From the Matrix:
Trinity: Hello Neo.
Neo:How do you know that name
Trinity: I know a lot about you
Neo: Who are you?
Trinity: My name’s Trinity
Neo: Trinity…THE Trinity? The one who hacked the IRS D-Base?
Trinity: That was a long time ago
Neo: Jesus
Trinity: What?
Neo: I just thought…you were a guy
Trinity: Most guys do

To the horror of Latvia’s political establishment, a mysterious group of computer hackers is threatening to expose the incomes of top officials after stealing millions of government tax records.

The group, calling itself the People’s Army of the Fourth Awakening, claimed to have downloaded more than 7.5 million documents, including VAT receipts and income tax returns, from the State Revenue Service
(SRS) after exploiting a security loophole on its website.

One hacker used the name Neo, in apparent tribute to the hero of The Matrix science-fiction films, in which a vast system for enslaving humanity is exposed. He or she claimed that the documents revealed the
extent of official hypocrisy over belt-tightening reforms introduced as Latvia’s economy reeled under the impact of the global economic crisis. “The purpose of the group is to unmask those who gutted the country,”
Neo told the Latvian television current affairs programme Kas Notiek Latvija in an interview posted on its website.

Neo has been hailed as a digital Robin Hood by disgruntled Latvians after posting details from the documents on the internet to contrast the earnings of top officials with cuts experienced by other workers.

Times Online – Latvia in turmoil after hacker exposes establishment salaries

Based on Ubuntu and well tested this is an outstanding release, and we wish the Offensive Security Team all the best with the 2010.

Download Back-Track now and get cracking with some serious Security Testing. Explore the Offensive-Security, Back-Track websites, and the forums for Guides, Tutorials and FAQ’s.

Real security can only be achieved through awareness, knowledge and some clever tools.

What has happened is that entities within China, that may or may not be the Chinese Government or at least backed by the Chinese Government have been caught accessing Google’s computer systems through unauthorised means. Some articles say some Gmail accounts were hacked, others indicate it may have been more serious, as Google has a back end system that allows them to easily collect all data on individuals from Google services. This is used when supplying information to law enforcement, and the indications are this system may have been accessed.

The most notably thing is that it has been caught and is being talked about in a big way.

Here is a good perspective from the Shadowserver foundation.

Little by little organizations of all types are being broken into and having intellectual property and other information stolen.

Unfortunately we can tell you these scenarios are playing out day in and day out on a massive scale, whether we recognize it or not.

Cyber Espionage Intrusions Run Rampant: Google Compromise is *NOT* atypical

Targeted cyber intrusions are occurring daily at a very staggering level. Industries in the United States are heavily targeted but this truly is a global problem that is facing nearly every nation. These are not your run of the mill cyber attacks. They may have varying levels of sophistication, however, the attacks are often much more advanced than what most users have and will likely ever see. The next closest thing, perhaps on a parallel playing field, is those that are stealing vast amounts of money from banking systems that require two-factor authentication and/or dual approvers to transact. In these cases the attacks often start off extremely broad and are narrowed down.

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119

Whether we get the full picture or not, the one thing that is certain is that something annoyed Google, who had up until now been censoring results on behalf of the Chinese Government.

Additional Links:
http://www.csmonitor.com/USA/2010/0113/China-cyber-attacks-Google-only-one-of-many-US-targets
http://www.wired.com/threatlevel/2010/01/hack-for-oil/
http://www.ironcove.net/2008/04/when-dragons-attack-tibetan-hacking-review/

Now would be a good time to check your site try our scanner for a quick check against possible HTTP GET injection. Be sure to enter the full url with the additional parameters that will be tested. Ie: www.mysitetotest.com/listproducts.php?cat=3 or www.examplesite.com/article.asp?id=3. Once you have checked this form don’t forget that form based SQL Injection is also very easy to exploit. For testing form based sql injection attacks try the firefox plugin SQL from Security Compass – SQL Injection – Exploit Me – Firefox Plugin

Several high-profile hacks over the past year including those at Heartland, Hannaford Bros., and 7-11, all have had one thing in common: they were launched with a SQL injection attack.

Cross-site scripting (XSS) had been the king of Web attack techniques for some time, and for good reason — the ability to steal user credentials, hijack active Web sessions and take action on behalf of a user without their knowledge is particularly nasty. But the classic SQL injection attack has regained the lead as the most popular of Web attacks. Most of all reported Web breaches the first half of this year, according to the new Web Hacking Incidents Database (WHID) report, were conducted via SQL injection. And SQL injection is one of the most common vulnerabilities in Web applications today.

Dark Reading – SQL Injection Demystified

Researchers at security firm Finjan said on Wednesday that they have uncovered an underground botnet-leasing network where cyber criminals can pay $5 to $100 to install malware on 1,000 PCs for things like stealing data and sending spam.

The Golden Cash network, dubbed “Your money-making machine” on its home page, sells access to botnets comprised of thousands of compromised PCs to cyber criminals for custom malware spreading jobs, according to issue 2 of the Cybercrime Intelligence Report for 2009.

Here’s how it works: a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor
that reports back to the Golden Cash command and control server.

‘Golden Cash’ botnet-leasing network uncovered

It seems that like any web hosting service the Amazon Clould Web Services are open to exploitation. Of course in this post I am not saying that amazon is attacking or even the owner of this slice of the cloud is attacking me, they likely have had their slice compromised and it is now being used to launch those pesky ssh brute force attacks that fill up all our logs.

This popped into my inbox today from one of my ossec sensors:

OSSEC HIDS Notification.
2009 Jun 17 15:53:48

Received From: htarget02->/var/log/auth.log
Rule: 5551 fired (level 10) -> “Multiple failed logins in a small period of time.”
Portion of the log(s):

Jun 17 15:53:47 htarget02 sshd[10047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:44 htarget02 sshd[10045]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:42 htarget02 sshd[10043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:39 htarget02 sshd[10041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:37 htarget02 sshd[10039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:35 htarget02 sshd[10037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root
Jun 17 15:53:32 htarget02 sshd[10035]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com user=root

Here is a good article on securing your AWS instance including improving your sshd security.

Yet another example of simple security errors resulting in mass hacks of websites that whose ultimate purpose is the installation of trojans onto end user machines. The trojans can then be used in bot armies or for collection of data, passwords, financial accounts from keys stroke loggers.

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it’s crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can’t control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls.

F-Secure Details of the hack
Sans Article

“A vehicle used by an off-site archive company to transport patient data was broken into on March 17. The University of Miami just made the theft public last week, saying the thieves removed a transport case carrying the school’s six computer backup tapes. On those tapes were more than 2 million medical records. In fact, the archive company waited 48 hours before notifying the university itself. A University spokeswoman said the school has stopped shipping backup tapes off-site for now.”

Slashdot Discussion

While we had a general idea about what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used. The strategy was relatively simple: they used search engines in order to find potentially vulnerable applications and then tried to exploit them. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site.

Full details over at Sans.org

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9073098&source=rss_topic17
http://www.vnunet.com/vnunet/news/2213090/search-engine-attack-lingers

The trend of drive by downloads from compromised websites continues or in this case compromised hosts hold the malware, with search engine optimization is driving people to them. Malware is a big money game – it is not going away any time soon. As always keep your servers secure and your desktops patched.