OpenX Ad Server Source Compromised

Weak LinkOpenX is a tool used by hosting providers and webpage developers to provide ads on webpages.  Rotating banner ads have been an attack vector that has been quite popular and effective in the recent past.  This is probably one reason why.

An announcement this week from the OpenX ad server team noted that a backdoor had recently been discovered in their official source code distributions, that has been present since November 2012.  This vulnerability only applies to the free downloadable open source product, OpenX Source.

Exploitation is occurring in the wild, with attacks consisting of simple POST requests to a specific file that allows for remote code execution on the affected server. Users are urged to follow instructions being provided by the community for checking their servers, and rebuilding any that are impacted immediately.

References:

Anonymous ‘FFF’ Attack Schedule

Oh, for crying out loud.  Why don’t these guys just go away?   According to Wired, Anonymous is giving itself a weekly deadline now, a new attack every Friday.  How entertaining.  Following the Tuesday compromise of tear gas maker Combined Systems’ website, Antisec attacked a Federal Trade Commission webserver which hosts 3 FTC websites.  They claim this hack was in opposition of the controversial international ACTA copyright treaty, widely protested around the world for its potential impact on freedom of expression.

Those responsible for this week’s attacks spoke with Wired, and claimed that the attacks renewed a promise, previously noted in the defacement of CSI, and reiterated on the FTC websites, “every Friday will bring a new attack against government and corporate sites under the theme of #FFF” (‘F’ the Feds Friday).

They’ve decided try to balance between protest defacements like these two most recent ones, and posting material that can damage firms and agencies.   Jerry Irvine of the National Cyber Security Task Force told the New York Times last week that attacks would become more frequent, describing the collective as “unstoppable,” because of the poor state of online security.

Canadian’s Online Privacy At Risk

From the “I can’t believe this is Canada” file, the government is pushing a new “lawful access” bill, basically granting the police and government officials the rights and means to freely and on a hunch, spy on your internet usage.  Assuming that if you have nothing to hide, you should have no fear of arbitrary search and seizure, of course.

Michael Geist has a good article about the bill and why it is crazy.  The insanity first becomes evident when Public Safety Minister Vic Toews tells people “You can stand with us, or you can stand with the child pornographers“.   As if everyone with a desire for online privacy and against widespread internet surveillance is somehow automatically “for” child pron!  Yep, there is no middle ground here.  Line up with the rest of ’em, mate.

I agree with Tech Dirt’s post, this is totally ridiculous, and a cynical political move that assumes the Canadian public is stupid and will just roll over.  I sincerely hope that is not true, that there is enough outcry against this bill that it is thrown out faster than last week’s Metro.  Yes, it may be difficult and time consuming to obtain a judge’s consent in the form of a warrant, but you don’t just subtract an individual’s rights from the equation in the name of expediancy and convenience for law enforcement.  You cannot and should not assume that the entire public is suspect, and then launch a witch hunt to see who floats and who sinks! Continue reading

Foxconn Hacked

As if it wasn’t toxic enough out there, it looks like we have another group of hackers playing their little games on the Internet.  They claim that they are only in it for the thrill of destroying networks and impacting businesses.  Their claim to fame target?  Foxconn, the Asian firm that is under the microsocope after a NY Times article exposing dismal working conditions and recent deaths of employees.

The Swagg Security group has released information on both Foxconn and its clients, which include Microsoft and Apple, stolen during an attack on the company, through Pastebin and Pirate Bay posts.

“Now as a first impression Swagg Security would rather not deceive the public of our intentions.  Although we are considerably disappointed of the conditions of Foxconn, we are not hacking a corporation for such a reason and although we are slightly interested in the existence of an iPhone 5, we are not hacking for this reason.  We hack for the cyberspace who share a few common viewpoints and philosophies. We enjoy exposing governments and corporations, but the more prominent reason, is the hilarity that ensues when compromising and destroying an infrastructure”.

The information released contains contact details of a number of Foxconn’s global sales managers, usernames, IP addresses, credentials, and a list of clients’ purchases.

Of Skimmers & Scumbags

A skimming device came off in the hands of a Bank of America customer when she tried to use her debit card at an ATM recently, police said.  The man who had planted the credential stealing device appeared and asked for it back.  The woman refused to return the card and growled at the man who fled.

Sixth Precinct police are seeking two male suspects in connection with the  incident. The first is about 40, stands 5 feet 10 inches tall, and weighs 170  pounds. The second male is about 30, stands 5 feet 8 inches tall, and weighs 160  pounds, police said.

The two suspects face felony forgery charges and up to 15 years in  prison.  I wouldn’t advise anyone to do this, but that 23 year old woman sure has moxxy.  I hope the bank rewards her for her valiant stance.  DNAinfo

The reason that I don’t advise people to take this kind of action?  Read the article just published in The Compliance Exchange blog about Aaron Hand, already convicted in a $100 million mortgage-fraud scheme and serving a sentence of eight years and four months to 25 years.  He was sentenced to 8 – 16 more for plotting to have a key witness in his case killed.

Please remember that these guys mean business, and that there is more than just your current balance at stake.  These guys are all in it for the big money payoff.  If you find yourself involved in a confrontation or an investigation, a little paranoia is healthy, and caution is not cowardice, in my humble opinion.

How Was FBI Call Compromised?

I am pretty sure that everybody knows that the FBI and Scotland Yard were embarassed recently by the notorious hacking group, Anonymous, when they spilled the beans that they were now watching the watchers, listening in to a confidential phonecall taking place between investigators accross the pond.  If you haven’t heard it, find it here.  The New Statesman has an overheated article here that can provide additional details.

So how did this brazen and seemingly high tech hack take place?  A conference call was arranged two weeks earlier by FBI agent Timothy Lauster, who wanted to discuss on-going investigations into Anonymous and other hacktivist groups.  In an email to Scotland Yard’s e-crimes unit, the time, date and phone number to call were provided, along with the pass code for entry. Continue reading

The Anonymous ‘Movement’?

I’ve been reading way too much of this garbage on the Internet lately, and it is starting to stick in my craw.  Crap like this.  It seems that everyone has accepted that the hacking group Anonymous is above the law, and has some special insight that makes them a voice of reason.  21st century Robin Hoods.  I hope that this is just the result of sensational journalism, and not what people are really believing.

“The beginning years have intensified their activities demonstrating great technical skills.”

No, what it has demonstrated is a disregard for your privacy, a lack of moral fiber, a little too much technical knowledge, and the patience that is common in a good criminal.

“As always, the movement gives voice to social dissent and protest against amendments and decisions of governments guilty of not listening to the masses.”

The Movement?  What bloody movement?  This is a bunch of self-entitled, self-indulgent, egotistical miscreants that are incapable of operating within the confines of the law or rules of society.  These are people that have an abundance of tools, have found cracks in programs and protocols, and are taking advantage of those flaws.  They are no more a movement than the clowns that walk into a bank with a note in one hand and a formiddable looking pocket in the other. Continue reading