Tag Archives: SQL Injection

Orange.fr compromised – 245,000 clear text passwords exposed?

Treat your password like your toothbrush, don’t let anyone else use it and change it every six months. (Clifford Stoll)

It looks like HackersBlog have come out of retirement, and with a bang. (see here for an earlier interview I did with HackersBlog)

They have posted a couple of stories this month, one regarding a SQL injection vulnerability at gamespot.com which exposed the personal details of 8 million subscribers. From previous postings, you can do the maths and figure out how much that little lot would be worth in the underground economy. Happily the vulnerability at gamespot is reportedly fixed now.

The showstopper, however, is the vulnerability on the orange.fr website, which was posted today. According to 2fingers over at HackersBlog, a SQL injection vulnerability discovered by fellow hacker Unu exposes not only the account details of almost a quarter of a million customers, but also their passwords in clear text.

Recently published research showed that 61% of people use the same password for multiple sites, so this kind of compromise represents a real risk for many people.

HackersBlog state that they have alerted the folks over at orange.fr but have not yet received a response.

In the meantime, if you are an orange.fr customer and are concerned about the safety of any other online accounts you may have, I would encourage you to change your passwords on those other accounts, and of course on the orange.fr web site.

From another, earlier posting on HackersBlog, it seems they may be posting some news about o2.co.uk soon as well…

Here are a few tips for maintaining password security online.

Choose three complex passwords, easy to remember but difficult to guess, using a combination of numbers, upper and lower case letters and special characters like !£$@&. (Trend Micro’s advice on password creation is available in our Safe Computing Guide).

Use the first password as a general one for the majority of sites that require a login. Use the second password for your email account, and only your email account. Finally, use the third password for any websites that could have financial consequences, such as online banking or payment sites.

Finally, for those of you out there hosting web sites that hold other people’s data, have a look at the guidelines in my earlier blog entry about Spotify…

Microsoft, Xerox, Coca-Cola (and more) Hacked

Last night just before midnight, I noticed someone tweeting that msn.co.nz had been hacked. Obviously such a high profile domain is an attractive target for hackers and hacktivists alike, but it is relatively rare that they are successful, so I quickly tapped the link into my browser and went to take a look.

Sure enough, this is what I see:

[image: billgates1]

The picture of Bill Gates was taken after French anarchist Paul Godin chucked a custard pie at Mr Gates in April of 1998. The text below the image read:

“Aaaare youuuu Hackeeeed !!

by Agd_Scorp – rx5 – Cr@zy_King

JeXToXiC, , 4R!F, KacaK, BLAsteR, Cebrail, AmeN

Zec, TheHacker, ZeberuS, s3f4, Frabiyy, NetRoot, Suskun

PAKbugs Crew Friends :Zombie_KSA, spo0fer, xOOmxOOm

unuttuklarimiz affede..u

STOP THE WAR ISRAEL”

It appeared to be a simple case, albeit a relatively high profile one, of hacktivism. The compromised site wasn’t redirecting to any malicious code, so I informed my colleagues in New Zealand so they could let MSN know, and went off to bed.

Looking at a zone-h article this morning, it seems it was a little more extensive than it at first appeared. The machine that was actually compromised (via a SQL injection) belonged to the registrar domainz.net, and the hacktivists were able to redirect several company websites (including Microsoft Hotmail & MSN, Coca-Cola, Xerox, F-Secure & Bitdefender) to the server with the defaced pages.

When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact zone-h notes that registrars have been “one of the main aims of the past months”.

If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on and offline worlds.

An interview with HackersBlog

UPDATE: A couple of days after this interview, HackersBlog released the details of their latest successful compromise, Tiscali UK. Once again, they gained access to user data, including username, firstname, surname, company, telephone, regdate, lastlogin, email and hashed password.

After many high profile compromises over the past few months, the Romanian hacking project HackersBlog United is rapidly gaining visibility on the web security scene. The recent web site compromises that HackersBlog lay claim to include: Kaspersky, F-Secure, Symantec, Bitdefender, Second Life, Facebook, Hi5, StayFriends, International Herald Tribune, Yahoo!, The UK National Lottery, UK newspaper The Telegraph and, most recently, British Telecom.

HackersBlog operate under their own code of ethics, which means that they will not expose website problems in public that have a high risk of exploitation, they will not save or distribute private data from compromised web sites, and they will contact the website owner with details of the vulnerabilities exploited so that the necessary remediation can be carried out (full code of ethics here).

I decided to contact the group to find out a little more about how they operate, why they do what they do, and importantly to ask them for any general advice that can help everyone provide a more secure online experience for their customers.

I have left the answers below exactly as they were received. I think you’ll agree that even the most high profile website can learn from the compromises detailed on HackersBlog. Perhaps the biggest lesson to keep in mind though, is that without proper regard for security as an integral part of the design process, we are all potential victims.

How long has your group existed, why did it come into being and what motivates you to continue?

We come from Romanian “blackhat” teams that used to compete against each other. We united for a better purpose, that of informing the public of the dangers on the internet.

Is anonymity necessary for conversation or are you safe from prosecution simply because of a lack of international co-operation around cybercrime?

No comment.

We have seen you target security vendors recently, a newspaper, and now telecoms companies, is there a method behind your choice of targets?

We don’t have an agenda. Usually, when we find a vuln in a website, we try to show that their competitors can face the same problems. We don’t like to spend too much time digging vulns only in one type of website but rather try to diversify and enlarge the spectrum of our research.

On average what ratio of “successes” do you have when attempting to compromise professional enterprise level web sites?

Let’s look at it from a different perspective. We are using only very well known methods and therefore the return is somewhere around 15-20%. If someone is using blackhat techniques the results can grow exponentially since ethics would not stop that person in his doings.

What are the top 5 “schoolboy errors” made by the professionals when designing or securing their sites, errors that you really shouldn’t be seeing?

When the attack is manual (without making use of certain software used in scanning/verifying vulns), the error messages generated by the site are of crucial importance to the attacker. One of the main issues here is that coders forget to turn error reporting off.

Another serious mistake is “trusting” the data coming from the user (forms and such) as being genuine without further verification.

Another factor that cannot necessarily be taken as a mistake, but which we believe can generate problems for the website or the server where the site is hosted, is the presence in the links of the parameters in their “normal” form. For instance: .php?parameter1=val1&parameter2=val2. A whole lot of “vulnerability scanners” search the web for sites with this kind of parameters because they are easily identifiable and can then be tested in the hope of finding security holes. Instead, if the parameters were included in a “SEO friendly URL”, such as /articol-23.html, those scanners would fire in the dark because the link would not have a standard structure anymore: .php?p1=v1&p2=v2.

Based on these “mishaps”, and along with many others, we can outline the most common vulns found on the web: Cross Site Scripting, SQL Injection, Local Path Disclosure, Local File Include and Remote File Inclusion, Remote Code Execution… Of course, this is just a short list and there are more solutions out there, available to anyone.
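The two mistakes 2fingers lists first, trusting form data without verification and leaving error reporting switched on, are what turn a login or lookup page into a SQL injection hole of the kind behind the gamespot.com and orange.fr stories above. The following is an added example (not code from HackersBlog or from any of the sites named on this page) using Python and an in-memory SQLite table with constructed sample rows: it shows the string-built query beside its parameterised fix, and a simulated web tier that either echoes the raw driver error to the client or logs it server-side and returns a generic message.

```python
import sqlite3

# Constructed sample data: a tiny subscriber table standing in for the
# kind of customer store the compromised sites above held.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username):
    # Mistake two from the interview: the form value is trusted and spliced
    # straight into the SQL text, so quotes in it become part of the query.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, username):
    # Fix: the value is bound as a parameter; whatever it contains, the
    # database treats it as one string literal, never as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def handle_request(conn, username, lookup, verbose_errors):
    """Simulated web tier. Returns (rows, message shown to the client)."""
    try:
        return lookup(conn, username), "ok"
    except sqlite3.Error as exc:
        # Mistake one: with error reporting left on, the raw driver message
        # (which echoes fragments of the SQL) goes back to the browser and
        # tells the visitor that their input reached the database unescaped.
        if verbose_errors:
            return [], f"database error: {exc}"
        # Fix: keep the detail in the server log, send a generic message out.
        print(f"[server log] lookup failed for {username!r}: {exc}")
        return [], "internal error"

if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe breaks the concatenated query...
    print(handle_request(db, "O'Brien", lookup_vulnerable, verbose_errors=True))
    # ...and a tautology turns it into "return every row" (2 rows here)...
    print(len(lookup_vulnerable(db, "' OR '1'='1")))
    # ...whereas the bound parameter matches no such username (0 rows).
    print(len(lookup_parameterised(db, "' OR '1'='1")))
    print(handle_request(db, "O'Brien", lookup_parameterised, verbose_errors=False))
```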

Do you think that companies are getting smarter about securing their online assets as time goes on or have no lessons been learned in the time that you have been active?

It is too early for us now to opinate about this since our presence online in this format (whitehat) is not very old. However, anyone who has to deal with online security can confirm that sites are safer and better protected now than they were a few years ago, also because there were people and companies out there who pointed out the problems they found.

Kind regards

2fingers