Tag Archives: Hacked!

Changing the defaults

In a Salt Lake Tribune article, reporter Patty Henetz quoted Utah Department of Health spokesman Tom Hudachko, who said that in this particular incident, a configuration error occurred at the level where passwords are entered, allowing the hacker to invade the security system. Technology Services has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.

Michael Hales, the Health Department’s Medicaid Director, said, “It just looks like processes broke down,” according to the Tribune.

This sounds like a weaselly way of admitting that the default passwords were not changed.  Default passwords are the easiest way into any system!

via Utah Medicaid Breach Exemplifies Value Of Encryption And Access Control – Dark Reading.

Two more articles on Global Payments breach

The first is from SC Magazine, Visa expels Global Payments following 1.5M-card breach:

“What’s the takeaway on PCI?” Litan asked on Monday in a blog post. “The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.”

And the second is from Adrian Sanabria, QSA at Sword and Shield, Global Payments Credit Card Data Breach:

The worst thing I’ve been able to determine from the details so far, is that it seems Global Payments was storing Track Data – information swiped from the magnetic stripe on the back of the card. The PCI DSS explicitly forbids storing track data (requirement 3.2.1), and PCI considers the storage of sensitive data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.

It’s a doubly-bad violation of DSS to 1) Not be compliant in the first place, and 2) to suffer a loss of cardholder data.

I imagine the reinstatement audit, if there is one, will be quite extensive.

 

Hackers politely deface security firm website, suggest fixes

If they’d bother getting a contract first, they’d probably make good money in pen testing.

A Cayman Islands security firm got a bit of unsolicited web security advice on March 30 from MalSec, a group of “malicious security” hackers who recently broke into a server belonging to the Nigerian Senate. But unlike some of the nastier site defacements done recently by members of Anonymous’ #AntiSec collective—including takedowns of two Federal Trade Commission sites—the MalSec hackers left the site itself intact, posting only a replacement home page to advise the company, The Security Centre Ltd., of their vulnerability.

[…]

“Whilst no harm was done to the original site,” the hackers wrote on their replacement home page, “we urge you to secure your site before claiming to be ‘the best of the best’ in any kind of security. We were not first—traces of previous security breaches were found.” The page gave instructions on how to return the site to normal, and advised the company to “please oversee your security before somebody else with more harmful intent does. You can thank us later <3.”

In Security Centre’s defense, they are a physical security company, not information security.

via Hackers politely deface security firm website, suggest fixes.

After first Anon hack, PR firm failed to update other .gov websites

While it’s idiotic to refrain from updating your servers, it is doubly-idiotic to refuse to update your servers after they’ve been hacked.

Under the terms of the provisioning service that the servers were provided under, Fleishman-Hilliard was responsible for the administration and security of the servers, including operating system updates, software installations and backups, and had set up the servers—but “had chosen not to update their applications,” Brubeck said.

via After first Anon hack, PR firm failed to update other .gov websites.

Top German cop uses spyware on daughter, gets hacked in retaliation

via Top German cop uses spyware on daughter, gets hacked in retaliation: It’s sad how frequently law enforcement officials bend or break the law to achieve their ends.

Problem 1: This guy forgot he was a father, and treated his kid as just another suspect.

Problem 2: The story reveals the Germans have a program for tracking individuals’ locations via cell phone and car GPS systems, and they had to take it offline because this guy’s home security sucked so hard.

Fortunately for connoisseurs of the weird, Der Spiegel revealed a stranger story in its magazine yesterday. According to the report, a top German security official installed a trojan on his own daughter’s computer to monitor her Internet usage. What could possibly go wrong?

Nothing—well, at least until one of the daughter’s friends found the installed spyware. The friend then went after the dad’s personal computer as a payback and managed to get in, where he found a cache of security-related e-mails from work. The e-mails, in turn, provided the information necessary for hackers to infiltrate Germany’s federal police.

 

Antisec hits private intel firm; millions of docs allegedly lifted

In another great example of What Not To Do, the intelligence firm Strategic Forecasting, Inc, apparently made no attempt whatsoever to comply with PCI DSS.

via Antisec hits private intel firm; millions of docs allegedly lifted:

Antisec breached Stratfor’s networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chat. But that’s just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information—up to 200GB worth, in parts throughout the week leading up to New Year’s Eve. That trove allegedly includes 860,000 usernames, e-mails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no-card-present transactions; and over 2.5 million Stratfor e-mails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.

[…]

According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

So they stored the security code, stored the entire unencrypted credit card number, used plain-jane md5-hashed passwords, and left everything wide open, and disabled what security features were built-in to the software they were using.

Very Bad Practice.

How hackers gave Subway a $3 million lesson in point-of-sale security

One thing I really enjoy about computer sercurity is learning from other peoples’ mistakes.

via How hackers gave Subway a $3 million lesson in point-of-sale security:

While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.

“With PCI compliance, those apps shouldn’t be on those systems,” said Konrad Fellmann, audit and compliance manager for SecureState, an IT security firm with a practice in retail security auditing, in an interview with Ars. But small retailers who don’t store credit card data are not required to have the same level of auditing as larger companies, Fellmann said.

It’s hard to believe a corporation as large as Subway put so little effort into PCI compliance, but this could have easily been discovered with an external scan, log monitoring, in-scope review, systems change monitoring, malware scanning, and so on and so forth.

So will Subway now have to post the Black Mark of Shame in every franchise?

Hackers turn MySQL.com into malware launchpad

Pretty embarrassing for Oracle and MySQL:

Web security firm Armorize reported in its blog today that the MySQL.com website has been turned into a launchpad for serving up malware attacks. Visitors to the home page of the site are hit with a JavaScript injection attack that has been planted on the site. The script opens an IFRAME to a malicious site, which in turn launches a BlackHole exploit “pack” that probes for known browser and plugin weaknesses and then stealthily installs malware on the visitor’s PC. There’s no warning button or action required by the user other than visiting the site to trigger the download.

via Hackers turn MySQL.com into malware launchpad.