This script is used by hundreds of thusands of sites and is quite popular in the WordPress theming community. It was discovered last month that a vulnerability existed within certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212). If you are using a WordPress theme with your mobile WordPress web site then it is highly likely that the Timthumb WordPress Hack can be exploited on your site (depending on when you last updated your theme). The author of the Timthumb script has provided a fix that you should apply to your site now.

It’s Not Personal

Most hacked sites are just black hat SEO scam artists trying to increase their own site ranking for whatever purposes. It’s not personal so don’t panic if you find you have been hacked. Don’t take it personally, they are not out to get you in particular.

Sites being hacked have always been a problem, if yours has never been hacked then consider yourself to be lucky. You have to do your best to make sure this kind of thing doesn’t happen but it still can.

Trusteer reports that an Android variant of Spitmo (SpyEye for mobile) has been discovered.

The methodology sounds familiar for those familiar with ZeuS Mitmo and SpyEye Spitmo: infected computers inject a message into targeted netbanks prompting their customers to install software on their phones. Once Spitmo is installed, the SpyEye attacker is able to monitor incoming SMS and to steal MTAN authentication messages.

More from Trusteer: First SpyEye Attack on Android Mobile Platform now in the Wild

On 13/09/11 At 03:22 PM

The suspect applications cover a variety of topics, including horoscopes, farm and pet games/info and the Chinese calendar, to name a few. Below is a screenshot of the permissions requested by one of these applications:

However some of them do not even look like what they claim to be and eventually crash (probably bad programming):

Before the application crashes however (and usually right after its execution), it will retrieve the phone’s International Mobile Subscriber Identity (IMSI) number, then attempts to connect to a remote site:

- h t t p://mobile.tx.com.cn:[...]/client.[...].do
– h t t p://mobile.tx.com.cn:[...]/client/[...].do

to check if the phone’s IMSI already exists (at time of writing, the remote sites were still accessible).

If the application isn’t able to access the remote site, or the site somehow returns an error response, it will proceed to send out an SMS message.

The SMS sending component first determines the phone’s subscriber ID, then depending on the retrieved information, it will select a different recipient number that it will send the message to.

The SMS body contains the following format:

- 99# [ IMSI ]#android#[ app_specific_string ]

As of the moment, we’re still investigating the implications of the application’s behavior; this may or may not be another example of fraudulent SMS registration for services. Nevertheless, the fact that it automatically sends out an SMS with the phone’s IMSI ID without the user’s awareness or consent is something that is not very desirable.

This is aside from the possible charges incurred and and unwanted identification of the phone’s number (when the other party receives the message).

We will detect these applications as Riskware:Android/MobileTX.A.

For example: In 2003, Saad Echouafni, owner of Orbit Communications (a satellite television reseller), paid for an Ohio botmaster (Richard Roby) to DDoS the websites of two competitors. In 2005, Roby, the botmaster, was convicted of computer crimes in US federal court. Investigation into Roby’s crimes revealed a link to Echouafni and a co-conspirator (Paul Ashley) who also pleaded guilty to related crimes in 2005. Echouafni paid bail and fled US jurisdiction.

Reportedly, at the height of the DDoS attacks, Rapid Satellite and WeaKnees were offline for two weeks. It’s quite an interesting tale and you can read more here: Feds bust DDoS ‘Mafia’, by Kevin Poulsen.

Wow, a DDoS Mafia, circa 2003. But what’s the situation in 2011?

Well — it’s a lot simpler. It’s also more “social”. And it isn’t just about online business anymore.

Today, if you want to hurt a real-world competitor, they don’t even need to have a website, you can just take them off the map.

Google Maps, that is.

Monday’s New York Times has an interesting article on a trending issue: fraudulent “problem reporting” of Google Places.

It seems that numerous small business owners are discovering their businesses are “permanently closed”.

And how does that happen?

Well, here’s F-Secure’s place on Google:

Under the “more” menu is an option to “Report a problem”.

One of the problems that can be reported is that the “Place is permanently closed.”

A couple of submissions will cause the place to be “reported” as closed, but it doesn’t take long before Google labels the place as “permanently closed”. At that point, some business owners are finding it difficult to “re-open” their business.

And if you don’t exist on Google, you might has well not exist in real life.

According to the New York Time’s article, Macadamia Meadows Farm, a bed-and-breakfast in Naalehu, Hawaii suffered a significant decline in business for weeks before the owners discovered their change of status on Google.

Now that’s a subtle (and ingenious) “denial of service” attack.

Google is apparently working to provide better tools and preventions (e-mail alerts), especially so after blogger Mike Blumenthal and a friend closed Google’s HQ on August 15th.

In the meantime, if you haven’t examined the details of your business’s Google place, you might want to do so now. Google Maps is a very popular way for people to search for new businesses, especially via their mobile devices.

You don’t want your business labeled as “closed” and end up losing out on potential new customers.

Somehow, somebody managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for domain name .google.com.

What can you do with such a certificate? Well, you can impersonate Google — assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.

But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.

We saw a similar attack in May (via Certificate reseller instantssl.it in Italy). That case was tied to Iran. So is this one. It’s likely the Government of Iran is using these techniques to monitor local dissidents.

Iran does not have its own Certificate Authority. If they did, they could just issue rogue certificates themselves. But since they don’t, they need such certificates from a widely trusted CA. Such as Diginotar.

How was Diginotar breached? We don’t know yet.

But here’s something we just discovered.

This is a screenshot of the page online right now at https://www.diginotar.nl/Portals/0/Extrance.txt:

Diginotar’s portal has been hacked. Somebody claiming to be an Iranian Hacker has gained access.

This would look like a smoking gun. Obviously this has to be connected somehow to the rogue certificate.

But if you keep looking, you’ll find this page from https://www.diginotar.nl/Portals/0/owned.txt:

Another Iranian hacker group?

If you keep digging deeper, you’ll find that although these web defacements are still live right now, they are not new. Much worse: they were done years ago.

Here’s another one, done in May 2009 by Turkish hackers at https://www.diginotar.nl/Portals/0/fat.txt:

In fact, these hacks are so old, it’s unlikely they are connected to the current problem. Or at least so we hope.

P.S. The news of the whole incident was first broken on Twitter by S. Hamid Kashfi (@hkashfi). He has blogged about man-in-the-middle attacks in Iran already in 2010. Here’s his blog post from May 2010 (via Google Translate).

P.P.S. More on problems with SSL as a whole in one of our previous blog posts.

P.P.P.S. Diginotar’s public statement on the breach is out now. It raises more questions than answers. Diginotar indeed was hacked, on the 19th of July, 2011. The attackers were able to generate several fraudulent certificates, including possibly also EVSSL certificates. But while Diginotar revoked the other rogue certificates, they missed the one issued to Google. Didn’t Diginotar think it’s a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places? And when Diginotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?

Updated to add: As of 5th of September, here’s the list of known domains that the attacker managed to create fake certificates for:

*.*.com
*.*.org
*.10million.org
*.android.com
*.aol.com
*.azadegi.com
*.balatarin.com
*.comodo.com
*.digicert.com
*.globalsign.com
*.google.com
*.JanamFadayeRahbar.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.mozilla.org
*.RamzShekaneBozorg.com
*.SahebeDonyayeDigital.com
*.skype.com
*.startssl.com
*.thawte.com
*.torproject.org
*.walla.co.il
*.windowsupdate.com
*.wordpress.com
addons.mozilla.org
azadegi.com
friends.walla.co.il
login.live.com
login.yahoo.com
my.screenname.aol.com
secure.logmein.com
twitter.com
wordpress.com
www.10million.org
www.balatarin.com
www.cia.gov
www.cybertrust.com
www.Equifax.com
www.facebook.com
www.globalsign.com
www.google.com
www.hamdami.com
www.mossad.gov.il
www.sis.gov.uk
www.update.microsoft.com

In addition, the attacker created rogue certificates for these names:

Comodo Root CA
CyberTrust Root CA
DigiCert Root CA
DigiCert Root CA
Equifax Root CA
Equifax Root CA
GlobalSign Root CA
Thawte Root CA
VeriSign Root CA

Meanwhile, we’ve been busy digging into the details and reading between the lines.

And there’s lots of details to consider:

Wait… there’s more:

Aha! Now this is interesting (Facebook buried a good lead here…):

“This setting has been replaced so that instead of just being about your friends, this now prevents anyone you shared something with from re-sharing it with applications.“

If we are interrupting this correctly — Facebook will now prevent third-party applications from seeing your information via your friends. This is something that the American Civil Liberties Union (ACLU) took issue with already back in December 2009 (the last time that Facebook made similar changes).

The ACLU even created an application to demonstrate just how much access applications have via your friends:

And this is the information that is available by default:

Based on our polling, not many people realize just what this privacy setting controls.

And the only real way to be sure your friend’s third-party applications are blocked is to completely disable Facebook’s “platform”.

Facebook recently began offering refined privacy controls in its Application Settings for what your applications share with your friends. Each individual application’s “App privacy” can be adjusted:

But based on our reading of these new details, it looks as if Facebook is about to take this one step further and will simply prevent all third-party application access via Friends.

And that would be excellent news.

Still, if you have a Facebook account, don’t wait, take the time now to examine your Privacy Settings and adjust the “Info accessible through your friends” in the “Apps, Games, and Websites” section, just to make sure that your settings reflect your personal preferences… before Facebook’s changes are applied.

P.S. to the ACLU: You really should consider decommissioning your “Quizzes” application and delete its page.

The application doesn’t work properly anymore, and you’ve allow the page to become overrun by spam.

Regards.

On 25/08/11 At 12:46 PM

Of these, obviously Windows XP has the weakest security, by far. And Windows XP has the biggest marketshare, too. Globally close to half of all computers still run XP. And today, Windows XP is ten years old. Ten years is an eternity in this business. So it’s no wonder XP’s security architecture is not up to date.

As a result, attackers right now would be stupid* o spend their time and money targetting any other operating system. That makes no sense as long as they have this huge, easy low hanging fruit. Obviously XP is going away.

And Why Would this Bother Mobile Phone Users?

Ever plugged your phone in to your computer to do a file synch, an update or to transfer files? How about hooking your phone up to your homes XP Wi-Fi network? Think about it.

As we can see from this chart, Windows 7 will pass in XP in the near future and will become the most common operating system.

And when XP’s marketshare drops low enough, attackers need to start looking around. Some will focus on Windows 7. Others will look at OS X, Android, iOS and so on. The attackers have never had it so good. The easiest target is also the most common target. This can’t change quick enough.

Do a good deed today. Uninstall an installation of XP.

Knowing that Chinese malware likes to spy, we’ve been keeping an eye out for various functions, such as photo scraping. Stealing photos from a phone could be used for harassment and blackmailing.

We didn’t have to look for long. A member our Threat Response team just found something interesting in a Symbian malware sample.

Here are our analyst’s notes

The code of Trojan:SymbOS/Spinilog.A (md5: b346043b4efb1e9834a87dce44d6d433) includes a class named CMyCameraEngine which inherits and implements the Symbian class MCameraObserver. This enables the trojan to receive control when an image has been captured with the camera. Spinilog.A then encodes the raw bitmap to a JPG, which it saves to the phone’s memory. This feature seems to still be unused and possibly incomplete as the constructor of the CMyCameraEngine class is not called in the code. Other data stolen by the trojan is more traditional such as the content and details of SMS and e-mail messages, phone call details and calendar and contact information.

So while this particular backdoor won’t yet steal your photos, it’s clear which direction we’re headed to.

Hacker collective Anonymous released a “press release” on Saturday announcing OpBritian, a reaction to UK Prime Minister David Cameron’s suggestions that social media should be restricted in a time of crisis.

And while Anonymous states that actions by rioters were “violent”, they have no love for police authority, and so the enemy of my enemy is my friend. Besides promising online hacks, Anonymous has called for rebellion peaceful real-world protests on October 15th.

Meanwhile in the USA, San Francisco Bay Area Rapid Transit (BART) authorities interrupted phone services at some BART stations on August 11th in a move to prevent protesters from disrupting travelers and creating in their words, “unsafe conditions”.

Not surprisingly, or it shouldn’t be, Anonymous announced OpBART, complete with its own modified Bartman logo. And a hack of myBART.org, currently offline, followed in which names, e-mails, and passwords of myBART members where dumped to pastebin.com. OpBART also calls for a real-world peaceful protest at Civic Center station at 17:00 PST (approximately nine hours from now). Of all places, San Francisco may well be the heartland of the Anonymous collective, so it should be interesting to see just how many people attend the gathering, and how it is reported by the USA and UK press.

If today’s OpBART protest turns violent… expect the negative feedback loop to continue.

According to Caspar:

“A normal user doesn’t know how to delete the biometric data. And besides, we have demanded that biometric data be stored with the subject’s express consent.”

Another keyword appears to be “stored” (though… Deutsche Welle’s article also states that no data can be “collected” without consent). Collected or stored biometric data, which is it?

Is on the fly facial recognition analysis legal if the data isn’t retained or stored after it’s used?

In any case, having several self-tagged Wall photos, I decided to test the feature with my own personal Facebook account. (Existing tagged photos is a prerequisite, even if the user hasn’t opted-out. No tagged photos, no biometric data will exist.)

First, I re-enabled my “Suggest photos of me to friends” option in Facebook’s privacy settings.

And then I uploaded a photo:

While Facebook’s photo upload service “detected” two faces, neither of them were “recognized” and no tag suggestions where offered. So it would appear that there’s no hidden biometric “faceprint” of me in Facebook’s databases. Either none was collected between the time when the feature was introduced and I opted-out, or else they deleted what was stored after I disabled the feature.

I ask myself, is Facebook’s biometric data really such a big deal?

Google Images recently released reverse image search. That feature is much more likely to be used in future photo comparisons than any Facebook data that falls “into the wrong hands”. If you have an iPhone/Android device, try Google Goggles and then imagine the Google+ possibilities.

Then there’s current camera technology to consider. My Canon S90 does a very decent job of detecting faces on its own. If a face is detected, the photo’s EXIF metadata includes “SceneCaptureType – Portrait” and the faces are tagged.

And that’s just a start. Some vendors, such as Samsung, have “Smart Face Recognition”, as demonstrated in this video from April 2009. It’s not a far leap at all before our cameras are detecting, recognizing, and tagging faces in our photos at the moment they’re taken. And that includes camera phones: Apple reportedly plans to include facial recognition features in iOS 5.

Mr. Caspar may indeed have legitimate concerns regarding Facebook’s current biometric practices. But what happens if (when) it’s no longer a matter of analysis? If consumers upload photos that contain facial tags, can Facebook then make the suggestion?

It should be noted that Facebook currently strips EXIF metadata from uploaded images. (Kudos.)

Germany (and the EU) has excellent data protection laws. But the law itself cannot hope to forestall the issue of facial recognition forever. The technology exists and policy makers need to address the issue and seek solutions as if biometric data is already freely available.

Because even if legitimate companies can be successfully regulated from storing this type of data, criminals won’t be so restrained. Computing power is cheap, and getting cheaper. The worst case scenario could be unregulated black market search engines providing facial recognition services as a service.

It wouldn’t be the first time such a business model developed.

Be seeing you,
Sean

See also:

Kashmir Hill — If Everyone’s A Celebrity In The Internet Age, Shouldn’t We Expect To Be Recognized By Face?
Alessandro Acquisti — Faces Of Facebook-Or, How The Largest Real ID Database In The World Came To Be

On 10/08/11 At 07:40 PM