HackrNews

Latest updates of hacking

Archive for March 16th, 2007

Hacking home routers using JavaScript

with one comment

If you haven’t changed the default password on your home router, let this recent threat serve as a reminder.
Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.
The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in “www.mybank.com,” the request could be sent to a similar-looking fake page created to steal sensitive data.
“I have been able to get this to work on Linksys, D-Link and Netgear routers,” Symantec researcher Zulfikar Ramzan said. “You can create one Web site that is able to attack all routers. My feeling is that it is just a matter of time before phishers start using this.”
After a router’s DNS setting is changed, all computers connected to the device will use the DNS server set up by the attacker to find their way on the Internet. DNS functions like the phonebook of the Internet, mapping text-based addresses such as www.news.com to actual numeric Internet Protocol addresses of a Web site.
The attack works on any type of home router, but only if the default router password hasn’t been changed, Ramzan said. The malicious JavaScript code embedded on the attacker’s Web page logs into the router using the default credentials–often as simple as “admin” and “password”–and changes the settings.
“One of the issues is that the set-up steps in the router don’t prompt you to change the password,” Ramzan said. As a result, many people never properly configure their networking gear, he said.
In crafting their proof-of-concept attack code, Ramzan and researchers at Indiana University built upon earlier research that showed how JavaScript could be used for malicious purposes. Jeremiah Grossman, chief technology officer at WhiteHat Security, demonstrated how JavaScript let outside attackers target internal corporate networks.
Grossman is impressed by the Symantec and Indiana University work. “This is very dangerous stuff and could be highly effective if used in the wild,” he said.
Router makers already know of the problems with default passwords as well as other security concerns, they said. Linksys, for example, recommends that customers change the default password during the installation procedure, said Karen Sohl, a representative for the company, a division of Cisco Systems. “We are aware of this,” she said.
On its Web site, Linksys warns users that miscreants are taking advantage of the default passwords. “Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, customize the device’s password so it will be hard to guess,” the company states.
Still, although Linksys’ software recommends the password change, consumers can either plug in their router without running the installation disk or bypass the change screen, keeping the defaults. The company offers detailed information on how to change the router password on its Web site. Netgear and D-Link also recommend password change

Written by Creator

March 16, 2007 at 11:55 AM

MSN Password Stealing Trojan

with 2 comments

Another trojan, this time targeting MSN Live logins. The trojan has been made public by some kind citizen calling himself “Our Godfather” on the BitTorrent network.

The sad thing is…I guess it works and hundreds of people will have installed it.

Malware designed to steal users’ Windows Live Messenger password has been released onto the net. The password stealer was released for download via BitTorrent earlier this week by a hacker using the handle “Our Godfather”.

The malware comes in the form of a 1MB download confirmed by anti-virus firm Sophos as containing a password-stealing Trojan horse. Victims would need to be tricked into downloading and executing the malware, which might be renamed in a bid to disguise its identity, in order for the exploit to work.

It works a bit like the common phishing schemes, but it uses actual software to emulate the MSN Messenger login screen rather than a web-page.

“It displays a fake Windows Live Messenger Login Screen and prompts for login details. Username and password are captured and stored in C:\pas.txt,” explained Sophos senior technology consultant Graham Cluley.

Sophos has named the malware as MSNfake-M and added protection against the code to its security software packages. Other anti-virus firms can be expected to follow suit.

Another reason to use Sophos I guess, they are always ahead of the curve on this stuff.

Written by Creator

March 16, 2007 at 11:31 AM

Hacker steals data from French presidential candidate

without comments

A hacker stole sensitive data from a computer in the offices of French far-right leader Jean-Marie Le Pen, police said, fueling his fears that rivals used it to try and keep him out of the presidential race.

The security breach at Le Pen’s National Front party headquarters comes as the campaign intensified ahead of the April and May election with several candidates facing smear scandals in recent weeks.

Le Pen, who shocked France by finishing second in the 2002 presidential election, is struggling to secure the backing of at least 500 elected officials needed to run this time round.

He says he has been the target of a well-prepared offensive to persuade the officials, including mayors, not to sign and asked police to open an investigation after suspecting that a mole might have leaked the names of his potential backers.

After a visit to the headquarters of his National Front party on Friday, the police said the list of officials who had agreed to back Le Pen had been stolen by a hacker.

The hacker had gained access using an Internet site specializing in breaking entry codes. A National Front employee who used the computer that was hacked into was detained but later released.

News of the electronic break-in came just a week after the Socialist party demanded an investigation into what it said was a spate of burglaries targeting its campaign team.

Le Pen has until March 16 to gain the sponsorship of at least 500 of France’s 42,000 elected representatives, including parliamentarians and mayors, to become a candidate.

He says he is 100 short and has accused a far-right rival of trying to poach his sponsors.

Despite his success in 2002, when he won 16.8 percent of the vote, Le Pen’s National Front party does not have any mayors and he has criss-crossed France for months to find backers.

Supporters of mainstream conservative candidate Nicolas Sarkozy have appeared increasingly uneasy at the prospect of Le Pen being blocked from running.

They believe National Front supporters will prove a vital pool of potential voters in an expected second-round run-off between Sarkozy and Socialist candidate Segolene Royal, and fear a high abstention rate if Le Pen is shut out of the first round.

Among other candidates who may not make the sponsorship grade is anti-globalization leader Jose Bove, who says he has accumulated just 350 signatures. Greens candidate Dominique Voynet says she has 500 pledges, but only 15 returned forms.

The candidates fear some mayors will not come good on their promises and say they need at least 600 pledges to feel safe.

Source: Reuters

© 2007 Reuters Limited. All rights reserved.

Written by Creator

March 16, 2007 at 4:58 AM

Should Microsoft start paying for vulnerabilities?

with one comment

Hackers are starting to agitate for Microsoft to start paying for information on security flaws found in its software products.

The issue surfaced this week after the MSRC (Microsoft Security Response Team) posted a message on the sla.ckers.org message board, calling on third-party researchers to submit vulnerability information directly to Redmond before going public. 

The invitation — which extended to bugs found in all of Microsoft’s online web properties such as *.microsoft.com, *.msn.com and *.live.com — is part of Microsoft’s insistence on the concept of “responsible disclosure,” where researchers give advance notice to affected vendors. But, for the first time, the response from hackers suggests it’s time for Microsoft to offer cash rewards for flaw information.

Immediately after Microsoft’s Sla.ckers.org post, “digi7al64” replied with this:

I propose MS implement a reward system where you agree to pay cash for vulnerabilities found within your domains. The benefit of this, I suggest, would be a flood of vulnerabilities reported the first few months, which would taper off to only 1 or 2 intermittently as new systems come online.

The cost of this type of project would be relatively low, and if you placed a sliding scale on the amount paid (based on the vuln) I’m sure you could get away with it for less than 20-50k all told… which in the big scheme of things is a drop in the ocean for MS.

Information on software defects is considered extremely valuable — vendors use it to improve the quality of their products — but the existing “responsible disclosure” system gives the information for free to software vendors, even those with deep pockets.

The existence of third-party brokers like Verisign’s iDefense VCP and 3Com TippingPoint’s ZDI has validated the market for software flaws and given white hat hackers a place to make money for their work, but there is a growing feeling that the big vendors — especially Microsoft — should set up a bug-bounty program that tangibly rewards external researchers.

Microsoft’s official policy is that responsible disclosure works just fine and that the credit given to bug finders in security bulletins is more than enough, but a burgeoning black market and the spike in zero-day attacks provide proof that the status quo needs fixing.

Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, weighs in:

Now think about this… if given the option, how many of the organizations that have been outed would have gladly paid a voluntary reward for the disclosure and saved themselves the negative press? Probably a fair number would have participated. Also of course, if they choose not to participate, there’s nothing lost and things remain the same. Though if an organization budgeted, say, $10,000, that could help to eliminate a ton of XSS and SQL Injection issues. And at some point vulnerabilities would get much harder to find and system security would improve. Obviously a lot of details would have to be worked out to counteract any extortion or blackmail schemes. I’m not quite ready to begin recommending this approach, but I think it’s worth continuing a dialog over.

Chris Eng, director of security services at Veracode, urges caution, especially when it comes to auditing Web applications:

These posters either don’t realize or are conveniently ignoring the fact that it is illegal to stage unauthorized attacks against these websites to begin with. There are a lot of shady underground economies, but that doesn’t necessarily make them legal or ethical.

Written by Creator

March 16, 2007 at 4:55 AM

Vista vulnerable to ‘Sticky Keys’ backdoor

without comments

From the “neat-find-department” comes word from McAfee that Windows Vista is vulnerable to a Sticky Keys backdoor that could be exploited — under perfect circumstances — to launch malicious executables.

McAfee researcher Vinoo Thomas said the security risk, which is already well-known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys file (%systemroot%\windows\system32\sethc.exe) before executing it.

“Which means you could replace it with another executable and run it by depressing the shift key five times. A popular replacement is “cmd.exe.” After replacement, one could invoke this command prompt at the login prompt without the need to authenticate,” Thomas said in a note posted on the McAfee Avert blog.

Once launched, it is possible to execute explorer.exe without authenticating and get a full desktop running under the credentials of the NT Authority\system account. And from this point on an attacker has full access to the system.

Although this is considered a neat find, it is hardly a critical issue that puts users at risk of remote code execution attacks. For starters, as Thomas himself admits, an attacker must already be logged in as an administrator to replace the executable.

An attacker with full admin rights already owns the box, so it makes little sense to be manipulating executables to exploit a built-in backdoor. McAfee’s Thomas suggests it could still be useful, warning that a determined attacker can always find workarounds to elevate user rights and use the backdoor to create a new user, add the new user to the administrators group via the net command and then use the account to log in legitimately.

Another alarming feature of this backdoor is that an attacker can use this method to bypass login on terminal servers and workstations with remote desktop enabled. Since no third-party tools are being installed on the system and Microsoft’s own files are used to achieve this, it will be difficult for a typical administrator to detect.

[NOTE: Sticky Keys is an accessibility feature to aid handicapped users. It allows the user to press a modifier key, such as Shift, Ctrl, Alt, or the Windows key, and have it remain active until another key is pressed. Windows Vista users can activate the feature by pressing the Shift key five times.]

Source: ZDNet.com

Written by Creator

March 16, 2007 at 4:52 AM