Information security digest: July 18 – August 18, 2013


Apple Developer Center down for a week

It took Apple about a week to restore the functions of the Apple Developer Center following its crash on July 18. After about three days, Apple officially acknowledged that the site might have been hacked, and then, Turkish network security expert Ibrahim Balic, announced that he might have been the cause of it going down. He had found several serious vulnerabilities in the Apple iAD Workbench advertising system, and by exploiting them, managed to get the personal data of 100,000 registered users of Apple services. He immediately notified the company about the vulnerabilities and likely became the reason for the weeklong outage of the site.

Developers received a letter from Apple, which stated that the architecture of the Apple Developer Center was being completely overhauled.

Read more…


All forums closed

Future Publishing shut down all of its editions’ forums after detecting an attack aimed at PC Gamer’s forums.

“Last week on July 19, 2013 we discovered that the PC Gamer’s vBulletin-powered forum had been the target of a malicious attack. Immediate action was taken to shut down the forum, which blocked the attack. We have since been thoroughly investigating the damage done and how this attack took place.

We have no evidence that any of the PC Gamer’s users’ details were stolen. However, we feel it is safest to keep the forum closed until we are satisfied that the security vulnerability in the software is fixed. Information on the progress of this will be communicated via the PCGamer site.” – said the web page text.


No brakes

Shortly before Defcon, two IT specialists (i.e. hackers), Charlie Miller and Chris Valasek, showed a Forbes editor how to disable the Ford Escape’s brakes using a laptop connected to the car’s dashboard. The Ford Escape, like many other modern cars, is packed with computers, and where there are computers, there are vulnerabilities to be found.

Miller and Valasek managed to reverse-engineer enough of the software of the Escape and the Toyota Prius and found a lot of unpleasant surprises that can play a variety of dirty tricks: everything from annoyances like uncontrollably blasting the horn, to serious hazards like slamming on the Prius’ brakes at high speeds. They sent commands from their laptops that killed power steering, spoofed the GPS and made pathological liars out of speedometers and odometers.

Read more…


Down with passwords?

A campaign against passwords was launched on the Internet. The initiators of the campaign demanded that the IT industry develop “a safe and convenient alternative” to the current password-based way of logging in, i.e. one that would not require memorizing anything.


Passwords are one of the weakest spots in data security. To make them easier to remember, users often choose simple combinations that are easy to guess or crack, with predictable consequences.

There are alternatives to passwords, actually. But as mentioned above, passwords are familiar to most users, and bad habits tend to endure even when alternatives are on offer.

Read more…


There would be a reason

The birth of the heir to the British throne, the disaster in Spain, the nearing release of the next Plants vs. Zombies game: all of these events have caused a dramatic increase in the activity of malware writers and spammers who are trying to exploit public interest. In some cases, attempts originating from China to use the newly discovered master key vulnerability in Android (bug #9695860) were detected. Spammers and virus writers will try to exploit any news event that attracts massive interest.

Read more…


160 million credit cards

Five men from Russia and Ukraine have been indicted in the U.S. for hacking into computers at NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Emerging Markets Payments, Global Payment, Diners Singapore and Ingenicard.

Most of the breaches began with SQL injection attacks on the victims’ databases; once inside, the attackers planted backdoor malware to retain a foothold in the networks, from which they pilfered some 160 million credit card accounts, amounting to hundreds of millions of dollars in financial losses, according to the U.S. Attorney’s Office in New Jersey. Three of the victim companies reported $300 million in losses.

The two instigators of those “operations” were Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia.

Read more…


Battle recon

Praetorian Co. announced the launch of a special resource for system administrators that allows them to “audit” (in essence, to try to crack) the passwords used in the corporate network. The cloud service attempts to crack weak passwords automatically, using several different techniques.


Read more…

It should be noted that Kaspersky Lab has its own product that tests how well a password resists brute force attacks (including those carried out by botnets) – Kaspersky Secure Password Checker.


BlackHat USA 2013

The BlackHat 2013 conference saw many enthralling reports about various incidents that occurred last year, as well as serious vulnerabilities that have been detected in recent months.


Most people’s attention was drawn to the reports on critical vulnerabilities like the master key to Android (described in our publications last week – [1], [2] ), and the cracking of SIM cards (details here).

Other reports covered attacks that crack Apple iOS by means of fake chargers, a method of building malicious botnets via banner networks, and the possibility of attacking Smart TVs, with a possible leak of personal data (if any is stored on the device).

Two SCADA experts simulated a catastrophic attack on an oil well pumping station’s controllers, showing that this type of attack could lead to disaster. No specific software vulnerabilities or bugs were required for the attack: it came down to the lack of security in Modbus/TCP, a networking protocol whose serial origins date back to the 1970s. There is no authentication or security designed into it at all.
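Because Modbus/TCP carries no credentials, the only thing a monitor can check is who is talking to the PLC. The following added example (not code from the conference talk or any vendor) parses the MBAP header and flags write requests from hosts outside a constructed allowlist; the packets, IP addresses and the `SAMPLE_PACKETS`/`HMI_ALLOWLIST` names are all constructed for the example.

```python
import struct
from typing import NamedTuple

# Modbus function codes that change process state (coils/registers)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

class ModbusFrame(NamedTuple):
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header and the PDU that follows it.
    Every field is addressing or length; nothing identifies or authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("length field does not match frame size")
    return ModbusFrame(tid, pid, length, unit, frame[7], frame[8:])

def flag_unauthorised_writes(packets, allowed_writers):
    """packets: iterable of (source_ip, raw_frame) as captured on TCP/502.
    Returns (source_ip, unit_id, function_name) for each write from a host not on the allowlist.
    Since the protocol carries no credentials, the source address is the only thing to check."""
    alerts = []
    for src, frame in packets:
        try:
            f = parse_modbus_tcp(frame)
        except ValueError:
            continue  # malformed or non-Modbus traffic; out of scope here
        if f.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, f.unit_id, WRITE_FUNCTIONS[f.function]))
    return alerts

# Constructed capture: the HMI reads 10 holding registers; an unknown host forces coil 13 ON
SAMPLE_PACKETS = [
    ("10.0.0.5",  b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # FC 3, read
    ("10.0.0.99", b"\x00\x01\x00\x00\x00\x06\x01\x05\x00\x0d\xff\x00"),  # FC 5, write coil
]
HMI_ALLOWLIST = {"10.0.0.5"}  # constructed: the only host that should issue writes

if __name__ == "__main__":
    print(flag_unauthorised_writes(SAMPLE_PACKETS, HMI_ALLOWLIST))
```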

Representatives of Trend Micro discussed an incident involving the well-known hacker group APT1/Comment Crew, which is allegedly linked to the Chinese government. For a long time those hackers tried to hack the system of a single water supply plant in the United States. Among other things, the hackers tried to steal documents and reset the pumps.

It turned out, however, that the pumping station was an intricate honeypot specifically designed for “live baiting” hackers. According to Trend Micro’s Kyle Wilhoit, “it was 100 percent clear they knew what they were doing.” The decoy water plant was not a random target.

Reports on the Black Hat USA 2013


Tor hammered

At the request of U.S. law enforcement, Eric Eoin Marques was arrested in Ireland. Marques is the creator of the hosting company, Freedom House, and the encrypted communication protocol, Tor. In the U.S. he is accused of aiding and abetting the distribution of child pornography. Immediately after the arrest, reports surfaced of malicious JavaScript code on websites that used the services of Tor hosting.

The attack succeeded because of a vulnerability in Mozilla Firefox 17, on which the Tor Browser is based. The vulnerability itself had been fixed in June.

Either way, the future of Tor looks very hazy.

Read more…


Bruteforcing WordPress

Unidentified attackers launched another massive attack on WordPress-powered websites. A large botnet tried to brute-force usernames and passwords. Later it became clear that the attack was also directed against Joomla and DataLife Engine, and that the Fort Disco botnet, consisting of about 25,000 infected computers, was behind it. The attack greatly hampered the functionality of the victimized resources, not to mention the threat, had it succeeded, to the companies whose websites use these engines. If the administrator password is weak enough to yield to brute force, the attackers gain control of the entire resource to do with as they please: steal other people’s personal information, change settings, embed malicious code and so on.
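A botnet of this size can keep each bot’s rate low, so per-IP thresholds alone miss it. The following added example (not code from the article or any of the engines named) scans constructed web server access log lines for POSTs to the WordPress, Joomla and DataLife Engine login endpoints and reports both loud single sources and the many-hosts, few-tries-each pattern; the IP addresses, thresholds and the `SAMPLE_LOG` name are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format as written by Apache or nginx
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Login endpoints for WordPress, Joomla and DataLife Engine respectively
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php", "/admin.php"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def login_posts(lines):
    """Map source IP -> sorted timestamps of POSTs to a login endpoint."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            attempts[rec[0]].append(rec[1])
    return {ip: sorted(ts) for ip, ts in attempts.items()}

def max_in_window(stamps, window_s):
    """Largest number of (sorted) timestamps inside any window_s-second span."""
    best, lo = 0, 0
    for hi in range(len(stamps)):
        while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def detect_bruteforce(lines, per_ip_limit=5, distributed_limit=20, window_s=60):
    """Returns (noisy_ips, distributed): loud single sources, and whether the
    site as a whole sees a distributed low-and-slow login flood."""
    attempts = login_posts(lines)
    noisy = sorted(ip for ip, ts in attempts.items() if max_in_window(ts, window_s) > per_ip_limit)
    all_ts = sorted(t for ts in attempts.values() for t in ts)
    distributed = len(attempts) >= 3 and max_in_window(all_ts, window_s) > distributed_limit
    return noisy, distributed

# Constructed sample: one loud host, six hosts with four tries each, one GET (ignored)
SAMPLE_LOG = (
    [f'203.0.113.7 - - [05/Aug/2013:10:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421'
     for s in range(1, 8)]
    + [f'198.51.100.{h} - - [05/Aug/2013:10:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421'
       for h in range(3, 9) for s in range(10, 14)]
    + ['192.0.2.9 - - [05/Aug/2013:10:15:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3421']
)

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))  # (['203.0.113.7'], True)
```

Per-IP blocking would stop only the first host; the distributed flag is what justifies a site-wide response such as rate limiting or a CAPTCHA on the login endpoint.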

A similar situation was observed in April 2013, when WordPress-powered sites were targeted by an attack.

Read more…


Ten gangs

At DEFCON, a report stated that the members of ten Russian cybercriminal gangs were the main suppliers of malicious mobile software for Android, the victims of which were residents of Russia and Eastern Europe. About 60% of the malware for the world’s most popular mobile operating system is written by this group, and they are behind most cases of SMS fraud.

The full report is here.


One is enough

Another noteworthy DEFCON report describes a vulnerability found in Google Android that could allow unauthorized entry into a corporate network via Google Apps. The problem lies in the Android web login function; just one compromised device is sufficient to access Google Apps.

Google received the notice long ago, so there is hope that the necessary measures will be taken in due course.

The slides of the report are here.