[SecurityRatty] tag: sony

Global Dispatches

Mon, 08 Sep 2008 01:39:28 +0000

The airport in Manchester, England, tests a facial recognition system as part of a nationwide effort to better control the country's borders; and Sony recalls 438,000 laptops because of a problem that could lead to overheating.

Compromised Cpanel Accounts For Sale

Mon, 18 Aug 2008 06:42:50 +0000

Is the once popular in the second quarter of 2007, embedded malware tactic on the verge of irrelevance, and if so, what has contributed to its decline? Have SQL injections executed through botnets turned into the most efficient way to infect hundreds of thousands of legitimate web sites? Depends on who you're dealing with.

A cyber criminal's position in the "underground food chain" can be easily tracked down on the basis of tools and tactics that he's taking advantage of, in fact, some would on purposely misinform on what their actual capabilities are in order not to attract too much attention to their real ones, consisting of high-profile compromises at hundreds of high-profile web sites.

Embedded malware may not be as hot as it used to be in the last quarter of 2007, but thanks to the oversupply of stolen accounting data, certain individuals within the underground ecosystem seem to be abusing entire portfolios of domains on the basis of purchasing access to the compromised accounts. In fact, the oversupply of compromised Cpanel accounts is logically resulting in their decreasing price, with the sellers differentiating their propositions, and charging premium prices based on the site's page ranks and traffic, measured through publicly available services, or through the internal statistics.

SQL injections may be the tactic of choice for the time being, but as long as stolen accounting data consisting of Cpanel logins, and web shells access to misconfigured web servers remain desired underground goods, goold old fashioned embedded malware will continue taking place.

Interestingly, from an economic perspective, the way the seller markets his goods, can greatly influence the way they get abused given he continues offering after-sale services and support. It's blackhat search engine optimization I have in mind, sometimes the tactic of choice especially given its high liquidity in respect to monetizing the compromised access.

The bottom line - for the time being, there's a higher probability that your web properties will get SQL injected, than IFRAME-ed, as it used to be half a year ago, and that's because what used to be a situation where malicious parties would aim at launching a targeted attack at high profile site and abuse the huge traffic it receives, is today's pragmatic reality where a couple of hundred low profile web sites can in fact return more traffic to the cyber criminals, and greatly extend the lifecycle of their campaign taking advantage of the fact the the low profile site owners would remain infected and vulnerable for months to come.

Related posts:
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Injecting IFRAMEs by Abusing Input Validation
Money Mule Recruiters use ASProx's Fast-flux Services
Malware Domains Used in the SQL Injection Attacks
Obfuscating Fast-fluxed SQL Injected Domains
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Summarizing Zero Day's Posts for July

Fri, 08 Aug 2008 10:35:52 +0000

Different audience provokes different approach for communicating a particular event. In case you aren't reading ZDNet's Zero Day, where I blog next to Ryan Naraine and Nathan McFeters - join us.

Also, consider subscribing yourself to my personal RSS feed, or Zero Day's main feed in order to read all the posts. Here's a quick summary of my posts for last month :

01. Blizzard introducing two-factor authentication for WoW gamers
02. Sony PlayStation's site SQL injected, redirecting to rogue security software
03. 300 Lithuanian sites hacked by Russian hackers
04. Antivirus vendor introducing virtual keyboard for secure Ebanking
05. Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers
06. Storm Worm's Independence Day campaign
07. Approximately 800 vulnerabilities discovered in antivirus products
08. $1 Million prize offered for cracking an encryption algorithm
09. U.K's most spammed person receives 44,000 spam emails daily
10. Storm Worm says the U.S have invaded Iran
11. Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails
12. Verizon, Telecom Italia, and Brasil Telecom top the botnet charts in Q2 of 2008
13. XSS worm at Justin.tv infects 2,525 profiles
14. Remote code execution through Intel CPU bugs
15. Ringleader of cybercrime group to be offered a job as cybercrime fighter
16. Spam coming from free email providers increasing
17. Kaspersky's Malaysian site hacked by Turkish hacker
18. Georgia President's web site under DDoS attack from Russian hackers
19. 75% of online banking sites found vulnerable to security design flaws
20. McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position
21. Click fraud in 2nd quarter of 2008 more sophisticated, botnets to blame
22. How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache poisoning vulnerability
23. DNS cache poisoning attacks exploited in the wild
24. The Neosploit cybercrime group abandons its web malware exploitation kit
25. OS fingerprinting Apple's iPhone 2.0 software - a "trivial joke"
26. HD Moore pwned with his own DNS exploit, vulnerable AT&T DNS servers to blame

Smells Like a Copycat SQL Injection In the Wild

Mon, 28 Jul 2008 01:51:23 +0000

In between the massive SQL injections, that as a matter of fact remain ongoing, copycats taking advantage of the very same SQL injection tools using public search engine's indexes as a reconnaissance tools, are also starting to take advantage of localized and targeted attacks, attacking specific online communities. Among these is mx.content-type.cn /day.js using day.js to attempt multiple exploitation using publicly obtainlable exploits such as Adodb.Stream, MPS.StormPlayer, DPClient.Vod, IERPCtl.IERPCtl.1, GLIEDown.IEDown.1, and targeting primarily Chinese web communities.

Compared to a bit more sophisticated attack tactics applied by Chinese hackers, taking advantage of localized versions of the de facto web malware exploitation kits, those who don't have access to such continue using cybercrime 1.0 DIY exploit embedding tools at large. The rest of the SQL injected domains as well as the exploits themselves are parked on the same plaee - 222.216.28.25, also responding to :

down.goodnetads .org
ads.goodnetads .org
real.kav2008 .com
hk.www404 .cn
err.www404 .cn
mx.content-type .cn
sun.63afe561 .info
ads.633f94d3 .info
ads.1234214 .info
ad.50db34d5 .info
ads.50db34d5 .info
ad.8d77b42a .info
web.adsidc .info
free.idcads .info
free.cjads .info
ads.adslooks .info
list.adslooks .info
ad.5iyy .info

The SQL injected domains :
ads.633f94d3.info/day .js
ad.8d77b42a.info/day .js
ad.5iyy.info/day .js
free.idcads.info/day .js
efreesky.com/day .js
v.freefl.info/day .js

The internal structure :
free.idcads.info/f/index .htm
free.idcads.info/014 .htm
free.idcads.info/real11 .htm
free.idcads.info/real10 .htm
free.idcads.info/lz .htm
free.idcads.info/bf .htm
free.idcads.info/kong .htm
free.idcads.info/f/swfobject .js
ad.50db34d5.info//rm%5C/rm .exe

Parked domains responding to the command and control locations, 60.191.223.76 and 222.216.28.100 :
ftp.gggjjj .info
live.ads002 .net
log.goodnetads .org
dat.goodnetads .org
root.51113 .com
sun.update999 .cn
abb.633f94d3 .info
up.50db34d5 .info
web.cn3721 .org
dat.goodnetads .org
cs.rm510 .com
sb.sb941 .com
k.sb941 .com
info.sb941 .com
day.sb941 .com
post.ad9178 .com
v.91tg .net

Centralizing their scammy ecosystem always makes it easier to monitor, keep track of, and of course, expose.

Related posts:
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Obfuscating Fast-fluxed SQL Injected Domains

Thu, 17 Jul 2008 11:31:06 +0000

It's all a matter of how you put it, and putting it like represents a good example of tactical warfare, namely, combining different tactics for the sake of making it harder to keep track of the impact of a particular SQL injection campaign. Consider the following examples of obfuscated domains, naturally being in a fast-flux in the time of the SQL injection that several Chinese script kiddies were taking advantage of :

%6b%6b%36%2e%75%73 - kk6.us
%73%61%79%38%2E%75%73 - s.see9.us
%66%75%63%6B%75%75%2E%75%73 - fuckuu.us
%61%2E%6B%61%34%37%2E%75%73 - a.ka47.us
%61%31%38%38%2E%77%73 - a188.ws
%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D - 3.trojan8.com
%6D%31%31%2E%33%33%32%32%2E%6F%72%67 - m11.3322.org

As always, these obfuscations are just the tip of the iceberg considering the countless number of other URL obfuscations techniques that spammers and phishers used to take advantage of on a large scale. For the time being, one of the main reasons we're not seeing massive SQL injections using such obfuscations is mostly because the feature hasn't been implemented in popular SQL injectors for copycat script kiddies to take advantage of. However, with the potential for evasion of common detection approaches, it's only a matter of personal will for someone to add this extra layer to ensure the survivability of the campaign.

The folks behind these obfuscations are naturally multitasking on several different underground fronts. Take for instance 3.trojan8.com (58.18.33.248) also responding to w2.xnibi.com which is also injected at several domains, w2.xnibi.com/index.gif to be precise. The fake .gif file in the spirit of fake directory listings for acquiring traffic in order to serve malware, is actually attempting to exploit a RealPlayer vulnerability - JS/RealPlr.LB!exploit. The deeper you go, the uglier it gets.

Related posts:
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Scareware runs amok on PlayStation site

Thu, 03 Jul 2008 11:28:35 +0000

Gamers visiting the US Sony PlayStation website risk malware infection after the site was hit by hackers.

Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam

Wed, 02 Jul 2008 14:41:28 +0000

Sony’s USA PlayStation website, a website with a very large number of daily visitors according to Alexa, had been the victim of an SQL injection attack. Sony PlayStation’s site is another high trafficked web site that fall victim into the continuing waves of massive botnets (ASProx botnet for example) SQL injections. The purpose of this wave [...]

Eye-Fi Adds Geotagging, Splits Up Product Line

Fri, 09 May 2008 10:07:15 +0000

The folks who brought us simple Wi-Fi for digital cameras add locations, modify pricing: Eye-Fi developed a supremely simple 2 GB Secure Digital card that can work with any digital camera and transfer photos over known Wi-Fi networks with no effort. Now they've split their original $99 product offering into three items differentiated by features: Eye-Fi Explore, with Wi-Fi-based geotagging ($129); Eye-Fi Share, for uploading to photo-sharing systems ($99); and Eye-Fi Home, which is a cable-replacement service ($79). The Eye-Fi Explore will be available starting 9-June-2008.

The Eye-Fi Explore product relies on Skyhook Wireless's system of analyzing the signal strength of nearby Wi-Fi networks to extrapolate latitude and longitude. Eye-Fi ties that into their system to stamp images with locations. This deal also ties into Wayport's domestic network of 10,000 hotspots, most of which are McDonald's outlets, allowing free uploading via those systems. The purchase price covers one year of hotspot service. You can upgrade an existing Eye-Fi to the new feature for a fee. All three products work with Mac OS X Tiger and Leopard, and Windows XP/Vista.

Because Skyhook needs a live Web connection to look up the Wi-Fi environment, Eye-Fi can store the Wi-Fi snapshot when the picture is taken, and manage inserting the appropriate photo metadata (EXIF format) at upload for Flickr and other services that support geotagging.

Geotagging is a very popular idea, something that I'm quite taken with because it pairs the act of taking a photograph with the location at which the picture is taken, making a digital photograph seem a little less untied to reality. But until now, it's been generally quite involved to match a picture with coordinates. A handful of specialized cameras embed GPS chips, and there's software to facilitate other methods, but the cost and battery drain of GPS chips have apparently so far kept it from being a widely deployed feature, while the wonkiness of alternatives doesn't appeal to mainstream users.

Sony once sold this wacky GPS companion (which I just found out isn't available in either released model) that would track your location over time, and use that information to geotag images via a special software program that let you pair its stream of data with your photographs.

Eye-Fi and Skyhook are doing something almost the same, since the camera isn't capturing the GPS data, and the Eye-Fi isn't applying the information live, much of the time. But it's eminently more usable than the Sony system, because the Eye-Fi handles the assembly seamlessly for you.

Now there's just one thing to worry about. Think about this: McDonald's are everywhere, and nearly all of the U.S. locations have Wi-Fi. The Eye-Fi uploads whenever it can, as long as the camera is turned on. You're geotagging images without any effort. Okay, got it? So...you call in sick to work, and run off to take some photos. Your boss, using RSS to subscribe to your Flickr feed, not only sees your pictures as you wander the town, unknowningly promiscuously uploading them via quick-serve restaurants' networks, but also knows precisely where you are.

This makes me suggest that you might set your Flickr upload preferences to keep images private and your geotagging preferences the same. You can then expose the images you want for public consumption. The Panoptican is...us!

Wayport Tops 10,000 McDonald's Locations

Tue, 29 Apr 2008 05:25:32 +0000

Ten thousand is an arbitrary place to put a stick in the sand, but significant nonetheless: The milestone of 10,000 McDonald's wired up--a few hundred have back access only, due to being stores within WalMart centers--is a vindication of Wayport's long-term strategy, dating back to 2004. Wayport switched at that point from a slightly more public-faced, public-access company to one that understood that back-office operations could be just as valuable, if less sexy, than front-facing consumer networks. Dan Lowden, Wayport's long-time marketing and business development chief, said yesterday, "In a lot of these venues, the back office comes first. The Wi-Fi public access for some is a big priority, but for others it's a nice to have, great thing to have, but the priority is the back office."

Although several other quick-service restaurants like McDonald's lack any comprehensive Wi-Fi plan--Burger King, Wendy's, and Subway to name three of the largest--Wayport is locked out of working with direct competitors. This opens the potential for another firm to handle a several-thousand-location network. Wayport has worked with both McDonald's corporate-owned stores (about 2/3rds of stores in the U.S.), as well as reaching out to franchisees, who Lowden noted pay a predetermined flat rate for the service via McDonald's. "It's made them incredibly efficient to be able to offer this to their franchisees at one price, instead of variable pricing," he noted. Wayport acts as the layer between various telecom providers, applications and services, and the stores.

Wayport provides several kinds of back-office services, although credit-card processing was the first thing htey rolled out. They've extended to remote video feeds for security, Redbox DVD rental systems that are found in some McDonald's, and kiosks used for job applications. Lowden said Wayport offers things as straightforward but critical as a dial-up fail-safe when a broadband connection drops.

Wayport also manages AT&T's hotspot network, which puts them in the unwiring seat for the 7,000-odd Starbucks stores that will converted from T-Mobile to AT&T service during 2008. Wayport was once the clear leader in the hotspot builder market, with T-Mobile in the second position. Now, Wayport will be operating through a direct contract or management agreement over 18,000 hotspots in the U.S.; T-Mobile will likely be the second biggest with a couple thousand locations (Borders and FedEx/Kinko's tops among them). The No. 3 player is hard to figure. Panera?

I've been predicting for some time that media on the edge--music, videos, movies, and games stored on servers on the local Wi-Fi network--will be the next big development in venue-oriented Wi-Fi, with Starbucks likely far in the lead. Lowden wouldn't comment on any specific plans in the works, of course, but said generally, "Storing and caching all that content on the edge...hasn't been leveraged in the past, but it will be in the future to create a very unique experience." At Barnes & Noble, Wayport caches some multimedia data that's available to customers in the stores.

The advantage for in-store media storage is that you can leverage the speed of the local network, and add additional access points to distribute network load. The choke point is no longer the Internet connection, but local network speed. I expect--though Wayport, AT&T, and Starbucks haven't said it--that Starbucks infrastructure will be all 802.11n for this reason, likely with both 2.4 GHz and 5 GHz support for the best throughput in the higher-frequency band for media transactions. (In fact, I wouldn't be surprised if you could only buy movies via 5 GHz.)

Lowden also noted that the proliferation of mobile devices with Wi-Fi built in have led to them reaching out to venues that wouldn't have made sense for them to work with previously, and for unlikely candidates to reach out to them, too. Wayport is now working with a number of healthcare facilities that, while they have their own network infrastructure, wanted to outsource public access Wi-Fi (whether they choose to charge or underwrite it), and certain applications that they're not as experienced with running themselves.

A little history: In 2001 and again in 2004, the heat seemed to be on the public side of Wi-Fi: lots of money to be made, ostensibly, lots of partnerships and venues to be built, and an overcrowded supply of infrastructure builders. The year before, Wayport looked to be an also-ran in the hotspot provider business.

Despite being one of the earliest firms to put Ethernet and then Wi-Fi into hotels, and build out hotspots in airports; and despite their survival of the first hotspot meltdown in 2001 during the dotcom crash and brief venture capital shortage; and despite their early entrance into allowing wholesale pricing for hotspot aggregators; the firm seemed about to be eclipsed by apparently deep-pocketed Cometa (with AT&T, IBM, and Intel in various capital and support roles), Toshiba's mom-and-pop focused turnkey system, and T-Mobile, which had the Starbucks contract. What a difference a year makes.

Cometa, Toshiba, and Wayport contended for the contract to build out back-office and public-access service at McDonald's in the U.S., and Wayport won. Within a few weeks, Toshiba passed its few hundred locations to Cometa, which shut its doors in May 2004. Wayport, meanwhile, had cooked up a strategy for McDonald's that it announced later that month.

Their approach involved a fixed-rate charged for unlimited access by retail network partners for all the locations in their pool. This meant that partners had a fixed cost, instead of a per-session cost, and Wayport could obtain specific revenue even before usage by a partner ramped up. Wayport hasn't discussed the details of this arrangement in depth since, but has partnered with Sony with its Mylo, Nintendo with its DS game player, and ZipIt with its wireless messaging appliance.

The McDonald's deal also apparently gave Wayport a way to extend its work with SBC-later-AT&T; Wayport had earlier in 2004 became the managed-services contractor for SBC to build out The UPS Store/Mailboxes Etc. nationwide. (UPS dropped AT&T as its partner in mid-2007, although that didn't appear to have anything to do with Wayport's role.)

AT&T through Wayport developed its large resold/managed footprint that incorporated resale of Wayport's McDonald's locations with the UPS Store and a few hundred other managed locations, including a handful of airports. The Cingular acquisition of AT&T Wireless put more airports in SBC's hands, too. (SBC was once the 60 percent majority owner of Cingular; when SBC and BellSouth, the other owner, merged that put the newly rebranded AT&T in charge of Cingular which it relabeled as AT&T. Confusing, huh?)

With Vista breached, Linux unbeaten in hacking contest

Fri, 28 Mar 2008 21:00:00 +0000

The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.