::Trend Micro Threat Resource Center::

30 June 2011

Thousands of Tumblr accounts compromised

Tumblr users have been targeted with an aggressive phishing campaign in the last week or so and are still being lured into entering their login credentials for access to adult content.

And it seems that the scheme is working very well - GFI researchers have accessed one of the dropzones for the stolen credentials and have discovered a massive amount of data.

What makes this phishing scheme stand out from others is the fact that the scammers are using the compromised Tumblr accounts to set up more and more phishing pages.


Various domains were also used to perpetuate the scam, including tumblriq(dot)com, tumblrlogin(dot)com and tumblrsecurity(dot)com - all registered in the last few weeks to bogus clients.

"The problem has become so pervasive that regular Tumblr users are setting up dedicated anti-phishing sites to advise users of the problem," say the researchers.

Also, Tumblr has created an automated reply for people reporting the scheme, in which it advises affected users to reset the password for their account, to remove the fake login template by choosing a new theme and to "unfollow" all the blogs their account is following thanks to the scammers.

"What does somebody want with that many Tumblr logins?" ask the researchers. "We can only guess. The stolen accounts could be used as some form of advert affiliate money making scam, or maybe we could see lots of pages with survey popups pasted over them. There is the very real possibility that the Tumblr accounts are simply a way to test if those users are logging into other services with the same credentials - at that point, everything from email accounts to internet banking sites could be fair game."

29 June 2011

Attack of the computer mouse

This attack method is not new. It was tried and tested with flash drives. Finders keepers?

So the next time one finds a ‘branded’ computer accessory (e.g. a high-end Razer mouse or a solid-state drive) lying around that seems too good to be true, it usually is.

========================================================

Security firm Netragard has described an attack during which a modified computer mouse was used to infiltrate a client's corporate network. For this attack, the security experts equipped the mouse with an additional micro-controller with USB support (Teensy Board) to simulate a keyboard, and added a USB flash drive to the setup.

When connected to the PC, the Teensy Board's Atmel controller sent keyboard inputs to the computer and ran software that was stored on the USB flash drive. This allowed Netragard to install the Meterpreter remote control software, which is part of the Metasploit framework. To bypass the target system's McAfee virus scanner, Netragard says it used a previously undisclosed exploit.

The crux of the attack was to find a suitable company employee who would, upon receiving the computer mouse, connect it to a company PC without becoming suspicious. The client who ordered the pen test had excluded social engineering attacks via telephone, social networks and email, but Netragard managed to obtain a list of the company's employees via the Jigsaw service. The security experts selected one of the employees and sent the mouse in its original packaging – camouflaged as a promotional gadget.

Attacks that use specially modified USB devices have been around for a while; USB flash drives that are "accidentally" left lying around are often used in security tests. A current study by the US Department of Homeland Security found that 60 per cent of users will naively connect a USB flash drive to their PC to see what is stored on it.

However, using a computer mouse for such an attack is a new idea. Corporate IT security staff may in future be faced with the problem of having to test peripheral devices before they can allow users to connect them to their PCs. Specially modified Android phones can also present themselves as keyboards, and take control, when they are connected to a PC.

26 June 2011

1st Annual DEFCON Kids Conference

Seems like the USA is preparing to groom its next generation of hackers.
I wonder why we don't have something similar in SG. :(

http://www.defconkids.org/

I hope it'll be interesting.

25 June 2011

Facebook scam baits users with LulzSec suspect photo

Attention all Facebook users, here's another FB scam bait. Refrain from clicking on the fake links; they don't lead you anywhere.

As the hunt for individuals behind LulzSec is underway, and reports about these worldwide efforts spilled over into the mainstream news, cyber crooks have jumped on the opportunity to misuse the curiosity of the public and have set up a Facebook scam targeting them.


The scam was revealed by Sophos' Graham Cluley when he received a request from a British journalist to share the photo of the recently arrested Essex hacker that is thought to have links with the hacking group.

Cluley said to the journalist that he didn't have the photo in question, but the journalist insisted: "But you do have a photo of the hacker! I've seen it on Facebook! But we want an unblurred version!"

This statement led him to investigate the matter, and he unearthed the scheme pictured above. Sure enough, the link used in the story was one that pointed to Cluley's blog post - but the story didn't include a picture of the suspect.

Following the link to the page in question and to the tab labelled "The Picture", he found out that the scam required the victims to "like" and "share" the page before supposedly being redirected to the unblurred picture. Once they did it, they got redirected to a third-party webpage where they were urged to download a program that installs a series of toolbars on the victims' browser.

He doesn't mention whether the unblurred photo is shown in the end, but he managed to track it down to a Wired article from 2008.

24 June 2011

Chrome extension for identifying insecure code

In a bid to help developers keep their websites clear of security holes, Google has built - and offered for free - a (currently experimental) Chrome extension called DOM Snitch.

The extension intercepts potentially dangerous JavaScript calls. "Once a JavaScript call has been intercepted, DOM Snitch records the document URL and a complete stack trace that will help assess if the intercepted call can lead to cross-site scripting, mixed content, insecure modifications to the same-origin policy for DOM access, or other client-side issues," explains Radoslav Vasilev on Google's Online Security blog.

Sounds like a good tool for all developers, but especially for those who are still unsure of their JavaScript coding capabilities and wish to be sure they are writing secure code.

By using it, not only can developers monitor the DOM modifications as they happen inside the browser, but they can also export the captured modifications in order to show them to and consult with co-workers.

Scaling with Consistency: ISO 27001

Attended a talk today on "Scaling with Consistency: ISO 27001", jointly organised by IT Standards Committee (ITSC) and the Association of Information Security Professionals (AISP).


The guest speaker was Mr Goh Thiam Poh, Operations Director of Equinix Singapore. He shared with us the processes and lessons learnt while pursuing ISO 27001 certification for Equinix Singapore, and how to keep information security consistent while still being able to scale as the business grows.


Speaker Biography: As Operations Director for Equinix Singapore, Mr Goh Thiam Poh is responsible for the operations performance of the Singapore IBX centres.

Mr Goh has 15 years of management experience in the telecommunications and data centre industry. Prior to joining Equinix, Mr Goh was Director, Hosting Infrastructure Engineering for Singapore Telecommunications Ltd, where he led the implementation of the SingTel regional data centres in Singapore, Hong Kong, Taiwan, Japan, South Korea and Australia.

WordPress users endangered by Trojanized plugins

Three popular WordPress plugins have been Trojanized by unknown individuals and made available for download, warned WordPress yesterday.

"Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors," explained Matt Mullenweg. "We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory."

If you use the WordPress platform and have updated one of these plugins in the past two days, you are at risk. You have to upgrade them again - WordPress has pushed out their new, safe versions.

Also, if you have an account on WordPress.org, bbPress.org and/or BuddyPress.org, don't be surprised to find a password reset message the next time you log into your account.

23 June 2011

Certification authority reports security breach

Following in the footsteps of the RSA incident, another certification authority has fallen prey to attackers in need of certificates for phishing login pages.


The authority in question is StartSSL, operated by StartCom, and according to the short message posted on their site, the breach occurred on the 15th of June.

"Subscribers and holders of valid certificates are not affected in any form. Visitors to web sites and other parties relying on valid certificates are not affected," it says.

The authority has immediately suspended the issuing of new certificates and has still not resumed services.

The Register reports that Eddy Nigg, StartCom's CTO and COO, has confirmed that the attackers were looking to issue certificates for a list of websites very similar to those targeted in the Comodo breach (Gmail, Google, Skype, Yahoo and others), but that they failed to do so.

Nigg also pointed out that the attackers haven't managed to compromise the authority's private encryption key because it is stored on a computer that isn't connected to the Internet.

Dropbox security glitch allowed anyone to access user accounts

Web-based file hosting service Dropbox has confirmed that a bug introduced by a code push allowed anyone to access any user account by simply typing in a random password for a period of nearly four hours.


The bug was detected accidentally by an anonymous user who sent the following information to security researcher Christopher Soghoian:

Hi Chris,

If you're still involved in the Dropbox investigation, there was an interesting development this afternoon. I found I was able to log into my account using an incorrect password, and on further investigation I found I could log in and access files on any of the three accounts I tested (mine and two friends') using any password.

This is corroborated by the admittedly-thin dropbox tech support thread below.

After receiving permission from the sender, Soghoian published the whole email exchange on Pastebin on Sunday morning.

Once the problem was shared with the Dropbox technical support team, it was fixed in a matter of minutes, but that doesn't change the fact that it shouldn't have happened in the first place.

"A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions," Dropbox's Arash Ferdowsi wrote. "We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner."

A recent update says that they have emailed activity-related details to the owners of the accounts that logged on during the period in question, but there is no news on whether the bug was exploited by unauthorized third parties.

This is definitely not a good year for Dropbox. According to Wired, Soghoian has recently filed an FTC complaint against the company, claiming that the service misleads its users by saying that no one at the company has access to the encryption keys needed to open the encrypted files uploaded by users, when in fact some employees do have access to those keys and can decrypt the files.

With this latest glitch, the company could find itself losing their most precious commodity: the trust of its users.

22 June 2011

Android URL Filtering SDK: Secure Web browsing and compliance

Commtouch announced GlobalView URL Filtering for Mobile, which enables real-time protection for mobile device users browsing the Web.


GlobalView URL Filtering is comprised of a Software Development Kit that connects to the cloud-based GlobalView Network. Access to the resources available in the cloud enables the solution to index the sites mobile users actually visit, including dynamic Web 2.0 sites and hundreds of millions of others.

Mobile users benefit from the protection offered by GlobalView URL Filtering without compromising their browsing experience. The Commtouch SDK requires minimal resources, and an adjustable local cache categorizes the vast majority of visited URLs on the device, preventing annoying browser lag.

GlobalView URL Filtering is currently available for operating systems and environments that run a Java Virtual Machine such as Android. Commtouch anticipates adding support for other mobile operating systems such as iOS, QNX and other BlackBerry operating systems, and Windows Phone 7.

Vendors and carriers can leverage GlobalView URL Filtering for Mobile to offer:

Secure web browsing: Mobile users can be protected from phishing sites or sites that download viruses and malicious content.

Regulatory compliance: Organizations can limit their liability, improve productivity and comply with required standards by enforcing Web access policies.

Parental control: Young surfers can be protected from inappropriate Web content such as pornography, gambling, violence and hate sites.

These solutions can be deployed by smartphone, tablet and eBook manufacturers, mobile service providers, as well as Internet security and mobile application developers.

Spam e-books plague Amazon's Kindle store

If you are a regular customer of Amazon's Kindle store, you could already be aware of the fact that spammers are using it to fleece customers out of their hard-earned cash by tricking them into buying bogus e-books.

The scam is made possible by the fact that anyone can publish an e-book on Amazon and offer it for sale. Unfortunately, there is no barrier to publishing as many e-books as one wants, and scammers have jumped at the opportunity.

The scammers can either use an already published e-book, change the title, author and cover and pass it off as a completely different book, or they can use a piece of software that packages public domain content, equips it with a cover and title and submits it for sale.

All in all, the process is very fast and allows scammers to churn out dozens or even more titles a day. Since Amazon doesn't charge for publishing e-books or making them available in the store, if the bogus titles are bought even a couple of times, the scammer has earned enough money to justify the time spent on them.

Amazon does try to weed out these books, but a 48-hour approval process obviously allows quite a few of them to slip through unnoticed, mixed with the legitimate titles.

According to Eric Mack, a longer checking process might help with weeding out the offending e-books. Another simple but likely effective solution would be to institute a charge for everyone who wants to publish an e-book on Amazon.

"Charging authors $50, $20 or even just $10 to publish to Amazon would drastically cut back potential profits for spammers, and any author that spent months or years crafting a quality work should have no problem shelling out a small amount to access a global market and ensure that there's fewer titles to weed through," he believes.

21 June 2011

iCloud search ends with fake AV

Following Steve Jobs' announcement of Apple's entry into the cloud business, the term "iCloud" has quickly become a trending topic. And cyber scammers - quick as always - have made it their business to poison Google search results tied to the keyword.

A number of these URLs that come up in search results have been found on MyMobi, a news site that covers news about new gadgets. These pages have been cleaned up in the meantime, but that's no guarantee that the criminals won't manage to compromise them again - or other sites for that matter.

Once users follow the offered link and land on the compromised page, they are immediately redirected to a malicious page where a script tries to download a file named SecurityScanner.exe onto their computers. If they run it, a fake AV by the name of XP Antispyware 2012 gets installed.


"The program contains a registration button. When users click this, the page redirects to a phishing site with a newly created domain that contains the “Choose Plan & Checkout” option to purchase XP Antispyware 2012," explains a Trend Micro researcher. "The FAKEAV malware also blocks Web browsers, Internet Explorer and Google Chrome from surfing the Internet unless users purchase the product."

18 June 2011

LulzSec leaked passwords come from Writerspace

Following LulzSec's sharing of a list of 62,000+ random login credentials, people who have been looking into it say that some of them are likely to come from the online writing community Writerspace.


As expected, the passwords used most often include “123456”, “123456789” and “password”. But it is the fact that many users have chosen passwords tied to books ("bookworm", "reader", "reading", "booklover" and others) that has fueled that belief.

"It all points in a clear direction; and if you’re still doubtful, perhaps the smoking gun is the fact that 30 people have chosen 'writerspace' as their password," says Darien Graham-Smith.

And the theory was confirmed by Writerspace: "Today an anonymous group of hackers known as LulzSec posted a list of 62,000 e-mail addresses and passwords. That list included about 12,000 e-mail addresses and passwords from Writerspace members."

They are contacting the owners of the affected accounts and say that their techs are working to ensure that their server is as secure as possible. They have also offered some good advice on choosing strong passwords, but I'm not so sure they have been storing the users' passwords as they should have - i.e. encrypted. Well, either that, or their encryption method of choice was weak.

16 June 2011

Citigroup data theft the result of a common vulnerability

If the information the NYT has received about the Citigroup breach is correct, and the intrusion was made possible by the exploitation of a vulnerability so frequent and common that it made OWASP's top 10 web application risks list, one wonders how it is possible that the world's largest financial services company hasn't got security experts that would remedy it.

The flaw in question is called insecure direct object reference, and it happens when an application exposes an internal reference (such as an account number) directly in a URL or parameter and then fails to check that the logged-in user is actually authorised to access the object it points to.

Essentially the process went like this: first, hackers logged into the accountholder website. From there, the attackers used some type of script that allowed them to automatically jump from account to account and harvest any identifiable information merely by changing a portion of the URL. It's not exactly known how the hackers knew to exploit this vulnerability.

A browser and the ability to change the URL string was all that was needed to open hundreds of thousands of accounts to attackers. Oh wonderful.

Once the attackers realized it - I'm guessing one of them probably had an account with Citigroup - it was only a matter of writing a script that would feed random numbers into the URL and every time it successfully accessed an account, the attackers harvested the information contained in it.

If that is true, there is another thing bugging me - why wasn't this "bombarding" of the site with requests carrying bogus combinations of numbers, over and over again, noticed by anyone? Why wasn't there a mechanism in place that would get triggered by this kind of action?

But maybe, in this case, they couldn't spot it? Maybe the script was written in such a way that the requests were random and spread over a great period of time? One would presume that the attackers would try to get as much information as possible in a short time before the attack was detected, but you never know.

The only thing going for those affected by the Citi hack may be the fact that the attackers do not have expiration dates or security numbers found on the back of the card. This may protect those attacked from serious identity theft, although a lot of other personal information has been disclosed.

All in all, can we now just stop calling it a "sophisticated attack"?
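To make the mechanism concrete, here is an added illustration (not code from the Citigroup site or from the NYT report) of the pattern the post describes: an account lookup keyed only by the number in the URL, the ownership check that closes the hole, and the kind of per-session log heuristic the post wishes had existed. The account store, user names and log lines are constructed sample data.

```python
"""Insecure direct object reference (IDOR): vulnerable lookup, fixed lookup,
and a log heuristic for account-id enumeration. All data here is constructed
for illustration; nothing is taken from the actual incident."""
from collections import defaultdict
import re

# Constructed account store: account number -> (owner user id, details).
ACCOUNTS = {
    100001: ("alice", {"name": "Alice", "balance": 1200}),
    100002: ("bob",   {"name": "Bob",   "balance": 300}),
    100003: ("carol", {"name": "Carol", "balance": 9800}),
}

class Forbidden(Exception):
    """Raised when the caller is not the owner of the referenced account."""

def account_details_vulnerable(session_user, account_id):
    """Returns whatever account the URL names. The session user is never
    consulted, so any logged-in user can walk the whole account-id space
    simply by changing the number in the URL: that is the IDOR."""
    _owner, details = ACCOUNTS[account_id]
    return details

def account_details_fixed(session_user, account_id):
    """Same lookup, but the object is only handed back to its owner."""
    owner, details = ACCOUNTS[account_id]
    if owner != session_user:
        raise Forbidden(f"{session_user} may not read account {account_id}")
    return details

# Constructed access-log lines: "user session http-status path".
# Session s2 hops across account ids and collects misses; s1 and s3 behave
# like genuine customers who only ever read their own account.
SAMPLE_LOG = """\
alice s1 200 /account/100001
alice s1 200 /account/100001
mallory s2 200 /account/100002
mallory s2 404 /account/100004
mallory s2 200 /account/100003
mallory s2 404 /account/100005
mallory s2 404 /account/100006
mallory s2 200 /account/100001
bob s3 200 /account/100002
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) /account/(\d+)$")

def find_enumerating_sessions(log_text, max_distinct_ids=2, max_misses=2):
    """Flags sessions that touch more distinct account ids than a genuine
    customer plausibly would, or that pile up 403/404 misses from guessed
    ids. Returns {session: (distinct_ids, misses)} for flagged sessions.
    Thresholds are constructed for the sample; tune them per application."""
    ids = defaultdict(set)
    misses = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not account reads
        _user, session, status, account_id = m.groups()
        ids[session].add(account_id)
        if status in ("403", "404"):
            misses[session] += 1
    flagged = {}
    for session, seen in ids.items():
        if len(seen) > max_distinct_ids or misses[session] > max_misses:
            flagged[session] = (len(seen), misses[session])
    return flagged

if __name__ == "__main__":
    print(account_details_vulnerable("mallory", 100003))  # leaks Carol's data
    try:
        account_details_fixed("mallory", 100003)
    except Forbidden as exc:
        print("fixed handler:", exc)
    print(find_enumerating_sessions(SAMPLE_LOG))
```

Slowing the enumeration down, as the post speculates the attackers might have, lowers the per-session counts, which is why the distinct-id count should be tracked per user across sessions as well as per session.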

15 June 2011

Encrypted voice calling for Android

Cellcrypt launched Mobile for Android, a version of its encrypted voice calling application that runs on Android devices operating over Wi-Fi, GSM and CDMA wireless networks.


Cellcrypt Mobile provides encrypted voice calling for off-the-shelf cell phones using government-certified security in an easy-to-use downloadable application that makes highly secure calling as easy as making or placing a normal phone call.

It is a software-only solution that uses the IP data channel of cellular (2G, 3G, 4G), Wi-Fi and satellite networks and can be deployed to personnel anywhere in the world in as little as 10 minutes.

Cellcrypt Mobile for Android is available immediately on devices supporting Android 2.3 and is interoperable with Cellcrypt running on other devices such as Nokia and BlackBerry smartphones.

"Cellular voice interception is different from other types of data breach,” said Nigel Stanley, Practice Leader, Security at Bloor Research, “if you lose a laptop, USB stick or disk drive it can be fairly obvious that the data has gone missing. But with voice, a successful interception can leave no physical trace so there is little chance of realizing your data has actually been intercepted resulting in disastrous consequences. If you can compromise a cell phone then you are more or less assured that you can collect the most relevant, current and damaging data possible about a user, their business or their private life. By supporting Android devices, Cellcrypt is providing enhanced security for one of the world’s most popular mobile platforms.”

14 June 2011

Latest Android Malware Takes Flight With Angry Birds

Malware was embedded in applications that promised to help users cheat their way through Rovio's popular Angry Birds game.

Xuxian Jiang, an assistant professor in computer science at North Carolina State University, last week found 10 applications infected with malware in the Android Market. On June 5, he reported it to Google, which suspended the applications on the same day. Jiang also contacted mobile anti-virus companies and research labs, including Lookout, Symantec, McAfee, CA, SmrtGuard, Juniper, Kinetoo, Fortinet, and others.

What is this latest threat?

In a blog post published last week, Jiang explained that this new malware, which his team named "Plankton" (after the pesky Spongebob character?) doesn't attempt to root Android phones. Rather, it was designed to run in the background secretly.

This particular piece of malware was embedded in applications that promised to help users cheat their way through Rovio's popular Angry Birds game (Angry Birds itself was not infected).

What does it do? Once the malware is fired up by the users, it loads a background service. That background service application scours the device for user data, including the device ID code, and reports it back to a remote server. The server parses the data and then sends a link back to the malware, which downloads an executable and then runs nearly invisible in the background.

The application then starts collecting more data, such as browser bookmarks, browser history, home page shortcuts, and runtime log information.

Full article here.

13 June 2011

Cyber Attack Compromises 18 Million WordPress Blogs

Bad news for just about every blogger out there. It seems WordPress, an extremely popular suite of tools for powering blogs, has been the victim of a cyber attack. Automattic, the company that owns WordPress, admitted to the attack this morning and noted that it may have left over 18 million blogs vulnerable.

WordPress founder Matt Mullenweg writes “Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.”

Mullenweg continues “We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”

Analysts, including Alexia Tsotsis of TechCrunch, have suggested that Mullenweg is downplaying the issue. She indicates that everything from Facebook and Twitter passwords to API keys could have been leaked.

So what does this mean to you? Probably nothing. There is a lot of information out there and the chances of your passwords being nabbed are slim. Still, it is about time you get them changed right? You’ve been using the same two passwords since High School and if you haven’t formed that band by now you probably are never going to. Wait, maybe that’s just me.

12 June 2011

How We’re Getting Creamed

Attended a webcast last week put on by Ed Skoudis of InGuardians and Cisco titled "Thwarted the Targeted Network Attack".

The webcast is archived and I would recommend checking it out.

Ed titled his section Targeted Attacks: How We’re Getting Creamed.

10 June 2011

10 most common iPhone passcodes

The problem of poor passwords is not confined to computer use, a fact discovered by an app developer who added code to capture user passcodes to one of his applications.

"Because Big Brother’s [the app in question] passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes," says Daniel Amitay.

It turns out that of the 204,508 recorded passcodes, 15% were one of the ten most common.


Comparing it to the list of most common internet passwords, one can see the similarities. "Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, repetition," he points out. "5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”"

Another pattern that pops out when looking at the list of top 100 most used passcodes is the conspicuous use of numbers that mimic particular decades in the last century - the 1990s and 1980s in particular. Amitay chalks that up to the assumption that most users are between the ages of 11 and 21, as it is very likely that the passcode represents the year of their birth or graduation.

Again, nothing new here - people often use their birth dates (or those of their near and dear) for PINs, passwords and codes, fearing that they would soon forget a random number and choosing one they never could forget.

The conclusion is, once again, that people are predictable and don't think much about security. But what makes Amitay's revelation crucial is that if someone steals or finds a lost iPhone, they have a 15% chance of unlocking the device and accessing the data within before it gets wiped, just by trying the passcodes on the aforementioned top 10 list.
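The patterns Amitay names (four identical digits, a line up or down the keypad, repetition, the LOVE keypad word, and 1980s/1990s years) can be turned into a policy check that a lock-screen or MDM profile could apply at passcode-setup time. This is an added illustration, not Amitay's code; the iPhone keypad layout, the standard phone letter mapping, the tiny word list and the 1980-1999 year range are assumptions stated in the comments.

```python
"""Classifier for the weak 4-digit passcode patterns described in the post.
Added illustration with assumed keypad layout and year range."""
import re

# Assumed iPhone passcode keypad layout; 0 sits below the 8.
KEYPAD = ["123", "456", "789", " 0 "]

# Standard phone letter mapping, used for keypad words such as LOVE = 5683.
T9 = {"abc": "2", "def": "3", "ghi": "4", "jkl": "5", "mno": "6",
      "pqrs": "7", "tuv": "8", "wxyz": "9"}
WORDS = ("love",)  # constructed, deliberately tiny word list

def keypad_pos(digit):
    """(row, column) of a digit on the assumed keypad."""
    for row_idx, row in enumerate(KEYPAD):
        col = row.find(digit)
        if col >= 0:
            return row_idx, col
    raise ValueError(digit)

def is_keypad_line(code):
    """True when every step between successive keys is the same non-zero
    (row, column) offset, i.e. the digits run in a straight line across the
    pad (2580 straight down the middle column, 0852 back up it)."""
    pos = [keypad_pos(d) for d in code]
    steps = {(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(pos, pos[1:])}
    return len(steps) == 1 and steps != {(0, 0)}

def t9(word):
    """Digits a word maps to on the phone letter layout ('love' -> '5683')."""
    return "".join(next(d for letters, d in T9.items() if ch in letters)
                   for ch in word)

def weak_patterns(code):
    """Return the names of the post's weak patterns that a 4-digit passcode
    matches; an empty list means none of them applies."""
    if not re.fullmatch(r"\d{4}", code):
        raise ValueError("passcode must be exactly four digits")
    found = []
    if len(set(code)) == 1:
        found.append("identical digits")
    # 1234 / 4321: consecutive digits (a numeric run, not a keypad line).
    if {int(b) - int(a) for a, b in zip(code, code[1:])} in ({1}, {-1}):
        found.append("numeric run")
    if is_keypad_line(code):
        found.append("keypad line")
    # ABAB or AABB repetition.
    if code[:2] == code[2:] or (code[0] == code[1] and code[2] == code[3]):
        found.append("repeated pair")
    if code in {t9(w) for w in WORDS}:
        found.append("keypad word")
    # Assumed range for the birth/graduation years the post mentions.
    if 1980 <= int(code) <= 1999:
        found.append("birth/graduation year")
    return found

def is_acceptable(code):
    """Policy decision: reject any passcode matching a known weak pattern."""
    return not weak_patterns(code)

if __name__ == "__main__":
    for sample in ("0000", "1234", "2580", "1212", "5683", "1992", "2683"):
        print(sample, weak_patterns(sample) or "ok")
```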

01 June 2011

Apple includes malware removal in security update

Apple just released Security Update 2011-003 which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

This is a small update weighing just 2.1 MB and requires Mac OS X 10.6.7 to install.


The OSX.MacDefender.A definition has been added to the malware check within File Quarantine.

The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the "Automatically update safe downloads list" checkbox in Security Preferences.

The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed.

It took a while for Apple to react properly to the onslaught of Mac Defender and similar fake AV aimed at Mac users, but they finally did it.

If you'd like more information on how to remove Mac Defender, go here.

Phishing forms on Google Docs

Google Docs is a handy online service for creating various types of documents that are hosted by the company in their cloud and can be made accessible to the greater public.

But, as it turns out, the service is not only handy for regular users, but for phishers as well.

F-Secure has unearthed a number of spreadsheets with form functionality that are apparently designed to act as phishing forms for webmail account upgrades, bug reporting, entering of student data and more.


What makes these spreadsheets particularly dangerous is the fact that they are hosted on spreadsheets.google.com, and that domain has a valid SSL certificate and a prominent padlock icon before the address in the URL bar.

This detail could easily fool inexperienced users into thinking they are safe in sharing their personal and financial information.

While digging around, the researchers have also stumbled upon a Google spreadsheet form that is the request form for a Google Voice account transfer, and they couldn't figure out if it was a phishing form or the real deal.

In the end, Google confirmed the validity of the form, but the researchers can be forgiven for thinking otherwise, since it requested the users' Google Voice number, e-mail address and secret PIN code.