Swedish home electronics chain “TeknikMagasinet” sells trojan-infected USB memory sticks

According to the Swedish IDG news service, Swedish home electronics chain “TeknikMagasinet” is selling USB memory sticks (ZAP Slider USB 8G) that are/were infected with a trojan.

An angry reader of IDG’s daily IT newspaper “Computer Sweden” contacted them and shared his story. The reader had bought 3 USB memory sticks, all of them in unbroken casings. All 3 USB memory sticks had 60 Megabytes used, and when plugged into a Microsoft Windows Vista computer, the anti-virus application reacted and warned that a trojan was present on the memory stick. Microsoft Windows XP was also used as a test subject, and the anti-virus application reacted on this platform as well.

The reader claimed to have contacted TeknikMagasinet asking for an explanation, but allegedly nobody at the home electronics chain got back to him.

Christian Ekstrand at TeknikMagasinet says that only a small number of USB memory sticks in a particular batch, which TeknikMagasinet manufactures itself in Taiwan, were infected, and that “only 50 USB memory sticks were infected” (as far as he knows). Mr Ekstrand says that he cannot, however, speak about how many, if any, of the TeknikMagasinet customers who bought the particular products were affected by the incident. He also says that this is the first incident in the 4-5 years that TeknikMagasinet has co-operated with the particular plant in Taiwan. Finally, he said that the reason the Computer Sweden reader didn’t hear from TeknikMagasinet was that they weren’t able to reach him, and that they are in no way or form trying to tone down the incident.

Mr Ekstrand goes on to say that “the virus is pretty harmless and for example only tries to steal World of Warcraft login information” and that “the customer should not be at risk if they have an anti-virus program installed” (translating / paraphrasing).

A personal reflection here is that I don’t know if I agree with calling a keylogger that tries to steal information and installs itself automatically a minor issue. Who knows what other information the keylogger can harvest once deployed on a customer’s computer. Would it still be a “minor issue” if the customer ends up losing financial information such as his/her credit card number?

UPDATE: Christian Ekstrand comments in the article’s comment section that the virus came in through a control computer that was used by an employee of the plant to surf privately. Private surfing is prohibited at the plant, Christian says. Check this link for information about the trojan.

Critical Wordpress vulnerability, UPDATE NOW!

It is possible for a malicious site visitor to register a special username and gain administrative privileges on your Wordpress Blog. (Described below)

It is recommended to update now!

Wordpress 2.5 Cookie Integrity Protection Vulnerability

Original release date: 2008-04-25
Last revised: 2008-04-25
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
CVE ID: CVE-2008-1930
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>

Systems Affected:

Wordpress 2.5

Overview:

An attacker, who is able to register a specially crafted username on
a Wordpress 2.5 installation, is able to generate authentication
cookies for other chosen accounts.

This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
integrity protection.

If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.

The vulnerability is fixed in Wordpress 2.5.1

I. Description

Since version 2.5, Wordpress authenticates logged-in users through a
cryptographically protected cookie, based on papers by Fu et al [1]
and Liu et al [2]. This measure was introduced partly in response to
vulnerability CVE-2007-6013 [3,4].

The new cookies are of the form:

"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC

Where:

COOKIEHASH:  MD5 hash of the site URL (to maintain cookie uniqueness)
USERNAME:    The username for the authenticated user
EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
MAC:         HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived
             from a secret and USERNAME . EXPIRY_TIME.

The flaw in this scheme is that USERNAME and EXPIRY_TIME are not
delimited in the MAC calculation. Hence the cookie may be modified,
without altering MAC, provided that the concatenation of USERNAME and
EXPIRY_TIME remains unchanged.

This class of vulnerability, the cryptographic splicing attack, was
commented on by Fu et al [1], but Wordpress does not employ their
recommended defence.

An attacker wishing to exploit this vulnerability would therefore
create an unprivileged account with its username starting with
“admin”. The cookie returned on logging into this account can then be
manipulated so as to be valid for the administrator account.

II. Impact

A remote attacker, who can create an account with specially crafted
username, is able to gain administrator level access to the Wordpress
installation. Through standard techniques, this can be escalated to
arbitrary PHP code execution as the web server system user.

III. Solution

Upgrade to Wordpress 2.5.1

Workarounds:

- De-select “Anyone can register” in the Membership section of
General Settings to disable account creation.

References:

[1] Dos and Don’ts of Client Authentication on the Web,
Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster
http://pdos.csail.mit.edu/papers/webauth:tr.pdf
[2] A Secure Cookie Protocol,
Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013
Steven J. Murdoch,
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
[4] http://trac.wordpress.org/ticket/5367

Timeline:

2008-04-22: security@wordpress.com notified
            Confirmation of receipt received
2008-04-25: Wordpress 2.5.1 released incorporating patch
            Vulnerability notice published

Reference: [Link]
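The splicing flaw in the cookie MAC described in section I of the advisory above, shown as an added example (this is not the advisory’s or Wordpress’s own code): the undelimited MAC of Wordpress 2.5 beside a delimited one, with a verifier demonstrating that the same bytes re-split into different fields pass the first scheme and fail the second. The secret and the key derivation are constructed for the demonstration and only model what the advisory describes.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed secret for this demonstration. Wordpress derives its key from the
# site's secret salt; the derivation below only models the advisory's description.
SECRET = b"constructed-demo-secret"


def _derived_key(data: bytes) -> bytes:
    # Advisory: the HMAC key is derived from a secret and the data being MAC'd.
    return hmac.new(SECRET, data, hashlib.md5).digest()


def mac_undelimited(username: str, expiry: str) -> str:
    """Wordpress 2.5 scheme: HMAC-MD5 over USERNAME . EXPIRY_TIME, no separator."""
    data = (username + expiry).encode()
    return hmac.new(_derived_key(data), data, hashlib.md5).hexdigest()


def mac_delimited(username: str, expiry: str) -> str:
    """Hardened scheme: a separator a username may not contain sits between fields."""
    data = (username + "|" + expiry).encode()
    return hmac.new(_derived_key(data), data, hashlib.md5).hexdigest()


def issue_cookie(username: str, expiry: str, mac_fn: Callable[[str, str], str]) -> str:
    """Build the USERNAME|EXPIRY_TIME|MAC cookie value the server hands out at login."""
    return "|".join([username, expiry, mac_fn(username, expiry)])


def verify_cookie(cookie: str, mac_fn: Callable[[str, str], str]) -> Optional[str]:
    """Return the username the cookie authenticates, or None if the MAC fails."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expiry, mac = parts
    if not hmac.compare_digest(mac, mac_fn(username, expiry)):
        return None
    return username


def resplice_demo(mac_fn: Callable[[str, str], str]) -> Optional[str]:
    """Re-split a cookie issued to 'admin1' so the username field reads 'admin'.

    The characters of USERNAME . EXPIRY_TIME are unchanged, so an undelimited MAC
    still matches; a delimited MAC covers a different byte string and fails.
    """
    issued = issue_cookie("admin1", "1209600000", mac_fn)
    mac = issued.split("|")[2]
    respliced = "|".join(["admin", "11209600000", mac])
    return verify_cookie(respliced, mac_fn)
```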

Who is your social filter?

There’s a lot of talk about “social media” and “social networks” these days, but what I think really makes a difference for many of us is the social filtering made by one or more (sometimes online) friends.

I have a few good friends who are active within a wide range of areas. One is a bleeding-edge kind of software guy (open source / Ubuntu Linux) who both tries out and gives me tips on cool new software for my Ubuntu box (yes, I run both Windows and Ubuntu). Instead of me having to put down time and effort (and sometimes risk) in trying new software, my Linux friend does that job for me.

Another friend is an avid web 2.0 fan who jumps on basically every site out there. Through him I get reviews of what is good or not, and combining this intelligence with the more general buzz I can decipher what is hot or not.

A third friend is an experienced journalist, and he gives me fresh ideas and angles – especially when it comes to politics, but also other fields.

The fourth friend is a security expert, who shares his deep knowledge from within the security community.

The fifth friend… Well, you get the point, right?! The friendship chain of trust is a very good and (most often) trustworthy source of information. This is why it is so important to form social bonds with the right people; this is not something that Google, Facebook or Wikipedia can offer you.

In short: never underestimate the value of personal relationships.

RIAA website moved from Windows to Linux

Via slashdot: xseedit writes “The RIAA has moved their main Web site www.riaa.com from IIS on Win2003 to Apache 2.2.3 on Red Hat. It appears that the move did not go smoothly as it resulted in an 8-hour downtime starting yesterday around noon, according to Netcraft. And the RIAA is still showing a ‘temporarily under construction’ page. They also moved their DNS from the small company that had been hosting them for the past 4 years, Tomorrow’s Solutions Today (TST Inc.), to Mindshift Technologies. One can only guess what happened here, but the move seems to have been sudden and unplanned. They still haven’t moved the riaa.org, riaa.net, and musicunited.org domains — those are still pointing to the TST nameservers that no longer accept queries for those domains. TST Inc. deserves credit, however. They seem to have managed to host the RIAA quite successfully for the past 4 years. Will Mindshift do a better job hosting one of the most reviled, and therefore most attacked, Web sites in the world? I wonder if anybody at the RIAA or TST would care to comment on the reasons behind this sudden move. Could it be that the RIAA is being sued by its hosting provider? Or perhaps the sue-happy organization is suing its provider?”

As seen above, RIAA’s website has moved both server environment and ISP (Internet service provider). Comments on slashdot express the irony they see in RIAA moving from the closed-source environment that is Microsoft Windows Server 2003 to the GPL-licensed Red Hat Enterprise Linux. RIAA is probably one of the prime targets for various attacks (code, DDoS, DoS) on the Internet, and the move to a more resilient environment such as Red Hat Enterprise Linux was probably a necessity in the end. Also, one can figure that they grew out of the resources that their old ISP, Tomorrow’s Solutions Today, could provide.

What do you think was the reason for switching both server environment and ISP?

The Safari web browser released and hacked within 24 hours

After the Mac hack contest announced by CanSecWest in April, Apple has been a popular target for finding security flaws in. I should think that the more a brand sells, the more popular it is to hack…

However, the Safari hack must’ve broken some kind of record: 3 minutes after the public beta of Apple’s Safari browser for Microsoft Windows was released, self-proclaimed security expert Aviv Raff found a serious bug in Safari which makes the browser crash and quite possibly opens it up for exploits.

Raff was clearly unhappy with Apple’s claim that Safari was designed to be “secure from day one” (he called this claim “pathetic”) but he said he wasn’t particularly going after Apple. “I don’t pick just on Apple,” he said. “I’ve posted about Microsoft and Mozilla issues too.”

It is not clear whether this flaw exists in the Mac OS version of Safari.

In other words: do not think that you’ll be secure just because you opt for Apple OS X (or Ubuntu, or… yes, you get it). Apple, in this case, has been having security issues with its products. An example of that is its multimedia player QuickTime, where serious vulnerabilities went for weeks without being patched.

Via PC World

“Level 3 floored by robbery” – Halloween came early this year…

The Register writes:

“Level 3, the supposedly secure back bone provider, has lost all services at its Braham Street data centre thanks to a robbery.

The company refused to speak to the Register this morning but many of its customers have been in touch.

According to Level 3 customers thieves got into the building on Braham Street, E1, and stole core router cards.

An email sent by Level 3 to its customers said only: “There was a security breach in our Braham St gateway early this morning. A number of service affecting cards were removed without authority from live equipment. This has resulted in the loss of IP and voice services to a number of customers at Braham St. We are currently attempting to restore service as quickly as possible. We will issue further updates as information becomes available.”

We were told no spokesperson was available or likely to be available.

Other technology companies hit by the downtime include easyspace.com.

The theft has raised fears that data centres and large IT departments in the City of London could be the target of an organised gang – last month Easynet’s centre on nearby Brick Lane suffered a similar robbery.

In other news BT Broadband suffered a major failure last night.

A spokesman for BT told the Reg: “About 100,000 BT Retail customers lost access late last night but normal service has now been restored. There was an authentication problem with our servers and it was not related to events at Level 3.””

The above is a warning sign to all of you who are looking for the cheapest deal possible. When you pay a little bit extra, you not only pay for better network accessibility but also for physical security at the datacenter where your equipment is standing.

It is most unfortunate if thieves start to target datacenters, as this will drive up the costs of hosting and co-location and bring uncertainty for us customers of these datacenters.

One of my sites, located at Easyspace, was down for a long night because of what was said to be a power failure, though this article, “Mystery surrounds Easynet ‘robbery’”, and the attached customer letter really make me wonder. I know that Easyspace and Easynet aren’t the same company(?), but I can’t help but put two and two together. Perhaps I’m conspiracy-minded, but it is a very fitting coincidence…

Perhaps the problems at Easyspace were linked to the issues with Easynet, I am not sure. But what is serious is that customers were in fact lied to regarding the status of their services. I can understand the “cover-up” from Easynet’s point of view, but they will only lose in the long term by hiding the status of their organization’s services.

Vbportal hacked?

Every user of vbportal (a vBulletin add-on) should check this thread over at The Admin Zone! Apparently the software contains security holes which make it possible for an outsider to edit the content of a site running vbportal as well as the Apache configuration.
