Archive for the ‘Hackc0red’ Category
Grad Student Uses SSL Exploit Against Twitter Service
Monday, December 21st, 2009
A vulnerability in SSL + Twitter? Say it isn’t so! More pleasingly, a Turkish student uses Twitter’s own service to text him back the compromised text, UNENCRYPTED! Wow. You know, there’s not much Twitter can do about this. After all, they didn’t come up with SSL. But I wouldn’t be surprised if the federal government came in and mandated certain security provisions on Twitter. Couldn’t you classify Twitter as too big to fail?
More on the Iranian Twitter attack.
Friday, December 18th, 2009
ComputerWorld is reporting that the initial vector of attack was through malware (no surprise). I have said the same thing over and over again. The best vector in any compromise is always THE WEAKEST LINK, and in this case, employees WITHIN a corporation with a lackadaisical IT policy. You know what, DNS guys: if you want to surf the web, don’t do so with IE while logged into your DNS record interface. Probably not the smartest group in town.
Iranians DNS Poison the heck out of Twitter.
Friday, December 18th, 2009
So Twitter was down, again! I thought I would post a few DNS Poisoning websites on the topic, but most importantly, things you can do to avoid DNS poisoning on your own site.
The easiest way to locate a victim of this kind of attack is via the name server IP. One would have to utilize tools from a third party, such as NirSoft, to find the proper applications that will allow you to conduct this kind of search. Also keep in mind that because web domains normally have two or more name servers (standard practice), when conducting a search you just might get a valid server. I would keep on doing the search until you are redirected to a server different from the first. You have to have a keen eye, but a victim of a DNS Poisoning attack is identifiable by a completely different IP that normally has no relation to the IP subnet or nomenclature of the name servers. The target machine might also contain a few capital letters, numbers, or anything else that might make the name server appear “different.”
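The comparison described above, as an added Python example that is not code from the original post: it takes the `dig +short` answers collected from each of a domain's name servers, picks the majority address, and flags any server that returns nothing or an address outside the majority's subnet. The server names and addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: what `dig +short A www.example.test @<server>` might print
# when asked each of the domain's three name servers (all values are made up).
SAMPLE_ANSWERS = {
    "ns1.example.test": "192.0.2.10\n",
    "ns2.example.test": "192.0.2.10\n192.0.2.11\n",  # extra record, same subnet: fine
    "ns3.example.test": "203.0.113.77\n",            # unrelated address: the tell
}

def parse_short(output):
    """Turn `dig +short` output into a set of addresses, skipping CNAME/other lines."""
    ips = set()
    for line in output.splitlines():
        try:
            ips.add(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue
    return ips

def consensus(answers):
    """Address returned by the most servers (a simple majority vote)."""
    votes = Counter(ip for ips in answers.values() for ip in ips)
    if not votes:
        raise ValueError("no address returned by any server")
    return votes.most_common(1)[0][0]

def suspicious_servers(answers, prefixlen=24):
    """Map server -> reason for servers that return no record, or whose answer both
    disagrees with the majority and lies outside the majority's /prefixlen."""
    expected = consensus(answers)
    home_net = ipaddress.ip_network(f"{expected}/{prefixlen}", strict=False)
    flagged = {}
    for server, ips in answers.items():
        if not ips:
            flagged[server] = "returned no address"
        elif expected not in ips:
            foreign = [ip for ip in ips if ip not in home_net]
            if foreign:
                flagged[server] = f"returned {foreign[0]}, outside {home_net} (majority: {expected})"
    return flagged

def check(raw_outputs, prefixlen=24):
    """Parse each server's raw `dig +short` output and report the outliers."""
    return suspicious_servers({s: parse_short(o) for s, o in raw_outputs.items()}, prefixlen)

if __name__ == "__main__":
    for server, reason in check(SAMPLE_ANSWERS).items():
        print(f"{server}: {reason}")
```

Query each name server listed by `dig NS <domain>` separately (`dig +short A <host> @<server>`) and feed the outputs in; a single server answering from a foreign subnet is the pattern the post describes.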
I dealt with this attack first hand and unfortunately, I had to wipe out all of the boxes and start from scratch. However, that does not mean the attacks stopped. I understood that my first and last defense was BIND, and if I set it up correctly, BIND could be as much my friend as my enemy. Below are a few links on securing BIND. I highly suggest them.
- http://oreilly.com/catalog/dns4/chapter/ch11.html
- http://www.bind9.net/manuals
- http://www.grok.org.uk/docs/tsig.html
- http://www.serverwatch.com/tutorials/article.php/10825_3497601_2/Unraveling-BIND-93.htm
When setting up BIND, I made sure that my install was in a CHROOT jail. This was tedious at first as it led to the creation of A LOT of local records. And once you have BIND in a jail, make sure it is TESTED! When preparing my servers, I made sure that A.) my machine was the only machine which had access to BIND, and B.) neither the SERVER nor the APACHE user was the owner of BIND. I actually made bogus, non-root owners for each of my apps. Anything else that you can do to prepare the application outside the “normal” install configuration is a HUGE plus.
Have fun!
Scammers on Ebay
Monday, November 9th, 2009
Just recently I purchased a new iPhone 3GS from AT&T. That leaves me with my old iPhone to sell. So I decided to go through eBay as it seemed to be the democratic thing to do. I have never done such things before due to the excessive amounts of fraud and trickery, but I chose to remain optimistic. I have to say that I was quite disappointed with the whole process. Long story short, I am greeted with this email…
Hello seller get back to me with your paypal email id as soon as possible so that i can get the payment made as soon as i get this from you..
Nice doing business with you..
Prompting me to send an email indicating that I believe there to be fraud-like activities going on with my auction. The following is a response from eBay…
Hello xxx (xxx@xxx.com),
Our records show that you recently contacted or received messages from william5695 through eBay’s messaging system. This account was recently found to have been accessed by an unauthorized third party, who may have used the account in an attempt to defraud other members.
We’ve taken action to restore this account to the original owner, but wanted to let you know to be suspicious of any communication you may have received from them. Nothing is wrong with your account at this time; this message is just being sent as a precaution. If you have received any messages from them that appear suspicious, please feel free to forward them to us at spoof@ebay.com for review.
Just goes to show how reliable these services are. The scammers came into my auction and drove the bid price high enough that only they could price the item. If I, the user, had the power to approve bids, then that would be the ticket. Until then, I just don’t know how reliable eBay can be. Question is…should I try again?
Bahama botnet
Thursday, September 17th, 2009
Today the Bahama botnet showed its ugliness by conducting a massive click fraud campaign. Yet another reason to read my blog every day, because I keep you, the web surfer of the internet, in the know. I thought this would be a good time to remind everybody that if your site has been compromised, shut it down and move over to a good host such as myself. These hackers love to attack companies who serve internally because it’s the “cheapest” way to go, and will not stop doing so until web people decide to shell out a little more money which would go to an actual expert at a NOC whose job it is to look through packet data. Other people talking about the Bahama botnet are the New York Times, which actually appears to have been serving malicious ads, and Click Forensics.
And please people. If you feel your computer has been compromised, don’t buy speed boosters. Format your computer.
Hostdepartment.com is a sham !
Tuesday, December 16th, 2008
I have a client who used hostdepartment.com as their registrar. A week or so into designing their website, I was notified that their current site had been hacked. Note: This information is to serve the public, but in no way should it be misconstrued as a legal investigation. I am open to help out in any legal action taken against hostdepartment.com.
Honestly, if it wasn’t so difficult to change over the DNS records, I would not have discovered this. After tonight, however, I just got the same weird feeling I always had while employed at my old job. I began to search around online for hostdepartment.com. After all, if they are serving my client their DNS records, I should get to know their track record. I found out their track record soon enough by discovering the following link.
http://www.hosthideout.com/archive/index.php/t-7122.html
Believe it or not, when I saw that hostdepartment.com’s domain records used to point to a Performance Systems International Inc., I had actually encountered this exact same firm at my old job. I had tracked down PSI Inc, called them up, talked to one of their security guys, and he had informed me that there were several lawsuits pending on the entity claiming to be Performance Systems International Inc. You could imagine the chills that went down my spine when I saw this.
This made me re-read an email my client had sent me indicating that their site had been hacked. What I thought was interesting was that if this hostdepartment.com was a legit company here in the United States, the idiots open themselves up to litigation. The email is as follows.
Hello Sir,
As we check for your site, seems your file is injected with malicious code.
There are several possibilities that can cause this issue:
1. Stolen ftp access info from clients local pc’s or network
2. Successful attempt attack to guess ftp username & password using brute-force method
3. Hole in proftpd
Please kindly reupload for your original file
We have upgrade our ProFTPd to the latest version, to minimize exploit attack and eliminate proftpd hole issue and Run security check on all of our server. if you sure there is no trojan or keyloger at your Local PC, should be there is no problem again with injection issue.
Very interesting indeed. I talked to the client tonight, and he had noticed broken English in several of his email responses. Red flags having already been raised, this was just another. Reading the email above over again, one can find the broken English. This should be flag #1.
Flag #2 is the Whois information.
Registrant Contact:
Host Department LLC
DNR Department ()
Fax:
1400 Kennedy blvd
Union City, NJ 07087
US
Administrative Contact:
Host Department LLC
DNR Department (registrar@hostdepartment.com)
+1.8668874678
Fax:
1400 Kennedy blvd
Union City, NJ 07087
US
Technical Contact:
Host Department LLC
DNR Department (registrar@hostdepartment.com)
+1.8668874678
Fax:
1400 Kennedy blvd
Union City, NJ 07087
US
Status: Active
Name Servers:
ns1.worldispnetwork.com
ns2.worldispnetwork.com
Creation date: 20 Jul 2001 02:38:21
Expiration date: 20 Jul 2012 02:38:21
Paying close attention to the business contact information, one can find Hostdepartment.com located at 1400 Kennedy Blvd, Union City, NJ. When I saw that these Yahoos were located in Union City, New Jersey, a HUGE red flag went up. If you don’t know what I am talking about, perhaps I can recommend a few good movies…The Godfather, Goodfellas, Casino, The Sopranos to name a few. If you need more, email me and we can do lunch.
Still, these guys could be legit. I am sure there are plenty of good reputable businesses in the Union City area. Let’s find some. Well here is another idea. If 1400 Kennedy Blvd is a legit business location, perhaps we can check the local listing within Google. Doing a search uncovers the following.
Ambulatory Plastic Surgery Center: Reddy Loka N MD
maps.google.com
1400 Kennedy Blvd
Union City, NJ 07087
(201) 330-9595
Look at that juicy piece of information. Located in the very same building is an Ambulatory Plastic Surgery Center. Now if anybody has ever been inside a hosting company, they would know that due to the high level of security, power requirements and staff needs, there is no way in hell a plastic surgery center can be located in the same building. There are no exceptions to the rule. If anybody has been in a hosting company, they would know this. There are large hosting companies that have multiple buildings, some of which are sectioned off for other companies, but the racks and security staff stay in one spot. ALWAYS.
So now I know something is a bit off here. I decided to talk straight to the source as I was armed with all the information I needed. Below is my “conversation.” I am aaa.
Chat Information: Welcome to HOST DEPARTMENT.COM Live chat. An online representative will be with you shortly. You are number 1 in the queue.
PHP5, MySQL5, MS-SQL 2005, Ruby on Rails, .NET 3.5 are NOW AVAILABLE at Premium Hosting.
SPECIAL OFFER with DISCOUNTS and FREE HOSTING!
Chat Information: You are now chatting with ‘Matthias Rosso’
aaa: Mr. Rosso?
Matthias Rosso: Premium Hosting ~ Use XMAS20 & take your discount NOW!
Hello! Welcome to Host Department’s LiveChat. How may I help you?
aaa: I need the latest version of proftpd. Where do I get it?
Matthias Rosso: I’m sorry
Matthias Rosso: May I know your username, please?
aaa: Why?
Matthias Rosso: So I could add your username to my report.
aaa: What report? I just want to know where to get proftpd.
Matthias Rosso: In my daily report. You could find it here: http://www.proftpd.org/download.html
aaa: You know how to spell fraud, Matthias?
aaa: Any idea why your organization is suggesting users download open source “crackable” ftp programs, Matthias?
aaa: I need an answer for MY report.
Matthias Rosso: Pardon me?
aaa: Your website states 24/7 support with a live representative. Yet your phone number leads me to an answering machine. Why is that?
Matthias Rosso: We have 24/7 live support by chat.
aaa: And you are based at 1400 Kennedy Blvd, Union City, NJ 07087?
aaa: You are an ISP based in Union City, NJ, I hope?
Matthias Rosso: Pardon me, may I have your username please. If you do not give me your username, I will take the next chat.
aaa: Where are you?
aaa: I see here you are a sales agent. Yet you are answering technical support questions?
aaa: That’s pretty strange, Matthias.
Matthias Rosso: Currently we have launched a new cluster; you may review the features at http://www.hostdepartment.com/premiumhosting/
Matthias Rosso: I could get a discount for you.
aaa: I need a botnet. How much for a botnet?
Matthias Rosso: If you mean dot net, you could review this page: http://www.hostdepartment.com/premiumhosting/windows.php
aaa: Do you work in New Jersey?
Matthias Rosso: Yes
aaa: How large is your colo?
aaa: Do you sell rack space?
Matthias Rosso: Our servers are placed at Hurricane and Terremark, and we do not sell rack space; we rent from them.
aaa: Would it surprise you if I told you I already knew that?
aaa: As a matter of fact, I know who works down the hall from you.
aaa: I could be FBI for all you know.
aaa: But then again, you wouldn’t know until I call the attorney general on your little operation.
aaa: Have a great day, Matthias.
That’s it in a nutshell. Next I will contact the attorney general in New Jersey and make sure he is aware of this scam. I’ll keep everybody posted.