Sunday, 1 December 2013

Vodafone Iceland data breach exposed the personal information of 70,000 users

Today the official Vodafone Iceland website was breached by the hacker group Maxn3y, which defaced it and leaked a heap of data from its servers.

Vodafone Iceland was hacked by the hacker group Maxn3y (@AgentCoOfficial), which in the past has stolen data from airport systems, electronics giants and a fast food company.
The hackers announced via Twitter that they had successfully compromised a Vodafone Iceland server and defaced the official website and various other subdomains, including the company's mobile site.
The hackers disclosed a compressed 61.7MB RAR file, locked with the password TURKISH, that contains a collection of files, including one titled users.sql that appears to contain the 77,000 user accounts. The file includes user names, social security numbers, encrypted passwords and other encrypted information.
Another file, the MySQL dump greind.sql, appears to contain a small log of SMS history dated 2011 as well as an SMS logger.
The portal CyberWarNews posted the list of files disclosed and provided information on their content.
The Vodafone Iceland website was rapidly restored, but at the time I'm writing it is not reachable.
Following is the complete list of leaked files, with a description of their contents.

SQL files

  • Multimedia database: nothing critical, 400K rows of user tracking and logging with user agents, referers etc.
  • SMS history with what appears to be full text messages, to and from numbers, with timestamps, all dated 2011-08-19
  • SMS logger: sender id, sms id, user ip, date
  • 900k rows of user contact details related to an SMS plan
  • user names, ids, encrypted passwords, email addresses, social security numbers, dates, bank details (a lot is incomplete)
  • account manager details
  • full names, phone numbers, email addresses
  • sms_history.sql and signup.sql, explained above

XLS files

  • kennitala (social security numbers), dates, ticket numbers, campaign ids (unknown campaign), email addresses (count: 23,494)
  • id, code (unknown), msisdn, sms, timestamp (ts) (count: 1,001)
  • id, full name (nafn), kennitala (ssn), pnr, confirmed, date, ticket, email, senda, receiver (count: 4,305)
  • id, ip addresses, user name, encrypted passwords, email addresses, first name, last name, phone, fax, reg date, last active, user level, notes (count: 334)
  • id, school, login, clear text passwords, names, isadmin, active (count: 18)
  • id, timestamp, ip, session id, social security numbers, email addresses (count: 1,491)
  • id, phone, social security numbers, email addresses, ticket id, registration status, date, ip (count: 1,247)
  • user names, clear text passwords, names, email addresses and permissions (count: 12)
  • cart_id, names, social security numbers, post codes, email addresses, credit card names, nulled credit card numbers and dates, sale amounts (count: 3,086)
  • real name, email addresses, companies, chairman name (count: 31)
  • id, content, date, email addresses (count: 1,929)
  • usernames, clear text passwords, active, companies, full addresses, contact numbers, websites, nulled locations (count: 767)
  • user names, 5x full names, phone numbers, social security numbers (count: 71)
  • names, partner countries, to Iceland (nothing important) (count: 10)
  • session id and details, encrypted (nothing important) (count: 49,468)
  • file name says all, nothing of importance here
  • file name says all, nothing of importance here

Google Nexus vulnerable to SMS-based DOS attack

Bogdan Alecu, a system administrator at the Dutch IT services company Levi9, discovered that Google Nexus phones are vulnerable to an SMS-based DoS attack.

The popular Google Nexus family of smartphones is vulnerable to an SMS-based DoS attack that can freeze the handset and cause other anomalous behaviour.
Bogdan Alecu, a system administrator at the Dutch IT services company Levi9, discovered the Google Nexus vulnerability, which affects all Android 4.x firmware versions on the Galaxy Nexus, Nexus 4 and Nexus 5.
The expert disclosed the vulnerability recently at the DefCamp security conference in Bucharest, Romania.
An attacker exploiting the flaw can force the device to restart, lose its network connection or freeze by sending it a large number of a special type of SMS message, the flash SMS.
A flash SMS (a class 0 SMS) is a message that is displayed directly on the handset screen without user interaction and is not automatically stored in the inbox. Sending around 30 flash SMS messages to a Google Nexus phone is enough to cause the DoS.
Alecu reported the discovery to Google more than a year ago and was told back in July that the flaw would be addressed in Android 4.3, but nothing has changed.
According to the expert the attack can produce various problems on the targeted Google Nexus device:
  • It will either say that the Messaging application has stopped
  • Cause a reboot – this is what happens in most of the cases
  • Make only the Radio (mobile network communication) app restart, but then the device will no longer be able to use mobile data (it cannot connect to the APN)
Alecu discovered the vulnerability by chance while testing different message types: for class 0 messages he noted that the popup being displayed also adds an extra layer that darkens the background.

“Then my first thought was: what happens if I send more such messages? Will it make the entire background go black? If so, wouldn’t this cause a memory leak? The answer is “Yes” for both of the questions. So, basically, by sending around 30 Class 0 messages, it will make the Google device behave strangely.” said Alecu to my colleagues at TheHackerNews.

While waiting for a fix for Google Nexus devices, users can install the free Class0Firewall app to protect their handsets from this DoS attack.
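To make concrete what separates a flash SMS from a normal one, and what a Class0Firewall-style filter has to look at, here is an added example (not from the article, from Alecu's research or from the Class0Firewall app). It decodes the TP-DCS octet of an SMS-DELIVER PDU according to 3GPP TS 23.038 to recover the message class, and applies a per-sender burst threshold to class 0 messages. The PDUs, sender numbers, the limit of 5 and the 60-second window are constructed for this example; the 30-message figure is only the count the article reports as enough to trigger the Nexus DoS.

```python
"""Classify inbound SMS PDUs by message class and rate-limit class 0 ("flash") SMS.

DCS decoding follows 3GPP TS 23.038 section 4. The PDUs below are constructed
for this example (SMSC +31624000000, sender +31628870634, text "hello").
"""
from collections import defaultdict, deque


def build_deliver_pdu(dcs: int) -> str:
    """Constructed SMS-DELIVER PDU that differs only in its TP-DCS octet."""
    return ("07911326040000F0"      # SMSC address: length 7, international, +31624000000
            "04"                    # first octet: SMS-DELIVER
            "0B911326880736F4"      # TP-OA: 11 digits, international, +31628870634
            "00"                    # TP-PID
            f"{dcs:02X}"            # TP-DCS
            "31210102034500"        # TP-SCTS (service centre timestamp, 7 octets)
            "05"                    # TP-UDL: 5 septets
            "E8329BFD06")           # TP-UD: "hello" packed as GSM 7-bit


FLASH_PDU = build_deliver_pdu(0xF0)   # class 0, GSM 7-bit: the "flash SMS"
NORMAL_PDU = build_deliver_pdu(0x00)  # no class information: ordinary SMS


def decode_dcs(dcs: int):
    """Return (alphabet, message_class); message_class is None if the DCS carries no class."""
    group = dcs >> 4
    if group <= 0x3:                                    # general data coding group
        alphabet = ("gsm7", "8bit", "ucs2", "reserved")[(dcs >> 2) & 0x3]
        msg_class = dcs & 0x3 if dcs & 0x10 else None   # bit 4 set: bits 1..0 are the class
    elif group == 0xF:                                  # data coding / message class group
        alphabet = "8bit" if dcs & 0x4 else "gsm7"
        msg_class = dcs & 0x3
    else:                                               # message-waiting groups etc.: no class
        alphabet = "gsm7" if group in (0xC, 0xD) else "ucs2" if group == 0xE else "reserved"
        msg_class = None
    return alphabet, msg_class


def decode_address(semi: bytes, ndigits: int, toa: int) -> str:
    """Reverse the nibble-swapped BCD digits of a TP address; '+' for international."""
    digits = "".join(f"{b & 0xF:X}{b >> 4:X}" for b in semi)[:ndigits]
    return ("+" if (toa & 0x70) == 0x10 else "") + digits


def unpack_gsm7(ud: bytes, septets: int) -> str:
    """Unpack GSM 7-bit user data; only the ASCII-overlapping part of the alphabet is mapped."""
    bits = int.from_bytes(ud, "little")
    return "".join(chr((bits >> (7 * k)) & 0x7F) for k in range(septets))


def parse_deliver_pdu(hexpdu: str) -> dict:
    """Parse the header fields of an SMS-DELIVER TPDU (SMSC prefix included)."""
    b = bytes.fromhex(hexpdu)
    i = 1 + b[0]                                        # skip SMSC address
    if b[i] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    i += 1
    ndigits, toa = b[i], b[i + 1]
    i += 2
    oa_len = (ndigits + 1) // 2
    sender = decode_address(b[i:i + oa_len], ndigits, toa)
    i += oa_len
    pid, dcs = b[i], b[i + 1]
    i += 2 + 7                                          # TP-PID, TP-DCS, TP-SCTS
    udl = b[i]
    ud = b[i + 1:]
    alphabet, msg_class = decode_dcs(dcs)
    text = unpack_gsm7(ud, udl) if alphabet == "gsm7" else None
    return {"sender": sender, "pid": pid, "dcs": dcs, "alphabet": alphabet,
            "class": msg_class, "text": text}


class Class0Filter:
    """Drop class 0 messages from a sender once more than `limit` arrive within `window` seconds.

    Ordinary messages always pass; the thresholds are assumptions for this example.
    """
    def __init__(self, limit: int = 5, window: int = 60):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)                  # sender -> arrival times of class 0 SMS

    def decide(self, pdu_hex: str, now: float) -> str:
        msg = parse_deliver_pdu(pdu_hex)
        if msg["class"] != 0:
            return "deliver"
        q = self.seen[msg["sender"]]
        while q and now - q[0] > self.window:           # forget arrivals outside the window
            q.popleft()
        q.append(now)
        return "drop" if len(q) > self.limit else "deliver"


if __name__ == "__main__":
    fw = Class0Filter()
    for n in range(30):                                 # a burst of the size the article describes
        print(n + 1, fw.decide(FLASH_PDU, now=n))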

Malware 'worse' than Stuxnet being plotted in the middle east

Iranian report: Israel and Saudis plotting new computer worm to sabotage our nuclear program
The Saudi spy agency and Mossad last week hashed out a proposal for the production of malware 'worse than Stuxnet,' says the state-owned Iranian news agency.
Israel and Saudi Arabia are reportedly collaborating to create a new destructive computer worm to "spy on and destroy the software structure" of Iran's nuclear program, the semi-official Iranian news agency Fars said over the weekend.
Fars, the outlet of Iran's Revolutionary Guards, quoted "an informed source" close to the Saudi secret service as saying that Saudi spy chief Prince Bandar bin Sultan and Mossad head Tamir Pardo each sent a representative to Vienna on November 24 with the purpose of increasing the "'two sides' cooperation in intelligence and sabotage operations against Iran’s nuclear program."
“One of the proposals raised in the meeting was the production of a malware worse than the Stuxnet to spy on and destroy the software structure of Iran’s nuclear program,” the source was quoted by Fars, referring to a computer virus unleashed in 2010 targeting Iran's uranium enrichment facility at Natanz. American whistleblower Edward Snowden told Der Spiegel this year that the U.S. and Israel cooperated to produce the virus.
Arab media reported last week that Prince Bandar took part in a meeting in Tel Aviv with Prime Minister Benjamin Netanyahu and French President Francois Hollande to discuss U.S. relations with Iran.
Meanwhile, the Sunday Times reported the week before that Israel and Saudi Arabia had been working together secretly on plans for a possible attack against Iran in case the Geneva talks fail to roll back its nuclear program.
The two countries' shared concern has put them at odds with the United States as the latter continues to seek an agreement with Iran to ease economic sanctions in return for pulling back nuclear development.

MS Windows XP CVE-2013-5065 Eleventh zero-day flaw found by FireEye

FireEye security experts discovered a privilege escalation zero-day exploit for Microsoft Windows XP and Server 2003

Security experts at FireEye have discovered a new zero-day, a privilege escalation vulnerability in Windows XP and Windows Server 2003.
It is the eleventh zero-day discovered by FireEye this year, a remarkable record for the researchers of the young company. The latest flaw, tracked by Microsoft as CVE-2013-5065, is a privilege escalation vulnerability that attackers are chaining with an exploit for Adobe Reader (CVE-2013-3346).
Microsoft has issued security advisory 2914486 informing customers that a bug in the NDProxy.sys kernel driver could allow an attacker to elevate privileges on Windows XP and Windows Server 2003.
“We are aware of limited, targeted attacks that attempt to exploit this vulnerability. Our investigation of this vulnerability has verified that it does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003.” reported Microsoft.
An attacker who already runs code under a standard user account can exploit the flaw to execute arbitrary code in the kernel; be aware that the vulnerability cannot be used for remote code execution on its own, which is why the observed attacks pair it with the Adobe Reader exploit to obtain the initial foothold as the logged-on user.
“An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users” states the advisory.
Once privileges are elevated, the attacker can conduct various activities, including accessing or deleting data, installing programs and creating accounts with administrative privileges.
It must also be considered that on April 10, 2012 Microsoft announced that extended support for Windows XP and Office 2003 would end on April 8, 2014, and advised administrators to begin preparing a migration to a newer OS. After that date XP systems will no longer receive security updates from Microsoft, a good reason to upgrade.
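Until a patch lands, the practical question for an administrator is which XP and Server 2003 hosts are exposed and whether the advisory's mitigation is in place. The following is an added example (not from the article, FireEye or Microsoft): a PowerShell 2.0 audit script that checks the OS version and the NDProxy service's ImagePath, and with -Apply performs the workaround published in Microsoft Security Advisory 2914486, which reroutes NDProxy to Null.sys. The registry key and the Null.sys technique come from that advisory; the script structure, function names and output format are this example's own assumptions.

```powershell
# Added example: audit a Windows XP / Server 2003 host for CVE-2013-5065 exposure
# and optionally apply the advisory 2914486 workaround (NDProxy -> Null.sys).
# Run from an elevated PowerShell prompt on the host itself; PowerShell 2.0 suffices.
param(
    [switch]$Apply   # without -Apply the script only reports
)

$ndproxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
$nullDriver = 'system32\drivers\null.sys'

function Get-Ndproxy5065Status {
    # Windows XP is NT 5.1 and Server 2003 is NT 5.2; Vista and later (6.x) are not affected.
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version
    $affectedOs = ($ver.Major -eq 5 -and $ver.Minor -ge 1)

    $imagePath = $null
    if (Test-Path $ndproxyKey) {
        $imagePath = (Get-ItemProperty -Path $ndproxyKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    }
    # Workaround is in place when the service binary has been pointed at Null.sys.
    $rerouted = ($imagePath -ne $null) -and ($imagePath.ToLower() -like '*null.sys')

    New-Object PSObject -Property @{
        Caption       = $os.Caption
        Version       = $os.Version
        AffectedOS    = $affectedOs
        NdproxyImage  = $imagePath
        WorkaroundSet = $rerouted
        Exposed       = ($affectedOs -and -not $rerouted)
    }
}

function Set-Ndproxy5065Workaround {
    # Advisory 2914486 workaround: stop NDProxy, point its ImagePath at Null.sys, reboot.
    # Documented side effect: TAPI-dependent services (RAS, dial-up networking, VPN)
    # stop working until the change is reverted.
    & sc.exe stop ndproxy | Out-Null
    Set-ItemProperty -Path $ndproxyKey -Name ImagePath -Value $nullDriver -Type ExpandString
    Write-Output "NDProxy rerouted to $nullDriver; reboot the host to complete the workaround."
}

$status = Get-Ndproxy5065Status
$status | Format-List Caption, Version, AffectedOS, NdproxyImage, WorkaroundSet, Exposed

if ($Apply) {
    if ($status.Exposed) {
        Set-Ndproxy5065Workaround
    } else {
        Write-Output 'Nothing to do: host is not an affected OS or the workaround is already applied.'
    }
}
```

Run it without -Apply first and collect the Exposed field across the fleet; apply the workaround only where TAPI-based services (RAS, dial-up, VPN) are not needed, and revert it by restoring the original ImagePath once a patch is installed.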