Downtime

China retail news reports that Yeepay, a Chinese online payments provider suffered a major denial of service attack. The story seems to be big in China, but hardly made it to the west.

Update (Jan 13^th 2009) - Ynet, an Israeli paper, reports that many of the sites defaced where actually DNS hijacked following a break-in to the servers of DomainTheNet, an Israeli registrar. And just like other recent DNS hijacking incidents, the fault was lack of sufficient authentications and the hackers got hold of passwords to the administration system.

The South African Democratic Alliance party's web site seems like another random victim of the Asprox family of bots. This specific incident demonstrates several issues:

• Aprox successfully attacks organizations that should really know better.
• While most known cases of Asprox attacks result in planting of malware on the web site, since this is easily detected by malware search services, the very brutal injection used by Asprox probably takes down more sites than it infects with malware.
• According to one comment, the site used an outdated version of WordPress, stressing again the problem with not upgrading in a timely manner, especially open source software.

More information:

• Mail & Guardian, Aug 15th 2008

### Dallas say the department shut down its Internet presence after a hacker took over its Web site and filled it with anti-American rants.

The vandalized Web pages included a doctored photograph showing American troops watching over four people lined up against a wall.

Each of the four prisoners had lines leading away from their faces to individual head shots of President George W. Bush, Vice President Dick Cheney, Secretary of State Condoleezza Rice and Sen. John McCain

Additional information:

Additional information:

Update (January 5th 2009)

We where informed by sources at eBay the Korean sites parent company that the issue was not CRSF or seesion hijacking. The attack method was not disclosed.

A Korean e-commerce site was hacked and a staggering number of record, 18 million, where stolen. In the US this would be front news. We don't know if it was front news in Korea, but did not get to the international media.

The attack description is vague but can be best described as session hijacking.

This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non English incidents! After all, it is not English speakers only that get hacked, but rather us, the WHID maintainers that speak only this language.

More Information:

• The Dark Visitor

The web site of RIAA, the Recording Industry Association of America was attacked twice using SQL injection over the weekend. First a query that takes particularly long time was posted on a social network web site causing a distributed denial of service attack against the site. Later on hackers found and abused additional SQL injection and XSS vulnerabilities resulting in major defacement of the site.

Additional information:

This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature reach and free. It enables us access to tools available to a few only a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good
examples of very popular open source systems that require constant
attention in order to maintain secure.

I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don’t have the time. They made the compromise between ease of management of their web site and its security. Actually my personal blog might be just as vulnerable, since as I write this I am very much not paying attention to its security.

Apart from, or actually because of  the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:

• Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a yet unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
• The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.

Additional information:

• Upgrade and new theme [Light Blue Touchpaper Blog, Oct 27 2007]
• Google as a password cracker [Light Blue Touchpaper Blog, Nov 16 2007]
• Forgotten your password? Google can find it for you. Unfortunately [Technology Guardian, Nov 23 2007]
• Wordpress cookie authentication vulnerability [Light Blue Touchpaper Blog, Nov 20 2007]

A command injection vulnerability at 1&1, a large German hosting provider, lead to denial of service and possible home page modification at 30 servers and up to 1700 web sites.

Additional information:

• Server hacked through holes in Confixx management software [Heise Security, Aug 1 2007]