-Soltan who was shot dead during the 2009 Iranian election protests.

No further details are yet available on how the compromise was effected or who is responsible, if more information comes to light I will update this blog post.

Image Courtesy of El Mundo

Mischievous hackers reportedly took advantage of Cross-Site Scripting (XSS) vulnerabilities on www.eu2010.es and replaced an image of Spanish Prime Minister Jose Luis Rodriguez Zapatero with the smiling face of Rowan Atkinson in his Mr. Bean guise, complete with friendly greeting “Hi there!” Perhaps the hackers were hoping the attack would go unnoticed, as apparently there is a physical resemblance between Mr. Zapatero and Mr. Bean (of course I couldn’t possibly comment). The compromise only lasted a few hours until the original content was restored, by 4pm GMT yesterday afternoon, the site administrators were reportedly working on a fix.

In this instance there does not appear to have been any malicious intent, but the dangers of XSS vulnerabilities should not be underestimated. Cross Site Scripting vulnerabilities allow attackers to inject code into innocent web pages in which it would not otherwise appear. This can be used to steal information such as logins or banking credentials, redirect users to malicious web sites or even to directly infect visitors to the site. The real problem is that many web site admins are unaware of the dangers, and even some security companies continue to underestimate and downplay the importance of XSS vulnerabilities and attacks.

On an interesting side note, El Mundo also reported recently that more then 12 million Euros had been spent on “technical assistance and security for the website of the Spanish Presidency [of the EU]“. Again, I couldn’t possibly comment, but SecureSite and Web Application Security are both an awful lot cheaper than that…

Banner from hacked site

At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony)? The site was affected for the best part of an hour.

Full hacked page

The initial attack has left many users confused and widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says

“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”

This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.

These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.

Twitter was not the only web site affected by thsi compromise, a quick search revealed one other site displaying the same content.

Google search result

When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months“.

If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on and offline worlds.