South Korea’s SK Telecom hacked, detailed forensics released

• Between July 18th and 25th, SK Telecom’s systems were compromised, and all of their customer records (35 million customers) were compromised. The records included a wealth of information, including username, password, national ID number, name, address, mobile phone number and email address.
• The attack was classified as an Advanced Persistent Threat, the attackers compromised 60 computers at SK Telecom in total, biding their time until they could compromise the database. Data was exchanged between the compromised computers at SK Telecom, and a server at a Taiwanese publishing company that had been compromised by the attackers at an earlier date.
• The attack was very sophisticated, specifically targeted, and also seems to indicate a degree of knowledge about the the target. The well organized attackers managed to compromise the software updates server of another company (ESTsoft) who’s software (ALTools) was used by SK Telecom, then piggyback a trojan in to the secure systems that way. Only computers from SK Telecom received the malicious update.
• The attackers send the compromised data through a number of way points before receiving it, masking the trail and the identities of the attackers. A similar pattern was seen with the RSA APT attack, the attackers uploaded the stolen data to a compromised web server, and once they had removed the data from there, destroyed the server and broke the trail back to them selves.
• Proper code signing, or GPG signing could have prevented this
• Original BBC Article about the attack

Mac OS X Lion may expose your hashed password

• The Directory Services command allows users to search for data about other users on the machine. This is the intended function.
• The problem is that the search results for the current user also include sensitive information, such as the users’ password hash. You are authorized to view this information, because you are the current user.
• However, any application running as that user, could also gain that information, and send it back to an attacker.
• Using the hash, an attacker could perform an offline brute force attack against the password. These attacks have gotten more common and less time consuming with the advent of better parallel computing, cloud computing and high performance GPGPUs.
• My bitcoin mining rig could easily be converting to a password hash cracking rig, especially now that the current value of bitcoin is sagging. If there were a big enough market for cracking hashed passwords, there are now a huge number of highly specialized machines devoted to bitcoin that could be easily switched over.
• The tool can also allow the current user to overwrite their own password hash with a new one, without the need to provide the current plain text password. This means that rather than spend time cracking the password, the attacker could just change the current users password, and then take over the account that way.
• These attacks would require some kind of exploit that allowed the attack to perform the required actions, however we have seen a number of flash, java and general browsers exploits that could allow this.
• The current recommended work around is to chmod the dscl command such that it can only be used by root
• Additional Article

MySQL.com compromised, visitors subject to drive by infection

• The MySQL.com front page was compromised and had malicious code injected in to it.
• The code (usually an iframe) caused a java exploit to be executed against the visitor. The exploit required no interaction or confirmation from the user. This type of attack is know as a ‘drive by infection’, because the user does not have to take any action to become infected.
• Two different trojans were detected being sent to users, Troj/WndRed-C and Troj/Agent-TNV
• Because of the nature of the iframe attack, and the redirect chain the attackers could have easily varied the payload, or selected different payloads based on the platform the user was visiting the site on.
• There are reports of Russian hackers offering to sell admin access to mysql.com for $3000
• Detailed Analysis with malicious source code, video of the infection process
• Article about previous compromise
• When the previous compromise was reported, it was also reported that MySQL.com was subject to a XSS (Cross Site Scripting) attack, where content from another site could be injected in to the MySQL site, subverting the browsers usual ‘Same Origin’ policy. This vulnerability, if not repaired, could have been the source of this latest attack.

Feedback:

Continuing our Home Server Segment – This week we are covering file servers.
Some possible solutions:

• Roll Your Own (UNIX)
• Linux or FreeBSD Based
• Install Samba for SMB Server (allow windows and other OS machines to see your shared files)
• Setup FTP (unencrypted unless you do FTPS (ftp over ssl), high speed, doesn’t play well with NAT, not recommended)
• Configure SSH (provides SCP and SFTP) (encrypted, slightly higher cpu usage, recommended for Internet access)
• Install rsync (originally designed to keep mirrors of source code and websites up to date, allows you to transfer only the differences between files, rather than the entire file) (although it is recommended you do rsync over SSH not via the native protocol)
• Configure NFS (default UNIX file sharing system)
• Build your own iSCSI targets (allows you to mount a remote disk as if it were local, popular in virtualization as it removes a layer of abstraction. required for virtual machines that can be transferred from one host to another.
• Roll Your Own (Windows)
• Windows provides built in support for SMB
• Install Filezilla Server for FTP/FTPs (Alternative: CyberDuck)
• There are some NFS alternatives for windows, but not are not free
• There is an rsync client for windows, or you could use cygwin, same goes for SSH. Similar tools like robocopy and synctoy
• FreeNAS
• FreeBSD Based. Provides: SMB, NFS, FTP, SFTP/SCP, iSCSI (and more)
• Supports ZFS
• Chris’ Previous Coverage of FreeNAS:
• FreeNAS, IN DEPTH
• FreeNAS Vs. HP MediaSmart WHS
• FreeNAS vs Drobo

Round Up:

• To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework
• The NSA Wants Its Own Smartphone
• New Mac OS X Trojan Imuler Hides Inside Malicious PDF
• IBM Seeks Patent On Retailer-Rigged Driving Routes
• Anonymous Goes After the Pepper Spray Cop’s Personal Info

Bitcoin Blaster:

• Merged Mining – What is it?
• Bitcoin version 0.4.0 released
• Bitcoin rigs make excellent food dehydrators
• Bitcoin Market cap this week: $34,861,283 USD