i2 Security Blog

Keeping you up to date on the world of IT Security

Mac Webcams Hijacked via a bug in Flash

It has emerged that a bug in Adobe’s Flash Player can allow the webcams and microphones on Apple Macs to be hijacked by website owners, letting them eavesdrop without permission.

All that’s required is to visit a malicious website and click on a few buttons on that page. Without warning, the visitor’s camera and microphone will be activated and the video and audio intercepted. On Wednesday Adobe said it was planning to fix the vulnerability, which is caused by flaws in the Flash Player Settings Manager. The panel, which is used to designate which sites may access feeds from a user’s camera and mic, is delivered in the SWF format used by Flash. A computer science student at Stanford University, Feross Aboukhadijeh, discovered he could embed the SWF file in an invisible iframe and superimpose misleading graphics on top that tricked visitors into changing the underlying privacy settings.

Settings Manager is actually hosted on Adobe’s servers, so a fix should be possible without releasing an update to users’ machines. A spokesperson for Adobe has said an update should be in place by the end of the week.

The Stanford student said that so far only Macs running Safari or Firefox were vulnerable, but he indicated that further research may make the attack more universal.

Mass attack on websites running ASP.NET

Research has highlighted a mass attack on web servers running ASP.NET; the infection redirects users to sites that exploit old versions of Oracle’s Java, Adobe’s Flash and various browsers. The attack was disclosed by security firm Armorize on Wednesday.

Google searches show around 1.15 million pages carrying the initial injection and around 17,500 pages carrying the follow-on exploit.

The infection injects code into ASP.NET websites and plants an invisible link into visitors’ browsers to sites including jjghui.com and nbnjkl.com, which in turn redirect to a number of other sites hosting obfuscated code. Those sites use a number of attacks that exploit well-known vulnerabilities in Java, Flash and so on. Computers running unpatched versions are then used by the attackers.

Armorize researchers submitted the attack code last week, and at the time only six of the top 43 antivirus vendors detected it; hopefully this figure has drastically increased since then.

Another firm, Sucuri, has released a scanner that can detect whether your site is infected.

If your site is compromised you must remove the infection from your database and audit ALL code to remove SQL injection issues.
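As an added example (not the blog’s or Armorize’s tooling), the following Python scans text values pulled from a database for the kind of injected off-site references described above: tags pointing at the campaign domains named in the article, remote script/iframe loads, and links hidden with display:none or zero sizes. The sample rows, the paths and the IP address are constructed, and the own-host allow list is an assumption you would set to your own site’s hostnames.

```python
"""Scan stored content for injected off-site references (constructed example)."""
import re
from urllib.parse import urlparse

# Redirect-target domains named in the article; extend with your own intel.
KNOWN_BAD = {"jjghui.com", "nbnjkl.com"}

# Tags that can load or point to remote content, matched case-insensitively.
TAG_RE = re.compile(r"<(script|iframe|a|img|object)\b([^>]*)>", re.I)
URL_RE = re.compile(r"""(?:src|href|data)\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b", re.I)


def findings(row_id, text, own_hosts):
    """Return (row_id, host, reason) for each suspicious tag in one value."""
    out = []
    for m in TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        u = URL_RE.search(attrs)
        if not u:
            continue
        host = (urlparse(u.group(1)).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # relative link or one of our own hosts
        if host in KNOWN_BAD or any(host.endswith("." + b) for b in KNOWN_BAD):
            out.append((row_id, host, f"known campaign domain in <{tag}>"))
        elif tag in ("script", "iframe") or HIDDEN_RE.search(attrs):
            why = "hidden element" if HIDDEN_RE.search(attrs) else "remote code"
            out.append((row_id, host, f"off-site <{tag}>: {why}"))
    return out


def scan_rows(rows, own_hosts=frozenset()):
    """rows: iterable of (id, text) as read from the CMS tables."""
    res = []
    for rid, text in rows:
        res.extend(findings(rid, text, own_hosts))
    return res


# Constructed sample rows of the kind a mass SQL-injection campaign writes.
SAMPLE_ROWS = [
    (1, "Welcome to our shop"),
    (2, 'Great deal<a href="http://jjghui.com/x" style="display:none">.</a>'),
    (3, '<script src="http://nbnjkl.com/ad.js"></script>'),
    (4, '<a href="https://www.example.com/help">Help</a>'),
    (5, '<iframe src="http://203.0.113.7/l.php" width="0" height="0"></iframe>'),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS, {"www.example.com"}):
        print(hit)
```

Run it over every text column of the site database; a hit on a known campaign domain is a clean-up item, while generic off-site script or hidden-element hits need a human look.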

Facebook accused of violating US wiretap laws

A lady from Mississippi in the USA has accused Facebook of violating US federal wiretap laws by tracking her internet browsing history.  She states this happened even when she wasn’t logged into the social networking site.

In the lawsuit filed on Wednesday, Brooke Rutledge of Lafayette County, Mississippi also claims breach of contract, trespassing, invasion of privacy and unjust enrichment. Class action status has been sought so that other users can join the lawsuit. This comes a few weeks after an Australian blogger published evidence that Facebook could track users’ browsing habits even when they were not logged into the site.


Celebrity Email Hacker Arrested by FBI

A 35-year-old man named as Christopher Chaney was arrested in Jacksonville, Florida, according to a recent FBI statement. Chaney has been linked to recent attacks on celebrity email accounts which have led to the exposure of naked photos of a number of high-profile celebs.

If found guilty of all 26 indictments, which include accessing computer systems without authorisation, identity theft and wire tapping, Chaney could face a maximum of 121 years in a federal prison.

It is thought Chaney scoured the internet for information about his targets and then used that to hack into their email accounts.

“Operation Hackerazzi”, as the FBI investigation into the hacking incidents was known, had come under huge pressure to catch the culprit behind tabloid headlines around the world.

Victims of the email hacks have included Scarlett Johansson and Lady Gaga, to name just two. More than 50 victims were identified by Operation Hackerazzi, and nude pictures and naughty text messages have been plastered across the internet.

German Police using Droid Trojan to spy on citizens

A backdoor Trojan that is capable of monitoring online activity and recording Skype calls has been detected – and is allegedly being used by the German police force.

The courts in Germany have permitted the use of Bundestrojaner to record Skype calls if the police have the legal permission for wiretap.

The Chaos Computer Club (CCC) have been researching this and have stated that, “The malware can not only siphon away intimate data, but also offers a remote control or backdoor functionality for uploading and executing arbitrary programs.”

CCC also stated in their research, “The Trojan can, for example, receive uploads of arbitrary programs from the internet and execute them remotely. This means an upgrade path from Quellen-TKÜ to the full Bundestrojaner’s functionality is built in right from the start.”

CCC finished by saying that control of the PC is not only open to the agency or police force who put the trojan there, but due to poor design may allow others to take control of the machine too.

A spokesperson from CCC said, “We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities. The security level this Trojan leaves the infected systems in is comparable with it setting all passwords to ‘1234’.”

CCC said, “The clandestine infiltration of IT systems by government agencies must stop. At the same time we would like to call on all hackers and people interested in technology to further analyse the malware, so that at least some benefit can be reaped from this embarrassing eavesdropping attempt.

“Also, we will gladly continue to receive copies of other versions of government malware off your hands.”

F-Secure’s chief research officer said: “We do not know who created this backdoor and what it was used for. We have no reason to suspect CCC’s findings, but we can’t confirm that this Trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.”

Security company Sophos have also stated that their research shows the trojan can be used to eavesdrop on a number of common applications such as Skype, Yahoo Messenger and MSN Messenger. It can also log keystrokes in a number of common browsers such as IE and Firefox, and can take screenshots of the user’s screen.

F-Secure are detecting this backdoor as Backdoor:W32/R2D2.A. The name R2D2 comes from a string inside the Trojan, ‘C3PO-r2d2-POE’.

German officials have now admitted to using the above-mentioned Trojan to spy on citizens. Officials from Bavaria and other states have admitted to using the trojan, which may be in breach of German wiretapping law.

Bavarian Interior Minister Joachim Herrmann believes the police acted within the law’s parameters but will investigate the matter of R2D2’s use.

German law permits the use of spy software by government officials in order to combat terrorists and criminals. Wiretapping is legal, but courts need to approve its use in all cases.

BT and Nigel Mansell Twitter Accounts Hacked

BT Business and Nigel Mansell both fell victim to a Twitter account hijack on Friday, which then went on to punt a popular diet pill scam.

@btbusiness and @Mansell5 were both directed to a weight loss site on Friday, where there was an article discussing the supposed benefits of Acai Berry.

@btbusiness soon noticed and regained control of their account; however, @Mansell5 was only changed over the weekend, with Nigel tweeting on Sunday evening, “I’m thinking it’s time to choose a new password!”
The image above shows the @btbusiness offering 🙂

The Acai Berry spam attack has been seen numerous times before: last December, when Gawker was hacked, a number of Twitter accounts were hijacked because users were using the same password on both their Gawker and Twitter accounts.

It appears no harm was done this time, but both BT Business and Nigel Mansell could have faced a lot more embarrassment had the hijacked accounts been punting something other than diet pill scams.

Facebook adds Websense Phishing Filters

Facebook has announced it is stepping up its efforts to help users protect themselves from malicious or phishing links posted on the site. Phishing links often lead to username and password theft.

As of next week, users will be warned if they are about to be taken to a malicious website when following a link, made possible by a partnership with security firm Websense. The current setup already alerts users when they are about to visit another website, but makes no distinction between a friendly and a malicious one.

The new technology will show a warning screen whenever the system thinks there is a risk; from this screen users can return to the Facebook page or continue on to the linked website at their own risk.

The protection will be powered by Websense’s “Threatseeker Cloud”, a system which stores a database of known malicious URLs.

Doppelganger Domain Attack

Domain typo-squatting is commonly used to spread malware to users who accidentally misspell a legitimate domain in their web browser. A new type of domain typo-squatting takes advantage of an omission instead of a misspelling.

A Doppelganger Domain is a domain spelled identically to a legitimate fully qualified domain name (FQDN) but missing the dot between the host/subdomain and the domain, registered for malicious purposes. Doppelganger Domains have a potent impact via email, as attackers could gather information such as trade secrets, usernames and passwords, and other employee information.

Each company in the Fortune 500 was profiled for susceptibility to Doppelganger Domains, and 151 companies (30%) were found to be susceptible. In large corporations email usage is extremely high, so the likelihood of some email being mis-sent is high, which could result in data leakage.

Security researchers Peter Kim and Garrett Gee, who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies, say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets such as contracts for business transactions.
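As an added example (not from the blog or the researchers), the following Python builds the list of doppelganger domains an organisation should register or monitor for its own mail-bearing FQDNs, and flags outbound recipients whose domain falls under one of them so the mail can be held for review. The domain names are constructed; the suffix_labels parameter is an assumption that generalises the article’s host/subdomain case to multi-label public suffixes such as co.uk.

```python
"""Doppelganger-domain watchlist and outbound recipient check (constructed example)."""

# Constructed list of an organisation's legitimate mail-bearing FQDNs.
LEGIT_FQDNS = ["example.com", "us.example.com", "mail.eu.example.com"]


def doppelganger(fqdn, suffix_labels=1):
    """Return the registrable doppelganger of `fqdn`, or None for a bare domain.

    'us.example.com'       -> 'usexample.com'
    'mail.eu.example.com'  -> 'euexample.com'   (label before the domain glued on)
    'mail.example.co.uk'   -> 'mailexample.co.uk' with suffix_labels=2
    Assumption: the registrable domain is the last (suffix_labels + 1) labels.
    """
    labels = fqdn.lower().strip(".").split(".")
    n = suffix_labels + 1            # labels making up the registrable domain
    if len(labels) < n + 1:
        return None                  # nothing in front of the domain to glue
    glued = labels[-n - 1] + labels[-n]
    return ".".join([glued] + labels[-n + 1:])


def build_watchlist(fqdns, suffix_labels=1):
    """Map each doppelganger to the legitimate FQDN it imitates."""
    watch = {}
    for f in fqdns:
        d = doppelganger(f, suffix_labels)
        if d:
            watch[d] = f.lower()
    return watch


def check_recipients(recipients, watchlist):
    """Return (address, imitated_fqdn) for recipients on a doppelganger domain.

    Any subdomain of a doppelganger is caught too, since whoever registered
    the doppelganger controls all names beneath it.
    """
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower().strip(".")
        for bad, legit in watchlist.items():
            if domain == bad or domain.endswith("." + bad):
                hits.append((addr, legit))
                break
    return hits


if __name__ == "__main__":
    wl = build_watchlist(LEGIT_FQDNS)
    print("register or monitor:", sorted(wl))
    print(check_recipients(["alice@usexample.com", "bob@us.example.com"], wl))
```

The same watchlist can be fed to a mail gateway rule or a DNS registration monitor; the recipient check is the piece to run on outbound mail.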

Bots to solicit stolen data

Hackers have proved they can break into just about any computer network, as shown by the recent hacks of Sony and the like. However, once data is compromised there is another challenge to face: unloading the virtual booty.

Stolen credit card numbers, online banking credentials, e-mail logins and Social Security numbers are often released onto a sprawling network of underground chat rooms and invitation-only forums, where such data is bought and sold. Law enforcement investigators from around the world lurk there as well, trying to catch the crooks, but with hacking incidents on the rise the problem is far too big to police by traditional means.

Enter the modern-day informant. A Texas-based security firm, CSIdentity, has created artificial-intelligence software capable of posing as a hacker and engaging the crooks in the underground forums. The goal is to solicit stolen data (a hacker hoping to fence 1,000 credit card numbers will offer dozens for free to prove they’re real) and send it back to human investigators.

SSL Encryption Broken

Researchers have discovered a weakness in the SSL (Secure Sockets Layer) protocol. SSL is used by nearly all websites that need to protect data being sent between the web server and the end user’s browser.

The vulnerability was discovered in versions 1.0 and earlier of TLS (Transport Layer Security). Although versions 1.1 and 1.2 of TLS aren’t vulnerable, not many websites or browsers support them, leaving encrypted transactions on the likes of PayPal, banking sites and just about every other website open to eavesdropping by attackers who are able to control the connection between the end user and the website being visited.

Researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code later this week at the Ekoparty Conference in Buenos Aires. The software is called BEAST (Browser Exploit Against SSL/TLS). The code, apparently JavaScript, works with a network sniffer to decrypt encrypted cookies that a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this research was first published, Google released a developer version of its Chrome browser designed to thwart the attack.

Good to see Google are on the case to fix this before it becomes an everyday issue. Let’s hope the rest of the browser developer community can be as quick to act.