Conn. man gets 30 months in prison for 'warez' operation A Woodbury, Conn., man is sentenced to 30 months in prison for his role in Web sites selling unauthorized copies of movies, music and software. Read more...
Microsoft botnet-hunting tool helps bust hackers
"Although Microsoft is reluctant to give out details on its botnet buster -- the company said that even revealing its name could give cybercriminals a clue on how to thwart it -- company executives discussed it at a closed-door conference held for law enforcement professionals Monday. The tool includes data and software that helps law enforcers get a better picture of the data being provided by Microsoft's users, said Tim Cranton, associate general counsel with Microsoft's World Wide Internet Safety Programs. "I think of it ... as botnet intelligence," he said."
Microsoft highlights efforts to police the Net
http://www.crime-research.org/news/28.04.2008/3337/
Cybercrime in the UK has dropped in the first quarter of 2008 by nearly 2 per cent, compared to the same period last year, a new report reveals.While studies show an increase in Web-based threats globally compared to 2007, the UK only hosts 1.1 per cent of Web-based malware, compared to 3 per cent in the same period last year.
However, the Security Threat Report by IT security and control firm Sophos shows a new infected website is found every five seconds, compared to with one every 14 seconds last year.The US in particular has experienced unprecedented growth, from hosting less than 25 per cent of all infected pages overall in 2007, to almost half in the first three months of 2008.China has demonstrated the biggest drop, from hosting more than half of all the infected pages in 2007, to just under a third in the first quarter of 2008.
The report reveals that data leakage continues to be a major concern for organisations. Several high profile cases of businesses losing sensitive customer information were reported during the first three months of 2008.
The largest reported data breach this year involved the credit card numbers of more than four million customers being stolen from US supermarket chain Hannaford Bros. The data, taken by cyber criminals using malware installed on servers at the chain’s branches, have already been used in approximately 1,800 fraud cases.
Microsoft: June 30 not end of Windows XP support
Researcher finds new flaw in QuickTime for Windows
"More and more hackers are turning to exploiting vulnerabilities in applications as a means of launching attacks, since it's becoming increasingly difficult to find problems in operating systems, Alan Paller, director of research for the SANS Institute, said last week at the Infosec conference in London."
Antivirus vendors slam Defcon virus contest
After Web defacement, university warns of data breach
'Long-Term' Phishing Attack Underway - 4/28/2008 5:15:00 PM New phishing exploit doesn't bother asking for passwords, and its stealthy malware hides out on victim's machine
"The latest tack is phishing emails posing as Comerica Bank and Colonial Bank that ask banking customers to renew their digital certificates. When they click on the link for more information on the phony renewal process, it downloads the nasty Trojan onto their desktops."
Court rejects RIAA's 'making available' piracy argument
news.com — In Atlantic v. Howell, Judge Neil V. Wake denied the labels' motion for summary judgment in a 17-page decision (PDF), allowing the suit to proceed to trial. The argument--that merely the act of making music files available for download constituted copyright infringement--has been the basis for the Recording Industry Association of America's legal bMore… (Political News)
US Supreme Court Upholds Indiana Voter ID Law
The Supreme Court on Monday upheld (pdf) Indiana’s voter-identification law, declaring that a requirement to produce photo identification is not unconstitutional and that the state has a “valid interest” in improving election procedures as well as deterring fraud. EPIC had submitted a brief (pdf) detailing problems with the law. "Not only has the state failed to establish the need for the voter identification law or to address the disparate impact of the law, the state's voter ID system is imperfect, and relies on a flawed federal identification system."
Supreme Court Upholds Voter Identification Law in Indiana, New York Times, April 29, 2008.
(Minor) evolution in Mac DNS changer malware
Published: 2008-04-30,Last Updated: 2008-04-30 09:27:16 UTC
by Bojan Zdrnja (Version: 1)
Back in November last year we published a diary about Mac DNS changer malware (http://isc.sans.org/diary.html?storyid=3595). The main idea about this was to let Mac users aware that the bad guys are not ignoring this platform any more.
While the malware itself was not anything spectacular (i.e. it did not exploit any vulnerabilities, but was based on social engineering), the way it was packed showed that the attackers meant real business.
All the malware did was change local DNS servers to couple of servers in a known bad network, and tell the command and control server that a new victim is ready.
The anti-virus coverage was especially disappointing. Only couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over the time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it.
One of our readers, Matt, submitted a new sample today. I quickly analyzed it and the sample does exactly the same thing as the one from September – it changes the DNS servers and reports to a C&C server.
However, one thing I noticed was that the attackers started obfuscating the installation code. The obfuscation is very, very simple (they only use the tr command) but, unfortunately, it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs. Signature detection failure I would say …
...
SQL Injection Attacks Against Automatic License Plate Scanners
This picture is almost certainly Photoshopped, and a joke, but it's certainly a clever idea. As automatic license plate scanners become more common, why not get a SQL injection attack as a plate?
Reminds me of this xkcd cartoon.
Posted on April 29, 2008 at 03:21 PM • 26 Comments •
View Blog Reactions
Virtual Kidnapping
A real crime in Mexico:
"We've got your child," he says in rapid-fire Spanish, usually adding an expletive for effect and then rattling off a list of demands that might include cash or jewels dropped off at a certain street corner or a sizable deposit made to a local bank.
The twist is that little Pablo or Teresa is safe and sound at school, not duct-taped to a chair in a rundown flophouse somewhere or stuffed in the back of a pirate taxi. But when the cellphone call comes in, that is not at all clear.
[...]
But identifying the phone numbers — they are now listed on a government Web site — has done little to slow the extortion calls. Nearly all the calls are from cellphones, most of them stolen, authorities say.
On top of that, many extortionists are believed to be pulling off the scams from prisons.
Authorities say hundreds of different criminal gangs are engaged in various telephone scams. Besides the false kidnappings, callers falsely tell people they have won cars or money. Sometimes, people are told to turn off their cellphones for an hour so the service can be repaired; then, relatives are called and told that the cellphone’s owner has been kidnapped. Ransom demands have even been made by text message.
Posted on April 29, 2008 at 05:29 AM • 31 Comments •
View Blog Reactions
More Trouble With Ads on ISPs' Error Pages
http://blogs.washingtonpost.com/securityfix/
Posted at 06:00 AM ET, 04/30/2008
Last week, Security Fix examined new research suggesting that some major Internet service providers are exposing their customers to security flaws when they redirect wayward Web surfers to ad-filled pages. I'm revisiting this controversial practice because another major provider of these services (for one of the nation's largest ISPs) was found to be similarly vulnerable.
As noted here last week, Earthlink and a few other ISPs are using a service from a U.K. company called BareFruit, which helps ISPs redirect users to ad-filled pages when they either request a Web site that does not exist or when they mistype a real domain, e.g., ww.example.com (notice the missing "w"). Researcher Dan Kaminsky found that BareFruit's servers contained a security flaw that would have made it easy for hackers and scammers to trick the ISP's customers into visiting phishing sites or downloading malicious software.
...
German intel agency blasted for cyber espionageNews Brief, 2008-04-29Eight months after the nation's chancellor accused China of information attacks, Germany finds itself in the spotlight over planting programs to spy on other countries' officials.
Experts warn over SQL injection attacksNews Brief, 2008-04-28Attackers have exploited common vulnerabilities to leave behind code on thousands of sites, redirecting visitors to servers that host malicious downloads.
"We now know how the Whitehouse managed to lose about five million emails. It seems that they 'upgraded' their Lotus Notes system, which had an automatic retention and backup system, for Microsoft Exchange, which did not support the automatic system. So they changed it to a manual process, where aides would manually sort emails one by one into individual PST files, which they call a 'journaling' archive system. They're still building a replacement for the retention system. Right when they had one finished, the White House CIO complained that it made Microsoft Exchange too slow, so they hired yet another contractor to build another one, causing a senior IT official to quit in protest. So they still haven't completed the project after almost eight years, and rely on humans to sort millions of emails."
"The release of Wikiscanner last year brought much attention to white washing of controversial pages on the community generated encyclopedia. Apparently Wikipedia is very serious in fighting such behavior as they've temporarily blocked the US Department of Justice from editing pages for suspicious edits."
"As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."
Marvel Should Keep A Tighter Leash On Its Lawyers
from the yikes dept
On Tuesday, Mike Arrington of TechCrunch took a straw poll on Twitter and decided to set up a screening of the new movie Iron Man, based on the comic. By Wednesday morning the details were set. He had rented out the Metreon by calling the "Group Sales" phone number on the Iron Man website, and paid for 600 seats for the showing. He posted the info to his blog, and asked people to pay $1 per seat in order to hold the spot (and to avoid no-shows). All this was perfectly reasonable. And then... a lawyer from Marvel Comics sent Arrington a threatening cease-and-desist letter demanding that he pull down the information about the show, claiming that Arrington wasn't authorized to set up such a showing. Again, the whole thing was arranged by Arrington by calling the "Group Sales" line on the Iron Man website. All of the tickets were paid for. It's hard to see what Marvel can possibly be complaining about. Also, I know for a fact that Arrington's event is hardly the only such event... because I got invited to a different one (also tomorrow, though at a different time and location and organized by a different group) and have a ticket on my desk for the show.
As a guess, perhaps Marvel is upset that Arrington made his an open invite system. The other showings I'm aware of are all private invite-only showings. But, even if that's true, it's rather ridiculous for Marvel to be complaining, and this is giving the company a ton of totally unnecessary bad press for an event that was generating plenty of enthusiasm and excitement for the movie. It appears to be yet another case where a lawyer is complaining because he can, and not because it's a good business move. As of right now, AMC Theatres, which sold Arrington the tickets, is standing behind the showing, and hopefully someone higher up at Marvel is figuring out what a ridiculous move this is, and will apologize by morning.
How Do You Enforce An EULA On Malware?
"... Most EULAs are backed up via the power of copyright law, but that obviously doesn't work in this case. So how are the malware authors enforcing it? In typical organized crime fashion: with threats to destroy everything else you've got. Specifically, if it catches anyone violating the terms, it promises to send their botnet code to various antispyware companies -- effectively handing over the location of their secret hideout to the malware police..."
Mailbot.f (a.k.a “Kraken”) gets stealthier - Update
Tuesday April 29, 2008 at 10:26 am CST
Over the past week, Mailbot.f (a.k.a “Kraken”) was thoroughly studied and reverse engineered by various security researchers. As mentioned in my previous blog, we focused mainly towards the network behavior of the bot and observed a few interesting things.
After the bot installs on a victim machine, it attempts to contact mx.google.com via TCP destination port 25 (SMTP) 3 times. This looks to be a network connectivity test by the bot. If this test fails, the bot does not send out any spam at a later stage. (Note that the bot does not use mx.google.com to spam). Next, the bot downloads the front page of 3 different popular web sites (mostly news sites), such as nytimes.com, cbsnews.com, news.com, cnn.com, reuters.com, msn.com, google.com, etc. We have not observed the use of these web pages in the spam sent out by this bot, however.
Declassified NSA Document Reveals the Secret History of TEMPEST
