Archive for March, 2008
Author: Dave Lewis
March 31, 2008 at 8:40 am · Filed under Crime, Hacker, ID Theft
This morning brings word of another data breach. This time the victim was the Irish employment site Jobs.ie.
From Ireland.com:
Jobs.ie would not say how many of its clients had been affected, but said it had now fixed the security breach.
The clients whose information was taken are at risk from identity fraud and “phishing”, where criminals, often posing as a well-known, legitimate company, use the information gleaned to try to extract further personal and financial information from their victims.
It is understood that the hackers used an illegally obtained log-in and password given to employers who are registered with Jobs.ie to access the job applications area of the site. They then downloaded personal information from CVs submitted, along with job applications.
Most of the stolen information relates to archive CVs rather than those of people now looking for jobs.
The company, which is owned by businessman Denis O’Brien, has in recent days contacted those affected to warn them of the possibility that they may receive e-mails from people using their information.
“All of the people affected have been contacted and informed of the situation. We have urged them to exercise extra vigilance with inbound e-mails in the coming weeks to ensure online security,” a spokeswoman said.
Read on.
Article Link
Author: Dave Lewis
March 31, 2008 at 8:11 am · Filed under Conventions
Here is a piece on the recent CanSecWest conference. This piece by Thom Holwerda is a response to an article that showed up on “Roughly Drafted”.
From OS News:
As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up; laptops running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, you can only attack the machine over the network, without physical access. On the second day, user interaction comes into play (visiting a website, opening an email). On the third and final day, third-party applications are added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe’s Flash, and the Ubuntu machine did not get hacked at all.
Good read. Check it out.
Article Link
Author: Dave Lewis
March 31, 2008 at 8:03 am · Filed under Data Security, Tools
Thanks to Pete Finnigan’s site we learn that there is a new version of the Oracle password cracker “woraauthbf” available.
From PF’s blog:
The Oracle password cracker woraauthbf written by Laszlo Toth has been updated and released as a new version 0.21R2 (the R2 is the new part), so even if you are running version 0.21 then please download the new release. The fix relates to a bug I found in 11g that if more than one user has the same password the cracker found the first occurrence only. The bug fix corrects this. This is minor as the cracker could be used without error on the earlier database releases and it’s unlikely that many people are running 11g in production yet anyway.
For links and more on this check out his site. If you’re interested in Oracle security then you should really consider signing up for this RSS feed.
Article Link
Author: Dave Lewis
March 28, 2008 at 11:36 am · Filed under Data Security, ID Theft, Physical Security
Well, we get word (thx Chris) that the Georgia state department of human resources suffered a data theft last week. Apparently an external hard drive with the personal information of former and current employees stored on it was stolen “by an unauthorized person”. They did not release the number affected but, just to put it in perspective, there are currently 19,000 employees with DHR.
From Atlanta Journal Constitution:
The agency sent letters to all employees affected by the security breach, urging them to review all credit and other financial records.
DHR officials said there is no evidence the information is being used fraudulently, and the theft remains under investigation.
The incident alarmed employees and former employees.
“On the personal side, I’m concerned that they had this kind of breach,” said Jed Nitzberg, a former DHR spokesman.
He added, “I’ve already been in touch with one company about buying fraud monitoring and information protection services as an extra precaution because of this. I’m worried this could come back to cause real damage months from now.”
Gov. Sonny Perdue said through a spokesman that the theft heightens concerns about computer security in state government.
“The governor is not happy about where the government is on this,” said spokesman Bert Brantley.
To say nothing of the fact that they are running Netscape Enterprise 6.0 as their web server.
Read on.
Article Link
Author: Dave Lewis
March 28, 2008 at 7:27 am · Filed under Dumbass, Hacker
What a dumbass.
From the Associated Press:
A computer hacker was sentenced to three years in prison for placing a phony 911 call that led a SWAT team to storm a family home at gunpoint.
It marked the first prosecution in Orange County for a prank known as “swatting” that involves sending SWAT teams on wild goose chases, said county district attorney’s spokeswoman Farrah Emami on Thursday.
Randal T. Ellis, 19, pleaded guilty Wednesday in Orange County Superior Court to five felony counts, including computer access and fraud, false imprisonment by violence and falsely reporting a crime.
He was given prison time and ordered to pay $14,765 in restitution, most of which will go to the county Sheriff’s Department.
Wow…this could have cost someone their life. Read on.
Article Link
Author: Dave Lewis
March 28, 2008 at 7:17 am · Filed under Conventions, Hacker
Well, CanSecWest (which I missed yet again) has hit the press with the hacking contest that saw the MacBook Air hacked in…2 minutes. The winner received 10K for his troubles. Now that is one helluva hourly rate.
From security.itworld.com:
Miller, best known as one of the researchers who first hacked Apple’s iPhone last year, didn’t take much time. Within 2 minutes, he directed the contest’s organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.
He was the first contestant to attempt an attack on any of the systems.
Miller was quickly given a nondisclosure agreement to sign and he’s not allowed to discuss particulars of his bug until the contest’s sponsor, TippingPoint, can notify the vendor.
Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible, or possibly inside, Apple’s Safari browser.
Nicely done.
Article Link
Author: Dave Lewis
March 27, 2008 at 12:57 pm · Filed under OS Security, Vulnerability
I can’t say that I’m overly surprised. I had loaded up a copy of 2008 that I received at Black Hat last year into a virtual machine. I poked around in it for a couple minutes and shut it down. I just didn’t have the stomach to deal with it at the time. Well, it appears that others had the intestinal fortitude that I was sorely lacking.
From eWeek:
Cesar Cerrudo, founder and CEO of Argeniss Information Security, in Parana, Argentina, says the weaknesses could lead to privilege escalation attacks that open the door for a skilled hacker to take complete control of the operating system.
“[We found] from design issues that were not identified by Microsoft engineers during the Security Development Lifecycle (SDL), and allows accounts commonly used by Windows services — NETWORK SERVICE and LOCAL SERVICE — to bypass new Windows services protection mechanisms and elevate privileges,” Cerrudo explained.
He said the discovery also affects Internet Information Services 7 in the default configuration, allowing ASP.NET applications to “completely compromise” operating system security.
Cerrudo, a security researcher who is highly regarded for his work on database security, said the problem also affects Windows Vista, Windows XP and Windows 2003.
“On Windows XP and Windows 2003 the problem is especially severe since any Windows service, even when running under a low privileged account, can potentially break through the security protections and fully compromise the operating system. This includes all web applications deployed on Internet Information Services 6,” he added.
He’ll be releasing details of his fun with Windows at HITB 2008 Dubai.
Article Link