M32 Security » Breaches

DreamHost Shell/FTP Account Database Compromised, ALL Passwords Reset

Kyle — Sun, 22 Jan 2012 23:37:02 +0000

Image via Wikipedia

According to DreamHost’s Status and Blog, staff noticed some unusual activity on one of their databases that held user login information for shell accounts. While the passwords were mostly encrypted, hackers “hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted,” according to DreamHost CEO Simon Anderson.

As a precaution, ALL shell/FTP account passwords were reset by DreamHost. While it will cause some inconvenience for users trying to access their sites over SSH/FTP, the implications are much more serious. A lot of CMS systems store their database username and passwords in plaintext on configuration files. If whoever gained access to DreamHost’s shell account database and managed to decrypt the information, then they would have unmitigated access to not only sites’ files, but they could potentially (and most likely) gain access to the back-end database driving those sites with all user data. This could be a very major breach of user data from one of the largest web hosts in the United States.

DreamHost is being unusually mum about the technical details about the hack and is angering customers over their negligence regarding out-dated server software. While most front-end software is kept up-to-date, their back-end software is grossly outdated and there appears to be no real effort nor care by DreamHost to keep OS and back-end software updated. What makes things worse is that DreamHost’s official stance on their security solution is to not disclose what technologies they use. Rather than taking a proactive and relatively transparent stance to their own security systems, the company has decided to take-up a reactive and a “security through obscurity” stance.

DreamHost Security Issue Prompts FTP Password Resets (sucuri.net)
Changing Shell/FTP Passwords due to Security Issue (dreamhoststatus.com)
Security Update (dreamhost.com)

Tags: blog, breach, cms, Compromised, isc, Password, Security, Server, ssh, tw, user data

Virus targets US Predator and Reaper drones

Kyle — Fri, 07 Oct 2011 21:29:53 +0000

A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other war zones. The name of the virus is yet to be known, as details are still emerging about how the malicious code got into the systems in the first place. Could this be a belligerent enemy to US forces attacking their main weapon in use for remote regions? Ars Technica has the story after the jump.

Computer virus hits US Predator and Reaper drone fleet.

Tags: attack, Breaches, code, computer virus, cybersecurity, drone, keystroke, malicious code, malware, MQ-9 ReaperMQ-9 Reaper, nist, predator, reaper drones, War on TerrorismWar on Terrorism

WordPress.org Possibly Compromised, Resets ALL Passwords

Kyle — Wed, 22 Jun 2011 00:40:44 +0000

WordPress founder Matt Mullenweg posted on WordPress.org’s News page today that several popular WordPress plugins had changes committed to them that had been determined to not be from their developers. The commits actually added back doors that would compromise potentially hundreds of thousands of WordPress installations that utilized them. As a precautionary measure, all changes were reverted for these plugins and ALL passwords to WordPress.org, BuddyPress.org, and bbPress.org reset. There aren’t many more details as of yet, but there is sure to be a witch hunt over the integrity of WordPress.org’s security as well as all code that powers the CMS.

Tags: Addthis, BuddyPress, cms, code, Compromised, founder, Matt Mullenweg, News, Security, W3 Totalcache, WordPress, wordpress plugins, wordpress.org, WPTouch

British Game Developer Codemasters Breached, Tens of Thousands of Accounts Compromised

Kyle — Mon, 13 Jun 2011 17:55:17 +0000

British game developer Codemasters, who develops games for almost every platform out there, has had its site breached and has had ‘tens of thousands’ of customers’ personal data stolen. According to the BBC:

 The firm described the data theft as "significant" saying names, addresses, phone numbers and dates of birth were all taken on 3 June.

The company has since taken its website offline and visitors are now directed to Codemasters’ Facebook page for the meantime. This is yet another example of companies learning the hard way that IT security infrastructure is not something that should be neglected.

Details on who was responsible for the theft and methods used to carry out the attack are as of yet unknown.

Tags: bbc, british game, codemasters, Compromised, Facebook, offline, personal data, Security

LulzSec Hacks Sony…Again…And Scores PSN Source Code

Kyle — Tue, 07 Jun 2011 00:56:38 +0000

LulzSec, also known as Lulz Security, which has become infamous for their past and more recent hacks including PBS and Sony, has hacked Sony HQ…again. This time they scored around 54 megabytes of the developer’s source code to the PlayStation Network. What does it mean? Hold on to your butts. The group published a press release detailing the hack while simultaneously releasing all stolen code to the public through various channels. The implications of this are enormous, as Sony’s PSN is now wide-open to any exploits found in the previously obfuscated code. Expect Sony’s problems to continue for a while.

The targeting of Sony stems from their legal assault on George Hotz, otherwise known as GeoHotz, who had found and published a way to circumvent protection mechanisms on the PlayStation 3. This was a big deal after the company removed the “Other OS” feature through a firmware update that allowed the installation of Linux on the console to use the powerful IBM Cell processor that powers the machine. The PS3 has been known to be used by organizations like the US Air Force in supercomputer clusters due to the Cell processor’s vastly superior floating-point performance which is highly desired for processing large amounts of data for modeling.

Stay tuned…

Tags: ACHIEVEMENT, Cell, floating point, geohotz, George Hotz, IBM, ibm cell processor, legal assault, lulz, LulzSec, OtherOS, pbs, playstation 3, point performance, ps3, psn, release, sony hq, Source, supercomputer

phpMyAdmin Exploit Used To Launch New SSH Brute-Force Attack

Kyle — Fri, 13 Aug 2010 01:55:13 +0000

An older vulnerability in phpMyAdmin (CVE-2009-1151) is now being exploited by a botnet known as dd_ssh. Details are still emerging, but it appears that this new bot originated from 91.193.157.206 according to SANS. If the exploit of CVE-2009-1151 is successful on vulnerable phpMyAdmin installs, the files vmsplice.txt, dd.txt, and, in some instances, vm.c are downloaded from the aforementioned IP. The last of those files mentioned contains the vmsplice local root exploit (CVE2008-0600). After being compromised, the infected installations start making connections to multiple addresses on ports 54509 and 54510; most likely for command & control. SANS ISC is actively monitoring this apparent new botnet and has noticed a notable up-tick in machines scanning SSH lately.

More Info Over at SANS ISC and thanks goes to Briareos over at BroadBand Reports for the quick fact-finding and possible discovery.

June Security Advisory posted by F5 on identifying any suspicious activity and mitigating the exploit

Tags: dd.txt, dd_ssh vmsplice.txt, phpmyadmin, ssh, vm.c, vmsplice, vulnerability

Zeus v3 Trojan Silently Siphoning Money From UK Bank Accounts

Kyle — Thu, 12 Aug 2010 03:19:40 +0000

Security research firm M86 Security (no relation) has posted a whitepaper outlining how cyber-criminals started utilizing the Zeus v3 trojan in conjunction with the Eleonore, Phoenix, and Siberia Exploit Kits to siphon £675,000 (~$1.05 million USD) so far from UK victims’ systems that have been compromised. The attack started on July 5th and has continued silently ever since. The main reason why the theft hasn’t been successfully mitigated thus far is because of the Zeus trojan’s extreme difficulty to detect by antivirus solutions. The Zeus trojan, also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber is sold as a kit to people willing to pay a price for the latest code known as Zeus v3. It primarily infects a machine through exploiting un-patched versions of Internet Explorer to gain control.

The Zeus trojan has been known to steal user data in the past, but has never been used in such a direct manner. In the US, there are believed to be 3.6 million infected machines by the malware alone, which makes it arguably one of the world’s most dangerous trojans/botnets in terms of potential damage. The Daily Mail has a good article outlining the exact details.

M86 Security Whitepaper (PDF)

Tags: botnet, Eleonore, Gorhax, kit, M86 Security, malware, Phoenix, siberia, trojan, UK, ZBot, Zeus v3, £675000

Conficker: The Proactive Worm Ahead Of The Curve

Kyle — Sun, 08 Aug 2010 19:26:15 +0000

An interesting article over at The Register shows how the now infamous ~6 million strong Conficker botnet/worm stays ahead of the curve in terms of Information Security by staying proactive and paranoid in how it is managed. Although the classification of the worm only goes from A through E, the botnet itself is ever-evolving; creating a nightmare for researchers world-wide in detection and cleansing of infected machines. It is unknown who runs the botnet, but it is known that the technical skill behind its command is very much on the bleeding-edge of security as well as social engineering. For instance, the worm uses simple exploits to infect Windows machines, but it phones home to domain names which can no longer be predicted and shut-down to receive new instructions and updates to the code that infects the machine. It has used scareware in the past to spread as well, such as bogus security software. It has even gone so far as to actually remove or fix other security threats on an infected machine to avoid detection. It constantly stays up-to-date and often mitigates even the newest anti-malware tools designed to remove it.

What makes it so hard to remove is its inability to be cracked. It has used the MD6 cryptographic hash function that was a candidate for the NIST SHA-3 Hash Competition with a 4096-bit RSA key. Even when a buffer-overflow vulnerability was discovered in MD6, the botnet’s owner corrected the implementation within a matter of days. There is an entire working group called The Conficker Working Group tasked entirely to the botnet, which has yet to break-in and take any sort of control away from whoever runs it.

In-depth article at The Register

Tags: botnet, buffer overflow, Conficker, Conficker Working Group, Downadup, Downup, Kido, MD6, nist, RSA, scareware, SHA-3, worm

Laptop stolen from MoD with encryption key that could open highly sensitive files

Kyle — Mon, 14 Dec 2009 04:03:16 +0000

The Sun and now the BBC have reported that a laptop used by a high-ranking RAF Officer at the UK’s Ministry of Defence was stolen in late November; possibly much more recently that included an encryption key with the potential to open highly sensitive files. The laptop was said to be stolen from a highly secure area has arisen fears that a mole is operating within the Ministry. If the severity of the breach is as serious as has been reported, this could be be one of the largest breaches of data security in a very long time.

It is not known if the laptop in question has been secured with disk encryption or any other type of techniques used in attempt to keep data from unauthorized parties.

As of writing this, the MoD has been bluntly quiet on the incident saying only that “An investigation is ongoing.”

Heads up to The Spy Blog UK for highlighting this

Tags: Breaches, data security, disk encryption, late november, ministry of defence, mole, raf officer, sensitive files, severity, unauthorized parties

T-Mobile USA confirms massive data breach

Kyle — Thu, 11 Jun 2009 02:02:57 +0000

The network security guys at T-Mobile USA probably breached their underpants after some black hat or group of black hats named “Pwnmobile” posted on seclists.org a sizeable list of internal hostnames, OSes, partial descriptions, internal IP addresses, and facilities relating to the back-end of T-Mobile’s customer management and services network.

At first, T-Mobile tried to say it was just a list pulled from a corporate document; but now the company is admitting that it was, in fact a major security breach according to a USA Today Blog and are not disclosing how much data was taken. Odds are, if whoever managed to get this far, a very sizeable amount of data was captured. The person who made the posting mentioned that they had tried to sell the information to competitors, but they were not taken seriously.

On a slightly related note, the posting related the T-Mobile hack with Check Point. Does this mean a perimeter Check Point firewall was either hacked or exploited to gain access to this network? Only further elaboration from Pwnmobile, T-Mobile, or an insider can say. There have been several recently published high-visibility Check Point exploits and perhaps they were used in the hack.

Tags: attack, black hat, breach, check point, check point firewall, checkpoint, corporate document, cybersecurity, exploit, GSM, high visibility, internal ip addresses, massive data, mobile hack, network, network security, partial descriptions, Pwnmobile, Security, t-mobile, usa today, user data