Ars Technica has a good introduction to the tools of Anonymous, covering LOIC, Slowloris, HOIC, and VPN anonymizing services.
Attention developers, programmers, and hobby websiters – please sanitize your inputs!
The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing.
And in addition:
Two hackers going by the names TinKode and Ne0h managed to gain access to sensitive information on MySQL.com, the website for the popular open source database.
In the data shared by the hackers, some of the password hashes were cracked to reveal complete login details for accounts associated with MySQL.com, including the WordPress account login details for Robin Schumacher, the former director of product management, and Kaj Arnö, former vice president of community relations.
Some of the passwords revealed simple phrases. Schumacher set his password as a simple 4-digit number—with three repeating digits. The hackers also posted several other database tables without the password hashes.
It’s been very interesting watching the HBGary vs Anonymous event unravel in such a public way, with such well-known hacker methodology used to compromise the systems of security specialists. Anonymous used SQL injection on HBGary’s public CMS to find a few usernames and passwords, and with a non-privileged user account they were able to compromise an otherwise fairly secure Linux system that was behind on its patches:
The only way they can have some fun is to elevate privileges through exploiting a privilege escalation vulnerability. These crop up from time to time and generally exploit flaws in the operating system kernel or its system libraries to trick it into giving the user more access to the system than should be allowed. By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.
Exploitation of this flaw gave the Anonymous attackers full access to HBGary’s system. It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.
Aaron’s password yielded even more fruit. HBGary used Google Apps for its e-mail services, and for both Aaron and Ted, the password cracking provided access to their mail. But Aaron was no mere user of Google Apps: his account was also the administrator of the company’s mail. With his higher access, he could reset the passwords of any mailbox and hence gain access to all the company’s mail—not just his own. It’s this capability that yielded access to Greg Hoglund’s mail.
PCI DSS requires that patches be installed monthly. In addition, could Google Apps’ two-factor authentication have helped prevent that portion of the attack?
So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren’t patched. And an astonishing willingness to hand out credentials over e-mail, even when the person asking for them should have realized something was up.
It’s not enough to know security if you don’t actually implement it.
An infected laptop was used to access the systems at the Pentagon’s credit union, exposing the financial records of the members of the United States military, according to a Kaspersky Lab report.
This isn’t the first time PenFed has been targeted. The credit union posted an alert on its Web site notifying users that a person who was calling members to say their mortgages were being sold and requesting personal information was fraudulently masquerading as a PenFed underwriter.
I wonder if the laptop had PCI-mandated firewall and anti-virus software.
‘Twas an exciting and profitable weekend for hackers!
Three database/email server compromises were revealed over the weekend. A business partner of McDonald’s lost their promotional mailing list, Gawker’s entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner. None of these cases involved financial data; none of these would have been covered in any way by the PCI requirements.
The danger with the McDonald’s and DeviantArt compromises isn’t the account names, it’s the potential for phishing and other scams. The phishers now have a validated list of customers they can target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click on links to malicious sites.
Always be cautious about clicking links in email. If one tells you to go to a site where you have an account, use your own bookmark to get there.
Jeremy Schoemaker tracked down a hacker by making good use of logs:
So now here is where it gets interesting…. Now that I had figured out how the person was hacking into my box I was curious how in the hell the person found the file. It was in a subdirectory that I had not used in YEARS. There was no link to it from anywhere on my site. The directory structure it was in was like … html/oldforums/oldstuff/badfile.php . How in the hell did this person find this file? Well after going through the logs grepping for the ip range that hacked my box I found that the person found my site from Google! Specifically using Google code search. Now while this was interesting it still did not explain how the page was even indexed…. ohh wait I use Google Sitemaps and I had it on to index everything the default setting OOPS!!
Which is a good reminder of Step One to Security: Change the defaults, ASAP.
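The log triage Schoemaker describes, written out as an added example (not his code): parse Apache/nginx "combined" access-log lines, keep only requests from a suspect IP range, and list the first external Referer that led to each path, which is exactly how a forgotten file's discovery via a search engine shows up. The log lines, the 203.0.113.0/24 range and the file name are constructed sample data.

```python
# Added example: find how a suspect IP range reached each path on the site.
import ipaddress
import re

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; the suspect range and paths are illustrative only.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Dec/2010:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Dec/2010:08:03:50 +0000] "GET /html/oldforums/oldstuff/badfile.php HTTP/1.1" 200 812 "http://www.google.com/codesearch?q=badfile" "Mozilla/5.0"
203.0.113.45 - - [10/Dec/2010:08:04:02 +0000] "POST /html/oldforums/oldstuff/badfile.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
203.0.113.46 - - [10/Dec/2010:08:09:30 +0000] "GET /sitemap.xml HTTP/1.1" 200 33000 "-" "curl/7.21"
198.51.100.9 - - [10/Dec/2010:08:15:00 +0000] "GET /blog/ HTTP/1.1" 200 7000 "http://www.bing.com/search?q=blog" "Mozilla/5.0"
"""

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def requests_from_range(log_text, cidr):
    """All parsed requests whose client IP lies inside the given CIDR block."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of mis-attributing them
        try:
            if ipaddress.ip_address(rec["ip"]) in net:
                hits.append(rec)
        except ValueError:
            continue  # malformed client address field
    return hits

def first_referer_per_path(hits):
    """Map each path the range touched to the first non-empty Referer that led to it."""
    origin = {}
    for rec in hits:
        ref = rec["referer"]
        if rec["path"] not in origin and ref not in ("", "-"):
            origin[rec["path"]] = ref
    return origin

if __name__ == "__main__":
    suspect = requests_from_range(SAMPLE_LOG, "203.0.113.0/24")
    for path, ref in first_referer_per_path(suspect).items():
        print(f"{path} was first reached via {ref}")
```

On the sample data this reports that badfile.php was first reached from a Google Code Search result, the same clue the post describes; on real logs, pair it with the sitemap configuration to confirm why the path was indexed at all.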