13 total posts
Brian Krebs: The Obscurest Epoch is Today
""History is much decried; it is a tissue of errors, we are told, no doubt correctly; and rival historians expose each other's blunders with gratification. Yet the worst historian has a clearer view of the period he studies than the best of us can hope to form of that in which we live. The obscurest epoch is to-day; and that for a thousand reasons of incohate tendency, conflicting report, and sheer mass and multiplicity of experience; but chiefly, perhaps, by reason of an insidious shifting of landmarks." - Robert Louis Stevenson"
To say that there is a law enforcement manhunt on for the individuals responsible for posting credit report information on public figures and celebrities at the rogue site exposed.su would be a major understatement. I like to think that when that investigation is completed, some of the information I've helped to uncover about those affiliated with the site will come to light. For now, however, I'm content to retrace some of my footwork this past weekend that went into tracking individuals who may have been responsible for attacking my site and SWATing my home last Thursday.
I state upfront that the information in this piece is certainly not the whole story (most news reporting is, at best, a snapshot in time, a first rough draft of history). While the clues I've uncovered thus far point to the role of a single individual, this person is likely part of a larger group involved in hacking and SWATing activity.
Continued : https://krebsonsecurity.com/2013/03/the-obscurest-epoch-is-today/#more-19478
Same hacker may have targeted Ars, reporter Krebs, and Wired's Honan
Details on the denial of service attack that targeted Ars Technica
Xbox Live accounts hack performed by attackers that hit Krebs and Honan?
Brian Krebs tells Ars about hacked 911 call that sent SWAT team to his house
Brian Krebs: The World Has No Room For Cowards
Google Serves Up a Half Slice of Pwnium Cash for Pinkie Pie
Depending upon your perspective, the third iteration of Google Pwnium at this year's CanSecWest conference was either a mild failure or a huge success. No researchers were able to come up with a full compromise of the Chrome OS, the target in this year's contest, but Google said this week that it did receive a partial qualifying entry from one researcher and awarded him $40,000 for his efforts.
Google first ran the Pwnium contest at last year's CanSecWest conference and received a pair of winning entries, each of which qualified for a $60,000 reward. That contest focused on the Chrome browser. This time around Google was interested in bugs in its Chrome OS, which runs on Chromebook laptops. The company was offering more than $3 million in possible rewards for new vulnerabilities in the oeprating system.
By the end of the contest two weeks ago, Google hadn't received any full winning entries. However, an anonymous researcher known as Pinkie Pie, who had submitted winning entries in each of the previous two Pwnium contests, including one at Hack in the Box last fall, was working on an exploit when time ran out. He demonstrated a partial exploit that worked on several bugs he had discovered, so Google's security team decided to give him a partial payout for his efforts.
Continued : https://threatpost.com/en_us/blogs/google-serves-half-slice-pwnium-cash-pinkie-pie-031913
Also: ChromeOS was unreliably exploited at Pwnium 2013
Massive Chameleon botnet steals $6M a month from advertisers
Web traffic analytics firm spider.io has discovered a massive botnet that emulates human visitors in order to earn its master(s) over $6 million per month from online advertisers.
"Chameleon is a sophisticated botnet," the researchers shared. "Bots generate click traces indicative of normal users. Bots also generate client-side events indicative of normal user engagement. They click on ad impressions with an average click-through rate of 0.02%; and they surprisingly generate mouse traces across 11% of ad impressions."
The company has been tracking the botnet since last December, searching for specific patterns typical of this bot activity, such as crashing and restarting regularly, targeting a specific cluster of 202 websites, simulating the visitation of a number of web pages across a number of websites, and so on.
Continued : http://www.net-security.org/secworld.php?id=14620
Chameleons, botnets and click fraud
Chameleon botnet steals millions from advertisers with fake mouseclicks
Chameleon botnet grabbed $6m A MONTH from online ad-slingers
Exposed Devices Used as Botnet to Scan Internet
A controversial Internet scanning project has come under fire for illegally accessing and running code on remote machines. The Internet Census 2012 project, revealed Sunday in a post to Seclists.org, discovered 420,000 embedded devices accessible using default credentials. The unnamed researcher behind the project then used the devices as a botnet to scan most of the IPv4 address space.
Although the researcher said in a paper that no changes were made to any of the devices and all were returned to their original state after a reboot, the project is drawing the ire of the security community.
"While the Internet Census 2012 provides interesting data, the way it was collated is highly illegal in most countries," said Mark Schloesser, security researcher at Rapid7 in a statement. "Using insecure configurations and default passwords to gain access to remote devices and run code on them is unethical, and taking precautions to not interfere with any normal operation of the devices being used doesn't make it OK."
Rapid7 CSO and Metasploit creator HD Moore's Critical.io project is a similar large-scale scan of the Internet looking for vulnerabilities in equipment provided by ISPs to customers. Out of this legitimate data-collection project came the exposure of serious Universal Plug and Play (UPnP) vulnerabilities affecting 50 million systems.
Continued : https://threatpost.com/en_us/blogs/exposed-devices-used-botnet-scan-internet-032013
Botnet uses hacked devices to scan the internet
Researcher sets up illegal 420,000 node botnet for IPv4 internet ma
High-End Digital Cameras can Forward Pictures to Attackers
From Bitdefenders' "HOTforSecurity" blog:
High-end DSLR cameras come with a multitude of features for sharing pictures, but do they really reveal the contents only to their owners? According to security researchers Daniel Mende and Pascal Turbing, digital cameras such as the Canon EOS 1DX can be manipulated to take pictures and upload them without the user's explicit consent.
This particular camera model comes with a built-in server called WFT (Wireless File Transmitter) that can be accessed via a regular browser. It allows the user to control "major functions of the camera," such as getting preview pictures, taking pictures and downloading them on a location the camera has access to.
Access to the server is conditioned by a combination of usernames and password, but its implementation is far from secure.
"On the first visit the web server asks for the credentials configured on the camera via HTTP Basic Auth. The Basic Auth is only performed once and a session id is used afterwards," reads the report. "Now one could complain about not using HTTPS and the authentication being HTTP Basic and not Digest, so a Man-in-the-Middle can sniff either the credentials or the used session id. But in reality its worse, you don't need to be in the data stream, as the session id is just 4 bytes long and containing hex characters." This means that an attacker can get in by brute-forcing 65536 different ids.
Continued : http://www.hotforsecurity.com/blog/high-end-digital-cameras-can-forward-pictures-to-attackers-5696.html
Meet the men who spy on women through their webcams
"The Remote Administration Tool is the revolver of the Internet's Wild West."
"See! That **** keeps popping up on my ******* computer!" says a blond woman as she leans back on a couch, bottle-feeding a baby on her lap.
The woman is visible from thousands of miles away on a hacker's computer. The hacker has infected her machine with a remote administration tool (RAT) that gives him access to the woman's screen, to her webcam, to her files, to her microphone. He watches her and the baby through a small control window open on his Windows PC, then he decides to have a little fun. He enters a series of shock and pornographic websites and watches them appear on the woman's computer.
The woman is startled. "Did it scare you?" she asks someone off camera. A young man steps into the webcam frame. "Yes," he says. Both stare at the computer in horrified fascination. A picture of old naked men appears in their Web browser, then vanishes as a McAfee security product blocks a "dangerous site."
"I think someone hacked into our computer," says the young man.
Far away, the hacker opens his "Fun Manager" control panel, which provides a host of tools for messing with his RAT victims. He can hide their Windows "Start" button or the taskbar or the clock or the desktop, badly confusing many casual Windows users. He can have their computer speak to them. Instead, he settles for popping open the remote computer's optical drive.
Continued : http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/
Hat tip to R. Proffitt!
Android Malware Spams Victim's Contacts
From the Symantec Security Response Blog:
SMS messages attempting to lure Android device owners to download an app that supposedly allows the camera on the device to see through clothes are circulating in Japan. This type of spam is usually sent by the malware authors themselves, but in this case the authors have developed an app to send the spam messages by SMS to phone numbers stored in the device's Contacts. This allows the recipients of the spam to be tricked easier because the invitation to download the app is coming from someone they know rather than from an unknown sender. If a friend is recommending an app, why would you not at least try it out, right? [Screenshot]
The site where the link takes the user to introduces an app called Infrared X-Ray that supposedly allows the user to see through clothes when viewed through the device's camera and of course also allows pictures to be taken. [Screenshot]
Once the app is executed, details stored in the device's Contacts are uploaded to a predetermined server. Not surprisingly, the app does not work as per advertised and a picture of man holding up his middle finger stating that the victim is a pervert is displayed. [Screenshot]
Continued : http://www.symantec.com/connect/blogs/android-malware-spams-victim-s-contacts
The end of MSN Messenger, the beginning of attacks
From the Kaspersky Labs Weblog:
Microsoft recently announced the shutdown of its popular IM client MSN Messenger, which will be replaced by Skype, but its end represents the beginning of malicious attacks posing as the installer of the software. Cybercriminals already started to use this fact in their attacks, registering malicious domains, buying sponsored links on search engines, tricking users to download and install a malware masquerade as the MSN installer.
MSN Messenger is still very popular in several countries; Microsoft informed that the service has more than 100 million users worldwide, approximately 30.5 million of them in Brazil. As an escalated migration of all users is planned, it's getting harder to find the installer of the program and this is the window of opportunity exploited by Brazilian cybercriminals aiming to infect users looking for the software.
In a simple search on Google for "MSN messenger" the first result displayed is sponsored link of a malicious domain aiming to distribute the fake installer, which is actually a Trojan banker: [Screenshot]
Continued : http://www.securelist.com/en/blog/208194178/The_end_of_MSN_Messenger_the_beginning_of_attacks
Dubious Developers Cash In On Candy Crush
From the Trendlabs Security Intelligence Blog:
As expected, shady developers are now taking advantage of Candy Crush, one of the hottest gaming apps in both social networks and Android.
Recently, Candy Crush grabbed the top spot from FarmVille 2 as the most popular gaming app on Facebook. This boost in popularity, however, has its perils. In particular, Candy Crush's popularity made it the perfect target for dubious developers and cybercriminals who want to lure and profit from fans of the game - similar to what happened with other popular mobile apps and games like Instagram, Bad Piggies, and Temple Run in the past.
In a development that surprised no one, we discovered fake Candy Crush apps online, proving that cybercriminals are indeed hoping to capitalize on the game's current trending status. These apps contain code for the Leadbolt and Airpush ad networks; apps containing said code were some of the most prevalent found last year. (We detect these as ANDROIDOS_LEADBLT.HRY and ANDROIDOS_AIRPUSH.HRXV.) [Screenshot]
Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/dubious-developers-cash-in-on-candy-crush/
Android Banking Trojans Target Italy and Thailand
From McAfee Labs Blog:
A very profitable line for mobile malware developers is Android banking Trojans, which infect phones and steal passwords and other data when victims log onto their online bank accounts. One recent trend is Android malware that attacks users in specific countries, such as South Korea and India. We have already seen this type of malware posing as mobile applications from banks in Spain and Portugal. Now a new threat distributed via phishing links targets users of banks in Italy and Thailand using the following icons: [Screenshot]
When the malware runs, it asks the user to input a password and confirm it. If the passwords do not match, the app will show an error message: [Screenshot]
However, unlike Android/FakeToken, this malware does not send the password to the attacker via the Internet or SMS. Instead, it sends an SMS to a specific number in Russia with the text "Ya TuT " ("I am here," in Russian) or "init" the first time that the application is executed. If the passwords match, the application shows the traditional fake security token seen in other families of Android banking Trojans: [Screenshot]
UK Metropolitan Police Warns Elderly Citizens About Courier.
Today, March 20, has been appointed by the UK Metropolitan Police Service (MPS) as the Courier Fraud Awareness Day. Activities are being carried out to raise awareness regarding these scams which, in two years' time, have made over 2,200 victims, most of which elderly citizens.
Since January 2011, authorities have arrested 130 fraudsters and have charged 93. Two of them, brothers, have been sentenced to over 10 years in prison after stealing almost 250,000 GPB ($390,000 / 292.000 EUR) from over 200 victims.
So how do these scams work?
The fraudster calls up the victims pretending to be from the police, the bank or the Serious Fraud Office. He tells them that their bank accounts have been compromised and informs them that their payment cards must be collected.
To make everything more legitimate-sounding, the crooks instruct the victim to hang up and call the police or the bank to verify everything. However, the caller doesn't hang up the phone so, after the victim dials the number of the legitimate organization, he/she is talking to the same fraudster.
Continued : http://news.softpedia.com/news/UK-Metropolitan-Police-Warns-Elderly-Citizens-About-Courier-Fraud-338941.shtml