The Amnesty International UK website was compromised to serve Gh0st RAT
From the Websense Security Labs Blog:
Between May 8 and 9, 2012, the Websense ThreatSeeker Network detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site.
In the most recent case, we noticed that the exploit vector used was the same Java exploit (detailed in CVE-2012-0507) that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback.
The following is a screen shot of the detected code injection: [Screenshot]
In the screen shot, we can see the similarities between this injection and the INSS injection we reported last week. This clearly shows the use of the Metasploit framework and the precise name of the Java class used. In addition, the associated JAR file is a well-known vector exploit for the CVE-2012-0507, as shown below:
Continued : http://community.websense.com/blogs/securitylabs/archive/2012/05/11/amnesty-international-uk-compromised.aspx
Amnesty International's UK website served up Gh0st RAT for two days
Amnesty International UK Site Hijacked, Serves Ghost RAT
Amnesty UK website hacked to serve lethal Gh0st RAT Trojan
UNC-Charlotte Data Breaches Expose 350,000 SSN's & Much More
Confidential data, including bank account and Social Security numbers for some 350,000 University of North Carolina-Charlotte students, staff and faculty, were accidentally exposed -- some for almost 15 years -- due to a system misconfiguration and incorrect access settings that made electronic data publicly available.
The school on Wednesday released a statement on an investigation it launched in February after staff discovered the data breach. The investigation revealed two separate incidents exposed data such as names, addresses, Social Security numbers and financial account information provided during university transactions.
One incident involved misconfigurations and incorrect access settings made during a general university system upgrade that left data stored on the university's H: drive exposed on the Internet from Nov. 9, 2011 to Jan. 31, 2012.
The second involved improperly stored sensitive data belonging to the school's College of Engineering that allowed for unauthorized access from 1997 until February 2012.
Continued : http://threatpost.com/en_us/blogs/unc-charlotte-data-breaches-expose-350000-social-security-numbers-and-much-more-051012
Also: UNC Charlotte: 350,000 SSNs Exposed in Decade-long Data Breach
Opera 11.64 closes critical code execution hole
Version 11.64 of the Opera web browser has been released, closing a critical hole that could have been exploited by attackers to inject malicious code into a victim's system. According to the company, some undisclosed formulations of URLs caused the browser to allocate the incorrect amount of memory for storing the address. When the program attempted to store the address, unrelated memory could have been overwritten with an attacker's data, resulting in a crash and the execution of arbitrary code.
Non-security-related fixes include correcting an issue that prevented some secure pages, such as PayPal and eBay, from loading, and problems when using the AMD loader from the Dojo Toolkit. A full list of the fixes and improvements in the update can be found in the Windows, Mac and UNIX change logs. Version 11.64 of Opera is available to download for Windows, Mac OS X, Linux, FreeBSD and Solaris.
Continued : http://www.h-online.com/security/news/item/Opera-11-64-closes-critical-code-execution-hole-1573877.html
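The bug class in the Opera item above (sizing a buffer from the wrong length, then overwriting neighbouring memory when the address is copied in) can be illustrated with an added C example. This is not Opera's code and the page gives no detail of the real trigger; the escaping rule below is a hypothetical one, chosen only to show how a stored address can grow past the raw input length. The example contrasts a naive size computation with a hardened one that counts the stored form byte by byte, guards against integer overflow, and bounds-checks every write against the capacity actually allocated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rule (an assumption for this example): bytes that are
   control characters, non-ASCII, or one of " < > are stored as %XX, so
   the stored form can be up to three times longer than the input. */
static int needs_escape(unsigned char c) {
    return c <= 0x20 || c >= 0x7f || c == '"' || c == '<' || c == '>';
}

/* Naive sizing: assumes the stored form is never longer than the input.
   Any input containing escapable bytes leaves this allocation too small. */
size_t naive_alloc_size(const char *url) {
    return strlen(url) + 1;
}

/* Hardened sizing: counts the escaped length byte by byte, with an
   overflow guard on the running total. Returns 0 if the size would
   not fit in size_t. */
size_t escaped_alloc_size(const char *url) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        size_t add = needs_escape(*p) ? 3 : 1;
        if (n > SIZE_MAX - add - 1)
            return 0;
        n += add;
    }
    return n + 1; /* room for the terminating NUL */
}

/* Stores the address in a buffer sized by escaped_alloc_size. Every write
   is checked against the capacity, so a sizing mistake can only fail the
   call, never overrun the heap. Caller frees the result; NULL on failure. */
char *store_address(const char *url) {
    static const char hex[] = "0123456789ABCDEF";
    size_t cap = escaped_alloc_size(url);
    if (cap == 0)
        return NULL;
    char *out = malloc(cap);
    if (!out)
        return NULL;
    size_t i = 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        if (needs_escape(*p)) {
            if (cap - i < 4) { free(out); return NULL; }
            out[i++] = '%';
            out[i++] = hex[*p >> 4];
            out[i++] = hex[*p & 0x0f];
        } else {
            if (cap - i < 2) { free(out); return NULL; }
            out[i++] = (char)*p;
        }
    }
    out[i] = '\0';
    return out;
}

/* How many bytes the naive allocation would be short by for this input. */
size_t naive_shortfall(const char *url) {
    size_t need = escaped_alloc_size(url);
    size_t naive = naive_alloc_size(url);
    return need > naive ? need - naive : 0;
}

int main(void) {
    /* Constructed sample input, not from the original page. */
    const char *sample = "http://example.test/a b<c>";
    char *stored = store_address(sample);
    printf("%s\n", stored ? stored : "(store failed)");
    printf("naive allocation would be short by %zu bytes\n", naive_shortfall(sample));
    free(stored);
    return 0;
}
```

The point of keeping the capacity check inside `store_address` even though `escaped_alloc_size` is already correct is defence in depth: if the two routines ever disagree (the situation the Opera advisory describes), the mismatch turns into a failed call rather than a write past the end of the allocation.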
Malware Masquerades as Flash Player for Android
From TrendLabs Malware Blog:
Last month, we saw cybercriminals use the popularity of apps like Instagram and Angry Birds Space to deliver malware on Android phones. This time, we spotted the same social engineering tactic using Adobe's name.
[Screenshot: Website Hosting Fake Adobe Flash Player]
This webpage is also found to be hosted on Russian domains, similar to the fake Instagram and Angry Birds Space apps that we previously reported. To further entice users into downloading the fake Adobe Flash Player app, the text on the webpage claims that it is fully compatible with any Android OS version: [Screenshot]
When users opt to download and install the said fake app, the site connects to another URL to download a malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A. ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user's permission, thus leading to unwanted charges. This type of Android malware is just one of the types we were able to identify in our infographic, A Snapshot of Android Threats.
Continued : http://blog.trendmicro.com/malware-masquerades-as-flash-player-for-android/
FBI: Updates Over Public 'Net Access = Bad Idea
The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.
From the FBI's advisory:
"Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available."
The warning is a good opportunity to revisit some wireless safety tips I've doled out over the years. Avoid updating software while you're using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.
Continued : http://krebsonsecurity.com/2012/05/fbi-updates-over-public-net-access-bad-idea/
Related to: FBI issues warning on hotel Internet connections
FixMeStick: USB device for removing malware
FixMeStick has launched the first ever, consumer-ready USB device for removing viruses from infected PCs.
The principles of the FixMeStick are not new to security IT professionals: multiple anti-virus engines increase the number of detectable viruses, and clean external scanning devices prevent viruses from hiding or from interfering with their removal. But, for the first time, FixMeStick has built these principles into a ready-to-go USB device.
"This is about enabling everyone to rid their machines of malware," says co-founder Marty Algire. "And it will help people continue to enjoy their computers and the Internet."
The FixMeStick costs $49.99 for an unlimited number of uses on three PCs per year. Renewals can be purchased for $24.99 annually.
The FixMeStick is powered by three of the biggest names in anti-virus software: Kaspersky Lab, Sophos, and GFI.
Continued : http://www.net-security.org/malware_news.php?id=2104
FixMeStick Launches USB Device For Removing Computer Viruses
FixMeStick, Malware-Remover USB Stick (Video)
From the FixMeStick Blog: Why We Built the FixMeStick
New .secure Internet Domain On Tap
"'Safe neighborhood' top-level domain will require SSL, DNSSEC, and other security measures for websites"
A new top-level domain (TLD) in the works for the Internet will bake security in from the outset: The .secure domain will require fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. If the new domain takes off, it could shift the way Web domains are secured.
It's basically a "safe neighborhood" on the Net, its creators say, and is one of the first next-generation TLDs to emerge from the new Internet Corporation for Assigned Names and Numbers (ICANN) program that opens up the TLDs beyond the 21 existing global domains that include .com, .org, .net, and .edu. Artemis Internet Inc., a wholly owned subsidiary of NCC Group plc, has applied with ICANN for the new .secure domain in the competition for thousands of new TLDs aimed at better classifying companies and people by industry, interest, or location.
"'Effortless security' is our tagline," says Alex Stamos, CTO at Artemis. "Right now, when you go to .com, you have to look for five different visual clues to figure out what's going on" security-wise, Stamos says. "If you type .secure, you're telling the server or organization that you want to communicate with that you want to be safe and expect them to be as safe as possible. All of that security stuff is taken care of for you."
Continued : http://www.darkreading.com/authentication/167901072/security/security-management/240000187/new-i-secure-i-internet-domain-on-tap.html
CERT Warns On Critical Hole In SCADA Software By Italian Firm Progea
The U.S. Department of Homeland Security issued a bulletin on Thursday warning readers about a previously undisclosed, critical vulnerability in Movicon 11, a product used to manage critical infrastructure including the manufacturing, energy and water sectors.
DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) posted an advisory on May 10 that warned customers of Progea Srl that a memory corruption vulnerability in the Movicon Human Machine Interface (HMI) software could allow a remote attacker to knock Movicon devices offline using a specially crafted HTTP POST request sent to the Movicon OPC server component. Progea has issued a fix for the problem, which affects Movicon devices running versions of the Movicon software up to and including version 11.3, ICS-CERT said in its advisory.
The vulnerability was discovered and reported by Dillon Beresford, a SCADA and ICS researcher who works for IXIA. If left unpatched, the vulnerability would allow a remote attacker to force the Movicon server to read an invalid memory address, crashing the device. However, the vulnerability of actual devices deployed in the field will depend on environmental factors at each customer site. ICS-CERT urged Progea customers to assess their vulnerability to attack.
Continued : http://threatpost.com/en_us/blogs/cert-warns-critical-hole-scada-software-italian-firm-progea-051112
See Vulnerabilities & Fixes: Movicon OPC Server HTTP Post Denial of Service Vulnerability
Mother's Day a Lure for Fake Gift Offers
From the McAfee Labs Blog:
Mother's Day is normally celebrated by people to express their love for their mothers. We sometimes buy them special gifts such as watches, antiques, greeting cards, or flowers. Spammers also celebrate Mother's Day, but with a different goal in mind.
As always, spammers like to take advantage of special occasions and festivals. Currently we see a trend in spam mails offering fake Rolex watches as the perfect gift on Mother's Day. Should you buy one of these fake watches for your mother, or for anyone? Not from these people. Watch out for these emails and don't click on the links in them.
Here are several common subject lines for Mother's Day spam:
• Make your mother happy
• Mother's day stock
• Mother's Day inventory
• All about MOM
Continued : http://blogs.mcafee.com/mcafee-labs/mothers-day-a-lure-for-fake-gift-offers
Anonymous takes on Putin's Russian Kremlin
Cyber activists associated with the Anonymous collective temporarily downed President Vladimir Putin's web site on Wednesday.
The activists said they were protesting the controversial renewal of Putin's presidential term for yet another six years, which has sparked a wave of demonstrations in Moscow's city streets.
The Kremlin's Internet security division responded to the above-mentioned pwnage by telling Reuters: "All the relevant departments are taking the necessary measures to counteract (such) attacks.
"This is routine work. There is always some external influence. Today we are witnessing a splash of activity (by the attackers) ... (But) they failed to achieve their goal."
In other Anonymous related news, the Pirate Bay has gone on record as criticizing Anonymous for taking down the Virgin Media website over its blocking of the Pirate Bay file sharing site, as per a recent order from the U.K. High Court.
"We do NOT encourage these actions. We believe in the open and free Internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us," The Pirate Bay wrote on its Facebook page.
Continued : http://www.tgdaily.com/security-features/63303-anonymous-takes-on-putins-russian-kremlin
Also: Anonymous takes the Kremlin offline in Putin protest
IC3 2011 Internet Crime Report Released
FBI Press Release:
"More Than 300,000 Complaints of Online Criminal Activity Reported in 2011"
The Internet Crime Complaint Center (IC3) today released the 2011 Internet Crime Report—an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. As more Internet crimes are reported, IC3 can better assist law enforcement in the apprehension and prosecution of those responsible for perpetrating Internet crime.
In 2011, IC3 received and processed, on average, more than 26,000 complaints per month. The most common complaints received in 2011 included FBI-related scams—schemes in which a criminal poses as the FBI to defraud victims—identity theft, and advance-fee fraud. The report also lists states with the top complaints, and provides loss and complaint statistics organized by state. It describes complaints by type, demographics, and state.
"This report is a testament to the work we do every day at IC3, which is ensuring our system is used to alert authorities of suspected criminal and civil violations," said National White Collar Crime (NW3C) Center Director Don Brackman. "Each year we work to provide information that can link individuals and groups to these crimes for better outcomes and prosecution of cases."
Continued : http://www.fbi.gov/news/pressrel/press-releases/ic3-2011-internet-crime-report-released
Report: 2011 Internet Crime Report (pdf)