Compromised GlobalTrust database is published online

In the aftermath of last month's successful attacks against three of Comodo's affiliate Registration Authorities, Cryptome has just published a database purportedly belonging to GlobalTrust and InstantSSL. It is likely that the database was obtained during last month's security breach, where an Iranian attacker caused fraudulent certificates to be issued for several high-value domains including www.google.com. Many GlobalTrust websites were subsequently taken offline for forensic investigation.

GlobalTrust.it is still up and running, but it appears that InstantSSL.it has quickly been taken down again, possibly to defend it against any unauthorised access which may result from this latest leak. The site currently responds with a 403 Forbidden message.

The ComodoHacker stated via Twitter that the comodo-db.rar file on cryptome.org contains the "entire database of GlobalTrust and InstantSSL Italy". ComodoHacker proved his involvement in last month's attack by publishing the private key for one of the fraudulently issued certificates, so it is likely that this file does indeed contain the compromised database.

LiveJournal under DDoS attack

LiveJournal has been knocked offline by another DDoS (distributed denial of service) attack, less than a week after a separate sustained attack caused the site to go down for several hours. In response to last week's attack, LiveJournal upgraded their servers to make the site run faster; however, this does not appear to have prevented the current attack from succeeding.

Svetlana Ivannikova, Head of LiveJournal Russia, confirmed that the current outage was caused by another DDoS attack: "We can confirm that the service has not been working correctly for the last hour due to another DDoS attack on LiveJournal. Administrators are aware of the problem and trying to identify the source and target of the attack". No further details were given at this time.

The attack which caused last week's outage apparently began on 24th March, but LiveJournal largely withstood the attack until it was ramped up on 30th March. LiveJournal maintenance said, "Turns out we upset our attackers and they started hitting us 10x harder".

Both www.livejournal.com and news.livejournal.com were still inaccessible at the time of publication.

Xbox LIVE director’s account hijacked over bans

The Director of Policy and Enforcement for Xbox LIVE, Stephen Toulouse, had his Xbox LIVE account hijacked yesterday. The attacker purportedly used social engineering to convince Network Solutions to transfer DNS control of Toulouse's stepto.com domain name, allowing the attacker to receive any email sent to that domain. The attacker most likely used this to reset Toulouse's Xbox LIVE password and gain unauthorised access to his account, where he goes by the gamertag of Stepto.

The excited attacker subsequently uploaded footage of the hijack to YouTube, where he changed Stepto's motto from "Behave" to "Jacked by Predator". The attacker also advertised his account hijacking services in Stepto's bio, offering his AOL Instant Messenger contact details and payment methods. In his description of the video, Predator proudly boasts "ANY ACCOUNT $100 - $250 PayPal or AlertPay!!".

Predator revealed that the attack was carried out in revenge for being banned from using Xbox LIVE. During the video, he appears to hold Stephen Toulouse personally responsible for this: "Stepto, this is for console banning me over 35 times. You had it coming, man. Like, I'm tired of getting the console ban; now let's see what I can do to your account."

Proud of hijacking the Director's account, Predator ends his video's description with "I rest my name as Xbox Live's greatest account jacker."

Predator later uploaded a second video, noting that Stepto's account had been locked out. Toulouse regained control of his email and his domain's nameserver settings several hours after the attack, and his Xbox LIVE profile now looks to be restored.

False alarm over Samsung keylogger

Recent reports that "Samsung installs keylogger on its laptop computers" are likely to have been a false alarm, caused by a directory named C:\WINDOWS\SL being found on the newly purchased Samsung laptops. The mere existence of this folder causes some anti-virus software to incorrectly report the presence of the commercial Starlogger keylogging software, even if the software is not actually installed.

The Samsung Tomorrow website states that any claims of a keylogger on R525 and R540 laptops are false, pointing out that Microsoft's Live Application multi-language support legitimately creates this folder. Netcraft tested this by creating an empty C:\WINDOWS\SL folder on a malware-free Windows computer. VIPRE Antivirus Premium subsequently reported an elevated risk, claiming that the commercial Starlogger software had been found.
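A small illustration of the false-positive mechanism described above, added here as an example (it is not Netcraft's test procedure nor any anti-virus vendor's real signature): a rule that fires on the mere existence of WINDOWS\SL trips on an empty folder, while a rule that also checks file contents does not. The payload, the hash list and the file name `sl.exe` are constructed placeholders.

```python
# Added example (not from the article): a path-only anti-virus rule that
# misfires on an empty C:\WINDOWS\SL folder, beside a content-aware rule.
# Assumption: the naive rule is modelled as "WINDOWS\SL exists"; the
# stricter one also needs a file in SL matching a known-bad SHA-256.
import hashlib
import os
import tempfile

# Constructed placeholder payload and hash so the example runs offline;
# this is NOT a real Starlogger indicator.
FAKE_PAYLOAD = b"constructed-fake-keylogger-binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(FAKE_PAYLOAD).hexdigest()}


def path_only_rule(windows_dir: str) -> bool:
    """Naive rule: flag whenever the SL folder exists (false-positive prone)."""
    return os.path.isdir(os.path.join(windows_dir, "SL"))


def content_aware_rule(windows_dir: str) -> bool:
    """Stricter rule: flag only if a file inside SL matches a known-bad hash."""
    sl_dir = os.path.join(windows_dir, "SL")
    if not os.path.isdir(sl_dir):
        return False
    for name in os.listdir(sl_dir):
        path = os.path.join(sl_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() in KNOWN_BAD_SHA256:
                    return True
    return False


def evaluate(populate: bool) -> dict:
    """Build a throwaway WINDOWS\\SL tree (empty, or holding the fake
    payload) and return both rules' verdicts for it."""
    with tempfile.TemporaryDirectory() as tmp:
        windows_dir = os.path.join(tmp, "WINDOWS")
        os.makedirs(os.path.join(windows_dir, "SL"))
        if populate:
            with open(os.path.join(windows_dir, "SL", "sl.exe"), "wb") as fh:
                fh.write(FAKE_PAYLOAD)
        return {"path_only": path_only_rule(windows_dir),
                "content_aware": content_aware_rule(windows_dir)}


if __name__ == "__main__":
    # Mirrors the empty-folder test: the naive rule fires, the stricter one does not.
    print("empty SL folder:", evaluate(populate=False))
    print("SL with fake payload:", evaluate(populate=True))
```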

F-Secure's Chief Research Officer, Mikko Hypponen, was one of several security experts who found the original keylogging reports hard to believe. He solved the mystery for himself by going to a local computer shop and checking a range of Samsung laptops, none of which were running any keyloggers.

Two further Comodo RA accounts compromised

In a newsgroup posting by Robin Alden, CTO of Comodo, it has been confirmed that two further SSL Registration Authority (RA) accounts have been compromised since the original attack against GlobalTrust. Alden wrote: "Two further RA accounts have since been compromised and had RA privileges withdrawn. No further mis-issued certificates have resulted from those compromises."

It is not yet known which other RAs were compromised, or to what degree. In his latest Pastebin message, the Iranian ComodoHacker appears to claim responsibility for these other attacks:

"From listed resellers of Comodo, I owned 3 of them, not only Italian one, but I interested more in Italian brach because they had too many codes, works, domains, (globaltrust, cybertech, instantssl, etc.) so I thought they are more tied with Comodo."

According to an earlier message from ComodoHacker, the Italian attack was carried out by exploiting an SQL injection vulnerability on InstantSSL.it. The attacker subsequently escalated his privileges and caused the fraudulent certificates to be issued. The ComodoHacker unarguably proved his involvement in this attack by publishing a private key which corresponded to the fraudulently issued certificate for addons.mozilla.org. This private key has since been removed.

Both GlobalTrust.it and InstantSSL.it were shut down after the attack, but are now back online, offering a range of SSL certificates for sale.

Faulty switch sends BBC offline

The whole of the BBC's public-facing network disappeared from the internet late last night. Although the outage only lasted for around an hour, the unavailability of popular sites such as BBC News and iPlayer caused an eruption of comments and complaints on Twitter and other social networking sites.

Tony Ageh, the Controller of BBC Archives, broke more than 4 months of silence on Twitter to express his frustration. Fellow employee Mo McRoberts responded, saying that "somebody responsible for our routers did something very silly indeed. took out the whole lot." He later confirmed that the outage was not caused by a denial of service (DoS) attack. (McRoberts' tweets are his own, and not necessarily those of his employer).

The BBC's technology correspondent, Rory Cellan-Jones, summarised the widespread impact: "Love the terse bulletin on last night's BBC web failure. Cause of issue: faulty switch. Services impacted: Everything.."

The BBC News website suffered similar outages back in 2007 when a routine software deployment caused some unforeseen performance issues.