As of December 10, 2009 over 132,000 websites have been compromised and are serving up the malicious content.  The attack loads up an Iframe onto the websites via the data returned from the database which eventually leads the user (without there knowledge) to download data from 318x.com which then installats a rootkit-enabled variant of the Buzus backdoor trojan.  The full path of what happens can be found on the link above.

We’ve talked about the securing your website from SQL Injection attacks here, here and here, apparently there are tons of sites out there which haven’t been listening.

Denny

Google has a translation of the article, and the original can be found here.

The power company is question claims that the blackout which hit 18 Brazilian states on Tuesday was not caused by the hackers.  However the timing out the attack and the outage is very suspicious.  This just goes to show that utilities needs to take even more care that other companies to secure there environments to ensure that the services which they provide remain online as peoples live depend on the power staying on.

Based on the results of testing against the sites as reported by Darkreading the standard SQL Injection attack may have been used in this case to attack the site and break in.  One would think that a company as large as a countries power company would be able to have developers which wouldn’t allow SQL Injection attacks.

Denny

In a perfect world this should be done at all layers of your application, both at the front end and at the back end.  At the front end, this is usually easy, as you control the application, and the code that goes into it.  Adding a module like this is pretty easy.  On the back end you’ve got less options available to you.  You are pretty much at the mercy of your database vendor on this one.

However the database vendors have heard our requests for more security in the platforms and they have begun to respond.  As an example Microsoft SQL Server has since the release of SQL Server 2005 included the ability to have the SQL Logons follow the same security requirements as Windows Logons on the Windows Active Directory domain.  (Other database vendors may offer similar features, but as I mostly use Microsoft SQL Server I’m not aware of them.  If you are please feel free to comment below.)

Now with this comes some risk.  Because if you were to enable these settings and someone did try to break into the database server using this account, the account would lock out.  This is both good and bad.  Its good because they aren’t able to continue the attack, however its also bad because your business application isn’t able to log into the database either.

Open source apps such as WordPress are starting to get these features added into them.  There’s a plugin for WordPress called “Login LockDown” which allows the WordPress admin site to lock it self down if the same person gets the password wrong more than n number of times.  The options are totally configurable by the blog owner, so you can set your settings as high or as low as you want.

So, what’s the point of all this you ask?  It’s pretty simple, and it is easier when you look at the math.  Assume you wanted to attack a system which takes 1/10th of a second to check a password.  Using the characters on the standard keyboard (letters, numbers, symbols) you’ve got ~94 characters to work with.  Assuming an 4 character password of say “test” there are 78074896 character combination to try.  Assuming you try all the combination (just to make sure you get the correct password) it will take about 90 days to test all the options.  Now if every 5 failed attempts we lock the account for one hour that test times goes from 90 days to 3012 years (if I’m done my math correctly).

The next question then becomes, why would anyone take 90 days to break my password.  The answer is that they wouldn’t.  They would use more than one machine to reduce that 90 days down to a more manageable number.  If using 10 computers and you break with workload up evenly across the 10 computers that 90 days, is now 9 days.  20 computers will get it done in 4.5 days.  50 computers will get it done in 1.8 days.  All of a sudden by simply throwing a few computers at the problem the password gets broken very quickly.  Now longer passwords will make this take longer, but if you have a system which people really want to break into they could get access to one of the large botnets and have 100,000 computers work on breaking into your site.  Even with a very strong password, it wouldn’t take all that long to brute force your way into your passwords.

The only sure fire way to stop someone from brute forcing there way into your accounts is to lock those accounts after the password has been tried incorrectly several times.  Don’t make the limits to low that your customers can get into there own services, but don’t make them so loose that people can break into those services.

Denny

I just received this text message “First Heritage Bank Alert: Your CARD has been DEACTIVATED. Please contact us at 877-649-1737 to REACTIVATE.”. Now I know this is a scam for a couple of reasons.

1. I don’t have an account with First Heritage Bank
2. A bank wouldn’t text me to have them call me.
3. They’d tell me to call without providing a number, instead telling me to use the number on my card.
4. They’d identify the account which has a problem.

If you see this don’t call them. I’d say report it to your local law enforcement but they probably don’t really care, and probably won’t do anything about it. Good luck if you decide to call your local law enforcement.

Denny

P.s. Sorry for any spelling issues. This was posted from my blackberry. I’ll spell check from home.

When you leave your workstation unlocked you are giving anyone that walks by access to everything on your computer.  Your email, access to the company intranet, etc.  Anything that you have access to without entering a username and password (or that has a saved username and password) they have access to.

Have iTunes installed on your work computer with a credit card saved in it so you can grab the new song that just came out?  So do they.  They could download 10,000 songs on your account and you wouldn’t know it until the next time you opened iTunes or checked your credit card statement.  (I’m assuming that iTunes will save your credit card, I don’t actually use it but you get the idea.)

Have usernames and passwords saved in your browser so you can easily log into various websites like your bank, credit cards, forums, etc?  So does anyone who sits at your computer.

You are probably sitting there thinking to your self, if some strange person was sitting at my desk, someone would notice.  They might, but probably not.  Lots of times I’ve had strange people sitting in my chair waiting for me with no one around to question them.

If you have an office, you aren’t exempt.  Yes I know that you lock your office door at night.  Look around your office, do you have a trash can sitting in there somewhere?  Do you use it?  Is it empty in the morning?  The magic trash can fairy doesn’t clean out your trash.  Someone who makes way to little money to clean up after the slobs in the office (sorry I’m projecting a little here, or depending on your office maybe I’m not) comes in and cleans it out and dusts your desk off.  You know how they get in, either they have a key or the guards open the doors for them.

I know that one company I worked at everyone who had an office would be gone by 7pm.  At about 9pm the security guards would come around and unlock every single office from the lowest manager to the highest C level exec.  I know this because I worked swing there as a Database Engineer for several years (pretty much every department except for Marketing was staffed 24×7 365 days a year).  After the guards would open the offices the cleaning crew would come through and clean all the offices, empty the trash, etc.  Some offices had a window to the inside of the building, some didn’t.  Most had blinds that could be closed for privacy.  Lost of people had only a laptop, many were left at the office on weeknights, and many people had a desktop.  I would say that 80% of offices had a computer in them at night.

How hard would it be for an outside person to pay someone from the cleaning crew $5000 to get them to copy some data to a USB drive, or infect the network with a virus?  That’s probably more than most people on the cleaning crew make in a month for just a few minutes of work.  To most people, especially in this economy this would probably be to much money to pass up.

If a competitor (or an employee for that matter) wanted access to data that was private, and we didn’t have a policy in place to automatically lock the computers, it would have been a piece of cake for someone to sit at a desk and download all sorts of confidential data from the persons computer.  All without anyone knowing about it.

Fortunately at this company we had a policy which required the computers to lock them selves, but many smaller companies don’t enable this feature for one reason or another.

If your computer isn’t locked when you get to work in the morning I urge you to talk to your IT staff and have them enable auto-locking on the company computers.  It’s a slight annoyance to have to unlock your computer in the morning, but it’s much better than having someone walk in and simply take all your personal and corporate data.

Denny

His lawyer claimed that he is “extremely remorseful as to what has happened” in a statement to the AP on Thursday.  Personally I think that he’s remorseful that he was caught, not that he swindled and stole, but that’s just me.

As part of the plea dea Gonzalez must forfeit his computers, home, car and cash, in addition to the $1.1 million that federal agents found buried in his parents back yard.  His girl friend, her father and friends also have to turn over to authorities watches and jewelry which Gonzalez gave them as gifts.

Under the terms of his plea deal Gonzalez will be behind bars for 15 to 25 years (reality 7-10 years with good behavior and early release).  His computer usage will be restricted for 5 years post release (which probably means not a whole hell of a lot).  If convicted at trial Gonzalez could have been sentenced to several hundred years, effectively a life sentence.

May he enjoy the next 7 years of his life in club fed.

Denny

More information about the specifics of the technique can be found in a paper they jointly published.

If you are using WPA 2 you are still safe, for now.

Network World has a good writeup on the paper and the issue at hand.

Denny