Monthly Archives: November 2012

Hackers break into two FreeBSD Project servers using stolen SSH keys

Users who installed third-party software packages distributed by FreeBSD.org are advised to reinstall their machines

By Lucian Constantin

Hackers have compromised two servers used by the FreeBSD Project to build third-party software packages. Anyone who has installed such packages since Sept. 19 should completely reinstall their machines, the project’s security team warned.

Intrusions on two machines within the FreeBSD.org cluster were detected on Nov. 11, the FreeBSD security team said Saturday. “The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution,” said a message on the project’s public announcements mailing list.

The two compromised servers acted as nodes for the project’s legacy third-party package-building infrastructure, the FreeBSD Project said in an advisory posted on its website.

The incident only affected the collection of third-party software packages distributed by the project and not the operating system’s “base” components, such as the kernel, system libraries, compiler or core command-line tools.

The FreeBSD security team believes the intruders gained access to the servers using a legitimate SSH authentication key stolen from a developer, and not by exploiting a vulnerability in the operating system.

Even though the team did not find any evidence of the third-party software packages being modified by the hackers, they cannot exclude this possibility.

“We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors,” the team said. “Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources.”

The package sets currently available for all versions of FreeBSD have been validated and none of them have been altered in any way, the team said.

As a result of the incident, the FreeBSD Project plans to speed its process of deprecating legacy distribution services, like those based on CVSup, in favor of the more robust Subversion system. The advisory includes several recommendations about the tools users and developers should use for updates, source code copying and signed binary distribution.

This is not the first time an open-source software project had to deal with an intrusion because of compromised SSH authentication keys. In August 2009, the Apache Project was forced to shut down its primary Web and mirror servers after discovering that hackers used an SSH key associated with an automated backup account to upload and execute malicious code on some of the servers.

“This is a hearty reminder that a chain is only as strong as its weakest link,” said Paul Ducklin, the head of technology for Asia Pacific at antivirus vendor Sophos, in a blog post Sunday. “In particular, never forget that the security of your internal systems may very well be no better than the security of any and all external systems from which you accept remote access — whether those are servers, laptops or even mobile devices.”

Retrieved from InfoWorld

Anonymous promises more Israeli data leaks

Following its assault on Gaza, Israel has become the target of millions of DDoS attempts, with claims that several hundred websites have been brought down.

Anonymous last week threatened to carry out the attacks if Israel’s bombardment continued, saying: “Cease and desist from your terror upon the innocent people of Palestine or you will know the full and unbridled wrath of Anonymous. And like all the other evil governments that have faced our rage, you will NOT survive it unscathed.”

Over the weekend, Israeli finance minister Yuval Steinitz said that Israel had fought off 44 million cyber attacks on government websites, launched from all over the world. However, he claimed the government had foiled the attempts of the hackers in all but one case, saying that its sites were all mirrored and could be replaced within minutes.

Anonymous, though, says it’s been much more successful than that. It claims to have taken down nearly 700 public and private websites, including those of the foreign ministry and the Bank of Jerusalem, and to have captured the details of more than 5,000 Israeli officials.

It’s now promising the release of another document twice as large.

It’s also posted a statement denying that its activities amount to terrorism, and pointing out that the group has always been opposed to physical violence.

“Pro-Israeli groups throughout the world have grown from a foundation of Israeli/US propaganda and lies. They arbitrarily dismiss the apartheid system of racial segregation and oppression imposed by the Israeli government on the Palestinian people,” it says.

“The fact of the matter is, in the eyes of the media, only the United States and its allies are capable of labeling another state or organization as terrorists.”

Retrieved from TGDAILY

Anonymous hacker group attacks Israeli websites

Hacking group Anonymous has launched a series of cyber attacks against websites in Israel.

Data bombardments briefly knocked some sites offline and led to others being defaced with pro-Palestinian messages.

The OpIsrael campaign was launched by the hacking collective in retaliation for attacks on Gaza.

The cyber attacks come as the Israeli army updates its web campaign, adding “achievements” and “badges” for regular visitors.

Propaganda war

Anonymous said it had launched the OpIsrael campaign following threats by the Israeli government to cut all Gaza’s telecommunication links. This, said the group in a statement posted to the AnonRelations website, “crossed a line in the sand”.

“We are ANONYMOUS and NO ONE shuts down the Internet on our watch,” it said.

The group warned the Israeli government not to cut off telecom and web links and urged it to end military operations in Gaza. If the attacks did not end, Israel would feel the group’s “full and unbridled wrath”.

Hours after the statement was launched, Anonymous posted a list of 87 sites it claimed had been defaced or attacked as part of OpIsrael. Many of the sites had their homepages replaced with messages in support of Hamas and the Palestinians.

Anonymous also produced a package of information for people in Gaza detailing alternative ways for them to communicate if net and other telecommunication links were cut.

At the same time as the Anonymous attacks were being carried out, the Israeli Defence Force re-started tools on its blog that reward people for repeat visits and interacting with the site.

Called IDF Ranks, the tools add a “game” element to the blog and reward repeat visitors with points. When visitors have amassed enough points they get a virtual military rank.

A visitor who goes to the site 10 times gets a “consistent” badge and someone who does lots of searches gets rewarded with the “research officer” rank.

The army said the rank system was turned off briefly as its social media sites had received very heavy traffic. On Wednesday, it began a live feed about its military operation against Hamas in the Gaza Strip.

Similarly, Hamas has been giving running commentaries on its mortar and rocket attacks on Israeli targets via Twitter.

Retrieved from BBC

Taliban official’s email blunder leaks 400+ contacts

Anyone in the bulk email business should know never to mix up cc: (“carbon copy”) and bcc: (“blind carbon copy”) – especially if the materials you’re sending out are Taliban press releases.

That was exactly the rookie mistake made by Taliban spokesman Qari Yousuf Ahmedi last week, ABC News reports, which resulted in Ahmedi inadvertently disclosing his full mailing list of more than 400 email addresses.

Ahmedi is one of two official spokesmen for the Islamic fundamentalist movement, the other being Zabiullah Mujahid. Ahmedi was reportedly forwarding a press release he received from Mujahid when he mistakenly put the recipients’ addresses in the “cc” field, causing contacts he meant to keep private to be viewable to everyone on the list.
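A small pre-send check for exactly the cc/bcc mix-up this item describes (added example code, not from the article or ABC News). The sender address, recipient list and threshold are constructed placeholders; it relies only on the Python standard library, where smtplib’s send_message() strips the Bcc header and uses those addresses only as envelope recipients.

```python
# Added example: lint a bulk message so a mailing list never ends up in To/Cc.
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list; stands in for a real press mailing list.
RECIPIENTS = [f"reporter{i}@example.org" for i in range(1, 6)]
MASS_MAIL_THRESHOLD = 3  # assumption: more visible addresses than this is a leak


def build_press_release(sender, recipients, body, hidden=True):
    """Compose a bulk message. hidden=True puts recipients in Bcc (correct);
    hidden=False reproduces the mistake, listing everyone in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # list mail is conventionally addressed to the sender
    msg["Subject"] = "Press release"
    msg["Bcc" if hidden else "Cc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def exposed_recipients(msg):
    """Addresses every recipient would see in the delivered headers.
    Bcc is excluded: smtplib.SMTP.send_message() removes the Bcc header
    before transmission and passes those addresses only in RCPT TO."""
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(visible)]


def check_before_send(msg):
    """Return (ok, exposed): ok is False when more than MASS_MAIL_THRESHOLD
    addresses would be disclosed to the whole list."""
    exposed = exposed_recipients(msg)
    return len(exposed) <= MASS_MAIL_THRESHOLD, exposed


if __name__ == "__main__":
    leaky = build_press_release("spokesman@example.org", RECIPIENTS, "text", hidden=False)
    safe = build_press_release("spokesman@example.org", RECIPIENTS, "text", hidden=True)
    print(check_before_send(leaky))  # (False, [sender plus all five reporters])
    print(check_before_send(safe))   # (True, ['spokesman@example.org'])
```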

According to the ABC News report, most of those addresses belonged to journalists. That’s bad news (no pun intended), because in war-torn Afghanistan, targeted attacks on journalists are commonplace.

According to Nai, an Afghan media watchdog group, there have been 121 acts of violence against journalists in the last three years alone, an average of more than three per month.

One reporter outed by Ahmedi’s error was Mustafa Kazemi, a prolific blogger whose Twitter feed has more than 9,500 followers. On November 10, Kazemi turned to the micro-blogging service to announce the leak:

In later posts, Kazemi explained that the leaked email addresses were not limited to the media, but also included addresses from the US and Afghan governments, in addition to “a large number” of Taliban personnel.

ABC expounded further, noting that academics and activists were also included in the list, as were members of other, non-Taliban militant groups.

It may surprise some to learn that, for a fundamentalist religious group that imposes a strict, archaic interpretation of Islamic law, the Taliban is fairly modern where communications are concerned. The group regularly uses its email list and various blogs to issue press releases, generally to claim responsibility for attacks.

Earlier this year, Qari Yousuf Ahmedi told the Arabic newspaper Asharq Alawsat, “Visiting websites is not more difficult than joining jihad and the battlefield. More important than visiting websites is winning over the minds and hearts of the masses who visit websites.”

Ahmedi also has his own Twitter feed, though as of this writing he has not posted anything about his email gaffe; in fact, it has been silent since November 6. Your intrepid Reg reporter couldn’t find a Facebook page for him, either, though he has claimed to have one. Maybe that’s one thing he knows how to keep private?

Retrieved from The Register

Antivirus startup linked to infamous Chinese hacker

Anvisoft, a Chinese antivirus startup, has been linked to an infamous hacker suspected of developing sophisticated malware used to siphon sensitive information from Defense Department contractors in 2006.

Through some high-tech sleuthing on the Web, Brian Krebs, author of the KrebsonSecurity blog, found that IP addresses connected to Anvisoft were registered to “tandailin” in Gaoxingu, China.

Tan Dailin, a.k.a. Withered Rose, was the subject of Verisign’s 2007 iDefense report, which described Dailin as the 20-year-old leader of a state-sponsored hacking team called NCPH, which stood for Network Crack Program Hacker.

In 2006, the group was linked to multiple zero-day attacks against Microsoft Office vulnerabilities. Some of the attacks were aimed at defense contractors, Krebs reported.

Anvisoft did not respond to a request for comment, and has been coy in answering questions on its user forum. Krebs acknowledged that Dailin might not be connected to the company.

“This may all be a strange coincidence or hoax,” Krebs said on Wednesday. “Anvisoft may in fact be a legitimate company, with a legitimate product; and for all I know, it is. But until it starts to answer some basic questions about who’s running the company, this firm is going to have a tough time gaining any kind of credibility or market share.”

The report was a warning to small businesses and consumers to only use “well-known and trusted branded products in such a sensitive area as malware protection,” said IDC analyst Al Hilwa.


“It is [also] why consumer technologies are moving to the curated platform app store model that we see today with mobile devices, where the responsibility of screening applications and utilities is handled by well-known and trusted branded companies,” Hilwa said.

While not condoning Dailin’s past, Himanshu Dwivedi, founder of security consulting firm iSEC Partners, said sophisticated hackers are better equipped to build antivirus products than the average software developer without a background in security.

“When you take a pure security person to write a product, for me personally, and this is my bias, I actually have more confidence that that product is secure, because it’s written by someone who knows all the ways to bypass software,” Dwivedi said.

Nevertheless, to buy a security product from someone like Dailin would expose the buyer to unnecessary risk, said Gartner analyst Peter Firstbrook. “I would rather trust my PC security to a good white hat hacker than a reformed black hat hacker.”

China is known as a hotbed for cyberespionage. The U.S. Defense Department recently reported that Chinese hackers aiming malware at U.S. industries and government agencies were a threat to the national economy.

Retrieved from Networkworld

Windows 8 ‘penetrated’ says firm which sells to world’s spy agencies

French security research firm Vupen claims to have already developed a reliable Windows 8 exploit, just days after the launch of the latest edition of Microsoft’s flagship operating system.

The sometimes controversial firm, which sells the exploits it develops to Western government agencies and deliberately avoids sharing vulnerability details with vendors, said that the exploit it has cooked up allows it to take over Windows 8 machines running Internet Explorer 10.

“We welcome #Windows 8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations,” Vupen’s chief exec Chaouki Bekrar boasted in a Twitter update.

Windows 8 offers improved exploit mitigation technologies, including DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), while IE10 bundles improved sandboxing. Getting over these extra hurdles is no mean feat and doesn’t necessarily mean that exploits and malware from mainstream hackers will flood cyberspace anytime soon.

Vupen doesn’t go into details about the security bugs it has identified, logically enough, since the value of the exploits it markets depends on their effectiveness and longevity. Spilling the details on a vulnerability makes it more likely that vendors will come up with patches sooner rather than later, something that works against the “government-grade exploit” side of Vupen’s business.

The French security firm had previously promised to come up with Windows 8 exploits at the same time as the launch of the operating system. In a carefully worded answer to Forbes that failed to rule out the use of the exploit as an offensive tool, Bekrar said details of the Windows 8 attack would be supplied to its customers.

“The in-depth technical details of the flaws will be shared with our customers and they can use them to protect their critical infrastructures against potential attacks or for national security purposes,” Bekrar said.

Retrieved from The Register