Monday, October 18, 2010

Cross-Site Request Forgery: Are your web applications vulnerable?

Cross Site Request Forgery (also known as XSRF or CSRF) works by exploiting the trust that a site has in the user. According to OWASP, CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, such as changing the victim's e-mail address, home address or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but can also be used to access sensitive data.



How does the attack work?

There are many ways in which an end user can be tricked into submitting information to, or loading content from, a web application. To understand how the attack works, we first need to see how the malicious request that the victim will execute is generated.

Let us consider the following example: Sawyerr wishes to transfer #1,000 to Segun using http://bank.com. The request generated by Sawyerr will look similar to the following:

POST http://bank.com/transfer.do HTTP/1.1
acct=Segun&amount=1000


However, Titi discovers that the web application in question will execute the same transfer using the URL parameters below:

GET http://bank.com/transfer.do?acct=Segun&amount=1000 HTTP/1.1

Titi now decides to exploit this vulnerability with Sawyerr as her victim. She first constructs the following URL, which will transfer #100,000 from Sawyerr's account straight into her own:

http://bank.com/transfer.do?acct=Titi&amount=100000

Now that she has generated her malicious request, Titi needs to trick Sawyerr into submitting it. The easiest way to do this is to send Sawyerr an HTML mail containing the following:

<a href="http://bank.com/transfer.do?acct=Titi&amount=100000">View my Pictures!</a>



This assumes that Sawyerr is authenticated with the web application when he clicks the link; if he is, the transfer of #100,000 to Titi's account will occur.

But suppose Titi realizes that Sawyerr will notice a transfer taking place if he clicks the link. She can instead hide the attack in a zero-byte image, as below:

<img src="http://bank.com/transfer.do?acct=Titi&amount=100000" width="1" height="1" border="0">



If the code above were included in the e-mail, Sawyerr would only see a little box indicating that the browser could not render the image. However, the browser will still submit the request to bank.com, with no visual indication that the transfer has taken place.


How to Prevent this type of attack

Use the cheat sheet provided by OWASP here to prevent this type of attack.
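As an added illustration of the cheat sheet's core defences (this is not code from the original post), the Python snippet below checks a transfer request the way bank.com should: the action must arrive as a POST, the Origin (or Referer) header must match the site, and the form must carry a per-session token that an attacker's page cannot read. The server secret, the session id and the HMAC-derived token scheme are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed server-side values (constructed for this example).
SERVER_SECRET = b"replace-with-a-long-random-secret"
SITE_ORIGIN = "http://bank.com"


def make_csrf_token(session_id: str) -> str:
    """Per-session synchronizer token: HMAC(secret, session id).

    The application embeds this in its own transfer form as a hidden field;
    a page on another site cannot read it, so a forged request lacks it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_transfer_request(method: str, headers: dict, form: dict, session_id: str):
    """Return (allowed, reason) for a state-changing request such as transfer.do."""
    # 1. The transfer must never be reachable through a GET (link or <img src>).
    if method.upper() != "POST":
        return False, "state change attempted via " + method
    # 2. The request must originate from our own site (Origin, else Referer).
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-site request from " + parts.netloc
    # 3. The form must carry the token bound to this session (constant-time compare).
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, make_csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: the two forged ones from the post and a legitimate one."""
    sid = "session-of-sawyerr"
    attack = {"acct": "Titi", "amount": "100000"}
    via_img = check_transfer_request("GET", {}, attack, sid)
    via_form = check_transfer_request("POST", {"Origin": "http://evil.example"}, attack, sid)
    legit = check_transfer_request(
        "POST", {"Origin": SITE_ORIGIN},
        {"acct": "Segun", "amount": "1000", "csrf_token": make_csrf_token(sid)}, sid)
    return via_img, via_form, legit


if __name__ == "__main__":
    for name, (ok, why) in zip(("img", "form", "legit"), demo()):
        print(f"{name}: {'allowed' if ok else 'rejected'} ({why})")
```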

Friday, October 8, 2010

Anonymous Cyber-Protest group stages DDOS attack on Spain's copyright society




An online activist group – apparently using the 4Chan web portal as its forum – started a major distributed denial of service attack (DDOS) at around midnight CET yesterday evening against the web portal of the Spanish copyright protection society, the SGAE.

The stated aim of the 'Anonymous' group's attack – one of the first activist protests of its type to attack a copyright organisation in Spain, Infosecurity notes – was to crash the site.

Unconfirmed reports suggest, however, that the site did not crash, but that traffic to the portal was significantly slowed down, as is normal with DDOS attacks of this type.

As of 10am CET this morning, however, site traffic to the SGAE portal was back to normal, Infosecurity notes.

According to Luis Corrons, technical director of PandaLabs, the Spanish-headquartered IT security vendor, recent attacks of this type have targeted the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), resulting in 17 server crashes and up to two hours of inactivity.

The Tieve.tk newswire says that the 'Anonymous' cyber-activist group – operating via the 4Chan portal – called its DDOS attack 'operation payback' and claims that the attack is one of several the group has staged in recent weeks.

What appears to have upset the activist group, says Panda, is the attempted closure of free file-sharing websites by groups like the RIAA and the MPAA.

Corrons said that his team has been in contact with the SGAE to advise them of last night's attack and has been monitoring the events in real time throughout the night.

"The way things are progressing, it will be no surprise to see cyberprotests organised country by country targeting different copyright protection associations", he said.

One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards

Well, I read the story from page 1 to 7 and it was like I was watching 'Die Hard 5'.



Max Butler had an audacious plan to rule the black market in stolen credit cards. But angry hackers and pesky Feds had other ideas.

Excerpts below

The heat in Max Butler's safe house was nearly unbearable. It was the equipment's fault. Butler had crammed several servers and laptops into the studio apartment high above San Francisco's Tenderloin neighborhood, and the mass of processors and displays produced a swelter that pulsed through the room. Butler brought in some fans, but they didn't provide much relief. The electric bill was so high that the apartment manager suspected Butler of operating a hydroponic dope farm.

But if Butler was going to control the online underworld, he was going to have to take the heat. For nearly two decades, he had honed his skills as a hacker. He had swiped free calls from local telephone companies and sneaked onto the machines of the US Air Force. Now, in August 2006, he was about to pull off his most audacious gambit yet, taking over the online black markets where cybercriminals bought and sold everything from stolen identities to counterfeiting equipment. Together, these sites accounted for millions of dollars in commerce every year, and Butler had a plan to take control of it all.

Read the whole story here.

Chinese iPod gadget aims to skin Apple




Have you ever wished that your iPod Touch was an iPhone? Now it can be, thanks to a new device called the "Apple Peel 520", created by a Chinese company.

Invented by a 22-year-old programmer who lives in the southern Chinese city of Shenzhen, the gadget consists of a case that fits around the outside of Apple's iPod Touch, a popular media player and Wi-Fi-enabled pocket computer with e-mail, maps and other applications.

The Apple Peel 520 case contains a battery, dock connector and SIM card that allows voice calls. Users will also have to install special software to enable a text messaging function, and to allow the device to properly work with the iPod Touch (users will have to break into the software of the iPod in order to download the necessary applications).

Once installed, the Apple Peel gets around five hours of talk time and 120 hours on standby, according to a review posted on Dailytech.com.

CNN interviewed the inventor of the device via QQ, a popular instant messaging service in China (he declined a phone interview and was only willing to offer his online name: "Maxpy").

When asked why he created the Apple Peel, Maxpy said it boiled down to economics: "Because I love the iPhone, but it's too expensive in China."

Maxpy said he began building the device last April, revealing the final product online about a month ago via a company he started called Yosion Technology.

The iPhone, which was officially launched on the mainland last October, more than two years after its debut in the US, costs between $588 and $740, while an iPod Touch is around $235. The Apple Peel sells for $57.

Analysts said a thriving gray market flooded with fake iPhones smuggled in from Hong Kong and the West has hurt legitimate sales of the Apple smart phone here.

The illegitimate phones are usually cheaper and contain functions, such as wireless Internet, that are not available on phones sold through legal channels.

"All of the potential users already had purchased an iPhone, they had found a way to buy one," Leo Wang, founder of Mobile 2.0 forum, a telecom and mobile organization, told CNN after the China launch of iPhone release last year. "The official iPhone is too expensive."


Whether or not the Apple Peel 520 will appeal to Chinese consumers or have any impact on iPhone sales in the country remains to be seen. So far, according to Maxpy, only around 150 of the devices have been pre-sold on Taobao.com, a popular Chinese e-commerce site. Two were sent to technology websites for review.

While there are plans to mass manufacture the gadget in the future, Maxpy says those plans are on hold until the company can ensure there are no intellectual property right violations.

"We have no detailed plans," he said. "But of course we want to make a profit from it."

Maxpy also said they want to check on Apple's policy on "outside devices" as well as try to reach the company to see if they have any interest in the gadget, asking CNN whether we could put him in touch with Apple CEO Steve Jobs. We could not.

CNN did try to reach Apple representatives in Beijing and Hong Kong. No one was available for comment.

There are also a few technical glitches to be worked out. According to a Chinese review translated into English on M.I.C. Gadget, the Apple Peel does not support 3G, there's a small lag time when calls are made from the iPod Touch and deleting and forwarding text messages is not available, among other minor complaints.

Nevertheless, many say they are impressed with the functionality of the device.

"It is the first time there has been a hardware application that has changed the functionality in such a key way," said Tai-Pan (a pseudonym), editor of the Taiwan-based Shanzai.com. "It is very cheap for someone with an iPod Touch, so there is some kind of value proposition for people who want to save money."

What's more, the Apple Peel also illustrates the evolution of China's massive "shanzhai," or black market, phone industry. Based mostly in Shenzhen, it is an industry characterized by the massive production of copycat mobile phones and other devices, which are sold at lower prices and often with more localized functionality than global brands.

Every year, millions of shanzhai phones are sold throughout China and exported to developing countries, resulting in a major dent in the sales of mainstream manufacturers in those markets, according to the research firm Gartner.

"People are already or will soon be buying not just China-made but China-owned products," said Benjamin Joffe, founder of the Beijing-based mobile and Internet consulting firm Plus8Star.

"Most of Apple's factories are in China, so it is not like China cannot make high-quality products," he said.

"The issue remaining to go up the value chain has been design, marketing and distribution. Chinese companies are learning, acquiring talent and buying what is missing."

Tuesday, October 5, 2010

Russian authorities detain suspected bank carding kingpin

Russian authorities have detained a Ukrainian citizen accused of overseeing a criminal operation that used fraudulent credit cards and passports to siphon large amounts of cash out of banks around the world.

The detention of the unnamed suspect came as Department K of the Russian Interior Ministry stopped the actions of the international criminal group the Ukrainian allegedly led, according to a press release (Google translation here) issued on Monday. The group, which was made up of at least 50 members, siphoned more than $660,000 out of 17 Russian banks between January and June alone.

Russian authorities also confiscated more than 100 counterfeit credit cards and an encoder used to write data to cards' magnetic stripe.

The action comes as authorities in Ukraine, the US, and UK last week rounded up dozens of people suspected of participating in bank fraud related to Zeus, a prolific computer trojan that specializes in stealing banking credentials of its victims. Most of those arrested were accused of being money mules who used fraudulent passports to launder money stolen from compromised accounts. Five of those detained in Ukraine were accused of orchestrating the overarching scheme.

Russian authorities didn't say if those detained were related to the same crime ring, but the activities they're accused of sound remarkably similar. Some of the Russian suspects are accused of using fake passports to mislead bank employees.

Saturday, September 4, 2010

Careers@MTN website INFECTED with MALWARE


URL compromised: http://careers.mtnonline.com
Threat level: HIGH (Do NOT visit for now)

I was going through the site 'Nairaland.com' and came across the 'Jobs & Vacancies' board. A vacancy from MTN caught my attention, and the link redirected me to Careers @ MTN, http://careers.mtnonline.com.

Now, going through the URL http://careers.mtnonline.com, I discovered a script was being called from www.adword71.com (obvious from the loading pane in Firefox). My curiosity got the better of me, so I decided to dig up what I could.



A quick Ctrl+U was done and the result is below.




This means that once you click any link there, the JavaScript file 'b.js' runs.

Now the question is 'WHAT IS b.js?' and 'WHAT DOES IT DO?'

b.js is a malicious JavaScript file that gets executed on a user's PC when the user visits a website infected with it. The script looks for various vulnerabilities specific to the visiting OS and, when it finds one, pulls a .Mov file from the dedicated domain www.adword71.com. That in turn invokes a file which installs a backdoor on the end user's machine. Victims are unlikely to know they've been infected because the installation is seamless and the malware uses few PC resources.

Mode of Attack

The only way this attack could have happened is through SQL INJECTION. The exploit was first seen in 2008 and was written up on SANS: http://isc.sans.edu/diary.html?n&storyid=4294 . After http://careers.mtnonline.com was found to be vulnerable to SQLi, the ‘attacker’ delivered an exploit payload which executed an iterative SQL loop that located every user-created table in the remote database and then appended a malicious client-side script reference (in this case ‘b.js’) to every text column within those tables.

As most database-driven web applications use data from the database to dynamically construct web content, the script would eventually be presented to a user of the compromised site (http://careers.mtnonline.com). The tag instructs any browser that loads the infected page to execute a malicious script (b.js) hosted on a remote server (www.adword71.com). The purpose is to infect as many hosts with malware as possible. As seen in this case, the attack was very SUCCESSFUL.

I am surprised MTN hasn't patched it yet. SQL injection is clearly possible, as this request makes the server throw an ASP.NET error:

Code
departments.asp?id=1’ OR ‘1’=’1
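As an added example (not code from the original post), the same pattern reproduced with Python's sqlite3 module: a lookup that pastes the id into the SQL text, the way the departments.asp request above behaves, beside a parameterised one. The table rows are constructed sample data; only the table name comes from the page.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the site's departments table (sample rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE departments (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO departments VALUES (?, ?)",
                    [(1, "Engineering"), (2, "Finance"), (3, "Legal")])
    return con


def lookup_vulnerable(con, dept_id):
    """Classic ASP pattern: the raw query-string value is spliced into the SQL text,
    so a quote inside the value is parsed as SQL instead of as data."""
    sql = "SELECT name FROM departments WHERE id='" + dept_id + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, dept_id):
    """Parameterised form: the value is bound, never parsed; a non-numeric id matches nothing."""
    rows = con.execute("SELECT name FROM departments WHERE id=?", (dept_id,))
    return [row[0] for row in rows]


def raises_sql_error(fn, con, value):
    """True if the lookup throws a database error (the ASP.NET error the page describes)."""
    try:
        fn(con, value)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    con = build_db()
    payload = "1' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(con, payload))  # every row comes back
    print("safe:      ", lookup_safe(con, payload))        # nothing matches
    print("lone quote errors on the vulnerable path:",
          raises_sql_error(lookup_vulnerable, con, "1'"))
```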




As posted on SANS by Johannes Ullrich, the ‘technical’ analysis is below.

Lets go over this line by line:

First, two variables (T and C) are declared

DECLARE @T VARCHAR(255),@C VARCHAR(255)

Next, we declare a "table_cursor". A table cursor will receive the output of a query line by line. It's essentially a "for" loop over all results returned by the query.

DECLARE Table_Cursor CURSOR FOR

The cursor is defined for the following query:

SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)

This SQL query uses one particular trick: sysobject is a special table in SQL Server. It lists all the other tables available. syscolumns works similar for all columns found in these tables.

The query selects all "objects" with an xtype of "u". These are tables created by the user. System tables (like "sysobjects" and "syscolumns") are ignored. Next, it limits it to columns of type 35 (text), 231 (sysname) and 167 (varchar). These are datatypes that can hold a string of characters.

Our "cursor" will now retrieve all the results, and assign them to the variables "T" (table name) and "C" (column name).


The next SQL statement will use these variables:

BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+
"")

For all values of these selected columns, the malicious javascript is added. As a result, you will see the javascript littered throughout the application. Wherever the website is using a string from the database, the javascript is now added. You frequently see it as part of the title tag.


As in this case, http://careers.mtnonline.com is littered with it.
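As an added example (not code from the post or from the SANS diary), the same walk over user tables and string columns that the T-SQL cursor performs, done defensively in Python with sqlite3: sqlite_master and PRAGMA table_info stand in for sysobjects and syscolumns, the scan counts the values carrying an injected script tag, and the cleanup strips it. The database contents and the example.invalid host are constructed placeholders.

```python
import re
import sqlite3

# Matches the appended tag whatever host it points at (placeholder host used below).
SCRIPT_TAG = re.compile(r"<script\s+src=[^>]*>\s*</script>", re.IGNORECASE)


def build_infected_db():
    """Constructed sample: two user tables whose string columns had the tag appended."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE departments (id INTEGER, name TEXT, blurb VARCHAR(4000))")
    con.execute("CREATE TABLE jobs (id INTEGER, title TEXT, salary REAL)")
    tag = "<script src=http://example.invalid/b.js></script>"  # placeholder host
    con.executemany("INSERT INTO departments VALUES (?,?,?)",
                    [(1, "Engineering" + tag, "Build things" + tag), (2, "Finance" + tag, None)])
    con.executemany("INSERT INTO jobs VALUES (?,?,?)",
                    [(1, "Network Engineer" + tag, 100.0), (2, "Clean title", 90.0)])
    return con


def text_columns(con):
    """Return (table, column) for every string-typed column of every user table,
    the same selection the T-SQL cursor makes over sysobjects/syscolumns."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    found = []
    for table in tables:
        for _cid, col, ctype, *_rest in con.execute(f"PRAGMA table_info('{table}')").fetchall():
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                found.append((table, col))
    return found


def find_injected(con):
    """Count rows per (table, column) whose value carries a script tag."""
    hits = {}
    for table, col in text_columns(con):
        n = con.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" LIKE ?',
                        ("%<script src=%",)).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits


def clean_injected(con):
    """Strip the tag from every affected value, addressing rows by rowid; returns rows rewritten."""
    changed = 0
    for table, col in text_columns(con):
        rows = con.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                           ("%<script src=%",)).fetchall()
        for rowid, value in rows:
            con.execute(f'UPDATE "{table}" SET "{col}"=? WHERE rowid=?',
                        (SCRIPT_TAG.sub("", value), rowid))
            changed += 1
    con.commit()
    return changed
```

Run find_injected before and after clean_injected to confirm the cleanup reached every affected column; on a real site the vulnerable query must be fixed first, or the loop will simply run again.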

A quick virus scan with AVG and VirusTotal shows the following:

1.) AVG

Exploit: Script injection 358 This page probably has a script reference injected into it. Generally, these pages are corrupted, rather than infective, but they are still potentially dangerous. This is known internally as type 358. Risk Category: Exploit Description: XPL's Intelligence Network has detected an exploit. An exploit is a piece of malware code that takes advantage of a vulnerability in a software application, usually the operating system or a web browser to infect a computer. Exploits usually target a computer by means of a drive-by download – the user has no idea that a download has even taken place. XPL recommends NOT visiting this web site regardless if your computer has been patched for the vulnerability. Scanned: Friday, September 03, 2010.



2.) VIRUS TOTAL





CONCLUSION

It's funny that a lot of graduates want that top job at MTN, and that will take them to http://careers.mtnonline.com . Now imagine how many people's computers are currently infected and compromised, as WebsiteOutlook shows mtnonline.com is getting 43257 page views per day. Do NOT visit the site until it gets fixed. Meanwhile, MTN has been contacted; let's hope they do something about it.