Attacks/Breaches
11/6/2012
10:49 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Hackers Hit Symantec, ImageShack, But Not PayPal

Despite threats, Anonymous did not take down Facebook or Zynga on Monday. But other hackers detailed their own exploits, releasing employee credentials and source code.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
November 5 came and went without Facebook or mobile game developer Zynga seeing their websites get taken down by promised online attacks executed by the Anonymous hacktivist collective.

In the run-up to the Guy Fawkes Night holiday -- celebrated annually in Britain and featured in the 2005 film "V for Vendetta," from which Anonymous borrows its trademark mask -- multiple Anonymous factions had promised to take down various websites, presumably via distributed denial of service (DDoS) attacks. They also threatened to release a broad swatch of Zynga's mobile games for free. None of that came to pass.

Monday was, however, a notable day for hacking attacks that didn't involve Anonymous. In particular, hacking group Hack The Planet Monday released a Pastebin post with data that the group claimed to have stolen from ImageShack, Symantec, and ZPanel. As part of the hacking "zine" the group released, it said there was also "a heap of personal information that is claimed to belong to some people that are close to the infosec and anonymous scene," which the group said it hadn't had time to fully review.

[ For more on Anonymous's threatened Guy Fawkes Day takedowns, see Anonymous Threatens Zynga, Facebook Takedowns. ]

The leaked Symantec data appears to have involved a breached database containing email addresses and apparent password hashes for 3,195 employees.

A Symantec spokesman, reached via email, said the company is investigating the alleged breach. "Symantec is aware of the claims being made online," he said. "We take each and every claim very seriously and have a process in place for investigating each incident. Our first priority is to make sure that any customer information remains protected. We are investigating these claims and have no further information to provide at this time."

Meanwhile, Hack The Planet claimed that its ImageShack hack was much more extensive than the Symantec breach: "ImageShack has been completely owned, from the ground up. We have had root and physical control of every server and router they own. For years." The group also listed, tongue in cheek, nine factors it found that illustrated "the hardened security on all of ImageShack's equipment." Among them: running "all MySQL instances as root," having outdated kernels from 2008 or earlier, hard-coding passwords into numerous files, and having "a firewall that allows outgoing backconnects." The hacking group also released a large amount of data supposedly stolen from ImageShack, including lists of file permissions and source code.

ImageShack didn't immediately respond to an emailed request for comment about whether the leaked data was genuine, or whether attackers had also deleted the site's blog, which now resolves to a page with a "not found" error.

According to Hack The Planet, its Pastebin post also includes zero-day exploit code for ZPanel, which is a free, open source Web hosting control panel for Windows, Unix, and Linux. "We have a Zero Bug attacking all the login and overlay files," Hack The Planet said, noting that the exploit code can be used to reset root passwords in the system remotely and without authentication. Interestingly, the code's author is listed as "joepie91," which is the handle of a hacker previously associated with LulzSec.

Tuesday, however, ZPanel's head developer and project leader, Bobby Allen, said in a ZPanel forum post that the exploited flaw was patched almost three months ago. "We was (sic) made aware of this bug several months back by our professional security firm 'WebSec' and we have already released a fix of which is implemented in version 10.0.1 of ZPanel," he said. "We can therefore only assume that 'Anonymous' was 'hacking' version 10.0.0 of ZPanel of which we have already released a fix for." (Again, Hack The Planet, not Anonymous, has claimed credit for the attack.) That fix was issued on August 14, 2012.

What about PayPal? Cyber War News had originally reported that the list of sites exploited by Hack The Planet included PayPal, but it later corrected that report to note that PayPal hadn't been targeted. Similarly, a PayPal spokeswoman said via email, "It appears that the exploit was not directed at PayPal after all, it was directed at a company called ZPanel." PayPal said it's found no evidence that it was hacked, or that any of its employees' data was obtained or released, as was originally reported.

That's contrary to this Monday statement issued via the Anonymous Press Twitter channel: "Paypal hacked by Anonymous as part of our November 5th protest." That post linked to a PrivatePaste file, which has since been removed, but according to news reports, Anonymous claimed to have breached 18,000 PayPal usernames and passwords. By Tuesday, however, the consensus was that the breached data belonged to another organization -- perhaps ImageShack. Was the Cyber War News report responsible for Anonymous channels getting their own news wrong?

Still, all wasn't quiet Monday on the bona fide Anonymous data breach front. Notably, the Anonymous Intelligence Agency (aka Par:AnoIA) released what it said was a preview of a "dump of internal files from the Organization for Security and Cooperation in Europe," which it said highlighted attempted election manipulation in last week's Ukrainian elections.

But the failure of so many threatened Anonymous attacks to materialize led Cult of the Dead Cow official "Oxblood Ruffin" to dub Guy Fawkes Day as "the Anonymous version of April Fools."

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Rebeccat73
50%
50%
Rebeccat73,
User Rank: Apprentice
11/14/2012 | 11:27:12 PM
re: Hackers Hit Symantec, ImageShack, But Not PayPal
Paypal is lying. They have limited my account and are demanding to know why someone in Iran accessed my account. I have provided them with a photo ID, proof of address, confirmed my accounts and reset my password this week at their request. And they still haven't fixed it. I live in Wisconsin, my paypal account is 10 years old, I've had the same address for the last 7 years and my billing addresses all match that same address. Quite obviously, someone got a hold of my information. And it just happened to occur right after anonymous claimed to have stolen passwords. Coincidence? Ha. They are lying and just don't want people to know.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web