The scale of this incident somehow reminds me of the whole TJ MAXX fiasco a few years back.

Anyway, this whole scheme sounds like a case of people installed VNC with weak passwords and someone finding it by accident – it doesn’t even seem to have been a targeted hack.

For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

In an indictment unsealed in the US District Court of New Hampshire on December 8, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims.

“This is the crime of the future,” said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, “root them from across the planet, and steal digitally.”

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.

While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.

It seems like there’s a pretty large ring behind this operation, just due to the sheer number of locations compromised and the amount of time it must have taken to install all the malware and logging software.

Plus the network infrastructure that was build to receive the logs via FTP upload, the criminals were pretty smart too – they even ‘backed up’ their stolen data to sendspace just in case their hosting got taken down.

Once they were in, the hackers then deployed a collection of hacking tools to the POS systems, including logging software that recorded all the input into the systems—including credit card scans. They also installed a trojan, xp.exe, onto the systems to provide a back door to reconnect to the systems to allow the installation of additional malware, and prevent any security software updates.

Collected data from the loggers was posted by the malware to FTP “dump” sites on a number of Web servers in the US created with domains they registered through GoDaddy.com using stolen credit card data. In addition to using the stolen data to register their own domains and pay for hosting service, the hackers periodically rounded up the dumped transaction data and moved it to sendspace.com, a file transfer site. Richard James of sendspace.com says that his company cooperated with the FBI in the investigation of the hack. ” Sendspace [is] a file hosting and transfer site used by millions every single day,” he said in an email to Ars Technica,”and as such can indeed be used for activities which are against our TOS and that we do not condone.”

Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines. One of the alleged hackers, Cezar Iulian Butu, was generating counterfeit cards with an embossing machine out of a house in Belgium in October of 2010, and working with a group, used the cards “among other uses [to] place bets at local French ‘tobacco’ shops,” the Justice Department said in its filing. The rest of the stolen data was sold in blocks to other criminals from the Sendspace server.

According to a report by Schuman, Subway’s corporate IT and a credit card company discovered the data breach “almost simultaneously.” Subway Corporate Press Relations Manager Kevin Kane told Ars that “the tech guys who dealt with this moved and put steps in place [to block the theft of data] as soon as they discovered it.” He said the company wouldn’t discuss the measures taken, as “we don’t want to give away the blueprint” to other potential attackers. And Kane added that Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.

It’ll be a pretty interesting case to watch either way, we’ll have to see what else gets discovered (and more importantly released to the public).

Subway corporate IT has taken some measures against this, but as it was franchisee stores that got owned – I don’t honestly see how much they can do. Unless they implement a complete new POS system (which is secure and preferably doesn’t run Windows and connect to the Internet).

POS in this case should well stand for Piece of Shit.

Source: Ars Technica

As a hacker I know, the more information a system gives me straight off the bat – the easier it’s going to be for me to hack it. Well the latest news is that this tactic may not be so bad after all.

Security by obscurity may not be so bad after all, according to a provocative new research paper that questions long-held security maxims.

The Kerckhoffs’ Principle holds that withholding information on how a system works is no security defence. A second accepted principle is that a defender has to defend against all possible attack vectors, whereas the attacker only needs to find one overlooked flaw to be successful, the so-called fortification principle.

However a new research paper from Prof Dusko Pavlovic of Royal Holloway, University of London, applies game theory to the conflict between hackers and security defenders in suggesting system security can be improved by making it difficult for attackers to figure out how their mark works. For example, adding a layer of obfuscation to a software application can make it harder to reverse engineer.

I agree with this, I wouldn’t exactly say this is ground-breaking though – I’ve always believed this. It’s not that I’d use obscurity as a singular defence, but I don’t see how it makes a system any less secure – the fact is from my perspective it definitely makes it harder to attack.

I mean the way in which Pavlovic is looking at it is rather more complex (in terms of a game), but it’s the same idea – if the attacker has less information, he’s going to have a harder time. Surely this all goes way back to Sun Tzu art of war..

Pavlovic compares security to a game in which each side has incomplete information. Far from being powerless against attacks, a defender ought to be able to gain an advantage (or at least level the playing field) by examining an attacker’s behaviour and algorithms while disguising defensive moves. At the same time defenders can benefit by giving away as few clues about their defensive posture as possible, an approach that the security by obscurity principle might suggest is futile.

Public key encryption works on the basis that making the algorithm used to derive a code secret is useless and codes, to be secure, need to be complex enough so that they can’t be unpicked using a brute force attack. As computer power increases we therefore need to increase the length of an encryption key in order outstrip the computational power an attacker might have at his disposal. This still hold true for cryptography, as Pavlovic acknowledges, but may not be case in other scenarios.

Pavlovic argues that an attacker’s logic or programming capabilities, as well as the computing resources at their disposal, might also be limited, suggesting that potential shortcomings in this area can be turned to the advantage of system defenders.

Of course obscurity should never be used in cryptography, that would just be idiotic – but when it comes to defending networks, servers and systems – I’m fine with it as an additional precaution.

I think this might spawn some interesting discussion either way, what do you guys think?

You can read the paper here: Gaming security by obscurity [PDF]

Source: The Register

It’s come quite a long way and the authors are happy to announce that MagicTree version 1.0 has been released and is available for download.

MagicTree is a productivity tool for penetration testers. It allows consolidating data coming from various security tools, query and re-use the data and generate reports. It’s aim is to automate the boring and the mind-numbing work, so you can spend your time hacking.

Version 1.0 includes a lot of bug fixes and a number of new features, such as:

• Support for Acunetix data import
• Support for W3AF data import
• Support for OpenVAS 4 XML format
• Importing data from flat text files
• Simplified manual creation of ports
• Copy/paste and drag and drop support for tree nodes, table view data, queries and tasks
• mt:sort() custom XPath function for sorting data, such as findings, in TableView and reports
• More sophisticated auto-creation of tree nodes. We now support netblocks in various formats (192.168.1.1/24 , 192.168.1.0-192.168.1.255, 192.168.1.0/255.255.255.0), DNS names, IP addresses and URLs.
• Search in output files panel
• Creating cross-references by drag and drop
• Better support for KDE and XFCE desktop environments on Linux. View in Browser and opening reports now works on both.

The full changelog is available here – ChangeLog-1.0.txt

You can download MagicTree v1.0 here:

MagicTree-1.0-build1615.jar

Or read more here.

Basically Coliseum is a framework which allows students to learn web application security through 100% practical hands on training. With the specially crafted web applications ready for you to study, hack and learn from straight away! These web applications known in the system as battles within the arenas are sand-boxed environments that allow the student to benefit from complete user isolation without the need to configure local virtual machines.

The framework also allows the student to create from scratch their own vulnerable web applications which can be shared between the community to enhance the environment, giving everyone new and exciting challenges to continually study, hack and learn from.

Main Points

• 100% hands on training
• Virtual labs: no virtual machines needed
• 14 educational challenges
• Get hints and tips when you are stuck
• Goal based challenges: claim your trophy!
• Multi-platform: play on different targets
• Chat with fellow students during lab time
• Fits our Pentesting courses
• Prepares you for eCPPT certification
• Unlimited access for 1 or 2 months
• Enroll now and start your period later
• Access to our forums for support

This is an extremely practical way of learning more about pen-testing and getting to try out the tools you will have to master in a hands-on and task driven environment.

eLearnSecurity are offering some exclusive bundles for Darknet readers if you are interested in getting on the Coliseum Lab to help during your pen-testing course.

If you want to learn more about the eLearnSecurity penetration testing courses, you can read our reviews here – Pentesting Student or Pentesting Professional and read their article here:

Read this before signing up for any Penetration Testing Course

The discount coupon is DARKNELS-SEPT-30 and discounts the bundles by 5% if used before September 30th:

Professional course + 1 month in Coliseum Lab

Student course + 1 month in Coliseum Lab

Exclusively for Darknet readers you can get a free pass for Coliseum Labs here:

Coliseum Lab Demo

Please note – these offers are only valid BEFORE SEPTEMBER 30th – so don’t hang around.

Now, 2 years down the road, Facebook has decided it’s a good idea to offer up a $500 bounty for exploits reported to the Facebook security team.

They are claiming they will pay out larger amounts for ‘truly significant’ bugs, but they aren’t qualifying that claim with any guidelines or amounts.

Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook’s security team first.

The company is following Google and Mozilla in launching a Web “Bug Bounty” program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they’re truly significant flaws Facebook will pay more, though company executives won’t say how much.

“In the past we’ve focused on name recognition by putting their name up on our page, sending schwag out and using this an avenue for interviews and the recruiting process,” said Alex Rice, Facebook’s product security lead. “We’re extending that now to start paying out monetary rewards.”

On Friday, Facebook will launch a new Whitehat hacking portal where researchers can sign up for the program and report bugs.

Many hackers go public with the software and website flaws they find to gain prestige. Finding an important bug on a widely used website such as Facebook can help make a journeyman hacker’s career, and going to the press with the issue can make him — or her — famous.

They have always credited people who made discovered of insecurities on the Facebook platform and gifted them with t-shirts and other goodies, but this is the first move Facebook has made towards paying for exploits.

It is true though, finding a serious bug in a prestigious web property like Facebook could make someone famous overnight. I would like to see more bounty programs and those bounty programs paying out larger amounts.

Although I have to say I don’t believe a flaw in a social network would be worth that much on the black market (as opposed to say a zero-day in the latest version of Apache).

But talking about the issue before Facebook has had a chance to patch it, can be risky for Facebook users. In recent years, other companies have started these bug bounty programs to encourage hackers to keep quiet about the problems they find until they are patched.

Google pays between $500 and $3,133.70, depending on the severity of the flaw.

Google started to pay for browser bugs in early 2010, and then in November it expanded the program to cover bugs in its Web properties too.

The Web bug bounty program has helped Google uncover a lot of programming errors in the past eight months, most of which have been in Google’s lesser-known products, a company spokesman said this week.

Google sees its Web program as a big success. “We’re very happy with the success of our vulnerability reward program so far. We’ve already given out $300,000 and have seen a variety of interesting bugs,” the spokesman said in an e-mail message.

Facebook’s security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three “actionable bugs,” per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.

Google have given out over $300,000 since they started their program in 2010 – initially it was only for Chrome bugs – but they expanded it to cover all of their web properties and they’ve reaped the rewards by being able to fix all kinds of issues.

I foresee Facebook not having to pay out so much, the site is fairly closed and it’s not as expansive as the Google empire. Plus they don’t have any kind of actual software offering like Chrome.

It’s an interesting program though and I hope it leads to Facebook becoming more secure.

Source: Network World

This is just a reminder that this offer expires in THREE days on June 30th. So you need to grab it now!

COUPON CODE: DARK-ELS-10

You can buy the course now here.

It seems to be a very targeted attack and most likely uses multiple attack vectors rolled into one. The IMF has had to severe network connections with the World Bank as a precaution against further damage. Although they say it’s not linked to RSA SecurID – how can we be sure really?

The main problem with this situation? The IMF hold some EXTREMELY sensitive information about all kinds of nations and their economies.

The International Monetary Fund (IMF) has reportedly become the target of a concerted hack attack.

The resulting breach was severe enough for the economic development agency to temporarily suspend network connections with the World Bank, as a precaution. The link was quickly restored.

According to internal emails leaked to Bloomberg the precautionary disconnection followed the detection of “suspicious file transfers”. “[A] subsequent investigation established that a Fund desktop computer had been compromised and used to access some Fund systems. At this point, we have no reason to believe that any personal information was sought for fraud purposes.”

The IMF reported told staff on or around 8 June that it planned to replace RSA SecurID tokens used for remote authentication. RSA last week publicly offered to replace two factor authentication token after defence contractor Lockheed Martin said it had come under attack from hackers using information gleaned from an earlier high-profile attack on RSA back in March.

However an IMF staffer told the New York Times that the attack on its systems is not linked to the earlier RSA breach. Unconfirmed reports suggest that the IMF was the target of a spear phishing attack designed to plant malware inside its systems.

And the info about it not being linked to RSA SecurID comes from someone who actually works at the IMF, so it should be fairly legitimate info.

As per usual, in these kinds of situations – the IMF isn’t really saying a whole lot about what’s going on – unsurprisingly so. What we do know though is a senior official has stated that it was a “very major breach”.

It wouldn’t surprise me as well if they did get owned by a very accurate, targeted and personalized phishing attack.

If so – and it’s a big if – then the IMF has come under the type of attack previously faced by both a French economics ministry and its Canadian counterpart over recent months. Both the Canadian and French hack coincided with international government leader conferences.

The IMF itself is saying little about the attack other than to confirm that it is under investigation. The motives, much less the identity of attackers, remain unclear.

David Beesley, managing director of security consultancy Network Defence, said that targeted (spear phishing) attacks of the type that might have been launched can be very tricky but not impossible to thwart.

“Spear phishing is difficult to defend against because it primarily targets users not PCs, and the information that attackers can gather from social networking sites makes the phishing emails look very convincing,” Beesley said. “As we’ve seen, it makes these attacks effective against any size of organisation.”

“Really, firms need to use a mix of user education and layered security solutions to defend themselves. Employees should be aware that even plausible-looking emails should be treated with suspicion, and IT teams should look at their AV and anti-spam solutions to try and stop malware propagating,” he added.

So far we don’t know what the hackers were able to access and where the attack originated from (geographically speaking).

And well, it’s extremely unlikely they are going to publish details – because well that just doesn’t happen does it?

We’ll keep our ears to the ground anyway and see if anything else comes to the surface.

Source: The Register

You may remember a while back we reviewed the Penetration Testing – Pro course by eLearnSecurity here – eLearnSecurity – Online Penetration Testing Training and we posted about the course update here – Penetration Testing Course Pro 1.1 – New Version & New Module.

The latest news is they’ve come out with a truly entry level course for ABSOLUTE beginners called Penetration Testing – Student.

It’s basically the definitive online penetration testing training course for beginners. It’s for all those people who e-mail me with no idea where to start, it’s priced competitively and it’s really meant for something starting out fresh.

I think it’s a great initiative as the hardest part of getting into any industry is the very first part, when you don’t even know what you are supposed to be looking for and you can’t start searching because you don’t know the right terms or have the right keywords.

This Penetration Testing – Student caters for that audience, and if you are really serious you can even buy it together in a package with the Penetration Testing – Pro course for only $799USD.

The Course

At a glance, this is what you’ll get from the course:

• Learn preliminary skills
• Learn modern hacking techniques
• Understand how penetration testers work
• Test your skills with engaging quizzes
• Practice your skills with exercises
• Learn how to use the best tools
• 14 Video lessons
• Dedicated forums
• 500+ interactive slides
• Easy to follow: Audio narrations, videos and animations

The course itself is rather different to the normal, formal module based training materials we are used to seeing. It just has two basic paths, one which teaches you about stuff like networking and web app basics – this path is titled preliminary skills. The other branch covers penetration testing, but it’s more of a narrative than straight forward module based approach.

So rather than having a module for information gathering, then one for footprinting/scanning and so on – you follow along the process of a penetration test by step. One of the interesting parts is once you have accomplished the reconnaissance/info gathering part you will be presented with the remote network as it was uncovered in the previous stages as seen here:

At this point you can actually click on whichever workstation or server you want to attack and you will then learn the associated techniques, for example I clicked on the Web Server and was presented with this:

It makes the whole learning process a lot more interactive and keeps it interesting rather than the traditional method with modules and slides – which can get a little dry. Especially for a subject like Penetration Testing where you need to cover so many different topics, tools and techniques.

The courseware itself is very in-depth and I feel it does move slow enough for a beginner to take everything. Of course to get the most out of it (as with any form of studying) anyone taking this course will have to do some learning/searching/research/reading on their own.

Other stuff included is 14 small self assessment quizzes at the end of every chapter and a simple lab to get familiar with some tools – it’s using BackTrack and Metasploitable.

Features wise you can work at your own pace and the software remembers what section/slide you were on so you can resume where you left off. Students can also get access to the eLearnSecurity Coliseum web app hacking lab where they can practice web app hacking topics, when it is released (which should be very soon!).

Conclusion

So overall, what’s the conclusion? I think if you are just starting out, perhaps still studying at University or College this is a great place to start. It’ll get your basics up to scratch and start you out without bombarding you with jargon and technical terms.

If you are already pen-testing, or interning or doing any kind of technical stuff – this isn’t really the course for you. I’d suggest you look at the Penetration Testing – Pro course.

This course will get you up to speed on the basics of networking, the tools available, web applications, web application security and the whole process of pen-testing.

If you are really interested I suggest you sign up now, as a reader of Darknet we are offering you 10% off the course.

COUPON CODE: DARK-ELS-10

Buy the course now!

Please note – this coupon will only work until the end of June (June 30th) – so don’t hang around!

For a demo/free module you can sign-up here:

Penetration Testing – Student Demo

There’s more info here:

Penetration Testing Training Course for Beginners

And you can find the full syllabus for the course here:

Penetration Testing – Student Syllabus [PDF]

It has a sandbox, ASLR and DEP and that’s a pretty heavy combination to keep users safe from malicious software coming in via the web browser. VUPEN (a French infosec consultancy) claims to have broken ALL of these defenses allowing them to execute code using the browser on the latest version of Chrome.

Do bear in mind however as of now this is just a claim, there’s a video of the exploit in action – but that doesn’t prove anything either.

Researchers say they’ve developed attack code that pierces key defenses built into Google’s Chrome browser, allowing them to reliably execute malware on end user machines.

The attack contains two separate exploits so it can bypass the security counter measures, which include address space layout randomization (or ASLR), data execution prevention (or DEP), and a “sandbox” designed to isolate browser functions from core operating-system operations. So far, there have been relatively few reported exploits that can penetrate the sandbox, and that’s one of the reasons the browser has managed to emerge unscathed during the annual Pwn2Own hacker competition for three years in a row.

“While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP,” researchers from France-based Vupen Security wrote in a blog post published on Monday.

The interesting part, and the thing that is causing a lot of debate (as per usual) is the disclosure policy by VUPEN. These guys are not going to tell Google, they say they will tell their clients for attack and defense purposes – but honestly? What good would a working exploit like this be in terms of defense? Unless you can perhaps add it into your IPS/IDS.

The only power/value I can see it having is in attack circumstances and from their attitude it seems like they will sell/rent this exploit out to the highest bidders. Scruples aside I have to say the bounty offered by Google definitely wouldn’t cut it in this case.

The Vupen researchers said they plan to share technical details of the exploit only with government customers “for defensive and offensive security.” Neither Google nor the public will be privy to the specifics.

“We’re unable to verify VUPEN’s claims at this time as we have not received any details from them,” a Google spokesman said. “Should any modifications become necessary, users will be automatically updated to the latest version of Chrome.”

Google to date has awarded more than $150,000 under its bug bounty program, which pays as much as $3133.7 for reports of serious security bugs.

As is typical with attacks that bypass security sandboxes, the Vupen proof-of-concept actually contains two separate exploits, said Chaouki Bekrar, the company’s CEO.

It’s an interesting attack vector if it does really work and if as is claimed – it’s reliable and repeatable. I’d like to see it verified somehow though, but unless Google gets their hands on the code – that’s extremely unlikely.

And well if it is real these two exploits combined into a deadly package would certainly be worth a LOT on the black market. Either way, it’s certainly providing a lot of PR coverage for VUPEN.

Source: The Register

They don’t have a great reputation for testing their software before releasing (the latest 10.2.x versions seem to be causing a LOT of problems on Firefox), so we’ll just have to hope it’s a good patch. They promised the patch for another deadly 0-day back in March, roughly about a month ago.

At least it’s patched now and I truly hope that the latest version also stabilises Flash Player for Firefox.

Adobe today patched a critical vulnerability in Flash Player that the company said criminals were already exploiting with malicious Microsoft Word and Excel documents. On Monday, Adobe acknowledged the bug , said exploits were circulating, and promised to fix the flaw with an emergency update.

Today’s update was Adobe’s second rush patch in less than four weeks. The new version, Flash Player 10.2.159.1, is available for Windows, Mac, Linux and Solaris. Missing from that list is Android, the Google mobile operating system that also runs Flash. A fix for the same flaw will be issued to Android users no later than the week of April 25, said Adobe.

Adobe will patch the popular PDF viewer Adobe Reader that same week. The Flash vulnerability also exists in Reader and the more advanced Acrobat because both include code that renders Flash content embedded in PDF files. Although initial attacks were launched using malicious Word attachments, hackers later expanded the campaign to include malformed Excel files, according to Mila Parkour, the independent security researcher who reported the Flash flaw to Adobe.

Parkour, who has been tracking the attacks for more than a week, has published information about them on her Contagio Malware Dump blog.

There’s no patch yet for the Android version of Flash, but Adobe has promised it will be pushed out by April 25th (next Monday). Incidentally they will also be patching PDF Viewer and Adobe Reader next week as they both render Flash and are also vulnerable to this exploit.

So Flash content embedded in PDF files is a viable vector for infection using this vulnerability, in the wild both Word and Excel files were being used (with embedded Flash files) to exploit the vulnerability.

Some of the earliest messages in the attack tried to get recipients to open the attached Word or Excel files by claiming they offered information on China’s antitrust laws, or a purported Japanese nuclear weapons program. Later messages were more mundane, and posed as corporate reorganization plans or new company contact lists.

Parkour also traced the resulting malware’s “phone-home” communications to a server registered in China, and noted that some of the malicious Word and Excel documents had been originally crafted in Chinese.

Google updated its Chrome browser — which includes a copy of Flash Player — Thursday, fixing not only the Adobe bug but a trio of critical vulnerabilities in the browser’s hardware acceleration technology. Like Internet Explorer and Firefox, Chrome taps the computer’s graphics processor (GPU) to handle some page composition and rendering tasks.

Google usually tags as “critical” only those bugs that attackers could use to escape the browser’s “sandbox,” an anti-exploit technology designed to prevent malicious code from escaping the browser.

Users running other browsers can download the patched version of Flash Player from Adobe’s site.

Google also updated Chrome recently with this Flash Player update and 3 other critical vulnerabilities related to the hardware acceleration in the browser.

I wonder how long it will be until the next critical 0-day vulnerability in Adobe Flash Player is exposed? Perhaps we’ll see another one in May.

And don’t forget to follow us on Twitter @THEdarknet to keep up with other interesting stories as they break.

Source: Network World