Facebook chat phishing attack impersonates Facebook security team: DHS Open Source Infrastructure Report Jan 18th
By Kelli Tarala | January 18, 2012
A new phishing attack spreading through Facebook chat modifies hijacked accounts to impersonate the social network’s security team. The attackers replace the profile picture of compromised accounts with the Facebook logo and change their names to a variation of “Facebook Security” written with special Unicode characters, said a Kaspersky Lab expert. Facebook claims changing the profile name can take up to 24 hours and is subject to confirmation. However, in the expert’s tests the change occurred almost instantly and required only the password. This was also confirmed by a victim whose profile name was modified within 5 minutes of their account being compromised, he said. After the victim’s profile name and picture get changed, the attackers send out a chat message to all of their contacts informing them their accounts will be suspended unless they re-confirm their information. The rogue messages appear to be signed by “The Facebook Team” and contain a link to a phishing page hosted on an external domain. The Web page mimics Facebook’s design and asks for name, e-mail, password, security question, country, birth date, and other information needed to hijack the account. However, the attack does not stop there. According to the expert, a second form asks users for their credit card details and billing address. This is unusual for Facebook phishing attacks, the majority of which target only social networking account information.
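The impersonation trick above depends on a display name that looks like "Facebook Security" without being that string. The following added example (written for this page, not code from Facebook or Kaspersky) shows how a platform-side name check can collapse such variants onto a reserved name: NFKC normalization folds fullwidth letters, a confusables map folds look-alike letters from other scripts, zero-width characters are dropped, and case and spacing are ignored. The sample names and the small confusables map are constructed for illustration; a real deployment would load the full Unicode confusables table (UTS #39).

```python
import unicodedata

# Constructed sample display names (not data from the report above). The last
# three mimic "Facebook Security" with a fullwidth letter, Cyrillic look-alikes
# and a zero-width space; the first is an ordinary user name.
SAMPLE_NAMES = [
    "Alice Example",
    "Facebook Security",             # the reserved name itself
    "\uff26acebook Security",        # fullwidth F (U+FF26)
    "F\u0430cebook \u0405ecurity",   # Cyrillic a (U+0430) and Dze (U+0405)
    "Facebook\u200bSecurity",        # zero-width space (U+200B) instead of a space
]

# Names only the platform's own staff should be allowed to display, stored in
# skeleton form (see skeleton()).
RESERVED = {"facebooksecurity", "thefacebookteam"}

# Hand-picked look-alike map for the Cyrillic letters used above. A production
# check would load the full Unicode confusables table (UTS #39) instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0405": "S", "\u041e": "O",
}


def skeleton(name: str) -> str:
    """Reduce a display name to a comparison key.

    NFKC folds compatibility forms such as fullwidth letters to ASCII, the
    confusables map folds look-alike letters from other scripts, format
    characters (category Cf, e.g. zero-width spaces) are dropped, and case
    and whitespace are removed so that spacing tricks do not help either.
    """
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    folded = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return "".join(folded.casefold().split())


def impersonates_reserved(name: str) -> bool:
    """True if the name collapses onto a reserved staff or security-team name."""
    return skeleton(name) in RESERVED


def review_names(names) -> list:
    """Return the names that should be blocked or sent for manual review."""
    return [name for name in names if impersonates_reserved(name)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:36} -> {skeleton(name)!r:20} flagged={impersonates_reserved(name)}")
```

The check is deliberately one-directional: it is cheap to apply at the moment a name change is submitted, which is exactly where the report says the real-world control was missing (the change went through instantly with only the password).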
Full Story:
http://www.computerworld.com/s/article/9223432/
Israel rattled as hackers hit bourse, banks, El Al
Hackers disrupted online access to the Tel Aviv Stock Exchange (TASE), El Al Airlines, and three banks January 16 in what the government described as a cyber-offensive against Israel. The attacks came just days after an unidentified hacker, proclaiming Palestinian sympathies, posted the details of thousands of Israeli credit card holders and other personal information on the Internet in a mass theft. Stock trading and El Al flights operated normally despite the disruption, which occurred as Israeli media reported pro-Palestinian hackers had threatened to shut down the TASE stock exchange and airline Web sites. While apparently confined to areas causing only limited inconvenience, the attacks caused particular alarm in a country that depends on high-tech systems for much of its defense against hostile neighbors. Officials insisted, however, that they pose no immediate security threat. The First International Bank of Israel (FIBI) and two subsidiary banks, Massad and Otzar Hahayal, said their marketing sites had been hacked but that sites providing online services to clients were unaffected. Israel’s third-largest bank, Discount, said it had been spared attack, but that it was temporarily shutting down foreign access to its Web site as a precaution. The Tel Aviv bourse Web site could only be accessed intermittently, but screen-based trading was not hit. There was no claim of responsibility for the incidents.
Full Story:
http://www.reuters.com/article/2012/01/16/israel-hackers-idUSL6E8CG26X20120116
Altamonte Springs man convicted of bank fraud
A U.S. attorney announced January 13 that a federal jury in Florida on January 11 found a man guilty of one count of conspiracy to commit bank fraud, six counts of bank fraud, and one count of making a false statement. He faces a maximum penalty of 30 years in prison. According to evidence, the members of the conspiracy set up bank accounts over the Internet using stolen identities. Those accounts were then funded by unauthorized wire transfers made from accounts at other banks. Before the banks could detect the scheme, the conspirators sent the fraud proceeds to accounts in central Florida either by wire transfer or by a check that would be deposited. The defendant participated in the scheme by withdrawing some of the fraud proceeds into a central Florida bank account. He also recruited other individuals in central Florida to provide their bank accounts for receipt of the proceeds from the scheme. After funds were transferred to those accounts, he took the individuals he recruited to multiple bank locations and, over the course of several days, supervised them in the withdrawal of thousands of dollars in fraudulent proceeds. The six bank fraud counts represent more than $396,000 in fraudulent transactions. Two men connected to the scheme have each pled guilty to one count of conspiracy to commit wire and bank fraud, and one count of aggravated identity theft.
Full Story:
http://www.justice.gov/usao/flm/press/2012/jan/2012011_Prophete.html
San Francisco college exposed to hackers since 1999
City College of San Francisco staff members noticed computers found in a lab were infected with a computer virus. A thorough investigation found the institution’s networks were plagued with malicious software from more than a decade ago, Softpedia reported January 14. Originating from countries such as Russia, Iran, the United States, and China, the malware was harvesting sensitive information and sending it to people who controlled the viruses, the San Francisco Chronicle reported. City college’s CTO shut down the first lab that was found to be infected, but he soon realized the problem was much more serious than initially believed, some of the threats being present since 1999. While some of the data collected by the malicious software was unimportant, such as lesson plans, other information that the viruses could have accessed represented sensitive information, such as banking information.
Full Story:
http://news.softpedia.com/news/San-Francisco-College-Exposed-to-Hackers-Since-1999-246558.shtml
Apache Tomcat developers advise updates to avoid DoS
The Apache Tomcat developers are advising users of the 7.0.x, 6.0.x, and 5.5.x branches of the Java servlet and JSP container to update to the latest released versions 7.0.23, 6.0.35, and 5.5.35. Recent investigations revealed inefficiencies in how large numbers of parameters and parameter values were handled by Tomcat. Analysis of the recent hash collision denial-of-service vulnerability allowed the developers to identify “unrelated inefficiencies” which could be exploited by a specially crafted request, causing large amounts of CPU to be consumed. To address the issue, the developers modified the code to efficiently process large numbers of parameters and values.
Full Story:
http://www.h-online.com/security/news/item/Apache-Tomcat-developers-advise-updates-to-avoid-DoS-1414580.html
Critical hole in McAfee products still open after more than 180 days
Zero Day Initiative (ZDI) released information on a security problem in McAfee’s Security-as-a-Service (SaaS) products. The vulnerability broker said it told McAfee about the hole in April 2011, and it has now decided to publicly release the information because the vendor still has not provided a patch. The flaw is contained in the myCIOScn.dll library. In this library, the MyCioScan.Scan.ShowReport() method insufficiently filters user input and executes embedded commands within the context of the browser. The flaw can be exploited when a user opens a specially crafted file or Web page. ZDI rates the issue as very severe and has given it a CVSS score of 9 (maximum severity is 10). ZDI’s advisory does not state exactly which products are affected. McAfee’s range of SaaS products includes “SaaS Email Encryption” for encrypting e-mails, and “Vulnerability Assessment SaaS,” which checks software for potential vulnerabilities.
Linux developers fix a homemade network problem
Linux kernels 3.0.17, 3.1.9, and 3.2.1 fix a problem with the handling of IGMP packets that was introduced with updates in Linux 2.6.36. An IGMPv3 protocol packet being processed soon after the processing of an IGMPv2 packet could lead to a system crash caused by a kernel panic. On January 6, a researcher reported strange crashes of his Linux notebook in the Debian bug database. A Debian developer found the problem was caused by a division by 0 that can occur with IGMP packets that have a Maximum Response Time of 0. As a result, Linux systems running a kernel version from 2.6.36 or later, up until the patched versions, can be crashed remotely using certain IGMP packets if a program has registered to receive multicast packets from the network. Typical examples of such programs include the avahi mDNS server or media players, such as VLC, that support RTP. Active attacks should technically only be possible within local networks, because IGMP broadcasts are usually not routed beyond network boundaries. However, the Debian developer pointed out that particular unicast packets may serve for attacks via the Internet unless they are blocked by a firewall. Now that a fix has been released, distributors should soon offer updated kernel packages that no longer contain the vulnerability.
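The failure mode described above (a query whose Maximum Response Time decodes to 0 feeding a modulo or division) is easy to reproduce in a model. The following added example is not the kernel's code; it is a simplified Python model, written for this page, of how an IGMP query's Max Resp Code is decoded per version and how a random report delay derived from it fails when the decoded value is 0. The two packets are constructed by hand (checksums left as zero, not verified), and the "unsafe" and "safe" functions stand in for the pre-fix and clamped logic respectively; the exact kernel internals are not reproduced.

```python
import random
import struct

IGMP_MEMBERSHIP_QUERY = 0x11
# v1 queries carry no response-time field; RFC 2236 uses a 10 s default (tenths of a second here).
IGMP_V1_DEFAULT_MAX_RESP = 100


def decode_max_resp_code(code: int, version: int) -> int:
    """Maximum response time in tenths of a second for an IGMP query.

    v1: fixed default. v2: the byte is the value. v3 (RFC 3376 section 4.1.1):
    below 128 the byte is the value, otherwise a floating-point form
    (mant | 0x10) << (exp + 3).
    """
    if version == 1:
        return IGMP_V1_DEFAULT_MAX_RESP
    if version == 2 or code < 128:
        return code
    mant = code & 0x0F
    exp = (code >> 4) & 0x07
    return (mant | 0x10) << (exp + 3)


def parse_query(packet: bytes) -> dict:
    """Parse the fixed IGMP header and classify the query version by length and code.
    The checksum is not verified here (simplification for the model)."""
    if len(packet) < 8:
        raise ValueError("short IGMP packet")
    igmp_type, code, _checksum, group = struct.unpack("!BBH4s", packet[:8])
    if igmp_type != IGMP_MEMBERSHIP_QUERY:
        raise ValueError("not a membership query")
    if len(packet) >= 12:        # v3 queries add Resv/S/QRV, QQIC and a source list
        version = 3
    elif code == 0:              # an 8-byte query with code 0 is a v1 query
        version = 1
    else:
        version = 2
    return {"version": version, "code": code, "group": ".".join(str(b) for b in group)}


def report_delay_unsafe(query: dict, rng=random) -> int:
    """Model of the pre-fix logic: pick a random report delay below max_delay.
    A v3 query with Max Resp Code 0 yields max_delay == 0 and the modulo fails
    (in the kernel: a divide-by-zero panic; here: ZeroDivisionError)."""
    max_delay = decode_max_resp_code(query["code"], query["version"])
    return rng.randrange(2 ** 32) % max_delay


def report_delay_safe(query: dict, rng=random) -> int:
    """Same computation with max_delay clamped to at least one tick."""
    max_delay = max(1, decode_max_resp_code(query["code"], query["version"]))
    return rng.randrange(2 ** 32) % max_delay


def would_panic(packet: bytes) -> bool:
    """True if the unsafe path fails on this packet."""
    try:
        report_delay_unsafe(parse_query(packet))
    except ZeroDivisionError:
        return True
    return False


# Constructed packets (checksum zero): a v2 general query with a 10 s max response
# time, and a v3 general query whose Max Resp Code is 0.
V2_QUERY = bytes([0x11, 100, 0x00, 0x00, 0, 0, 0, 0])
V3_QUERY_MRC0 = bytes([0x11, 0, 0x00, 0x00, 0, 0, 0, 0,
                       0x02, 125, 0x00, 0x00])   # S/QRV = 2, QQIC = 125 s, 0 sources

if __name__ == "__main__":
    for label, pkt in (("v2", V2_QUERY), ("v3 MRC=0", V3_QUERY_MRC0)):
        print(label, parse_query(pkt), "panics:", would_panic(pkt))
```

The practical lesson for anyone writing a protocol handler is the clamp in report_delay_safe: any timer or divisor derived from an attacker-controlled field needs a floor before it is used.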
Full Story:
http://www.h-online.com/security/news/item/Linux-developers-fix-a-homemade-network-problem-1414033.html
Open Automation Software plugs DoS flaw in ICS application
Open Automation Software issued a patch for a vulnerability in its OPC Systems.NET industrial control system application that could be used for a denial of service attack. The vulnerability is remotely exploitable by sending a malformed .NET remote procedure call packet to port 58723/TCP to cause a denial of service, explained the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an advisory. All versions of OPC Systems.NET prior to version 5.0 are affected. There are public exploits that target this vulnerability, which requires a moderate skill level to exploit, the advisory said. OPC Systems.NET is a human-machine interface application deployed across several sectors, including manufacturing, information technology, energy, water and wastewater, defense, and others. A researcher publicly reported the vulnerability in OPC Systems.NET along with proof-of-concept exploit code. This report was released without coordination with Open Automation Software, ICS-CERT, or any other coordinating entity known to ICS-CERT, the advisory noted. ICS-CERT worked with Open Automation Software to fix the security hole, a fix which the researcher confirmed is effective, the advisory said.
Full Story:
http://www.infosecurity-magazine.com/view/23217/
Popular live-blogging site says data files were breached
CoveritLive, a popular, Web-based live-blogging program used worldwide, said January 13 it discovered “certain proprietary data files” of its users “were accessed without authorization,” but “no financial account information has been compromised. We have not yet determined if, or to what extent, CoveritLive account information (i.e., user names, email addresses and/or passwords) was accessed,” Demand Media, which bought CoveritLive in 2011, said in an e-mail to its users. Those users include bloggers, journalists, and mainstream media organizations, including msnbc.com, FoxNews.com, ESPN, and the BBC. Many people use CoveritLive’s free services, but there are premium accounts. Live-blogged events hosted by CoveritLive draw more than 60 million people every month, the company says, 60 percent of whom are from outside the United States. CoveritLive said the files were breached “starting on or about” January 7, and an investigation is “ongoing.” In the meantime, as a “precautionary measure,” all users were asked to re-set their passwords January 14.
Smashing the Linux heap
A researcher found there is a heap allocator in the Linux kernel that is extremely exploitable. The security consultant at Virtual Security Research, who does work on Linux kernel research, investigated heap allocators in the operating system’s kernel. There are three main allocators: SLUB, SLAB, and SLOB. The researcher focused on SLOB, mainly because there has not been as much research done on it. In a talk at the Infiltrate conference, the researcher said he found virtually nothing in the way of methods to mitigate exploit attempts. SLOB is mainly used in embedded systems, favored there because of its small footprint, he said. Any given system will only have one allocator, and SLOB is used in Linux systems on many routers and switches and also in some firmware systems. In his talk, he presented several possible overflow scenarios that could be exploitable, ranging from the simple to the highly complex.
Full Story:
http://threatpost.com/en_us/blogs/smashing-linux-heap-011312
T-Mobile USA hacked
A group of hackers that goes by the name “TeaMp0isoN” claims to have obtained access credentials belonging to staff at US Deutsche Telekom subsidiary T-Mobile USA, H Security reported January 17. To back up their claim, the hackers posted data to the Pastebin anonymous text hosting service. One member of the group told Softpedia the hack involved exploiting SQL injection vulnerabilities on the t-mobile.com and newsroom.t-mobile.com Web sites. According to T-Mobile, the problem was limited to the T-Mobile USA newsroom. This would limit the scale of any problems arising as a result; the intruders may be able to publish fake press releases. Based on the information provided, private customer data was never at risk. Most of the passwords consist of a simple six-digit number composed of a three-digit number repeated, such as “112112.” T-Mobile USA said it has now fixed the vulnerabilities.
Full Story:
http://www.h-online.com/security/news/item/T-Mobile-USA-hacked-1414307.html
Federal body concludes LightSquared can’t work with GPS
A key federal agency involved in testing the proposed LightSquared Long-Term Evolution (LTE) network has concluded there is no practical way to solve interference between that network and the Global Positioning System (GPS), possibly dealing a crippling blow to the startup carrier’s hopes for a terrestrial mobile network. In a memo released January 13, the National Space-Based Positioning, Navigation, and Timing Executive Committee (PNT ExComm) said the nine federal agencies that make up the body had concluded unanimously that none of LightSquared’s proposals would overcome significant interference with GPS. LightSquared in 2010 received a waiver from the Federal Communications Commission (FCC) allowing it to operate a terrestrial LTE network on frequencies that have until now been devoted to much weaker satellite signals. The PNT ExComm has been involved in testing and results analysis at the request of the FCC and the National Telecommunications and Information Administration (NTIA). Both the original and modified proposals by LightSquared would cause harmful interference to many GPS receivers, the PNT ExComm chairs said in the memo. The agency also said a Federal Aviation Administration analysis had concluded the network would be incompatible with aircraft safety systems.
Full Story:
http://www.computerworld.com/s/article/9223447/
Hackers zap Zappos
Info from 24 million users stolen. Popular online shoe retailer Zappos.com said January 15 that hackers accessed its network and stole account information from as many as 24 million customers. Credit card information was not stolen, the company CEO said in a statement sent to users, but e-mail addresses, billing, and shipping addresses, phone numbers, the last four digits from credit cards — and more — may have been compromised. The company said it already reset the passwords for existing customers to prevent abuse of the stolen data.
Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_011812.pdf
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.
Topics: DHS Infrastructure Reports
Reddit going dark to protest SOPA: DHS Open Source Infrastructure Report Jan 12th
By Kelli Tarala | January 12, 2012
Reddit, in protest of the proposed Stop Online Piracy Act (SOPA), will be shutting down normal operations January 18 from 8 a.m. to 8 p.m. Eastern Time. During that window, visitors to the site will find a message about the SOPA and its sister bill in the U.S. Senate, the Protect IP Act (PIPA). There will also be links that will provide more information about the two bills and suggestions on how to take action against SOPA and PIPA. The Reddit community has been very active and outspoken in its opposition to SOPA. Redditors have created anti-SOPA Web sites and mobile apps, campaigned against elected officials they perceived to be pro-SOPA, and they posted and discussed any article related to SOPA they could find. The Reddit team, invited all users to leave suggestions on what to do with the site during the SOPA blackout.
Full Story:
http://mashable.com/2012/01/10/reddit-sopa/
Man gets year in prison for hacking, wiping medical competitor’s computer
An Atlanta man has been sentenced to serve a year and a month in prison for hacking into a competing medical practice’s computer to lure away patients. According to prosecutors he was an information technology specialist who worked for Atlanta Perinatal Associates, a medical practice in Atlanta. He left that company in November 2009 and went to work for a competing perinatal medical practice in the same building. In April 2010, he used his home computer to hack into his former employer’s patient database. He downloaded the names, phone numbers, and addresses of its patients, and then deleted the information from his former employer’s system. He then used the data to launch a direct-mail marketing campaign to benefit his new employer. There is no evidence he downloaded or misused specific patient medical information, prosecutors said.
Full Story:
http://www.ajc.com/news/atlanta/man-gets-a-year-1298348.html
U.S. authorities probe U.S.-China commission e-mail hack
U.S. authorities are investigating allegations an Indian government spy unit hacked into e-mails of an official U.S. commission that monitors economic and security relations between the United States and China, including cyber-security issues, Reuters reported January 10. The request for an investigation came after hackers posted on the Internet what purports to be an Indian military intelligence document on cyber-spying, which discusses plans to target the commission — apparently using technical know-how provided by Western mobile phone manufacturers. Appended to the document are transcripts of what are said to be e-mail exchanges among commission members. “We are aware of these reports and have contacted relevant authorities to investigate the matter. We are unable to make further comments at this time,” said a spokesman for the U.S.-China Economic and Security Review Commission. The document’s authenticity could not be independently verified. However, the U.S.-China commission is not denying the authenticity of the e-mails.
Full Story:
http://www.reuters.com/article/2012/01/10/us-usa-india-hacking-idUSTRE80828N20120110
Phishing emails from spoofed US-CERT addresses
The U.S. Computer Emergency Readiness Team (US-CERT) has issued a public warning about a phishing e-mail campaign using spoofed US-CERT e-mail addresses. “The subject of the phishing email is: ‘Phishing incident report call number: PH000000XXXXXXX’ containing an attachment titled ‘US-CERT Operation Center Report XXXXXXX.zip’, with the ‘X’ possibly indicting a random value or string,” US-CERT explained on its site. “The zip attachment contains an executable file with the name ‘US-CERT Operation CENTER Reports.eml.exe’. Reports indicate that SOC@US-CERT(dot)GOV is the primary email address being spoofed but other invalid email addresses are being used.” According to the organization, the e-mail was sent to employees of many private sector organizations and of federal, state, and local governments during the last few days. The attached executable is a yet unspecified type of malware. US-CERT advises users not to download and run the attachment or even open the e-mail in question, but to delete it.
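The warning gives enough detail to write a mail-gateway triage rule for this campaign: a subject of the quoted form, a zip attachment, and inside it an executable with a document-looking double extension (“.eml.exe”). The following added example is not US-CERT's code; it is a Python script written for this page that builds a constructed lookalike message (the sender, recipient and file contents are made up; the attachment name follows the warning), then inspects it with the standard library's email and zipfile modules. The extension lists are assumptions a deployment would tune.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".eml", ".pdf", ".doc", ".docx", ".xls", ".txt", ".htm", ".html"}
# Subject pattern quoted in the US-CERT warning above.
SUBJECT_RE = re.compile(r"Phishing incident report call number:\s*PH\d+", re.I)


def build_sample_message() -> bytes:
    """Constructed lookalike of the campaign (not a real capture): a zip attachment
    holding a fake executable with the double extension the warning describes."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("US-CERT Operation CENTER Reports.eml.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "SOC@US-CERT.GOV"          # spoofed display sender
    msg["To"] = "employee@example.org"
    msg["Subject"] = "Phishing incident report call number: PH0000001234567"
    msg.set_content("Please review the attached incident report.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="US-CERT Operation Center Report 1234567.zip")
    return msg.as_bytes()


def classify_filename(name: str) -> str:
    """Return a verdict for an attachment or archive member name, or '' if benign."""
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return ""
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return "executable disguised as document (double extension)"
    return "executable attachment"


def triage(raw: bytes) -> list:
    """Findings for one message: subject pattern plus executables inside attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    if SUBJECT_RE.search(msg["Subject"] or ""):
        findings.append("subject matches the US-CERT spoofing campaign")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"PK") and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    verdict = classify_filename(member)
                    if verdict:
                        findings.append(f"{fname} -> {member}: {verdict}")
        else:
            verdict = classify_filename(fname)
            if verdict:
                findings.append(f"{fname}: {verdict}")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print(finding)
```

Note that the sender address is not used as a signal: a From header is trivially spoofed, as this campaign shows, and the page offers no envelope or authentication data to check against, so the attachment content is the reliable indicator.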
Full Story:
http://www.net-security.org/malware_news.php?id=1958
Latest Snort provides alarm for industrial control systems
Version 2.9.2 of the open source network intrusion detection system Snort has been released with new preprocessors that add support for protocols used in industrial control systems. The additional functionality should allow Snort to detect targeted attacks on networked supervisory control and data acquisition (SCADA) systems. The two protocols implemented to date, DNP3 and Modbus, are industry standards. The addition of SCADA protocols to Snort is in part due to the presence of significant vulnerabilities in such systems. The development team is looking to implement further SCADA protocols and is seeking development and testing support. The exploit framework Metasploit added SCADA vulnerability detection in August 2011.
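What a protocol preprocessor buys a detection engine is the ability to write rules against decoded fields (function code, unit id) instead of raw bytes. The following added example is not Snort's code; it is a Python decoder for Modbus/TCP written for this page, with a small policy check of the kind such rules express: writes are only expected from an engineering workstation, and diagnostics sub-functions that restart a device or force it into listen-only mode always alert. The frames and the allowed-host set are constructed for the example.

```python
import struct

FUNCTION_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    8: "diagnostics", 15: "write_multiple_coils", 16: "write_multiple_registers",
    22: "mask_write_register", 23: "read_write_multiple_registers",
    43: "encapsulated_interface_transport",
}
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
# Diagnostics (function 8) sub-functions that change device state rather than read it.
DISRUPTIVE_DIAG_SUBFUNCS = {0x0001: "restart_communications", 0x0004: "force_listen_only"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the leading PDU function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack("!HHHB", frame[:7])
    if protocol != 0:
        raise ValueError("MBAP protocol id is not 0 (Modbus)")
    if length != len(frame) - 6:         # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    func = frame[7]
    return {
        "transaction": transaction,
        "unit": unit,
        "function": func & 0x7F,
        "exception": bool(func & 0x80),   # responses set the high bit on errors
        "name": FUNCTION_NAMES.get(func & 0x7F, f"function_{func & 0x7F}"),
        "data": frame[8:],
    }


def inspect(frame: bytes, src_ip: str, allowed_writers: set) -> list:
    """Policy check: writes only from approved hosts; disruptive diagnostics always alert."""
    pdu = parse_modbus_tcp(frame)
    alerts = []
    if pdu["function"] in WRITE_FUNCS and src_ip not in allowed_writers:
        alerts.append(f"{src_ip} unit {pdu['unit']}: {pdu['name']} from unapproved host")
    if pdu["function"] == 8 and len(pdu["data"]) >= 2:
        sub = struct.unpack("!H", pdu["data"][:2])[0]
        if sub in DISRUPTIVE_DIAG_SUBFUNCS:
            alerts.append(f"{src_ip} unit {pdu['unit']}: diagnostics {DISRUPTIVE_DIAG_SUBFUNCS[sub]}")
    return alerts


def mbap(transaction: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame; the MBAP length field counts unit id + PDU."""
    return struct.pack("!HHHB", transaction, 0, len(pdu) + 1, unit) + pdu


# Constructed frames (not from a capture):
READ_REGS = mbap(1, 1, bytes([3]) + struct.pack("!HH", 0, 10))                    # read 10 holding registers
WRITE_REG = mbap(2, 1, bytes([6]) + struct.pack("!HH", 0x0010, 0xFFFF))           # write one register
WRITE_COILS = mbap(3, 1, bytes([15]) + struct.pack("!HHB", 0, 8, 1) + b"\xff")    # force 8 coils on
DIAG_RESTART = mbap(4, 1, bytes([8]) + struct.pack("!HH", 0x0001, 0x0000))        # restart communications
ENGINEERING = {"10.0.0.5"}   # assumed engineering workstation allowed to write

if __name__ == "__main__":
    for frame in (READ_REGS, WRITE_REG, WRITE_COILS, DIAG_RESTART):
        print(parse_modbus_tcp(frame)["name"], inspect(frame, "10.0.0.99", ENGINEERING))
```

The length consistency check in parse_modbus_tcp matters as much as the policy: a decoder that trusts the MBAP length field is itself a target on a segment where attackers can send malformed frames.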
Security updates from Microsoft and Adobe
Microsoft and Adobe each released a series of security patches for their products January 10. Microsoft released seven bulletins to close eight security holes in its products. These include vulnerabilities — in Windows Media, Windows Packager, and Windows Object Manager — which the company rates as critical. The bugs could be exploited by attackers to inject and execute malicious code on a victim’s system via a specially crafted file. However, Windows 7 is not affected by the problem in Windows Media. The company finally released an update for Internet Explorer to fix the vulnerability in the SSL3.0/TLS1.0 protocol that has been known about since September. The related attack, known as BEAST (Browser Exploit Against SSL/TLS), allows attackers to, for example, decrypt cookies that are transmitted in encrypted form and use them for unauthorized Web page logins. Microsoft planned to publish this update in December but later delayed the release due to compatibility issues with third party products. Adobe published versions 10.1.2 and 9.5 of its Acrobat and Reader products for Windows and Mac OS X. The updates fix critical vulnerabilities that could be used by an attacker to cause the application to crash and potentially take control of an affected system. Versions 10.1.1 and 9.4.7 and earlier of Acrobat and Reader are affected; all users are advised to upgrade.
Full Story:
http://www.h-online.com/security/news/item/Security-updates-from-Microsoft-and-Adobe-1407247.html
PHP 5.3.9 released with hash DoS fix
The developers of PHP announced the release of PHP 5.3.9, which includes the ability to limit the number of input parameters in HTTP requests. The fix addresses the denial of service attack issue that was presented at the 28th Chaos Communication Congress and led to fixes being applied to many Web servers, frameworks, and languages. The underlying flaw — that it is possible to make hashes collide and force a system to spend much more CPU time reordering hashed data structures — still persists, but by setting the max_input_vars directive to a suitably low value, it makes it impossible to send sufficient parameters to trigger that problem. Another denial of service fix in 5.3.9 addresses an integer overflow when processing EXIF headers in JPEG files.
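Both the Tomcat item above and this PHP release respond to the same attack: a request carrying thousands of parameters whose names all hash to the same value, so that building the parameter table degenerates from linear to quadratic work. The following added example (written for this page, not PHP's or Tomcat's code) makes that concrete in Python: it implements the times-33 string hash PHP 5 used (DJBX33A), generates colliding keys from two-character blocks that share a hash contribution, inserts them into a chained hash table that counts key comparisons, and then shows what a parameter-count limit in the spirit of max_input_vars or Tomcat's maxParameterCount does to the cost. The table and the query strings are constructed; the bucket count and the limit of 1000 are assumptions chosen for the demonstration.

```python
import itertools
from urllib.parse import unquote_plus


def djbx33a(s: str) -> int:
    """Times-33 string hash (DJBX33A) as used by PHP 5's hash tables, modulo 2**32."""
    h = 5381
    for ch in s.encode():
        h = (h * 33 + ch) & 0xFFFFFFFF
    return h


class CountingTable:
    """Chained hash table that counts key comparisons: the cost the attacker inflates."""

    def __init__(self, nbuckets: int = 4096):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[djbx33a(key) % len(self.buckets)]
        for entry in chain:               # every colliding key is compared against all before it
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def colliding_keys(n_blocks: int) -> list:
    """All strings built from blocks with equal DJBX33A contribution ("Ez", "FY", "G8"
    all satisfy a*33 + b == 2399); every such string of the same length hashes identically."""
    return ["".join(p) for p in itertools.product(("Ez", "FY", "G8"), repeat=n_blocks)]


def parse_query(qs: str, max_input_vars: int = None) -> CountingTable:
    """Parse a=b&c=d into a CountingTable. max_input_vars models the PHP 5.3.9
    directive (and Tomcat's maxParameterCount): parsing stops at the limit."""
    table = CountingTable()
    for i, pair in enumerate(qs.split("&")):
        if max_input_vars is not None and i >= max_input_vars:
            break
        key, _, value = pair.partition("=")
        table.insert(unquote_plus(key), unquote_plus(value))
    return table


def demo() -> dict:
    keys = colliding_keys(7)                            # 3**7 = 2187 keys, one hash value
    evil = "&".join(k + "=1" for k in keys)
    benign = "&".join(f"k{i}=1" for i in range(len(keys)))
    return {
        "distinct_hashes": len({djbx33a(k) for k in keys}),
        "evil_comparisons": parse_query(evil).comparisons,
        "benign_comparisons": parse_query(benign).comparisons,
        "limited_comparisons": parse_query(evil, max_input_vars=1000).comparisons,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The numbers show exactly what the text says: with 2187 colliding keys the table does n(n-1)/2 comparisons, the limit caps n and therefore the damage, but the underlying weakness (a predictable hash) is untouched; a randomized or attacker-resistant hash is the real fix.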
Full Story:
http://www.h-online.com/security/news/item/PHP-5-3-9-released-with-hash-DoS-fix-1407472.html
New Android trojan poses as detection tool
A new Android trojan masquerading as a tool to detect Carrier IQ software is covertly running up the phone bills of unsuspecting smartphone users. Dubbed Android.Qicsomos by Symantec researchers, the trojan is a version of an open source project designed to detect Carrier IQ, a diagnostic tool built into a host of smartphones from all different carriers. Carrier IQ sent the security world into an uproar when, in late November, a researcher discovered that the software, designed to enhance consumers’ mobile experience, actually logs keystrokes, text messages, and encrypted Web searches. Carrier IQ reps refuted the original claims the software harvests users’ personal data. The drama, however, was enough to make Carrier IQ — and smartphone privacy — a hot-button issue, and it is by leveraging that concern that crooks are keeping the new Qicsomos trojan alive and spreading. According to researchers, Qicsomos, which is currently affecting French Android customers, hides in an app called “Detecteur de Carrier IQ” and appears on devices with an icon similar to Orange, a major European telecom operator. When the user notices the icon and presses “Desinstaller” (to uninstall Carrier IQ ), the trojan goes to work: it sends four premium rate text messages, which the smartphone owner is then billed for, then erases itself. Symantec researchers said there is no trace of the phony app, “Detecteur de Carrier IQ 2.0.4,” in Google’s official Android App Market. They believe the app may be spreading through social engineering or phishing campaigns pretending to be from an official mobile carrier. While Qicsomos is affecting French Android users, it is possible the attackers could target the United States.
Full Story:
http://www.msnbc.msn.com/id
Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_011212.pdf
Topics: DHS Infrastructure Reports
Smart grid security inadequate, threats abound: DHS Open Source Infrastructure Report Jan. 9th
By Kelli Tarala | January 9, 2012
A recent report by Pike Research found a lack of security standards, a hodgepodge of products, and increasingly aggressive malicious hackers will make 2012 a challenging year for securing smart grids, IDG News Service reported January 4. “After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended,” said a Pike analyst. There is also a danger of overlooking the insider threat. “One of the main reasons for increased spending on smart grid security software and management systems is simply to make sure the correct people have access to the equipment and systems they should have access to.” Among other things, this means protecting systems from disgruntled employees or others who might commit internal sabotage, an ABI Research analyst said. The Pike Research report suggests the lack of enforceable security standards or regulations for power distribution grids “leads to a scene of mass chaos in utility cybersecurity”, and will cause utilities to take a wait-and-see approach to significant security investments.
Full Story:
http://news.idg.no/cw/art.cfm?id=A127ABC9-B53E-AC90-3176B393E1D42341
ArcelorMittal hacked by Anonymous, tons of information leaked
Loose-knit hacker collective Anonymous managed to breach the main Web site belonging to ArcelorMittal, the largest steel-producing company in the world, leaking a large quantity of information from their databases, Softpedia reported January 6. ArcelorMittal’s Web site was offline January 6. Several cross-site scripting and SQL injection vulnerabilities allowed the hackers to breach the Web site and leak information on users and administrators. Only a few days have passed since Anonymous first threatened Luxembourg-based ArcelorMittal for closing production sites in Belgium.
Full Story:
http://news.softpedia.com/news/ArcelorMittal-Hacked-by-Anonymous-Tons-of-Information-Leaked-244898.shtml
Symantec confirms source code leak in two enterprise security products
Symantec confirmed January 5 that source code used in two of its older enterprise security products was publicly exposed by hackers the week of January 2. In a statement, the company said the compromised code is between 4 and 5 years old and does not affect Symantec’s consumer-oriented Norton products as was previously speculated. “Our own network was not breached, but rather that of a third party entity,” the company said in the statement. “We are still gathering information on the details and are not in a position to provide specifics … Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions,” the statement said. A Symantec spokesman identified the two affected products as Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2. Both are targeted at enterprise customers and are more than 5 years old, he said. Symantec is developing a remediation process for enterprise customers still using the affected products, he noted. An Indian hacking group calling itself Lords of Dharmaraja earlier claimed it accessed source code for Symantec’s Norton AV products.
Chrome 17 enters beta, improves speed and security
Version 17 of Chrome has been released into the WebKit-based browser’s Beta channel, H Security reported January 6. Its developers said the new Chrome beta, version 17.0.963.26, is focused on improving security. With this version, Chrome’s Safe Browsing technology has been extended to protect against malicious downloads by analyzing executable files, including Windows .exe and .msi files. If a user visits a Web site and is tricked into downloading, for example, a fake anti-virus product, Chrome will issue a warning if the file appears to be malicious and will advise the user to discard it. The Chrome team at Google also updated the browser’s Stable channel to version 16.0.912.75, closing three high risk security holes. These include a use-after-free in animation frames, a heap-buffer-overflow in the libxml software library, and a stack-buffer-overflow in glyph handling.
Full Story:
http://www.h-online.com/security/news/item/Chrome-17-enters-beta-improves-speed-and-security-1404530.html
Sony website defacer pwned by second hacker
A defacer affiliated with Anonymous vandalized Sony’s online front door the week of January 2 over the company’s support of the Stop Online Piracy Act, a hated anti-piracy law proposed in the U.S., The Register reported January 6. The Sony Pictures Web site was defaced and unauthorized comments were posted on the company’s Facebook page. The digital graffiti was scribbled by a hacker who uses the Twitter handle s3rver_exe. Both acts of vandalism were rapidly purged, while the YouTube video illustrating the hack was quickly pulled. The latest security breach comes after Sony announced it was bolstering its electronic defenses following the PlayStation Network hack in 2011, which forced Sony to take down its gaming platform for weeks.
Full Story:
http://www.theregister.co.uk/2012/01/06/sony_defacement/
Pastebin downed by second DDoS attack this week
Pastebin.com found itself hit by a distributed denial-of-service (DDoS) attack January 5 for the second time in a week. The site was previously taken offline for a portion of the day January 3, though no motives or culprits for that attack have been named yet. A post to the service’s Twitter account (@pastebin) around 1:30 p.m. acknowledged the attack: “Pastebin is under DDOS attack again guys, working on it …” Initially started as a site to allow developers to share code, over the last year Pastebin has proved to be the favored drop-off spot for hacktivist groups such as Anonymous and Lulzsec for dumping long diatribes of text detailing accounts of hacks, exploits, and other information. As of the late afternoon January 5, the site was still offline.
Full Story:
http://threatpost.com/en_us/blogs/pastebin-downed-second-ddos-attack-week-010512
Microsoft plans big January Patch Tuesday
Microsoft said January 5 it would deliver seven security updates the week of January 9 to patch eight vulnerabilities in Windows and its developer tools. However, the company declined to confirm the slate will include a patch pulled at the last minute a month ago. One of the seven updates was tagged “critical,” while the others were marked “important,” even though some of them could conceivably be exploited by attackers to plant malware on users’ PCs. Altogether, three of the updates were labeled as “remote code execution,” meaning they could be used to hijack an unpatched system, Microsoft said in its monthly advance notification. A twist to this month’s Patch Tuesday is Microsoft’s classification of one of the updates as “security feature bypass,” a label it has never applied before.
Full Story:
http://www.computerworld.com/s/article/9223180/
New denial-of-service attack cripples Web servers by reading slowly
A researcher published proof-of-concept code January 5 that takes a different spin on the slow HTTP denial-of-service (DoS) attack simply by dragging out the process of reading the server’s response — and ultimately overwhelming it. The senior software engineer with Qualys also added this new so-called Slow Read attack to his open-source Slowhttptest tool. Slow Read basically sends a legitimate HTTP request and then very slowly reads the response, thus keeping as many open connections as possible and eventually causing a DoS. The researcher’s Slowhttptest attack tool initially was inspired by related open-source tools Slowloris and OWASP’s Slow HTTP Post. Slowloris keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, while the Slow HTTP POST distributed DoS (DDoS) tool simulates an attack using POST headers with a legitimate “content-length” field that lets the Web server know how much data is arriving. Once the headers are sent, the POST message body is transmitted slowly, thus gridlocking the connection and server resources. Slow HTTP attacks are gaining in popularity among miscreants as a way to quietly wage a DoS attack because these exploits are relatively easy to perform, require minimal computing resources, and often are tough to detect until it is too late.
Full Story:
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232301367/
Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_010612.pdf
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.
Topics: DHS Infrastructure Reports
Microsoft releases security update for DoS issue in ASP.NET: DHS Open Source Infrastructure Report Jan. 4th
By Kelli Tarala | January 4, 2012
Microsoft rushed to release an out-of-band security update to resolve a denial-of-service (DoS) issue that affected ASP.NET versions 1.1 and later on all supported variants of the .NET framework. A large number of Web platforms are affected by the hash collision problem, but the company was among the first to act on it. The MS11-100 security bulletin fixes a vulnerability that exists in the way ASP.NET hashes specially crafted requests. The hash collisions that occur when malicious data is inserted into hash tables could overwhelm a server’s CPU, resulting in a DoS condition. Other weaknesses are also resolved in the latest security update. A phishing attack could be launched by a hacker using a spoofing vulnerability in the way return URLs are verified during the forms authentication process. By exploiting this flaw, an attacker can redirect a user to a malicious Web site set up to obtain private data. An authentication bypass vulnerability that exists in ASP.NET forms is more difficult to exploit, but if an attacker manages to register an account on the application and knows the name of the targeted account, he could use a special Web request to initiate any action, including code execution, as the targeted account. Finally, an authentication ticket caching weakness allows a cybercriminal to execute arbitrary code, due to the way cached content is handled by the framework when Forms Authentication is used with sliding expiry. Combined with some social engineering, an attacker could send potential victims with elevated privileges a specially crafted link. Microsoft is not aware of any attacks taking place in the wild using these vulnerabilities, but to prevent any unfortunate incidents, users are advised to install the update.
Full Story:
http://news.softpedia.com/news/Microsoft-Releases-Security-Update-for-DoS-Issue-in-ASP-NET-243764.shtml
Aggressive phishing attack targets military
A recent phishing attack is making the rounds in an e-mail which appears to be from USAA, a financial services company that serves military members, their families, and veterans, DoD Live reported December 31. The e-mail subject begins with “Deposit Posted.” Members are asked to open a Zeus-infected attached file. Once opened, it launches malware that could provide access to personal information and may require a complete reinstall of the computer operating system.
Full Story:
http://www.dodlive.mil/index.php/2011/12/aggressive-phishing-attack-targets-military/
Antisec hacks California Law Enforcement Association, email content leaked
As part of Project Mayhem, AntiSec hackers took down the official Web site of the California Law Enforcement Association. The site was still down January 3, and the attackers claim other sites hosted on the same domain are also “wiped off the net.” Besides defacing the Web site and posting their messages on its main page, the black hats also leaked the contents of some e-mails belonging to the association’s staffers and billing information from customers. The e-mails sent between employees show they suspected they were the victim of a data breach, but it took some time for them to change the passwords. Until they did so, the hackers managed to obtain a lot of sensitive data, including the unencrypted content of some database tables that was sent via e-mail. In one of the e-mails, the hacktivists also found a list of personal e-mail addresses belonging to New York police chiefs. “For our next owning we bring you multiple law enforcement targets in the state of New York, who has been on our crosshairs for some time due to their brutal repression of Occupy Wall Street,” they said.
Stuxnet, Duqu and others created with ‘Tilded’ platform by the same team
After an extensive analysis of a large number of Stuxnet and Duqu drivers, Kaspersky Lab experts concluded the two trojans, along with other pieces of malware, were created by the same team, using a platform called Tilded, created around 2007-2008. They believe Tilded (so named because its authors tend to use file names that start with the tilde symbol followed by the letter d (~d)) was used to create the two now infamous trojans, which may have been the results of simultaneous projects. The details indicate other spyware modules and programs are based on the same platform. Researchers now present a precise timeline to show the connection between Duqu and Stuxnet, and also to show the evolution of their drivers from one year to the next. Their studies show a driver called jmidebs.sys is the connecting link between mrxcls.sys and the drivers later used in Duqu. “The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date,” the chief security expert at Kaspersky Lab said. “We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team.” In mid-2010, Tilded went through some changes that may have resulted from the need to better avoid detection by antivirus software, but also because its code could be improved.
Host storage devices vulnerable with KVM Linux virtualization
According to a kernel update advisory by Red Hat, root users in a guest system virtualized with KVM (Kernel-based Virtual Machine) can, in certain circumstances, gain read and write access to the Linux host’s storage devices. The advisory said the hole exists when a host makes partitions or LVM volumes available to the guest as “raw disks” via virtio. Privileged guest users can send SCSI requests to such volumes, which the host will execute on the underlying storage device; this allows the guest system to access all areas of the device rather than just the permitted partitions or volumes. The hole has been rated as “important” and is listed under CVE ID 2011-4127. Further background information is available in an entry in Red Hat’s bug database and in a blog posting by a Red Hat developer. Meanwhile, kernel developers are discussing the most suitable way to fix the problem; a patch suggested by another Red Hat developer has not met the approval of Linux’s developer. He also thinks the patch is too dangerous to be integrated into the Linux main development branch at this point; the main development branch is expected to produce version 3.2 of the Linux kernel in early January.
Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_010411.pdf
Topics: DHS Infrastructure Reports
Continuous Monitoring with PowerShell
By James Tarala | January 3, 2012
Welcome back from the holidays! I imagine many of you are just returning from the holidays and are ready to get started on those new year’s resolutions. If one of them was to implement continuous monitoring or learn more about scripting, do I have a treat for you! Now that I’m back from some holiday travel myself, I think it’s time to continue our series on automating continuous monitoring and the 20 Critical Controls.
I don’t want these blog posts to be an introduction to PowerShell. There are plenty of fine references on that available to you. In talking with Jason Fossen (our resident Windows guru), I have to agree with him that one of the best starter books on the topic is Windows PowerShell in Action, by Bruce Payette. So if you’re looking to get started learning PowerShell, start there, or maybe try some of the Microsoft resources available at the Microsoft Scripting Center.
But let’s say you’ve already made a bit of an investment in coding and you already know what tasks you’d like to perform. For example, maybe you wonder who is a member of your Domain Admins group, so you use Quest’s ActiveRoles AD Management snap-in to run the following command:
(Get-QADGroup 'CN=Domain Admins,CN=Users,DC=sans,DC=org').Members
Or, on the other hand, maybe you want to generate a list of user accounts in Active Directory whose password is set to never expire; you’d likely have code such as:
Get-QADUser -passwordneverexpires
Or maybe you even want to run an external binary, like nmap, to scan your machines; you might have a command such as:
nmap -sS -sV -O -p1-65535 10.1.1.0/24
In any case, the first step is to come up with the code you want to automate. That’s step one.
Next, you don’t just want to run the code; you want its results emailed to you on a regular basis, say once a day or once a week. So the next step is to use a mailer to email you the results of your script. You have a few choices here. One option is to use a third party tool like blat to generate your email. But since we’re using PowerShell, let’s stick with that. Version 2.0 of PowerShell also has some built-in mailing capabilities in this regard.
The easiest way to get started is to save the output of the commands you want run to a temporary text file, mail the text file as the body of an email message, and then delete the temporary file. An easy way to get started would be to use the following commands:
# Temporary file that your monitoring commands have already written their output to
$filename = "sometextfilewithoutputresultsinit.txt"
# SMTP relay that accepts mail from the host running the script
$smtp = New-Object Net.Mail.SmtpClient("mymailserver.sans.org")
$subject = "SANS Automated Report - $((Get-Date).ToShortDateString())"
$from = "automation@sans.org"
$msg = New-Object System.Net.Mail.MailMessage
$msg.From = $from
$msg.To.Add("automation@sans.org")
$msg.Subject = $subject
# Join the file's lines back into one CRLF-separated string for the message body
$msg.Body = [string]::Join("`r`n", (Get-Content $filename))
$smtp.Send($msg)
# Clean up so the report (which may contain account names) does not linger on disk
Remove-Item $filename
Save your data as an appropriate PS1 file, automate the command to run once in a while using Task Scheduler, and you’re off to the races!
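Putting the steps above together, here is one way the whole scheduled-task script could look. This is an added example, not code from the original post: it keeps the post’s Quest snap-in commands and temporary-file approach, but lets the OS pick a unique temp file name, records a failed check in the report instead of mailing an empty section, uses PowerShell 2.0’s built-in Send-MailMessage, and deletes the temp file in a finally block so it is cleaned up even if the mail send throws. The mail server, addresses, and the Domain Admins distinguished name are placeholders taken from the post’s examples and must be replaced for your environment.

```powershell
# Added example (not from the original post). Assumes the Quest ActiveRoles
# snap-in is installed, as in the post; server/addresses are placeholders.

$SmtpServer = 'mymailserver.sans.org'   # placeholder relay
$From       = 'automation@sans.org'     # placeholder sender
$To         = 'automation@sans.org'     # placeholder recipient
$Subject    = "SANS Automated Report - $((Get-Date).ToShortDateString())"

# Let the OS pick a unique temp file so two overlapping runs never
# clobber each other's output.
$ReportFile = [System.IO.Path]::GetTempFileName()

try {
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

    # Each check is a label plus a script block; add or remove checks here.
    $Checks = @(
        @{ Name = 'Domain Admins members'
           Run  = { (Get-QADGroup 'CN=Domain Admins,CN=Users,DC=sans,DC=org').Members } },
        @{ Name = 'Accounts with non-expiring passwords'
           Run  = { Get-QADUser -PasswordNeverExpires |
                    Select-Object -ExpandProperty NTAccountName } }
    )

    foreach ($Check in $Checks) {
        "==== $($Check.Name) ($(Get-Date -Format s)) ====" |
            Out-File $ReportFile -Append
        try {
            & $Check.Run | Out-String -Width 200 | Out-File $ReportFile -Append
        } catch {
            # A check that errors out should be visible in the mail, not silent.
            "CHECK FAILED: $($_.Exception.Message)" | Out-File $ReportFile -Append
        }
    }

    # PowerShell 2.0's built-in mailer; the report body is the whole temp file.
    $Body = Get-Content $ReportFile | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
                     -Subject $Subject -Body $Body
}
finally {
    # Runs even if the snap-in load or the send throws, so no report
    # listing privileged accounts is left behind on disk.
    if (Test-Path $ReportFile) { Remove-Item $ReportFile -Force }
}
```

Save it as a .ps1 and point a Task Scheduler job at it just as the post describes; the script needs to run as an account that can read the group and user attributes being queried, and the relay must accept mail from that host.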
We certainly have more to discuss, but hopefully this inspires some thinking on the matter. I’ll post again soon with some other steps to consider, before we move on to Bash. There’s a lot we can talk about here. Until next time…
Topics: 20 Critical Controls, Scripting
Kaspersky claims ‘smoking code’ linking Stuxnet and Duqu: DHS Open Source Report Jan 3rd.
By Kelli Tarala | January 3, 2012
Researchers at Kaspersky Lab claimed to have found proof that the writers of the Stuxnet and Duqu malware are one and the same, and are warning of at least three new families of advanced malware potentially in circulation, The Register reported December 30. The chief security expert at Kaspersky Lab said that researchers had examined drivers used in both Stuxnet and Duqu and concluded that a single team was most likely behind them both, based on the timing of their creation and their methods of interacting with the rest of the malware code. The researcher’s data suggests both were built on a common platform, dubbed Tilded because it uses many files beginning with the tilde symbol “~” and the letter “d.” The platform was built around 2007 or later, and was updated in 2010. Kaspersky’s director of global research and analysis told Reuters that the platform and drivers involved would indicate five families of malware had been made using the platform already, and that others may be in development. The modularity of the systems makes it easy for the malware writers to adapt their creations to new purposes and techniques.
Full Story:
http://www.theregister.co.uk/2011/12/30/kaspersky_stuxnet_duqu_link/
Your smartphone from Amazon has shipped, malware-spreading spam
Softpedia reported December 30 a malware scam involving an e-mail allegedly sent by Amazon to confirm that an electronic device such as a smartphone has already been paid for with the recipient’s credit card. Users who click on the links contained in the message are taken to a Web site that serves a variant of Cridex, especially designed to steal personal and financial information from the computer it lands on, according to Hoax Slayer. Win32/Cridex is usually delivered via spammed malware such as variants of Exploit:JS/Blacole and is programmed to spread to removable drives. Besides banking credentials, it also targets local certificates and it is able to execute files. Once executed, the malicious element drops a copy of the worm as a randomly named file and modifies the registry to make sure it is executed each time the operating system boots. After the dropper is deleted, Cridex injects itself into every running process, even ones that are later created.
Full Story:
http://news.softpedia.com/news/Your-Smarthpone-from-Amazon-Has-Shipped-Malware-Spreading-Spam-243839.shtml
Verizon attributes 4G LTE service disruptions to ‘growing pains’
Verizon Wireless December 29 attributed recent service disruptions on its 4G LTE network to “growing pains” associated with building out an advanced network. Verizon’s network has experienced three separate disruptions this month: on December 7, 21, and 28. During those incidents, Verizon said it “proactively moved” customers from 4G LTE to 3G, though for a brief period December 28, “4GLTE customers could not connect to the 3G Network as quickly as we would have liked,” a press release from Verizon said. “Each incident has been different from a technical standpoint,” Verizon said. Verizon’s statement did not go into full detail, but in an interview with GigaOm, the vice president of network engineering for Verizon Wireless said the problems were associated with something known as the IP Multimedia Subsystem (IMS), or Verizon’s service delivery core. As GigaOm explained, IMS has been in use for years, but Verizon is the first to use it for a 4G LTE network. That has produced some problems, like the widespread outage that hit the company’s network back in April. This time around, there were three separate incidents. “The first outage on Dec[ember] 7 was caused by the failure of a back-up communications database,” GigaOm reported. “The second, last week, was the result of an IMS element not responding properly, while [the December 28] outage was caused by two IMS elements not communicating properly.” Essentially, some phones just kept trying to sign in to 4G without success until Verizon forced them to drop down to 3G. Verizon said it is taking a number of steps to prevent similar outages in the future.
Full Story:
http://www.pcmag.com/article2/0,2817,2398203,00.asp
Anonymous targets military-gear site in latest holiday hack
In what it is calling another round of “LulzXmas festivities,” an Anonymous-affiliated hacktivist group December 29 claimed to have stolen customer information from SpecialForces.com, a Web site that sells military gear. The hackers said they breached the SpecialForces.com site months ago, but only just got around to posting the customer data. Even though the site’s data was encrypted, they claim to have 14,000 passwords and details for 8,000 credit cards belonging to Special Forces Gear customers. Special Forces Gear’s founder confirmed that his company’s Web servers were compromised by Anonymous in late August, resulting in a security breach that allowed the hackers to obtain customer usernames, passwords, and possibly encrypted credit card information in some cases. He added that the compromised passwords were from a backup of a previous version of the Web site that is more than a year old, and that most of the credit card numbers are expired. No evidence of credit card misuse was found, and the site no longer stores customer passwords or credit card information.
Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_010312.pdf
Topics: DHS Infrastructure Reports
Microsoft plans 20 patches next week, will fix Duqu and BEAST bugs: DHS Open Source Infrastructure Report December 12th
By Kelli Tarala | December 12, 2011
Microsoft announced December 8 it will issue 14 security bulletins the week of December 12 to patch 20 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player. Among the patches will be ones that plug the hole used by the Duqu intelligence-gathering trojan, and fix the secure socket layer 3.0 and transport layer security 1.0 bug popularized 3 months ago by the Browser Exploit Against SSL/TLS hacking tool. Three of the 14 updates were tagged with Microsoft’s “critical” label, while the remaining 11 were marked “important.” Bugs in 10 of the updates could be exploited by attackers to remotely plant attack code on unpatched PCs, Microsoft said in its monthly advance notification that precedes each Patch Tuesday. A number of those bulletins were pegged as important, a move Microsoft makes when the bugs cannot easily be exploited because the pertinent components are not switched on by default, or because defensive technologies like ASLR and DEP help protect users.
Full Story:
http://www.computerworld.com/s/article/9222530/UpdatetaxonomyId=17
Iran shows off downed U.S. spy drone on TV as U.S. assesses loss of technology
The downed Lockheed Martin RQ-170 Sentinel spy drone, which is designed to be virtually invisible to radar and carries advanced communications and surveillance gear, made a 2 and a half minute television debut December 7 on Iran’s state-owned Press TV channel. U.S. intelligence officials are assessing the apparent loss of its highly classified technology. The official Iranian Republic News Agency reported the foreign ministry December 7 protested the “violation of Iran’s airspace by a U.S. spy drone on [December] 4,” the day Iranian forces claimed to have shot down the aircraft, 140 miles inside the Iranian border from Afghanistan. Several U.S. officials said the greatest concern is access to the aircraft could give Russian or Chinese scientists insight into its flight controls, communications gear, video equipment, and any self-destruct or return-to-base mechanisms. In addition, they said, the remains of the RQ-170 could help a technologically sophisticated military or science establishment develop infrared surveillance and targeting technology that under some conditions are capable of detecting stealth aircraft such as drones, and the new Lockheed Martin F-35s.
Full Story:
http://www.bloomberg.com/news/2011-12-09/
Credit, debit scam hits more than 1,000 Ukiah-area bank customers
Hundreds of Ukiah, California, area residents had their credit and debit card information breached the week of December 5, resulting in fraudulent charges and blocked and canceled cards. The illegal usages were made outside of the county, a Ukiah police detective said. Illegal transactions occurred as far away as Milan, Italy. The department is following leads to determine how and where the breach occurred, and whether it could be related to the Lucky’s Supermarket card skimming incident, he said. The breach affected debit and credit cards issued by multiple banks in the Ukiah area, but is not believed to have occurred within the institutions, he said. As a precaution, Savings Bank of Mendocino County blocked access to about 1,000 debit cards that MasterCard notified them could have been compromised, a bank spokeswoman said. Only a small percentage of those account holders reported their accounts were accessed by an unauthorized party, she said. Other area banks also were blocking at-risk debit and credit cards, the detective said. He suspects multiple skimming devices were being used to steal information from credit and debit card scanners.
Full Story:
http://www.pressdemocrat.com/article/20111208/
Four charged with hacking point-of-sale computers
Four residents of Romania have been charged for their alleged participation in a multimillion-dollar scheme to remotely access point-of-sale systems (POS) at more than 150 Subway restaurants and other U.S. merchants, and steal payment card data, the U.S. Department of Justice (DOJ) said. The four-count indictment, unsealed December 7, charges the four Romanians with conspiracy to commit computer fraud, wire fraud, and access device fraud. From 2008 until May 2011, the four suspects conspired to remotely hack into more than 200 U.S.-based merchants’ POS or “checkout” computer systems to steal customers’ credit, debit, and gift card numbers and related data, the DOJ said. Subway restaurant systems were compromised in New Hampshire, New York, California, and elsewhere, according to the indictment. A POS system allows merchants to process customer purchases and typically includes a computer, monitor, credit-card processing system, signature capture device, and a customer pin pad device. The four compromised the payment card data of more than 80,000 customers, and made millions of dollars worth of unauthorized purchases, the DOJ said.
Full Story:
http://www.computerworld.com/s/article/9222520/taxonomyId=17
Feds launch cloud security standards program
Federal agencies will soon have a government-wide security standard for assessing, authorizing, and monitoring cloud products and services. The Federal Chief Information Officer December 8 unveiled the Federal Risk and Authorization Management Program (FedRAMP), which establishes a set of baseline security and privacy standards all cloud service providers will need to meet to sell their products to government agencies. The program requires that all agencies use only FedRAMP-certified cloud services and technologies for public clouds, private clouds, hybrid clouds, and community clouds. The program also covers all cloud service models, including Software as a Service (SaaS) and Platform as a Service (PaaS). FedRAMP will also provide federal agencies with standard procurement language to use in requests for proposals from cloud service vendors. A Joint Authorization Board, comprising security experts from the DHS, General Services Administration, and the Department of Defense, will be responsible for updating the FedRAMP security requirements on an ongoing basis. A group of third-party assessors hired from the private sector will be responsible for independently assessing cloud service providers and certifying their compliance with the standards.
Full Story:
http://www.computerworld.com/s/article/9222525/taxonomyId=17
Verizon outage hits long-distance
Much of Verizon’s long-distance telephone service in Florida went down December 8 after a piece of network equipment broke down near Orlando. The outage appeared to start about 1:30 p.m., a Verizon spokesman said. By 5:37 p.m., the system was back to normal, he said. The outage affected some data services that travel over long-distance lines, including some wide-area networks at companies. Depending on how calls were routed, customers trying to call to or from Tampa received error messages. Verizon provides service to about 1 million access lines in Pinellas and Hillsborough counties, and portions of Polk, Pasco, Manatee, and Sarasota counties. Local phone service did not appear to be affected, and Verizon’s cellular service appeared to be functioning as well.
Full Story:
http://www2.tbo.com/news/news/2011/dec/09/menewso1-ar-332760/
Line cut disrupts phone, Internet service in West Melbourne, Palm Bay
An AT&T line cut the morning of December 8 caused telephone and Internet disruptions for as many as 6,000 telephone and Internet customers in West Melbourne and Palm Bay, Florida. The outage could have lasted until the morning of December 10. A contractor for West Melbourne cut the line while working on a waterline project on Minton Road, the city manager said. The outage impacted customers differently, he said; some had phone, but not Internet service, others had Internet, but not phone, while more were without both services. Included in those without services were the West Melbourne City Hall and the police department. The outage did not affect emergency medical, fire, and police calls to 9-1-1.
Full Story:
http://www.floridatoday.com/article/20111208/
Read the Full Daily Open Source Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_121211.pdf
Topics: DHS Infrastructure Reports
Busted! Secret app on millions of phones logs key taps: DHS Infrastructure Open Source Report December 1st
By Kelli Tarala | December 1, 2011
Malware targeting Android devices continues to surge, according to a new report from McAfee, pushing 2011 to become the busiest year in history for mobile and general malware. The amount of malware infecting Android devices during the third quarter grew almost 37 percent from the second quarter, according to McAfee’s Third-Quarter Threats Report. Android’s growing demand among consumers has made it an increasingly ripe and inviting target for cybercriminals — almost all new mobile malware over the third quarter was aimed squarely at Android. Among all mobile platforms, Nokia’s Symbian OS still saw the greatest amount of malware. As a result of the onslaught against Android and the growth in overall malware, McAfee believes the industry will see 75 million unique pieces of malware by the end of the year, up from its previous forecast of 70 million. Phony antivirus products, AutoRun malware, and password-stealing trojans were among the most common types of malware in the quarter, staging a rebound from previous quarters. Malware aimed at the Mac also continues to grow. The number of botnet infections inched down over the third quarter but staged dramatic gains in countries such as Argentina, Indonesia, Russia, and Venezuela. Cutwail, Festi, and Lethic proved to be the most dangerous and damaging botnets last quarter. Though spam dropped in numbers since 2007, it has grown in sophistication, according to McAfee. Spearphishing, or targeted spam, is increasingly being adopted by more attackers and is proving to be highly effective.
Full Story:
http://news.cnet.com/8301-1009_3-57328575-83/androids-a-malware-magnet-says-mcafee/
Criminal probe into online mortgage scams widens
A criminal investigation into mortgage swindlers expanded beyond deceptive advertising on Google’s Internet search engine to root out con artists who were luring their victims on Bing and Yahoo, the Associated Press reported November 21. News of the widening probe confirmed the Internet’s three largest search engines were turned into tools of prey for crooks looking to bilk homeowners scrambling to avoid foreclosure. The scams involved online ads making bogus promises to help people hold onto their homes under a government-backed program to modify mortgage payments. After finding their victims using ads triggered by phrases such as “stop foreclosure,” the swindlers extracted upfront fees or arranged to have the mortgage payments sent to them without providing any help. The crackdown shuttered 125 mortgage scams by November 21, up from 85 the week of November 14, when the Office of the Special Inspector General for the Troubled Asset Relief Program announced it was cleaning up misconduct on Google. The U.S. Treasury Department division said many con artists bought ads on all three search engines. Like Google, Microsoft’s Bing search engine agreed to stop accepting ads from hundreds of Internet advertisers and agencies tied to the scams. The ban also applies to Yahoo, because it depends on Microsoft to sell its search advertising as part of a revenue-sharing partnership.
AT&T says attempted hack of customer accounts failed
AT&T November 21 acknowledged an organized attempt to hack information on fewer than 1 percent of its 100 million wireless customers, but it said no accounts were breached. A spokesman said the hackers appear to have used auto-script technology to find whether AT&T telephone numbers were linked to online AT&T accounts. He did not elaborate, but said an investigation is continuing. The spokesman said fewer than 1 percent of AT&T’s 100.7 million wireless subscribers were contacted by hackers through e-mail — a number that could mean about 1 million customers were affected. “Our investigation is ongoing to determine the source or intent of the attempt to gather this information,” the AT&T spokesman said. He said the AT&T account holders were advised of the attempt “out of an abundance of caution.”
Full Story:
http://www.computerworld.com/s/article/9222079/Update_AT_T_says_attempted_hack_of_customer_accounts_failed
Read the Full Daily Open Source Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_113011.pdf
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes
Topics: Assurance, DHS Infrastructure Reports
Danger worm hijacks Facebook accounts to inject banking trojan: DHS Infrastructure Open Source Report November 30th
By Kelli Tarala | November 30, 2011
A dangerous worm is using Facebook to spread itself by posting malicious links on the social networking Web site that point to malware-tainted sites loaded with a variant of the Zeus banking trojan as well as other pieces of malware. The malware uses stolen Facebook account credentials to log into compromised accounts and post the links, according to security researchers at CSIS in Denmark, who were the first to detect the threat. The links generated by the worm pose as links to a photo posted by the account holder’s friend or online acquaintance. In reality, the file is a booby-trapped screensaver executable given a .jpg file extension. Users have to download and open the file, but if tricked into doing so, the consequences can be serious, especially since anti-virus detection rates are quite low. CSIS added the worm is also using other domains to spread.
Full Story:
http://www.theregister.co.uk/2011/11/29/facebook_worm_spreads
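The worm above relies on a file name ending in .jpg being trusted over the bytes inside the file. The following is an added example (not code from CSIS or from the article) of the check a download gateway or mail filter would apply: read the first bytes, compare them with the extension, and flag image names that carry an executable header or a hidden second extension. The sample files are constructed in memory; the only facts it relies on are the standard signatures (JPEG FF D8 FF, PNG 89 50 4E 47, GIF87a/GIF89a, and the "MZ" DOS header that every Windows executable, screensavers included, starts with).

```python
"""Flag downloads whose name says "image" but whose bytes say "executable".

Added example for the worm described above; it is not code from CSIS or
from the article. The sample files are constructed in memory. The only
facts relied on are the standard file signatures: JPEG data starts with
FF D8 FF, PNG with 89 50 4E 47 0D 0A 1A 0A, GIF with GIF87a/GIF89a, and
Windows executables (.exe, .scr, .dll) with the two-byte "MZ" DOS header.
"""
from __future__ import annotations

# Signature table keyed by the canonical extension the bytes belong to.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {".jpeg": ".jpg"}                  # same bytes, different spelling
EXEC_EXTS = {".exe", ".scr", ".dll", ".com", ".pif", ".bat"}
PE_MAGIC = b"MZ"


def sniff(head: bytes) -> str | None:
    """Guess the real type from the first bytes: '.jpg', '.png', '.gif',
    '.exe' (any MZ executable, screensavers included) or None."""
    for ext, sigs in IMAGE_MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return ext
    if head.startswith(PE_MAGIC):
        return ".exe"
    return None


def split_name(name: str) -> tuple[str, str]:
    """Return (inner_ext, last_ext) so 'party.jpg.scr' -> ('.jpg', '.scr')."""
    parts = name.lower().rsplit(".", 2)
    last = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return ALIASES.get(inner, inner), ALIASES.get(last, last)


def classify(name: str, head: bytes) -> str:
    """Classify one download from its name and first bytes.

    'masquerade'       image extension, executable content (the worm's trick)
    'double-extension' e.g. photo.jpg.scr: looks like an image, runs as .scr
    'mismatch'         image extension, but bytes of a different image type
    'executable'       honest executable
    'ok'               extension and bytes agree
    'unknown'          nothing recognisable
    """
    inner, last = split_name(name)
    kind = sniff(head)
    if last in IMAGE_MAGIC and kind == ".exe":
        return "masquerade"
    if last in EXEC_EXTS and inner in IMAGE_MAGIC:
        return "double-extension"
    if last in IMAGE_MAGIC and kind in IMAGE_MAGIC and kind != last:
        return "mismatch"
    if last in EXEC_EXTS and kind == ".exe":
        return "executable"
    if last in IMAGE_MAGIC and kind == last:
        return "ok"
    return "unknown"


def scan(files: dict[str, bytes]) -> dict[str, str]:
    """Classify a batch of (name -> first bytes) and return name -> verdict."""
    return {name: classify(name, head[:16]) for name, head in files.items()}


# Constructed samples: a real-looking JPEG header, a PE header under an
# image name, a double extension, an honest executable and a text file.
SAMPLES = {
    "IMG_0042.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "party.jpg.scr": b"MZ\x90\x00\x03\x00",
    "setup.exe": b"MZ\x90\x00",
    "readme.txt": b"just text",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:16} {verdict}")
```

The check deliberately uses the last extension, since Windows hides known extensions by default and "party.jpg.scr" is displayed as "party.jpg"; a filter that only looked at the first dot would wave it through.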
FBI Denver Cyber Squad advises citizens to be aware of a new phishing campaign
The FBI Denver Cyber Squad advised citizens of a new spear phishing campaign involving personal and business bank accounts, financial institutions, money mules, and jewelry stores. The campaign involves a variant of the “Zeus” malware called “Gameover.” The e-mails claim to be from the National Automated Clearing House Association (NACHA) and advise the user of a problem with an ACH transaction at their bank that was not processed. Users who click on the link are infected with the Zeus/Gameover malware, which logs keystrokes and steals online banking credentials, defeating several forms of two-factor authentication. After accounts are compromised, the perpetrators launch a Distributed Denial of Service (DDoS) attack on the financial institution; investigators believe the DDoS is meant to deflect attention from the wire transfers and to prevent the transactions from being reversed if they are noticed. A portion of the wire transfers is sent directly to high-end jewelry stores, where a money mule comes to the store in person to pick up $100,000 in jewels (or whatever amount was wired). An investigation has shown the perpetrators contact the high-end jeweler asking to purchase precious stones and high-end watches. They say they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store; the jeweler confirms the money has been transferred or is listed as “pending” and releases the merchandise to the mule. Later, the transaction is reversed or cancelled (if the financial institution caught the fraud in time), and the jeweler is out whatever jewels the money mule was able to obtain.
Full Story:
http://www.fbi.gov/denver/press-releases/2011/
Criminals sabotaging Cyber Monday, security experts warn
Security experts November 28 warned consumers of a rapidly mutating spam campaign using bogus messages from United Parcel Service (UPS) claiming a package could not be delivered. The spam run, which actually began earlier in November, is just one way security researchers believe criminals will exploit the holiday online buying spree. According to Cloudmark’s engineering director, the UPS-themed scam uses phony e-mail to dupe recipients into opening an attachment or clicking on a link that infects their machines with malware. “We’ve seen a number of variants … some with attachments, some with no attachments and bad links, all of them personalized to the recipient, and sent from an ever-changing list of fake UPS employees or the generic ‘UPS Customer Services,’ ” the director said in a blog post November 28. The attached files are .zip archives that contain malware, he said, while the links lead to compromised or hacker-controlled Web sites. Experts urged users, both at home and at work, where many shop using their office’s faster Internet connection, to be wary of fake sites and too-good-to-be-true discounts pitched via e-mail and social media. SecureWorks also encouraged users to ensure their browsers and browser plug-ins, especially document viewers such as Adobe Reader and music and video player utilities like Flash, are up to date with the most recent security patches.
Full Story:
http://www.computerworld.com/s/article/9222209/
United Nations agency ‘hacking attack’ investigated
A group of hackers posted more than 100 e-mail addresses and log-in details it claimed to have extracted from the United Nations. Many of the e-mail addresses appear to belong to members of the United Nations Development Programme (UNDP). The group, which identifies itself as Teampoison, attacked the UN’s behavior and called it a “fraud.” A spokeswoman for the UNDP said the agency believed “an old server which contains old data” had been targeted. “UNDP is taking action to close any vulnerabilities on our Web site,” she said. “Please note that UNDP.org was not compromised.” The details were posted on the Web site Pastebin under the Teampoison logo. Many of the e-mail addresses end in undp.org, but others appear to belong to members of the Organization for Economic Cooperation and Development, the World Health Organization, and the United Kingdom’s Office for National Statistics. The poster noted that several of the accounts had “no passwords”.
Full Story:
http://www.bbc.co.uk/news/technology-15951883
13 million gamers in ID theft scare after Nexon breach
An estimated 13 million gamers have been left at greater risk of ID theft following a breach at gaming firm Nexon. Data including names, usernames, encrypted resident registration numbers, and password hashes was exposed as a result of the breach at Nexon, which runs the popular online role-playing game Maple Story. The breach followed a hack on a backup server for Maple Story late the week of November 21. Details of the 5 million customers of other games maintained by Nexon were not exposed. Nexon promised to bolster its security in the wake of the attack, the Korea Herald reports. In addition, it is offering game items to gamers who change their passwords.
Full Story:
http://www.theregister.co.uk/2011/11/29/nexon_data_breach/
HP printers may be remotely set on fire, researchers say
Researchers at Columbia University in New York City found an HP LaserJet printer vulnerability that could allow an attacker to remotely take control of the device to launch cyber attacks, steal data being printed, and even drive its mechanical components to overload until it catches fire. According to MSNBC, the researchers said the flaw does not affect only HP printers but also other devices, used by millions of individuals and companies, that so far were considered safe. In the case of the HP printers they tested thoroughly, the researchers relied on the fact that remote firmware updates are not checked for signatures or certificates when they are installed. In one demonstration, by sending a specially crafted print job, they were able to inject code that automatically scanned printed documents for sensitive information and transmitted the data to a Twitter feed. They showed an infected computer could instruct the printer’s fuser, the component that heats the paper to bond the toner, to heat continuously until the device self-destructs or, if it lacks a thermal fuse or cutoff, sets itself on fire. They also showed a hijacked printer could serve as a foothold for a full-scale attack on a company network, and demonstrated the attack from computers running Mac and Linux operating systems. HP representatives argued the situation might not be that dire, saying their newer models check for signatures when performing firmware updates; the company is investigating to determine exactly what is affected and what can be done about it. Even though later printer models should be more secure, the researchers said one of the printers used in their tests was purchased not long ago.
Full Story:
http://news.softpedia.com/news/HP-Printers-May-Be-Remotely-Set-On-Fire-Researchers-Say-237254.shtml
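The root cause above is an update path that flashes whatever arrives. The block below is an added example (not HP’s update code and not the Columbia researchers’ exploit) that puts the unsigned acceptance routine beside a verified one, so the difference in what each will accept is visible on constructed images. The image layout (magic, 32-bit version, payload, 32-byte tag) and the key are assumptions made for the example. Python’s standard library has no public-key signatures, so an HMAC-SHA256 tag stands in for the vendor’s signature; a real device verifies an RSA or ECDSA signature against a public key held in ROM, so that dumping the device does not yield the ability to sign. The anti-rollback check is a typical companion control, not something the article mentions.

```python
"""Firmware update acceptance: the unsigned path beside a verified one.

Added example for the flaw described above; it is not HP's update code
or the Columbia researchers' exploit. The image layout (magic, 32-bit
version, payload, 32-byte tag) and the key are assumptions made so the
example runs offline. Python's standard library has no public-key
signatures, so an HMAC-SHA256 tag stands in for the vendor's signature;
a real device verifies an RSA/ECDSA signature with a public key held in
ROM, so that dumping the device yields no signing ability. The
anti-rollback check is a typical companion control, not something the
article mentions.
"""
from __future__ import annotations
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
TAG_LEN = 32
VENDOR_KEY = b"vendor signing key (assumed for the example)"


def build_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Assemble MAGIC | version | payload | tag, the way the vendor would."""
    body = MAGIC + struct.pack(">I", version) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def install_unsigned(image: bytes, installed_version: int) -> int:
    """The vulnerable path: anything with the right magic is flashed.
    Returns the version now 'installed'."""
    if not image.startswith(MAGIC):
        raise ValueError("not a firmware image")
    return struct.unpack(">I", image[4:8])[0]


def install_verified(image: bytes, installed_version: int, key: bytes = VENDOR_KEY) -> int:
    """The hardened path: authenticate the whole image before parsing it,
    and refuse downgrades to a version with known holes."""
    if len(image) < len(MAGIC) + 4 + TAG_LEN or not image.startswith(MAGIC):
        raise ValueError("malformed image")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):     # constant-time compare
        raise ValueError("signature check failed")
    version = struct.unpack(">I", body[4:8])[0]
    if version <= installed_version:
        raise ValueError("rollback refused")
    return version


def accepts(installer, image: bytes, installed_version: int) -> bool:
    """True if the given installer would flash the image."""
    try:
        installer(image, installed_version)
        return True
    except ValueError:
        return False


# Constructed images: a genuine update, an attacker-built image signed
# with a key of their own, and a genuine image with one payload byte flipped.
GENUINE = build_image(5, b"legit firmware payload")
FORGED = build_image(6, b"malicious payload", key=b"attacker key")
TAMPERED = bytearray(GENUINE)
TAMPERED[10] ^= 0xFF          # index 10 lies inside the payload
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    for label, img in (("genuine", GENUINE), ("forged", FORGED), ("tampered", TAMPERED)):
        print(f"{label:9} unsigned={accepts(install_unsigned, img, 4)} "
              f"verified={accepts(install_verified, img, 4)}")
```

Note the order inside `install_verified`: the tag is checked over the entire body before the version field is even parsed, so no attacker-controlled byte is interpreted until the image has been authenticated.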
Russian spammers rely on new techniques to mask phone numbers
Some spam messages carry phone numbers instead of links pointing to the sites where products are advertised. To get past spam filters that look for those numbers, Russian spammers have devised new ways to disguise them. Symantec researchers describe a range of methods Russian spammers use to list phone numbers in e-mail messages without triggering anti-spam solutions. One of the simpler methods involves placing symbols between the digits that make up the number. In some cases, Cyrillic letters that resemble digits are used in place of some of the digits. In other messages, the digits are spelled out as Russian words. A final technique replaces the area code with the name of the city it belongs to.
Full Story:
http://news.softpedia.com/news/Russian-Spammers-Rely-on-New-Techniques-to-Mask-Phone-Numbers-237269.shtml
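Each of the four techniques above defeats a filter that simply looks for a run of digits. The block below is an added example (not Symantec’s detection code) that reverses them in order: number words and city names are replaced first, so that the letters inside real words are not mangled; then look-alike letters are read as digits and separator symbols between digits are tolerated. The homoglyph table, the number-word table and the city table are small illustrative assumptions (495 and 812 are the real codes for Moscow and St. Petersburg; a deployment would carry a fuller list), and the spam snippets are constructed.

```python
"""Recover phone numbers a spammer has obfuscated in a message body.

Added example illustrating the filter-evasion techniques the article
lists; it is not Symantec's detection code. It undoes, in order: digits
spelled out as Russian number words, a city name standing in for the
area code, Cyrillic (and Latin) letters that look like digits, and
arbitrary symbols inserted between the digits. The homoglyph table,
the number-word table and the city table are small illustrative
assumptions (495 and 812 are the real codes for Moscow and
St. Petersburg; a deployment would carry a fuller list).
"""
from __future__ import annotations
import re

# Letters commonly substituted for digits because they look alike.
HOMOGLYPHS = {
    "О": "0", "о": "0", "O": "0", "o": "0",   # Cyrillic/Latin O
    "З": "3", "з": "3",                        # Cyrillic Ze
    "Ч": "4", "ч": "4",                        # Cyrillic Che
    "б": "6",                                  # Cyrillic be
    "I": "1", "l": "1", "|": "1",
}
# Digits written out as Russian words.
NUMBER_WORDS = {
    "ноль": "0", "один": "1", "два": "2", "три": "3", "четыре": "4",
    "пять": "5", "шесть": "6", "семь": "7", "восемь": "8", "девять": "9",
}
# City names standing in for the area code (assumed, partial table).
CITY_CODES = {"москва": "495", "питер": "812", "петербург": "812"}


def substitute_words(text: str) -> str:
    """Replace number words and city names with their digits.

    Runs before the homoglyph step so that letters inside real words
    ('ноль', 'Москва') are not mangled first."""
    out = []
    for tok in re.split(r"(\W+)", text):   # keep separators between words
        low = tok.lower()
        out.append(NUMBER_WORDS.get(low, CITY_CODES.get(low, tok)))
    return "".join(out)


def extract_numbers(text: str, min_digits: int = 10, max_gap: int = 3) -> list[str]:
    """Return every run of at least min_digits digits, allowing up to
    max_gap punctuation/space characters between consecutive digits and
    treating homoglyph letters as digits. Any other letter ends a run."""
    text = substitute_words(text)
    found: list[str] = []
    run, gap = "", 0

    def flush() -> None:
        nonlocal run, gap
        if len(run) >= min_digits:
            found.append(run)
        run, gap = "", 0

    for ch in text:
        ch = HOMOGLYPHS.get(ch, ch)
        if ch.isdigit():
            run += ch
            gap = 0
        elif ch.isalpha() or gap >= max_gap:
            flush()
        else:
            gap += 1          # a separator symbol, tolerated for a while
    flush()
    return found


def contains_phone(text: str) -> bool:
    return bool(extract_numbers(text))


# Constructed spam snippets, one per evasion technique, plus a clean one.
SAMPLES = [
    "Звоните: 8-9*2*6-1.2.3.4.5.6.7",                                   # symbols between digits
    "тел. восемь девять два шесть один два три четыре пять шесть семь",  # spelled out
    "тел: 8 (9З6) 1З4-5б-78",                                           # Cyrillic look-alikes
    "Москва 123-45-67",                                                  # city name as area code
    "Обычное письмо без телефона.",                                      # clean
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(extract_numbers(s), "<-", s)
```

The `max_gap` tolerance is what separates "8-9*2*6" from ordinary prose: short runs of punctuation between digits are absorbed, while any real letter ends the run, so a stray look-alike letter inside a normal word never grows into a false hit.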
FakeScanti rogue sends users to download additional fake AV solution
The Blackhole exploit kit has been getting a lot of attention recently because it is continually updated with exploits for flaws in popular software and can deliver practically any malware the attackers want. Among those payloads are rogue AV products such as the FakeScanti family. One variant, named “AV Protection 2011,” modifies the infected computer’s HOSTS file (the file that maps hostnames to IP addresses locally, ahead of any DNS lookup) so that when the user tries to visit Google Search, Facebook, or Bing, he or she is redirected to a page hosted in Germany that serves up another variant of the same family. Hijacking the HOSTS file is common behavior for worms and backdoors but is not often seen in rogue AV products, a GFI researcher said. The technique is also often used by phishers to seamlessly redirect users to phishing pages when they try to visit the legitimate ones.
Full Story:
http://www.net-security.org/malware_news.php?id=1920
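Because the HOSTS file is consulted before DNS, the redirect described above survives any change of resolver. The block below is an added example (not GFI’s code) of the audit an endpoint agent or incident responder can run over the file: parse it, ignore comments, and report every watched name that resolves anywhere other than loopback. The hosts-file text is constructed to mimic the behaviour the article describes; 203.0.113.7 is from the TEST-NET-3 documentation range, not a real attacker address.

```python
"""Audit a hosts file for entries that hijack well-known domains.

Added example for the behaviour described above; it is not GFI's code.
The hosts-file text is constructed to mimic what the article describes:
search and social-network names pointed at a remote address so the
victim lands on a page serving more rogue AV. 203.0.113.7 is from the
TEST-NET-3 documentation range, not a real attacker address.
"""
from __future__ import annotations
import ipaddress

# Names a rogue AV or phishing kit typically redirects; subdomains count too.
WATCHED = {"google.com", "facebook.com", "bing.com"}
# Addresses a hosts file may legitimately map a name to (loopback, blackhole).
BENIGN = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}


def parse_hosts(text: str) -> list[tuple]:
    """Return (line number, address, hostname) for every mapping, ignoring
    comments, blank lines and lines whose first field is not an IP."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # malformed line, skip
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower().rstrip(".")))
    return entries


def is_watched(name: str, watched: set[str] = WATCHED) -> bool:
    return any(name == w or name.endswith("." + w) for w in watched)


def find_hijacks(text: str, watched: set[str] = WATCHED) -> list[dict]:
    """Return watched names that resolve somewhere other than loopback."""
    hits = []
    for lineno, addr, name in parse_hosts(text):
        if is_watched(name, watched) and addr not in BENIGN:
            hits.append({"line": lineno, "host": name, "ip": str(addr)})
    return hits


# Constructed hosts file: the stock Windows header plus injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- lines appended by the rogue AV (constructed for this example) ---
203.0.113.7 google.com
203.0.113.7 www.google.com  # trailing comment
203.0.113.7 www.facebook.com facebook.com
203.0.113.7 bing.com
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

On a live system read the file from `C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts` and pass its contents to `find_hijacks`; extending `WATCHED` with your own AV vendor’s update hosts catches the related trick of pointing them at loopback, although that case is deliberately left out of the benign set here.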
Google+ security attracts praise and criticism
Security researchers at University College London subjected Google+ to a first IT security analysis, focused mainly on privacy. The preliminary results are mixed: the researchers commended new functions that improve security when networking among friends, but also highlighted several potentially problematic details. Among these concerns is the way Google+ currently handles images: the researchers showed that photos uploaded to the network retain their metadata, and they say the service does not inform users of this. Another problem area is the Google+ “About” section, where Google prompts users to list previous addresses, previous names, and their maiden name; the researchers said this information could be particularly useful to identity thieves. The researchers commended the fact that Google+ uses SSL encryption by default for the entire Google+ connection, whereas Facebook uses it only for its login page unless a user explicitly enables the feature. The researchers concluded that Google+ sessions therefore offer better protection against “man-in-the-middle” attacks.
Full Story:
http://www.h-online.com/security/news/item/Google-security-attracts-praise-and-criticism-1386437.html
The Thanksgiving weekend brings site headaches for multiple online retailers
PC Mall Inc. and Crutchfield Corp. were among the retailers experiencing significant downtime on their e-commerce sites November 28, according to Web site performance-monitoring firm Catchpoint Systems Inc. The e-commerce site operated by PC Mall had suffered 77 minutes of downtime as of noon Eastern time, Catchpoint said. The Crutchfield site had 60 minutes of downtime. Other e-commerce sites also experienced problems over the holiday weekend, according to a report from Web site performance-monitoring firm AlertBot. The site operated by American Eagle Outfitters Inc. was down for a little over 8 hours between about 9 p.m. Eastern time November 23 and November 28, an AlertBot sales and marketing manager said. “An error message appeared numerous times over the Thanksgiving break,” he said. The e-commerce site operated by Target Corp. experienced loading problems for more than 2 hours November 25, the day after Thanksgiving, the latest difficulty for the redesigned site since its introduction in August. The problems occurred between 3:30 p.m. and 4:10 p.m. and between 5:10 p.m. and 6:45 p.m. Eastern time November 25, AlertBot said.
Full Story:
http://www.internetretailer.com/2011/11/28/thanksgiving-weekend-brings-multiple-site-headaches
Cellphone emergency call service failed following East Coast quake
A cellphone service that is supposed to grant priority to emergency government and public safety calls failed during the August earthquake that rocked the East Coast, a DHS official said November 28. The Wireless Priority Service, a voice feature that does not require a special cellphone, was overwhelmed by text-messaging traffic in the aftermath of the 5.8 magnitude shaker August 23, said the acting director of the DHS National Communications System. It is widely acknowledged that many Americans were unable to make personal calls for several minutes following the earthquake. DHS officials are working with carriers to modify their circuitry by the time of the Republican and Democratic national conventions late summer of next year, he said. “That is a significant requirement that we must have,” he said. He told Nextgov that Alcatel-Lucent’s hardware should be fixed by Christmas.
Full Story:
http://www.nextgov.com/nextgov/ng_20111128_2122.php
Read the Full Daily Open Source Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_113011.pdf
Topics: DHS Infrastructure Reports
150 domain names shut down in probe of counterfeit goods: DHS Open Source Report November 29th
By Kelli Tarala | November 29, 2011
U.S. officials used Cyber Monday (November 28) to announce court orders shutting down 150 domain names of commercial Web sites they say were selling “many millions” of dollars worth of counterfeit goods. Sports jerseys and uniforms, DVDs, shoes and handbags, golf sets, and exercise equipment were among the more popular purchases of “knock off” versions of name brand products, officials said. Investigations show the majority of those engaged in defrauding rights-holding companies and consumers are from China, but the phony goods are also produced in other countries, according to top law enforcement officials. The officials said they conduct undercover purchases with the help of legitimate rights holders to confirm the goods are bogus. They acknowledge the operators of the Web sites are beyond the reach of U.S. agents, and when the sites selling counterfeit goods are shut down, the same criminal enterprises sometimes change domain names and continue to prey on customers. The Immigration and Customs Enforcement agency, the FBI, and U.S. attorney offices cooperated in the investigation, dubbed Operation In Our Sites. The operation they announced November 28 is designed in part to educate consumers to be wary of Web sites that appear to be offering name-brand products at substantially reduced prices. Authorities said they are unable to provide estimates of losses, but are concerned some of the millions of dollars in proceeds may end up in the hands of organized crime rings.
Full Story:
http://www.cnn.com/2011/11/28/tech/websites-counterfiet-goods/index.html?hpt=hp_t3
BlackHole kit enhanced with new Java exploit
A security journalist reported that a new exploit for a recently patched Java flaw is being packaged with the BlackHole kit. All versions of Oracle’s Java except the latest appear to be susceptible, and because many users do not rush to update these components, the exploit could succeed against many machines. Such exploits are easily built into automated tools that, once placed on a Web site, infect the machines of unsuspecting visitors with little effort. The Java exploit works in most browsers except Google Chrome, which for reasons not yet clear often blocks attacks launched with the new package. The journalist also believes that, in theory, the attack could work against Mac OS X, but so far it has only been seen on Windows. The hacker advertising the new Java exploit is giving it away free to customers who already bought the BlackHole kit; for newcomers the price is around $4,000 plus the cost of the BlackHole license.
Full Story:
http://news.softpedia.com/news/BlackHole-Kit-Enhanced-With-New-Java-Exploit-236928.shtml
101Domain.com suffers security breach
101Domain.com appeared to suffer a security breach that “may have resulted in unauthorized access to your personal information and possibly payment information.” According to Webhosting.info, 101domain.com has about 10,000 domain names under management. A message by 101Domain.com to its customers explains: “We need to make you aware of a security breach that may potentially have affected your account. We were recently informed by one of our vendors that some of its systems, and those of a few of its customers, including 101domain.com, were compromised to varying degrees by a phishing attack. Although there is no direct evidence that your information was stolen and we have received no customer complaints, this attack may have resulted in unauthorized access to your personal information and possibly your payment information.”
Full Story:
http://www.thedomains.com/2011/11/27/101domains-com-suffers-securty-breach/
BEAST-driven SSL attack not as bad as it seems claims Context
Researchers at Context Information Security are playing down the level of risk to enterprises from BEAST (Browser Exploit Against SSL/TLS), the attack identified by researchers in late September. As previously reported, those researchers found a way of breaking the SSL/TLS encryption widely used to guarantee the integrity and privacy of data exchanged between Web browsers and servers. After analyzing their findings, Context said attackers are very unlikely to use the complex attack methodology, and provided advice on how to further reduce the risk. According to Context’s research and development manager, developers can increase the attack’s complexity and mitigate the risk of malicious content being injected within the same origin by setting the HTTPOnly property on cookies, which prevents applets or JavaScript from gaining access to the cookie and helps prevent session hijacking. Against this backdrop, Context’s research team argues that, in terms of risk, the BEAST attack is comparable to not setting the HTTPOnly property on cookies, something that is not unusual among Web sites.
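The cookie attribute Context refers to is spelled `HttpOnly` in the Set-Cookie header, and it is worth being precise about what it buys: it keeps script (`document.cookie`) from reading the cookie, but the browser still attaches the cookie to every request, which is exactly the traffic BEAST works on. It therefore limits what injected script can steal rather than blocking the attack itself. The block below is an added example (not Context’s code) of the response check a scanner would run: parse each Set-Cookie header, pick out the cookies that look like they carry a session, and report the ones missing `HttpOnly` or `Secure`, with a helper that shows the corrected header. The sample headers are constructed, and the list of name fragments that mark a cookie as session-bearing is an assumption.

```python
"""Audit Set-Cookie headers for missing HttpOnly/Secure attributes.

Added example for the cookie hardening Context recommends; it is not
Context's code. HttpOnly keeps script (document.cookie) from reading
the cookie; the browser still attaches it to every request, so the flag
limits what injected script can steal rather than blocking BEAST itself.
The sample headers are constructed, and the list of name fragments that
mark a cookie as session-bearing is an assumption.
"""
from __future__ import annotations

# Fragments of cookie names that usually carry a session or auth token.
SESSION_HINTS = ("sess", "sid", "auth", "token")
REQUIRED = ("httponly", "secure")


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a
    case-insensitive attribute map (flag attributes map to True)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    low = name.lower()
    return any(h in low for h in SESSION_HINTS)


def audit(headers: list[str]) -> list[tuple[str, list[str]]]:
    """Return (cookie name, missing attributes) for each session-looking
    cookie that lacks HttpOnly or Secure."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if not is_session_cookie(c["name"]):
            continue
        missing = [a for a in REQUIRED if a not in c["attrs"]]
        if missing:
            findings.append((c["name"], missing))
    return findings


def harden(header: str) -> str:
    """Rewrite one Set-Cookie value so it carries HttpOnly and Secure."""
    attrs = parse_set_cookie(header)["attrs"]
    out = header.strip().rstrip(";").rstrip()
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "secure" not in attrs:
        out += "; Secure"
    return out


# Constructed response headers: the first two are the weak settings,
# the third is already correct, the fourth is not a session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=9A3F2C1E; Path=/",
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
    print(harden(SAMPLE_HEADERS[0]))
```

`Secure` is checked alongside `HttpOnly` because a session cookie that is also sent over plain HTTP gives a network attacker a far cheaper route than BEAST to the same cookie.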
Spotify music service resumes after login problems for users in U.S. and Europe
Users of the Spotify streaming music service were again able to log in the afternoon of November 27 after an outage that lasted several hours and affected users in the United States and Europe. The company did not explain what went wrong, but said in a tweet about 3 p.m. Pacific time that it had identified the problem. Beginning at some point before 1 p.m. Pacific time November 27 some Spotify users trying to log in to the popular music streaming service were greeted with error messages, sparking a flurry of tweets complaining the company was not keeping users informed. Spotify’s service status page reported “All systems are up and feeling jolly good’’ as of 1 p.m. Pacific time. But users trying to log in via the desktop or mobile client were receiving 404 errors. An attempt to log into an account on the Spotify.com Web site generated the error message: “Service Temporarily Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.” Spotify users from Spain, France, the United Kingdom, and the United States took to Twitter to complain.
Full Story:
http://www.mercurynews.com/business/ci_19421484?source=rss
Read the Full Daily Open Source Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_112911.pdf
Topics: DHS Infrastructure Reports