[SecurityRatty] tag: rhode

Friday Squid Blogging: Rising Squid Populations off the Coast of Rhode Island

Sun, 13 Jul 2008 03:21:11 +0000

Fake Porn Sites Serving Malware

Wed, 25 Jun 2008 08:16:20 +0000

Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999% uptime. In this very latest example of using malicious doorways redirecting to fake porn sites, consisting of over twenty different domains serving the usual Zlob malware variants, we have a decent abuse of a template for a porn site.

The easy of management of such domain farms and the availability of templates for high trafficked topic segments such as celebrities and pornography, continue contributing to the increasing number of Zlob variants served through fake codecs. Moreover, once set up, the malicious infrastructure starts attracting now just generic search traffic, but also traffic coming from affiliates with whom revenue is shared on the basis of the number of people that downloaded the codec.

In this campaign, the malicious doorway that expands the entire ecosystem is located at search-top.com/in.cgi?5¶meter=drs (66.96.85.113). A redirector that appears to have been operating since 2006, according to this forum posting.

What follows on-the-fly, are all the fake porn sites whose legitimately looking videos attempt to download a Zlob malware variant from a single location - vipcodec.net. Here are all the fake porn sites, and the associated campaigns in this redirection :

watchnenjoy .com/index.php?id=1287&style=white
craziestclips .com/index.php?id=1287&q=
immensevids .com
planetfreepornmovies .com/?t=1&id=1219
poweradult .net/edmund/16551689/1/&id=1219
scan-porn .net/rosalyn/1742941675/1/&id=1219
about-adult .net/emiline/108846601/1/&id=1219
service-porn .com/inde/964842117/1/&id=1219
pleasure-porn .com/elnora/648311952/1/&id=1219
porn-the .net/verge/1734135233/1/&id=1219
porn-pleasure .net/dal/1663381205/1/&id=1219
scan-porn .net/gretchen/515268975/1/&id=1219
abc-adult .com/lillah/1467790484/1/&id=1219
about-adult .net/jenne/434165228/1/&id=1219
look-adult .net/ette/681831796/1/&id=1219
about-adult .net/mime/65729013/1/&id=1219
name-adult .net/alfe/550398461/1/&id=1219
group-adult .net/demerias/867452637/1/&id=1219
useporn .net/rhode/167691118/1/&id=1219
porn-look .net/hephsibah/1254235416/1/&id=1219
scan-porn .net/hence/1684651134/1/&id=1219
abc-adult .com/kendra/371598555/1/&id=1219
name-adult .net/link/1334727639/1/&id=1219
porn-the .net/flo/84660854/1/&id=1219
porn-popular .com/assene/875893411/1/&id=1219
about-adult .net/charlotta/972714195/1/&id=1219
porn-comp .com/orlando/761508522/1/&id=1219
useporn .net/jemima/1405735776/1/&id=1219
about-adult .net/obadiah/263904242/1/&id=1219
group-adult .net/douglas/1110779475/1/&id=1219
porn-look .net/lydde/1844064103/1/&id=1219
pleasure-porn .com/marcia/1627490290/1/&id=1219
service-porn .com/cono/295680123/1/&id=1219
group-adult .net/wes/1733468207/1/&id=1219
abc-adult .com/wib/648341815/1/&id=1219
scan-porn .net/greg/2064937302/1/&id=1219
contact-adult .net/maris/33184936/1/&id=1219
look-adult .net/regina/1273816838/1/&id=1219
abc-adult .com/gwendolyn/869744046/1/&id=1219
service-porn .com/carthaette/1021629112/1/&id=1219
scan-porn .net/ninell/1522355420/1/&id=1219
porn-pleasure .net/waldo/755290223/1/&id=1219
porn-the .net/green/669090607/1/&id=1219
try-adult .com/lula/447057398/1/&id=1219
visit-adult .net/jay/1021153563/1/&id=1219
contact-adult .net/rosa/849017739/1/&id=1219
name-adult .net/hannah/2111126283/1/&id=1219
about-adult .net/robin/2114086747/1/&id=1219
scan-porn .net/geraldine/921262381/1/&id=1219
contact-adult .net/christine/1821111087/1/&id=1219
porn-popular .com/frederica/364993202/1/&id=1219
about-adult .net/kerste/735582753/1/&id=1219
porn-the .net/vine/715820953/1/&id=1219
porn-the .net/newt/1835463160/1/&id=1219
try-adult .com/max/602914725/1/&id=1219
porn-pleasure .net/cille/1420660046/1/&id=1219
poweradult .net/phililpa/178057959/1/&id=1219
name-adult .net/lise/1379126759/1/&id=1219
pleasure-porn .com/marianne/1083617952/1/&id=1219
poweradult .net/emile/1173468576/1/&id=1219
useporn .net/patse/155685496/1/&id=1219
helpporn .net/verna/625840253/1/&id=1219
name-adult .net/aubrey/190928373/1/&id=1219
about-adult .net/alphinias/1345158043/1/&id=1219
useporn .net/rosa/223743611/1/&id=1219
pleasure-porn .com/nerva/1509620489/1/&id=1219
helpporn .net/leet/1619667733/1/&id=1219
about-adult .net/roberta/887345003/1/&id=1219
porn-pleasure .net/tore/1032556395/1/&id=1219
useporn .net/bo/1963737386/1/&id=1219
porn-look .net/karon/136085893/1/&id=1219
poweradult .net/tense/1523522750/1/&id=1219
poweradult .net/hopp/1955964399/1/&id=1219
scan-porn .net/vanne/350822489/1/&id=1219
porn-comp .com/deb/1451360694/1/&id=1219
about-adult .net/moll/1511640690/1/&id=1219
porn-popular .com/obediah/562846948/1/&id=1219
helpporn .net/tamarra/776122096/1/&id=1219
pleasure-porn .com/aristotle/1046422029/1/&id=1219
porn-comp .com/titia/158157566/1/&id=1219
group-adult .net/gay/1297835054/1/&id=1219
porn-look .net/katherine/2136357734/1/&id=1219
helpporn .net/azubah/1197502147/1/&id=1219
porn-comp .com/claes/770105101/1/&id=1219

Associated fake porn sites :

pornbrake .com
sexnitro .net
brakesex .net
pornnitro .net
adultbookings .com
qazsex .com
lightporn .net
delfiporn .net
pornqaz .com
megazporn .com
uinsex .com
xerosex .com
serviceporn .com
aboutadultsex .com
superliveporn .com
bestpriceporn .com
contactporn .net
relatedporn .com
landporno .com
adultsper .com
plus-porn .com
adultstarworld .com
cutadult .com
moviexxxhotel .com
porno-go .com
pornxxxfilm .com
porn-sea .com
review-sex .com
sureadult .com
browseadult .com
network-adult .com
timeadult .com
virtual-sexy .net
funxxxporn .com
loweradult .com
adultfilmsite .com
xxxallvideo .com
custom-sex .com
gallerypictures .net
usaadultvideo .com
adultmovieplus .com
porn-cruise .com
clubxxxvideo .com
mitadult .com
galleryalbum .net
xxxteenfilm .com
hardcorevideosite .com
helpadult .com
portaladult .net
service-sex .com
driveadult .com
access-porno .com
time-sex .com
plus-adult .com
worldadultvideo .com
key-adult .com
estatesex .com
superadultfriend .com
superporncity .com
zero-porno .com
scanadult .com
adultsexpro .com
adultzoneworld .com
porntimeguide .com
usbestporn .com
adulttow .com
look-porn .com
galleryclick .net
micro-sex .com
estatesex .com
try-sex .com
0bucksforpornmovie .com
gays-video-xxx .com
hackthegrid .com
savetop .info
vidsplanet .net
freexxxhere .com
gestkoeporno .com
tv-adult .info
gays-adult-video .com
matures-video .com
analcekc .com
tabletskard .in
molodiedevki .com
dom-porno .com
pornoaziatki .com
latinosvideo .com
geiporno .com
sweetfreeporn .com

If exposing a huge domains portfolio of currently active redirectors has the potential to ruin someone's vacation, then consider someone's vacation ruined already.

Related posts:
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

LPL Financial reports eighteen compromised logons

Tue, 20 May 2008 04:56:31 +0000

Technorati Tag: Security Breach

Date Reported:
5/6/08

Organization:
LPL Financial

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
10,219

Types of Data:
"names, addresses, phone numbers, account numbers, Social Security numbers, and dates of birth"

Breach Description:
LPL Financial recently notified the Maryland State Attorney General of a breach in which "hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL")." The "hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny stocks."

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
Maryland State Attorney General

Response:
From the online source cited above:

We write to advise you of incidents in which hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL").
[Evan] How does a "hacker" compromise usernames and passwords of eighteen people working for the same company? Compromised logon server, spear phishing, malware?

To our knowledge, the hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny stocks.

Attempted transactions were intercepted and either rejected or reversed.

No losses were passed on to customers

Hackers compromised the logon passwords of fourteen financial advisors and four assistants in branch offices located in New Jersey, Illinois, Rhode Island, Pennsylvania, Colorado, Texas, California, Georgia and Connecticut over the course of several months.

These incidents affected approximately 10,219 individuals

The information that was potentially accessible included unencrypted names, addresses and Social Security numbers of customers and non-customer beneficiaries.
[Evan] I don't know the architecture of LPL's network or other infrastructure components, but I question why customers or financial advisors need access to Social Security numbers as part of a trading system. I know that LPL needs to store Social Security numbers for tax and other reporting purposes, but financial advisors, traders and customers don't need access to them.

At this time, LPL has no specific knowledge that any customer information was accessed or misused as a consequence of the breach

We also are unaware of any personal instance of identity theft related to these incidents.

LPL learned of the first incident on July 16, 2007 and took the following actions: (1) notified law enforcement; (2) notified our primary regulator, the Financial Industry Regulatory Authority; (3) investigated the situation; (4) determined what information had been compromised; and (5) notified and offered solutions to the affected individuals.

LPL has taken several important steps to improve its level of data security and compliance

LPL has increased the profile of data security issues within the company at all levels, up to and including senior management.

In March 2008, LPL hired Marc Loewenthal as SVP - Chief Security/Privacy Officer, a newly created position at LPL.
[Evan] This is the first breach notification that I have read that included this type of information. I don't know Mr. Loewenthal (which doesn't say too much), but I do know that he is stepping into a pressure situation.

Mr. Loewenthal has extensive experience in the area of data protection. As a member of senior management, he reports directly to the Chief Risk Officer of LPL.
[Evan] I like when I read about information security personnel occupying "senior management" positions. Effective information security management needs to be as "senior" as possible in order to effect change in the organization. Information security governance is NOT an IT issue, but an organizational issue. There needs to be more good CISOs and CSOs.

In addition, LPL has developed a new, comprehensive information privacy and security program with new policies and procedures that were implemented in April 2008.

In August 2007, LPL engaged the services of Kroll Inc. ("Kroll"), a risk consulting company, to provide various services

In addition, LPL has commenced a project to enhance security on its advisor facing trading and operations systems in September 2007 and expects the project to complete in December 2008.
[Evan] Details are not available, but I would be interested in knowing more. Maybe removal of SSNs from the advisor facing trading systems and two-factor authentication are part of the mix.

Finally, LPL recently engaged the services of Edwards Angell Palmer & Dodge LLP to advise Mr. Loewenthal and LPL's in-house counsel as needed on information privacy and security issues.

LPL Financial is providing affected individuals with credit protection services from Kroll, Inc.

If you have any questions or feel you have an identity theft issue, please call ID TheftSmart at 1-800-588-9839 between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.

If you want to talk to someone at LPL Financial to clarify or discuss the contents of this letter, please call us 1-800-558-7567, option 3 - Customer Service, between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.

We apologize for any inconvenience or concern this situation may cause.

We at LPL Financial believe it is important for you to be fully informed of any potential risk resulting from this incident.

We remain committed to maintaining customer privacy as a key priority and will continue to take the needed steps to protect your information.

Commentary:
What makes this breach so interesting to me is the fact that there were at least 18 points of attack. I don't get the feeling that this was some sophisticated high-tech "hack" of LLP Financial's systems. It is much easier to craft an email or call someone and convince them to give you their login information.

Good luck Mr. Loewenthal, I'm sure you'll do fine!

Past Breaches:
Unknown

Rhode Island Dept. of Administration can't find HR disk

Mon, 24 Mar 2008 12:36:58 +0000

Technorati Tag: Security Breach

Date Reported:
3/21/08

Organization:
State of Rhode Island

Contractor/Consultant/Branch:
Department of Administration

Victims:
State employees

Number Affected:
~1,400

Types of Data:
Human resources records including Social Security numbers

Breach Description:
"A state computer disk containing the social security numbers of nearly 1,400 people has been reported missing."

Reference URL:
SouthCoast Today
WPRI Eyewitness News

Report Credit:
Associated Press

Response:
From the online sources cited above:

A state computer disk containing the Social Security numbers of nearly 1,400 people is missing, the state Department of Administration announced Friday.

The department said there was no evidence that any number had been misused or that the disk had fallen into the hands of an unauthorized person.

It was working with the Rhode Island State Police to find the disk.

"We do not believe that it was stolen, we just believe it was misplaced at this point in time," said Melanie Marcaccio, the department's deputy personnel director. "We don't believe that individuals outside of the organization had any access to that data at any point in that time."
[Evan] Eventually the lost disk will be found. The question is by who and what will they do with it? The sad thing is that the information could cause damage if the answers are wrong.

The majority of the 1,400 people affected are state employees whose Social Security numbers were kept in human resources records

The information was discovered missing within the last two weeks when human resources staff members who had relocated from Providence to Cranston could not find the data on the server

The DOA sent a letter Thursday to all those affected, telling them the disk was missing and urging them to put a fraud alert on their credit file so creditors would contact them before any new accounts opened or any existing accounts changed.

Commentary:
Has anyone seen a disk lying around labeled "State of Rhode Island, Department of Administration - CONFIDENTIAL"?

Sensitive personal information requires more control than this. Was the disk encrypted?

Past Breaches:
Unknown

Thieves steal four Diocese of Providence computers

Mon, 04 Feb 2008 05:48:02 +0000

Technorati Tag: Security Breach

Date Reported:
2/1/08

Organization:
Roman Catholic Diocese of Providence

Contractor/Consultant/Branch:
None

Victims:
Current and former Catholic school employees

Number Affected:
about 5,000

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
Sometime during the weekend of January 27th, 2008 thieves broke into the Chancery of the Roman Catholic Diocese of Providence and stolen four desktop computers, one of which contained sensitive personal information belonging to current and former Catholic school employees.

Reference URL:
The Diocese of Providence online announcement
The Providence Journal online story

Report Credit:
The Diocese of Providence

Response:
From the online sources cited above:

An individual or individuals broke into the Diocesan Office Building (also known as the Chancery) located at One Cathedral Square in Providence. The perpetrator(s) gained access by breaking through an office window in the Catholic School Office suite.

Once in the building, the perpetrators forcibly entered through two locked office doors where they stole desktop computers and other equipment.

The office suite that was burglarized did not have an alarm system
[Evan] It was reported that the Diocese does employ a security guard, but it is not known where he/she was at the time of the break-in. The fact that the timeframe in question is 8 hours (10 PM Friday - 6 AM Saturday) is interesting. Typically security guards are expected to make regular rounds (~ once every hour or two) throughout the area being guarded. Eight hours is a long time for a break-in to go undetected, so an alarm system would have been very beneficial as an alert if not a deterrent.

One of the stolen computers (a desktop computer, not a laptop) contained a substantial amount of data that included personnel information on present and former Catholic school employees throughout the Diocese of Providence.

The Rhode Island State Police have been notified of this incident. Additionally, the Providence Police Department has assumed responsibility for the investigation.

Thus far, the stolen equipment has not been recovered however, the Catholic Schools Office is fully cooperating with law enforcement who are investigating the situation.

Present and former employees of Rhode Island Catholic schools may be affected.

A number of safeguards are in place such as: locked offices, password protected computers, local administrator account password protected, guest accounts disabled.
[Evan] These are all good security practices.

Employees have unique passwords that they are required to change every few weeks
[Evan] Another good security practice, but every few weeks might be a little too often. If we make people change their passwords too often we increase the chances that they will write them down.

Additionally, personal information of students, teachers, parents and others associated with the Catholic Schools Office are prohibited from storage on lap top computers.
[Evan] Yet another good security practice.

Personal information of students and their parents and or guardians was not stored on the stolen equipment.

In addition to notifying current and former employees by letters sent to last known addresses, the Catholic Schools Office has created this page on the web site and established a special phone number, 401/278-4678 to answer inquiries from those who feel they may have been affected

Another diocese office was broken into about a year ago and a computer stolen

“The Catholic schools office sincerely apologizes for any inconvenience this incident may cause its current and former employees,”

Commentary:
Judging from what the Diocese has told us about their security practices it is easy to see that they have made a conscience effort to secure confidential information. They put some sound information security practices to use, but now we understand that it wasn't enough. At least two vital information security controls were missed; data at rest encryption and adequate physical security (alarm system missing). There is no mention as to whether or not the Diocese or Chancery are surveilled.

Past Breaches:
Unknown

Blended Attacks and The Tiger Team

Tue, 08 Jan 2008 00:07:00 +0000

The following caught my eye during a review of the Cisco 2007 Annual Security Report, on page 16:

Blended Attacks Targeting Both Physical and IT Domains
In 2007, criminals demonstrated their evolving ingenuity by employing blended attacks to obtain sensitive information and evade detection. The most significant example of this trend was a string of attacks on Stop & Shop supermarkets in Rhode Island. Attackers broke into and vandalized supermarkets, leading police to believe the events were largely petty crimes. But during the break-ins, attackers tampered with the stores’ card readers to collect credit card information.

Of course, upon reading this there was a stream of attack ideas that occurred to me such as using a break-in as a cover for things like installing WIFI access to networks, card skimmers, key loggers, etc. Shortly after reading the Cisco report, I ran into a post on Black Bag (a physical security blog) about a TV show called Tiger Team. The TV show is about a team of penetration testers who (in addition to being very impressed with themselves) test complex physical security systems. I reviewed the first two episodes (which I have to confess I enjoyed), which are available via streaming video.

Interestingly, in the first two episodes (which is all I have watched so far…) the team always used a blended attack. There is a social engineering and digital attack as a prelude to the actual ‘theft’ in both episodes.

I think few people will face attackers of this sophistication, but the series is interesting nonetheless.

Cheers, Erik

Art of Information Security would love your feedback !

Blended Attacks and “The Tiger Team”