
July 2, 2008

ALERT:ATM PIN NUMBERS HACKED!

Hackers broke into Citibank's network of ATMs inside 7-Eleven stores this year and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs -- the numeric passwords that theoretically are among the most closely guarded elements of banking transactions -- by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.

Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption -- which means encoding them to cloak them to outsiders -- some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

"PINs were supposed to be sacrosanct -- what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with Gartner research firm. "The banks need much better fraud detection systems and much better authentication."

It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores in the U.S., but it doesn't own or operate any of them.

June 11, 2008

I am controlling your PC via Bluetooth.

Microsoft's June Patch Tuesday release included a critical fix affecting all Windows Vista and XP systems, which could allow attackers to wirelessly steal confidential information from laptops by exploiting a flaw in the Bluetooth stack.

The Bluetooth stack flaw, detailed in Microsoft bulletin CVE-2008-1453 and rated 'critical', could allow an attacker to take complete control of an affected system, install programs, alter data or create new accounts with full user rights.

The MS08-030 patch modifies the way the Bluetooth stack handles a large number of service description requests.

Microsoft recommends applying the patch immediately and security experts advise users to turn off Bluetooth features until the patch has been applied.

Matthew Aburn, director of security consultancy Halcyon, said the flaw was particularly dangerous because hardware manufacturers usually set the factory default for Bluetooth as 'active'.

"Hardware-wise, most ship with Bluetooth on by default. I'd definitely recommend that if you're not using Bluetooth, you should turn it off," Aburn told ZDNet.com.au.

Rob Pregnall, Symantec's senior manager of Technical Product Management for Endpoint Security in Asia Pacific and Japan, agreed. He said hardware manufacturers should do this to make those features easier to access.

"When I look at a freshly bought machine from a reputable manufacturer, the first thing I notice is that every bell and whistle is turned on. I see it across different hardware manufacturers, including Macs," he said.

"All the different communication technologies are generally activated, so I think it's a move by manufacturers to ensure that everything is turned on so that minimal effort is needed to use the capabilities that users were sold on," Pregnall said.

In a blog, Microsoft admits that although in most cases an attacker would need to be in close range to exploit the vulnerability, there are ways to increase that distance.

"The standard range of Bluetooth is in the order of metres, although an attacker could use specialised antennas to increase this," the blog said.

This was backed up by Halcyon's Aburn.

"People look at the standard specifications for Bluetooth range of connectivity, which says you need to be so many metres away but using a directional antenna, people can target you from much further away," he said.

This month's Patch Tuesday includes fixes for a drive-by download weakness in Internet Explorer, as well as flaws affecting Microsoft's multimedia.

The critical vulnerability affecting Internet Explorer described in CVE-2008-1442 and CVE-2008-1544 only affects Windows XP and Vista systems. The MS08-031 cumulative patch fixes a couple of vulnerabilities, including one that could allow remote code execution if a user viewed a specially crafted web page using Internet Explorer and another which could allow information disclosure if a similarly configured page was viewed using the browser.

The DirectX flaws affect all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-0011 and CVE-2008-1444. Microsoft says the vulnerability "could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

June 8, 2008

The Social Butterfly

In a world rife with social networking sites such as Myspace, Facebook, LinkedIn, or any of the other 550,000 different sites allowing you to connect with people you are already friends with, there is bound to be a shady element: that underworld of exploitation, manipulation, and incredible social aptitude. Wait, what?

Welcome to the world of the over-friendly and 'single-minded' Trojan. Single-minded, as it seems intent on inviting people to the site to start networking. A Trojan is a programme that appears to be desirable (like a free downloadable game or screen saver), but contains viruses or worms (self-replicating viruses) that can create havoc with the PC and the network.

However, in the case of these social networking sites, the Trojans that plant themselves on the users' computers and send invites to all mail IDs saved in the contact list, are harmless. The Trojan embeds itself in the user's computer when he/she logs on to a social networking site and sends invites to all listed in the contact list.

The receiver – believing it to be from a genuine friend – accepts the invitations and becomes a member of the social networking site. The sites use this to increase their membership, while hackers use the technique for their phishing attempts.

They do not crash the PC nor the network, an IT specialist with a leading BPO notes. But they sure can mar friendships, relationships or even lead to unwanted and unsolicited networking.

Internet Service Providers Association of India (ISPAI) president Rajesh Chharia says, "Even though these programmes only send spam and are quite harmless, at times it can lead to embarrassing situations".

"As most of these social networking sites are used for business networking and friendship, it is not possible for Internet Service Providers (ISPs) to block these sites. The best option is to put in good firewalls at the user's level," he said.
So the next time you log on to a social networking site, an invitation to join the site has gone to your super boss on your behalf. But without your knowledge!

June 6, 2008

ALERT: IS YOUR VOTE COMPROMISED?

Despite millions of calls to switch back to strictly paper ballots, lawmakers have still not heeded the calls and warnings of computer experts. It came to my attention this Friday that in Pinellas County, Florida, a duo of viruses was introduced to the network of ballot stations, bringing into question the validity of the vote.

Two pieces of malicious software were recently discovered on voting stations across Pinellas County. The two bugs, known as Flush.G and W32.SillyDC, work in tandem and go from computer to computer redirecting Internet browsers to sites the user hasn't selected, officials said. The worm is carried through removable media like USB drives, is easily detected and, officials say, rather harmless.

Pinellas Deputy Supervisor of Elections Rick Becker said the worm isn't the kind of Trojan horse that would be used to corrupt a computer voting system and was unsure just where it came from.

Many e-voting companies love to market the security of their products, stating that since they are not connected to an external internet, they are exempt from exploitation. However, a proof of concept attack was done by Princeton students against the Diebold voting machines. In this attack, they introduced a virus which self-propagated throughout the systems and switched votes from candidate A or candidate B, and gave them to candidate C.

Are you tired of feeling like your vote doesn't matter? Write to your state or local congressman and encourage them to switch to strictly paper voting.

June 4, 2008

University Students Scammed- Is your info secure?

A data breach at United Healthcare Services Inc. has led to a rash of identity-theft crimes at the University of California, Irvine.

So far, nearly 155 medical students have had their information stolen. The attackers stole the Social Security numbers from an internal database. This breach affects nearly 1300 students, putting them at risk for credit card fraud as well as tax scams. So far, the spammers have stolen 155 students' tax returns.

"In February, the police began getting reports from graduate students that when they filed their income tax returns, they were being told that their returns had already been filed using their Social Security numbers," she said.

So all that the attacker needed was a simple set of numbers, and they took students for hundreds, even thousands of dollars. All because of crappy security measures.

This is why people, This is why.

Checklist to ask your school IT department
[] What security measures do you have in place for physical IT infrastructure?
[] What security measures are in place to ensure the confidentiality of my information?
[] If there is an unapproved access of my information, how promptly will I be notified?
[] Do you have set guidelines for partners of the university to follow in virtual exchanges?
[] WHO has access to my information and WHEN/WHY can they access it?

HP Support Hacked! UPGRADE NOW!

A customer support application that comes bundled with HP PCs has been found to harbour multiple security vulnerabilities.

The pre-installed software is designed to make it easy for users to keep drivers and HP software automatically updated. But flaws in ActiveX components within HP Instant Support give rise to multiple vulnerabilities that lend themselves to drive-by download malware attacks in cases where Windows users running the vulnerable software stray onto insecure or hacker controlled websites, CSIS Security Group warns.

HP Instant Support HPISDataManager.dll version 1.0.0.22 and earlier are vulnerable. Users need to upgrade to version 1.0.0.24 as explained in a security bulletin from HP here.

A CSIS advisory containing proof of concept demos of the flaws can be found here. And there's an easy to digest bit from Secunia here.

It's not the first trouble HP has had with rogue ActiveX controls in its pre-installed utilities. In December last year two ActiveX bugs created a mechanism for hackers to either thrash or inject hostile code onto HP PCs running either HP Software Update or HP Info Center, respectively.

June 2, 2008

Microsoft wants your Opinion?

In the continuing effort to improve computer and network security, Microsoft has developed the End to End Trust initiative. As a part of that initiative, Microsoft is seeking input from users and information security professionals to help answer the questions that need to be addressed in order to evolve computer security, such as "How should we enhance security on the Internet without undermining social values, such as privacy and anonymity?" There are more questions to be answered in the End to End Trust Forums. Scott Charney, Microsoft's Corporate Vice President of Trustworthy Computing, has developed a white paper entitled Establishing End to End Trust which provides more details on Microsoft's vision.

While it is not beyond the stretch of a reasonable person's imagination that a giant of the industry would want to keep its users secure, the employees and designers of Microsoft have shown a lack of willingness to address serious security issues, and wrap every tiny piece of security as the next big step in computing, rather than the required software that all of this should have been back in Windows 98. It seems that every time Microsoft attempts security, it undoubtedly blows up in its face. So I would encourage you to voice your opinion to Microsoft: let them know you value your security, as well as your wallet.

June 1, 2008

Alert: LinkedIn Scams Rampant

Have you heard of the professional networking site LinkedIn? Well, a number of professional users (including myself) have been using this site to increase their job prospects, clientele, and associates. It seems that more and more, professional scam artists are trying to prey on the unsuspecting users of LinkedIn. It seems that common sense isn't all that common. Just because someone has a LinkedIn profile doesn't mean that they are trustworthy.

Unsuspecting professionals, driven by the urge to make quick millions off of a simple transaction, willingly turn over their bank information to a person who has made their acquaintance online. Why? Well, the scammers are using a '419 scam'. What happens is the attacker claims to have inherited or claimed a large sum of money, and is willing to give you a large fee to deposit the newly acquired funds into a US bank account.

The best possible way to prevent this kind of attack is to: (A) only accept mail from people you know, or who have a related interest; (B) never execute any financial transactions based solely upon knowledge received via virtual communications, be it email, social networking, or other communications. Unless you know the person, don't allow someone access to your account.

May 30, 2008

Is your cell phone vulnerable?

Recently, it was disclosed that a malformed JPEG image could allow a remote attacker to execute arbitrary commands on Motorola RAZR phone firmware.

A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.

So some user interaction is required — accepting the MMS. However, people by and large generally trust image files so that isn't a difficult social engineering challenge.

Perhaps we'll see this JPEG exploit used to simplify unlocking older Razrs. Jailbreaking the iPhone was simplified by a TIFF handling exploit after all.

However, next time that cute chick you met on MySpace sends you a "picture", think twice about opening it.

May 24, 2008

Wordpress SQL injection

Today it came out that there is yet another SQL injection in WordPress blogs.

The exploit targets the WordPress plugin Upload File and allows an attacker to execute an arbitrary command on the hosting machine. If you host your blog locally, this is an enormous problem! The exploit (discovered by a Russian hacker, http://eserg.ru) is one of a myriad of security issues recently exposed by hackers, leaving bloggers worldwide vulnerable.

What is an arbitrary command?
This is when an attacker is able to exploit a security vulnerability in a program to execute commands on YOUR computer. For example, in this case, by simply executing this SQL query
null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*
on your server, he is able to add/remove users, delete files, and install any number of viruses.

Be on the lookout in the next week for a patch from www.wordpress.com/www.wordpress.org
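While waiting for a patch, a site owner can look for this query shape in web server logs. The following is an added example, not code from the original post or from WordPress: it strips the `/**/` comment padding used in the query above before matching, and the log lines, the path `/example.php` and the parameter name `param` are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines; path and parameter name are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2008:10:01:02 +0000] '
    '"GET /?s=student+union+elections HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/May/2008:10:01:05 +0000] '
    '"GET /example.php?param=null/**/union/**/all/**/select/**/'
    'concat(user_login,0x3a,user_pass)/**/from/**/wp_users/* HTTP/1.1" 200 812',
    '203.0.113.9 - - [24/May/2008:10:01:09 +0000] '
    '"GET /example.php?param=null%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F'
    'user_pass%2F%2A%2A%2FFROM%2F%2A%2A%2Fwp_users HTTP/1.1" 200 640',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)    # /**/ used instead of a space
TRAILING_COMMENT = re.compile(r"/\*.*$", re.S)     # unterminated /* at the end
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
CRED_NAMES = re.compile(r"\b(?:wp_users|user_login|user_pass)\b")


def normalise(value):
    """Replace SQL comments with spaces, collapse whitespace, lower-case."""
    text = INLINE_COMMENT.sub(" ", value)
    text = TRAILING_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def classify(value):
    """Return the list of findings for one already URL-decoded parameter value."""
    norm = normalise(value)
    findings = []
    if UNION_SELECT.search(norm):
        findings.append("union-select")
    if CRED_NAMES.search(norm):
        findings.append("wp-credential-columns")
    return findings


def scan(lines):
    """Return (line number, parameter name, findings) for suspicious requests."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl URL-decodes each value, so %2F%2A%2A%2F becomes /**/ here.
        for name, value in parse_qsl(query, keep_blank_values=True):
            findings = classify(value)
            if findings:
                hits.append((number, name, findings))
    return hits


if __name__ == "__main__":
    for number, name, findings in scan(SAMPLE_LOG):
        print(f"line {number}: parameter {name!r}: {', '.join(findings)}")
```

Matching log lines is a way to notice attempts, not a fix; the fix is the plugin update.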

May 23, 2008

Vulnerabilities in the Tennessee Valley Authority Power Grid

In a recent disclosure, the US Government Accountability Office (GAO) makes the following statement.

"Until the TVA fully implements these security program activities, it risks disruption of its operations as the result of a cyber incident, which could impact its customers," the GAO says. TVA delivers electricity to an area that includes most of Tennessee and parts of Alabama, Georgia, Kentucky, Mississippi, North Carolina and Virginia -- an area with a population of 8.7 million people.

The Authority's power grid is essentially not separate from its corporate network. The latter is rife with vulnerabilities, including faulty hardware, machines without anti-virus, poorly patched control systems and a myriad of other issues. The network has "limited intrusion detection" and ineffective management. Basically, if you happened upon a wireless access point, with WEPCrack you have access to the world's largest public power grid.

I find this to be disgusting, and an absolute slap in the face for the IT community. How hard is it, admins, to set a 14 digit pass code, configure a router, or even mass install a freaking Anti-Virus? Remember, people depend on you for their livelihoods- take the responsibility seriously.

May 18, 2008

VOIP Cellphone Security

It's happened to all of us. You're busy, walking through a busy area, talking on your cellphone, when suddenly you get the option to switch to Wi-Fi and save those crucial peak hour minutes. Of course you do! So you switch over, and then gloat about being able to do so to your friend on the other line.
So you think you are the best of the geeks?

What you didn't know, was that the router you just connected to was a fake. Well, technically it was real, however- you gave up any right to privacy when you connected. The administrator of the server has installed software on his server, that will allow him to see all of your calls- bye-bye privacy. When a hacker was asked to demonstrate the methods he used, he explained it like this.

"You can see all the cell phones connected to the base station," he said. "You can't see calls, but people associated with the calls. You can also do location tracking. If you know somebody is on the network you can see how close to the base station they are."

That is possible because the subscriber identifier, which is basically the user identification number, can easily be seen on the traffic, although the identifiers are never supposed to be transmitted in plain text, he said. "I know exactly where you are on the network."

As far as localized calling goes, if you have any point in your company where an attacker can gain access to your network- You will find yourself compromised. While VOIP certainly reduces your phone bill,  initially you have to make up the costs in security implementations. Skype is relatively secure, while Vonage is absolutely open to exploitation.

May 15, 2008

Hi, I'm Here to fix your computer.

How many of us work in a hectic, stressed environment, where deadlines and bottom lines rule your workweek? In the course of a day, how many idiotic requests do you get to do seemingly mundane chores? How often has this happened?

You: {Bored and seeking an excuse to take a break}
Phone Repairman: "Hi, Corporate sent me over to do some work on your phone line"
You: "Oh, alright. About how long will it take?"
PR: "Ten minutes, twenty tops. I have some other stuff to do, so if you're busy I can come back during lunch"
You: "Alright, thanks!"

What happened here? You just gave a rival company full access to your office!
You: But he can't do anything! He doesn't have my password!
Me: *Hits you in the head*

Let's go through this. He could (in ten minutes)
A. Steal A Hard Drive
B. Install a Hardware Keylogger

In twenty Minutes
A. Do a Stealth Boot Onto Your Computer
B. Install Software Keylogger and Screen Capture Device
C. Comb through trade secret documents, and walk out with them unquestioned.
D. Confiscate Hidden Bank documents, Client Credit cards, Even Blackmail.

Would You Give A Thief A Key? Would You Give a Murderer A Knife?
            Would You Give A Meth Addict A Pipe?

You wouldn't do it with a Hacker either, 10% of Hacking is Intelligence: 89% is Persistence: And 1% Is Technological Prowess.

Hackers won't be the typical grungy teen whilst looking for information:

When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to co-operate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple “thank you” clinches the deal. And if that’s not enough, the new user routine often works too: “I’m confused, (batting eyelashes) can you help me?”



Need More Info/ Training?
Let Me Secure Your Network!
Gillis57@gmail.com

Or, If for some god-awful reason you actually want to know what I'm doing
twitter.com/Gillis57
gillis57.googlepages.com

April 29, 2008

Microsoft A Good Guy?

In a recent set of closed door meetings, Microsoft met with law enforcement officials to help solve a rash of crimes. Although Microsoft has generally gotten a bad rap for bullying opponents out of the marketplace, it seems all that consolidation of resources is finally paying off. They gave a tool to the officials that allows them to track botnets as they progress! How is this achieved, you may ask? By tracking your computer :) That's right: the Malicious Software Removal Tool is now identifying you to law enforcement as a part of a global botnet! Oh happy day! We don't know exactly what the name is, what technology it uses, or even if it really exists. The Microsoft spokesperson offered this explanation: "Although Microsoft is reluctant to give out details on its botnet buster -- the company said that even revealing its name could give cyber criminals a clue on how to thwart it"

All my indicators went off at that comment. It seems that Microsoft is now engaging in the propaganda market. We know who you are but we aren't going to do anything! Okay.

From a Microsoft White Paper:
With regard to phishing and spam, for example, it engaged in broad consumer education campaigns and worked on developing technological solutions such as phishing filters and SenderID. For both phishing and botnets, Microsoft began working more extensively with law enforcement to identify phishers and botnet herders in an attempt to create deterrent to such activity, even though the deterrent effect is limited by the current environment because it is hard to find offenders, and criminal penalties may be applied without sufficient force.

January 14, 2008

Hacker Safe?


Please, don't be lulled into a sense of false security just because a website has the hacker-safe logo on it. "Why not?" you ask me. BECAUSE- *DURRRRR* NOTHING IS HACKER SAFE. But why specifically? The hacker safe certification is a subscription program through various companies, and although your favorite "adult" website may be hacker safe when you register, this doesn't mean it will be two weeks down the road. What the companies do is test each registered website every day using an automatic program, and if they find problems they will tell the website. That's it: they don't fix it, force the website to take down the certification, nothing. They just say "Hey, there's a problem." Don't believe me?
Geeks.com is a $150 million company specializing in the sale of excess inventory and manufacturers' closeouts. Its Web site says that it is tested on a daily basis by ScanAlert Inc., which offers a service that constantly monitors sites for vulnerabilities.
But ScanAlert spokesman Nigel Ravenhill said via e-mail last week that the vendor, which is being acquired by McAfee Inc., had withdrawn its Hacker Safe certification from Geeks.com "several times" last year after finding vulnerabilities in the retailer's systems. Geeks.com fell out of compliance last June and again in December, he said.
The compromised information included names, addresses, telephone numbers and Visa credit card numbers, according to a copy of the letter posted on The Consumerist blog.
Now, what are the implications of this break-in? Am I telling you that you should be a paranoid schizo when doing business on the internet? DUH. A wise man once told me "Putting your credit card on the Internet is like putting your naughty parts in a wood grinder." Although it's not the most glamorous quote in the world, it's true. Listen to the man, don't stick your wah-wah in the wood grinder.

January 10, 2008

Calling All Hackers!

Digital Armaments January-February Hacking Challenge: Special 20.000$ Prize - Windows Vulnerabilities and Exploit
Challenge publication is 01.04.2008
http://www.digitalarmaments.com/challenge200801566321.html

I. Details
Digital Armaments officially announces the launch of the January-February hacking challenge.
The challenge starts on January 1. For the January-February Challenge, Digital Armaments will give a SPECIAL PRIZE of 20.000$ for each submission that results in an Exploitable Vulnerability or Working Exploit for Windows or Windows Diffuse Application. This should include example and documentation.
The submission must be sent during the January/February months and be received by midnight EST on February 29, 2008. The 20.000$ PRIZE will be an extra added to the normal vulnerability payment (check the DACP scheme).

Password Security

As well as having commentary and occasional how-tos from the dark side of security as well as white-hats, I am going to use this as somewhat of a venting forum for personal observations of idiocy. Okay, first let me say: passwords are not that hard to remember. Unless you have 8+ numbers, letters, and symbols in your password, it can very easily be shoulder surfed. Shoulder surfing is an act of seeming to be interested in one's meaningless conversation, in order to see them type their password. For businesses this can be especially nasty: while that young kid who seems to be so interested in your business plan is watching you log in to your systems, you are handing him the foothold to your bottom line. Solution? For 10 dollars you can prevent all would-be surfers: Monitor Mirror

Automated SQL Injection

If you're in a jam and need to know what this is fast, a SQL injection is defined as: a form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet.

Basically a SQL Injection allows an attacker to bypass security measures such as Logons, Admin Panels, and/or retrieve sensitive customer Data from your web-attached database. An example of a SQL injection would be:
statement := "SELECT * FROM users WHERE name = '" + userName + "';"
This would allow an attacker to pull up stats on a specified username.
What this most recent attack (Listed below) does is it can automatically run a series of common SQL Exploits to gain access to your server and run malicious code giving them access to any of your customer's computers. More to come later



Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend.
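The concatenated statement quoted earlier in this post is the insecure code that such attacks look for. The following is an added example, not code from the original post: it runs that statement next to a parameterised version against an in-memory SQLite database, and the table contents and the input string are constructed for illustration.

```python
import sqlite3

# Constructed input: the quote closes the string literal early, so the rest
# of the value is parsed as SQL instead of being compared as a name.
CONSTRUCTED_INPUT = "' OR '1'='1"


def make_db():
    """Build a throwaway in-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("O'Brien", "obrien@example.test"),
        ],
    )
    return conn


def lookup_concatenated(conn, user_name):
    """The pattern from the post: user input pasted into the SQL text."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterised(conn, user_name):
    """Hardened form: the driver passes the value separately from the SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE name = ?", (user_name,)
    ).fetchall()


def concatenated_breaks_on(conn, user_name):
    """True if the concatenated query fails to parse for this input."""
    try:
        lookup_concatenated(conn, user_name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal name: ", lookup_concatenated(db, "alice"))
    print("concatenated, crafted name:", lookup_concatenated(db, CONSTRUCTED_INPUT))
    print("parameterised, crafted name:", lookup_parameterised(db, CONSTRUCTED_INPUT))
    # A legitimate name with an apostrophe also breaks the concatenated form.
    print("concatenated fails on O'Brien:", concatenated_breaks_on(db, "O'Brien"))
    print("parameterised, O'Brien:", lookup_parameterised(db, "O'Brien"))
```

The parameterised query returns no rows for the crafted input and still finds the legitimate name containing an apostrophe, which the concatenated form cannot even parse.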
