February 2, 2009

Bill O’Reilly’s web site hacked, attackers release personal details of users

September 24th, 2008

Posted by Dancho Danchev

In what is slowly turning into an endless loop of hacktivism activities, Bill O’Reilly’s BillOreilly.com was compromised during the weekend, with personal details, including passwords in plain text, for 205 of the site’s members already leaking across Internet forums. The compromise was a response to his remarks describing Wikileaks, which recently published private information from Sarah Palin’s private email, as “one of those despicable, slimy, scummy websites”.

On Friday, Wikileaks issued the following press release :

“Fox News demagogue, Bill O’Reilly, has been hacked and the details passed to Wikileaks. Wikileaks has been informed the hack was a response to the pundit’s scurrilous attacks over the Sarah Palin’s email story–including on Wikileaks and other members of the press, Hacktivists, thumbing their noses at the pundit, took control of O’Reilly’s main site, BillOReilly.com. According to our source, the security protecting O’Reilly’s site and subscribers was “non-existent”.

The following image, submitted to Wikileaks and confirmed by Wikileaks staff, offers proof of the hack. The image, clearly obtained from BillOreilly.com’s administrative interface, shows a detailed list — including passwords — of BillOreilly.com subscribers. Although Wikileaks has only released one page, it must be assumed that Bill O’Reilly’s entire subscriber list is, as of now, in the public domain.”

How did they do it “this time”?

According to the article at Wikileaks, the hacktivists seem to have brute forced the URL of the administration panel and, once they found it, accessed the unencrypted data :

“According to Marston, the hackers were able to access the list by trying a large number of variations of the website’s administrative URL. He said all affected members have received an email and a phone call informing them of the breach and urging them to change their password. The site has since been completely locked down, Marston said.”

Moreover, it’s also worth pointing out that the passwords were stored unencrypted; evidence of the practice can be seen in the screenshots of the admin panel. The website’s administrative URL has been changed since it leaked online (w3.billoreilly.com/pg/jsp/admin/managecustomers/newpremiummembers.jsp), but that doesn’t exclude abuse of the subscribers’ email addresses in spear phishing attacks, “for starters”, since some of the users have already admitted to using the same password at different web sites, including PayPal.
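A defender-side check for the pattern Marston describes, many guessed variations of an administrative URL followed by a page that is finally served, written here as an added Python example that is not part of the original article. The log lines, IP addresses, paths, the admin-like path pattern and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access log in Common Log Format (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Sep/2008:02:10:01 +0000] "GET /admin/ HTTP/1.1" 404 512
198.51.100.7 - - [19/Sep/2008:02:10:02 +0000] "GET /admin/index.jsp HTTP/1.1" 404 512
198.51.100.7 - - [19/Sep/2008:02:10:03 +0000] "GET /admin/login.jsp HTTP/1.1" 404 512
198.51.100.7 - - [19/Sep/2008:02:10:04 +0000] "GET /admin/users.jsp HTTP/1.1" 404 512
198.51.100.7 - - [19/Sep/2008:02:10:05 +0000] "GET /admin/members.jsp HTTP/1.1" 404 512
198.51.100.7 - - [19/Sep/2008:02:10:06 +0000] "GET /admin/members/ HTTP/1.1" 403 512
198.51.100.7 - - [19/Sep/2008:02:10:07 +0000] "GET /admin/members/list.jsp HTTP/1.1" 200 48211
203.0.113.20 - - [19/Sep/2008:09:00:00 +0000] "GET /admin/members/list.jsp HTTP/1.1" 200 48211
203.0.113.20 - - [19/Sep/2008:09:00:05 +0000] "GET /admin/memebrs/list.jsp HTTP/1.1" 404 512
192.0.2.44 - - [19/Sep/2008:09:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 10422
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed pattern for "administrative" paths; adjust to the site's own layout.
ADMIN_HINT = re.compile(r"/(admin|manage|console)", re.I)


def find_admin_enumeration(log_text, min_misses=5):
    """Flag clients that requested many distinct admin-like paths that failed.

    Returns {ip: {"distinct_misses": n, "served_after_probing": [paths]}}.
    A non-empty "served_after_probing" list means an admin-like page answered
    200 to a client that had just been guessing URLs, which is the case to
    review first.
    """
    misses = defaultdict(set)   # ip -> distinct admin-like paths answered 403/404
    served = defaultdict(list)  # ip -> admin-like paths answered 200 after probing
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable log line
        path = m["path"].split("?", 1)[0]
        if not ADMIN_HINT.search(path):
            continue
        ip, status = m["ip"], int(m["status"])
        if status in (403, 404):
            misses[ip].add(path)
        elif status == 200 and len(misses[ip]) >= min_misses:
            served[ip].append(path)
    return {
        ip: {"distinct_misses": len(paths),
             "served_after_probing": served.get(ip, [])}
        for ip, paths in misses.items()
        if len(paths) >= min_misses
    }


if __name__ == "__main__":
    for ip, info in find_admin_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The administrator at 203.0.113.20, who mistypes one URL, stays below the threshold and is not reported.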

The impact of the breach, and the measures taken to notify the victims according to the site :

“The BillOReilly.com site experienced a minor hacking incident on Friday, September 19th, 2008.

** ALL CREDIT CARD INFORMATION FOR EVERY MEMBER IS SAFE
** NO MEMBERS WHO JOINED BEFORE WEDNESDAY, SEPTEMBER 14th, 2008 WERE AFFECTED AT ALL.
** 205 new Premium Members who signed up last week had their name, hometown, email address, & BillOReilly.com password stolen.
** We have contacted those 205 members by email and telephone.
** We are working with the proper authorities to track down the perpetrators. “

Another personal message issued by Bill O’Reilly regarding the process of tracking down the “perpetrators” was posted on Sunday :

“The FBI and Secret Service are close to indicting some of the perpetrators and we will keep you posted when the arrests are made. All premium members receive the full backing of our legal team and if anyone is hassled in the least, please inform us immediately. In the latest case, no proprietary information was obtained by hackers and we have safeguards in place to protect everyone who does business with us.

Rest assured that we are on this. Our defense of Sarah Palin has led some criminals to attempt to disrupt our enterprise. At this moment federal authorities and our attorneys are compiling information against these people. Again, if any person is bothered in any way – please let us know. We stand behind our products but, most importantly, we stand behind you. We’ll get the bad guys. Count on it.

Bill O’Reilly
9/21/08″

Who’s claimed responsibility? 4chan members planning at Ebaumsworld using “secret words” :

“According to my source this is a common tactic among the secret hacking group hidden amongst the users of ebaumsworld. he states “yeah we will start planning on 4chan so ebaums doesnt get in trouble…we use secret words and stuff to let the others know who we are” when i asked why he was telling me all this he said “man this has just gone too far.. at first it was a joke then we found out that the same usernames and passwords worked for those peoples paypal accounts and im afraid of what they will do.”

It appears that the “forum fraction” is also planning a DDoS attack against BillOreilly.com according to this interview, which wouldn’t be the first time the site has been under DDoS attack, and definitely not the last. From an analyst’s perspective, nation2nation hacktivism conflicts always provide the best and most accurate understanding of a particular country’s capabilities in this space, compared to hacktivism actions that basically stick to standard practices such as DDoS attacks, which, like any tip of the iceberg, receive most of the attention because their impact is easier to measure than that of the other hacktivism tactics used.

The bottom line – this is a good time to point out why you shouldn’t use the same password on different web services, and that the big picture, Wikileaks’ vision of a little less secrecy and a little bit more transparency, ultimately better serves the world and gives power to the people whose collective consciousness, if not brainwashed, is supposed to be shaping the way we live.


November 9, 2008

Track a user’s Internet Explorer History with IEHistoryView

  • Date: July 23rd, 2008
  • Author: Wally Bahny

IEHistoryView can allow an administrator to quickly see a user’s browsing history without extensive preparation and configuration.

——————————————————————————————

Tracking a user’s browsing history can be both an expensive and a daunting task, especially if you’re a one-man shop in a small company. For those that are blessed with users that behave while they’re online at work, you are lucky indeed. For the rest of us, there is IEHistoryView.

Created by Nir Sofer, owner and operator of NirSoft, IEHV is a simple, yet powerful, tool with a fairly small footprint (37 KB). Downloading and installing IEHV is as simple as getting the zip file from the Web site and extracting the three included files into the folder of your choice.

Included are the executable (with both GUI and command-line functionality), a compiled HTML (.CHM) help file, and a ReadMe file that contains version history and some quick-start instructions.

This blog post is also available in the PDF format in a TechRepublic Download, which includes all the code in a separate file for easy copying.

Initial look

The first thing you see when opening IEHV is a grid interface of the current user’s Internet Explorer history (Figure A). As we look around, there are several toolbar buttons and a few standard menus as well.

Figure A

Current user’s Internet Explorer history

As in most well-designed Windows programs, all the toolbar functions can be found in one of the standard menus. In these menus (Figure B) we see several familiar options as well as many more that we will either have to guess at or try out. (I edited the opened four menus together in the same image. The actual application does not function in this manner.)

Figure B

All the menu screens at the same time

Delving right in, scroll through the grid to get a nice reverse-order history of the user’s browser activity (Figure C, which is edited together from several screen shots).

Figure C

Scrolling through the history

Looking at this user, after going through the Microsoft RunOnce wizard they first fired up XKCD.com (important things first), then went to TechRepublic and read several articles and blogs as well as viewed a photo gallery or two. After leaving TechRepublic, the user Googled the Google Headquarters and then checked out the headlines on MSN.com. Finally, this person Googled “crack WEP encryption” (must have gotten the idea from “Video: How to Spoof a MAC Address” viewed earlier) and then spent some time browsing a few sites on the topic before logging off.

Viewing other users, other folders, and subfolders

So, now we know what the logged-in user has done on the Internet. But, what if you wanted to look at another user’s history on the same machine, a different machine, or just wanted to look at a particular date or range of dates? IEHV has the ability to browse the list of user accounts on the local machine as well as give the user the ability to specify a history folder (useful for networked computers) or a history subfolder (to look at a shorter period of time), which can be seen in Figure D.

Figure D

Viewing different folders

Choosing either another user from the user accounts chooser or specifying a history folder will give the same type of information as we saw in the initial view. The main difference is in the history subfolder. As you can see in Figure E, the Hit counts are much smaller than in the main view. I was unable to find anything in the documentation to explain this, so I simply chalked it up to a functionality of Internet Explorer (perhaps the main view shows image hits as their own hit under the page they are loaded from).

Figure E

History subfolder of another user

Saving, deleting, exporting, and printing

By checking the boxes next to one or more of the entries in the grid, several of the menu options become usable.

  • Save: export a formatted list of checked history records to a plain text, HTML, or XML file for further review
  • Delete: delete checked items from the IE history index file
  • Copy: copy checked items to the clipboard so they can be pasted into another application such as Microsoft Excel
  • HTML Report: create a table-based HTML report for further review
  • Create Links: create Favorites in Internet Explorer for easy review of a site’s content. Also useful if you forgot to bookmark a site you really liked.

Other functionality

So, what else can we do with it? Well, there are a couple of different Search functions. The first, “Find History Item,” is your traditional search dialog. Also available is “Select by URL,” which allows the user to input several carriage-return-delimited strings that are searched for and automatically selected in the grid.

One feature in the menus that stood out was “Show All Google Searches” (Figure F). This does exactly what it says: it shows all Google searches that haven’t been cleared from the browser.

Figure F

Showing all Google Searches

After pretty much exhausting the menus, the next thing to try is right-clicking on one of the records. Some of the same functionality that is in the menus and toolbars is also available via a right-click context menu (Figure G).

Figure G

Right-click context menu

Let’s look into the properties screen (Figure H). The properties screen shows the same information that is in the grid, just laid out in a traditional data form format.

Figure H

Properties screen

Command-line functionality

The command-line functionality is a little more difficult to jump right into, and a simple “iehv /?” just launched the GUI.

Here is the command-line syntax:

iehv [/Action] ["Destination File"] {-Source Type} {"Source"}

  • Action: tells IEHV what type of file you would like to export to. Options are similar to the GUI Save function.
  • Destination File: absolute or relative path and file name to store the exported data
  • Source Type and Source: optional parameters used to redirect IEHV away from the currently logged-on user (similar to the functions above in Figure D)

Figure I shows the failed attempts at discovering command-line options as well as a simple implementation of the command line that exports all History for User “TRTest” to a tab-delimited text file named “export.tab.” While not as easy to use for simply viewing, the command line would be very useful for reporting and archiving.

Figure I

Command line

Aggregating and archiving

The following section is simply a “proof of concept” that should not be taken as a complete solution. I have used VB.NET 2005 to demonstrate these ideas.

The core to this concept is executing the command line, writing the data to a temporary file, and then reading that data into a VB.NET application for aggregation and archival. The challenge is to build the command line for each computer/user/folder you want to aggregate.

Executing a command line from Visual Basic is limited to a few options. I could use the Shell() command, but the outputs of that are very limited and Shell can be temperamental. The .NET Framework also has a Process class within the System.Diagnostics namespace that seems a bit more robust, so we’ll use that.

NOTE: Please refer to the documentation on System.Diagnostics.Process for more detail.

Among other things, the Process class has options for a File Name as well as Arguments. The File Name is the full path to the IEHV executable and the Arguments will be filled in dynamically with the custom-built string we’ll create later. The command line we will use is:

iehv /stab "%temp%\iehv.tab" -folder "path\to\IE\History\Folder"

What this command does is create an output of a specified History folder to a temporary tab-delimited text file in the user’s temp folder. So, we first break off the “iehv” because that is being handled in the Process class’ File Name property. Next, we need to use the .NET Framework to get the user’s temp folder path and substitute that in for “%temp%”. Finally we need to ask the user to specify the path to import into our application.

Prompting the user for this information can be done in one of many ways, depending on how sophisticated you want the application to be and how many folders you want to import in a batch. For the purposes of this proof, we will assume that you want to gather usage for all users on one specified machine and load that information into a DataTable, which can be tied to a backend database.

Code Listing A shows a snippet of how to get the user’s temp folder as well as loop through the user directories gathering the Internet Explorer History and loading it into the DataTable.

Listing A

' Assumes Imports System.IO and System.Collections.Generic, and that Me.psIEHV is a
' Process component whose StartInfo.FileName is the full path to the IEHV executable.
Dim strTempDir As String = _
    Environment.GetEnvironmentVariable("temp", EnvironmentVariableTarget.User)
Dim strExportFile As String = Path.Combine(strTempDir, "iehv.txt")
Dim strUsersRoot As String = _
    "\\" & Me.txtComputerName.Text & "\c$\Documents and Settings"

For Each strProfileDir As String In Directory.GetDirectories(strUsersRoot)
    ' The last path component is the profile (user) name.
    Dim strProfileDirParts As String() = strProfileDir.Split("\"c)
    Dim strProfileName As String = _
        strProfileDirParts(strProfileDirParts.Length - 1)

    ' Export this profile's History folder to the temporary tab-delimited file.
    ' No backslash directly before the closing quote: \" would escape the quote.
    Me.psIEHV.StartInfo.Arguments = "/stab """ & strExportFile & _
        """ -folder """ & strUsersRoot & "\" & strProfileName & _
        "\Local Settings\History"""
    Me.psIEHV.Start()
    Me.psIEHV.WaitForExit()   ' block until IEHV finishes instead of spinning on HasExited

    Using sr As New StreamReader(strExportFile)
        Dim strImport As String = sr.ReadToEnd()
        For Each strLine As String In _
            strImport.Split(New String() {ControlChars.CrLf}, _
                            StringSplitOptions.RemoveEmptyEntries)
            ' Drop the last character of each exported line.
            Dim strEntry As String = strLine.Substring(0, strLine.Length - 1)
            ' First column is the computer name, followed by the exported fields.
            Dim strEntryParts As New List(Of String)
            strEntryParts.Add(Me.txtComputerName.Text)
            strEntryParts.AddRange(strEntry.Split(ControlChars.Tab))
            Me.DsHistory.dtHistory.Rows.Add(strEntryParts.ToArray())
        Next
    End Using
Next

Considerations

IEHistoryView can allow an administrator to quickly see a user’s browsing history without extensive configuration and preparation. For more advanced archival needs, the command line can be used alongside some custom programming to create a simple, low-cost (time is money) Internet usage monitor.

Using IEHV to monitor Internet usage is dependent on users not deleting their browsing history through Internet Explorer. Fortunately, those rights can be controlled via Group Policy as discussed in this IT Dojo blog post.


How do I… scan a hard drive for sensitive data with Spider?

  • Date: August 20th, 2008
  • Author: Jack Wallen

A tool like Spider 3 can protect sensitive data with little effort or cost.

—————————————————————————————

There are many reasons why you would want to do a thorough scan on a PC for specific data. You could be recycling computers, bringing in new employees (to take over previous employees’ machines), or simply removing sensitive information from a permanently networked machine. Regardless of your reason, a 120GB hard drive is a large drive to manually search for strings of data. But with the help of Cornell University’s Spider tool, this task becomes quite a bit easier.

Spider works by scanning archive, normal, compressed, and temporary files (so long as the file isn’t locked for use or encrypted) for data types such as U.S. Social Security numbers, Canadian Social Security numbers, credit card numbers, U.K. National Health Insurance numbers, and any data type for which the user supplies a regular expression. Spider can be run in two different ways: GUI and command line. And best of all, Spider is open source and cross-platform (Windows, OS X, UNIX).

This blog post is also available in PDF format in a TechRepublic download.

Getting and installing

You first need to download the correct binary package (which includes the source) from the Cornell University security tools download page. For Windows you will be downloading a compressed .zip archive. Uncompress that file, and you will have a new directory called “Spider_release.” Inside this folder are a README, an installation binary, and a directory containing the source code. Double-click on the installer package to install Spider 3.

The installation is a no-brainer. Just let it do its thing, and you will wind up with a new entry in your Start menu. This entry, Spider 3, contains three subentries:

  • RegexLibraryBuilder.exe
  • spider_3.0.exe, and
  • SpiderRegConvert.exe.

Starting Spider 3

From the Spider 3 menu, click the spider_3.0.exe entry to fire up Spider 3. The first window you will see is the main window (there is no initial configuration). Figure A shows the main window ready for a scan.

Figure A

Not much to it on the outside. It’s what’s on the inside that counts.

If you click Run Spider, you are going to initiate a default scan that will scan the drive and network shares for strings matching 15-string credit card numbers and U.S. Social Security numbers. This scan will create a log on your local drive (it is critical that this file be deleted when you are finished examining Spider’s findings).

So click Run Spider. The window will only change by showing what file the application is scanning (see Figure B).

Figure B

If Spider is taking a long time on a particular file, you can skip that file by hitting the Esc key.

During the scan you will probably notice when Spider locates any multimedia files because it will slow down. This is only because of the size of the file. As stated above you can skip this file by hitting the Esc key. If you have a lot of these, this process can be a pain. Fortunately Spider 3 has a way around this.

Configuring Spider 3

From the main window, click on the Configure menu and select the only entry: Settings. From this window (Figure C) you can take care of every possible Spider configuration you could hope for.

Figure C

Any time you feel you have monkeyed with the options beyond recognition you can reset to default.

Say you do not want Spider 3 spending too much time with your music collection (and any file associated with said collection). To avoid this, you will want to go to the File Extension Management tool. To get there, click on the Scan Options tab and then click the File Extension Management button (see Figure D).

Figure D

As you can see the default skip list is fairly lengthy.

By default most media extensions are already included in the skip list. But say you have another type of file (or even an in-house file type) that you want to skip. To add a new extension to skip is simple. Click on the Add button under File Extensions to Skip, which will open up a new window (Figure E).

Figure E

Once you have added the new extension, click OK and the window will close.

Naturally, depending on the size of the drive and the number of files on the drive, the scan can take quite some time. But once the scan is done, the log viewer will open to show you the complete results of the scan.

Viewing the results

Once the scan is complete, the Spider 3 log viewer will automatically open. This log viewer is a very helpful tool in that it gives you instant information on each file and what hit type Spider 3 has found. Take a look at Figure F. You will see a number of files that drew flags from Spider 3.

Figure F

I actually had more hits than I thought I would.

When you highlight a suspected file, all the information you need appears below the file listing. In the example above you can see that the file klein.pdf is flagged with a credit card number. I happen to know this is a false positive, so I can ignore that file. However, there were file listings (not shown) that did have bank account information. Those files had been backed up, and their location was mostly obfuscated, so I most likely would have completely forgotten about their existence. Thanks to Spider 3 I can delete them.

Taking action

To take action on a file (which basically means to delete the file), you do not have to open up Explorer and navigate to said file. Instead you can simply highlight the file within the log viewer and click the Erase or Delete File button.

Now the Run button is interesting. Say the file flagged has an associated application (for example Adobe Reader for PDF files). If you have a PDF file highlighted, clicking the Run button will open that highlighted file in Adobe Reader. This is a quick way to view the file to make sure Spider hasn’t hit a false positive.

Final thoughts

Without applications like Spider 3 many people would be exchanging PC hard drives with very sensitive data on them. But thankfully applications like this do exist and they are simple to use. I would highly recommend Spider 3 to any IT admin (or even home user) who wants to make sure sensitive data is not found on their hard drives.


November 8, 2008

KeyScrambler Personal

KeyScrambler Personal: Encrypt keystrokes to protect your username and password from keyloggers.
License: Free
OS: Windows 2000/XP/2003 Server/Vista


Clickjacking: Researchers raise alert for scary new cross-browser exploit

September 25th, 2008

Posted by Ryan Naraine

[ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ]

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery — Robert Hansen and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking?

Clickjacking details emerge

According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

  • In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

If that’s not scary enough, consider that the average end user would have no idea what’s going on during a Clickjack attack.

  • Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this.  “It makes it easier in many ways, but you do not need it.”  Use lynx to protect yourself and don’t do dynamic anything.  You can “sort of” fill out forms and things like that.  The exploit requires DHTML.  Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page.  Each click by the user equals a clickjacking click so something like a flash game is perfect bait.

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

  • In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now.