Aug 30 2011

Hackers Acquire Google Certificate, Could Hijack Gmail Accounts

Hackers have obtained a digital certificate good for any Google website from a Dutch certificate provider.


Criminals could use the certificate to conduct “man-in-the-middle” attacks targeting users of Gmail, Google’s search engine or any other service.

Attackers could poison DNS, present their site with the fake cert and bingo, they have the user’s credentials.

Man-in-the-middle attacks could also be launched via spam messages with links leading to a site posing as, say, the real Gmail. If recipients surfed to that link, their account login username and password could be hijacked.

Details of the certificate were posted on Pastebin last Saturday.

The SSL certificate is valid, and was issued by DigiNotar, a Dutch certificate authority, or CA.

It’s unclear whether the certificate was obtained because of a lack of oversight by DigiNotar or through a breach of the company’s certificate issuing website.

Given DigiNotar’s ties to the government and financial sectors, it’s extremely important to find out the scope of the breach as quickly as possible. The situation was reminiscent of a breach last March, when a hacker obtained certificates for some of the Web’s biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo.

Then, Comodo said that nine certificates had been fraudulently issued after attackers used an account assigned to a company partner in southern Europe.

Initially, Comodo argued that Iran’s government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates.

Aug 29 2011

Using Google Servers as a DDoS Tool

Google’s servers can be used by cyber attackers to launch DDoS attacks, claims Simone “R00T_ATI” Quatrini, a penetration tester for Italian security consulting firm AIR Sicurezza.


Quatrini discovered that two vulnerable pages – /_/sharebox/linkpreview/ and gadgets/proxy? – can be used to request any file type, which Google+ will download and show – even if the attacker isn’t logged into Google+.

By making many such requests simultaneously – which he managed to do with a shell script he had written – he effectively used Google’s bandwidth to orchestrate a small DDoS attack against a server he owns.

He points out that his home bandwidth can’t exceed 6Mbps, and that the use of Google’s server resulted in an output bandwidth of at least 91Mbps.

“The advantage of using Google and make requests through their servers, is to be even more anonymous when you attack some site (TOR+This method); The funny thing is that apache will log Google IPs,” says Quatrini. “But beware: igadgets/proxy? will send your IP in apache log, if you want to attack, you’ll need to use /_/sharebox/linkpreview/.”

He says he discovered the flaws that allow the attack on August 10 and contacted Google’s Security Center about them. After 19 days without a reply from Google, he published his findings.

Aug 28 2011

Windows Remote Desktop Worm “Morto” Spreading

F-Secure Lab just found a new Internet worm, and it’s spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven’t seen before: RDP (Remote Desktop Protocol). Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.


When you connect to another computer with this tool, you can remotely use the computer, just like you’d use a local computer.


Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
…….
………..

Once you are connected to a remote system, you can access the drives of that server via Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt.

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.

F-Secure Lab detected Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B.
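The write-up above gives a defender two concrete signals: a burst of failed RDP logons as Administrator from one source (followed by a success once a weak password hits), and the file names and control domains Morto leaves behind. The following is an added example, not F-Secure’s code, that applies both checks to a constructed, simplified logon record format (timestamp, source IP, account, Windows logon type, outcome); logon type 10 is the RemoteInteractive type that RDP sessions produce, and the threshold and window values are assumptions you would tune to your environment.

```python
"""Flag Morto-style RDP credential guessing and known Morto indicators.

Added example, not part of the F-Secure write-up. The logon record
format below is a constructed simplification of Windows logon events.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicators named in the write-up (file paths compared case-insensitively
# as suffixes, so a drive letter or different casing still matches).
MORTO_FILES = {
    r"\windows\system32\sens32.dll",
    r"\windows\offline web pages\cache.txt",
}
MORTO_C2_DOMAINS = {"jaifr.com", "qfsl.net"}
RDP_LOGON_TYPE = 10  # Windows "RemoteInteractive" logon type (RDP)

# Constructed sample records: timestamp  source-IP  account  logon-type  outcome
SAMPLE_LOGONS = """\
2011-08-28T10:00:01 192.0.2.10 Administrator 10 FAILURE
2011-08-28T10:00:02 192.0.2.10 Administrator 10 FAILURE
2011-08-28T10:00:02 192.0.2.10 Administrator 10 FAILURE
2011-08-28T10:00:03 192.0.2.10 Administrator 10 FAILURE
2011-08-28T10:00:03 192.0.2.10 Administrator 10 FAILURE
2011-08-28T10:00:04 192.0.2.10 Administrator 10 FAILURE
2011-08-28T10:00:05 192.0.2.10 Administrator 10 SUCCESS
2011-08-28T10:01:00 192.0.2.55 alice 10 FAILURE
2011-08-28T10:03:00 192.0.2.55 alice 10 SUCCESS
2011-08-28T10:04:00 192.0.2.77 Administrator 2 FAILURE
"""


def parse_logon(line):
    """Split one constructed record into a dict with typed fields."""
    ts, src, account, logon_type, outcome = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "account": account,
        "logon_type": int(logon_type),
        "outcome": outcome,
    }


def find_rdp_guessing(text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: {"failures": n, "success_after": bool}} for sources
    that produced at least `threshold` failed RDP logons inside `window`.
    A later successful RDP logon from a flagged source is recorded too,
    since that is the moment a password list such as Morto's pays off."""
    recent = defaultdict(deque)  # per-source sliding window of failure times
    flagged = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_logon(line)
        if rec["logon_type"] != RDP_LOGON_TYPE:
            continue  # console or network logons are out of scope here
        q = recent[rec["src"]]
        if rec["outcome"] == "FAILURE":
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    rec["src"], {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif rec["outcome"] == "SUCCESS" and rec["src"] in flagged:
            flagged[rec["src"]]["success_after"] = True
    return flagged


def match_indicators(file_paths, dns_names):
    """Return the subset of observed file paths and DNS names that match
    the Morto indicators listed in the write-up."""
    files = sorted(p for p in file_paths
                   if any(p.lower().endswith(f) for f in MORTO_FILES))
    domains = sorted(d for d in dns_names
                     if d.lower().rstrip(".") in MORTO_C2_DOMAINS)
    return {"files": files, "domains": domains}


if __name__ == "__main__":
    print(find_rdp_guessing(SAMPLE_LOGONS))
    print(match_indicators(
        [r"C:\Windows\System32\sens32.dll", r"C:\Windows\System32\kernel32.dll"],
        ["qfsl.net.", "example.com"]))
```

On the constructed sample, only 192.0.2.10 is flagged: alice’s single failure and the non-RDP Administrator failure from 192.0.2.77 fall through the filters, and the eventual success from 192.0.2.10 is marked so that the alert reads as a probable compromise rather than just noise on port 3389.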

Aug 25 2011

Hacker Penetrated Facebook Servers

In one of the first cases of its kind in Britain, Glenn Steven Mangham, 25, used “considerable technical expertise” to repeatedly bypass security at the world’s dominant social network, it was claimed.

The student, from York, faces five charges, including that he “made, adapted, supplied or offered to supply” a computer program to hack into a Facebook server, Westminster magistrates’ court heard.

Police sources described the incidents as one of the first investigations into attempts to illegally access the site, which boasts more than 750 million members worldwide.

One Scotland Yard source told The Daily Telegraph that detectives were not aware of any hacking attempts “to this extent” on the site in Britain. It is understood Mangham does not have a Facebook profile.

Mangham was arrested by officers from the Metropolitan Police’s Central e-Crime Unit in early June on suspicion of “computer hacking offences” before being charged earlier this month.

He appeared in court for the first time yesterday on what the judge, Nicholas Evans, described as “serious allegations” under the Computer Misuse Act.

He was banned from having any access to computers, his iPhone or “any devices capable of accessing the internet” while on bail. His lawyers argued the conditions were similar to forcing him into “exile”.

“The court feels it will be safer if there was no access to the internet which will reduce the temptation for your son to go on to Facebook,” said Judge Evans.

Specialist cyber crime police allege that between April 27 and May 9 Mangham repeatedly hacked into a Facebook “puzzle server” using software he had downloaded.

The firm runs puzzle servers to allow computer programmers to test their skills. Mangham allegedly knew that doing so could disrupt its operation.

On April 29 he also tried to hack into a “mailman” server run by Facebook via his web browser, police claim. Such systems are used by firms to run internal and external email distribution lists.

Just over a week later he allegedly used software to “secure access to the Facebook phabricator server”. Phabricator is a set of tools designed by the firm to make it easier to build Facebook applications such as games.

Mangham had “made, adapted, supplied or offered to supply” a special software script to hack into the Phabricator server, the court heard.

Despite the extent of the alleged intrusions, Facebook said its users’ personal data was not compromised.

Aug 23 2011

Get Paid to Hack Your TouchPad to Run Android

After HP announced it would discontinue production of its TouchPad tablet last week, it looked like early HP tablet adopters spent $500 on a dud. If you’re an enterprising software hacker, however, there could be an opportunity to make your money back — and then some.

A hardware-modification web site is offering a $1,500 cash bounty for the first person to successfully port a full version of the Android operating system over to HP’s TouchPad.

Hacknmod.com offers a tiered bounty system for would-be TouchPad hackers: Just getting Android to run on the TouchPad without taking full advantage of the tablet’s hardware will win you a cool $450. But the more you’re able to integrate the system software into the device, the more cash you’ll earn. Get the Wi-Fi, multitouch capability, audio and camera up and running, and you’ll add another $1,050 to the pot.

While the bounty is characteristic of the Android-modding crowd which basically wants to slap Android onto anything with a circuit board and touch screen, it’s also an admirable effort to breathe new life into a dying piece of hardware. After reports of dismal sales and third-party retailers sitting on hundreds of thousands of unsold TouchPads, HP decided to kill production after a mere 49 days on the market.

It was bad news for current TouchPad owners. No more HP hardware gives little incentive for webOS app developers to continue producing applications for the platform. In turn, TouchPad owners miss out on the latest popular applications to come to mobile devices. And of course, it gives potential customers no incentive to buy the remaining TouchPads retailers have in stock, costing HP and retail stores hundreds of millions of dollars. Everyone loses.

But if the porting plans work, it could mean bringing a slew of Android apps over to HP’s tablet. If the TouchPad can be made capable of running thousands of Android apps, the device may not be obsolete.

This isn’t the first time the Android-modification community tried to port the operating system over to non-Android devices. Android modders have run the operating system on Barnes And Noble’s Nook Color e-reader, certain Nokia smartphones and even an iPhone.