Twitter Hacked: About 250,000 User Accounts Possibly Compromised

Seems to be the week for large media attacks. The NY Times and WSJ were hacked earlier this week and Twitter announced earlier today that they had a security breach and the credentials for about 250,000 accounts could have been compromised.

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.”

Apparently the culprit of the breach was, drum roll please, a Java vulnerability. Twitter recommends disabling Java if it is not needed, using a different password for each site, and changing any weak passwords now!

“Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.”

Apparently Twitter was able to catch the hacker in progress and shut him out. They are working with law enforcement agencies to track the attackers and shut them down.

No source has been named as to who the hackers were or where they were from. There was a lot of finger pointing at China earlier this week with the NY Times and WSJ attacks; not sure if I buy into that at this point. China (at least the military-backed hackers) is usually more interested in cyber espionage and targets of strategic importance.

The New Social Engineering Toolkit vs Windows 7 (and 8!)

Cyber genius David Kennedy (aka The Mad Hugger 🙂 ) and his rockstar team have done it again. Just when you thought your Anti-Virus was safe, the TrustedSec team has shown once again that pinning all your corporate security hope on AV protection alone is not a good strategy.

A ton of new features have been added (check out their video above) and some of the older features have been re-written and revamped, making SET 4.0, codenamed “Balls of Steel” (who makes up these names??), one of the coolest pentesting tools out there.

I just had to check out the new “PyInjector” feature (injects shellcode straight into memory) and see how it fared against a fully updated Windows 7 with one of the best AV/network protection suites installed:

Looks like it worked pretty well!

Okay, I have been playing around with Windows 8 for a while now, checking out its updated security features, and I have been pretty impressed so far. Here is a screenshot of the same attack against a Windows 8 system using only the included Microsoft Windows Defender:

No shell, only an ever repeating screen of errors.

Okay, let’s try the new Java 7 attack against both and see how it fares. First the Windows 8 system:

Hmm… Seems to have stopped it at the request stage. Windows Defender did have an update that I installed just prior to running this test, though I thought it odd that nothing showed up in the Windows Defender log.

Okay and the Windows 7 system with the good AV:

Just got to the sending applet part, but no shell. Looks like it stopped it too.

I tried the regular Java attack that has been re-tooled and I was able to get a remote shell with both versions of Windows. It was odd though as neither would let me actually do anything with the shell. Anything I tried to input into the shell would just be echoed onto the webpage on the target machine.

This just shows that even though in some cases the AV was able to stop the attacks, I was still able to get a full remote shell. Users must be educated about online risks, and network defense cannot be focused on AV protection alone. Social engineering is one of the top targeted attack methods used against corporate networks.

Sometimes your user is your last and greatest line of defense.

Internet Explorer Zero-Day Discovered, Metasploit Module Released

A new 0-Day IE exploit puts a lot of internet users at risk. According to Rapid7 (creator of the Metasploit testing platform), the new zero-day, discovered by security researcher Eric Romang, affects IE 7, 8 and 9 on Windows XP, Vista (anyone really use that anymore?) and Windows 7.

The zero-day was found when Eric was analyzing a machine that was infected with “Poison Ivy”, a malicious remote administration tool (RAT). Apparently the 0-Day was actually used to install Poison Ivy, possibly by the “Nitro” hacker gang.

Check out the video Eric made (above) and his website for more information.

Microsoft urged users to use their free security tool, the Enhanced Mitigation Experience Toolkit (EMET). Rapid7 countered this, saying that the stop-gap does not work well in all circumstances and that users should switch to another browser until a security patch for IE is released.

Rapid7 also released a Metasploit module (pictured above) so corporate security teams could test their networks to see if they are vulnerable to the exploit. All Metasploit users need to do is update their install and the module will be pulled down. Backtrack users can simply run “msfupdate”.

Vulnerability in Sun Java Discovered

On Friday two advisories were released about a serious Java vulnerability that opens current versions of Windows and Linux up to web-based attacks.

Tavis Ormandy of Google and Ruben Santamarta both discovered the flaw independently. Ormandy notified Sun of the flaw and, when Sun decided not to patch right away, published an advisory with a workaround for the issue.

According to ZDNet Zero Day, the flaw occurs:

“…because the Java-Plugin Browser is running “javaws.exe” without validating command-line parameters. These parameters can be controlled by attackers via specially crafted embed HTML tags within a Web page,” Santamarta warned.

For more information and a temporary solution, see the full ZDNet Zero Day article.