Major Secunia hijacking problemsPosted on November 26th, 2010 at 12:26 12 comments
Secunia – one of the most-respected computer security organizations, and purveyor of the Secunia PSI system checking tool – has been hacked.
A few hours ago, somebody managed to change the DNS entry for secunia.com. The DNS entry – similar to a giant Internet “phone book” number – translates the name “secunia.com” into the numbers that are used by the Internet to connect to other computers. The IP address for Secunia.com is 18.104.22.168. The DNS entry had been altered to 22.214.171.124.
Predictably, the main page for 126.96.36.199 had been defaced. Somebody calling himself TurkGuvenligi put up a sign saying “Is?ms?z Kahramanlar”: people who typed www.secunia.com into their browser address bar were greeted by that cryptic message. (Details on the SANS Internet Storm Center site .)
That’s nothing new. DNS poisoning, as it’s called, happens every day. Somebody figured out how to hijack the record at Secunia’s Domain Registrar, successfully impersonated Secunia – probably by logging on to the Domain Registrar and providing the correct incantations to access the Secunia account – and changed the DNS entry. With traffic routed to a different site, the defacement was trivial.
That isn’t the real problem. The Big Deal is that Secunia PSI, the system scanning tool, apparently connects to secunia.com. So for a couple of hours, everyone who ran Secunia PSI was bouncing off a database controlled by TurkGuvenligi. And THAT, my friends, is a big time problem.
I keep having nightmares that somebody’s going to figure out a similar way to re-route Windows Update someday. I know it can’t happen. But then again, it couldn’t happen to Secunia, could it?
12 responses to “Major Secunia hijacking problems”
>I keep having nightmares that somebodyâ€™s going to figure out a similar way to re-route Windows Update someday. I know it canâ€™t happen.
Why couldn’t it happen? The site doesn’t use SSL, so it could presumably be impersonated easily. In fact, if you’re using a locked-down version of IE, you have to turn off the requirement that trusted zone sites must be HTTPS just to get windows/microsoft update to work.
But surely Microsoft has a gazillion levels of validation, yes?
Please say yes…
Nota Bene: This article doesn’t have the oomph that it should have, because it doesn’t tell the newbs what Secunia is.. and does.
Secunia is a third-party program that scans a user’s entire PC and decides which programs require security updates…then provides those updates in an easy click-to-install list.
A hacker being able to substitute his own patches for the ones Secunia provides for those many dozens of security-sensitive programs… man, a breach like that makes my hands shake and sweat more than the half-consumed thirteenth cup of caffeinated tasty beverage next to my keyboard.
So, why’d he do it?
The DNS poisoning, JUST to show off a graffittied mock front page, seems a wasted opportunity. It’s like sneaking into the whitehouse just so you can play “fetch” with the first family’s dog.
If he’d had any sense, the hacker/cracker shoulda-woulda-coulda, during his man-in-the-middle stint, actively substitute his own “patches” instead of Secunia’s.
Sure, doing that with Windows patches would be scary. However, given the wide range of sensitive programs that Secunia patches, I don’t need to imagine a Windows patch nightmare (there’s an obvious joke to be made here about normal Redmond software patches… I… shall….resist…!) to imagine a total disaster from subsitute patches. This is something governments should know how to do to one another, during wartime.
This guy could have planted back-doors, keyloggers, botnets, and countless other malware into every PC using Secunia during those few hours. Let’s count ourselves darned lucky at the lightheartedness of the attack, and wonder why Secunia is using their domain name rather than the direct IP address numbers.
Woody: So does this mean that Secunia should not be used right now. If not, what do we have to do to with the program to stop it from automatically checking our system?
If, and when, Secunia is ok, how will we know everything’s been corrected and it’s safe to use once again.
rc primak November 27th, 2010 at 04:41
I have been in contact with Secunia’s staff over the past few months on another issue, and they conveyed some information which may make this seem a bit less scary. First, PSI uses a secure connection (https and SSL with a security Certificate which has to be validated). Second, there are other levels of validation. It is only those who come in through their browsers who may not be using a proper https with SSL connection. Third, what SANS describes isnâ€™t even the PSI login page at all.
What SANS is talking about is Secuniaâ€™s web site, which is on a different server from the PSI and OSI scanners. The PSI logins were never compromised by the looks of things in that SANS report. The details confirm that this is not the PSI login page. I have seen some information for the PSI page, and this is nowhere near the same thing.
Microsoft Update uses WGA, two other levels of authentication, and (initially) a secure login (contrary to the above comment). MS Updates does use a security Certificate, as far as I know. Only after the secure login does the page revert to an unsecured page (http). They probably shouldnâ€™t do this, but it is a reasonably secure practice. Anyway, at more than one point along the way, intruders would be caught.
While not as secure as MS Update, Secunia PSI when installed as a desktop application, does use secure logins to do its checking. It is only the online version (OSI) which is not as secure. And Secunia never said OSI was secure. SANS may not know the difference between the two versions, and they do not say in their report that this DNS hijacking ever affected OSI or PSI. Totally different servers.
Perhaps more happened than the SANS report states, but it looks like this is a non-story.
matt parker November 27th, 2010 at 04:52
it may have 1-3 pass phrases. But that’s probably it
May I quote you or Secunia on any of this?
I’d like to write it up for InfoWorld….
It was all fixed within hours of it happening. See RC Primak’s post above.
For those of us who are truly paranoid, to scan or not to scan, that is the question…. Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous malware. Or to take arms against a sea of hackers. And by opposing end them?
OK, I got carried away. Is it safe to come out from under the rock?
Sorry for my impertinence, but does RC work for Secunia? And, if there were security risks in the patches (as Sethness points out), were they only in the patch downloads, not the scanner itself?
In other words, presuming were there a risk (now fixed, as noted), could one safely use the scanner and then go to the respective download sites to get the updates?
rc primak November 29th, 2010 at 23:07
To all —
As I said above, I do not work for Secunia, but I had specific PSI-2 issues which brought me into contact with (among others) Emil Petersen at Secunia. Any “official” information I received was posted in the Secunia PSI and PSI-2 Support Forums, where I go by the rc primak screen name, just as here and in Comments at Infoworld.com. (I go by bob primak at the Windows Secrets Lounge.)
What communications I received which included specific information about the actual addresses which the Internet Explorer calls in PSI-2 use to connect to the scanner and update servers were transmitted via e-mail, and remain confidential. I am not trying to be evasive about all of this — I just do not wish to give hackers any further clues.
[...] CSI and PSI use an HTTPS secure connection with a validated security certificate, and according to RC Primak on the AskWoody blog, Secunia has assured him “there are other levels of validation.”Nobody’s released [...]
Leave a reply