The Tech Herald’s Analysis of the Stratfor Password List

By Mike S

Just before the holiday weekend, as their final act of defiance in 2011, AntiSec supporters published nearly a million records taken during the Christmas Eve attack on Strategic Forecasting Inc. The Tech Herald has examined the list of 860,160 password hashes that were leaked, and the results of our tests were both expected and pitiful.

We’re sorry to report that the state of password management and creation is still living in the Dark Ages.

via Report: Analysis of the Stratfor Password List.

The first half of the report describes their methodology, and the latter half describes the passwords they’ve cracked.

Do your employees or customers use passwords like these? How do you know?

Posted in Compliance, News | No Comments | January 3rd, 2012

Antisec hits private intel firm; millions of docs allegedly lifted

By Mike S

In another great example of What Not To Do, the intelligence firm Strategic Forecasting, Inc, apparently made no attempt whatsoever to comply with PCI DSS.

via Antisec hits private intel firm; millions of docs allegedly lifted:

Antisec breached Stratfor’s networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chat. But that’s just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information—up to 200GB worth, in parts throughout the week leading up to New Year’s Eve. That trove allegedly includes 860,000 usernames, e-mails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no-card-present transactions; and over 2.5 million Stratfor e-mails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.

[...]

According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

So they stored the card security code (which PCI DSS prohibits retaining after authorization), stored the entire credit card number unencrypted, hashed passwords with plain MD5, disabled the security features built into the software they were using, and left everything wide open.

Very Bad Practice.
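Both the Tech Herald analysis above and this post come back to the same point: a plain, unsalted MD5 password store is only a wordlist away from being plaintext. The block below is an added example, not code from Stratfor, Ubercart or The Tech Herald, showing why: it runs a small wordlist against a constructed dump of username:md5 pairs, shows how equal hashes expose users who share a password, and contrasts that with a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library). The dump, the wordlist and the iteration count are all assumptions.

```python
"""Added example (not from The Tech Herald report or the Stratfor code):
why an unsalted MD5 password store falls to a wordlist, and what a
salted, iterated hash changes. All sample data below is constructed."""
import hashlib
import hmac
import os

# Constructed sample: a tiny wordlist. Real ones have millions of entries.
WORDLIST = ["123456", "password", "stratfor", "letmein", "qwerty", "Tr0ub4dor&3"]


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed "leaked dump" in the shape of the real one: username -> md5 hex.
LEAKED_MD5 = {
    "alice": md5_hex("password"),
    "bob": md5_hex("stratfor"),
    "carol": md5_hex("password"),              # same password as alice
    "dave": md5_hex("c0rrect-h0rse-battery"),  # not in the wordlist
}


def crack_unsalted_md5(dump, wordlist):
    """Hash the wordlist once, then look every user up in that table.
    Cost is len(wordlist) + len(dump) hashes however many users there are,
    because nothing in the scheme is per-user."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def duplicate_hash_groups(dump):
    """Unsalted hashing leaks equality: users who chose the same password
    share a hash, so cracking one of them cracks the whole group."""
    groups = {}
    for user, h in dump.items():
        groups.setdefault(h, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Salted, iterated alternative. ITERATIONS is an assumption; tune it so a
# verification costs tens of milliseconds on your hardware.
ITERATIONS = 100_000


def make_record(pw):
    """Store (salt, digest). A fresh random salt per user means two users
    with the same password get different digests."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def verify(record, pw):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records, wordlist):
    """With per-user salts there is no shared lookup table: every candidate
    word must be re-hashed for every user. Returns (cracked, hashes_computed)
    so the work can be compared with the unsalted case."""
    cracked, work = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            work += 1
            if verify(rec, w):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted md5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    print("users sharing a hash:", duplicate_hash_groups(LEAKED_MD5))
    salted = {u: make_record(p) for u, p in [("alice", "password"), ("dave", "c0rrect-h0rse-battery")]}
    print("salted pbkdf2 cracked, work:", crack_salted(salted, WORDLIST))
```

The salted scheme still yields "alice", because "password" is in any wordlist; what changes is that the attacker pays one slow hash per user per candidate instead of one fast hash per candidate for the whole dump, and carol's identical password is no longer visible from the hashes alone.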

Posted in Compliance, Security | No Comments | December 30th, 2011

Metasploit For The Masses

By Mike S

This could be quite useful:

Two years after Rapid7 acquired the Metasploit Project, the company has rolled out a free and more user-friendly version of the open-source tool that is aimed at less technical users.

The new Metasploit Community Edition is a combination of the popular open-source Metasploit Framework and a basic version of the user interface of Rapid7's Metasploit Pro commercial product.

via Metasploit For The Masses – Dark Reading.

Posted in Compliance | No Comments | October 22nd, 2011

Strange But True Penetration-Testing Stories – Dark Reading

By Mike S

Ah, the fun of legitimate penetration…

‘Hacker’ gets kudos from his financial services victim, as in-house security cameras go rogue and steal users’ credentials

via Strange But True Penetration-Testing Stories – Dark Reading.

Posted in Compliance, Security | No Comments | October 18th, 2011

Startup To Launch New Brand Of SaaS For Post-Incident Response

By Mike S

This looks like a very handy new service:

A startup that will officially come out of stealth mode on Wednesday has built a software-as-a-service offering for organizations to handle the mostly manual processes involved in responding to a data loss breach.

The firm’s new SaaS offering encompasses event preparedness; data event analysis; liability assessment; and incident response workflow.

The only problem I see is the pricing scheme: a 90-day free trial, then $450 per month, with the customer choosing a plan based on how many data-loss incidents they expect each year.

How many companies can accurately (or honestly) predict an annual DLI rate? I suppose that if they are able to track how many they experience, they could trend and estimate.

But in that situation, I’d say they have pretty severe data control problems.

via Startup To Launch New Brand Of SaaS For Post-Incident Response – Dark Reading.

Posted in Compliance | No Comments | September 12th, 2011

Summer Time Fraud » client k

By Mike S

client k weighs in on the benefits of job rotation and mandatory vacation to detect fraudulent employee activity:

"The profile of a typical fraudster is a long serving, trusted employee, who works long hours and is reluctant to take their annual leave. Without doubt, one of the most simple and cost-effective anti-fraud measures is to ensure employees take at least two consecutive weeks holiday."

via Summer Time Fraud » client k.

Posted in Compliance, Security | No Comments | August 27th, 2011

Workarounds Issued For ‘Apache Killer’ Attack

By Mike S

"By sending specially crafted HTTP requests which include a malformed Range HTTP header, an attacker can disrupt the normal function of the web server, thus preventing legitimate users from receiving responses from the web server," the team's advisory says. "This issue affects all Apache software versions and a patch has not been released yet."

You can bet this’ll appear on your next external PCI scan.
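Until the patch lands, the practical question is whether you can see these requests in your own traffic. The block below is an added example, not part of the Dark Reading article or the Apache advisory: detection logic for the request shape the advisory describes, a Range header carrying an abnormal number of byte ranges, run over a few constructed Apache-style log lines whose last field is the Range request header. The range-count threshold, the log format and the sample lines are all assumptions.

```python
"""Added example (not from the Dark Reading article or the Apache advisory):
flag requests whose Range header is malformed, carries more byte ranges than
a legitimate client would send, or asks for overlapping ranges. The log format
and sample lines are constructed; MAX_RANGES is an assumption."""
import re

MAX_RANGES = 5  # assumption: download managers send a handful of ranges at most
RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)
# Constructed log shape: client, quoted request line, quoted Range header
# (as Apache's %{Range}i would print it, "-" when absent).
LOG_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


def parse_ranges(header_value):
    """Return [(start, end)] with None for an open end.
    Raises ValueError on anything outside byte-range-set syntax."""
    m = RANGE_RE.match(header_value)
    if not m:
        raise ValueError("not a bytes= range")
    specs = []
    for part in m.group(1).split(","):
        part = part.strip()
        if part.count("-") != 1:
            raise ValueError(f"bad range-spec {part!r}")
        first, last = part.split("-")
        if not first and not last:
            raise ValueError("empty range-spec")
        start = int(first) if first else None
        end = int(last) if last else None
        if start is not None and end is not None and start > end:
            raise ValueError(f"start after end in {part!r}")
        specs.append((start, end))
    return specs


def count_overlaps(specs, content_length):
    """Number of range pairs that cover at least one byte in common."""
    spans = []
    for start, end in specs:
        if start is None:  # suffix range: the last `end` bytes
            start, end = max(0, content_length - end), content_length - 1
        elif end is None or end >= content_length:
            end = content_length - 1
        spans.append((start, end))
    return sum(
        1
        for i in range(len(spans))
        for j in range(i + 1, len(spans))
        if spans[i][0] <= spans[j][1] and spans[j][0] <= spans[i][1]
    )


def assess(header_value, content_length=1_000_000):
    """Return (suspicious, reason). content_length is an assumed size; a real
    filter would take it from the resource being served."""
    try:
        specs = parse_ranges(header_value)
    except ValueError as exc:
        return True, f"malformed: {exc}"
    if len(specs) > MAX_RANGES:
        return True, f"{len(specs)} ranges (limit {MAX_RANGES})"
    overlaps = count_overlaps(specs, content_length)
    if overlaps:
        return True, f"{overlaps} overlapping range pair(s)"
    return False, "ok"


def scan_log(lines):
    """Return [(client, reason)] for every line whose Range header is suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, _request, range_hdr = m.groups()
        if range_hdr == "-":
            continue
        suspicious, reason = assess(range_hdr)
        if suspicious:
            hits.append((client, reason))
    return hits


# Constructed sample: a resumed download, a suffix request, no Range, and a flood.
SAMPLE_LOG = [
    '203.0.113.5 "GET /report.pdf HTTP/1.1" "bytes=500000-"',
    '203.0.113.6 "GET /report.pdf HTTP/1.1" "bytes=-1024"',
    '203.0.113.7 "GET /index.html HTTP/1.1" "-"',
    '198.51.100.9 "HEAD /index.html HTTP/1.1" "bytes=0-,0-1,0-2,0-3,0-4,0-5,0-6,0-7"',
]

if __name__ == "__main__":
    for client, reason in scan_log(SAMPLE_LOG):
        print(client, reason)
```

Legitimate multi-range requests exist (resuming a download, fetching a PDF's cross-reference table), so treat a hit as a reason to look at the client, not as proof of attack; the same parse-and-count logic can sit in front of the server and strip the Range header from requests that fail it.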

via Workarounds Issued For ‘Apache Killer’ Attack – Dark Reading.

Posted in Compliance, Security | No Comments | August 25th, 2011

Common Vulnerabilities Expose Sarah Palin, Bill O'Reilly's Paying Fans

By Mike S

So again: Palin's Yahoo account was hacked because its password-retrieval questions had publicly known answers; a back-end page left outside the access controls, a common and well-known class of flaw, exposed users on O'Reilly's site; and password reuse by those users exposed their other personal accounts.

On September 19, 2008, hackers from the Anonymous collective attacked the website of Fox News host Bill O’Reilly. The hackers found and immediately posted e-mail addresses, passwords, and physical addresses of 205 O’Reilly site members paying $5 a month to hear Bill’s wisdom. The next day, a distributed denial of service (DDoS) attack hit the site with 5,000 packets per second. That night, another attack flooded two O’Reilly servers with 1.5GB/s of data.

[...]

The attack itself wasn’t particularly clever, but it was effective. Billoreilly.com’s administrative interface was protected by a servlet that locked down access to all back-end material, but the site administrator made one small mistake: he once created a “New premium member report” showing a list of the most recent subscribers, and he created it in such a way that it bypassed the servlet. As later FBI interview notes show, this was “just an error”—but it made the new member report available outside the secure admin structure to someone who knew the location.

[...]

The attackers took the name at the top of the list, an account registered only one hour before, and used it to log into the O’Reilly site as a check of the data’s accuracy. The information was then posted to Wikileaks and discussed on 4chan. Three O’Reilly members who had used the same password on multiple other sites experienced additional fraudulent use of that information.

The article doesn't say whether the part of Bill's site that was hacked held cardholder data, so I don't know whether this counts as a breach meriting PCI DSS penalties. But it'd be quite embarrassing for Bill if his site now has to post the "We've been hacked!" banner.
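The mistake the FBI notes describe, a report page created outside the servlet that guarded everything else, is worth seeing in code, because it is the predictable result of protection that has to be remembered per page. The block below is an added example, not code from billoreilly.com or the Ars Technica article: a tiny in-process router where admin pages are protected by an opt-in wrapper and one report was built without it, beside a default-deny front controller that guards every path under /admin/ regardless of how the handler was written, plus an audit that lists protected-prefix routes lacking the wrapper. Routes, roles and requests are constructed.

```python
"""Added example (not code from billoreilly.com or the Ars Technica article):
opt-in per-handler authorisation beside default-deny by path prefix.
All routes, roles and requests are constructed."""


def require_admin(handler):
    """Opt-in protection: a page is private only if someone wrapped it."""
    def wrapped(req):
        if req.get("role") != "admin":
            return 403, "forbidden"
        return handler(req)
    wrapped._requires_admin = True  # marker used by the audit below
    return wrapped


@require_admin
def admin_home(req):
    return 200, "admin home"


def new_premium_member_report(req):
    # The one-off report: written outside the protected structure, never wrapped.
    return 200, "alice@example.com,bob@example.com"


# Constructed routing table; the report lives under /admin/ by URL only.
ROUTES = {
    "/admin/": admin_home,
    "/admin/reports/new-premium-members": new_premium_member_report,
    "/": lambda req: (200, "public home"),
}

PROTECTED_PREFIXES = ("/admin/",)


def dispatch_opt_in(path, req):
    """Route straight to the handler; authorisation is whatever the handler does."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler(req)


def dispatch_default_deny(path, req):
    """Gatekeeper in front of the routing table: anything under a protected
    prefix is denied unless the caller is authorised, whether or not the
    handler remembered to check."""
    if path.startswith(PROTECTED_PREFIXES) and req.get("role") != "admin":
        return 403, "forbidden"
    return dispatch_opt_in(path, req)


def audit_unwrapped(routes, prefixes):
    """List protected-prefix routes whose handler lacks the admin wrapper:
    the check that would have caught the report before an attacker did."""
    return sorted(
        path for path, handler in routes.items()
        if path.startswith(prefixes) and not getattr(handler, "_requires_admin", False)
    )


if __name__ == "__main__":
    anonymous = {}
    for name, dispatch in (("opt-in", dispatch_opt_in), ("default-deny", dispatch_default_deny)):
        print(name, dispatch("/admin/reports/new-premium-members", anonymous))
    print("unwrapped admin routes:", audit_unwrapped(ROUTES, PROTECTED_PREFIXES))
```

Under the opt-in router the anonymous request gets the member list with a 200; under the default-deny router the same request is refused before any handler runs. The audit is the cheap recurring check: run it over the routing table in CI and a new unwrapped page under /admin/ fails the build instead of shipping.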

via Exclusive: How the FBI investigates the hacktivities of Anonymous.

Posted in Compliance, Security | No Comments | August 19th, 2011

Pwnie Express :: Wired, wireless, and 3G pentesting dropboxes

By Mike S


I have a confession to make: I don’t have a Smartphone.  I think about getting one on occasion, but the reality is, I’m nearly always near a PC, either at home or at work, and can easily look up anything I want to look up, so the cost/benefit has never passed analysis.

But now, I just might have to get one of these:

Pwnie Express :: Wired, wireless, and 3G pentesting dropboxes.

Posted in Compliance | No Comments | August 16th, 2011

AntiSec’s Dump Of Law Enforcement Data Includes Personal Data Of Thousands

By Mike S

Chaos-hackers grab what they can and throw it on the wall like a big bowl of spaghetti.  How do you stop it?

Feinman recommends that organizations take an inventory of the sensitive data they have and get rid of any data they don’t need. “We’re seeing more customers using our ‘shredder’ feature now,” he says. “If you aren’t going to use it, there’s no reason to keep it around.”

The best way to secure data is to purge what you don’t absolutely need.  It’s true for PCI DSS, and it’s true for everything else.

via AntiSec’s Dump Of Law Enforcement Data Includes Personal Data Of Thousands – Dark Reading.

Posted in Compliance, Security | No Comments | August 12th, 2011