STE WILLIAMS

Cisco goes public with major vulns

Win Spectre Laptop with HP and The Register

Users of Cisco’s Unified Communications Manager, UCM instant messaging and presence, and Prime Central hosted collaboration system need to get busy with patches, after the Borg announced denial-of-service vulnerabilities across all three platforms.

UCM 7.1, Cisco advises, has an improper error handling vulnerability that can be used in denial-of-service. An attacker can hose the system by sending malformed registration messages.


There are also vulns in versions 8.5, 8.6 and 9.0 of UCM: some UDP ports don’t rate-limit properly, and could therefore be hit with high-rate traffic for denial-of-service. The same versions also fail to rate-limit on UDP 5060, the SIP port.

There’s also a buffer overrun vulnerability on UCM 7.1, 8.5, 8.6, 9.0 and 9.1. If exploited, an attacker would be able to run arbitrary commands, corrupt data, and disrupt services on the systems.

UCM’s IM and Presence Service suffers from a memory leak, meaning large numbers of TCP connections to port 5060 or 5061 could DoS the system, requiring a restart.

And finally, Cisco Prime Central for HCS Assurance – a hosted application solution – has three vulnerabilities, all of them exposing the system to denial-of-service attacks. They are, in order:

  • A memory leak under which TCP flooding on vulnerable ports will crash the system;
  • Memory exhaustion vulnerabilities associated with TCP 61615 and 61616, and the Ephemeral Java Port (44444); and
  • A disk exhaustion vulnerability under which a TCP connection flood will fill the disk with error logs.

With no workarounds available, Cisco is advising patches be applied to all affected systems. ®

Free whitepaper : Supercharge your infrastructure

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/21/cisco_goes_public_with_major_vulns/

ASIO beefing up telecoms interception teams


Australia’s security intelligence organisation (ASIO) is hiring a clutch of telecoms intelligence staff.

The agency is after a new “Assistant Director Telecommunications Interception”, a pair of “Telecommunications Investigations Officers” (we’ve linked to the better-paid of the two positions) and also a “Telecommunications Interceptions Specialist”.


The Assistant Director’s job says the successful applicant’s duties will include:

  • Supervision of technical staff involved in the development of telecommunications interception capabilities;
  • Contribute to policy and process development supporting telecommunications interception;
  • Liaison with telecommunications carriers for the development of lawful interception systems;
  • Liaison with industry for the development of specialist systems;
  • Compliance testing of interception solutions;
  • Trouble-shooting system faults; and
  • Development of in-house lawful interception solutions.

Vulture South can’t help but think the wording of those duties implies that new interception tools are contemplated.

Interceptions Specialists will be expected to perform duties including “Development of in-house lawful interception solutions”. Skills needed to score the job include:

  • Previous experience with carrier networks and/or interception systems
  • Project management in an ICT environment
  • Understanding of IP networks (architecture, systems and related protocols)
  • Understanding of the architecture of mobile telephony networks, including SMS, GPRS and LTE
  • Understanding of carrier-level VoIP implementations
  • Exposure to international ICT standards and specifications
  • Knowledge of mark-up languages such as XML and ASN.1
  • Ability to perform and analyse IP captures and perform protocol analysis and network-level problem-solving

The inclusion of LTE seems worth noting: 4G is growing fast in Australia and ASIO will doubtless be keen to monitor traffic on new networks. Intriguingly, “Applicants that have applied for this position in the last 12 months need not reapply,” suggesting this has proved a tough gig to fill.

The job description for the Telecommunications Investigations Officers says the new hires will “join a small team responsible for the collection, processing and dissemination of telecommunications-related data.”

Duties include “Assisting in the preparation and submission of lawful requests to telecommunications providers”, which sounds an awful lot like making warrantless requests for telecommunications metadata. Such requests are controversial because they’re made in their hundreds of thousands each year. If Vulture South’s guess is correct and ASIO feels it needs more people to make the requests, it could signal even greater volumes. Australia’s Greens party has tabled amendments to the Act permitting such requests in the hope of reducing their number.

If you fancy one of these jobs, care to check out the dozen or so other IT roles, or fancy a closer look at ASIO’s hiring trends, its vacancies page is here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/22/asio_beefing_up_telecoms_interception_teams/

Bradley Manning sentenced to 35 years in prison


A military judge has sentenced US Army Private Bradley Manning to 35 years in prison for leaking classified material to Wikileaks.

He was also dishonourably discharged from the Army, busted from private first class to private and will forfeit all pay and allowances.


Manning has built up credit of three and a half years of pre-trial jail time, including 112 days that were given to him after the judge ruled he was “illegally punished” while being held at US Marine base Quantico, reducing his sentence to around 33 years. The Wikileaker has to serve at least a third of his jail sentence before he becomes eligible for parole.

The 25-year-old private first class had been facing up to 90 years in prison for leaking over 700,000 Iraq and Afghanistan battlefield reports and State Department diplomatic cables, along with the video of a US helicopter attack in Baghdad in which a Reuters news photographer and his driver were killed.

The soldier was cleared of the serious charge of “aiding the enemy”, which carries the death penalty, but was found guilty of 20 further charges related to accessing and handing over the documents.

Prosecutors had pushed for at least 60 years of jail time, saying that a longer sentence would dissuade other soldiers from a similar course of action, The Guardian, Associated Press and others reported.

But Manning’s defence attorney David Coombs asked for a sentence of no more than 25 years, one that wouldn’t “rob him of his youth”.

Manning told the court in February that he leaked the information in order to “spark a domestic debate as to the role of the military and foreign policy in general”.

While the prosecution has claimed that his leaks endangered military and diplomatic lives and risked national security, Coombs has consistently painted Manning as a naive youth whose disillusionment with his military life led to the leaks.

Under military law, the verdict and sentence have to be reviewed by the commander of the military district of Washington, currently Major General Jeffrey Buchanan, who could reduce the sentence. Because the sentence includes a dishonourable discharge and confinement for a year or more, the case will be automatically reviewed by the army court of criminal appeals.

Further appeals can be made to the US court of appeals for the armed forces, and the Supreme Court.

Coombs is scheduled to give a press conference about the sentence at 6.30pm BST today. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/21/manning_35_years_jail_wikileaks_assange/

Bank man: System’s down, let’s have coffee. Oh SNAP, where’s all the CASH?


Cybercrooks are running distributed denial of service attacks as a smokescreen to distract bank security staff while they plunder online banking systems, according to a researcher.

Avivah Litan, vice president at Gartner Research, reports that cyber criminals looking to attack financial institutions are getting more ambitious by targeting the internal wire applications of entire banks, instead of individual accounts, and covering their tracks using simultaneous denial of service attacks against bank systems as a distraction.


Fraudulent money transfers have traditionally been pulled off by taking over a mark’s bank account and moving money into accounts of “money mules”. The stolen cash is then passed around between mules until it ends up in the accounts of the cyber criminals. However, Litan says that the latest evolution of these attacks uses DDoSes as a cover for much more damaging attacks:

A new much more ominous attack type has emerged over the past few months – and uses DDoS as its cover. Once the DDoS is underway, this attack involves takeover of the payment switch (eg, wire application) itself via a privileged user account that has access to it. Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.

Considerable financial damage has resulted from these attacks. One rule that banks should institute is to slow down the money transfer system while under a DDoS attack. More generally, a layered fraud prevention and security approach is warranted.

Litan, an expert in financial fraud and banking security who has been covering the sector for years, said that three unnamed US banks lost millions through just this type of distraction-based cyberheist against payment switches over recent months.

“It was a stealth, low-powered DDoS attack, meaning it wasn’t something that knocked their website down for hours,” he told SC Magazine.

One popular DDoS toolkit, dubbed Dirt Jumper, which has been linked to extortion-based DDoS attacks against gambling sites, has recently been used in attacks against banks that occurred shortly after fraudulent wire transfers.

A report by Dell SecureWorks published in April 2013 explains that Dirt Jumper creates a botnet of compromised machines that can be used to swamp targeted websites with junk traffic. Dirt Jumper (or later variants dubbed Pandora) is readily accessible online through underground forums for around $200.

Banks are often in the firing line of Dirt Jumper-powered DDoS attacks, Dell SecureWorks explains:

Working with organizations affected by Dirt Jumper DDoS attacks revealed a threat scenario in which the threat actor first performed a short-lived “test” DDoS attack to determine if the actor’s botnet could make the targeted site unusable. If the test was successful, then the threat actor performed another DDoS attack in the near future, but this time the DDoS attack occurred shortly after an unauthorized wire or Automated Clearing House (ACH) transfer out of a compromised account. DDoS attack patterns revealed that short-lived attacks were an indicator of an unauthorized wire transfer, while longer attacks, which could last hours to days, were indicators of a fraudulent ACH transfer. The fraud attempts were non-trivial and were usually in the six-figure range, with some attempts in the millions of dollars. Transfers were being made to banks located in Russia, Cyprus, and China.

Eventually the “test” DDoS attack was phased out. Visibility on these attacks proved to be quite useful — in some cases, the DDoS attack was the initial notice that high-dollar fraud was occurring. Some of the fraud attempts and losses are staggering, with total dollar values of attempted fraud ranging from $180,000 to $2.1m.
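As an added example (not the article’s or either vendor’s code), the detection logic a bank’s fraud team could derive from the two observations above: hold large transfers initiated while a DDoS is under way (Litan’s “slow down the money transfer system” rule) and flag for review any transfer that lands shortly before or after a flood (the SecureWorks timing pattern, including its short-flood/wire and long-flood/ACH distinction). The event data, field names, the two-hour window and the 100,000 hold threshold are constructed assumptions.

```python
"""Correlate DDoS activity with outbound wire/ACH transfers.

Constructed example: all events, field names, windows and thresholds are
assumptions for illustration, not values from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

LOOKBACK = timedelta(hours=2)      # how long before a flood a transfer is suspicious
LOOKAHEAD = timedelta(hours=2)     # how long after a flood ends it stays suspicious
HOLD_THRESHOLD = 100_000.0         # transfers at or above this are held during a flood


@dataclass(frozen=True)
class DdosEvent:
    start: datetime
    end: datetime
    target: str                    # which public-facing service was flooded


@dataclass(frozen=True)
class Transfer:
    id: str
    ts: datetime                   # time the transfer was initiated
    amount: float
    kind: str                      # "WIRE" or "ACH"
    dest_country: str


@dataclass(frozen=True)
class Finding:
    transfer_id: str
    action: str                    # "HOLD" (stop and verify) or "REVIEW" (investigate)
    reason: str


def pattern_note(event: DdosEvent, transfer: Transfer) -> str:
    """Say whether the pairing matches the duration pattern SecureWorks reported:
    short floods beside unauthorised wires, multi-hour floods beside ACH fraud."""
    duration = event.end - event.start
    if transfer.kind == "WIRE" and duration <= timedelta(hours=1):
        return "short DDoS alongside a wire transfer"
    if transfer.kind == "ACH" and duration >= timedelta(hours=6):
        return "long DDoS alongside an ACH transfer"
    return "DDoS and transfer overlap without the reported duration pattern"


def assess(transfer: Transfer, events: List[DdosEvent],
           lookback: timedelta = LOOKBACK, lookahead: timedelta = LOOKAHEAD,
           hold_threshold: float = HOLD_THRESHOLD) -> Optional[Finding]:
    """Return a finding for the first DDoS whose extended window contains the
    transfer, or None when no flood is anywhere near it."""
    for event in events:
        if not (event.start - lookback <= transfer.ts <= event.end + lookahead):
            continue
        active = event.start <= transfer.ts <= event.end
        note = pattern_note(event, transfer)
        # Litan's rule: slow the money-movement system down while under attack.
        if active and transfer.amount >= hold_threshold:
            return Finding(transfer.id, "HOLD",
                           f"{transfer.amount:,.0f} to {transfer.dest_country} "
                           f"initiated during DDoS on {event.target}; {note}")
        # SecureWorks pattern: a flood shortly before/after a transfer is a tell.
        return Finding(transfer.id, "REVIEW",
                       f"transfer within the window around a DDoS on "
                       f"{event.target}; {note}")
    return None


def correlate(events: List[DdosEvent], transfers: List[Transfer]) -> List[Finding]:
    """Run assess() over every transfer and keep only the ones that fire."""
    findings = []
    for transfer in transfers:
        finding = assess(transfer, events)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample data: one 30-minute flood, one 8-hour overnight flood, four transfers.
T0 = datetime(2013, 8, 20, 0, 0)
SAMPLE_DDOS = [
    DdosEvent(T0 + timedelta(hours=10, minutes=15), T0 + timedelta(hours=10, minutes=45), "ibank"),
    DdosEvent(T0 + timedelta(hours=22), T0 + timedelta(hours=30), "www"),
]
SAMPLE_TRANSFERS = [
    Transfer("T1", T0 + timedelta(hours=9, minutes=50), 450_000.0, "WIRE", "CY"),  # 25 min before flood
    Transfer("T2", T0 + timedelta(hours=10, minutes=30), 120_000.0, "WIRE", "RU"),  # during short flood
    Transfer("T3", T0 + timedelta(hours=14), 3_000.0, "ACH", "US"),                  # quiet period
    Transfer("T4", T0 + timedelta(hours=25), 80_000.0, "ACH", "CN"),                 # during long flood
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_DDOS, SAMPLE_TRANSFERS):
        print(f"{f.transfer_id}: {f.action} - {f.reason}")
```

Run stand-alone it reports T1 for review, holds T2 and flags T4 for review, while T3 (no flood within two hours) produces no finding.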

Separately, the FBI-affiliated Internet Crime Complaint Centre warned (PDF) back in September 2012 that cybercrooks were targeting financial institution employee credentials to conduct wire transfer frauds.

Recent FBI reporting indicates a new trend in which cyber criminal actors are using spam and phishing emails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee log in credentials. The stolen credentials were used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the actor(s) raised the wire transfer limit on the customer’s account to allow for a larger transfer.

In most of the identified wire transfer failures, the actor(s) were only unsuccessful because they entered the intended account information incorrectly.

The attacks largely focused on small- to medium-sized banks or credit unions but a few large banks have also been affected.

“In some of the incidents, before and after unauthorised transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public websites and/or Internet Banking URL,” IC3 reports.

IC3, like Dell SecureWorks, reckons that the Dirt Jumper Trojan is the main vector of these DDoS smokescreens. The attacks reported by Litan appear to employ much the same tactics and tools, but targeting wire application systems rather than seeking to compromise trusted user accounts. As such, it represents an escalation in how banking attacks are run.

All this is carried out under the cover of denial of service attacks. However there’s no suggestion that a recent run of apparently politically motivated DDoS attacks against large US banks, claimed by the Izz ad-Din al-Qassam Cyber Fighters, is linked to this financial fraud. Hackers launched packet-flooding attacks against Wells Fargo, Bank of America, Citibank and many other US banking organisations using compromised WordPress installations, employing a hacker tool called Itsoknoproblembro.

Spooky US intelligence types suggested that the attacks were so sophisticated that they must be the work of a nation state, before pointing the finger of blame towards Iran. Security experts countered that the attack is well within the scope of ordinary hackers, and that the involvement of Iran is not supported by any hard evidence. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/21/cyberheist_ddos_smokescreen/

Forget hackers


Cyber attacks caused fewer problems to communications networks than unrelated system failures and natural disasters, a study by an EU security agency has found.

The European Union Agency for Network and Information Security (ENISA) reports that the average duration of cyber attacks was four hours whilst outages due to nature – mainly storms and heavy snowfall – lasted 36 hours.


The number of incidents caused, or partly caused, by cyber attacks came out at 8 per cent; more than the 5 per cent where human error played a role but dwarfed by problems caused at least in part by system failure (76 per cent).

The study, released on Tuesday, covers 79 outages across 18 EU nations that reported major incidents last year. About half of the incidents affected mobile telephony or mobile internet services. Outages affecting mobile telephony or mobile internet also affected more users (around 1.8 million users per incident) than comparable problems affecting fixed-line voice and data services.

Switches (e.g. routers and local exchange points) were the most frequent point of failure, followed by mobile network home location registers.

Outages blamed on problems with third-party suppliers, mostly power supply failures, affected around 2.8 million users per incident, on average. Overload problems affected a greater number of users than simple power failures, affecting an average of 9.4 million user connections per incident.

In general, hardware failures were the most common cause of “systems failures”, followed by software bugs. Incidents dealing with hacker attacks are covered in the report – but despite all the hype, malicious activity was a far less significant issue than system failures, power supply problems or bad weather in causing the most significant outages in Europe last year. Human error generally took much longer to unravel than problems caused by malicious attacks.

Cyber attacks were a more significant cause of problems when it came to fixed internet services, but even in those cases they played a role in just a fifth of outages.

Anonymized examples of the incidents reported to ENISA range from overloads causing VoIP outage to a faulty upgrade halting IP-based traffic and a DDoS attack on DNS servers that affected mobile internet access. Up to 2.5 million mobile device users were affected by the DDoS attack before the attacking addresses were identified and blocked, a process that took around two hours.

The study also covers the impact of the theft of a stretch of fibre optic cable, which obviously caused a break in a communications link, and a faulty software update that affected a mobile telephony service. The cable theft incident in question affected 70,000 fixed telephony users and 90,000 fixed Internet users for 10 hours.

Professor Udo Helmbrecht, executive director of ENISA, explained that the report will be used to draw up best practice guidelines.

“The EU collaboration behind this report is key to improving the security and resilience of electronic communications networks in the EU, as well as for security in other critical sectors. Reporting major incidents helps us understand what went wrong, why, and how to prevent similar incidents from happening again.”

ENISA’s report, which is a must read for anyone involved in either disaster recovery or telecommunications network management, can be downloaded from their website (PDF). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/21/enisa_comms_outage_breakdown_report/

‘Hacked’ estate agency Foxtons breaks glass, pulls password reset cord


Trendy UK estate agency Foxtons pushed the big red password reset button, as a precaution, after it appeared hackers lifted thousands of clients’ usernames and passwords from its systems.

Miscreants claimed to have leaked online user names, email addresses and passwords of nearly 10,000 Foxtons’ customers, Estate Agent Today reports. The supposed logins to MyFoxtons web portal, some partially obscured, were uploaded to Pastebin.


The list was quickly pulled but the assumption has to be that copies were made before this happened. Anyone with access to the list, whose authenticity remains unconfirmed, may have been able to log into Foxtons’ systems and access all sorts of sensitive information such as addresses, phone numbers and rent payment details. This wouldn’t include credit card or bank details but it would still provide rich fodder for follow-up social engineering attacks.

In an advisory to customers on Tuesday, forwarded to El Reg by readers, Foxtons said it was investigating the purported hack. In the meantime it had reset user passwords as a precaution:

We have been able to download the list of usernames and passwords that were posted and are currently running checks to determine its veracity. Please be assured though that any sensitive information, including credit card information that you may have provided in relation to payments made through Foxtons is completely secure with our external payment providers.

Immediate action, however, has been taken to safeguard your account and an investigation will continue. Should your account be upon the list, you will be contacted directly by our Team.

Whilst this investigation is underway, we are unwilling to run the risk that any live MyFoxtons account is upon the list and have initiated a trigger to reset user passwords upon your next successful login. It is not necessary to do this straight away, just the next time you want to use the account.

We asked a Foxtons representative whether the company hashed or salted stored passwords, a basic security practice. The rep declined to comment on any aspects of the incident beyond saying that it may decide to issue a statement at some point.

Ross Parsell, director of cyber security at Thales UK, said that tighter regulation might be needed to stem the growing list of data breaches.

“The recent spate of high-profile data breaches, such as this alleged attack on Foxtons, are evidence that organisations are either not taking cyber security seriously or are bewildered by the problem. Regulation in this case is a necessity to alter corporate behaviour.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/21/foxtons_password_reset/

Intel bakes super-snooper to stop industrial espionage


Intel has created a Hadoop-based rig that analyses just about every network event in the company – four to six billion of them on business days – in close to real time so it can spot threats including industrial espionage.

Intel officials declined to name the tool, saying it would not be “productive” to disclose its name, but said it was created by an 80-strong team of big data specialists working from its Israel offices and makes extensive use of Apache Hadoop. Ron Kasabian, Chipzilla’s general manager of Big Data, said the tool was developed because conventional malware detection tools – even those from Intel’s security-focussed subsidiary McAfee – can’t find the especially novel or subtle attacks Intel fears.


Kasabian described the tool as analysing “every access request by every employee, every time they access a file, sharepoint, email or ERP”. Watching all those activities is important because Intel’s intellectual property like product designs and manufacturing processes must be very closely guarded.

Moty Fania, Chipzilla’s principal engineer for big data analytics and a member of the team that built the tool, told The Reg the software collects data from many devices around Intel’s global networks, aggregates them and then analyses the results in close to real time.

“We were able to find with quite significant precision malicious activity that no other tool could find, with very high true positives across very, very large volumes of data,” Fania said.

Intel didn’t reveal details of the hardware powering the snooper, but did say it may consider releasing the software’s code and design to McAfee for conversion into a commercial product. If that happens, Fania feels it will be a tough sell as his team enjoyed easy access to Intel’s innards. A third party, he opined, may not enjoy the same level of open access to would-be clients and may therefore struggle to tune the tool to optimal effectiveness.

All is not lost, however, as Intel feels the work it did to build the tool has wider applications. Speakers at Intel’s Big Data and Cloud Summit in Ho Chi Minh City* made several references to an un-named “second tier Chinese city”** that has installed eight video cameras in every set of traffic lights. Intel feels the resulting data, when scaled across the city, resembles the challenge posed by monitoring its own networks to a sufficient degree that its work on the un-named security tool may be applicable elsewhere.

Those with suspicious minds may wonder if that “elsewhere” includes somewhere like the NSA, which has famously been revealed to be practising wide-scale collection and rapid analysis of data.

The Reg is in no way suggesting Intel is conducting surveillance of its staff or any third parties, or is assisting any other entity to surveil anyone. But given Edward Snowden’s revelations about PRISM and other NSA programs, this un-named tool’s capabilities represent an interesting proof of concept for ubiquitous surveillance being comfortably achievable with the resources of a colossal and technology-savvy multinational. Governments may struggle to match Intel for the latter quality, but probably have rather more people and money to throw at the problem than the 80 folks and “millions of dollars” we were told Chipzilla put to work on this project. ®

*The author attended the summit as a guest of Intel, which paid for flights and accommodation.

** Four Chinese cities – Shanghai, Beijing, Guangzhou and Shenzhen – are considered first tier. The Middle Kingdom has more than 150 cities with populations over a million. Second tier cities include Chongqing (pop 10m) and Chengdu (pop 5.5m), the local governments of which would both represent top-tier customers for most enterprise vendors.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/21/intel_bakes_supersnooper_to_stop_industrial_espionage/

Brazilians tear strip off NSA in wake of Snowden, mull anti-US-spook law

Free report : Avere FXT with FlashMove and FlashMirror

Businesses selling online to Brazil-based consumers could be forced to store any personal data they collect about those individuals on local servers under proposed new laws under consideration in the country.

According to an automated translation of a report by the Reuters news agency, the federal government in Brazil has proposed amendments to a new civil rights law currently being worked on called the Marco Civil da Internet. Under the amendments, data collected about Brazilian internet users would have to be stored locally.


Google and Facebook have both raised objections with the plans, according to an automated translation of a report by Agência Brasil. Both are in favour of the original proposals.

“We have concerns with the [possible] changes, such as requiring the maintenance of data in Brazil,” said Bruno Magrani, head of public policy at Facebook Brazil, according to the report. “This requirement would entail huge costs and inefficiencies in online business in the country, it will impact small and new technology companies that want to provide services to Brazilians.”

Microsoft already has data centres in Brazil and so sees “the location of data” issue as “irrelevant”, Microsoft Brazil’s director-general of legal affairs and of institutional relations, Alexandre Esper, said, according to the Agência Brasil report.

The amendments may have been prompted by revelations made about a US internet surveillance programme called PRISM, according to William Beer, an information security expert at consulting firm Alvarez Marsal.

“There are a lot of datacenter-related issues already, such as the high cost of electricity, access to skills and even the temperature, which makes it expensive to run those facilities in Brazil,” Beer said. “Then if you add regulation that will present further obstacles, companies might end up moving their IT operations to other South American countries where the rules are not so strict.”

The PRISM programme, it is claimed, allows the US’ National Security Agency (NSA) to collect data from a number of major technology companies, including Microsoft, Facebook and Google. The revelations came from NSA whistleblower Edward Snowden and were reported by a number of newspapers, including the Guardian in the UK. They have sparked concerns about the scope and oversight of such surveillance.

The Prism revelations have prompted the European Commission to conduct a review of an existing agreement that governs personal data transfers from the EU to US. In addition, a US think tank has said that US cloud providers could lose out on up to $35 billion in revenues over the next three years as a result of the adverse publicity surrounding the Prism programme.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Free report : Seamless data management features with AOS 3.0

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/21/brazil_data_protection/

Palestinian Facebook flaw-finder getting $10,000 payday in online appeal


A Palestinian IT student who spotted a serious security flaw in Facebook’s coding – but was denied payment for it and booted off the social network – could be getting as much as $10,000 after members of the security community rallied around and set up an online compensation fund.

Khalil Shreateh found a bug that allowed an attacker to post images on anyone’s Facebook page, and reported it to the company’s security team twice. Initially Facebook’s security team denied it was an issue, so he demonstrated the hack by posting up a picture on Mark Zuckerberg’s page and a blog post explaining how he did it.


This immediately got Facebook’s attention and the security team got in contact with him to get the full details on the bug. However, they also informed him (correctly) that by posting the picture he had broken Facebook’s Terms and Conditions and would be both ejected from Facebook and denied the $500 that the company usually pays as a bug bounty, as explained by Facebook’s Matt Jones in a posting on the forums of Hacker News.

“In order to qualify for a payout you must ‘make a good faith effort to avoid privacy violations’ and ‘use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners’,” Jones wrote.

“Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they’re found and demonstrated within these guidelines.”

This has stuck in the craw of many in the security industry, and Marc Maiffret, CTO at security and compliance firm BeyondTrust, set up an online appeal to compensate the Palestinian student. The goal was a $10,000 donation, and the fund has already raised $9,140 in less than 24 hours and looks set to easily reach its target.

“Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work,” Maiffret said. “Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone.”

In a blog post, Facebook’s chief security officer Joe Sullivan apologized to Shreateh and said that the company will change the way it handles bug reports in light of the affair. Sullivan said that the team would improve its submission guidelines for bugs and tighten up its email procedures.

“I’ve reviewed our communication with this researcher, and I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him,” Sullivan said. “We get hundreds of submissions a day, and only a tiny percent of those turn out to be legitimate bugs. As a result we were too hasty and dismissive in this case.”

But Sullivan stood by the decision not to hand the student any bounty for his bug, on the grounds that he had compromised the security or privacy of other people (i.e., CEO Mark Zuckerberg), but did add he’d be happy to pay for other, properly-submitted bug reports. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/20/palestinian_facebook_flawfinder_getting_10000_payday_in_online_appeal/

Bloke leaks ‘1000s’ of Twitter login tokens, says he can hack ANY twit


A hacker calling himself the “Mauritania Attacker” claims he has compromised every Twitter user account on the planet – and leaked the OAuth tokens for thousands of Turkish tweeters.

Meanwhile, a security researcher claims to have obtained similar details by creating a fake app that masqueraded as Twitter’s own third-party client, Tweetdeck.


The Mauritania Attacker’s token dump reveals OAuth data rather than passwords. The miscreant boasted to Indian security site Techworm that he had access to the “entire database of users on Twitter” and that “no account is safe”.

The attacker has leaked more than 15,000 account details onto file-sharing service Zippyshare. He also claims to have the “oauth_token secret codes” which, he says, will allow him to log directly into victims’ accounts.

On cursory inspection, at least, the authentication tokens look genuine. The circumstances of the hack suggest that the leak stems from a hacked third-party app rather than Twitter itself.

Matters would be a lot worse if actual passwords were leaked, in which case Twitter would be obliged to reset passwords to avoid account hijacking on a grand scale. As things stand, it might still be a good idea to reset access to connected third-party apps.

“The details, which appear to be genuine, do not include passwords,” writes David Meyer on tech analysis blog GigaOM. “They do include OAuth tokens, though, so Twitter users should probably revoke and re-establish access to connected third-party apps.”

‘Twitter’s implementation of OAuth2 is vulnerable many weeks ago’

OAuth tokens are used to connect Twitter accounts to third-party services without obliging users to hand over passwords. Issues with the technology are not uncommon. For example, security researcher Kelker Ryan warned many weeks ago that Twitter’s implementation of OAuth2 is vulnerable.

He was unable to get a response from Twitter and The Register passed his research to representatives of the micro-blogging firm with a request to bring it to the attention of techies two weeks ago.

We’ve yet to hear back from Twitter, but the latest claims of a hack ought to be enough to prompt a deeper investigation into the issue in general. It’s unclear whether or not Mauritania Attacker exploited the vulnerability discovered by Ryan, though the security researcher suspects that this is at least possible.

“I don’t know anything about that in terms of the person who did it, but I imagine that my post gave a few people some ideas and they took advantage of the Twitter vuln by using APIs to request information from accounts without needing any user interaction,” Ryan told El Reg. “I would have to play around a bit to see if it’s possible, but I don’t see why it wouldn’t be.”

“The vuln that I wrote about on coderwall.com allows for anyone’s application to trick the Twitter service into thinking that the application requests are authentically coming from the TweetDeck application,” he added.

A more detailed explanation of a compromised OAuth consumer secret uncovered by Ryan can be found on Stack Overflow.

However Mikko H. Hypponen, chief research officer at F-Secure, said that based on the leaked credentials the attack is probably the result of a phishing attack targeting Turkey. “My guess: it’s some phishing attack on a Turkish site,” Hypponen told El Reg. “Look how many of the accounts they list have a reference to Turkey. Even the ones which don’t have an obvious link to Turkey in name seem to be from Turkey.”

We passed on claims of a hack against OAuth tokens to Twitter but are yet to hear back. We’ll update this story as and when we hear more.

Mauritania Attacker founded a hacktivist collective called AnonGhost, which has so far specialised in hacking and defacing the websites of US and British firms and the oil industry, GigaOM adds. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/20/twitter_oauth_token_hack/