Phishing Leads to Man-In-The-Middle Attacks

Krebs on Security reported that a security company called Proofpoint had detected a 4 week-long targeted phishing campaign against customers of one of Brazil’s largest ISPs who use two routers (UTStarcom and TP-Link) that are commonly used on that ISP. The emails pretended to be an account/billing message from the ISP with a link to a fake site that looked like the ISP’s site. The fake site used a cross-site request forgery exploit to start a brute force attack against the victim’s router administrator login page using default usernames and passwords for the two brands of routers. Once the script had successfully logged in it would change the router’s primary DNS (Dynamic Name Server) address to the criminal’s own malicious DNS. This allows the crooks to monitor all web traffic, hi-jack search results and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data like usernames, passwords and credit card info. This could also lead to the installation of other malware.

dnshijack-600x162
I
mage of malicious iframe scripts used to hi-jack the router and DNS

This type of  attack is especially dangerous because it can bypass antivirus and security tool detection and can even lead to the router and hosts becoming part of a bot-net.

The important take away from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks.

Sources:

http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/

https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm

Author: Charles Leavitt

Facebook Gives Out Bounties to White Hat Hackers

In today’s world there are dozens of big name companies being hacked every year through countless vulnerabilities in software that we all depend on.  This has created a rather bleak public opinion of the term ‘hacker.’  Yet, as Facebook is clearly aware, not all hacking is bad hacking – it just depends on how you use the holes that you have exploited.

Facebook is a company that should be very concerned about cyber security, over a billion (yes, I said a billion) people around the world use this social media behemoth – meaning they have a lot of private information to keep track of.  Recognizing this, Facebook started an ongoing public program back in 2011 to give hackers a chance to turn away from the dark side – albeit with a little monetary reward as incentive.  They give hackers a chance to quietly report any exploits that they have found directly to Facebook in exchange for a cash bounty.

Colloquially these hackers are known as ‘white hat’ hackers, and there are surprisingly a lot of them.  Facebook dished out a total of 1.3 million dollars in 2014 alone through this program, with bounties ranging from as low as $500 to as high as $30,000.  Just recently, a hacker named Laxman Muthiyah discovered a way to delete a users photos through Facebook’s graphing API.  Grateful for the find, Facebook gave him a whopping $12,500 for reporting it without making it public.

Despite this monetary reward, these hackers can’t be all in it for the money.  By exploiting Facebook’s holes on their own or by selling them, they could surely turn a much higher profit than what Facebook is offering.  Yet, the reward coupled with a sense of morality are what drive these hackers to continue to do good rather than evil.

– Keegan Parrotte

Nearly Twenty Months Vulnerable

What’s latest on the list of ever growing computing security concerns? Well, nothing too kind, that’s for certain. Early last month a security flaw involving the United Kingdom’s online card carrier, Moonpig, was leaked on the internet. (Moonpig has three million customers.)

While it is standard for security issues, vulnerabilities, and risks to be revealed, something in particular makes the Moonpig’s situation a peculiar one. If not peculiar, then definitely vexing to say the last. According to sources, Moonpig’s methods of authentication leave much to be desired.

Since August 2013 — yes, that is correct, the year 2013, Moonpig has supposedly known about the insecure protection of user information on their website. This still unresolved monstrosity pretty much translates into the idea that the standard user has the ability to pretend to be someone else. Under the pretense as this other user, the system then gives the user access to account details, from home addresses and names to credit card tidbits.

Screen Shot 2015-02-22 at 9.58.09 PM

(Screenshot of Moonpig statement found on Paul Price’s blog)

This credit card information discloses the card’s last four digits, expiration, and card holder. Equally concerning is that Price reveals many companies create user identities consisting of user address, birthday, and final four credit card digits.

Under a secure system, Moonpig’s app should run an authentication process to crosscheck the request is being made by the account’s holder– good wonders, customer protection! Essentially, spoofing another user shouldn’t permit them to still gain this data access.

In a true exposition of catering to the customer, Moonpig has no such authentication. Of course, the fact this has been a fatal flaw since August 2013 becomes icing on the cake. (A definite lie of a cake, if you follow.) In any case, there have been no news updates from Moonpig since January. Granted, the upwards of a year and three quarters already creates quite the statement.

The original discoverer of Moonpig’s blatant lack of concern comes from security researcher Paul Price’s blog. Eventually he decided to go public the week of January 5. Although its API is currently down, who’s to say what has and hasn’t happened to customer information.

– Misha (mxb4099)

——–

Paul’s blog, for more technical detail: http://www.ifc0nfig.com/moonpig-vulnerability/

Read about the handy dandy “GetCreditCardDetails” method included.

Original Article Found: http://www.mirror.co.uk/news/technology-science/technology/moonpig-security-flaw-leaves-3-4926441

Further Reading:

“Rather than securely sending information protected by an individual’s username and password, the API sent every request protected by the same credentials…”

————-

Interesting side note; while I wasn’t sure a whole article was fit to be dedicated to the ‘security’ flaw of the newly released Rasberry Pi 2, it’s worth noting it has the innocent bug of crashing when its photo is taken.

https://nakedsecurity.sophos.com/2015/02/11/most-adorable-bug-raspberry-pi-2-crashes-when-you-take-a-photo-of-it/

 

Malware Found On Major Hard-Drives

Security researchers at Kaspersky Labs have discovered spyware hidden within the firmware of hard-drives made by Seagate, Western Digital, Toshiba, Mircron and Samsung. Kaspersky Labs found victims in thirty different countries such as, China, Russia, and Iraq. The victims fall into multiple categories, such as governments, military, Islamic activists, and mass media.

The organization responsible for these attacks are called the Equation Group by Kaspersky. While researchers at Kaspersky have not disclosed the country that Equation belongs to, they have speculated that Equation Group are also be responsible of Stuxnet, a National Security Agency spy program targeting the Iranian nuclear program. Therefore closely linking the Equation Group and the NSA.

The spyware is able to collect and copy data of the infected computers and is activated when the infected PC starts. It also has the ability to map out the network of the infected computer.

Lead researcher states that this would not be possible without the source code of the hard-drives. By looking through the source code for vulnerabilities, the hard drives could be exploited. While many of the hard-drive manufacturers have commented that they would not release their source code, Equation Group still managed to acquire it.

victim map

Links:

https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

-Zhi-Han Ling

Customer Records Stolen from 2nd Largest US Health Insurer

Hackers were able to access customer and employee records of Anthem, the second largest health insurer in the US. According to Anthem, the hackers were able to access names, birthdays, addresses, and SSNs, however based on the current information they did not access medical or financial information.

The breach was only discovered a little over a week ago when the systems administrator noticed queries being run on the database using his own credentials.

Based on information shared by an Athem spokeswoman, the company only encrypts data that is being transferred to or from the database meaning that the data stolen was not encrypted. Anthem relies on “other measures, including elevated user credentials, to limit access to the data when it is residing in a database.” However the attack relied on stolen employee credentials, no one is sure whether or not encrypting the data would have prevented the attack.

Sources: