BlackNet Logo

News

::News ::

• Solaris Telnet 0day: No exploit needed

  
  What appears to be an old security issue, has come to bite Sun's flagship Solaris OS in the "root", so to speak. A bug in Solaris SunOS 5.10/5.11 "in.telnet" configuration allows attackers to log into the service WITH NO PASSWORD. This is basically the same "AIX/linux rlogin -froot" bug that affected BSD tools distributed with many *nix systems as long as 10 years ago! Solaris 9 and below appear to not be vulnerable.
  Announced on the Full Disclosure mailing list, security researcher "Kingcope" released a paper that brought the flaw to light.
  

   According to CERT, "By supplying a specially crafted USER Environment variable over telnet, a remote attacker may be able to bypass authentication to gain access to the system with elevated privileges. Public exploit code is available". They correctly note that the attacker must know the name of a valid user on the system, but falsely state that it cannot be used to gain root access.

   However, when "in.telnetd" is configured to allow non-console superuser login, this flaw can give root access.

  To test if you are vulnerable, simply try to telnet to your Solaris box with this command:

  "telnet -l -f<user> <hostname>"

    

   Security experts are suggesting a few different mitigation techniques to protect systems from this flaw, as there is no patch currently available from Sun.

    

  - firewall access tp port 23

   - disable the "telnetd" service

  - disable "in.telnetd" in the "/etc/inetd.conf" file

  - change "/etc/default/login add CONSOLE=/dev/console" to limit where root can login from.

   Sun has responded to this discovery, you may read their response  here.  

   The disclosure of this vulnerability to the public without vendor notification, or a patch, keeps the fires burning on the question of the "Full Disclosure" style of alerting the world to security flaws.

• Capture The Flag competition at HITB2007

  
  

  Hack In The Box announced a Capture the Flag ('CTF') hacking competition with cash prizes that will take place in Sheraton Creek Hotel, Dubai from 4th - 5th April 2007 . This is the second CTF to be held in the Middle East after HITBSecConf2005, which was run in Bahrain.

    This CTF game is an attack only version of the popular competition held once a year in Kuala Lumpur: several teams of three players will challenge each others in launching penetrative attacks against pre-configured servers and target machines.

  According to the official website  , “Each machine is configured with various services (some of which may be vulnerable while others might not be). Participants are required to retrieve pre-configured files or ‘flags’ from the target machine in order to score points. Attendees are not bared from attacking each other however any participant found using denial of service attacks will be removed from the game immediately.”

   

  These servers reproduce a digital environment  which is as close as possible to the real one but each application contains both known vulnerabilities and specifically designed breaches.

    

  Players are allowed to use any kind of technique to hit the target and get as many flags as possible, but hard limitations are imposed to the participants in order to prevent them from subverting  each others: no flooding of network, no DOS attacks are admitted and , as highlighted in the official website :

   “ NO harassment of other opponents (verbal abuse, etc),  NO physical attack, NO attacking of Score Servers”  will be tolerated.  

  The team that during the two day-race  will collect the highest number of flags, will be the winner and get the prize amounting to $3000., whereas $2000 will go to the second place and $1000 to the third place.

    

  The main objective of the CTF competition is to create an occasion for experts in hacking techniques to show their abilities and the legal application of such skills. Moreover, as declared by  Meling Mudin, lead organiser of the CTF competition and a core member of the HITB team :” it allows information security practitioners the opportunity to showcase their security research capabilities and skills to the rest of the world."

   

  'This is evident by the number of serious independent security consultants, security research and development companies, and security consulting companies which routinely send their best guys to participate in the Malaysian competition', he added.

   

  The race will take place during  HITBSecConf2007, that will start in April, 2nd.  

• Canadian Nuclear Safety Commission's website attacked

  
  The Canadian Nuclear Safety Commission's website was hacked last week by an unknown attacker who replaced the official  "Media Releases" section with a section named  "security breaches" and there he (or she)  posted a photograph of a nuclear explosion.

  The picture was labeled as "for Immediate Release" and it was associated to the caption:
   "Please dont [sic] put me in jail … oops, I divided by zero."

   The attack provoked astonishment and concern across Canada, because the Canadian Nuclear Safety Commission IT System holds details and sensitive information  about  nuclear activities in Canada and about how to track the movement of high-risk radioactive sealed sources. 

  According to Aurèle Gervais, the spokesman of the Commission, the attack will not bring about dangers for National Security since there’s no way anyone could get the access to “potentially dangerous information” without a secure government login. Moreover Mr. Gervais confirmed the attack was carried out on a part of the website run by an external provider with no link to the internal site.

   

  In spite of the fact that an information leak is very unlikely to happen, the Commission is going to undertake deep investigations and it has already asked the Royal Canadian Mounted Police , the national police service, to investigate.

   

  This is the first time such an attack has been held against the Canadian Nuclear Safety Commission, but considering the variety of vulnerabilities discovered every day ,it will be hardly the last one. 

• MSN Virus discovered in Taiwan

  
  MSN-addicted pay attention! The Taipei Times  reported that thousands of people across  Taiwan have been affected by a virus transmitted through MSN that allows attackers to take control of  users’ PCs. 

  Lots of them have received a link from friends regularly registered in their list of contacts. Once they clicked over it, they discovered a backdoor virus has been installed on their computers.

  Many users declared that as first their list of contacts disappeared and it became impossible to close MSN Messenger. Some of them said that  data was wiped off their computers, while others admitted that nothing untoward after clicking on the Messenger link.

   

  There are is no clear information about the nature of the virus or about how widespread was, indeed on the one hand  MSN representatives claimed that they detected a backdoor virus named BKDR_RINBOT.A, and on the other  experts from the Chinese division of Symantec  said that it could be identified as the Backdoor.irc.Bot virus.

    

  According to Symatec, the virus uses the contact list to send the link so that the recipient will be taken off guard.

   

  The purpose of this kind of attack is both to obtain more contacts to continue to spread the virus, and to gain full control of the infected computer. Moreover, it was verified that infected computers would execute the virus every time the computer was rebooted and tried to connect to an IRC chat room server so that computers connecting to that server would become infected by the virus. 

• Privacy for (US) soldiers

  
  US Army declared war against military data leaks but its security program hasn’t  met with enthusiasms by  privacy groups that harshly criticized the initiative to monitor and eventually censor websites and soldiers' blogs .

   

  According to the Register  , the Electronic Frontier Foundation (EFF) sued the US  Department of Defense after the Department of Defense and Army failed to respond to Freedom of Information Act (FOIA) requests about the blog monitoring programme.

   All federal agencies, including the Department of Defense and the Army are required to keep to the Freedom of Information Act (FOIA) that burdens institutions to disclose records requested in writing by any person. The EFF focuses on the fact that an Army unit called the Army Web Risk Assessment Cell (AWRAC) has the charge to notify webmasters and bloggers when it finds "sensitive information".

   

  Anyway bloggers sometimes complaint that they are often  coerced to censor also those passages that have nothing to do with military information but actually deal with their personal feelings about war.

  "Soldiers should be free to blog their thoughts at this critical point in the national debate on the war in Iraq," EFF staff attorney Marcia Hofmann said. "Of course, a military effort requires some level of secrecy. But the public has a right to know if the Army is silencing soldiers' opinions as well. That's why the Department of Defense must release information on how this program works without delay."

  On the other hand, an Army statement highlights that : "AWRAC notifies webmasters and blog writers when they find documents, pictures, and other items that may compromise security. AWRAC reviews for information on public websites which may provide an adversary with sensitive information that could put soldiers or family members in danger. AWRAC assesses the risk the information poses to the military and determines if the next step is to request the information be removed."

  In spite of the fact that the AWRAC has no legal authority to impose changes to postings or to take down a certain website, no member of the US Army would dare make a stand. Indeed, the Unit has much influence since just the fact that a soldier's superiors get informed about similar facts, could represent a concern for the soldier himself. 

  This initiative to support soldiers' right of expression  is a part of the EFF’s  FLAG Project , which uses FOIA requests and litigation to cast a light on government'sAbuses about privacy.  

• Data theft at Morgan Stanley

  
  Last week a former Morgan Stanley  consultant was found guilty in a case of data stealing: Ira Chilowitz, 44 has been accused of stealing names of the brokerage firm's hedge fund clients and confidential information about the fees they were charged, Reuters reported .

    The defendant declared that his decision to get proprietary documents  from his company’s database was due to the fact that he and another individual were planning to set up their own consulting firm and they thought that such classified information could help them get business.

  No comment  was released by Morgan Stanley's spokesmen on this proposal.

    

  According to official documents by the Attorney, the data on the company's hedge fund clientele "would be highly valuable to competitors of Morgan."

   

   This is the main reason standing behind the accusations of conspiracy, theft of trade secrets, unauthorized computer access and transportation of stolen property, moved to Mr. Chilowitz . 

  Mr Chilowitz was arrested in july and now he risks 26 years in prison and an $850,000 fine.

• To catch a criminal.. via web

  
  Criminal hunting methods are changing more and more according to the development of new technologies and  instruments but recently, a strange trend is revolutionizing criminal investigation techniques.. 

   The trend consists in making pleas about cases of  murders, kidnappings, burglaries and other crimes on social networks such ad MySpace in order to hit the attention of the widest range of people and possibly collect information to help investigations. In other words, these pleas work as high-tech equivalents of "wanted" posters.

   

   Similar initiatives are  taken  by crime victims and police equally , showing a further  perspective about the level of influence that the Internet has in everyday life.  

  For instance, relatives of a Chicago doctor who was murdered last October,  posted on MySpace.com a surveillance video showing a blood-spattered young man rushing from the building.

  The son of the victim explain this choice as an attempt to gain attention on the case:  "Young people between 18 and 25 are probably not watching the nightly news or reading the newspaper every day. That audience is probably on the Internet, and they all have MySpace."

    

  After they posted on MySpace an announcement offering a $25,000 reward, the website received more than 40,000 hits in six weeks, whereas Chicago Police admitted they hadn’t received any call but just a few e-mails.

   Social networks has been monitored for long by police agencies that were in search for sexual predators of terrorist organizations, and now they are actively using them as a crime-fighting tool:as reported by the US magazine  USA Today, a detective said that he gets "probably one, two MySpace cases a week." 

  …CSI, beware!

• Cyber-terror’s way to fund raising

  
  Is money made by data thieves a source for terrorism? 

  The link between cyber crime and terrorism is quite foggy and it is not easy to determine which activities are backed by terrorist organizations and which ones are carried out by “normal”  attackers. Anyway, as declared by Miss Avivah Litan, Gartner's resident expert  on identity theft, recent events have cleared up the situation a bit more. 

  "This is something people have been talking about since 9-11,"she says. "But it's really a new phenomenon."

  The first effective proof of cracking activities aimed to  Middle East extremist group's fund-raising was discovered in late 2006 thanks to the arrest of approximately 50 people in Egypt and Lebanon. The arrests led to the discovery of millions of dollars filched by using stolen debit and credit account numbers.

  Miss Litan’s declaration was released after last week’s  attack to the company of chain retailers T.J. Maxx and Marshalls that provoked a huge data breach.

  There’s no confirmation about the involvement of terrorism in such attack but security experts do not hide their concern about this possibility.

  Specifically, Miss Litan's assertions focus on the debate about what is really happening on the digital ground: nothing new... but very little known!

• Hacking for gossip

  
  

  People go hacking (and cracking) for the strangest reasons but.. wow! Now there’s  also someone who hacks for gossip!

   

   This could have been the beginning of an unconventional story about stolen secrets for frivolous reasons but even if the underground world is such a small world, there are no crunchy implications in this story and  in spite of appearances, this digital intrusion, was committed for money.  

  According to the Associated Press, a British tabloid journalist who hacked into royal officials' voicemail was sentenced Friday to four months in prison.

  Clive Goodman, 49, the royal editor of the News of the World, was probably  looking for a  career-saving scoop, so he hired a  private investigator, Mr.Glenn Mulcaire, to hack into royal officials' voicemail systems  and intercept  messages from the members of the British royal family.

   

   Mr. Goodman’s lawyer claimed that “Mr. Goodman's stories were no longer considered adequate by his superiors.”

  “He was demoted, sidelined and a younger reporter was assigned to cover the royal family. Under that pressure, he feared for his job, “he said.

   

  
  Unfortunately for Mr. Goodman the judge didn’t consider “working pressure” as a reasonable excuse to get uncontrolled access into Royal family’s life and he and Mr.  Mulcaire where condemned to four and six months in prison.

  Soon after the sentences Andy Coulson, the editor of the News of the World, resigned.

   

  As admitted by Mr. mulcaire,  managed in getting mobile phone network operators ‘s confidential pin numbers to access messages left on the Royal cell phones . So, between November 2005 and June 2006, he and Goodman and made  609 separate calls to the voicemail systems of three senior members of the royal household.

   Their lack of experience was the cause of a series of digital mistakes that allowed police to arrest them.

- Our Webisites Stats -

~Top Downloads~

~Virus Info~

Banners

  Your Banner Here