January 8, 2010
It seems to be the season for defacements and hacktivity. The week began with the Cross Site Scripting attack on the Spanish EU website and the defacement hack of Iranian President Ahmadinejad’s Official site, and it closes with a high profile hack of the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority.
The web site was compromised and defaced as below

Unfortunately for the Pakistani FIA though this attack appears to go beyond a simple defacement. The hacker “zombie_ksa” also states on the defaced page:
“your whole database and e-mails are leaked …. i was really excited to read, see what the f__k is private in here lOl”
At first glance this could well seem like idle l33t H4x0r bragging so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said:
“I was Browsing! today Propakistani.pk So i saw post about” how to register complaint with fia cyber crime”! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!”
The hacker then posted two screen shots: one of the hacked site and a second, below, demonstrating his access to their email database (I have sanitised the email addresses here).

Screen shot posted by the hacker
So it seems that, from an amateur penetration test, a hacker has access to at least the full email database, and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.
Any organisation holding material this sensitive should, as a priority, make sure all Internet-facing servers are hardened and fully patched. The servers should also be audited regularly, preferably daily, to look for evidence of new vulnerabilities as they arise. Web application firewalls should be used to detect and block anomalous or malicious behaviour.
But perhaps most importantly, emails dealing with matters this sensitive should not be connected with, or stored on, your public web server, and they should always be stored in a secure encrypted format.
Posted by Rik Ferguson
January 6, 2010
On the 1st of January this year German employers became subject to a new legal requirement, one that has their own Data Protection Authorities, Trade Unions and Civil Rights groups appalled.

ELENA knows where you live.
From the beginning of 2010 every German employer must submit detailed information on a monthly basis to the so-called ELENA database. ELENA is an acronym for Elektronischer Entgeltnachweis, which loosely translates to Electronic Payslip. This sounds innocent enough until you consider exactly what information employers are obliged to provide.
The information will cover every worker’s salary, all absenteeism and their participation in strike action, whether legal or illegal. This data is to be submitted to a central hub and from 2012 it will be used to determine whether to pay out or refuse social benefits. Plans are in place to relieve employers of the necessity of printing paper-based pay statements for their employees and instead to issue each worker with a plastic “jobcard”, again by 2012. This card would then need to be produced should the holder ever need to apply for benefits, allowing for data retrieval to determine eligibility.
Peter Schaar, the German Information Commissioner, is reported as saying:
“I’ve got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed.”
My own (German) wife’s reaction to this news was more succinct: “I thought these people had agreed that the Stasi was a bad thing?”. The German blogs I could find seemed to be equally opposed to the idea.
For now though, the legislation has entered into force and the reporting has begun. We can only hope that appropriate measures have been taken to store the data in a secure location, using appropriate encryption, that the data entry and retrieval mechanisms are protected with strong encryption and multi-factor authentication and that the appropriate organisational policies and procedures have been put in place to protect this highly sensitive data.
It is an absolute certainty that a centralised data repository of this size and significance will attract the hacking and cracking attentions of criminals, script-kiddies and “hobbyists” alike.
January 5, 2010
Hot on the heels of the Cross Site Scripting attack on the Spanish EU Presidency site, the official web site of President Ahmadinejad of Iran appears to have also been compromised.
The site www.ahmadinejad.ir, otherwise known as “Mahmoud Ahmadinejad – The Official Blog – Tehran, Islamic Republic of Iran”, has been compromised and is currently hosting a file called “owned.txt” at the URL http://www.ahmadinejad.ir/userfiles/file/owned.txt. UPDATE: The file has now been removed, see screen capture below.

The file says:
“Dear God, In 2009 you took my favorite singer – Michael Jackson, my favorite actress – Farrah Fawcett, my favorite actor – Patrick Swayze, my favorite voice – Neda.
Please, please, don’t forget my favorite politician – Ahmadinejad and my favorite dictator – Khamenei in the year 2010. Thank you.”
The “favourite voice” is probably a reference to Neda Agha-Soltan, who was shot dead during the 2009 Iranian election protests.
No further details are yet available on how the compromise was effected or who is responsible; if more information comes to light I will update this blog post.
January 5, 2010
As reported by Reuters and the BBC, the official website set up by the Spanish government to mark its six-month presidency of the EU was briefly compromised yesterday afternoon.

Image Courtesy of El Mundo
Mischievous hackers reportedly took advantage of Cross-Site Scripting (XSS) vulnerabilities on www.eu2010.es and replaced an image of Spanish Prime Minister Jose Luis Rodriguez Zapatero with the smiling face of Rowan Atkinson in his Mr. Bean guise, complete with friendly greeting “Hi there!” Perhaps the hackers were hoping the attack would go unnoticed, as apparently there is a physical resemblance between Mr. Zapatero and Mr. Bean (of course I couldn’t possibly comment). The compromise only lasted a few hours until the original content was restored; by 4pm GMT yesterday afternoon, the site administrators were reportedly working on a fix.
In this instance there does not appear to have been any malicious intent, but the dangers of XSS vulnerabilities should not be underestimated. Cross Site Scripting vulnerabilities allow attackers to inject code into innocent web pages in which it would not otherwise appear. This can be used to steal information such as logins or banking credentials, redirect users to malicious web sites or even to directly infect visitors to the site. The real problem is that many web site admins are unaware of the dangers, and even some security companies continue to underestimate and downplay the importance of XSS vulnerabilities and attacks.
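The reports do not say which page or parameter on www.eu2010.es was affected, so the following is an added example (not code from that site) built on a hypothetical search-results template. It shows how a request parameter reflected without output encoding puts foreign markup into a page, and how encoding the same value keeps it as inert text; all function names and the sample input are constructed.

```javascript
// Added example: a constructed search-results template, not code from eu2010.es.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: the request parameter is copied into the response verbatim,
// so markup supplied in the URL becomes part of the page the visitor sees.
function renderVulnerable(query) {
  return `<h1>Results for ${query}</h1>\n<input name="q" value="${query}">`;
}

// Hardened: identical template, but each reflection is output-encoded.
function renderSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1>\n<input name="q" value="${q}">`;
}

// Tag names the page's own template is expected to contain.
const TEMPLATE_TAGS = new Set(['h1', 'input']);

// Review/test helper: list opening tags that did not come from the template.
// A regex scan is enough for this fixed template; it is not a general HTML parser.
function foreignTags(html) {
  const found = [...html.matchAll(/<([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  return [...new Set(found.filter((name) => !TEMPLATE_TAGS.has(name)))];
}

// Constructed input: a foreign image tag, as in the image swap described above.
const SAMPLE = '<img src="https://example.invalid/other.jpg" alt="Hi there!">';

console.log(foreignTags(renderVulnerable(SAMPLE))); // [ 'img' ]
console.log(foreignTags(renderSafe(SAMPLE)));       // []
```

A check like `foreignTags` fits naturally into a regression test for each template, so a reflection that loses its encoding is caught before deployment.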
On an interesting side note, El Mundo also reported recently that more than 12 million Euros had been spent on “technical assistance and security for the website of the Spanish Presidency [of the EU]”. Again, I couldn’t possibly comment, but SecureSite and Web Application Security are both an awful lot cheaper than that…