Microsoft Responds to Critics Over Botnet Bruhaha
Microsoft's most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in the security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations.
Since Microsoft announced Operation B71, I've heard from several researchers who said they were furious at the company for publishing data on a group of hackers thought to be behind a majority of the ZeuS botnet activity — specifically those targeting small to mid-sized organizations that are getting robbed via cyber heists. The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members).
At the time, nobody I'd heard from with complaints about the action wanted to speak on the record. Then, late last week, Fox IT, a Dutch security firm, published a lengthy blog post blasting Microsoft's actions as "irresponsible," and accusing the company of putting its desire for a public relations campaign ahead of its relationship with the security industry.
Continued : http://krebsonsecurity.com/2012/04/microsoft-responds-to-critics-over-botnet-bruhaha/
Related: Controversy Erupts Over Microsoft's Recent Takedown Of A Zeus Botnet
'Farmer's Market' International Online Drug Ring Busted, 15 Arrested
A sophisticated online drug marketplace that sold everything from marijuana to mescaline to some 3,000 people around the world has been cracked with the arrests of 15 people in several countries, U.S. authorities announced Monday.
An indictment unsealed in federal court in Los Angeles claims eight men ran "The Farmer's Market," which allowed suppliers of drugs - including LSD, Ecstasy and ketamine - to anonymously sell their wares online. They hooked up with buyers in 34 countries and accepted various forms of payment, including cash, Western Union and PayPal transactions, the indictment claims.
From 2007 to 2009 alone, the marketplace processed more than 5,000 orders for drugs valued at more than $1 million, federal officials contended. It began operations as far back as March 2006, authorities said.
The market "provided a controlled substances storefront, order forms, online forums, customer service, and payment methods for the different sources of supply" and charged the suppliers a commission based upon the value of the order, according to a statement from the U.S. attorney's office in Los Angeles.
Operators of Online Drug Ring Arrested in Global Sweep
8 Suspects Arrested in Online Drug Market Sting
Members of TOR-Based Online Drug Market Arrested
Google Sends Notifications to 20,000 Hacked Site Owners
"Is your site doing weird redirects? We just sent a 'your site might be hacked' message to 20K sites," read a tweet posted by Matt Cutts, the head of the webspam team at Google, yesterday.
So, you may be wondering what Google has to do with website security and what they mean when they say weird redirects.
Search Engine Land informs that in many cases website owners and administrators are not aware that their assets have been compromised, mainly because the sites identified by Google as being overtaken only redirect visitors who access them from the search engine.
Since owners and admins rarely go to their sites from search engines, they're unaware of the malicious operations that take place.
Regarding the systems used by Google to scan and block potentially infected websites, the company's support page reveals the following:
This identification is based in part on guidelines set by StopBadware.org. Google uses its own criteria, procedures, and tools to identify sites that host or distribute badware. In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message...
Continued : http://news.softpedia.com/news/Google-Sends-Notifications-to-20-000-Hacked-Site-Owners-264803.shtml
Google-backed research fights review spam
University of Illinois at Chicago researchers are taking aim at fake reviews, which they say can seriously damage online businesses.
In particular, the Google-backed study is designed to seek out organized groups of comment fraudsters, and automate the process of identifying and shutting them down.
Fake reviewers can have devastating effects on a variety of Internet-dependent businesses, but with the emergence of user-reviewed social-style operations like Yelp and TripAdvisor, both positive (to promote a business) and negative (to damage a competitor) frauds are becoming endemic.
For the affected business, the researchers say, weeding out the fakes is expensive: while it's not hard for a human to identify a fraud, the process is labour-intensive.
In their paper (pdf), authored by the university's Bing Liu and Arjun Mukherjee, along with Google's Natalie Glance, the researchers present an algorithm called GSRank which they hope can be deployed against review fraud.
Continued : http://www.theregister.co.uk/2012/04/17/seeing_through_sockpuppets/
Spam Leads to Exploits and Fake AV on Twitter
From the GFI Labs Blog:
There have been a couple of rather nasty spam runs taking place on Twitter over the last few days. Here's an example of a rogue URL being spread at the weekend: [Screenshot: Fake AV Spam]
The link in question - fuuut(dot)tk, was being sent by both compromised accounts and spambots. Anybody visiting the link would find themselves redirected to detectoptimizersupervision(dot)info where a piece of Fake AV was just dying to introduce itself:
[Screenshot] - [Screenshot]
The file above had a detection rate on VirusTotal of 3/42, and we caught it as Trojan.Win32.Fakeav.tri (v). A member of the FakeVimes family, the sites involved in this one would be replaced every three to six hours.
Today things continue to take a turn for the worse with all new spam links spreading on Twitter, which we have of course reported. Example:
Continued : http://www.gfi.com/blog/spam-leads-to-exploits-and-fake-av-on-twitter/
Bogus "Account limit exceeded" emails targeting Yahoo users
Fake Yahoo email notifications are hitting inboxes and urging users to verify their account because it has "exceeded its limit", Hoax-Slayer warns.
The message is accompanied by a veiled threat of account suspension within 24 hours aimed at making users panic and raise the likelihood of them following the offered link.
Unfortunately for those who did, the link leads to a fake Yahoo login page, and all login credentials entered and submitted in it are now in the hands of the phishers who created the page, ready to be used to hijack the users' accounts.
These accounts can be used for a variety of malicious schemes, the most benign of which is the sending of spam. Other options are to bombard the users' contacts with links leading to malware or with fake pleas for money due to an unforeseen and difficult situation.
Here comes the "Zahlungspflichtig bestellen" button
From the avast! Blog:
Germany leads EU in unpronounceable consumer protection
Germany has become the first country to enact a new EU law to protect online consumers against new types of fraud. One visible change will be a "Zahlungspflichtig bestellen" button on internet sites which translates into "order with an obligation to pay" button. [Screenshot: Button]
The law is designed to combat internet "subscription traps", sites that lure consumers with a free offer but actually sign them up for a service where the real costs are hidden and conditions can be misleading if not fraudulent. By late 2012, customers at German ecommerce sites will have to click a button labeled "zahlungspflichtig bestellen" to complete their online purchases instead of the current "anmeldung" (registration) button.
The "Button Law" adopted by the German Bundestag is a result from EU Directive 2011/83/EU on consumer rights. And, it might be used as a model for the other EU countries to copy as the 2013 deadline on the consumer rights Directive approaches. Since Germany is the largest economy in the European Union, this new law might just have a knock-on impact on consumer rights that goes outside of the country's borders.
Jana Pattynova, a partner at the Prague office of Pierstone, an international law firm, pointed out that along with the new button, potential customers will get information on three basic points:
Continued : https://blog.avast.com/2012/04/17/here-comes-the-zahlungspflichtig-bestellen-button/
Google faces WHOPPING FTC fine for Safari privacy gaffe
Google is reportedly going to be slapped with a bigger regulatory fine than the meagre one handed down to it from the US Federal Communications Commission (FCC) late last week.
According to Mercury News, which cites anonymous sources familiar with the confabs between the Federal Trade Commission (FTC) and Google, the search giant is expected to be hit with a larger penalty over its bypassing of the default privacy settings of Apple's Safari browser.
The FTC - which is the Stateside consumer watchdog - could issue that fine within the next 30 days, the newspaper reported.
Its chums over at US communications regulator, the FCC, fined Google $25,000 last week for failing to aid its investigation into the company's "accidental" Street View fleet's Wi-Fi payload data slurp-fest.
But, significantly, the same probe failed to find that Google's actions had been unlawful because the data it collected was not encrypted.
As heavily documented in these pages, Google has been undergoing intense scrutiny of its business practices on both sides of the Atlantic for some time now.
Continued : http://www.theregister.co.uk/2012/04/17/google_ftc_fine_safari_privacy_gaffe/
FTC official: Sharing on social sites 'can't be forced'
Recent enforcement actions against Facebook and Google show the Federal Trade Commission (FTC) is on track to safeguard consumer privacy in the era of social networking, an agency official said Tuesday.
While FTC commissioner Julie Brill acknowledged the networking sites are changing how people get information and interact, she said it's important to remember that participation "can't be forced."
It's a "basic principle of the playroom," Brill said at a Broadband Breakfast Club event.
Brill pointed to a "trifecta" of enforcement actions the FTC has taken against Facebook, Google and Twitter as evidence the agency is moving aggressively to protect privacy. In the cases of Facebook and Google, the actions resulted in consent decrees that she said will be in place for two decades to ensure the companies only share and delete information with users' consent.
The FTC penalized Facebook for changing its terms of service to make public user information that had previously been private. Google's problems arose from the launch of the Buzz social network, a service that was scrapped after it created confusion for users about what information was shared and how one opted out.
Continued : http://thehill.com/blogs/hillicon-valley/technology/221911-ftc-official-sharing-on-social-sites-cant-be-forced
Related: FTC flexes muscles, warns that sharing can't be 'forced' on social websites
Search Engine Security for Google Chrome
From the Zscaler ThreatLab Blog:
Google Chrome has recently added an API to modify HTTP headers. This, in turn, made it possible to port Zscaler's Search Engine Security add-on from Firefox and Firefox Mobile to Google Chrome. [Screenshot]
Most hijacked websites used for Blackhat SEO check the Referer header and the User-Agent, to decide whether to redirect the visitor to a harmless spam page or to a malicious domain (Fake AV page, Blackhole exploit kit, etc.). By modifying these 2 headers when the user leaves a Google, Bing or Yahoo! search, Search Engine Security fools the hijacked site into thinking that the visitor is not a real user and therefore avoids redirection to the malicious content. [Screenshot]
All the work is done in the background, so it can be tricky to understand exactly what happens, or even if the add-on is working. We have therefore added a small note on the Google/Bing/Yahoo! search result pages to show you whether Search Engine Security is on (default settings) or off (disabled in the options): Zscaler SES on or Zscaler SES off.
Continued : http://research.zscaler.com/2012/04/search-engine-security-for-google.html
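Both the Google notification item above (sites that only redirect visitors arriving from a search engine, so owners never see it) and the Zscaler item (hijacked sites keying on the Referer and User-Agent headers) describe the same conditional-redirect pattern. As an added example, not code from either post or from Zscaler, here is a small Python check a site owner can run against their own pages: it requests the URL once as a direct visit and once with a search-engine Referer, and reports a redirect that only the search-engine visitor receives. The `live_fetch` helper, the header sets and the simulated hijacked/clean responders are my own constructions.

```python
"""Detect a redirect that is served only to visitors arriving from a search engine."""
import urllib.request
from urllib.error import HTTPError

# Two header sets to compare: a direct visit, and the same browser arriving from Google.
DIRECT = {"User-Agent": "Mozilla/5.0"}
FROM_SEARCH = {"User-Agent": "Mozilla/5.0",
               "Referer": "https://www.google.com/search?q=example"}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, headers):
    """Issue one request and return (status code, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except HTTPError as e:  # an unfollowed 3xx surfaces here as an HTTPError
        return e.code, e.headers.get("Location")


def conditional_redirect(url, fetch=live_fetch):
    """Return the redirect target shown only to search-engine visitors, else None."""
    direct = fetch(url, DIRECT)
    search = fetch(url, FROM_SEARCH)
    if direct == search:
        return None  # same behaviour for both visitors: no cloaking seen
    status, location = search
    if 300 <= status < 400 and location and location != direct[1]:
        return location
    return None


# Constructed stand-ins used for offline testing (not real sites).
def simulated_hijacked(url, headers):
    """Behaves like a hijacked site: redirects only traffic that came from Google."""
    if "google" in headers.get("Referer", ""):
        return 302, "http://malicious.example/landing"  # placeholder target
    return 200, None


def simulated_clean(url, headers):
    """A site that answers every visitor the same way."""
    return 200, None
```

Run `conditional_redirect("https://your-site.example/")` against a page you own; a non-None result is the redirect your search-engine visitors see and you do not.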
Iranian Bank Accounts Hacked: A Cyber Warfare Hypothesis
The story I want to report on could be the plot of a movie. Khosrow Zarefarid, an Iranian software manager, found security vulnerabilities in Iran's banking system and tried to inform the management of the affected banks by preparing a detailed report.
As usual the bank's managers ignored the alert, so the Iranian expert decided to demonstrate the risk related to the discovered vulnerability, moving from theory to action.
He hacked 3 million bank accounts belonging to at least 22 different banks to support his study. Zarefarid's intellectual honesty is admirable, as he limited his actions to hacking the systems, not stealing anything from the accounts. He simply exploited the vulnerability by retrieving account details of around 3 million individuals, including card numbers and related PINs.
Zarefarid works at Eniak, which operates the Interbank Information Transfer Network System (Shetab), an electronic banking clearance and automated payments system used in Iran. Eniak is a leader in providing payment systems in Iran for point of sale, a crucial sector in the banking world and also manufacturing.
What is really serious is that on the occasion of his first alert, the expert provided details on the security flaw and also on 1000 bank accounts, but he was ignored, and for this reason Zarefarid decided to make the vulnerability public.
Continued : http://www.infosecisland.com/blogview/21033-Iranian-Bank-Accounts-Hacked-A-Cyber-Warfare-Hypothesis.html
Iranian Takes Credit For POS Hack That Spills Three Million Bank Accounts
3 million bank accounts hacked in Iran