<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AndrewSaysHello.com &#187; website</title>
	<atom:link href="http://www.andrewsayshello.com/tag/website/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.andrewsayshello.com</link>
	<description>Andrew&#039;s Website for Lots-o-Fun and Junk!</description>
	<lastBuildDate>Wed, 24 Aug 2011 19:20:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>FBI Investigating Breach Of iPad Customer Email Addresses On AT&amp;T Website!</title>
		<link>http://www.andrewsayshello.com/technology/fbi-investigating-breach-of-ipad-customer-email-addresses-on-att-website/</link>
		<comments>http://www.andrewsayshello.com/technology/fbi-investigating-breach-of-ipad-customer-email-addresses-on-att-website/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 14:15:54 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[at&t]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email address]]></category>
		<category><![CDATA[flaw]]></category>
		<category><![CDATA[goatse security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[website]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1287</guid>
		<description><![CDATA[The FBI has launched an investigation into the exposure of email addresses of thousands of iPad customers on an AT&#38;T website this week. Researchers with Goatse Security who this week revealed the weakness in the AT&#38;T site &#8212; basically a business-logic flaw in AT&#38;T&#8217;s app that was left available and accessible to the public &#8212; were [...]]]></description>
			<content:encoded><![CDATA[<p>The FBI has launched an investigation into the exposure of email addresses of thousands of iPad customers on an AT&amp;T website this week. Researchers with Goatse Security who this week revealed the weakness in the AT&amp;T site &#8212; basically a business-logic flaw in AT&amp;T&#8217;s app that was left available and accessible to the public &#8212; were able to get the email addresses of more than 100,000 iPad customers, including some high-profile people.</p>
<p>Escher Auernheimer, a security analyst with Goatse Security, said in an interview today that his firm &#8220;did the right thing&#8221; by going public about the hole in AT&amp;T&#8217;s website.</p>
<p>UPDATE: AT&amp;T sent a letter to Apple 3G iPad owners over the weekend that shed some light on AT&amp;T&#8217;s position on the hack, according to a report in the <a href="http://bits.blogs.nytimes.com/2010/06/13/att-explains-ipad-security-breach/" target="new">New York Times</a>. &#8220;On June 7 we learned that unauthorized computer &#8216;hackers&#8217; maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&amp;T authentication page with the email address you used to register your iPad for 3G service,&#8221; wrote Dorothy Attwood, a senior vice president and chief privacy officer at AT&amp;T.</p>
<blockquote><p>&#8220;The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity,&#8221; Attwood said.</p></blockquote>
<p>Meanwhile, Goatse&#8217;s Auernheimer says the researchers went public with their findings via the Gawker website after AT&amp;T fixed the flaw. They handed the harvested email addresses over to Gawker, but stipulated that the site not publish the actual addresses. &#8220;Our disclosure process was extremely proper and above and beyond,&#8221; Auernheimer says. &#8220;Many researchers do not wait for patches&#8221; before they disclose, he says.</p>
<blockquote><p>&#8220;What influenced our decision was that there were so many people who were stewards of important infrastructure on the public and private list [exposed],&#8221; he says. &#8220;Someone else could have scraped this data.&#8221;</p></blockquote>
<p>According to Auernheimer, his team got the data without a password or actual breach/intrusion. The researchers wrote a PHP script that grabbed the email addresses from the errant AT&amp;T script. &#8220;It&#8217;s not uncommon to see this type of vulnerability,&#8221; he says.</p>
<p>The FBI&#8217;s involvement could be due to the high-profile iPad customers whose email addresses Goatse discovered, Auernheimer says. &#8220;We haven&#8217;t had any contact&#8221; with the FBI, however, he says. Meanwhile, the FBI issued this statement: &#8220;The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyber threat.&#8221;</p>
<p>Among the email addresses Goatse was able to access were that of White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, U.S. Air Force Col. William Eldridge, and New York Times Co. chief executive Janet Robinson, according to Gawker.</p>
<p>Security experts at Praetorian <a href="http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/" target="new">published the script</a> written by Goatse. It iterates over candidate ICCIDs (the integrated circuit card identifiers that tie an iPad&#8217;s SIM card to a subscriber account), submits each one to the AT&amp;T web application, and keeps whatever comes back: &#8220;An e-mail address gets returned in the successful iterations (active ICCID) and parsed. There&#8217;s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it,&#8221; Praetorian&#8217;s Daniel Kennedy blogged on Wednesday.</p>
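<p>To make the flaw concrete, here is an added illustration that is neither the Goatse script Praetorian published nor AT&amp;T&#8217;s code: a simulated version of the lookup endpoint that returns the registered e-mail for whatever ICCID the client supplies, the enumeration loop that harvests it, and a hardened variant that derives the subscriber from an authenticated session instead. The ICCIDs, accounts, session table and the <code>vulnerable_lookup</code>/<code>hardened_lookup</code> functions are constructed for the example; the Luhn check digit that ICCIDs carry (ITU-T E.118) is real, and is why a harvester only has to try one in ten 20-digit values.</p>

```python
"""
Added example (not the Goatse script and not AT&T code): why a lookup
that maps a client-supplied ICCID to a subscriber e-mail is an
enumeration oracle, and what a hardened version looks like. All ICCIDs,
accounts and sessions below are constructed.
"""
from typing import Optional

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a string of decimal digits (ITU-T E.118 ICCIDs
    end in one). Doubling starts with the rightmost payload digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]

def make_iccid(payload19: str) -> str:
    """19-digit payload plus check digit = 20-digit ICCID (constructed)."""
    assert len(payload19) == 19 and payload19.isdigit()
    return payload19 + luhn_check_digit(payload19)

# Constructed subscriber table: ICCID -> e-mail given at 3G sign-up.
SUBSCRIBERS = {
    make_iccid("8901410321111111111"): "alice@example.com",
    make_iccid("8901410321111111113"): "bob@example.com",
    make_iccid("8901410321111111118"): "carol@example.com",
}

def vulnerable_lookup(iccid: str) -> Optional[str]:
    """The flaw: pre-populate the login page with the e-mail for whatever
    ICCID the request carries. No session, no rate limit, no proof the
    caller holds that SIM, so the identifier alone is the credential."""
    return SUBSCRIBERS.get(iccid)

def harvest(start_payload: int, count: int) -> dict:
    """Walk consecutive 19-digit payloads. Because the check digit is
    fixed by the payload, only one of every ten 20-digit values can be
    an ICCID, so the search space is a tenth of what it looks like."""
    found = {}
    for n in range(start_payload, start_payload + count):
        iccid = make_iccid(str(n).zfill(19))
        email = vulnerable_lookup(iccid)      # one HTTP request in practice
        if email:
            found[iccid] = email
    return found

# Constructed: session token -> ICCID that session was authenticated for.
SESSIONS = {"sess-abc": make_iccid("8901410321111111111")}

def hardened_lookup(session_token: Optional[str], claimed_iccid: str) -> Optional[str]:
    """The fix: the server derives the subscriber from an authenticated
    session and only confirms the client's claim when it matches. An
    unauthenticated or mismatched request learns nothing, so there is
    no oracle left to iterate."""
    bound = SESSIONS.get(session_token or "")
    if bound is None or bound != claimed_iccid:
        return None
    return SUBSCRIBERS.get(bound)

if __name__ == "__main__":
    print(harvest(8901410321111111110, 10))
```

<p>Run as-is, the harvester recovers all three constructed accounts from ten candidate payloads; the hardened endpoint returns nothing without a session and nothing for an ICCID the session does not own. Rate limiting would slow the same loop down but would not remove the oracle.</p>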
<p>Meanwhile, Auernheimer has taken issue with AT&amp;T&#8217;s claims that his firm acted maliciously. He says he released a semantic integer overflow exploit for Apple Safari in March, which was later patched on Apple’s desktop Safari but has not yet been fixed for the iPad.</p>
<p>&#8220;This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system,&#8221; he blogged yesterday. &#8220;We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/fbi-investigating-breach-of-ipad-customer-email-addresses-on-att-website/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>8 Things You Probably Did Not Know About the KOOBFACE Worm!</title>
		<link>http://www.andrewsayshello.com/technology/8-things-you-probably-did-not-know-about-the-koobface-worm/</link>
		<comments>http://www.andrewsayshello.com/technology/8-things-you-probably-did-not-know-about-the-koobface-worm/#comments</comments>
		<pubDate>Mon, 12 Oct 2009 12:14:51 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[koobface]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[myspace]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[social]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[website]]></category>
		<category><![CDATA[worm]]></category>
		<category><![CDATA[zombie]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=836</guid>
		<description><![CDATA[You’ve probably read or heard about KOOBFACE malware propagating through social networking sites such as Facebook, MySpace, and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still do not know some or all of these things about KOOBFACE. KOOBFACE knows: KOOBFACE has the [...]]]></description>
			<content:encoded><![CDATA[<p>You’ve probably read or heard about KOOBFACE malware propagating through social networking sites such as Facebook, MySpace, and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still do not know some or all of these things about KOOBFACE.</p>
<ol>
<li>KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot!</li>
<li>KOOBFACE doesn’t just know you through your profile information, it also knows what you look like: not only does the botnet steal profile information, it also puts a face to the name by grabbing your profile picture as well.</li>
<li>URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware.</li>
<li>KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware.</li>
<li>KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve. A packed copy bears little byte-level resemblance to the original, so a signature or file hash written for the unpacked binary no longer matches it.</li>
<li>Half of KOOBFACE infections occur in the United States: This is not surprising since the majority of social networking site users reside in the United States.</li>
<li>KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked.</li>
<li>KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented a spam-filtering mechanism where known spam URLs are blocked. KOOBFACE tries to circumvent this by first testing if a KOOBFACE spam URL is blocked by Facebook or not.</li>
</ol>
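<p>Item 5 deserves a closer look, because it is the reason two infected machines can hand out copies of the same malware that hash differently. The following is an added example written for this post, not code from any KOOBFACE analysis: it builds two constructed, minimal PE images (one with ordinary sections, one with the <code>UPX0</code>/<code>UPX1</code> section names UPX leaves behind plus a high-entropy body), then parses the section table and measures byte entropy the way a triage script would. The images are synthetic and not executable; <code>build_pe</code>, <code>triage</code> and the sample payload are this example&#8217;s own.</p>

```python
"""
Added example (not from any KOOBFACE analysis): detect a UPX-repacked
PE by its section names and entropy. The PE images are constructed
for the demo, are not executable, and carry no real malware.
"""
import hashlib
import math
import struct

SECTION_HEADER_LEN = 40  # sizeof(IMAGE_SECTION_HEADER)

def pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed body."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])

def build_pe(sections):
    """Minimal PE: DOS header with e_lfanew, PE signature, COFF header with
    SizeOfOptionalHeader=0, a section table, then the raw section bytes.
    `sections` is a list of (name, data). Real files also carry an optional
    header; pe_sections() honours SizeOfOptionalHeader, so it reads those too."""
    e_lfanew = 64
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + SECTION_HEADER_LEN * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"),
                             len(data), 0x1000, len(data), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\x00\x00" + coff + table + blobs

def pe_sections(image: bytes):
    """Parse the section table; return [(name, raw_bytes), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_len = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_len
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + i * SECTION_HEADER_LEN)
        out.append((name.rstrip(b"\x00").decode("ascii", "replace"),
                    image[raw_ptr:raw_ptr + raw_size]))
    return out

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_upx_packed(image: bytes) -> bool:
    """UPX names its sections UPX0/UPX1 by default; a build that renamed
    them still shows up through the entropy check in triage()."""
    return any(name.startswith("UPX") for name, _ in pe_sections(image))

def triage(image: bytes) -> dict:
    """What a quick-look script reports per sample."""
    secs = pe_sections(image)
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "sections": [(n, round(entropy(d), 2)) for n, d in secs],
        "upx_names": looks_upx_packed(image),
        "high_entropy_section": any(len(d) >= 256 and entropy(d) > 7.0 for _, d in secs),
    }

# Constructed samples: one plain build and one UPX-style repack of it.
PAYLOAD = b"KOOBFACE demo payload, low entropy, repeated text. " * 40
UNPACKED = build_pe([(b".text", PAYLOAD), (b".data", b"\x00" * 512)])
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", pseudo_random(b"demo", 2048)),
                   (b".rsrc", b"\x00" * 64)])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, triage(img))
```

<p>The two images report different SHA-256 hashes and the packed one is flagged on both section names and entropy. Section names are the cheap tell and the easiest one for an operator to remove; the entropy of the largest section is the one worth keeping in a pipeline.</p>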
<p>So there, some things you may not know about KOOBFACE. If you would like to read some more about KOOBFACE, check out the article over at Wikipedia <a href="http://en.wikipedia.org/wiki/Koobface" target="_blank">here</a>. So while you may not have been one of the ones to be infected by it, there is a good chance you have come across it before, either from a friend&#8217;s infected account or from some random person who happened to target you after getting infected themselves. While it isn&#8217;t the nastiest worm out there, it is definitely doing some damage, so if you get a weird link from a friend on a social networking site, play it safe and please do not click on it!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/8-things-you-probably-did-not-know-about-the-koobface-worm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tr.im Website Closing Down for Good!</title>
		<link>http://www.andrewsayshello.com/technology/tr-im-website-closing-down-for-good/</link>
		<comments>http://www.andrewsayshello.com/technology/tr-im-website-closing-down-for-good/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 04:38:34 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[bit.ly]]></category>
		<category><![CDATA[closed]]></category>
		<category><![CDATA[shortner]]></category>
		<category><![CDATA[tiny]]></category>
		<category><![CDATA[tr.im]]></category>
		<category><![CDATA[trim]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[url]]></category>
		<category><![CDATA[website]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=719</guid>
		<description><![CDATA[Before I get started with this article, I would just quickly like to apologize for the lack of updates the past few weeks on the site. I have been in the middle of moving into my new location and it seemed that  the apartment complex was still trying to get the internet all setup when [...]]]></description>
			<content:encoded><![CDATA[<p>Before I get started with this article, I would just quickly like to apologize for the lack of updates the past few weeks on the site. I have been in the middle of moving into my new location and it seemed that the apartment complex was still trying to get the internet all setup when they let me move in. But everything is back to normal now so things should resume like normal! So here we go&#8230;</p>
<p>The tr.im link shortening service was shut down by operator Nambu Network on Sunday after the company failed to find a buyer for the service.</p>
<blockquote><p>&#8220;We regret that it came to this, but all of our efforts to avoid it failed,&#8221; the company wrote on its home page. &#8220;No business we approached wanted to purchase tr.im for even a minor amount.&#8221;</p></blockquote>
<p>The tr.im service was one of a number that convert a conventional URL into a shorter alphanumeric string. When a tr.im URL is clicked, the service redirects the user to the original URL. The services are primarily designed for Twitter users, who face a 140-character limit in the messages they send, although they can be used in any application.</p>
<p>In closing down the service Nambu Network said it had approached a number of people in the Twitter development world about buying the service but &#8220;nobody wanted it in exchange for a token amount of money. No one perceived any value in it, or they wanted to operate a shortener under a differently branded domain name.&#8221;</p>
<p>Nambu was also critical of Twitter&#8217;s preference for the bit.ly link shortening service and the effect that had on business and growth potential.</p>
<blockquote><p>&#8220;There is no way for us to monetize URL shortening &#8212; users won&#8217;t pay for it &#8212; and we just can&#8217;t justify further development since Twitter has all but anointed bit.ly the market winner,&#8221; the company wrote. &#8220;Twitter has all but sapped us of any last energy to double-down and develop tr.im further. What is the point? With bit.ly the Twitter default, and with us having no inside connection to Twitter, tr.im will lose over the long-run no matter how good it may or may not be at this moment, or in the future.&#8221;</p></blockquote>
<p>URL shortening services have recently been in the spotlight because of use by criminals to trick people into visiting phishing or illicit Web sites. The shortened URLs provide no hint as to their actual destination making it easier to fool people into clicking and visiting malicious Web sites.</p>
<p>Tr.im is no longer accepting new URLs, although it said it would continue to redirect existing links until at least the end of this year. Even though there are a good number of these services out there, people always seem to have favorites and stick to the one they like best. This only means that fans of tr.im will have to look for a replacement URL shortener to take its spot.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/tr-im-website-closing-down-for-good/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Orders Spammers To Give Up $3.7 Million!</title>
		<link>http://www.andrewsayshello.com/technology/court-orders-spammers-to-give-up-3-7-million/</link>
		<comments>http://www.andrewsayshello.com/technology/court-orders-spammers-to-give-up-3-7-million/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 12:23:47 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[court]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[website]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=595</guid>
		<description><![CDATA[A U.S. district court has ordered key players in an international spam ring to give up $3.7 million they made by sending out illegal email messages pitching bogus Hoodia weight-loss products and a &#8220;human growth hormone&#8221; pill they claimed reversed the aging process. In a Federal Trade Commission (FTC) law enforcement action, the court found [...]]]></description>
			<content:encoded><![CDATA[<p>A U.S. district court has ordered key players in an international spam ring to give up $3.7 million they made by sending out illegal email messages pitching bogus Hoodia weight-loss products and a &#8220;human growth hormone&#8221; pill they claimed reversed the aging process.</p>
<p>In a Federal Trade Commission (FTC) law enforcement action, the court found that the five defendants, located in Canada and St. Kitts, violated the FTC Act and CAN-SPAM Act by participating in the spam operation. The court order bars the defendants from violating the CAN-SPAM Act and from making false or unsubstantiated claims about the health benefits of any food, drug, or dietary supplement.</p>
<p>The FTC charged that the operation used spammers to drive traffic to Websites selling an extract of the Hoodia gordonii plant it claimed would cause significant weight loss, and a &#8220;natural human growth hormone enhancer&#8221; it claimed would reverse the aging process. The FTC alleged that these claims were false or unsubstantiated, and charged the defendants with deceptive advertising in violation of federal law. It also alleged that the spammers sent e-mail that contained false &#8220;from&#8221; addresses and deceptive subject lines, and that they failed to provide a required opt-out link or physical postal address.</p>
<p>The case, filed by the FTC in October 2007, marked the first time the agency invoked the US SAFE WEB Act, a federal law designed to protect consumers from cross-border fraud and deception. The legislation enhances the agency&#8217;s ability to exchange information with foreign counterparts and helps protect consumers from cross-border spam and spyware distribution, as well as Internet fraud and deception. The FTC&#8217;s complaint charged eight defendants &#8212; Spear Systems (a U.S. company), three other corporate defendants, and four individuals.</p>
<p>The FTC settled with three defendants in the case &#8212; Spear Systems and two individuals, one in the United States and one in Australia &#8212; in May 2008. The agency was unable to reach settlements with the remaining five defendants, who are the subject of the court order announced today: Xavier Ratelle and Abaragidan Gnanendran, of Quebec, Canada; and corporate defendants 9151-1154 Quebec, Inc., 9064-9252 Quebec, Inc., and HBE, Inc. The final orders were entered by the United States District Court for the Northern District of Illinois, Eastern Division.</p>
<p>Although this seems to be a win for the good guys, the bad news is that something like this doesn&#8217;t even make a small dent in the problem of spammy emails that flood our inboxes from day to day. We can only hope for more and more of these types of cases to come up because over time, people might actually start to shy away from these methods if the penalties are too high.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/court-orders-spammers-to-give-up-3-7-million/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nineball Website Injection Attack Out In the Wild!</title>
		<link>http://www.andrewsayshello.com/technology/nineball-website-injection-attack-out-in-the-wild/</link>
		<comments>http://www.andrewsayshello.com/technology/nineball-website-injection-attack-out-in-the-wild/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 20:06:03 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[beladen]]></category>
		<category><![CDATA[gumblar]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[injection]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[nineball]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[website]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=574</guid>
		<description><![CDATA[A new injection attack that redirects users&#8217; Web search queries is in the wild, and researchers at Websense believe it may have already affected more than 40,000 sites. In a blog posted yesterday, Websense researchers indicated that more than 40,000 legitimate sites have been compromised with &#8220;obfuscated code that leads to a multilevel redirection attack, ending in [...]]]></description>
			<content:encoded><![CDATA[<p>A new injection attack that redirects users&#8217; Web search queries is in the wild, and researchers at Websense believe it may have already affected more than 40,000 sites. In a <a style="color: #000066; text-decoration: underline; font-weight: normal;" href="http://securitylabs.websense.com/content/Alerts/3421.aspx" target="new">blog</a> posted yesterday, Websense researchers indicated that more than 40,000 legitimate sites have been compromised with &#8220;obfuscated code that leads to a multilevel redirection attack, ending in a series of drive-by exploits which, if successful, install a Trojan downloader on the user&#8217;s machine.&#8221;</p>
<p>When users visit one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code, the researchers say. The final landing page records the visitor&#8217;s IP address. When the site is visited for the first time, the user is directed to the exploit payload site. But if the user returns from the same IP address, he is simply directed to the benign site of Ask.com, the researchers report. This one-time download strategy makes the redirects less obvious and harder to detect, they say. It also means that anyone re-checking a suspect site from an address that has already been served the payload will see only the harmless Ask.com redirect; a second look has to come from a different source address.</p>
<p>According to a spokesman, the labs first detected what appeared to be benign redirects embedded in compromised Web sites that sent users to Ask.com. &#8220;At that time, it seemed likely that hackers were looking to compromise as many sites as possible, getting their foot in the door before activating the campaign with a redirect to a malicious payload site,&#8221; he says. The attackers used polymorphic code to avoid detection in these early stages. Now the researchers understand that the malicious campaign actually began simultaneously with the Ask redirect, and the malicious payload site ninetoraq has been infecting users with malware.</p>
<p>Once the user&#8217;s computer has been redirected from a compromised site to ninetoraq, the site attempts multiple exploits through obfuscated code targeting vulnerabilities in MDAC, AOL SuperBuddy, Acrobat Reader, and QuickTime, the spokesman says. If it finds an open hole, it drops a malicious PDF file or a Trojan that is designed to steal the user&#8217;s information.</p>
<p>Most antivirus applications will not detect either one of these pieces of malicious code, Websense says. One of the exploits is detected by only three of the 41 most commonly used AV programs.</p>
<blockquote><p>&#8220;The obfuscation code injected into these legitimate Web sites is somewhat random, but the deobfuscation algorithm is consistent amongst all the infections,&#8221; the researchers say. &#8220;The algorithm uses the JavaScript method &#8216;String.fromCharCode&#8217; to convert a chunk of decimal values to a string. The string obtained after deobfuscation is an iFrame that eventually leads to an exploit site.&#8221;</p></blockquote>
<p>The Websense researchers say the new attack is distinct from Gumblar or Beladen, two other injection attacks that have been redirecting users&#8217; search queries in the past month. It is possible that the same hackers might be developing the different attacks, they say. So be careful when you are out there on the web, cause it seems the bad guys just keep thinking up new and more dangerous stuff everyday!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/nineball-website-injection-attack-out-in-the-wild/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mass Injection Attack Affects 40,000 Websites!</title>
		<link>http://www.andrewsayshello.com/technology/mass-injection-attack-affects-40000-websites/</link>
		<comments>http://www.andrewsayshello.com/technology/mass-injection-attack-affects-40000-websites/#comments</comments>
		<pubDate>Wed, 03 Jun 2009 02:40:01 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[beladen]]></category>
		<category><![CDATA[gumblar]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[website]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=555</guid>
		<description><![CDATA[More than 40,000 websites worldwide have fallen under the spell of a sneaky piece of attack code that silently tries to install malware on the machines of people who visit them, security experts from Websense have warned. The mass attack has been dubbed Beladen because beladen.net is one of the internet domains used to unleash a [...]]]></description>
			<content:encoded><![CDATA[<p>More than 40,000 websites worldwide have fallen under the spell of a sneaky piece of attack code that silently tries to install malware on the machines of people who visit them, security experts from Websense have warned. The mass attack has been dubbed Beladen because beladen.net is one of the internet domains used to unleash a swarm of exploits that target unpatched vulnerabilities in the Internet Explorer and Firefox browsers and programs such as Apple&#8217;s QuickTime. It plants highly obfuscated javascript at the bottom of web pages that is slightly different on every site, so there is no fixed string to search for and infected sites cannot simply be found with a search engine query.</p>
<p>The compromised websites are operated mostly by smaller businesses and government agencies, and so far security researchers have been unable to identify a common component that is being targeted. That leaves everyone guessing that the sites were penetrated by sneaking key-logging programs onto the PCs of people who maintain the sites.</p>
<blockquote><p>&#8220;It&#8217;s all that we can assume because there is no common injection amongst all these 40,000&#8221; sites, Chenette of Websense explained. &#8220;The only other possible explanation is the website owners have basically had their FTP credentials or account credentials compromised.&#8221;</p></blockquote>
<p>It remains unclear how many end users are being affected, however. Mary Landesman, a researcher at ScanSafe, said less than 0.03 percent of its customer base tried to visit a site infected by Beladen in the entire month of May. That compares with more than 37 percent of its customers trying to visit sites hit by another mass infection that goes by the name Gumblar. Like Beladen, it attempts to install malware on the PCs of people visiting affected sites.</p>
<p>But that doesn&#8217;t mean Beladen isn&#8217;t important. Beyond its demonstrated ability to sneak itself onto so many webservers, it is also notable because the attack bears the hallmarks of Russian mobsters. Before users are redirected to beladen.net, they are taken to one or more other addresses such as googleanalytlcs.net (note that &#8220;analytlcs&#8221; is spelled with an l instead of an i), which are attack sites designed to appear connected to Google Analytics.</p>
<p>Those same sites have been used in the past by the cybercriminals known as the RBN, or Russian Business Network. The group is known for producing highly sophisticated malware and offering a network of highly reliable webservers and other infrastructure used to deliver potent attacks. It has largely stayed out of the public eye since being outed in a series of articles by The Washington Post. Beladen may be a sign that the RBN is taking a more active role again.</p>
<p>Beyond that, it&#8217;s clear the attackers have taken painstaking steps to ensure the stealth of Beladen. In addition to JavaScript that is put through multiple layers of obfuscation, the attackers have also covered their tracks by shunting victims through a series of intermediary servers before arriving finally at beladen.net. In an attempt to thwart researchers, the servers check the previous site visited to make sure visitors have been referred by a compromised server. I first read about this infection Friday, when it had hit about 30,000 sites. Its ability to grow by a third in less than 72 hours is worth taking seriously.</p>
<p>Sadly, Websense has had little success reaching the owners of the compromised websites.</p>
<blockquote><p>&#8220;Half of the websites that have email addresses listed don&#8217;t respond to any security notification,&#8221; researchers from Websense said. &#8220;Many users think they can throw up a website and that&#8217;s the end of the day. They have to be more responsible in understanding that they have to protect the users of that site and the content.&#8221;</p></blockquote>
<p>Website owners who suspect they have been hacked should inspect the source code on the site&#8217;s front page. If there&#8217;s a block of strange-looking code that mysteriously showed up recently, there&#8217;s a decent chance it&#8217;s Beladen. So keep your antivirus software up-to-date, because even websites that you frequent could have been infected without anyone knowing. The only good thing about this type of infection growing is that the security companies that produce antivirus software will respond quickly and build protections into their software to keep you safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/mass-injection-attack-affects-40000-websites/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Gumblar Web Attacks Are Quickly Multiplying!</title>
		<link>http://www.andrewsayshello.com/technology/gumblar-web-attacks-are-quickly-multiplying/</link>
		<comments>http://www.andrewsayshello.com/technology/gumblar-web-attacks-are-quickly-multiplying/#comments</comments>
		<pubDate>Wed, 20 May 2009 00:47:52 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[code]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[gumblar]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[pdf]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[website]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=527</guid>
		<description><![CDATA[A new attack that peppers Google search results with malicious links is spreading quickly, the U.S. Computer Emergency Response Team warned on Monday. The attack, which has intensified in recent days, can be found on several thousand legitimate Web sites, according to security experts. It targets known flaws in Adobe&#8217;s software and uses them to install [...]]]></description>
			<content:encoded><![CDATA[<p>A new attack that peppers Google search results with malicious links is spreading quickly, the U.S. Computer Emergency Response Team warned on Monday. The attack, which has intensified in recent days, can be found on several thousand legitimate Web sites, according to security experts. It targets known flaws in Adobe&#8217;s software and uses them to install a malicious program on victims&#8217; machines, according to CERT.</p>
<p>The program then steals FTP login credentials from victims and uses that information to spread further. It also hijacks the victim&#8217;s browser, replacing Google search results with links chosen by the attackers. Security experts started tracking the attack in March, when it had infected several hundred Web sites, but in recent weeks the number of infected sites has jumped dramatically. The attack has been called Gumblar because at one point it used the Gumblar.cn domain, though on Monday it had switched to a different one.</p>
<p>Security vendor ScanSafe has counted more than 3,000 infected Web sites, up from around 800 just over a week ago. That kind of continued growth is unusual, according to senior security researchers with ScanSafe. Attackers have launched many widespread Web attacks over the past few years, but after a few months the total number of infected sites usually drops as Webmasters clean up their servers.</p>
<p>With Gumblar, more and more sites are now being infected. It is believed that it&#8217;s because Gumblar&#8217;s creators have been good at obfuscating their attack code and making it harder to spot on infected sites. And because they&#8217;ve been stealing FTP login credentials, they&#8217;ve been able to use a few new tricks to get their software onto the sites. They&#8217;re doing things like changing folder permissions … and leaving behind multiple ways that they can get back into the server which can make it difficult to clean up.</p>
<p>Still, Web attacks have become so widespread that Gumblar remains a relatively small-scale phenomenon, according to Symantec Security Response Product Manager John Harrison. Last year, Symantec counted 18 million online attacks against its customers. With Gumblar, it has counted 10,000. &#8220;It&#8217;s really just another day with drive-by downloads,&#8221; he said. &#8220;There really are so many of these.&#8221; Security experts say that if you&#8217;re using a fully-patched system with up-to-date security software, you should be protected from these attacks. To date, they&#8217;ve worked by hitting the victim with malicious PDF or Flash files.</p>
<p>For the icing on the cake, today at work while I was working on cleaning up a pretty severe malware infection, I came across this infection on the system (which was easily caught and cleaned by a couple of my scanning tools) just hours after first reading about it. This itself was enough to make me put together this article to try and let everyone know!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/gumblar-web-attacks-are-quickly-multiplying/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>FileFront Website Shutting Down Indefinitely!</title>
		<link>http://www.andrewsayshello.com/gaming/filefront-website-shutting-down-indefinitely/</link>
		<comments>http://www.andrewsayshello.com/gaming/filefront-website-shutting-down-indefinitely/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 04:11:40 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Gaming]]></category>
		<category><![CDATA[filefront]]></category>
		<category><![CDATA[hosting]]></category>
		<category><![CDATA[website]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=459</guid>
		<description><![CDATA[FileFront is probably one of the biggest websites that hosts all kinds of files related to gaming in one way or another. Sadly though it seems the economy has affected even this massive website enough that they have decided to shut their doors for good at the end of March. By taking a quick look at [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.filefront.com/" target="_blank">FileFront</a> is probably one of the biggest websites that hosts all kinds of files related to gaming in one way or another. Sadly though it seems the economy has affected even this massive website enough that they have decided to shut their doors for good at the end of March. By taking a quick look at their main page, one can see they host quite a large amount of stuff on the website:</p>
<blockquote><p>Site Statistics: Over 1.5 million files totaling 48+ TB of space</p></blockquote>
<p>Files from game demos to patches to user made videos and screenshots will be disappearing after the 30th as they will no longer be available through the website. With so many files being hosted here a lot of websites will have to find other places to host files for users to download if they want their content to be publicly available to everyone through a free service like <a href="http://www.filefront.com/" target="_blank">FileFront</a>.</p>
<p>It will be interesting to see which websites step up their hosting practices to try and take the place of <a href="http://www.filefront.com/" target="_blank">FileFront</a>&#8230; and only time will tell if any will be able to do it as well and as effectively as they did over the years that they have been in service to everyone.</p>
<p>Will they find a way to make a comeback to the community? As it looks now the chances seem pretty slim, but a lot of users are hoping they will find a way. Some are also speculating that this could be a big April Fools joke, but most agree that is not the case here.</p>
<p>Either way they were a great site to host files on completely free of charge, with me being one of the users who used the site frequently. If they are going down for good it is going to be a sad day for everyone who used them, and I would just like to thank them for all that they were able to provide everyone while they were operating as a website. Here is a <a title="FileFront Farewell" href="http://farewell.filefront.com/" target="_blank">LINK</a> to the farewell letter they put up on the site.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/gaming/filefront-website-shutting-down-indefinitely/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>