Malware

Scoop’s Open Source Adserver

There has been a great deal of talk about the poor coding efforts of Wheedle.

NBR broke that story and found security holes in the site of another Trademe wannabe.

This post is about another woeful coding effort, this time from Scoop.co.nz. This has all the hallmarks of the infamous Labour Party screw up with their website but with a very real risk in this instance of someone placing malicious code within sites that are having ads served by Scoop.

To be extremely clear before I go into the story. I have not hacked or performed any hacking of Scoop or any other site. The adserver is completely open to the public and searchable via Google.

I also shared my discovery with some media so as to protect myself from accusations of hacking. You simply do not need to perform any such illegal activity as Scoop has left the door wide open and the keys in the ignition.

I was searching on Google for some details about adservers for a project I am working on and stumbled upon something that is very concerning about the set up of Scoop’s adserver. For a start, you can google it. (Image of search).

Even basic protections like creating a disallow for the folder that contains the adserver in their robots.txt have not been performed. That is not security, rather it is obscurity that at the very least would have hidden the adserver from search results.

Once you find it however, then you have unfettered administrative rights to the entire adserver:

I was able to view their entire adserver setup:

Including settings for individual ads:

Access and edit live ads:

Control which sites they would appear on:

Create new campaigns:

Place new ads:

And ad code including iframe code that would allow me, or anyone else for that matter to place malicious code within sites that Scoop delivers ads to:

This line in their source calls code into an iframe:

<iframe id="ad_50767E148AB1_SCSG" align="center" src="/xl?c=SCSG;iframeid=ad_50767E148AB1_SCSG" width="988" height="26" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" scrolling="no"></iframe>

Because the content of that iframe is editable, anyone could inject their own malicious code to distribute malware etc. You could happily play havoc without them being any the wiser.

To prove my point I have placed ads on Scoop and on The Standard…ads they really wouldn’t want on there, but I could do it nonetheless, without any hacking.

On Scoop:

On The Standard:

This is very shoddy work from Scoop Media. If I had my advertising with them I would be distinctly unhappy that they had potentially exposed my site to the risks of malicious code. If I was an advertiser I’d be more unhappy that all my campaign details are there for all to see.

One wonders what other security holes exist on Scoop’s website.

Those Israelis are cunning

via The Telegraph

It seems the Israelis have done even better than they did with their Stuxnet virus:

The world’s most complex computer virus, possessing a range of complex espionage capabilities, including the ability to secretly record conversations, has been exposed.

Middle Eastern states were targeted and Iran ordered an emergency review of official computer installations after the discovery of a new virus, known as Flame.

Experts said the massive malicious software was 20 times more powerful than other known cyber warfare programmes including the Stuxnet virus and could only have been created by a state.

It is the third cyber attack weapon targeting systems in the Middle East to be exposed in recent years.

Iran has alleged that the West and Israel are orchestrating a secret war of sabotage using cyber warfare and targeted assassinations of its scientists as part of the dispute over its nuclear programme.

Stuxnet attacked Iran’s nuclear programme in 2010, while a related programme, Duqu, named after the Star Wars villain, stole data.

Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats.

The virus was discovered by a Russian security firm that specialises in targeting malicious computer code.

It made the 20 gigabyte virus available to other researchers yesterday claiming it did not fully understand its scope and said its code was 100 times the size of the most malicious software.

Kaspersky Labs said the programme appeared to have been released five years ago and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about,” Roel Schouwenberg, a Kaspersky security senior researcher, said.

Pullar admits to hacking ACC

The ACC debacle gets murkier and murkier. In today’s Dominion Post Bronwyn Pullar, through her tame journalist, has admitted to installing malicious code at ACC in order to track her case from within.

Ms Pullar sent Dr Smith’s emailed letter to Ms Parker-Dennis on July 14. Ms Pullar forwarded the email using computer software that allows her to track each time her email has been opened and who it is subsequently forwarded to.

Ms Pullar is now demanding answers as to why her former case manager reviewed Dr Smith’s letter four times between March 13 and March 19, the day before the New Zealand Herald published details of the contents.

Ms Parker-Dennis opened the letter three times the day before the story broke, Ms Pullar said.

She believes Ms Parker-Dennis had no legitimate reason to re-read the letter, given that she was no longer her case manager, days before its contents were leaked.

People have been wondering how she got sent the ACC spreadsheet that contained the names and addresses of more than 6000 claimants. I don’t think we need to wonder too much anymore.

These types of malicious code (malware) can also allow screenshots of what is open at the time, and the logging of keystrokes, and even the surreptitious emailing of attachments. It seems Bronwyn Pullar has hacked into the ACC systems in a calculating, premeditated and malicious manner.
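The e-mail open tracking described in the Dominion Post excerpt above is usually implemented as a remote image beacon whose URL carries a per-recipient token, so every fetch of the image reports an "open" back to the sender. What follows is an added example, not code from this post or from any tracking product it mentions, that flags such beacons in an HTML e-mail so a mail gateway or client can strip them before rendering; the sample message and its hostnames are constructed for the example.

```python
"""Flag likely open-tracking beacons in an HTML e-mail body.

Added example. Assumes the common beacon design: a remote <img>, usually
tiny or hidden, whose URL carries an opaque per-recipient token.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: one ordinary hosted logo and one hidden tracking pixel.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please find the letter attached.</p>
<img src="https://mail.example.org/static/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.net/open.gif?id=7f3a9c21e0&r=2"
     width="1" height="1" style="display:none" alt="">
</body></html>
"""


class BeaconFinder(HTMLParser):
    """Collect remote <img> tags and note which beacon indicators each shows."""

    def __init__(self):
        super().__init__()
        self.images = []  # list of (src, [indicator, ...])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            return  # inline (cid:) or data: images cannot phone home
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("tiny")
        if "display:none" in (a.get("style") or "").replace(" ", ""):
            reasons.append("hidden")
        query = parse_qs(urlparse(src).query)
        if any(len(v[0]) >= 8 for v in query.values() if v):
            reasons.append("opaque-token")
        self.images.append((src, reasons))


def find_beacons(html):
    """Return remote image URLs showing at least two beacon indicators."""
    finder = BeaconFinder()
    finder.feed(html)
    return [src for src, reasons in finder.images if len(reasons) >= 2]


if __name__ == "__main__":
    for url in find_beacons(SAMPLE_EMAIL_HTML):
        print("likely tracking beacon:", url)
```

Requiring two independent indicators keeps ordinary hosted images, such as the logo in the sample, from being flagged.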

The funny part is Labour has been dying in a ditch protecting her and Michelle Boag when it is now clear from Pullar’s exposé to Phil Kitchin that she was sitting at her computer in Auckland watching their every move through a piece of malicious code:

Ms Parker-Dennis reopened Dr Smith’s letter at 12.37pm on March 13. It was the first time she had opened the document this year, Ms Pullar said. “She had no business going back into my file because if she was looking for the email containing the mass privacy breach ACC had been clearly told that was an email sent to me, not one I sent to them.”

The email tracking software Ms Pullar attached to Dr Smith’s email shows it was received by Ms Parker-Dennis on July 14 last year. Ms Parker-Dennis forwarded the email to three senior ACC managers.

The wonder is that an experienced investigative journalist has fallen into the trap of running the story of a hacker. If I were the Police investigating this case I would be serving warrants on Bronwyn Pullar and also Michelle Boag to grab their computers. Since Boag has worked very closely with Pullar it is possible that they used the same type of malicious code to try and set up Judith Collins.