252 posts categorized "ADC Team"
May 02, 2012
 France's Anti-Script Kiddie Strategy

Tomorrow is a significant day in the history of the French language.  AFNIC, the French organization that manages domain names, will authorize .FR, .RE, .PM, .YT, .WF, and .TF domain owners to register the accented form of their domains that currently don't contain accents. The additional characters will include:

What will be the impact, if any, to hacking?  Script kiddies will need a French keyboard--they can’t touch touché.fr.


April 10, 2012
 Why Do Hackers Want Facebook Data, Part I of II

Late in 2011, Max Schrems asked Facebook for a profile the social networking company assembled based on his posts, likes and friends.  Max received a 1200 page PDF file with lots of personal details.  Being a law student, understandably, Max examined the information from a privacy perspective.  But what about security?  We examined the content from Max’s report and asked: 

  • What Facebook data do hackers find interesting (part I)?
  • How can hackers go about and obtain that data (part II)?

Over this two-part series we’ll tackle each question in turn. But before we do, some background on personal information and social media:

  • Facebook contains much more data than most people realize.  Again, Max Schrems got a 1200 page document from Facebook.  Max noted that the document contained not just a lot of information about him, but on his friends as well.
  • Not all of the user’s private data is directly accessible to the user. Although some of the information is accessible via the application (a user can view their pictures, wall, and so forth), some of the data is not as accessible. For instance, dynamic data (such as unsaved chat logs) or geo info (such as IP addresses) are not typically retrieved. These are the things that Max, an EU citizen, requested to receive. Facebook, complying with EU regulations, obliged Max with all of his “inaccessible” data.
  • The issue is not confined to Facebook alone.  Webmail apps, for example, hold much more revealing personal information. Further, Google’s recent privacy policy change allows Google to cross-reference the content with the user’s search queries and GPS location. This type of cross-referencing may potentially have more severe implications, raising many privacy concerns.

So what data does Facebook contain?  It is a treasure-trove for information diggers since it contains:

  • Personal Identifiable Information (PII) as well as general personal information. Included in this category are date of birth, home address and even the mother’s maiden name (and yes, some banks still use this information as an identifier). Even social security numbers can be extrapolated from many Facebook profiles, as shown by researchers at Carnegie Mellon University.

This type of data can be used for various purposes. With enough gleaned information, a hacker can even gain control of the user’s other online accounts, for example through the “Forgot Password” feature which exists in many systems. This feature requires people to identify themselves by supplying an answer to a pre-determined personal question, such as the name of the user’s dog. An information digger can retrieve that type of info from the individual’s Facebook profile:

Hackers can also use this information to create more credible phishing emails. The email may contain a personalized message requesting that the user click on a link which actually refers to an attacker-controlled site, or even download a malware-laden file.

Hackers can also use this information for extortion purposes. A student in Pennsylvania, for example, was told by hackers that they would post a private video of him online unless he wired $500 to a man in Morocco. 

Finally, professional identity thieves can use much of this data to build a better profile of the victim.

  • Passwords. Although this may also be considered PII, we found it reasonable to include it as a separate section due to its sensitivity. Gaining access to the victim’s account ultimately gives the hacker knowledge of and control over the user’s password. Consumers are notorious for using the same password across multiple sites, and the Facebook password may just as well be the same password to other online services, in effect allowing the hacker to impersonate the user to other services.
  • Friend-Mapping. Facebook is all about “Friends”. From a hacker’s perspective, this means that getting hold of a victim’s account will also provide knowledge of the user’s circle of friends.  Once in a circle of friends, a hacker posing as a trusted friend can cause mayhem:
    • This allows hackers to create better scams (aka “419 scams”).  For example, a message could seem to come from a friend requesting the transfer of monetary funds (“This is your friend, Tom. I am stranded in the middle of Paris with no money”). These phishing messages could be similar to those described above, containing links to malware or including malware-laden files. Since they purportedly come from the victim’s friend, the victim may be more likely to follow those links.
    • Through friends-mapping, a hacker can also gain enough personal information on the user to be used for extortion purposes. For instance, MIT researchers released a piece of software which can determine a user’s sexual orientation according to their circle of friends. Many raised concerns about the implications of this for the outing of closeted individuals.  The same approach could be applied to race or religion.
  • Organizational structure. As with friends-mapping, hackers can analyze the interleaved connections between individuals in order to map out the structure of members of different organizations, as well as units within the organization. This is a stronger concern with other social networks, such as LinkedIn. However, this type of mapping can also be applied in Facebook, especially with businesses adopting “Fan” pages. The organizational structure can be used for corporate espionage, foreign-government and even military intelligence.  
  • Business plans. As a professional social network, LinkedIn provides a hotbed for competitive intelligence. But even Facebook provides enough info which is usable for competitive intelligence. In fact, different companies exist which offer exactly this kind of service. Users can follow what their competitors are discussing and what conversations they are participating in.  
  • Geolocation information. Through geolocation information, a hacker can build a profile of the victim’s whereabouts. There were cases where law enforcement agencies actually were able to use this type of information to find and capture fugitives.  Geolocation data is altogether more valuable when cross-referenced with the organizational structure. This can be very useful, say, to gain military intel on the location of the adversary’s military units. In fact, last year an IDF operation was cancelled following a soldier’s status update of the operation’s time and location.

Who then are the hacking groups who would attempt to use or hack Facebook?

  • Private hackers: These are your regular hacking-for-profit types. They just want to make money by duping consumers. As such, their focus is more on gleaning PII and passwords. Private hackers have also been known to perform extortion.  Here's an example of one hacker who is trying to build a business hacking Facebook:


  • Government-sponsored hackers:  These hackers work for governments with the purpose of advancing some national agenda. They may use Facebook data for military intel purposes, to uncover dissidents, and to squash dissent.
  • Corporate-espionage hackers: These hackers may work for a certain organization or independently. The independent hackers may attempt to glean sensitive business information over time and then sell it to interested competitors. These hackers are mostly focused on corporate structure, business plans, and gaining enough information which will lead them to access other accounts (for you Girl With a Dragon Tattoo fans, think Lisbeth Salander).
  • Hacktivists: So far, hacktivists have used Facebook as a means of communication as opposed to a resource for taking data.  For example, Anonymous claims to have taken some “revealing” photos of BART spokesperson Linton Johnson from Facebook.  As hacktivism evolves, this will likely change. For example, we could see Facebook data exposed by hacktivists designed to embarrass individuals or an organization.



April 03, 2012
 Anatomy of an RFI/LFI Attack

In yesterday's blog, we described how an RFI/LFI attack worked in one specific case. How do they work in general?  Today's blog attempts to describe how these attacks work in the wild.  We will show how malicious code can be uploaded to the server. Our hope from this exercise?


Step 1:  Take an innocent jpg image and some malicious code:


Why pictures? Because many sites (such as militarysingles) allow only picture upload and no other file types.  Here's a malicious code example:


This specific code was used to find servers vulnerable to RFI and would likely get detected by most anti-virus packages available today. This simple code instructs the server to concatenate the strings “FeeL” and “CoMz” in both the ‘echo’ and ‘die’ functions, write the strings back to the user and exit the current script. If the user sees these strings in the response from the server, he knows that the server is vulnerable to RFI.

Step 2:  Copy and paste the malicious code in the Camera maker property:


Step 3:  Load the infected image to a web server.

Step 4:  Use the URL of the infected image as an input to the vulnerable server:


Note the ‘FeeLCoMzFeeLCoMz’ output received from the server.  In order to have better immunity to anti-virus software, one can modify step 2:

What was done?  You divide the malicious code into two parts. Paste one part in the Camera maker property and the second part in the Camera model property.  This will produce the same infection as before--with zero antivirus detection.  Also, the picture still looks benign to the eye and is valid from the technical point of view.


April 02, 2012
 How Do They Attack? Analyzing the “New” Lulzsec Attacks

The most recent Verizon Data Breach report states:

  • Of the 174 million records lost, 100 million (or 58%) were the result of hacktivism against large organizations.
  • No losses had been attributed to hacktivism in previous years.

Will 2012 be any different?  So far, it seems the answer isn’t just no, but rather “hell no.”

Last year, we described with precision how the first instantiation of Lulzsec performed their attacks using common application vulnerabilities such as SQL injection, cross site scripting, directory traversal, remote file inclusion/local file inclusion (RFI/LFI) coupled with DDoS.  This year, we detailed how Anonymous attacks using SQL injection, cross site scripting, directory traversal and DDoS.  With the “new” Lulzsec announcing operations, the question is:  how will they attack?  The answer, so far, isn’t different from Lulzsec’s forefathers.  One of their first victims? A dating site for military personnel.  We cannot know for certain, but with high probability it was by using Local File Inclusion (LFI) / local code upload. 


Our first Hacker Intelligence Initiative (HII) report described RFI/LFI and warned it was a favorite exploit among hackers but neglected by the security community.  Today, we released another HII report on RFI/LFI to reiterate exactly the same message:  RFI/LFI is a favorite among hackers but is neglected by the security community.  For more on why RFI/LFI gets no respect, see our explanation here.  

But here’s the gist:

The main reason we don't see LFI/RFI in code review is because many website owners/security officers are not necessarily aware of the underlying tech that powers their website. For example, if you install Wordpress, the most popular content management system on the Internet, you get PHP on your server.  Not surprisingly, no one is paying attention to PHP code—especially when it comes to code scanning.  This is because most organizations who invest in code review technologies (or serious web scanning) are not using PHP for their core application. On the other hand, PHP applications are the most prevalent (in terms of absolute numbers) in the web, hence a strong interest by attackers.

How many of the internet’s websites are written in PHP?  Nearly 70 percent.

To make the point again, we've redone our report on RFI/LFI and it can be downloaded here.  Not coincidentally, hacktivists are using RFI/LFI again.  With the rebirth of Lulzsec (we use the term “rebirth” with caution, only time will tell if they’re successful), exactly how was the site hacked by Lulzsec II?  Here’s how we think the RFI/LFI attack went down…

The web app, a dating site, allows the upload of a profile picture, a crucial functionality for a modern dating site.  In order to prevent rogue uploads a filter exists to allow only picture files:


This filter has two flaws:

  • It validates picture format by extension only.  For this reason, we can upload a corrupted file:


  • The filter seems to trust the content type as passed by the browser, which is a client-side control, instead of checking it on the server side.  So by using a proxy we can change it to be an "image."  And our arbitrary file gets uploaded.


An attacker could do the same, but change the file extension to php, making it executable on the victim's machine.  We found record of such uploads:


That's probably how the "LulzSec" attacker obtained control over the server.  The info that was leaked was around 150K users' data, which included real names, usernames, e-mail addresses, IP addresses, MD5 hashed passwords, real world addresses (for some users the full address), phone # (some users), and birthday (some users).
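The two filter flaws above (extension-only validation and trusting the browser's Content-Type) and the split-EXIF trick from the "Anatomy of an RFI/LFI Attack" post suggest what a server-side check should do instead. The following is an added example, not code from the original post or from the site discussed: it constructs a minimal JPEG with Make/Model EXIF tags, ignores the client-supplied Content-Type entirely, checks the file's magic bytes, and scans the concatenated EXIF text fields so code divided between "Camera maker" and "Camera model" is still seen whole. Tag ids and the JPEG/TIFF layout are from the EXIF specification; `ALLOWED_EXT`, `PHP_MARKERS` and the sample values are my assumptions.

```python
import re
import struct

TAG_MAKE, TAG_MODEL = 0x010F, 0x0110        # EXIF IFD0 "Make" / "Model" (Camera maker/model)
ALLOWED_EXT = {"jpg", "jpeg"}
# PHP open tags and the usual call sites; applied to the joined text fields.
PHP_MARKERS = re.compile(r"<\?(php|=)?|\b(eval|system|passthru|shell_exec)\s*\(", re.I)


def build_jpeg_with_exif(make: str, model: str) -> bytes:
    """Construct a minimal JPEG (SOI, EXIF APP1, EOI) carrying Make and Model.
    Sample builder only: values always go in the data area after the IFD."""
    make_b, model_b = make.encode() + b"\x00", model.encode() + b"\x00"
    data_off = 8 + 2 + 12 * 2 + 4           # TIFF header + count + 2 entries + next-IFD
    ifd = struct.pack(">H", 2)
    ifd += struct.pack(">HHII", TAG_MAKE, 2, len(make_b), data_off)
    ifd += struct.pack(">HHII", TAG_MODEL, 2, len(model_b), data_off + len(make_b))
    ifd += struct.pack(">I", 0)             # no next IFD
    tiff = b"MM" + struct.pack(">HI", 0x2A, 8) + ifd + make_b + model_b
    body = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8" + b"\xFF\xE1" + struct.pack(">H", len(body) + 2) + body + b"\xFF\xD9"


def _ascii_tags(tiff: bytes) -> dict:
    """Return {tag: text} for every ASCII-typed entry of IFD0 (either byte order)."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return {}
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    out = {}
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ != 2:                        # only ASCII fields can hold script text
            continue
        if n <= 4:                          # short values are stored inline
            raw = tiff[e + 8:e + 8 + n]
        else:
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        out[tag] = raw.rstrip(b"\x00").decode("latin-1", "replace")
    return out


def exif_strings(jpeg: bytes) -> dict:
    """Walk the JPEG segments up to the scan data and parse the EXIF APP1, if any."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: no more metadata segments
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if seglen < 2:
            break
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _ascii_tags(body[6:])
        pos += 2 + seglen
    return {}


def screen_upload(data: bytes, filename: str) -> list:
    """Reasons to reject an upload; an empty list means it passed.
    The browser's Content-Type is deliberately not an input: it is client-controlled."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        reasons.append("extension %r not allowed" % ext)
    if data[:2] != b"\xFF\xD8":             # check the bytes, not the declared type
        reasons.append("content is not a JPEG (magic bytes)")
        return reasons
    fields = exif_strings(data)
    # Join all text fields so code split across Make and Model is still seen whole.
    joined = "".join(fields[t] for t in sorted(fields))
    if PHP_MARKERS.search(joined):
        reasons.append("script text in EXIF tags %s" % [hex(t) for t in sorted(fields)])
    return reasons
```

Re-encoding accepted images with an image library (which drops the EXIF block) and storing them under a server-generated name outside the web root closes the remaining gap, since this screen only inspects metadata.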


February 26, 2012
 Anonymous Attack Graphic


Below you'll find a graphical summary describing the attack sequence used by Anonymous in the attack we recorded.  

To view the full report, please click on this link to download the PDF (no registration required).




 Still Life With Anonymous

Paul Cezanne:  Still Life with Skull (Nature morte au crane)

You have seen our report featured in the New York Times article which details the people, process and technology used in a failed Anonymous attack.  This is the first time we’re aware of someone chronicling, from cradle to grave, a full Anonymous attack.  The report can be downloaded here (registration not required).

This is a fairly technical overview of an attack.  In this case, the Anonymous approach is to steal data first and, if that fails, bring down a target website with a great flood of traffic.  We detail the tools—such as Acunetix, Nikto and Havij—that were used by fairly savvy hackers. 

We also detail the attack sequence which is summarized in the graphic below which we posted here.

The Anonymous hacking operation fell into three distinctive phases:

  1. Recruiting and communications phase (Day 1-18)—In this phase, Anonymous leverages social media to recruit members and promotes messages and campaigns.  In particular, they use Twitter, Facebook, and YouTube to suggest and justify an attack.  If a sufficient number of volunteers are persuaded to participate, the skilled hackers begin initial reconnaissance.
  2. Reconnaissance and application attack phase (Day 19-22)—During this phase, the skilled hackers carefully hide their true identity and place of operation.  They probe applications in an effort to identify weaknesses that could lead to a data breach.
  3. DDoS phase (Day 24-25)—If data breach attempts fail, the skilled hackers enlist help from the laypeople.  At this point, a large volume of individuals download attack software such as was done in Operation Payback or go to custom-built websites that perform DDoS attacks.

Disclaimer:  We are not certified sociologists, historians or psychologists.  For an interesting history and sociological analysis of Anonymous, read Gabriella Coleman’s essay here.


February 07, 2012
 Stopping Fraud: Getting Rid of the Man in Your Browser

As attacks on customers expand beyond banking and popular retail applications, organizations cannot sit on the sidelines and expect the average consumer to avoid infection and mitigate attacks on their own.

Fraud is a key--and evolving--challenge facing security teams today. In order to thwart the impact of client-side attacks, such as man-in-the-browser, businesses must take charge of securing the interaction with their clients.

This webinar will:

  • Highlight tactics organizations can deploy to dramatically reduce incidents of fraud.
  • Provide a high-level, technical overview of client-side attacks and demonstrate how man-in-the-browser attacks operate.
  • Reveal two techniques that can be used by a Web application to detect infected clients.
  • Discuss practical aspects of implementing these two methods and how to use the output of the detection process in the application.


 Syrian President's Password: 12345

In an interview, the Syrian president Assad claims that the 'American psyche can be easily manipulated.'

Not as easy to manipulate as his email password, however:

Some 78 inboxes of Assad's aides and advisers were hacked and the password that some used was "12345". Among those whose email was exposed were the Minister of Presidential Affairs Mansour Fadlallah Azzam and Assad's media adviser, Bouthaina Shaaban.

As one of our blog readers noted, "I have the same combination on my luggage."


January 26, 2012
 Anatomy of Business Logic Attacks

Today we published our second Web Application Attack Report (WAAR).  The full version is available here (no reg required).

In the last report we described the most common attacks against applications, which included SQL injection, Local File Inclusion, Cross Site Scripting and Directory Traversal.  This time we added Business Logic Attacks.  Here's an excerpt from our WAAR detailing the nature of the attack.

Business Logic Attacks
A Business Logic Attack (BLA) is an attack which targets the logic of a business application. “Traditional”, technical application attacks contain malformed requests. On the other hand, business logic attacks include legitimate input values. This lack of unusual content attributes makes a business logic attack difficult to detect. BLAs abuse the functionality of the application, attacking the business directly. A BLA is further enhanced when combined with automation, where botnets are used to challenge the business application.

BLAs follow a legitimate flow of interaction of a user with the application. This interaction is guided by an understanding of how specific sequences of operations affect the application’s functionality. Therefore, the abuser can lead the application to reveal private information for harvesting, allocate her a disproportionate amount of shared resources, skew information shared with other users, etc. The motivation for BLAs is that the attacker can convert these effects to monetary gains.  We followed two types of BLAs:  email extraction and comment spamming.

Email Extraction
Email extraction (also called email scraping) is the practice of scanning web applications and extracting the Email addresses and other personal contact information that appear in it. These emails are then used for promotional campaigns and similar marketing purposes. Email extraction is one of several activities that harvest data from web applications against the intent of the data owners and the applications’ administrators.

On average there were 20000 such attacks each month, but clearly there was a peak of activity during September-October and much lower activity during other months:

Email extraction is a “grey area” practice: attackers earn easy money by selling information extracted illegitimately from web applications. The attack does not exploit vulnerabilities in the application. Rather, the data is extracted by automatically scanning the targeted application, while imitating a user’s browsing activity. To speed up the attack and avoid blacklisting, several scans are run concurrently using web proxies.

Email extraction is offered on the web both as an online service (i.e., “pay on delivery”) and as software tool for download. The notorious “Beijing Express Email Address Extractor”, a software tool freely available on the web, was responsible for over 95% of the Email Extraction activity we identified. Usage of the commercial software Advance Email Extractor was also seen in the traffic.  This is the Beijing Express Email Address Extractor:


Hosts that sent Email extraction traffic to the observed application had very unusual geographic locations: Of the 9826 hosts, 3299 (34%) were from Senegal and 2382 (24%) were from Ivory Coast. Other unusual countries (Thailand, Malaysia, Ghana and Nigeria) were also prominent in the list of attacks’ geographic sources. Obviously, attackers are hiding their tracks by employing remote and perhaps less monitored hosts for this attack type.

Comment Spamming
Comment spamming is a way to manipulate the ranking of the spammer’s web site within search results returned by popular search engines. A high ranking increases the number of potential visitors and paying customers of this site. The attack targets web applications that let visitors submit content that contains hyperlinks: the attacker automatically posts random comments or promotions of commercial services to publicly accessible online forums, which contain links to the promoted site. 

Comment spamming is based on automatic tools that masquerade as a human that surfs the web, but with a “hidden agenda” of leaving traces of good feedback (in various forms) to promoted sites. The observations from the last 6 months show a long term trend of growth in traffic related to comment spam. It should be emphasized that not all of this traffic contains the actual spam – the automatic tools must interact with the application like a user (for example, find a forum for posting data, register as a user, login and find a popular thread for posting the spam) before actually injecting the spam link into the site.  The volume of traffic associated with comment spamming is:


We have observed several variants of comment spamming within the monitored traffic. For example:

  • The spammer posted comments to an application’s web forum. In some of these posts, the Referer HTTP header was the URL of a Facebook page promoting specific prescription drugs. This URL would show up in the spammed site’s logs, increasing the ranking of the promoted site in search engine results. (See picture below).
  • The spammer promoted the reputation-based ranking of specific answers in a discussion forum. In this application, experts answer questions posted by users. Answers and experts are ranked and displayed based on users’ feedback (e.g. based on correctness and usefulness). By artificially increasing the good reputation of specific answers, this promoted content becomes more visible.


An unusual attribute of the observed Comment Spamming attacks is the geographic locations of the involved hosts: Hosts from the Russian Federation, Ukraine, Latvia and Poland were very active in this sort of attack. We note that this phenomenon was also detected by other researchers through other means.

Comment spamming can be tricky to identify, since a large part of the spammer's traffic looks no different than the traffic generated by an innocent user. Good indications of potential malicious activity of this kind are blacklists of User-Agent values and hosts’ IPs, based on activity observed in many applications. Generic indications of automated attacks, like a high rate of requests and missing HTTP headers that are normally sent by browsers, are relevant as well.
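The indicators listed above (denylisted User-Agent values and IPs, a high request rate, and missing headers that browsers normally send) can be combined into a per-client score over access-log records. This is an added example, not code from the WAAR or from the monitoring product it describes; the denylist entries, header set, thresholds and the traffic sample are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins: in practice these lists come from activity observed
# across many applications, as the report describes.
UA_DENYLIST = {"ExampleExtractor/1.0"}
IP_DENYLIST = {"198.51.100.9"}
# Headers a real browser sends on nearly every request; scraping tools often omit them.
EXPECTED_HEADERS = {"Accept", "Accept-Language", "Accept-Encoding"}


def score_clients(requests, window=timedelta(seconds=60), rate_threshold=30):
    """requests: iterable of (iso_time, ip, path, user_agent, header_names).
    Returns {ip: [reasons]} for every client that shows automation indicators."""
    by_ip = defaultdict(list)
    for ts, ip, path, ua, headers in requests:
        by_ip[ip].append((datetime.fromisoformat(ts), path, ua, set(headers)))
    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        if ip in IP_DENYLIST:
            reasons.append("ip on denylist")
        bad_uas = {r[2] for r in recs} & UA_DENYLIST
        if bad_uas:
            reasons.append("user-agent on denylist: %s" % sorted(bad_uas))
        # Sliding window: the most requests this client made within any `window` span.
        times = sorted(r[0] for r in recs)
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > rate_threshold:
            reasons.append("%d requests within %ds" % (peak, window.total_seconds()))
        # Missing browser headers on most requests is the "not a real browser" signal.
        missing = [r for r in recs if EXPECTED_HEADERS - r[3]]
        if len(missing) > len(recs) / 2:
            reasons.append("missing browser headers on %d/%d requests" % (len(missing), len(recs)))
        if reasons:
            findings[ip] = reasons
    return findings


def constructed_sample():
    """A small constructed traffic sample: one browsing user, one scraping tool."""
    browser_hdrs = {"Accept", "Accept-Language", "Accept-Encoding", "Referer"}
    reqs = [("2012-01-15T10:00:%02d" % (i * 20), "203.0.113.7", "/users/%d" % i,
             "Mozilla/5.0 (example)", browser_hdrs) for i in range(3)]
    # Scraper: one profile page per second, tool User-Agent, only an Accept header.
    base = datetime(2012, 1, 15, 10, 0, 0)
    reqs += [((base + timedelta(seconds=i)).isoformat(), "198.51.100.9", "/users/%d" % i,
              "ExampleExtractor/1.0", {"Accept"}) for i in range(45)]
    return reqs
```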

One of the mechanisms used by applications to defend against comment spammers is CAPTCHA challenges, which require the user to visually identify a specific text within a non-trivial image. We have observed attempts by automatic tools to answer these challenges, probably using a predefined pool of responses to challenges. Even if these attempts are mostly unsuccessful, with enough retries the automatic spamming tool has a chance to eventually get the answer right and complete its spamming task.


January 24, 2012
 Anonymous Takes Down Brazilian Websites

Yesterday we mentioned that the Polish government experienced numerous DDoS attacks.  Today, it is Brazil's turn.


This pastebin site shows that several Brazilian government sites were brought down: 

Here's an image of a downed Brazilian government site:

All in all, many websites were taken down. The fact that most of them are up again indicates that this was not the most sophisticated attack. However, the speed and power of the DDoS attacks is something to worry about.  

Looking at the LOIC downloads in Brazil, they were high but not compared to the US, Poland or France. It seems these attacks were propagated mostly through websites which enabled DDoS attacks.



