Defacement

Attacking web sites by going to the source, targeting DNS servers rather than the web sites themselves, shows both the boldness of hackers and the fragility of the Internet.

While not new, DNS hijacking attacks took an important turn this year, showing how much we rely on the web and how little we care for its protection. In the past, DNS hijacking required complete control over the DNS server. In recent years most applications are controlled through a web interface, DNS servers included. Earlier this year attackers used an XSS vulnerability in a common DNS platform to hijack unused DNS entries for phishing.

But this was only a small prelude to the real thing. CNet reports that this time hackers took over an entire TLD (Top Level Domain, in this case a country domain) DNS server using SQL injection, virtually defacing the Puerto Rican sites of companies such as Google and Microsoft.

The amazing story unfolds in the comments to the CNet story, which outline a mischievous professor and slow authorities who let him privatize and monetize domain registration in Puerto Rico without any control.

The question we are left with is whether other countries and geographies are any different. Or other industries, for that matter?

Information Week reports that a well known Turkish hacker penetrated two sensitive US Army servers, one at McAlester Ammunition Plant in McAlester, Okla., and the other at the U.S. Army Corps of Engineers' Transatlantic Center in Winchester, Va. The hacks are currently under criminal investigation by Defense Department officials.

The breaches were not publicly disclosed and the level of exposure is therefore not known. It is known, however, that web site visitors were redirected to a site protesting against climate change.

The Register speculates that the attack method was SQL injection.


Twitter reports in a blog entry that 750 accounts were hacked. The hacker posted messages linking to a porn webcam. While Twitter did not disclose how the attack was carried out, the suggested remediation hints that the account passwords were guessed, probably using a brute force attack.


Twitter is certainly overtaking Facebook as the most popular site out there, at least when it comes to security incidents. This time somebody decided to abuse Twitter to demonstrate Clickjacking, an attack that RSnake and Jeremiah Grossman re-christened at the OWASP conference in New York in September.


Zone-H Defaced

Whenever a defacement appears in WHID we need to explain why. After all, isn't Zone-H a better repository of simple defacements? Well, yes, but according to this report by The Register, this time it was Zone-H itself that was defaced.


XSSed reports another XSS worm in Orkut. Since Orkut is big in Brazil, it is quite natural that a Brazilian group created the worm.

I have used this occasion to sort out worm reporting in WHID.

  • A worm is now considered an attack method rather than an outcome. If nothing else, the outcome of a worm is "planting of malware": the worm itself.
  • I have added a "Web 2.0" organization type as many of the XSS worms infect Web 2.0 sites.

Not all defacements are created equal. I have a second grader who has just started to use her school's web site, so this defacement of 20 primary school web sites with porn hit me deep inside. We do so much to screen our young ones from the sleazy world outside, and getting it through the school's web site is just unimaginable. Just thinking about the questions I would be asked if my daughter were to see such pages.

The incident also highlights the total breakdown of cyber security. The incident is blamed on an unpatched version of Moodle, an open source on-line education platform. The naive way of thinking would be that schools don't have the budgets to protect their applications or even to upgrade them. However, as this incident shows, proper security is fundamental, and a substantial part of the budget should be allocated to it, even if it means we spend less on application features. We need to move slower but ensure security. After all, what is the value of an educational system that shows porn?

Another insight is that real time controls for protecting web applications are essential. You need a WAF. While the specific vulnerability exploited is unknown, installing ModSecurity would probably have prevented the exploit.


This is the first time a hacking report is a video clip. If, like me, you find it hard to understand, you can read a written summary on this Kiwi site. I guess that their readers also needed a translation of the speech in the video into English.

In a nutshell, hackers defaced Soulja Boy's MySpace page and published his e-mail and YouTube passwords on the net. They demanded $2,500 to give him his web presence back. For an artist who grew out of the Internet this presence is naturally very important; however, he is now important enough that his record label was able to contact the different sites and get him his web properties back without paying the money.

In this case I have decided to categorize the attacked entity as Soulja Boy and not MySpace or YouTube, as I used to do in the past. The fact that the attack was against Soulja Boy properties around the web makes him, rather than any technology platform, the attack target.


It might have been a random hack, but the pornographic pictures splashed on an insider fashion industry blog were quickly blamed on the fashion icons and magazines offended by the blog.


Netcraft reports that a hacker managed to redirect traffic from Barack Obama's web site to Hillary Clinton's site during the primaries held between the two. The culprit, an XSS bug in the community blogs section of Obama's site, highlights the danger of user contributed content on web sites.

An interesting side story is that Oliver Friedrichs from Symantec was quoted in a Computer World article only a week earlier saying that presidential campaign web sites are "clueless" about security. Was this a prophecy of the hack, or the trigger for it?

Additional technical information can be found on XSSed.
