Twitter blog post says company leaked no user data: DHS Infrastructure Highlights May 11th
By Kelli Tarala | May 11, 2012
None of the recently leaked Twitter logins and passwords came from within the company, according to a message posted on Twitter’s Japanese blog May 10. “We have confirmed that no one’s information has been leaked from Twitter,” the blog said, after apologizing to users for their concerns. The comments came after 58,978 login and password combinations were published May 7 to Pastebin, a Web site designed to share programming code but often used by hackers to show off stolen data. The company already said much of the account information posted was duplicates, unmatched log-in credentials, and spam accounts. In its Japanese blog posting, Twitter said account data was likely leaked from a different site, and it sent password reset requests to users on the list. It also warned users to avoid “phishing” Web sites, which try to con log-in information out of unwary users, and to use strong passwords that are unique for separate sites.
Full Story:
http://www.computerworld.com/s/article/9227040/
Silicon Valley engineer convicted in Marvell trade secrets case
A Silicon Valley engineer accused of stealing trade secrets from Marvell Technology was convicted of 5 felony charges in a case that has been unfolding in federal court in San Jose, California, for more than 6 years. In a decision made public May 8, a U.S. district judge convicted the man of five counts related to the trade secrets theft but cleared him of four other charges. The man is scheduled to be sentenced in August. He faces up to 10 years in federal prison. A grand jury indicted the man in 2005, charging him with exploiting his position as an engineer with Netgear, a Marvell customer, to gain access to Marvell’s tech secrets. During trial, prosecutors alleged he downloaded a host of confidential materials from Marvell onto his laptop when he moved from Netgear to Marvell rival Broadcom in 2005. The man, prosecutors alleged in court papers, went on a “downloading spree of proprietary and trade secret materials from Marvell’s Extranet that had no legitimate explanation.” The collection of tech secrets was found on the man’s computer when FBI agents raided his Belmont home in June 2005.
Personal information on North Carolina Charlotte students and faculty exposed
The University of North Carolina Charlotte said bank account numbers and Social Security numbers of more than 350,000 students and faculty were accidentally exposed in a computer security breach. The university released results of a study May 9 after the breach was discovered by staff members in February. The university said part of the problem was improper access settings that made the electronic data accessible on the Internet. The information from the school’s general system was exposed for about 3 months, and information from the engineering college was exposed for more than 10 years. State and federal officials continued to investigate how the breach occurred.
Full Story:
http://www.therepublic.com/view/story/3eb77ef4ab304284984b1b9b23226eb7/NC–UNCC-Data-Exposed/
North Miami Marine arrested on tax-related fraud charges
A U.S. Marine from north Miami was arrested May 8 on charges of selling the stolen identities of dozens of fellow soldiers in Afghanistan to a Broward County, Florida woman recently convicted of filing false income-tax returns in their names. The man was arrested at Camp LeJeune in North Carolina by agents for the FBI and the Naval Criminal Investigative Service (NCIS). Based at Camp Leatherneck in Afghanistan, the Marine used his mobile device to send text messages and e-mails to the woman with the names of other Marines in December 2011 and January, according to a criminal complaint. When NCIS agents searched his quarters at Camp Leatherneck, they seized a list containing the names and Social Security numbers of 44 U.S. Marines, according to the criminal complaint. Of those, 21 were on lists found by FBI agents in the woman’s residence when they arrested her in February.
Full Story:
http://www.miamiherald.com/2012/05/08/2789799/a-north-miami-marine-arrested.html
Apple closes numerous holes in Mac OS X and Safari
With the 10.7.4 Mac OS X Lion update and security update 2012-002 for 10.6, Apple closed numerous critical vulnerabilities in Mac OS X and its components. The most prominent fix in this update stops Lion from storing plain text passwords. Due to a mistake in the previous update, Lion stored the passwords of users who mounted their home/user directory from a network volume in the system log unencrypted and readable by anyone with administrative or physical access. Those who continued to use the first version of the FileVault encryption after upgrading from Snow Leopard to Lion were also affected. Further vulnerabilities were fixed in components such as the LoginUIFramework, where a race condition allowed guest users of Lion to log in as another user without having to enter a password. Apple also closed a hole in the HFS filesystem that allowed Lion systems to be infected with malicious code by mounting a specially crafted disk image. Curl is now protected against problems such as the “BEAST” attacks on encrypted connections. One fix, specifically for Mac OS X 10.6, Snow Leopard, is for the Samba server which, if active, allowed remote attackers to inject malicious code into a system without providing any valid access credentials. The Samba server is no longer used in Mac OS X 10.7. Apple also released a security update for its Safari browser for Mac OS X and Windows.
Full Story:
http://www.h-online.com/security/news/item/Apple-closes-numerous-holes-in-Mac-OS-X-and-Safari-1572174.html
Critical vulnerability in vBSEO patched
The developers of the vBSEO extension to the vBulletin forum software closed a critical vulnerability in their plugin. The vBSEO plugin adds search engine optimization (SEO) functionality to the vBulletin core code. The vulnerability — a SQL injection flaw that allows attackers to execute commands and manipulate the contents of the forum’s database — comes only a short time after the developers patched another flaw, which was recently misused to attack online forums en masse. Affected users can download the patched versions of 3.3.x, 3.5.x, and 3.6.0 from the download area of the vBSEO Web site. The vBSEO forum also provides instructions on how to close the security hole manually. Since an exploit was already found in the wild, users should update their installations immediately.
Full Story:
http://www.h-online.com/security/news/item/Critical-vulnerability-in-vBSEO-patched-1572141.html
Research uncovers IRC bot malware for Android
McAfee Labs researchers discovered Android malware that acts as an Internet Relay Chat (IRC) bot. The Android malware, which masquerades as the Madden NFL 2012 video game, has three embedded modules that perform various malicious activities, explained a researcher with McAfee Labs. The main component is a dropper that installs a set of other components — a rooting exploit, IRC bot, and SMS trojan — onto the compromised Android device. The researcher warned that if the user of a compromised Android device receives a message from his/her bank containing a two-way authentication code, that message along with the mobile number is sent to the remote attacker, who can use it to compromise bank transactions.
Full Story:
http://www.infosecurity-magazine.com/view/25673/research-uncovers-irc-bot-malware-for-android/
Security of industrial control systems questioned at DHS conference
Operators of America’s power, water, and manufacturing facilities use industrial control systems (ICS) to manage them. However, the security of these systems, increasingly linked with Microsoft Windows and the Internet, is now under intense scrutiny because of growing awareness that they could be attacked and cause massive disruptions. Industrial facility operators are making efforts to follow security procedures, such as using vulnerability-assessment scanning tools to check for needed patches in Windows. However, ICS environments present special problems, said managers who spoke on the topic at a conference organized by the DHS. Currently, energy and manufacturing facilities are being openly warned by DHS and its Industrial Control Systems Computer Emergency Response Team that they are being targeted by attackers who will often try to infiltrate business networks, often through spear phishing attacks against employees, in order to also gain information about ICS operations.
Full Story:
http://news.idg.no/cw/art.cfm?id=F6A00A23-93CE-4ADC-E9CC5545017384EC
ICANN sets target date for re-opening database
The Internet Corporation for Assigned Names and Numbers (ICANN), the group that runs the Internet’s address system said it is aiming to re-open the application process for those seeking to launch a new domain name by May 22. If it meets this goal, ICANN said the application process would remain open for 5 business days, not counting Memorial Day, and would close May 30. ICANN shut down its application database in April after discovering a glitch that exposed some information about applicants. The group denied its system was hit by a cyberattack. ICANN said it took the database offline to find out what caused the problem and to ensure it would not happen again. The week of April 30, ICANN said that of the 1,268 registered users and 95,000 file attachments in the applications system, about 455 might have been viewed by another applicant. An ICANN spokesman said the group is trying to review all the relevant data before re-opening the application process. It launched its program in January allowing for the introduction of almost any new top-level domain name to compete with the 22 existing generic domain names. The application process for the program was originally scheduled to close April 12. ICANN eventually suspended the application process after discovering the database problem.
Full Story:
http://www.nextgov.com/big-data/2012/05/icann-sets-target-date-re-opening-database/55651/?oref=ng-dropdown
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.
Apple engineering mistake exposes clear-text passwords for Lion: DHS Infrastructure Highlights May 7th
By Kelli Tarala | May 8, 2012
Apple’s latest update to OS X contains a programming error that reveals the passwords for material stored in the first version of FileVault, the company’s encryption technology, a software consultant said. He wrote on Cryptome that a debugging switch inadvertently left on in the current release of Lion, version 10.7.3, records in clear text the password needed to open the folder encrypted by the older version of FileVault. Users who are vulnerable are those who upgraded to Lion but are using the older version of FileVault. The debug switch will record the Lion passwords for anyone who logged in since the upgrade to version 10.7.3, released in early February. Apple has two versions of FileVault. The first version allowed a user to encrypt the contents of the home folder using the Advanced Encryption Standard (AES) with 128-bit keys. An upgraded product, FileVault 2, which shipped with OS X Lion, encrypts the entire content of the hard drive. When someone upgrades to Lion but still uses the first version, the encrypted home folder is migrated, which is now vulnerable with this security issue. The consultant said the password is accessible to anyone with root or administrator access. He said passwords can also be read by “booting the machine into FireWire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file.”
Full Story:
http://www.computerworld.com/s/article/9226916/
Gas pipeline cyber intrusion campaign
In March, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identified an active series of cyber intrusions targeting natural gas pipeline sector companies, ICS-CERT reported May 4. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations. Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign. It appears to have started in December 2011 and remains active. Analysis showed the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization. ICS-CERT has issued an alert to the United States Computer Emergency Readiness Team Control Systems Center secure portal library and also disseminated them to sector organizations and agencies to ensure broad distribution to asset owners and operators. ICS-CERT is currently engaged with multiple organizations to identify the scope of infection and provide recommendations for mitigating it and eradicating it from networks.
Full Story:
http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Apr2012.pdf
NASA, ESA confirm hacks; The Unknowns says systems patched
NASA and the European Space Agency (ESA) confirmed they were recently hacked, ZDNet reported May 4. The hacking group The Unknowns said most of the 10 companies it attacked patched their systems, which was supposedly their goal. “NASA security officials detected an intrusion into the site on April 20 and took it offline,” a NASA spokesperson said in a statement. “The agency takes the issue of IT security very seriously and at no point was sensitive or controlled information compromised. NASA has made significant progress to better protect the agency’s IT systems and is in the process of mitigating any remaining vulnerabilities that could allow intrusions in the future,” it said. “The group used SQL injection … The use of SQL injection is an admitted vulnerability,” an ESA security office manager told ZDNet. “This needs to be addressed at a coding level.”
Full Story:
http://www.zdnet.com/blog/security/nasa-esa-confirm-hacks-the-unknowns-says-systems-patched/11902
Adobe preps silent Flash updates for Macs
May 4, Adobe released a new beta of Flash Player, 11.3 or “Beta 3,” that includes silent updates for Macs. This updated program pings Adobe’s servers every hour until it receives a response. If it reaches Adobe and finds no ready update, the tool re-checks the servers 24 hours later. Found updates are applied entirely in the background, and do not display notices on the screen or require the user to take any action. By default, Flash 11.3 has silent updates switched on, but users can change the setting to continue to receive on-screen alerts. Another prominent feature is a “sandboxed” plug-in for Mozilla’s Firefox on Windows Vista and Windows 7, the second step in Adobe’s plan to stymie attacks that exploit unpatched Flash bugs. Adobe plans to ship the final version of Flash Player 11.3 before the end of June.
Full Story:
http://www.computerworld.com/s/article/9226921/Adobe_preps_silent_Flash_updates_for_Macs
Phishers mimic OpenID to steal credentials
New spam e-mail campaigns are taking advantage of users’ vague familiarity with the OpenID authentication method to phish their log-in credentials for many different and popular online services, warn Barracuda Labs researchers. The e-mails in question currently take the form of an offer from a real estate company or of a bogus UPS tracking alert. After following the offered link, users are presented with a fake log-in page hosted on a compromised site. The page itself does not mention OpenID, but the logos of large and popular Web sites that use and provide the option of OpenID authentication (Google, AOL, Yahoo!, etc.) can fool users into thinking the page is legitimate. Whichever e-mail the user selects, a pop-up window requesting log-in credentials appears. “This is not how OpenID authentication works,” the researchers point out. “With genuine OpenID authentication we would be directed to a secure Yahoo Web page which would ask for credentials.” In this case, the entered credentials are simply forwarded in plain text to a remote server operated by the phishers, and the user is redirected to the real estate agency’s or UPS’ legitimate Web site.
Full Story:
http://www.net-security.org/secworld.php?id=12874&utm
PHP will try again to patch chip flaw
The PHP Group plans to release new versions of the PHP processor May 8 to patch two publicly known critical remote code execution vulnerabilities, one of which was improperly addressed in a May 3 update. One of the vulnerabilities is known as CVE-2012-1823 and is located in php-cgi, a component that allows PHP to run in a Common Gateway Interface (CGI) configuration. It was discovered and reported to the PHP Group in mid-January by a team of computer security enthusiasts called De Eindbazen. The bug allows for URL query strings that contain the “-” character to be interpreted by the php-cgi binary as command line switches, such as -s, -d, -c. The vulnerability can be exploited to disclose source code from PHP scripts or to remotely execute arbitrary code on vulnerable systems. May 3, the PHP Group released PHP 5.3.12 and PHP 5.4.2 as emergency updates to address the remote code execution flaw after technical details about it were accidentally made public. However, shortly afterward, the creator of the Suhosin PHP security extension and other security experts noted the CVE-2012-1823 fix included in PHP 5.3.12 and PHP 5.4.2 can easily be bypassed. The PHP Group acknowledged the ineffectiveness of its original patch May 6 and announced plans to release new updates May 8.
Full Story:
http://www.computerworld.com/s/article/9226923/PHP_will_try_again_to_patch_chip_flaw
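As an added detection example (not code from the article or from the PHP project): a small access-log scanner that flags requests to PHP resources whose query string, once percent-decoded, begins with “-”, the pattern the story describes php-cgi mistaking for command line switches. The log format is Apache “combined” style and the sample lines are constructed.

```python
"""Scan web server access logs for CVE-2012-1823-style query strings.

php-cgi treats a query string that begins with "-" as command line switches
(the article names -s, -d and -c). This scanner flags any request to a PHP
resource whose decoded query string starts with "-", so that a defender can
spot probing against a CGI-configured PHP install. Added example; log lines
are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def looks_like_cgi_switch(target: str):
    """Return the decoded query string if it would read as php-cgi switches, else None.

    Only PHP resources are considered, and the query is percent-decoded first so
    an encoded leading hyphen (%2D) is treated the same as a literal one.
    """
    if "?" not in target:
        return None
    path, _, query = target.partition("?")
    lowered = path.lower()
    if not (lowered.endswith(".php") or "/php" in lowered):
        return None
    decoded = unquote(query)
    if decoded.lstrip().startswith("-"):
        return decoded
    return None


def scan_log(lines):
    """Return a list of hits: {"ip", "ts", "target", "query"} for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip rather than crash
        query = looks_like_cgi_switch(m.group("target"))
        if query is not None:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "query": query,
            })
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2012:10:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [08/May/2012:10:01:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/May/2012:10:01:04 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 512 "-" "curl/7.21"',
    '198.51.100.8 - - [08/May/2012:10:01:05 +0000] "GET /static/app.js?-v HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    'this line is not in the expected log format',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['target']} -> decoded query {hit['query']!r}")
```

The second constructed hit shows why decoding matters: the encoded hyphen would slip past a naive literal "?-" match.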
1,000+ WordPress sites compromised through automatic update feature
More than 1,000 WordPress blogs were modified to redirect visitors to sites serving malware, affiliate, and pay-per-click redirectors and low quality PPC search result aggregators through WordPress’s automatic update feature. The individuals behind the attack discovered how to add the malicious code to the update.php file, which prompts WordPress to update. This code then injects other code in the wp-settings.PHP file, which performs the redirects.
Full Story:
http://www.net-security.org/secworld.php?id=12865
Cyber security is weakest link in state preparedness, according to FEMA survey
Although States have made huge strides in emergency and natural disaster preparedness, they are still vulnerable to cyber disasters, according to the Federal Emergency Management Agency National Preparedness Report released May 4. The study said despite progress across core areas such as planning and operational coordination for natural disasters, and information sharing among intelligence agencies on terror activity, States indicated cyber security was their weakest core capability.
Full Story:
http://www.gsnmagazine.com/node/26273
Service automates boobytrapping of hacked sites: DHS Infrastructure Highlights May 3rd
By Kelli Tarala | May 3, 2012
One aspect of hacks seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites. This is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that distribute malware and browser exploits. A decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set. Currently, a huge percentage of malware in the wild has the built-in ability to steal FTP credentials from infected PCs. This is possible because those who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials. Some services offer a menu of extras to help customers maintain their Web-based minefields.
Full Story:
http://krebsonsecurity.com/2012/05/service-automates-boobytrapping-of-hacked-sites/
Trusteer finds new ransomware variant
Ransomware is malware that locks up computers and demands payment for their release. A common ruse is to pretend the malware is actually a “seizure” by law enforcement agencies. Trusteer recently discovered a new variant. Using the Citadel malware platform — a descendant of the Zeus trojan — the new malware is called Reveton and claims to have come from the U.S. Department of Justice. It locks the computer and displays a warning screen claiming the IP address of the computer was detected accessing child pornography sites. A fine of $100 is payable. It advises how the payment should be made in order to unlock the computer.
Full Story:
http://www.infosecurity-magazine.com/view/25490/trusteer-finds-new-ransomware-variant/
New Flashback variant using Twitter as backup C&C channel
The latest version of the Flashback malware infecting Macs has a new command-and-control (C&C) infrastructure that uses Twitter as a fallback mechanism in the event the normal C&C system is not available. This version of Flashback, which infects Macs through exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type is used as a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack Web search traffic and push it to servers they control. The second tier is used to send commands to infected machines to perform specific actions on Macs. Analysts at Dr. Web, a Russian security firm, found that when infected Macs connect to the second type of C&C server, if they do not receive a correctly formatted reply, they will perform a search on Twitter for a specially formatted string.
Full Story:
http://threatpost.com/en_us/blogs/new-flashback-variant-using-twitter-backup-cc-channel-043012
Attackers place command and control servers inside enterprise walls
Skilled attackers are burrowing their command and control (C&C) servers inside the networks of compromised businesses to circumvent security measures, according to a security expert familiar with the innovative new attack method. Trend Micro observed dozens of incidents where these tactics were used. In many cases, the compromised servers being used for C&C were compromised in previous attacks and hackers were able to maintain access, the researcher said. The technique helps attackers remain stealthy as they exfiltrate data, as very little C&C traffic leaves the network. Also, the cyber criminals that conduct these types of attacks were seen applying software patches to the compromised systems to ensure other attackers are kept out and the systems are not potentially red-flagged.
Full Story:
http://www.securityweek.com/new-attack-method-puts-command-and-control-servers-inside-enterprise-walls
Firefox add-on exposes visited URLs
A Sophos researcher reported that the ShowIP add-on for Mozilla’s Firefox browser sends the URLs of visited Web pages to a Web service called ip2info.org in unencrypted form. Apparently, the browser extension does not restrict this behavior to the normal browsing mode — it also transmits URLs accessed via HTTPS and any sites visited while in “Private Browsing” mode. ShowIP displays the IP addresses (IPv4/IPv6) of the current Web page in the browser’s status bar and gives access to querying services. The extension is particularly popular with network administrators and developers; according to Mozilla, the add-on has been installed by nearly 170,000 Firefox users. The described behavior was first observed in version 1.3 of the GPLv2-licensed add-on, which was published April 19, and remains in newer releases. Many users complained about the privacy violation on Mozilla’s add-on page; the ShowIP Dev Team, the developer of the add-on, responded by explaining that the add-on sends the URL to the server “to access the ip2location database” and promised HTTPS will be added as soon as possible. Mozilla responded by rolling back the available version of ShowIP on the Mozilla Add-ons site to version 1.0, and said it is working with the developer to address the issues.
Full Story:
http://www.h-online.com/security/news/item/Firefox-add-on-exposes-visited-URLs-1565273.html
Microsoft detects new malware targeting Apple computers
Microsoft detected a new piece of malware targeting Apple OS X computers that exploits a vulnerability in the Office productivity suite patched nearly 3 years ago. The malware is not widespread, a researcher from Microsoft’s Malware Protection Center said. However, the malware shows hackers pay attention to people not applying patches when fixes are released, which puts their computers at a higher risk of becoming infected. The security update Microsoft released in June 2009, MS09-027, addressed two vulnerabilities that could be used by an attacker to gain remote control over a machine and run other code. Both vulnerabilities could be exploited with a specially-crafted Word document. The exploit discovered by Microsoft does not work with OS X Lion, but does work with Snow Leopard and prior versions. The researcher said it is likely attackers have knowledge about the computers they are attacking, such as the victim’s operating system version and patch levels. The malware delivered by the exploit is written specifically for OS X and is essentially a “backdoor,” or a tool that allows for remote control of a computer. Microsoft advised those who use Microsoft Office 2004 or 2008 for Mac or the Open XML File Format Converter for Mac to ensure those products applied the patch.
Full Story:
http://www.computerworld.com/s/article/9226777/
Oracle makes SSL use in database clusters free
A recent exposure of a vulnerability in current Oracle databases made Oracle issue a new advisory and offer SSL support to particular customers for free. The vulnerability allows an attacker to listen in on database queries and has no appropriate patches. An Oracle blog post provides the background to why the company issued the new advisory — Oracle Security Alert for CVE-2012-1675 directs customers to two support notes, one for customers without Oracle Real Application Clusters (RAC) and one for those with Oracle RAC. For those without RAC, Oracle recommends limiting registration of new listeners to the local node and IPC protocols; instructions are provided in the Oracle Support note “Using Class of Secure Transport (COST) to Restrict Instance Registration.” For those with RAC or Exadata, the problem is more complex and the use of COST in those situations also means the use of SSL/TLS Encryption as detailed in the support note. The issue was that SSL/TLS encryption was sold at extra cost as Oracle Advanced Security. However, Oracle has now updated its licensing so customers can use the SSL/TLS mechanisms to protect themselves against the vulnerability. With the change in licensing and the availability of an effective workaround, it is unlikely Oracle will be producing a patch for its databases in the near future. Oracle is, however, emphatic that users should fix the problem. The advisory indicates the problem affects Oracle Database 11gR2 11.2.0.2 and 11.2.0.3, 11gR1 11.1.0.7, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5. Users of Oracle Fusion Middleware, Enterprise Manager, or E-Business Suite should also be aware of the issue as these products include the vulnerable Oracle Database software.
Full Story:
http://www.h-online.com/security/news/item/Oracle-makes-SSL-use-in-database-clusters-free-1565661.html
Skype investigates tool that reveals users’ IP addresses: DHS Infrastructure Highlights May 2nd
By Kelli Tarala | May 2, 2012
May 1, Skype said it was investigating a new tool that collects a person’s last known IP address, a potential privacy-compromising issue. Instructions posted on Pastebin April 26 show how a person’s IP address could be shown without adding the targeted user as a contact by looking at the person’s general information and log files. In October 2011, Skype acknowledged a research paper that showed how a Skype user’s IP address can be determined without the user knowing. It also demonstrated that more than half the time the IP address could be accurately linked to sharing content using the BitTorrent file-sharing protocol. Skype uses a peer-to-peer system to route its data traffic, which is also encrypted. However, the program’s encryption system is proprietary and has not been open for scrutiny, which has prompted caution from security experts.
Full Story:
http://www.pcworld.com/businesscenter/article/254763/
Feds: Soldier sold stolen arms on eBay
A U.S. soldier with connections to Orlando, Florida, sold stolen arms to buyers on eBay while he was deployed in Iraq in 2010, according to DHS investigators. The man is accused of violating federal law regarding the export of sensitive technology such as night-vision equipment, rifle scopes, and high-powered infrared lasers not intended for the public, according to an affidavit filed in federal court in Orlando. The man told buyers he was retired from the military and based in Orlando selling surplus equipment, investigators said. His listing touted the arms as being extremely rare and “impossible to find on the international market,” the affidavit said. He shipped lasers to buyers in Japan and Nevada, a high-tech satellite phone was sent to Kuwait, and other equipment was shipped to California. The items were sold for a few thousand dollars each. eBay eventually took down the postings because they violated its policies. Investigators tracked down some recipients and recovered stolen items. The man told investigators that while he was in the military guarding non-combat envoys, he came across a container with the items and brought them all back to Orlando. He claimed he did not know civilians were prohibited from possessing the equipment, but knew it was wrong to sell them. However, the man’s e-mails with a buyer in Japan show he knew he was violating international arms trafficking regulations and falsified shipping documents to conceal the items as “auto parts.”
Full Story:
http://www.military.com/news/article/feds-soldier-sold-stolen-arms-on-ebay.html
Incessant Blackhole spam runs likely made by same group
An incessant string of spam e-mail campaigns leading to Web sites hosting the Blackhole exploit kit are hitting inboxes around the world in waves. The latest and most prominent ones consisted of the fake Facebook, LinkedIn, U.S. Postal Service, and US Airways notifications, while the most recent one spotted masquerades as an e-mail from employment Web site CareerBuilder.com, indicating the recipient might find a job opening appealing. The offered link takes the recipient through many redirections and lands the user on a compromised site. According to a recent analysis by Trend Micro researchers, these spam messages are mostly targeting U.S. users, and are often realistic spoofs of the companies’ original and legitimate e-mails. “We found clear evidence that all these attacks were linked. In many cases, the same sets of compromised URLs by multiple spam runs,” the researchers said. “This suggests that at least some of the parties responsible for these attacks were identical, if it was not the same group altogether.” The ultimate goal of these attacks is the same: the exploit kit is used to allow installation of malware — predominantly Zeus trojan variants — onto users’ computers.
Full Story:
http://www.net-security.org/malware_news.php?id=2089
Chrome 18 update closes high-risk security holes
Google released a new update April 30 to the stable 18.x branch of its Chrome Web browser to close a number of security holes found in the application. The update, labelled 18.0.1025.168, addresses five vulnerabilities, three of which are rated as “high severity” by the company. These include use-after-free problems in floating point handling and the XML parser; all of these bugs were detected using the AddressSanitizer. Two medium risk problems related to IPC validation and a race condition in sandbox IPC were also corrected.
Full Story:
http://www.h-online.com/security/news/item/Chrome-18-update-closes-high-risk-security-holes-1564337.html
Targeted attacks, mobile vulnerabilities on the rise, report states
The findings of the latest “Internet Security Threat Report” from Symantec can be summed up as: “Attacks are rising, but the number of new vulnerabilities is decreasing.” This describes the threat landscape in 2011 in which hackers continued to exploit known vulnerabilities through new vectors as enterprises and end users failed to keep up with the flood of security updates from vendors patching their software. “The old vulnerabilities still work,” said the manager of Symantec’s security technology and response product group and a contributor to the report. Malware variants are being packaged in attack toolkits that effectively circumvent signature-based defenses. The data in the report is gathered from the company’s Global Intelligence Network monitoring activity in more than 200 countries. The total number of vulnerabilities reported in 2011 dropped 20 percent, from a high of 6,253 in 2010 to fewer than 5,000. Over the same time, the number of unique variants of malware identified in the wild increased 41 percent and the number of attacks blocked by Symantec tools jumped 81 percent to 5.5 billion in 2011. The vectors for delivering the malware are shifting, with Web attacks and social engineering through social networks replacing e-mail as the method of choice. This is due in part to successful law enforcement campaigns against command-and-control systems for spam-spewing botnets in 2011, and also because the Web offers a good alternative. Targeted attacks, which have proven to be effective in breaching high-value organizations through carefully crafted social engineering, increased during 2011, from 26 such attacks identified in January of that year to 154 in December. At the same time, the attacks are now targeting smaller organizations and lower-level employees.
Full Story:
http://gcn.com/articles/2012/05/01/internet-threat-report-targeted-attacks-mobile-vectors.aspx
VMware patches vulnerabilities in ESX 4.1
Virtualization specialist VMware is warning customers about multiple security holes in versions 4.0 and 4.1 of its ESX enterprise-level computer virtualization product. According to the company, the Service Console in ESX 4.1 on unpatched systems can be exploited by a local user in a guest virtual machine to gain escalated privileges, or by a malicious remote user to cause a denial-of-service condition or compromise a victim’s system. In its advisory, VMware notes that some of these holes, found in previous versions of the libxml2 XML C parser and toolkit used by the ESX Console Operating System (COS), were closed by updating libxml2 to a newer release. Versions 4.0 and 4.1 of ESX are affected; vCenter, ESXi, and ESX 3.5, as well as hosted products such as VMware Workstation, Player, ACE, and Fusion, are not vulnerable. Patches are available for ESX 4.1 that correct these problems, while patches for version 4.0 are listed as “pending.”
Full Story:
http://www.h-online.com/security/news/item/VMware-patches-vulnerabilities-in-ESX-4-1-1564129.htm
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.
Gamex trojan threatens Android users: DHS Infrastructure Highlights May 1st
By Kelli Tarala | May 1, 2012
A new Android trojan that paves the way for the download of other applications has been spotted on third-party Web sites, camouflaged as legitimate file managing, ad blocking, and performance boosting apps. According to Lookout researchers, the Gamex trojan’s functionality is split across three components. Once the downloaded app repackaged with the trojan is granted root access by the user, the malware takes advantage of this permission to install another app onto the device, which then functions as a privileged installation service. “A third component communicates with a remote server, downloads apps, and triggers their installation. Gamex also reports the installation of these applications, along with the IMEI and IMSI, to a remote server,” researchers explained. “We believe that this information is used to operate and/or report installations to a malicious affiliate app promotion network.”
Full Story:
http://www.net-security.org/malware_news.php?id=2086
Phishing email targets Santander clients
Customers of Santander, one of the largest banking groups in the world, are currently being targeted with a phishing e-mail masquerading as a bogus notification of a scheduled software upgrade. According to Hoax-Slayer, the offered link takes users to a spoofed Santander online banking Web site, where they are asked to enter their ID, passcode, customer PIN, mobile number, landline number, and date of birth. Having done that, the site requests users to set up three security questions and answers, which are then misused by the phishers to gain access to the users’ account. In the end, users are redirected to the legitimate Web site of Santander’s United Kingdom branch in order to maintain the illusion that nothing out of the ordinary happened.
Full Story:
http://www.net-security.org/secworld.php?id=12834
New email claims to be from FDIC, threatens users’ confidential and personal data
A fraudulent e-mail offering cash in return for survey information could obtain access to personal and confidential data, WEWS 5 Cleveland reported April 27. The Federal Deposit Insurance Corporation (FDIC) issued a warning to computer users that it received numerous reports of fraudulent e-mails that have the appearance of having been sent by the FDIC. The e-mail contains a subject line “Survey Code: STJSPNUPUT.” It reads “you have been chosen by the FDIC to take part in our quick and easy 5 question survey. In response, will credit $100 dollars to your account just for your time.” The FDIC is warning consumers not to click on the link provided in the e-mail, as it is intended to obtain personal information or load malicious software onto users’ computers. The FDIC reminds consumers that it does not send unsolicited e-mail to consumers or business account holders.
AntiSec hackers steal 40 GB of data from Lake County Sheriff’s Office
Softpedia reported April 28 a massive 40 gigabytes worth of files were stolen by Anonymous hackers operating under the AntiSec banner from the internal networks of the Lake County Sheriff’s Office (LCSO) in Florida. One of the hackers who participated in the operation told Softpedia that out of the 40 gigabytes of data, around 35 gigabytes represent forensic software and other applications used by law enforcement agencies. The other 5 gigabytes are made up of reports that detail LCSO operations such as Op Inmate Intelligence Gathering and Operation Screen Savers. The files also include corporate security IPDR reports from Sprint Nextel that show the telecoms firm hands over private data to the authorities. Phone lists that reveal financial crimes, intelligence bulletins from the FBI, communication codes, and communications equipment are all contained in the data dump. Furthermore, hackers leaked the locations of U.S. Army Reserve facilities, badge numbers, 9-1-1 calls, log-in credentials, manuals, and official bulletins from the Department of Justice.
Down but not out: Conficker camouflages new Windows infections
Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks secondary infections and makes those machines easier to exploit, a security expert found. That is the biggest reason why Conficker, although crippled and seemingly abandoned by its makers, remains a threat and should be eradicated, a senior technologist at Neustar and a cybersecurity adviser to the White House said. Neustar is an information and analytics provider, and one of the corporate members of the Conficker Working Group (CWG), which has been “sinkholing” the Conficker botnet for more than 2 years. The week of April 23, Microsoft said Conficker infected, or tried to infect, 1.7 million Windows PCs in 2011’s fourth quarter. Microsoft called on users to strengthen passwords to stymie the malware. Conficker provides the cover the researcher spoke about because of two defensive tactics designed to keep it alive: the worm disables most antivirus software, including Microsoft’s Windows Defender and Security Essentials, and switches off Windows’ Automatic Updates, the service used by virtually all Windows users to keep their PCs patched. It also blocks access to security product Web sites — preventing signature updates for antivirus software — and to the Windows Update Web site. Without antivirus software, Conficker-infected systems are unlikely to detect and deflect other malware. If Automatic Updates is disabled, the machine will not receive any new security patches from Microsoft, leaving it open to attack by new threats that exploit those underlying vulnerabilities.
Full Story:
http://www.computerworld.com/s/article/9226697/
Cybercriminals control Android TigerBot via SMS
At the beginning of April, security researchers found a number of Chinese Android stores were pushing applications that masked a piece of malware called TigerBot (ANDROIDOS_TIGERBOT.EVL). Also known as Spyera, the malicious element was analyzed by Trend Micro experts. They discovered the malware was controlled by its masters via SMS or phone calls, being capable of performing a number of tasks, including call recording and GPS tracking. The list of commands accepted by TigerBot includes DEBUG, CHANGE_IAP, PROCESS_LIST_ADD, PROCESS_LIST_DELETE, ACTIVE, and DEACTIVE.
Full Story:
http://news.softpedia.com/news/Cybercriminals-Control-Android-TigerBot-Via-SMS-267066.shtml
Snow Leopard users most prone to Flashback infection
Of the Macs infected by the Flashback malware, nearly two-thirds are running OS X 10.6, known as Snow Leopard, a Russian antivirus company said April 27. Doctor Web, which earlier in April was the first to report the largest-ever malware attack against Apple Macs, mined data it intercepted from compromised computers to develop its findings. The company, along with other security vendors, has been “sinkholing” select command-and-control domains used by the Flashback botnet — hijacking them before the hackers could use the domains to issue orders or update attack code — to estimate the botnet’s size and disrupt its operation. April 27, Doctor Web published an analysis of communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place April 13. Flashback uses a critical vulnerability in Java to worm its way onto Macs. Although Apple, which continues to maintain Java for its OS X users, patched the bug in early April, it did so 7 weeks after Oracle disclosed the flaw when it shipped Java updates for Windows and Linux. Sixty-three percent of Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple’s operating system that comes with Java. Snow Leopard accounted for the largest share of OS X in March, according to metrics company Net Applications, making it the prime target of Flashback.
Full Story:
http://www.computerworld.com/s/article/9226696/
Backdoor that threatens power stations to be purged from control system
Mission-critical routers used to control electric substations and other critical infrastructure are being updated to remove a previously undocumented backdoor that could allow vandals to hijack the devices, manufacturer RuggedCom said April 27. The announcement by the Ontario, Canada-based company comes 2 days after Ars Technica reported the company’s entire line of devices running its Rugged Operating System contained a backdoor with an easily determined password. The backdoor, which cannot be disabled, had not been publicly acknowledged by the company until now, leaving the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear vulnerable to sabotage that could affect the safety of huge populations of people.