
LinkedIn accounts hijacked through man in the middle attacks


June 20, 2014


It was revealed this morning that LinkedIn accounts can easily be hijacked through simple man-in-the-middle (MITM) attacks, due to a failure to promptly patch an SSL stripping vulnerability.

The security flaw is described as a zero-day vulnerability, and it allows attackers to gain full control of a user's account after the user has logged in via SSL.

Attackers could position themselves between the user and the service and replace the secure protocol with plain HTTP, gaining access to the account.

User IDs, passwords and all LinkedIn data could then be siphoned off by hackers. All users outside Europe and the United States who had not ticked the box to enable optional HTTPS beyond the login screen were vulnerable to the attack, said Zimperium CEO Zuk Avraham.
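As an added, defender-side illustration (not code from the original article or from LinkedIn), the following Python checks a post-login response's headers for the two conditions that let a stripped session keep working: no Strict-Transport-Security header to stop the browser following a downgraded http:// link, and a session cookie set without the Secure flag, so it is sent over plain HTTP. The header values and cookie names are constructed.

```python
"""Check response headers for conditions that make SSL stripping viable.

Added example; header and cookie values below are constructed, not captured.
Headers are passed as a dict with lowercase names; set-cookie is a list.
"""
from http.cookies import SimpleCookie

# Constructed post-login responses: one with optional HTTPS only, one hardened.
STRIPPABLE = {
    "set-cookie": ["session=abc123; Path=/; HttpOnly"],
}
HARDENED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
}


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 when the header is missing."""
    for part in headers.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value.strip())
    return 0


def insecure_cookies(headers):
    """Names of cookies set without Secure: a browser sends them over plain HTTP."""
    names = []
    for raw in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        names.extend(name for name, morsel in jar.items() if not morsel["secure"])
    return names


def strip_findings(headers, min_hsts=15552000):
    """Reasons a downgraded http:// session would still carry the user's login."""
    findings = []
    if hsts_max_age(headers) < min_hsts:
        findings.append("missing or short HSTS: browser follows a downgraded http:// link")
    exposed = insecure_cookies(headers)
    if exposed:
        findings.append("cookies without Secure flag: " + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("optional-https page", STRIPPABLE), ("hardened page", HARDENED)):
        print(label, strip_findings(hdrs) or ["ok"])
```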

"Through a relatively straightforward MITM attack that leverages an SSL stripping technique, hackers can steal a user’s credentials and gain full control of the user’s account," Avraham said.

"We have reached out to LinkedIn six times over the last year to bring this critical security vulnerability to their attention and have urged them to improve their network security, but more than a year after disclosing the security hole they have yet to implement a patch for this vulnerability," he added.

"When the victim types in an email and a password, it’ll be sent over the network in an unencrypted form that can be easily read by any attacker, even the most amateur ones," he stated.

Avraham used his company's hacking tool to demonstrate the attack against his own account. He said accounts could be accessed at random via the same flaw affecting LinkedIn's mobile app.

He warned that attackers could tarnish an organization's reputation by breaking into its account and changing details or sending out messages.

LinkedIn has been gradually implementing full SSL across its websites since December last year and is testing various techniques to handle mixed content and speed up page loading under tighter security arrangements, we are told.

LinkedIn did, however, provide us with the following statement about the issues raised by Zimperium: "LinkedIn is committed to protecting the security of our members. In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in the US and the EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default."

In other internet security news

Thousands of Supermicro baseboard management controllers (BMCs) continue to reveal administrator passwords in clear text after a security patch described as unsuitable was not applied by system administrators.

Overall, accessing the machines could be extremely simple for the tech savvy. Vulnerable servers would pop during a network or Shodan scan for port 49152.

Any of the roughly 3296 exposed BMCs could easily be accessed with the hardware's factory default password.

The world's worst access code, "password", would grant full access to plenty of others. Baseboard management controllers are motherboard components at the heart of the Intelligent Platform Management Interface (IPMI), which gives system administrators remote access over UDP to monitor the physical state of machines.

In 2013, H.D. Moore of Metasploit fame warned that Supermicro had a security issue. The fixes were not very effective, leaving Carinet Security Incident Response Team security engineer Zachary Wikholm stunned by the Supermicro security flaw.

"This simply means that, as of this writing, there are 31,964 systems that have their passwords available on the open market," Wikholm wrote on web host Carinet's security incident response team's blog.

The issue was also noted by Tony Carothers of the SANS Internet Storm Centre, which verified the flaw.

"The security vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152," Carothers said.

"One of our team has tested this security vulnerability, and it works very well." Admins would need to reflash their systems with a new IPMI BIOS issued by Supermicro as a fix, but this was not possible for some system admins, Wikholm said.

He offered an alternative work-around that he said did the trick for those unable to reflash.

The Shodan scan run by the site's proprietor John Matherly returned 9.8 million replies to HTTP GET requests from a scattering of devices listening on port 49152, many of which ran embedded Linux platforms and broadcast their kernel versions and hardware architectures.

Some 6.4 million of these were AT&T U-Verse web media boxes and did not leak critical data.

For the Supermicro controller subset, information on kernel versions could be matched against Shodan to help identify embedded host information.

Many of the total pool ran old Linux kernel versions: 23,380 ran kernel 2.4.31.x, 112,883 ran 2.4.30.x, and 710,046 ran 2.4.19.x.

The news follows revelations last week that 207,000 BMCs exposed to the public internet could be exploited via a handful of basic configuration and protocol weaknesses.

Worse, access to the various BMCs permitted hackers to compromise the host server as well as other BMCs within its management group which shared common passwords, the researchers said at the time.

In other internet security news

Dell said today that hackers have made a staggering US $620,000 in the Dogecoin crypto-currency system by exploiting vulnerable Synology network attached storage (NAS) servers.

The clever attackers pulled off the largest heist of its kind so far by planting mining software on the NAS servers to 'borrow' their computational power.

Several NAS models now boast powerful multi-core CPUs capable of mining such coins.

Several unpatched Synology servers were infected and continued to mine Dogecoins for the assailants, according to Dell.

It took just two months for the attackers to accrue 500 million coins worth US $620,000, Dell Secureworks researcher Pat Litke wrote in a blog post.

"To this date, this incident is the single most profitable, illegitimate mining operation," Litke wrote.

"This conclusion is based in part on prior investigations and research done by Secureworks, as well as further searching of the internet," he added.

Secureworks' analysis suggests that an experienced hacker, likely of German descent and using the alias Folio, was behind the Dogecoin mining spree, and that he could just as well have mined Bitcoins instead.

In a brazen stunt, Folio stored the mining software in a folder labelled PWNED, a move that could have foiled the scheme earlier had the forum warnings been picked up by the press.

Users first reported the attacks on web forums in February after noticing the folder and a drop in NAS performance due to the resource-intensive, non-authorized mining operation.

Worse, users remained vulnerable to a string of even more dangerous attacks, because Synology NASs had been exposed for five months to very serious security issues in the Linux-based DiskStation Manager.

These included unauthenticated remote file downloading and a command-injection security flaw.

Vulnerable servers could be found with nothing more than an advanced Google search (Google dorking) using keywords that could drop attackers right into exposed Synology NASs.

"Back in October of 2013, simply Googling for '' resulted in excess of one million results. By going to '', the user is routed directly to their NAS," Litke said.

Over time, awareness of the security flaws grew, and by March of this year the SANS Internet Storm Centre reported a huge spike in scans against port 5000, the default listening port for Synology NASs.

We approached Synology for comment, but the company had not replied as this article was published.

In other internet security news

Internet security startup company G-Data is warning its users about its discovery of malware that is already shipping preinstalled on some Chinese smartphones.

The German research firm said that it followed up on customer tips to study the Star N-9500 mobile phone.

The handsets, sold on eBay and many other online retail sites, are said to primarily be shipped out of China, and can be loosely described as a clone of the Samsung Galaxy S4.

While G-Data said that it has been unable to track down the company behind the N-9500, the security company still believes that one or more organizations are selling the smartphones new with malware bundled in.

G-Data said in its report that researchers have spotted a spyware bundle on handsets being offered for sale in Europe at costs ranging from €130 to €165.

The Android handsets were found to contain a fake copy of the Google Play application and the Uupay Android trojan installed directly in the handset's firmware.

Researchers believe that the malware performs a number of basic spyware functions such as listening in on phone and SMS conversations, reading email messages, and collecting mobile browsing information and account data.

G-Data reported that the infected handset it reviewed was uploading user information to a server in China, though the location of the person(s) actually extracting the data was not known at this time.

The report comes as Android malware continues to increase. Apple CEO Tim Cook recently gloated over a mobile security situation for Android he called a "hellstew" of malware.

Last week, researchers with Kaspersky also noted that malware writers in Russia have been repackaging their ransomware trojans to target mobile phone users in the United States.

China, which has long had a strong market for domestically produced clone hardware and devices, has also seen an underground market for attack tools and services arise in recent years.

In other internet security news

Brace yourself one more time: a new banking trojan has just been discovered. It uses browser hooking to steal data from Internet Explorer, Chrome and Firefox users.

Dubbed Dyreza, it arrives as a phishing e-mail (a lesson that's never learned well enough for the approach to fail); the message contains what purports to be a zipped document that actually drops the malware payload onto the PC, laptop or smartphone.

Danish researchers CSIS say they've identified various command-and-control servers, and were able to view money-mule accounts in Latvia associated with those servers.

CSIS also warns that the payload's code segment suggests a future attack is planned, in which the phishing e-mail will purport to be a Flash Player update.

The extra element in Dyreza is that it launches a man-in-the-middle attack to capture what users believe is encrypted traffic, and tries to defeat two-factor authentication.

An infected user's browser traffic is controlled by the attackers, writes CSIS's Peter Kruse, meaning that attackers "are able to read anything, even SSL traffic in clear text."

In that manner they will also try to circumvent 2FA. PhishMe, which calls the trojan Dyre, says the infected user will believe they're establishing SSL sessions, but the "attacker can bypass the SSL mechanism of a web page".

That's because the malware intercepts user requests and redirects them to IPs the attackers control.

Both PhishMe and CSIS believe it's a new RAT (remote access trojan) rather than another Zeus variant.

So far, CSIS has identified Bank of America, Natwest, Citibank, RBS and Ulsterbank as target institutions, but there may be more as time progresses.


Source: LinkedIn.
