The "No Network is 100% Secure" series
- High Value Site Hacks, 2009 edition -
- In the news -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Vulnerability test: There is no malware on this page. Click on the "How vulnerable am I?" button above to run a (completely safe) test to see if you are vulnerable to drive-by exploits.
If a new window does NOT open, you are about as safe as you can be, at least until these hackers come up with some new exploit. Note that you still need to have ALL of your software (not just the operating system) patched to the latest level, since there are lots of other ways to pick up trojans and viruses besides visiting a compromised, infected drive-by web site.
A recent study revealed that the average PC in the USA (including computers in a corporate environment) has over a dozen current vulnerabilities. And remember, these hackers only have to exploit one vulnerability and you're hacked! The same study confirmed that there is an over-dependence on anti-virus software to keep computers safe. This is an absolute fallacy! AV software is a 1999 solution to a 2009 problem. The drive-by attacks described in this white paper go largely unnoticed by AV software. If your computer failed our vulnerability test, it's just a matter of when, not if, you get hacked.
Feedback: We value the opinion of IT professionals. If you have comments about this series of white papers (too detailed, not detailed enough, helpful, boring, or whatever) we would appreciate hearing from you. The information contained in these white papers is intended to help IT Managers better secure their networks. The more on-point our white papers are, the more useful the information will be to our target audience. Thanks in advance!
The Center for Defense Information (CDI), founded in 1972 by retired U.S. Navy Rear Admiral Gene La Rocque, states that it is dedicated to strengthening national and international security through: international cooperation; reduced reliance on unilateral military power to resolve conflict; reduced reliance on nuclear weapons; a transformed and reformed U.S. military establishment; and prudent oversight of defense programs. It currently operates under the aegis of the World Security Institute and is composed of academics and high-ranking retired U.S. military officers who conduct critical analyses of U.S. defense and security policy.
It is interesting (at least to me) that an organization that promotes a weak defense and a "kumbaya" attitude towards committed terrorists and criminals would be attacked and hacked by the same evil people they want to give a group hug to. Morons....
Think an independent security audit isn't worth the money?: July 27, 2009 Retailer TJX Companies, Inc., has reached a $9.75 million consumer protection settlement with 41 states, stemming from a breach of sensitive data about thousands of customers. The company is the parent of the T.J. Maxx and Marshalls discount clothing chains and HomeGoods stores. "This multi-state investigation was triggered by the largest computer security breach ever reported," said Pennsylvania Attorney General Tom Corbett. "Every time someone swiped a credit card or debit card at a store operated by TJX, their information was funneled directly to hackers, compromising the accounts of millions of consumers." Corbett said the settlement resolves allegations that TJX ignored flaws in the configuration of its computer network and failed to take sufficient steps to protect customer information--allowing hackers to access its unsecured network and operate undetected for more than a year, leaving tens of millions of consumers vulnerable to identity theft. Additionally, Corbett said the settlement requires TJX to upgrade and carefully test its security systems and to regularly report the results of their security testing to Attorneys General across the country.
Daqi.com hacked: The Daqi.com Experience Center Web site has been compromised and is serving several popular exploits. A quick investigation shows that the following vulnerabilities are targeted:
Windows Animated Cursor Remote Code Execution Vulnerability
Microsoft Windows MDAC Vulnerability
Microsoft Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability
Sina DLoader Class ActiveX Control 'DonwloadAndInstall' Method Arbitrary File Download Vulnerability
Xunlei Thunder DapPlayer ActiveX Control Buffer Overflow
Ourgame GLWorld GLIEDown ActiveX Control Vulnerabilities
RealPlayer IERPCtl ActiveX Control Buffer Overflow Vulnerability
Storm MPS.StormPlayer.1 ActiveX Control Buffer Overflow Vulnerability
Daqi.com is a high-profile portal site in China with Alexa rank 586, popular with news readers all over the world.
Apache.org compromise: August 28, 2009. The open-source Apache Software Foundation pulled its Apache.org Web site offline for about three hours today because of a server hack caused by a compromised SSH key. A brief message posted on the site stated that the compromise was "not due to any software exploits in Apache itself", but was actually caused by a compromised SSH key.
No one is safe....
It's not just hackers who steal your information: Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable. To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites. Thanks for the Trojan, Sears and KMart... :(
The Sony rootkit is back: After purchasing an Anastacia CD, the plaintiff played it in his computer but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data. Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros. The judge's assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it. The court ordered the retailer of the CD to pay damages of 1,200 euros.
Note that the authors of the above two items provided no information substantiating these stories. However, it's certainly true that vendor CDs, DVDs and floppies have been known to contain malware, so it is always a good idea to scan ALL media before running any of its programs or installing any of its software. As for allowing any site to download software onto your computer? Just say "NO!".
Congress investigates Chinese cyberspying: October 22, 2009. The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing. The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are "straining the U.S. capacity to respond," the report concludes. The bipartisan commission, formed by Congress in 2000 to investigate the security implications of growing trade with China, is made up largely of former U.S. government officials in the national security field. The commission contracted analysts at defense giant Northrop Grumman Corp. to write the report. The analysts wouldn't name the company described in the case study, describing it only as "a firm involved in high-technology development." The report didn't provide a damage assessment and didn't say specifically who was behind the attack against the U.S. company. But it said the company's internal analysis indicated the attack originated in or came through China.
The FCC weighs in: October 22, 2009. The Federal Communications Commission voted to approve proposed new rules aimed at blocking Internet service providers, like Comcast, and wireless phone companies such as Verizon and AT&T, from intentionally halting or slowing Web traffic. The proposal, the so-called net neutrality regulations, will set off a series of regulatory procedures and a final rule is expected to be introduced early next year. Supporters say the regulations prevent any company from steering viewers to its own outlets and manipulating consumers' choice of what to watch or read. But critics charge that the plan is another power grab by the government.
"These new rules should rightly be viewed by consumers suspiciously as another government power grab over a private service provided by private companies in a competitive marketplace," Sen. John McCain wrote in an opinion article published by The Washington Times. McCain argued that a government takeover of the Internet will "stifle innovation" and "hinder job creation," noting that the technology industry is the fastest-growing job market behind health care.
The proposal contains six principles, including four existing guidelines adopted in 2005 on Internet network operations. The additional rules are designed to prevent Internet traffic discrimination and increase transparency on how carriers manage their networks to ensure that they aren't targeting technologies that may compete with their own services. Verizon and Google have endorsed the plan, saying they need open access to all Internet users, while AT&T has opposed it, saying the status quo should be maintained.
More on Congressional Cyberspying hearings: What is most amazing and troubling (at least to me) is that this very important issue is being largely ignored by the USA so-called "mainstream" media. Americans would need to subscribe to the Daily Telegraph in London to even hear about this story. London, Oct 23, 2009: The Communist regime in China, with the help of an elite hacker community, is building its cyber warfare capabilities and appears to be using a long-term computer attack campaign to collect US intelligence. An independent study released by a [US] congressional advisory panel found cases that suggested that China's elite hacker community has ties to Beijing, although there is no substantial proof. The commission report details a cyber attack against a US company several years ago that appeared to either originate in or come through China and was similar to other incidents also believed to be connected to that country, The Telegraph reports. The data from the company's network was being sent to multiple computers in the US and overseas, according to an analysis done by the company over several days. The report contends that the attackers targeted specific data, suggesting a very coordinated and sophisticated operation by people who had the expertise to use the high-tech information. An IP address located in China was used at times during the episode, the paper reports. The Chinese Government is said to view such cyber prowess as critical for victory in future conflicts, similar to the priority on offensive cyber abilities stressed by some US officials. Potential Chinese targets in the US would likely include Pentagon networks and databases to disrupt command and control communications, and possibly corrupt encrypted data, the report says.
Citibank should have hired us!: December 23, 2009. The Wall Street Journal reports that the FBI is looking into a potential computer-security breach that resulted in the theft of tens of millions of dollars from Citibank by computer hackers. These hackers appear to be linked to a Russian cyber gang who targeted Citigroup's Citibank subsidiary, including its North American retail bank and other businesses. This attack was detected over the summer, but there is a chance that it could have happened as much as a year earlier.
The report goes on to say that it is possible that these same hackers hacked into a U.S. government agency (or two). Citigroup was quick to point out that it "had no breach of the system and there were no losses, no customer losses, no bank losses ... Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true." I know that I believe them....
This threat was discovered thanks to suspicious traffic from Internet addresses used by the Russian Business Network (a group that has sold hacking tools for accessing U.S. government systems). The article goes on to highlight the fact that this breach was especially dangerous because the hackers could have toyed with the entire banking system, as hackers gaining entry to one bank could lead to plenty of other banks violated.
Cyber crime is now an epidemic, as losses to online crime totaled $260 million in the U.S. alone last year. That is a heck of a lot of security breaches!
Sports fans aren't safe either: December 29, 2009. You'd think that going to a FOX News site would be safe, right? Wrong. The Fox Sports site has recently been compromised and injected with malicious code. Fox Sports is a division of the Fox Broadcasting Company. It specializes in the latest sports news and world sports updates. Fox Sports has an Alexa ranking of 330. The site has been injected with two pieces of malicious code. One of them is the latest Gumblar campaign, and the other redirects individuals to a malicious Web site for further attacks. Thousands of Web sites have been compromised by the latest Gumblar campaign. The Gumblar page is highly obfuscated. After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim's computer. In addition, a piece of VBScript is executed to download malware. Some of these vulnerabilities such as Adobe Flash and PDF currently have no patch available so if you visited FOX News recently and have vulnerable software installed, you are most likely infected. We are receiving a lot of hits on our Trojan White Paper page so we suspect that the numbers of infected PCs may be quite high.
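The injected content described in the Daqi.com item above (a page serving exploits for a list of ActiveX controls) and in the Fox Sports item (an obfuscated Gumblar script that decodes itself before running PDF and Flash exploits, a VBScript downloader, and a redirect to a second malicious site) leaves recognisable traces in the page source that a site owner can check for. The scanner below is an added example written for this page, not code from the original white paper or from any vendor. It runs over a constructed sample page whose host name, CLSID and script contents are placeholders rather than real indicators, and flags hidden iframes, scripts that decode themselves with unescape()/eval()/String.fromCharCode, VBScript blocks, and ActiveX instantiation that only becomes visible after one static deobfuscation pass.

```python
"""Static triage of an HTML page for injected drive-by markers (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page, not a real capture. A benign article carries three
# injected fragments: a zero-size iframe pointing at a redirector host, a script
# that rebuilds an <object> tag at run time, and a VBScript block. The host name
# and the all-zero CLSID are placeholders, not real indicators.
SAMPLE_PAGE = """<html><head><title>Scores</title>
<script src="/js/site.js"></script></head>
<body><h1>Tonight's results</h1><p>Home 3, Away 1.</p>
<iframe src="http://redirector.example/in.cgi?3" width="0" height="0"
 style="visibility:hidden"></iframe>
<script>var s="%3Cobject%20classid%3D%22clsid%3A00000000-0000-0000-0000-000000000000%22%3E";
eval(unescape(s)+String.fromCharCode(60,47,111,98,106,101,99,116,62));</script>
<script language="VBScript">Set o = CreateObject("Scripting.FileSystemObject")</script>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Self-decoding constructs, or long runs of %xx / \xNN escapes, in script text.
OBFUSCATION = re.compile(
    r"\b(eval|unescape|String\.fromCharCode)\s*\(|(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}",
    re.I,
)
ACTIVEX = re.compile(r"classid\s*=\s*[\"']?clsid:|new\s+ActiveXObject\s*\(", re.I)
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d,\s]+)\)")


def peel(script: str) -> str:
    """One static deobfuscation pass: expand String.fromCharCode(...) lists and
    %xx escapes (what unescape() would do in the browser) so that markup the
    script builds at run time becomes visible to the pattern checks."""
    expanded = FROMCHARCODE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")
                          if n.strip().isdigit() and int(n) < 0x110000),
        script,
    )
    return unquote(expanded)


class DriveByScanner(HTMLParser):
    """Collects (indicator, detail) pairs while walking the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_attrs = None   # attributes of the <script> currently open
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            zero_size = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
            if zero_size or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            self.findings.append(("activex_object", a["classid"]))
        elif tag == "script":
            self._script_attrs, self._script_text = a, []

    def handle_data(self, data):
        if self._script_attrs is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_attrs is not None:
            self._classify_script(self._script_attrs, "".join(self._script_text))
            self._script_attrs = None

    def _classify_script(self, attrs, body):
        lang = (attrs.get("language", "") + " " + attrs.get("type", "")).lower()
        snippet = " ".join(body.split())[:60]
        if "vbscript" in lang:
            self.findings.append(("vbscript_block", snippet))
        if OBFUSCATION.search(body):
            self.findings.append(("obfuscated_script", snippet))
        if ACTIVEX.search(peel(body)):   # check the decoded layer, not just the raw text
            self.findings.append(("activex_instantiation", snippet))


def scan_page(html_text: str):
    """Return the list of (indicator, detail) findings for one page."""
    scanner = DriveByScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for indicator, detail in scan_page(SAMPLE_PAGE):
        print(f"{indicator:24} {detail}")
```

Run it over copies of your own site's pages pulled from a crawl or from the web server's document root, and treat every finding as a lead to confirm by hand rather than as proof: legitimate sites do use eval() and hidden frames, and attackers change their encoding regularly, so the patterns need updating and a clean result does not mean the page is clean.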
Many security pros are focused on the wrong threats: Many corporate information technology departments are prioritizing the wrong threats to their computer systems. They focus on old problems while leaving their companies open to a myriad of new cyber attacks that target sensitive customer and corporate information. In 2009, two cyber risks dwarfed all others. But many IT Managers are not effectively mitigating them, instead preferring to invest in mitigating less critical risks. The less critical risks are things like flaws in the Windows operating system. While these bugs were the No. 1 problem for everyone on the Internet not long ago, times have changed. Thanks to significant security improvements by Microsoft, automated tools for applying its patches and generally good habits within organizations, the operating system is now much harder to hit. As such, hacker interest has waned. Only one major worm, Conficker, circulated in the first half of 2009. Attacks on operating systems accounted for only about 30% of the total volume of attack activity on the Internet. And thanks to patching, most of these were not very successful.
On the rise in 2009 are quiet attacks on desktop programs, such as Microsoft's Office, Adobe's Flash Player and Acrobat programs, Java applications, and Apple's QuickTime program. Attacks on these programs currently account for about 10% of attack volume, up from zero three or four years ago. And these are likely to be far more successful, since more than 90% of corporate computers are using old, unsecured versions of these programs.
Attackers are very opportunistic. They will work with the easiest to use vulnerability that will give them the biggest return. This is why attacks on company Web sites have skyrocketed. An estimated 60% of attack activity is now directed at trying to hack Web sites. This is often accomplished by targeting "SQL injection" and "Cross-Site Scripting" flaws in open-source and custom-built Web applications, which currently account for more than 80% of the new vulnerabilities being discovered. Attackers are often looking to steal proprietary company information, such as customer data and trade secrets. Security software company McAfee estimated that in 2008, companies around the world lost more than $1 trillion due to this sort of intellectual property and data theft. Hackers also frequently turn the sites they victimize into tools for distributing malicious programs to the computers of site visitors, often turning customers' machines into zombies that are networked into botnets much like the one that Conficker has built.
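As an added illustration of the two web-application flaws named above (not code from the white paper or from any of the sites it discusses), the following Python uses an in-memory SQLite table to show a login query built by string concatenation beside its parameterized form, and a greeting page that echoes a stored display name unencoded beside one that HTML-escapes it. All user names, passwords and the table layout are constructed for the example.

```python
"""SQL injection and cross-site scripting: flawed form beside the fix (added example)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table. Passwords are stored in clear only to
    keep the injection demonstration short; production code stores a salted
    hash and compares it after the lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "Alice"),
         ("bob", "hunter2", "<script>alert('xss')</script>")],  # bob's name is markup
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Flaw: the inputs are spliced into the SQL text, so a quote character
    in either one changes the statement's structure instead of its data."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_hardened(conn, username: str, password: str):
    """Fix: parameter binding. The statement is fixed before the values are
    supplied, so the values can never be interpreted as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def greeting_vulnerable(conn, username: str) -> str:
    """Flaw: a stored value is placed in the HTML response unencoded, so any
    markup in it runs in the browser of every visitor who views this page."""
    (name,) = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)).fetchone()
    return f"<p>Welcome back, {name}!</p>"


def greeting_hardened(conn, username: str) -> str:
    """Fix: encode for the HTML text context at output time, so the browser
    displays the characters instead of parsing them as tags or attributes."""
    (name,) = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)).fetchone()
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    bypass = "x' OR '1'='1"   # classic tautology in the password field
    print("vulnerable login, wrong password:", login_vulnerable(db, "alice", bypass))
    print("hardened login, wrong password:  ", login_hardened(db, "alice", bypass))
    print(greeting_vulnerable(db, "bob"))
    print(greeting_hardened(db, "bob"))
```

With the tautology in the password field the concatenated query returns alice's row without her password, while the parameterized query returns nothing; and the escaped greeting shows bob's name as literal text where the unescaped one hands the browser a script tag. Both fixes are cheap, and a code review that looks for string-built SQL and unencoded output finds most of the flaws the text says account for the bulk of new vulnerabilities.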
The latest data shows that exploiting web server and client-side application flaws is the current dominant attack vector. However, smart IT Managers remain well aware that the number one weakness in enterprise security remains the fact that people (Users) are still being fooled into allowing hackers to infect their workstations. Old fashioned, unsophisticated phishing schemes and tricking Users into downloading malware are still the top threat that needs to be protected against.
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.
Last modified June 25, 2009
Copyright 1990-2009 Easyrider LAN Pro