Odd Magazine: Disinformation at Play?

July 9, 2010

Since the end of June, the media have been talking about a possible new magazine distributed by Al-Qaeda and promoted on various Islamic websites. One reason I was interested by this document was a message I read in some extremist forums saying it could contain viruses and spyware.

While searching I found two documents. Each had 67 pages and each seemed corrupted: the first three pages were readable, but the others contained only ASCII debris. I will not comment here on the content of the first pages; they have been sufficiently debated in the media.

My first surprise was that my PDF reader was able to open the files despite their appearing to be corrupted. At first, both files looked identical. On closely examining the first nonreadable page, I saw a difference: in one case, the top and bottom margins were visible. Inside, a filename and path puzzled me: C:\Users\m050\Desktop\ellenbca.pdf.

Searching the web for ellenbca.pdf, I discovered one interesting file: a document on the best cupcakes in America by someone named Dulcy Israel. (I’m not making this up!)

I also found a French blog post named «Al-Qaïda Magazine»: la manipulation dévoilée (in English: the disclosed trick). This post explained that New Yorker Lee Gillentine had analyzed the cupcake file and discovered that someone had opened it as an ASCII-encoded file in a Windows-based text editor, printed a PDF from that text editor, and then merged it with the first three pages of the so-called Al-Qaïda Magazine.

At first it seemed that only the white words on a black background were missing. But that is not really the case: each nonprintable ASCII character was replaced by its abbreviation. For example, hex 00 (NULL) followed by hex 18 (CANCEL) appears as NULCAN, shorthand for Null and Cancel. This pattern runs throughout the whole document.

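As an added illustration (not code from the original post), the Python snippet below shows how such a text editor renders a binary file: printable ASCII is kept and each control byte is replaced by its standard abbreviation, so hex 00 followed by hex 18 comes out as NULCAN. It also gives a quick density check that separates rendered binary from ordinary prose; the sample bytes are constructed, and showing bytes above 0x7F as '?' is an assumption.

```python
import re

# Standard ASCII abbreviations for the 32 control characters 0x00-0x1F, plus DEL.
ABBREV = dict(enumerate((
    "NUL SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI "
    "DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US").split()))
ABBREV[0x7F] = "DEL"

def render_as_editor(data: bytes) -> str:
    """Show bytes the way the Windows text editor in the post did: printable
    ASCII is kept, every control byte becomes its abbreviation. Bytes above
    0x7F are shown as '?' (an assumption; the post does not say how they appear)."""
    out = []
    for b in data:
        if b in ABBREV:
            out.append(ABBREV[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("?")
    return "".join(out)

# Longest names first, so that "SOH" is tried before "SO".
_TOKEN = re.compile("|".join(sorted(ABBREV.values(), key=len, reverse=True)))

def control_name_density(text: str) -> float:
    """Fraction of the text covered by control-character names. Rendered
    binary scores high; readable prose scores near zero."""
    covered = sum(len(m.group()) for m in _TOKEN.finditer(text))
    return covered / len(text) if text else 0.0

# Constructed sample: a PDF header followed by a few bytes of binary stream data.
SAMPLE_PDF_BYTES = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\x00\x18\x00\x18stream\x00\x1b"
```

Running the density check over each page of the "corrupted" document would show the same pattern the post describes: the unreadable pages are a binary file shown as text, not a damaged PDF.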
My searches also turned up a possible newspaper with a title and a font very similar to the one I investigated. Found on a web page containing garbage HTML code with Al-Qaeda references, this second discovery left me wondering.

Despite the noise around this assumed Al-Qaeda document, I am unconvinced of its origin. I doubt it is a terrorist creation. Cybercrime and political hacktivism have invaded the Internet, but disinformation can also be a powerful force.


Pakistani National Response Center for Cyber Crimes… Hacked!

January 8, 2010

It seems to be the season for defacements and hacktivity. The week began with the Cross Site Scripting attack on the Spanish EU website and the defacement hack of Iranian President Ahmadinejad’s Official site and it closes with a high profile hack of the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority.

The web site was compromised and defaced as shown below.

Unfortunately for the Pakistani FIA, though, this attack appears to go beyond a simple defacement. The hacker “zombie_ksa” also states on the defaced page:

your whole database and e-mails are leaked …. i was really excited to read, see what the f__k is private in here lOl

At first glance this could well seem like idle l33t H4×0r bragging, so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said:

“I was Browsing! today Propakistani.pk So i saw post about” how to register complaint with fia cyber crime”! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!”

The hacker then posted two screenshots: one of the hacked site and a second one, below, demonstrating his access to their email database (I have sanitised the email addresses here).

Screen shot posted by the hacker

So it seems that, from an amateur penetration test, a hacker has access to at least the full email database, and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.

Any organisation holding material this sensitive should, as a priority, make sure all Internet-facing servers are hardened and fully patched. The servers should also be audited regularly, preferably daily, for evidence of new vulnerabilities as they arise. Web application firewalls should be used to detect and block anomalous or malicious behaviour.

But perhaps most importantly, emails dealing with matters this sensitive should not be connected with, or stored on, your public web server, and they should always be stored in a secure encrypted format.


Iranian President Ahmadinejad Official web site compromised

January 5, 2010

Hot on the heels of the Cross Site Scripting attack on the Spanish EU Presidency site, the official web site of President Ahmadinejad of Iran appears to have also been compromised.

The site www.ahmadinejad.ir, otherwise known as “Mahmoud Ahmadinejad – The Official Blog – Tehran, Islamic Republic of Iran”, has been compromised and is currently hosting a file called “owned.txt” at the URL http://www.ahmadinejad.ir/userfiles/file/owned.txt. UPDATE: The file has now been removed; see the screen capture below.

Screen capture from compromised site

The file says:

“Dear God, In 2009 you took my favorite singer – Michael Jackson, my favorite actress – Farrah Fawcett, my favorite actor – Patrick Swayze, my favorite voice – Neda.
Please, please, don’t forget my favorite politician – Ahmadinejad and my favorite dictator – Khamenei in the year 2010. Thank you.”


The reference to “favorite voice” probably refers to Neda Agha-Soltan, who was shot dead during the 2009 Iranian election protests.

No further details are yet available on how the compromise was effected or who is responsible; if more information comes to light I will update this blog post.


Twitter (not) hacked by Iranian Cyber Army

December 18, 2009

UPDATE: I was asked to talk to Channel 4 news in the UK about this incident this evening and they have been good enough to share the full content of my interview and a subsequent interview on the same subject with Tim Stevens from King’s College London.

_________________________________________________________________________________________
Original post:
Banner from hacked site

At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony?). The site was affected for the best part of an hour.

Full hacked page

The initial attack has left many users confused, with a widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says:

“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”

This kind of DNS hijacking usually involves compromising the registrar responsible for the victim company’s DNS records; the attackers then make unauthorised changes to those records. As a result, when you or I type the web site address into our browsers, we are directed not to the real web site but to a second site set up by the hackers, in this case the “Iranian Cyber Army”. The net effect is that it looks as though servers belonging to Twitter were compromised, when in reality that was not the case.

These sorts of attacks are usually limited to hacktivism like today’s, but imagine the potential for criminals if they could pull this off against any site requiring login credentials, such as PayPal, eBay, MSN or Facebook. One has to wonder how quickly the attack would be noticed if the dummy site were an exact replica of the victim, there simply to harvest credentials and then redirect the user to the real site. This attack is called pharming; at present it mostly happens as a result of local malware modifying individual PCs rather than through the compromise of global DNS records, but the potential is demonstrably there. Companies should monitor their DNS resolution from several servers so that they become aware as early as possible when this kind of attack takes place.

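The monitoring recommended above can be done with a small script. The example below is added here and is not code from the original post or from Twitter: it builds a raw DNS A query, parses the A records out of a reply, and flags any resolver whose answer contains an address outside the set the organisation publishes for itself. The name example.com, the baseline addresses, the canned reply and any resolver addresses you pass to query_resolver are all constructed for the example.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal RFC 1035 A/IN query with the RD flag set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    """Offset just past a domain name; a 2-byte compression pointer ends it."""
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp):
    """Set of IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4            # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def query_resolver(resolver_ip, name, timeout=2.0):
    """Ask one resolver over UDP/53; run this against several resolvers and compare."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        return parse_a_records(sock.recv(512))

def divergent_resolvers(expected, observed):
    """Map each resolver that returned an address outside the published set to those addresses."""
    return {r: ips - expected for r, ips in observed.items() if not ips <= expected}

# Constructed reply (not a real capture): one legitimate address plus one that was never published.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("198.51.100.7")
)
EXPECTED = {"192.0.2.10", "192.0.2.11"}   # constructed baseline for example.com
```

In practice the observed dict is filled by calling query_resolver against resolvers in different networks; a single resolver that diverges points at cache poisoning, while all of them diverging at once points at the registrar-level change described above.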
Twitter was not the only web site affected by this compromise; a quick search revealed one other site displaying the same content.

Google search result

When it comes to attacking high profile targets, it is often the registrar that is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months”.

If attacks like this can be said to serve any purpose at all, then perhaps it is as a reminder that we all need to make sure our business partners meet our own high security standards, and that holds in both the online and offline worlds.

