Posted by Halla @ Mon 04 04, 2011 01:03
March was an interesting month for the IT security field. Why, you ask?
Oh no reason really, with the exception of successful attacks on ENORMOUSLY important infrastructure/encryption tools.

First, major sites got their security certificates (SSL) compromised. I mean major sites like Yahoo, Google, Skype, Mozilla, and Live (Microsoft).
Comodo Group, which issues digital certificates that assure users of websites' authenticity, issued nine certificates to what turned out to be fraudulent websites set up in Iran.
What this means is that users going to Yahoo, for example, could have been redirected or even misdirected: in the case of malware on a local scale, DNS modification on a regional scale, or exploits like a BGP table exploit on a global scale.
At bare minimum the attacker could have stolen logins from anyone who entered a user name and password into the fake page.
Whoops.
All certificates were revoked immediately on discovery, and Comodo has been pretty forthcoming on the details, which is good news.
It's also interesting to note that it seems that only email was really targeted in the attack.
A lone Iranian has taken credit for the hack, saying he acted alone and that the attack was retribution for the Stuxnet virus, which was discovered sabotaging Iran's nuclear facilities.
Then came RSA.
I mean, wow.
Quote:
"The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”
The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls.”
The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609)."
Next step was to use a Poison Ivy Trojan variant (Poison Ivy? Really? Better than getting owned by Sub7 I guess, but still...) for remote access, and begin privilege escalation, then find the data the attacker(s) wanted and finally send it out to an FTP server under the attacker(s) control.
The attack was detected by its Computer Incident Response Team WHILE IT WAS IN PROGRESS, which is pretty good. This basically means they saw what was going on as it was going on, and because of this the damage that COULD have been caused if the attacker(s) had had a few hours or even days before they were detected could have been way worse.
That being said, however, we still don't know what was taken, so that could be a moot point altogether.
Next, an automated SQL attack named Lizamoon came in (so called because the first rogue domain appearing on compromised sites was lizamoon.com) and infected hundreds of thousands, possibly millions, of websites, injecting a redirection link to a site hosting fake security software, or scareware, which was installed onto the visitors' machines.
Really, all this shows is something that the security community has known for years: that many, possibly the majority, of websites on the internet have poor security, and that includes sites belonging to governments and well-known organizations and brands. Let's not even bring up the users.
No one cares about security until they are ruined, just like no one likes cops until they need one.
More info pertaining to the subject(s):
http://www.comodo.com/Comodo-Fraud-Inci ... 03-23.html
http://online.wsj.com/article/SB1000142 ... 03988.html
http://news.yahoo.com/s/pcworld/2011032 ... erconflict
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
https://secure.wikimedia.org/wikipedia/en/wiki/LizaMoon
http://www.reuters.com/article/2011/04/ ... 7520110401
https://secure.wikimedia.org/wikipedia/en/wiki/Stuxnet
https://secure.wikimedia.org/wikipedia/ ... kets_Layer
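Two added examples follow; they are not part of the post above and not code from Comodo, RSA or any of the linked sources. The first relates to the Lizamoon paragraph: the injection left an external `<script src=...>` tag in stored page content, so a defender's first check is to scan content rows for script tags that load from hosts outside a known allowlist. The allowlist hosts, the row contents and the `/ur.php` path are constructed for illustration; only `lizamoon.com` comes from the post.

```python
"""Flag stored HTML fragments that load scripts from hosts outside an allowlist.

Added example (not from the original post).  The sample rows, the allowlist and
the script path are constructed; lizamoon.com is the rogue domain named in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_script_hosts(fragment, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return hosts of <script src> tags in `fragment` that are not allowlisted.

    Relative paths (no host) are treated as same-origin and ignored; absolute and
    protocol-relative (//host/...) URLs are checked against the allowlist.
    """
    parser = _ScriptSrcCollector()
    parser.feed(fragment)
    parser.close()
    suspicious = []
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed:
            suspicious.append(host)
    return suspicious


def scan_rows(rows, allowed=ALLOWED_SCRIPT_HOSTS):
    """rows: iterable of (row_id, html_text).  Returns [(row_id, [hosts]), ...]."""
    hits = []
    for row_id, text in rows:
        hosts = external_script_hosts(text, allowed)
        if hosts:
            hits.append((row_id, hosts))
    return hits


# Constructed sample content rows, as they might sit in a CMS text column.
SAMPLE_ROWS = [
    (1, '<p>Welcome to our store</p><script src="/js/app.js"></script>'),
    (2, '<h2>Product</h2><script src="http://lizamoon.com/ur.php"></script>'),
    (3, '<div>Contact</div><script src="https://cdn.example-site.test/lib.js"></script>'),
]

if __name__ == "__main__":
    for row_id, hosts in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id}: external script host(s) {hosts}")
```

Running the scan over a content dump points at exactly the rows that were altered; the fix for the root cause is parameterized queries on the write path, which this read-side check does not replace.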
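The second added example relates to the RSA quote: the attachment was a spreadsheet carrying a Flash object. One cheap mail-gateway heuristic is to look for an embedded SWF header (the "FWS", "CWS" or "ZWS" signature, a version byte and a little-endian length) inside an Office attachment. This is my own illustration, not RSA's detection; the attachment bytes below are constructed, and the check is a byte-scan heuristic that assumes the SWF is stored uncompressed inside the container (a full OLE2 stream parser would be the robust version).

```python
"""Heuristic check for an embedded Flash (SWF) object in an attachment.

Added example (not from the original post or from RSA).  SWF files begin with
"FWS" (uncompressed), "CWS" (zlib-compressed) or "ZWS" (LZMA-compressed), then a
one-byte version and a four-byte little-endian total length.  The sample
attachment bytes are constructed.
"""
import struct

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container header


def find_embedded_swf(data, max_version=60):
    """Return [(offset, signature, version, declared_length), ...] for plausible SWF headers."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0 or off + 8 > len(data):
                break
            version = data[off + 3]
            (length,) = struct.unpack_from("<I", data, off + 4)
            # A real header has a small version number and a length that at least
            # covers the 8-byte header itself; this filters random byte matches.
            if 1 <= version <= max_version and length >= 8:
                hits.append((off, sig.decode("ascii"), version, length))
            start = off + 1
    return sorted(hits)


def attachment_verdict(filename, data):
    """Classify an attachment: 'flash-in-office' if an Office container holds a SWF header."""
    is_office = data.startswith(OLE2_MAGIC) or filename.lower().endswith((".xls", ".doc", ".ppt"))
    swf = find_embedded_swf(data)
    if is_office and swf:
        return "flash-in-office"
    if swf:
        return "swf-present"
    return "clean"


# Constructed sample: an OLE2 header, some padding, then a CWS header claiming
# a 2000-byte Flash object (the body is omitted; only the header matters here).
SAMPLE_XLS = OLE2_MAGIC + b"\x00" * 24 + b"CWS" + bytes([10]) + struct.pack("<I", 2000) + b"\x00" * 16
CLEAN_XLS = OLE2_MAGIC + b"\x00" * 48

if __name__ == "__main__":
    print(attachment_verdict("2011 Recruitment plan.xls", SAMPLE_XLS))  # flash-in-office
    print(attachment_verdict("budget.xls", CLEAN_XLS))                  # clean
```

A hit is a reason to quarantine and inspect, not proof of exploitation; legitimate documents rarely embed Flash, which is what makes the signal useful for the "spreadsheet from the junk folder" scenario in the quote.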