|
BlackNet
Logo
|
|
|
News
|
::News ::
-
Solaris Telnet 0day: No exploit needed
What appears to be an old security issue, has come to bite Sun's
flagship Solaris OS in the "root", so to speak. A bug in Solaris SunOS
5.10/5.11 "in.telnet" configuration allows attackers to log into the
service WITH NO PASSWORD. This is basically the same
"AIX/linux rlogin -froot" bug that affected BSD tools distributed with
many *nix systems as long as 10 years ago! Solaris 9 and below appear
to not be vulnerable.
Announced on the Full Disclosure mailing list, security researcher "Kingcope" released a paper that brought the flaw to light.
According to CERT, "By supplying a specially crafted USER
Environment variable over telnet, a remote attacker may be able to
bypass authentication to gain access to the system with elevated
privileges. Public exploit code is available". They correctly note that
the attacker must know the name of a valid user on the system, but
falsely state that it cannot be used to gain root access.
However, when "in.telnetd" is configured to allow non-console superuser login, this flaw can give root access.
To test if you are vulnerable, simply try to telnet to your Solaris box with this command:
"telnet -l -f<user> <hostname>"
Security experts are suggesting a few different mitigation
techniques to protect systems from this flaw, as there is no patch
currently available from Sun.
- firewall access tp port 23
- disable the "telnetd" service
- disable "in.telnetd" in the "/etc/inetd.conf" file
- change "/etc/default/login add CONSOLE=/dev/console" to limit where root can login from.
Sun has responded to this discovery, you may read their response here.
The disclosure of this vulnerability to the public without
vendor notification, or a patch, keeps the fires burning on the
question of the "Full Disclosure" style of alerting the world to
security flaws.
Click here to add a comment!
-
Capture The Flag competition at HITB2007
Hack In The Box announced a Capture the Flag ('CTF') hacking competition with cash prizes that will take place in Sheraton Creek Hotel, Dubai from 4th - 5th April 2007 . This is the second CTF to be held in the Middle East after HITBSecConf2005, which was run in Bahrain.
This
CTF game is an attack only version of the popular competition held once
a year in Kuala Lumpur: several teams of three players will challenge
each others in launching penetrative attacks against pre-configured servers and target machines.
According to the official website , “Each
machine is configured with various services (some of which may be
vulnerable while others might not be). Participants are required to
retrieve pre-configured files or ‘flags’ from the target machine in
order to score points. Attendees are not bared from attacking each
other however any participant found using denial of service attacks
will be removed from the game immediately.”
These
servers reproduce a digital environment which is as close as possible
to the real one but each application contains both known
vulnerabilities and specifically designed breaches.
Players
are allowed to use any kind of technique to hit the target and get as
many flags as possible, but hard limitations are imposed to the
participants in order to prevent them from subverting each others: no
flooding of network, no DOS attacks are admitted and , as highlighted
in the official website :
“ NO
harassment of other opponents (verbal abuse, etc), NO physical
attack, NO attacking of Score Servers” will be tolerated.
The
team that during the two day-race will collect the highest number of
flags, will be the winner and get the prize amounting to $3000.,
whereas $2000 will go to the second place and $1000 to the third place.
The
main objective of the CTF competition is to create an occasion for
experts in hacking techniques to show their abilities and the legal
application of such skills. Moreover, as declared by Meling Mudin,
lead organiser of the CTF competition and a core member of the HITB
team :” it allows information security practitioners the opportunity to
showcase their security research capabilities and skills to the rest of
the world."
'This
is evident by the number of serious independent security consultants,
security research and development companies, and security consulting
companies which routinely send their best guys to participate in the
Malaysian competition', he added.
The race will take place during HITBSecConf2007, that will start in April, 2nd.
Click here to add a comment!
-
Canadian Nuclear Safety Commission's website attacked
The Canadian Nuclear Safety Commission's website
was hacked last week by an unknown attacker who replaced the official
"Media Releases" section with a section named "security breaches" and
there he (or she) posted a photograph of a nuclear explosion.
The picture was labeled as "for Immediate Release" and it was associated to the caption:
"Please dont [sic] put me in jail … oops, I divided by zero."
The attack provoked astonishment and concern across Canada, because the Canadian Nuclear
Safety Commission IT System holds details and sensitive information
about nuclear activities in Canada and about how to track the movement
of high-risk radioactive sealed sources.
According
to Aurèle Gervais, the spokesman of the Commission, the attack will not
bring about dangers for National Security since there’s no way anyone
could get the access to “potentially dangerous information” without a
secure government login. Moreover Mr. Gervais confirmed the attack was
carried out on a part of the website run by an external provider with
no link to the internal site.
In
spite of the fact that an information leak is very unlikely to happen,
the Commission is going to undertake deep investigations and it has
already asked the Royal Canadian Mounted Police , the national police service, to investigate.
This is the first time such an attack has been held against the Canadian Nuclear Safety Commission, but considering the variety of vulnerabilities discovered every day ,it will be hardly the last one.
Click here to add a comment!
-
MSN Virus discovered in Taiwan
MSN-addicted pay attention! The Taipei Times reported
that thousands of people across Taiwan have been affected by a virus
transmitted through MSN that allows attackers to take control of
users’ PCs.
Lots of them have received
a link from friends regularly registered in their list of contacts.
Once they clicked over it, they discovered a backdoor virus has been
installed on their computers.
Many users declared that as first their list of contacts
disappeared and it became impossible to close MSN Messenger. Some of
them said that data was wiped off their computers, while others
admitted that nothing untoward after clicking on the Messenger link.
There
are is no clear information about the nature of the virus or about how
widespread was, indeed on the one hand MSN representatives claimed
that they detected a backdoor virus named BKDR_RINBOT.A, and on the
other experts from the Chinese division of Symantec said that it
could be identified as the Backdoor.irc.Bot virus.
According to Symatec, the virus uses the contact list to send the link so that the recipient will be taken off guard.
The
purpose of this kind of attack is both to obtain more contacts to
continue to spread the virus, and to gain full control of the infected
computer. Moreover, it was verified that infected computers would
execute the virus every time the computer was rebooted and tried to
connect to an IRC chat room server so that computers connecting to that
server would become infected by the virus.
Click here to add a comment!
-
Privacy for (US) soldiers
US Army declared war
against military data leaks but its security program hasn’t met with
enthusiasms by privacy groups that harshly criticized the initiative
to monitor and eventually censor websites and soldiers' blogs .
According to the Register
, the Electronic Frontier Foundation (EFF) sued the US Department of
Defense after the Department of Defense and Army failed to respond to Freedom of Information Act (FOIA) requests about the blog monitoring programme.
All
federal agencies, including the Department of Defense and the Army are
required to keep to the Freedom of Information Act (FOIA) that burdens
institutions to disclose records requested in writing by any person. The EFF focuses on the fact that an
Army unit called the Army Web Risk Assessment Cell (AWRAC) has the
charge to notify webmasters and bloggers when it finds "sensitive
information".
Anyway bloggers sometimes complaint that they are often
coerced to censor also those passages that have nothing to do with
military information but actually deal with their personal feelings
about war.
"Soldiers should be free to blog their
thoughts at this critical point in the national debate on the war in
Iraq," EFF staff attorney Marcia Hofmann said. "Of course, a military
effort requires some level of secrecy. But the public has a right to
know if the Army is silencing soldiers' opinions as well. That's why
the Department of Defense must release information on how this program
works without delay."
On the other hand, an Army
statement highlights that : "AWRAC notifies webmasters and blog writers
when they find documents, pictures, and other items that may compromise
security. AWRAC reviews for information on public websites which may
provide an adversary with sensitive information that could put soldiers
or family members in danger. AWRAC assesses the risk the information
poses to the military and determines if the next step is to request the
information be removed."
In spite of the fact that
the AWRAC has no legal authority to impose changes to postings or to
take down a certain website, no member of the US Army would dare make a
stand. Indeed, the Unit has much influence since just the fact that a
soldier's superiors get informed about similar facts, could represent a
concern for the soldier himself.
This initiative to support soldiers' right of expression is a part of the EFF’s FLAG Project , which uses FOIA requests and litigation to cast a light on government'sAbuses about privacy.
Click here to add a comment!
-
Data theft at Morgan Stanley
Last week a former Morgan Stanley consultant
was found guilty in a case of data stealing: Ira Chilowitz, 44 has been
accused of stealing names of the brokerage firm's hedge fund clients
and confidential information about the fees they were charged, Reuters reported .
The
defendant declared that his decision to get proprietary documents from
his company’s database was due to the fact that he and another
individual were planning to set up their own consulting firm and they
thought that such classified information could help them get business.
No comment was released by Morgan Stanley's spokesmen on this proposal.
According
to official documents by the Attorney, the data on the company's hedge
fund clientele "would be highly valuable to competitors of Morgan."
This
is the main reason standing behind the accusations of conspiracy, theft
of trade secrets, unauthorized computer access and transportation of
stolen property, moved to Mr. Chilowitz .
Mr Chilowitz was arrested in july and now he risks 26 years in prison and an $850,000 fine.
Click here to add a comment!
-
To catch a criminal.. via web
Criminal hunting methods are changing more and more according
to the development of new technologies and instruments but recently, a
strange trend is revolutionizing criminal investigation techniques..
The
trend consists in making pleas about cases of murders, kidnappings,
burglaries and other crimes on social networks such ad MySpace in order
to hit the attention of the widest range of people and possibly collect
information to help investigations. In other words, these pleas work as
high-tech equivalents of "wanted" posters.
Similar initiatives are taken by crime victims
and police equally , showing a further perspective about the level of
influence that the Internet has in everyday life.
For
instance, relatives of a Chicago doctor who was murdered last October,
posted on MySpace.com a surveillance video showing a blood-spattered
young man rushing from the building.
The
son of the victim explain this choice as an attempt to gain attention
on the case: "Young people between 18 and 25 are probably not watching
the nightly news or reading the newspaper every day. That audience is
probably on the Internet, and they all have MySpace."
After
they posted on MySpace an announcement offering a $25,000 reward, the
website received more than 40,000 hits in six weeks, whereas Chicago
Police admitted they hadn’t received any call but just a few e-mails.
Social
networks has been monitored for long by police agencies that were in
search for sexual predators of terrorist organizations, and now they
are actively using them as a crime-fighting tool:as reported by the US magazine USA Today, a detective said that he gets "probably one, two MySpace cases a week."
…CSI, beware!
Click here to add a comment!
-
Cyber-terror’s way to fund raising
Is money made by data thieves a source for terrorism?
The
link between cyber crime and terrorism is quite foggy and it is not
easy to determine which activities are backed by terrorist
organizations and which ones are carried out by “normal” attackers.
Anyway, as declared by Miss Avivah Litan, Gartner's resident expert on
identity theft, recent events have cleared up the situation a bit more.
"This is something people have been talking about since 9-11,"she says. "But it's really a new phenomenon."
The first effective proof of cracking activities aimed to
Middle East extremist group's fund-raising was discovered in late 2006
thanks to the arrest of approximately 50 people in Egypt and Lebanon.
The arrests led to the discovery of millions of dollars filched by
using stolen debit and credit account numbers.
Miss
Litan’s declaration was released after last week’s attack to the
company of chain retailers T.J. Maxx and Marshalls that provoked a huge data breach.
There’s
no confirmation about the involvement of terrorism in such attack but
security experts do not hide their concern about this possibility.
Specifically,
Miss Litan's assertions focus on the debate about what is really
happening on the digital ground: nothing new... but very little known!
Click here to add a comment!
-
Hacking for gossip
People go hacking (and cracking) for the strangest reasons but.. wow! Now there’s also someone who hacks for gossip!
This
could have been the beginning of an unconventional story about stolen
secrets for frivolous reasons but even if the underground world is such
a small world, there are no crunchy implications in this story and in
spite of appearances, this digital intrusion, was committed for money.
According
to the Associated Press, a British tabloid journalist who hacked into
royal officials' voicemail was sentenced Friday to four months in
prison.
Clive
Goodman, 49, the royal editor of the News of the World, was probably
looking for a career-saving scoop, so he hired a private
investigator, Mr.Glenn Mulcaire, to hack into royal officials'
voicemail systems and intercept messages from the members of the
British royal family.
Mr. Goodman’s lawyer claimed that “Mr. Goodman's stories were no longer considered adequate by his superiors.”
“He
was demoted, sidelined and a younger reporter was assigned to cover the
royal family. Under that pressure, he feared for his job, “he said.
Unfortunately
for Mr. Goodman the judge didn’t consider “working pressure” as a
reasonable excuse to get uncontrolled access into Royal family’s life
and he and Mr. Mulcaire where condemned to four and six months in
prison.
Soon after the sentences Andy Coulson, the editor of the News of the World, resigned.
As
admitted by Mr. mulcaire, managed in getting mobile phone network
operators ‘s confidential pin numbers to access messages left on the
Royal cell phones . So, between November 2005 and June 2006, he and
Goodman and made 609 separate calls to the voicemail systems of three
senior members of the royal household.
Their lack of experience was the cause of a series of digital mistakes that allowed police to arrest them.
Click here to add a comment!
|
- Our Webisites
Stats
-
|
Most Guest Online
was: 33
Owned
Members:
1
|
|
|
|
|