#heartbleed distractions help hackers to plunder away 250,000 student ids and credentials from US universities

19:27 Vijay Prabhu 0 Comments
As websites and web service providers all over the world patch the huge hole left by #heartbleed, and their entire security apparatus is busy with #heartbleed clean-up such as password resets, the bug is proving a gold mine of time for hackers. The distraction caused by #heartbleed has left many websites vulnerable to standard, run-of-the-mill hacking attacks. Hackers have used this opportune moment to target at least 18 U.S. universities and steal student social security numbers and other credentials, according to computer security research firm Hold Security.

Alex Holden, CTO of Hold Security, said that "Somebody had access to a student account that had an entire list of employees." He gave the example of a phishing mail sent to the employees of a hospital connected with a university. As many as 17,000 people received the phishing mail asking them to reset their passwords. Holden said that the scammer had got hold of the email ids of these 17,000 people from a university breach in which, he says, at least 250,000 account details were hacked and stolen.

It's unknown how much data has been pilfered from the schools or the extent to which the schools are aware of the attacks. Up to 250,000 people could be affected, Holden said. "Hopefully, it's not payroll [data]," he said.

The hospital in question is now considering a mass reset of passwords as a solution to this phishing problem. The hospital is a client of Hold Security; Holden says that the other universities have not been notified.

"We have had very bad luck with several universities as far as reaching out about breaches," Holden said. "The problem is finding within a very large, decentralized infrastructure the right person to talk to and impress on them that something is going on."

The attackers have been using standard SQL injection attacks, in which crafted requests are sent to see whether the backend database will surrender data. In other cases, it appears that backdoors, or malicious software programs that can steal data, have somehow been installed.
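The injection probing described above is easiest to see side by side with the fix. The following Python example is added here and is not code from the article or from Hold Security: it builds a constructed in-memory table of fake student records, shows a query that splices user input into the SQL text next to the parameterized form, and runs a small log-scanning function over constructed web-server log lines to flag requests that look like injection probes. The table name, the log format and the probe pattern are assumptions for illustration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample data: a handful of fake student records (not real people).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.edu"),
    (2, "bob", "bob@example.edu"),
    (3, "carol", "carol@example.edu"),
]

# Constructed web-server log lines in a common access-log layout (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2014:10:01:02] "GET /students?user=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Apr/2014:10:01:09] "GET /students?user=%27+OR+%271%27%3D%271 HTTP/1.1" 200 40960',
    '10.0.0.9 - - [18/Apr/2014:10:01:15] "GET /students?user=bob%27+UNION+SELECT+1,2,3-- HTTP/1.1" 500 0',
]

# A classic tautology probe: makes the WHERE clause always true when spliced into SQL text.
PROBE = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the value becomes part of the SQL statement itself."""
    query = "SELECT id, username, email FROM students WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the driver binds the value, so input can never change the query structure."""
    query = "SELECT id, username, email FROM students WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Row counts returned for a normal username and for the probe, by both lookups."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_probe": len(lookup_vulnerable(conn, PROBE)),   # whole table leaks
        "param_normal": len(lookup_parameterized(conn, "alice")),
        "param_probe": len(lookup_parameterized(conn, PROBE)),     # no such username
    }


# Heuristic for access-log review: a quote followed by a boolean/UNION keyword,
# a trailing SQL comment, or a stacked data-modifying statement.
SQLI_PATTERN = re.compile(
    r"'\s*(or|and|union)\b|--\s*$|;\s*(drop|insert|update|delete)\b",
    re.IGNORECASE,
)


def flag_suspicious_requests(log_lines):
    """Return the URL-decoded request paths that match the injection heuristic."""
    flagged = []
    for line in log_lines:
        match = re.search(r'"[A-Z]+ (\S+) HTTP', line)
        if not match:
            continue
        decoded = unquote_plus(match.group(1))
        if SQLI_PATTERN.search(decoded):
            flagged.append(decoded)
    return flagged


if __name__ == "__main__":
    print(demo())
    for path in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", path)
```

The vulnerable lookup returns every row when fed the probe, while the parameterized lookup treats the same string as a literal username and returns nothing. The log heuristic is intentionally loose and will produce false positives on legitimate apostrophes; it is a triage aid for reviewing access logs, not a replacement for parameterized queries.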

Holden says that hacking university networks may not be as profitable as hacking commerce sites, but finding the domains and subdomains of large companies or universities can involve a lot of manual research and guesswork. Hackers pay US$20 to $100 on Tor marketplaces to buy a list of millions of domains that can be attacked. Holden suspects the lists may come from insiders at registrars. The practice of aggregating domains isn't in itself illegal, he said.

What lures hackers to university sites is access to large numbers of young users, mostly students. Holden says that a simple subdomain hack can give hackers access to 10,000 to 50,000 student details.

"They may not have a lot of money in their accounts but when exploited in bulk they may be as profitable as a number of people further in their careers," Holden said.


Netgear and Linksys DSL routers 'fix' does nothing about the backdoor, merely hides it says Arstechnica report

19:56 Vijay Prabhu 0 Comments
Eloi Vanderbeken, a security researcher from synacktiv.com, had discovered a backdoor in several models of Linksys, Cisco and Netgear Wi-Fi DSL modems that grants an attacker admin access along with the ability to reset the router's configuration. After Vanderbeken published his findings and several others corroborated his results in January 2014, manufacturers such as Netgear published a new version of the firmware that was supposed to close the backdoor. Now Vanderbeken has found that the firmware released by the vendors is just camouflage. As per a report by Ars Technica, the new firmware does not 'fix' the backdoor. It merely hides it.
Vanderbeken found that the new firmware only hides the backdoor rather than closing it. In a PowerPoint presentation he posted on April 18, Vanderbeken confirmed that the “fixed” code conceals the same communications port he had originally found (port 32764) until a remote user employs a secret “knock”: a specially crafted network packet that reactivates the backdoor interface.

The packet structure used to open the backdoor, Vanderbeken said, is the same one used by “an old Sercomm update tool”, a packet also used in code by Wilmer van der Gaast to "rootkit" another Netgear router. The packet’s payload, in the version of the backdoor Vanderbeken discovered in the firmware posted by Netgear, is an MD5 hash of the router’s model number (DGN1000).
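The one concrete detail the report gives about the knock, that its payload carries the MD5 of the model number, is enough to build a simple network-monitoring check. The following Python example is added here; it is not Vanderbeken's tooling or any vendor code. It computes the MD5 marker for the model string named on the page, then classifies constructed packet records by whether they go to port 32764 at all and whether their payload contains that marker. Because the page does not describe the Sercomm packet framing, the example looks for the digest in both raw and hex form and treats a match as a heuristic alert, not a parser of the real format; the packet tuples and addresses are constructed for illustration.

```python
import hashlib

# Port named in the report as the concealed backdoor port.
BACKDOOR_PORT = 32764
# Model number whose MD5 the report says forms the knock payload.
MODEL = "DGN1000"


def knock_markers(model=MODEL):
    """Return the MD5 of the model string in the two encodings a capture might show.

    Assumption: the page says the payload is the MD5 of the model number but not
    whether it is sent as raw bytes or as a hex string, so both are checked.
    """
    digest = hashlib.md5(model.encode("ascii")).digest()
    return {"raw": digest, "hex": digest.hex().encode("ascii")}


def classify_packet(pkt, model=MODEL):
    """Classify one (src, dst, dst_port, payload) record.

    'knock'      : traffic to the backdoor port carrying the model-number MD5
    'port-probe' : any other traffic to the backdoor port (worth investigating)
    'ok'         : everything else
    """
    _src, _dst, port, payload = pkt
    if port != BACKDOOR_PORT:
        return "ok"
    markers = knock_markers(model)
    if markers["raw"] in payload or markers["hex"] in payload:
        return "knock"
    return "port-probe"


def alerts_by_source(packets, model=MODEL):
    """Aggregate non-'ok' classifications per source address for a monitoring report."""
    report = {}
    for pkt in packets:
        verdict = classify_packet(pkt, model)
        if verdict != "ok":
            report.setdefault(pkt[0], []).append(verdict)
    return report


def sample_packets():
    """Constructed packet records (src, dst, dst_port, payload); not a real capture."""
    m = knock_markers()
    return [
        ("192.0.2.10", "192.0.2.1", 80, b"GET / HTTP/1.1\r\n"),
        ("198.51.100.7", "192.0.2.1", 32764, b"\x00\x01" + m["raw"] + b"\x00\x00"),
        ("198.51.100.7", "192.0.2.1", 32764, b"\x00\x00\x00\x00"),
        ("192.0.2.10", "192.0.2.1", 32764, b"model=" + m["hex"]),
    ]


if __name__ == "__main__":
    for pkt in sample_packets():
        print(pkt[0], "->", pkt[2], classify_packet(pkt))
    print(alerts_by_source(sample_packets()))
```

In practice the same check belongs on a span port or in an IDS rule on the router's WAN side: any inbound traffic to 32764 on a consumer DSL modem is anomalous on its own, and a payload carrying the model-number digest is the specific signature the report describes.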
The nature of the change, which uses the same code as the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware and not just a coding mistake. “It’s deliberate,” Vanderbeken asserted in his presentation.
Readers may note that many users reading Vanderbeken's initial results in January 2014 concluded, or alluded, that the DSL modem manufacturers kept the backdoor specifically for the NSA. Though this has never been proved or accepted either by the NSA or the modem vendors, Vanderbeken's new research seemingly points towards a deliberate masking of the backdoor by high-profile vendors for reasons best known to them. The manner in which the so-called patch was supposed to 'fix' the backdoor only deepens the suspicion among users and readers that the backdoor is company-authorised.

Ars Technica headline: "Easter egg: DSL router patch merely hides backdoor instead of closing it. Researcher finds secret “knock” opens admin for some Linksys, Netgear routers."
In all, 24 models of Wi-Fi DSL modems are said to have this backdoor. Among those 24, the models listed below are top-selling modems in the world.

- Linksys WAG200G
- Netgear DM111Pv2
- Linksys WAG320N
- Linksys WAG54G2
- DGN1000 Netgear N150
- Diamond DSL642WLG / SerComm IP806Gx v2 TI


BJP blocks access to its website in Pakistan due to repeated hacking attempts on its various websites

18:57 Vijay Prabhu 0 Comments
Desperate times call for desperate measures. Repeated hacking attempts by Pakistan-based hackers have made the BJP top honchos in charge of the website block its premier website, bjp.org, for visitors from Pakistan. Readers may note that in the past 2 weeks Pakistan-based hackers have hacked and defaced at least 5 BJP websites. The decision to block Pakistan-based IPs from viewing the page seems to have been taken after the Pakistani hackers took down the website of BJP's top leader, Mr. L.K. Advani, on Sunday.
As of now, residents of Pakistan cannot access the BJP website, but the high-traffic portal of India's prime ministerial hopeful, narendramodi.in, can still be accessed by them. Pakistan residents visiting bjp.org will get the following message:

“Error 1009 The owner of this Web site (bjp.org) has banned your IP address (—) on the country or region you are accessing it from,” 

It is well known that hackers mostly use proxies to hack websites, so the reason behind the blocking is best known to the webmasters of bjp.org. If Pakistani residents or media want to visit the site, they have to do so through a virtual private network that masks their Pakistani IP address. Even then, the links won't work. In particular, the 'charge sheet' BJP has prepared against the present UPA government won't be visible to Pakistani residents.


Indian discovers multiple XSS and CSRF bugs in eBay Magento eCommerce web application, gets awarded $11,171 as bug bounty

23:53 Vijay Prabhu 0 Comments
Atulkumar Shedage, a web application security researcher from India, has found multiple bugs in the eBay Magento eCommerce website. Atul Shedage, who is a member of the Bugcrowd community, has won 1st prize for finding the bugs and a bounty of $11,171.00 for his discoveries.
Atul, who is already a certified bug tracker for Bugcrowd, has been acknowledged by major tech companies such as Google, Apple, Etsy, Facebook and GitHub. Bugcrowd ranks him 14th on its list of bug trackers with 179 points. As per Bugcrowd, Atul already has 50 bug discoveries to his name.

In the eBay Magento e-Commerce web application, Atul has made five bug discoveries. All the bugs are related to XSS (cross-site scripting) and CSRF (cross-site request forgery), which can allow a potential attacker to remotely access the eBay Magento e-Commerce web application. The bounty was announced officially only yesterday, so details of the bugs Atul found are sketchy. eBay has already acknowledged the bugs; the acknowledgement image is reproduced below.
Atul is a member of Bugcrowd, which is the brainchild of two entrepreneurs and former security consultants, Casey Ellis and Chris Raethke. Bugcrowd allows security researchers, ethical hackers, white hat hackers and bug trackers to collaborate and channel their love for bugs and hacking in a positive way. Ellis and Belokamen founded Bugcrowd two years back, and it has since grown manifold. It combines crowdsourcing with information security, providing businesses with a crowd of well-intentioned hackers who discover vulnerabilities before more malicious types do, thereby benefiting both the companies and the hackers in a meaningful way.