UN Site Compromised, Usernames and Passwords Exposed

• Team Poison attacked and compromised one or more servers at the UN
• The data exposed via pastebin mostly came from UNDP.org, the UN Development Program, but also included the Organisation for Economic Co-operation and Development (OECD), the World Health Organisation (WHO) and the UK’s Office for National Statistics (ONS)
• The UN responded saying “The server goes back to 2007. There are no active passwords listed for those accounts” and “Please note that UNDP.org was not compromised.”
• Even though the UN claims the data is not current, it suggests that passwords are stored in plain text, without salting and hashing, and that no password requirements are enforced. Many of the passwords appeared to be overly short, and did not contain
• Teampoison hackers have previously attacked the RIM/Blackberry website and published private information about former UK Prime Minister Tony Blair
• Teampoison included a message with the pastebin, officially joining Anonymous in Operation Robinhood, against banks and financial institutions

Duqu Attackers Destroyed Their C&C Server, Covered Tracks

• On October 20 at around 18:00 GMT, the root user logged in to a number of Duqu C&C servers and proceeded to destroy /root, /etc, /var/log and some other files
• The attackers securely erased the log files so they could not be recovered
• However, due to the nature of the ext3 file system, some fragments of the logs had been relocated to reduce fragmentation, and these bits were not securely erased. While brute force searching the slack space, Kaspersky Labs was able to find a fragment of sshd.log showing root logins and the source IP address from another server in Germany.
• Researchers followed the trail back to Germany, and used the same technique to find more IP addresses. However the logs were from mid November (and were found in early November), and do not indicate which year. Based on other log files, this server may back been part of the Duqu C&C infrastructure as far back as 2009.
• There is also evidence that the Duqu operators upgrading the OpenSSH that came with CentOS on the server, to the latest versions, 5.8p1 and 5.8p2 when they were released. The attackers also enabled GSSAPIAuthentication on all of their servers. The article below includes more evidence of a possible long lived 0-day exploit for OpenSSH 4.3
• The Duqu C&C network was made up of hacked servers from all over the world, including: Vietnam, India, Germany, Singapore, Switzerland, the UK, the Netherlands, Belgium, and South Korea. Most if not all of the compromised machines were running CentOS
• These servers were used as reverse proxies to the real C&C Mothership, which still has not been identified.
• Very Detailed Analysis of the C&C Servers

Apache Vulnerability Could Expose Internal Systems, Trivial Island Hopping

• A problem with the way Apache handles rewrite rules could allow an attacker to gain access to internal systems that they would not normally be able to reach
• The problem was found while looking at a recent fix to the same vulnerability
• In some specific cases it is still possible to exploit the vulnerability
• The vulnerability only exists if you use mod_rewrite (almost everyone does) and mod_proxy (fewer people do)
• You can work around the issue by changing your rewrite rules slighty

Feedback:

Allan finished the build of his ZFS server and shared the results with us:

Parts List

Photos

Q: What OS
A: FreeBSD 9.0-RC2, Will upgrade to 9.0-RELEASE when it comes out.

Q: What version of ZFS?
A: ZPool 28 and ZFS 5 (ZPool 21 introduces the deduplication system, which isn’t available in FreeBSD 8.2 which only has ZPool 15)

Q: What kind of throughput do you get?
A: Sequential read and write: 600+ megabytes/second. I write out a 16gb file in under 27 seconds. Reading it back took under 2.8 seconds (over 6 gigabytes/sec) because the entire file was stored in the ZFS ARC (Adaptive Replacement Cache)

Q: Power Supplies
A: Redundant 920watt Platinum Level (94%+) Efficient Power Supplies, fed from APC 7900 PDUs

Q: Do you suggest I build a server or buy a server?
A: I usually build, but I am a control freak. Buying can be a good option too

Q: What about the RAID Controller
A: Adaptec 6805, comes with FreeBSD drivers for 6.x, 7.x and 8.x, but not 9.x (because it is not out yet). Luckily, they include the source code, so I was able to compile the driver as a loadable module for 9.x. Adaptec has also submitted the changes to FreeBSD to be included in future releases.

Round-Up

• US judge orders hundreds of sites “de-indexed” from Google, Facebook
• Researchers Crack Blu-Ray Encryption With Cheap Hardware
• Filipino police arrest four suspected AT&T hackers | wfaa.com Dallas – Fort Worth
• YaCy – The Peer to Peer Search Engine
• Twitter buys Moxie Marlinspike’s Mobile Encryption Startup