The "No Network is 100% Secure" series
- High Value Site Hacks, 2009 edition -
- In the news -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Vulnerability test: There is no malware on this page.
Click on the "How vulnerable am I?" button above to run a (completely safe) test to
see if you are vulnerable to drive-by exploits.
If a new window does NOT open, you are about as safe as you can be, at least until
these hackers come up with some new exploit. Note that you still need to have ALL
of your software (not just the operating system) patched to the latest level,
since there are lots of other ways to pick up trojans and viruses besides visiting
a compromised, infected drive-by web site.
A recent study revealed that the average PC in the USA (including computers in a
corporate environment) has over a dozen current vulnerabilities. And remember,
these hackers only have to exploit one vulnerability and you're hacked! The same
study confirmed that there is an over-dependence on anti-virus software to keep
computers safe. This is an absolute fallacy! AV software is a 1999 solution to a
2009 problem. The drive-by attacks described in this white paper go largely
unnoticed by AV software, because the downloaded payload is typically repacked to
evade signature detection. If your computer failed our vulnerability
test, it's just a matter of when, not if, you get hacked.
Feedback: We value the opinion of IT professionals. If you have comments
about this series of white papers (too detailed, not detailed enough, helpful,
boring, or whatever) we would appreciate hearing from you. The information
contained in these white papers is intended to help IT Managers better
secure their networks. The more on-point our white papers are, the more useful
the information will be to our target audience. Thanks in advance!
Not all hackers attack using the Internet: June 30, 2009. DALLAS (AP) -
Federal prosecutors say a 25-year-old contract security guard accused of hacking into
computers at the clinic where he worked has been arrested. Jesse William McGraw, of
Arlington, is being detained following his arrest Monday afternoon. The U.S. Attorney's
Office says McGraw is the leader of the "Electronik Tribulation Army" hacker group. He
worked for United Protection Services as an overnight shift security guard at the
Carrell Clinic in Dallas. The affidavit alleges McGraw intruded into the clinic
computers that controlled climate and ventilation and those that contained confidential
patient information. Investigators say McGraw planned a massive computer attack for
July 4.
It's not enough to secure your network from an outside intrusion. Current or former
employees, security guards, cleaning people and anyone else who has physical access
to your computers can cause problems too! What does your IT department do to prevent
this and what sort of best practices do you have in place? Do your users use locking
screensavers, BIOS passwords and things of this nature? Are server terminals always
logged in as root? This guy obviously had no difficulty running amok inside the
network although as a contract guard, it's unlikely that he was given his own account
on any of the clinic's computing systems. The time to do a security audit to check on
physical access vulnerabilities is now!
More on being hacked from the inside: July 1, 2009 TENAFLY, N.J. (AP) -- Three
students in New Jersey are accused of hacking into their school's computer system to
access final exams. The Tenafly High School sophomores are charged with theft by
accessing a computer system without authorization. Police say a 16-year-old and a
15-year-old tracked keystrokes to obtain passwords and obtained the geometry, algebra
and humanities exams. Officials say another 15-year-old obtained a teacher's password
from one of the other boys to change his grades.
If any of your users leave their computers turned on over night and don't use
password protected screensavers, they make very attractive targets for miscreants
wishing to install keyloggers.
Search engine hacked!: July 1, 2009 - Torrentreactor, one of the oldest and most
reliable torrent search engines on the Web, has been compromised and injected with
malicious code. The site has been injected with an IFrame leading to a site laden with
exploits. The exploits on the payload site include Internet Explorer (MDAC) and
Microsoft Office Snapshot Viewer, as well as Adobe Acrobat Reader and Adobe Shockwave.
If the user's browser is successfully exploited, a malicious file is downloaded and
run from the exploit site. The malicious file has an extremely low AV detection rate.
The file (MD5: 24bd24f8673e3985fc82edb00b24ba73) is a Trojan Downloader and connects to
a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a
Rootkit installer from the same IP.
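The IFrame injection and the indicators quoted above are things a NOC can check for itself. The following Python script is an added example (it is not code from the original white paper, nor from Torrentreactor or any party named in the news item): it flags hidden third-party iframes in a page's HTML, the usual footprint of a drive-by injection, and matches firewall and AV log lines against the C&C IP and MD5 hash quoted above. The sample page and log lines are constructed for the example; the only real indicators in it are the IP and hash from the news item.

```python
"""
Added example (not from the white paper): two checks a NOC can run against
the kind of compromise described above.

  scan_for_injected_iframes(html, site_host) flags <iframe> tags that are hidden
    (display:none, 0/1 pixel, or pushed off-screen) and point at a host other than
    the site itself: the footprint of an injected drive-by frame.
  match_iocs(lines) walks firewall, proxy or AV log lines and reports any that
    reference the C&C address or file hash quoted in the news item above.

The sample page and log lines are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted in the Torrentreactor item above.
IOCS = {
    "ip": {"78.109.29.116"},
    "md5": {"24bd24f8673e3985fc82edb00b24ba73"},
}


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if width in ("0", "1") or height in ("0", "1"):
        return True
    # Positioned far off-screen, e.g. style="position:absolute;left:-5000px"
    return re.search(r"(left|top):-\d{3,}", style) is not None


def _third_party(src, site_host):
    host = (urlparse(src).hostname or "").lower()
    if not host:
        return False
    return host != site_host and not host.endswith("." + site_host)


def scan_for_injected_iframes(html, site_host):
    """Return the src of every hidden iframe that points away from site_host."""
    parser = IframeCollector()
    parser.feed(html)
    site_host = site_host.lower()
    return [f.get("src", "") for f in parser.iframes
            if _third_party(f.get("src", ""), site_host) and _is_hidden(f)]


def match_iocs(lines, iocs=IOCS):
    """Return (indicator, line) pairs for lines mentioning a known-bad IP or hash."""
    hits = []
    for line in lines:
        low = line.lower()
        for ip in iocs["ip"]:
            # Lookarounds stop 78.109.29.116 from matching inside 78.109.29.1160
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((ip, line))
        for digest in iocs["md5"]:
            if digest in low:
                hits.append((digest, line))
    return hits


# Constructed sample input: a torrent site's page with one legitimate player frame
# and one injected, hidden frame, plus three constructed log lines.
SAMPLE_PAGE = """<html><body>
<h1>Torrent search</h1>
<iframe src="http://www.example.com/player" width="640" height="480"></iframe>
<iframe src="http://evil.invalid/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

SAMPLE_LOGS = [
    "Jul  1 10:02:13 fw1 kernel: ACCEPT SRC=10.1.4.22 DST=78.109.29.116 PROTO=TCP DPT=80",
    "Jul  1 10:02:14 fw1 kernel: ACCEPT SRC=10.1.4.22 DST=198.51.100.20 PROTO=TCP DPT=443",
    "2009-07-01 10:02:20 av1 quarantine file=update.exe md5=24BD24F8673E3985FC82EDB00B24BA73",
]

if __name__ == "__main__":
    for src in scan_for_injected_iframes(SAMPLE_PAGE, "www.example.com"):
        print("hidden third-party iframe:", src)
    for ioc, line in match_iocs(SAMPLE_LOGS):
        print("IOC hit", ioc, "->", line)
```

Run the iframe scan against a copy of your own home page fetched through the proxy (an injected frame is only visible in the served HTML, not in the files on the web server if the injection was done at the application layer), and feed the IOC matcher your outbound firewall log: one ACCEPT to the C&C address means a workstation already ran the downloader.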
More on the nine-ball attack: A Trojan, dubbed FFsearcher, was among the pieces
of malware installed by sites hacked with the Nine-Ball mass compromise, which attacked
some 40,000 Web sites in June, 2009. The Trojan takes advantage of Google's "AdSense
for Search" API, which allows Web sites to embed Google search results alongside the
usual Google AdSense ads. While most search hijackers give themselves away on the
victim's machine by redirecting the browser through some no-name search engine,
FFsearcher does the following: FFsearcher converts every search a victim makes through
Google.com, so that each query is invisibly redirected through the attackers' own Web
sites, via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's
PC and browser so that the victim never actually sees the attacker-controlled Web site
that is hijacking the search, but instead sees the search results as though they were
returned directly from Google.com (and with Google.com in the victim browser's address
bar, not the address of the attacker controlled site). Adding to the stealth is the
fact that search results themselves aren't altered by the attackers, who are merely
going after the referral payments should victims click on any of the displayed ads.
What's more, the attackers aren't diverting clicks or ad revenue away from advertisers
or publishers, as in traditional click fraud: They are simply forcing Google to pay
commissions that it wouldn't otherwise have to pay. Pretty crafty...
Another unpatched Internet Explorer vulnerability: July 6, 2009.
Malicious hackers are currently launching code execution exploits against an
unpatched vulnerability in the Microsoft Video ActiveX Control (msvidctl.dll). The
attacks currently target users of Microsoft's Internet Explorer browser. An
attacker who successfully exploits this vulnerability gains the same user rights
as the logged-on user, which is one more reason not to let your corporate users
operate with Administrator or Power User rights. When using Internet Explorer,
the malicious code executes remotely and may not require any user intervention
beyond visiting a web page. Microsoft says the control has no by-design use inside
Internet Explorer, so it can be disabled (by setting the kill bit on its CLSIDs,
which is what Microsoft's published workaround does) without compatibility issues.
We would strongly advise doing exactly that until a patch ships. This critical
ActiveX vulnerability is (in our opinion) a prime candidate for another
Conficker-scale attack.
SEOUL, South Korea : July 7, 2009. Suspected cyber attacks paralyzed Web sites
of major South Korean government agencies, banks and Internet sites in a barrage that
appeared linked to similar attacks in the U.S., South Korean officials said Tuesday.
The sites of the presidential Blue House, the Defense Ministry, the National Assembly,
Shinhan Bank, Korea Exchange Bank and top Internet portal Naver went down or had access
problems since late Tuesday. The alleged attacks appeared to be linked to the knockout
of service of Web sites of several government agencies in the United States. The U.S.
sites were hit by a widespread and unusually resilient computer attack that began
July 4. In the United States, the Treasury Department, Secret Service, Federal Trade
Commission and Transportation Department Web sites were all down at varying points over
the holiday weekend and into this week, according to officials inside and outside the
government. Some of the sites were still experiencing problems Tuesday evening. Some
of the South Korea sites remained unstable or inaccessible on Wednesday morning. The
paralysis took place because of denial of service attacks, in which floods of computers
all try to connect to a single site at the same time, overwhelming the server that
handles the traffic. There have been no immediate reports of financial damage or
leaking of confidential national information from the alleged cyber attack, which
appeared aimed only at paralyzing Web sites.
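The "floods of computers all try to connect to a single site at the same time" description above is the operational view of a denial of service attack. The following Python check is an added example, not code from the white paper: it runs a sliding window over web server access-log lines and raises one alert for a single flooding host and another when the number of distinct sources inside the window jumps, which is the only signal a distributed attack leaves when each bot keeps its own request rate modest. The log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example; thresholds must be tuned to your own site's baseline.

```python
"""
Added example (not from the white paper): sliding-window rate analysis over
web server access-log lines, for the kind of flood described above.

Two views are kept over the last window_s seconds of traffic:
  * per-source request count, which catches one host flooding on its own;
  * distinct-source count, which is what a distributed flood shows when every
    bot stays below the per-host limit.
Each alert fires once, so a long attack does not produce one line per request.
Log format is the Apache/nginx "combined" format; sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def analyse(lines, window_s=10, per_source_limit=50, distinct_limit=200):
    """Walk time-ordered log lines and return a list of alert tuples:
       ("flood_source", ip, requests_in_window)
       ("distributed_flood", total_requests_in_window, distinct_sources_in_window)
    """
    per_source = defaultdict(deque)   # ip -> timestamps of its requests in the window
    recent = deque()                  # (timestamp, ip) of every request in the window
    in_window = defaultdict(int)      # ip -> its request count inside the window
    alerts, flagged, distributed_seen = [], set(), False

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # malformed line: skip, do not crash mid-attack
        ip, ts = parsed
        window_start = ts - timedelta(seconds=window_s)

        q = per_source[ip]
        q.append(ts)
        while q[0] < window_start:
            q.popleft()

        recent.append((ts, ip))
        in_window[ip] += 1
        while recent[0][0] < window_start:
            _, old_ip = recent.popleft()
            in_window[old_ip] -= 1
            if in_window[old_ip] == 0:
                del in_window[old_ip]

        if len(q) > per_source_limit and ip not in flagged:
            flagged.add(ip)
            alerts.append(("flood_source", ip, len(q)))

        if len(in_window) > distinct_limit and not distributed_seen:
            distributed_seen = True
            alerts.append(("distributed_flood", len(recent), len(in_window)))
    return alerts


def make_sample_log():
    """Constructed sample: a few visitors, one flooding host, then a 250-bot burst."""
    base = datetime(2009, 7, 7, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"')

    for i in range(5):                      # ordinary visitors, one request each
        add(f"192.0.2.{i + 1}", i)
    for i in range(60):                     # single host: 60 requests in 6 seconds
        add("198.51.100.9", 20 + i // 10)
    for i in range(250):                    # 250 bots, two requests each, over 10 seconds
        for _ in range(2):
            add(f"203.0.113.{i + 1}", 60 + (i * 2) // 50)
    return lines


if __name__ == "__main__":
    for alert in analyse(make_sample_log()):
        print(alert)
```

The per-source view is what a firewall rate limit acts on; the distinct-source view is what tells you a rate limit will not help and the upstream provider needs to be called. Run it against a live log with `tail -f` piped into stdin once the thresholds reflect a normal busy hour for the site.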
The Homeland Security Department says there were 5,499 known breaches of U.S.
government computers in 2008, up from 3,928 the previous year, and just 2,172 in 2006.
July 16, 2009 update: The master server used to launch cyber attacks on leading websites
in Korea and the U.S. last week has been traced to a TV contents provider based in
Miami, Florida. A master server is a high-capacity computer that can serve as the
command center when hackers launch cyber attacks. U.K. Internet TV company Global
Digital Broadcasting in a statement Tuesday said, "The master server is located in a
partner company in Miami, Florida, which shares contents with us through a connected
system." In other words, the IP address used to orchestrate the attacks was that of
Global Digital Broadcasting in Britain, as a Vietnamese computer security company
claimed, but the actual server computer was in the data center of Miami-based
Digital Latin America.
Still think you don't need a professional security audit?
Alberta Health Services computer system hack in Edmonton: Electronic medical
records were exposed from May 14-29, 2009 after an attack by new variations of a
Trojan-horse-style virus called Coreflood and Coreflood.C that could have come in via
an e-mail, a laptop or other device, says Bill Trafford, AHS senior VP and CIO. He
adds that Coreflood infected only the Edmonton network, but patient files from anywhere
in Alberta may have been affected. The virus worked by taking sporadic screen shots of
infected computers. "So say somebody was looking at a Word document, it might have
taken a screen shot of that and then that data would be uploaded to a server outside
the AHS network," he said.
HIPAA compliance certification testing and claims of patient record confidentiality
are meaningless if the servers that store this information get hacked! "Oh gee...
we're really sorry" just isn't going to cut it.
Network Solutions web site hack: July 25, 2009.
Hackers have broken into Web servers owned by domain registrar and hosting provider
Network Solutions, planting rogue code that resulted in the compromise of more than
573,000 debit and credit card accounts over the past three months. Herndon, Va. based
Network Solutions discovered in early June that attackers had hacked into Web servers
the company uses to provide e-commerce services - a package that includes everything
from Web hosting to payment processing -- to at least 4,343 customers, mostly
mom-and-pop online stores. The malicious code left behind by the attackers allowed them
to intercept personal and financial information for customers who purchased from those
stores. The payment data stolen was
captured from transactions made between March 12, 2009 and June 8, 2009. Network
Solutions is offering to pay for 12 months of credit monitoring service through Trans
Union for each consumer whose financial and personal data was compromised.
Some International cyber attacks in recent years: April, 2009. The Aurora
vulnerability - A former U.S. government official said that
spies had hacked into the U.S. electric grid and left behind computer programs that
would let them disrupt service, though it was not clear when the breach occurred. The
official said the intrusion was "almost without a doubt" done by state sponsors.
March, 2009. Ghostnet - A Canadian research group concluded that hackers likely based
in China stole sensitive information from thousands of hard drives worldwide and hacked
into the computer system of the Dalai Lama, the spiritual leader of Tibet. China denied
any involvement.
March, 2009. Ghostnet - U.S. Sen. Bill Nelson, D-Florida, said his office computers
were hacked three times by "cyber-invaders thought to be inside China." Nelson, a
member of the Senate's Intelligence, Armed Services and Finance committees, described
one of the incidents as serious, but said he did not believe any sensitive information
was stolen.
In 2008, Georgian government and corporate Web sites began to see "denial of service"
attacks just ahead of the outbreak of war with Russia. The Kremlin denied involvement,
but a group of independent Western computer experts traced domain names and Web site
registration data to conclude that the Russian top security and military intelligence
agencies were involved.
In 2007, alleged Russian hackers crippled government and corporate computer networks in
Estonia for nearly three weeks following deadly riots that were sparked by the
relocation of a Soviet war memorial.
Twitter, Facebook: This is old news, but... Social networking sites such as
Twitter and Facebook have become feeding grounds for cybercrime. A threat report by
net security firm Sophos warns that Web 2.0 companies are too focused on growing their
user bases, at the expense of defending their existing customers from internet risks.
In our opinion, smart IT Managers should prohibit users from accessing these sites
using company computers and should block access on their proxy servers.
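The proxy block recommended above can be done in Squid with a plain `dstdomain` ACL. The following Python script is an added example (it is not from the white paper and is not part of Squid): it implements the same block as a Squid external ACL helper, which is the form to use when the list lives in a file shared by several proxies and is refreshed without reconfiguring Squid, and it adds the check a name-based block alone misses, a user typing the site's IP address instead of its name. The site names are the ones Sophos lists below; the file path, the squid.conf lines in the docstring and the IP-literal policy are assumptions for the example.

```python
#!/usr/bin/env python3
"""
Added example, not from the white paper or from the Squid project: an external
ACL helper that lets a Squid proxy deny the social networking sites named above.

The simplest way needs no helper at all (assumed squid.conf lines):

    acl social dstdomain .facebook.com .twitter.com .linkedin.com .myspace.com
    http_access deny social

The helper form below is for a list maintained in a file shared by several
proxies.  Assumed squid.conf wiring:

    external_acl_type socialblock ttl=60 negative_ttl=60 %DST /usr/local/bin/social_acl.py
    acl social external socialblock
    http_access deny social

Squid writes one destination host per line to the helper's stdin and expects
"OK" (ACL matches, so the deny applies) or "ERR" (no match) on stdout.
"""
import ipaddress
import sys

BLOCKLIST_FILE = "/etc/squid/social_blocklist.txt"   # assumed path

# Default list in Squid dstdomain style: a leading dot matches the domain itself
# and every subdomain of it.  Names are the sites from the Sophos figures above.
DEFAULT_BLOCKLIST = [".facebook.com", ".twitter.com", ".linkedin.com", ".myspace.com"]


def load_blocklist(path=BLOCKLIST_FILE):
    """Read one pattern per line (blank lines and # comments ignored); fall back to the default."""
    try:
        with open(path) as fh:
            return [ln.strip().lower() for ln in fh if ln.strip() and not ln.startswith("#")]
    except OSError:
        return list(DEFAULT_BLOCKLIST)


def is_blocked(host, blocklist):
    """True if host matches a blocklist pattern, or is a public IP literal."""
    host = host.strip().lower().rstrip(".")      # normalise case and trailing dot
    if not host:
        return False
    # A bare IP in the request is the usual way round a name-based block.  Policy
    # assumed here: browsers may hit internal (private) addresses by IP, never public ones.
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        pass                                      # not an IP literal, match by name
    for entry in blocklist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def main():
    blocklist = load_blocklist()
    for line in sys.stdin:
        host = line.strip()
        if not host:
            continue
        sys.stdout.write("OK\n" if is_blocked(host, blocklist) else "ERR\n")
        sys.stdout.flush()        # Squid waits for each answer; never leave it buffered


if __name__ == "__main__":
    main()
```

The `ttl=60` option lets Squid cache each answer for a minute, so the helper is asked once per host rather than once per request. Test it from a shell by piping a hostname into the script before pointing Squid at it; a helper that hangs or prints anything other than OK/ERR stalls every request that hits the ACL.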
Sophos estimates that a quarter of all business networks have been exposed to spam,
phishing or malware attacks via sites such as Twitter, Facebook, LinkedIn and MySpace.
Web 2.0 companies need to examine their systems and determine how, now that they have
gathered a huge number of members, they will protect their users from virus writers,
identity thieves, spammers and scammers. This is currently not being done. Personally
identifiable information is at risk as a result of constant attacks that the websites
are simply not mature enough to protect against. At a minimum, social networking sites
like Twitter and Facebook need to scan for links to sites hosting malware or promoted
via spam messages. These sites also need to force users to use stronger (harder to
guess) passwords and do more to prevent cross-site scripting attacks.
Figures from Sophos also point to the growth in scareware scams, where users are
tricked into buying rogue security packages of little or no utility on the basis of
false security scans. Sophos picked up an average of fifteen such scareware sites per
day during the first half of 2009, a three-fold increase over the same period last
year. Sophos now catalogues 22.5 million different samples of malware, almost double
the level it recorded in June 2008. Around 40,000 new suspicious files are examined by
security analysts at Sophos every day. The firm discovers an infected webpage once
every 3.6 seconds, on average, four times faster than in the first half of 2008. Two
years ago, 50 per cent of all web-based malware was hosted in China. This figure
dropped to just 14.7 per cent in the first half of this year, with the USA eclipsing
China as the biggest single locus of drive-by-download threats (39.6 per cent).
Compromised US computers also make the single greatest contribution to spam (15.7 per
cent), which cumulatively makes up nine in 10 (89.7 per cent) of all business email.
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
More high value site hacks in the news
Still more 2009 hacks in the news
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
ISO/IEC 27005:2008 Standard for Security Risk Management
Firewall White Paper
Password White Paper
Digital Identification Certificates White Paper
Virus White Paper
Ghostnet White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourcing White Paper
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
Portland, Oregon Network Security Consulting
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified June 25, 2009
Copyright 1990-2009 Easyrider LAN Pro