Spyware, Viruses, & Security forum


NEWS - May 29, 2013

Critical Ruby on Rails bug exploited in wild, hacked servers join botnet

"Attackers' success shows many servers still aren't patched. Is yours?"

Attackers are exploiting an extremely critical vulnerability in the Ruby on Rails framework to commandeer servers and make them part of a malicious network of hacked machines, a security researcher said.

Ars first warned of the threat in early January, shortly after Rails maintainers issued a patch for the vulnerability. Ars warned at the time that the vulnerability gave attackers the ability to remotely execute malicious code on underlying servers. Criminals' success in exploiting the bug to make vulnerable machines join a botnet suggests that many server administrators still haven't installed the critical update more than four months after it was issued.

Servers that have been exploited are infected with software that caused them to join an Internet Relay Chat (IRC) channel on one of at least two servers, security researcher Jeff Jarmoc said in a post published Tuesday to his personal website. Attackers can force servers to download and execute malicious code and join new IRC channels from there. The channels required no authentication to be accessed, making it possible for competing attackers to infiltrate the chat room and take control of the compromised servers. IRC-based botnets harken back to the earlier days of computer crime because they made it easy for "script kiddies," or relatively unskilled hackers, to control huge numbers of infected machines in lock step, using a handful of pre-programmed commands.

Continued: http://arstechnica.com/security/2013/05/critical-ruby-on-rails-bug-exploited-in-wild-hacked-servers-join-botnet/

Ruby on Rails Exploit Builds IRC Botnet of Compromised Servers
Hackers exploit Ruby on Rails vulnerability to compromise servers, create botnet
Attack wave on Ruby on Rails
Ruby on Rails bug is being exploited in the wild, researcher warns
U.S. Government Seizes LibertyReserve .com

In reply to: NEWS - May 29, 2013

U.S. Government Seizes LibertyReserve .com

U.S. federal law enforcement agencies on Tuesday announced the closure and seizure of Liberty Reserve, an online, virtual currency that the U.S. government alleges acted as "a financial hub of the cyber-crime world" and processed more than $6 billion in criminal proceeds over the past seven years.

The news comes four days after libertyreserve .com inexplicably went offline and newspapers in Costa Rica began reporting the arrest in Spain of the company's founder Arthur Budovsky, a 39-year-old Ukrainian native who moved to Costa Rica to start the business.

According to an indictment (PDF) filed in the U.S. District Court for the Southern District of New York, Budovsky and five alleged co-conspirators designed and operated Liberty Reserve as "a financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking."

Continued: http://krebsonsecurity.com/2013/05/u-s-government-seizes-libertyreserve-com/

Liberty Reserve Founder Indicted on $6 Billion Money-Laundering Charges
Liberty Reserve laundered $6 billion through illegal transactions
Anonymous Hacktivist Jeremy Hammond Pleads Guilty

In reply to: NEWS - May 29, 2013

Anonymous Hacktivist Jeremy Hammond Pleads Guilty to Stratfor Attack

At a time when the word "hacktivist" is routinely used to describe random brigands and petty vandals, Jeremy Hammond stands out as the real deal. In 2004 he urged DefCon attendees to target Republican National Convention delegates for "electronic civil disobedience." In 2006 he was sentenced to two years federal for hacking the website of a right-wing group. In between he reportedly picked up a handful of minor arrests for real-world civil disobedience, including at least one drum-banging protest.

Today, the 28-year-old Chicagoan pleaded guilty to conspiring in the keystone attack of the short-lived Lulzsec/AntiSec era, a damaging December 2011 intrusion into the servers of the private intelligence firm Strategic Forecasting, Inc. The Stratfor hack compromised 60,000 credit card numbers, some of which were promptly loaded up with $700,000 in fraudulent charges. Also stolen were 5 million email messages, which have been trickling out of WikiLeaks ever since.

As with his previous adventures, Hammond's motives in the Stratfor attack were purely non-profit.

Continued: http://www.wired.com/threatlevel/2013/05/hammond-plea/

Anonymous hacker Jeremy Hammond pleads guilty
Anonymous member pleads guilty to Stratfor hack
Accused Hacker Pleads Guilty to US Charges
Certificate pinning - first for websites, now for software?

In reply to: NEWS - May 29, 2013

You may have heard of certificate pinning.

Very simply put, it's a funky name for a sort of "allowlist" of digital certificates. It is intended to supplement (or even to supplant) the chain of trust on which normal digital certificates, such as those used for HTTPS, rely.

We've explained the chain of trust before in varying levels of detail, but the concept is straightforward for securing traffic such as web browsing:

1. You send out a site certificate that is a public key people can use to encrypt traffic to your site, combined with a digital signature that identifies it as yours.

But the name in a certificate is just a text string typed in when it was created, so anyone can make a certificate that says it's yours. How do people know it is yours? Here's how:

Continued: http://nakedsecurity.sophos.com/2013/05/28/certificate-pinning-first-for-websites-now-for-software/
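The point the article is building toward is that the name inside a certificate is only a text string, so a pin ties trust to the key itself rather than to the name. The following Go program is an added example, not code from the article, Sophos or any browser: it computes the usual pin form, base64 of the SHA-256 of the certificate's SubjectPublicKeyInfo, keeps an allowlist of such pins, and runs the check against two self-signed certificates constructed on the fly that carry the same placeholder name "example.com" but different keys. Only the one whose key was pinned is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin computes base64(SHA-256(SubjectPublicKeyInfo)), the pin form used by
// browsers and HPKP. Pinning the public key rather than the whole certificate
// lets a site renew its certificate (new expiry, new serial) without changing the pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins is the allowlist check: at least one certificate in the chain the
// server presented must carry a pinned public key. It is meant to run after the
// normal chain-of-trust validation, as a supplement to it, not a replacement.
func checkPins(chain []*x509.Certificate, allowed map[string]bool) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	for _, c := range chain {
		if allowed[spkiPin(c)] {
			return nil
		}
	}
	return errors.New("no certificate in the chain matches a pinned public key")
}

// selfSigned builds a throwaway self-signed certificate for the given name.
// Constructed for this demo only; real pins come from keys you actually control.
func selfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo pins the legitimate key for the placeholder name "example.com", then
// presents an impostor certificate with the same name but a different key,
// which is exactly the case the article describes: the name is just a string.
func Demo() (legitAccepted, impostorRejected bool, err error) {
	legit, err := selfSigned("example.com")
	if err != nil {
		return false, false, err
	}
	impostor, err := selfSigned("example.com")
	if err != nil {
		return false, false, err
	}
	allowed := map[string]bool{spkiPin(legit): true}
	legitAccepted = checkPins([]*x509.Certificate{legit}, allowed) == nil
	impostorRejected = checkPins([]*x509.Certificate{impostor}, allowed) != nil
	return legitAccepted, impostorRejected, nil
}

func main() {
	ok, rej, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("legitimate key accepted: %v, same-name impostor rejected: %v\n", ok, rej)
}
```

In a real client the pin check would be attached to the TLS handshake (for example via a verification callback) and would cover the whole presented chain, so that pinning an intermediate or a backup key still works when the leaf certificate rotates; keeping at least one backup pin is what prevents a key loss from locking out your own users.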

PayPal to Fix XSS Flaw, But No Reward For Researcher

In reply to: NEWS - May 29, 2013

PayPal is in the process of fixing the cross-site scripting flaw on its Web site that was disclosed last week. The teenage researcher who found and disclosed the bug said Wednesday that PayPal security officials told him that someone else had reported the same vulnerability to them earlier and they're trying to patch it now.

Robert Kugler, a 17-year-old German student, posted a message on the Full Disclosure mailing list on May 24 disclosing the XSS vulnerability on several of PayPal's Web sites. He included a screen shot of the bug being exploited and said that he had reported the flaw to PayPal, a subsidiary of eBay, which runs a bug reward program for security researchers. Kugler said that he got a response from PayPal's security team informing him that he was below the minimum age of 18 to qualify for the reward program, so he posted the information on Full Disclosure instead.

The bug report drew quite a bit of media attention, as did PayPal's assertion that Kugler didn't qualify for its reward program. There isn't any stated age requirement in the guidelines for PayPal's reward program, but in its email to Kugler, the company's security team said that he was too young for the program. In a later email, which Kugler posted to the mailing list Wednesday, the security team reiterated that Kugler was too young, but also said that another researcher had reported the same XSS vulnerability to them before he did, which would have disqualified him for the reward in any case.

Continued: http://threatpost.com/paypal-to-fix-xss-flaw-but-no-reward-for-researcher/

PayPal refuses to pay bug-finding teen

In reply to: PayPal to Fix XSS Flaw, But No Reward For Researcher

German student Robert Kugler, 17, says he found a bug on PayPal's site.

Being a good netizen, he responsibly disclosed the bug by contributing it to PayPal's Bug Bounty Program.

PayPal's response was twofold: First, somebody else already found the cross-site scripting (XSS) flaw, the company said.

Secondly, 'thanks, but no thanks, kiddo - you would have been too young to participate anyway'.

PayPal, did you irk a budding security researcher?

It certainly seems so, as Kugler's next step was to do what is universally accepted in the security industry as irresponsible - he publicly disclosed the bug.

Kugler's remark, from his May 24 full disclosure posting:

"I don't want to allege PayPal a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers ..."

PayPal emailed this statement in defense of its actions to TechWeek Europe:

Continued: http://nakedsecurity.sophos.com/2013/05/29/paypal-refuses-to-pay-bug-finding-teen/

Related: PayPal vulnerable to cross-site scripting again

AusCERT: It's not the fault of "stupid users"

In reply to: NEWS - May 29, 2013

AusCERT on the Internet Census: It's not the fault of "stupid users"

When three careless default settings are present at the same time, criminals often enjoy easy access to devices and industrial control systems. This is what the Australian Computer Response Team (AusCERT) found in one of its most recent analyses of previously undisclosed data relating to the Internet Census 2012. For the analysis, which was presented at the AusCERT conference last week, the creator of the census gave AusCERT nine terabytes of data, including information on 1.2 million identifiable devices that could be infected with the Carna botnet, which made it possible to scan all of the IPv4 address space.

AusCERT found that Carna exploits careless default configurations. The botnet-infected devices are directly accessible through the internet, provide telnet access on port 23 without a firewall, and use default login data such as admin:admin, admin:password or root:password. It was easy to identify the devices in question from the output of the ifconfig command. AusCERT emphasised that the fact that the devices are this vulnerable is down to the manufacturers and that it was not the fault of "stupid" users.

Continued: http://www.h-online.com/security/news/item/AusCERT-on-the-Internet-Census-It-s-not-the-fault-of-stupid-users-1871386.html

Related: Carna Botnet Analysis Renders Scary Numbers on Vulnerable Devices
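The post names three conditions that together let Carna in: reachable from the internet, telnet on port 23 with no firewall in front, and a factory login pair. As an added example (not AusCERT's tooling or the census data), the Go program below runs that triage over a small constructed inventory in a hypothetical comma-separated export format, using RFC 5737 documentation addresses, and reports which devices exhibit all three factors and which factor each one fails on. The three credential pairs are the ones the article lists.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Device is a constructed inventory record. The field layout is a hypothetical
// export format for this example, not the Internet Census or AusCERT data.
type Device struct {
	Addr       string
	Internet   bool   // directly reachable from the internet
	Ports      []int  // listening TCP ports
	Firewalled bool   // a firewall filters inbound telnet
	Login      string // "user:pass" the device accepts
}

// defaultCreds are the factory login pairs named in the article.
var defaultCreds = map[string]bool{
	"admin:admin":    true,
	"admin:password": true,
	"root:password":  true,
}

func hasPort(ports []int, want int) bool {
	for _, p := range ports {
		if p == want {
			return true
		}
	}
	return false
}

// RiskFactors returns which of the three careless defaults a device exhibits.
func RiskFactors(d Device) []string {
	var f []string
	if d.Internet {
		f = append(f, "directly reachable from the internet")
	}
	if hasPort(d.Ports, 23) && !d.Firewalled {
		f = append(f, "telnet on port 23 without a firewall")
	}
	if defaultCreds[d.Login] {
		f = append(f, "default credentials")
	}
	return f
}

// Exposed reports whether all three factors coincide, the combination
// AusCERT found Carna exploiting.
func Exposed(d Device) bool { return len(RiskFactors(d)) == 3 }

// parseInventory reads lines of "addr,internet,ports,firewalled,login" where
// ports are separated by '|' and internet/firewalled are "yes" or "no".
// Blank lines and lines starting with '#' are skipped.
func parseInventory(text string) ([]Device, error) {
	var out []Device
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ",")
		if len(fields) != 5 {
			return nil, fmt.Errorf("malformed inventory line: %q", line)
		}
		var ports []int
		if fields[2] != "" {
			for _, p := range strings.Split(fields[2], "|") {
				n, err := strconv.Atoi(p)
				if err != nil {
					return nil, fmt.Errorf("bad port in %q: %v", line, err)
				}
				ports = append(ports, n)
			}
		}
		out = append(out, Device{
			Addr: fields[0], Internet: fields[1] == "yes", Ports: ports,
			Firewalled: fields[3] == "yes", Login: fields[4],
		})
	}
	return out, nil
}

// SampleInventory is constructed data: only .10 and .14 meet all three conditions.
const SampleInventory = `# addr,internet,ports,firewalled,login
192.0.2.10,yes,23|80,no,admin:admin
192.0.2.11,yes,23|80,yes,admin:admin
192.0.2.12,no,23,no,root:password
192.0.2.13,yes,22|443,no,ops:not-a-default-example
192.0.2.14,yes,23,no,root:password`

// ExposedAddrs runs the triage over an inventory and returns the flagged addresses.
func ExposedAddrs(inv string) ([]string, error) {
	devs, err := parseInventory(inv)
	if err != nil {
		return nil, err
	}
	var flagged []string
	for _, d := range devs {
		if Exposed(d) {
			flagged = append(flagged, d.Addr)
		}
	}
	return flagged, nil
}

func main() {
	devs, err := parseInventory(SampleInventory)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, d := range devs {
		fmt.Printf("%-12s exposed=%-5v factors=%v\n", d.Addr, Exposed(d), RiskFactors(d))
	}
}
```

Because any single factor is enough to want fixed, the per-device factor list is the useful output for an operator; the all-three flag is what reproduces the article's finding that the Carna-infected population sits at the intersection of the three defaults.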
Can mobile malware be activated via sensors?

In reply to: NEWS - May 29, 2013

Can mobile malware be activated via sensors available on current mobile devices, and receive commands through out-of-band communication methods? If you ask a group of researchers from the University of Alabama at Birmingham and the Polytechnic Institute of NYU, the answer is yes.

To prove their theory, they have created and tested proof-of-concept Android apps that received command and control trigger messages from a distance of 55 feet indoors and 45 feet outdoors, sent by using only low-end PC speakers with minimal amplification and low volume.

In theory, such a signal can be incorporated into TV or radio programs, background music services, Internet TV program and even musical greeting cards, and the signal is received even if the device is located in a user's pocket.

Continued: http://www.net-security.org/malware_news.php?id=2507

Face recognition API for Google Glass to be released

In reply to: NEWS - May 29, 2013

... this week

An API that will enable developers to program facial recognition into Google Glass apps is due to be released this week by Lambda Labs, a San Francisco startup.

Company co-founder Stephen Balaban said that the API will be available to any interested developer, according to TechCrunch's Sarah Perez.

TechCrunch says that Lambda Labs' facial recognition API went into beta last year and is now in use by 1,000 developers, including several major international firms.

The API is now seeing 5 million calls per month and is growing at 15 percent month-over-month, Perez writes, with Lambda Labs now on the brink of releasing a version of the API that will recognize faces and objects in Google Glass apps.

Continued: http://nakedsecurity.sophos.com/2013/05/29/face-recognition-api-for-google-glass-to-be-released-this-week/
Seriously? USA to legalize rootkits, spyware, ransomware and

In reply to: NEWS - May 29, 2013

...trojans to combat piracy?

From the Emsisoft Blog:

By now most users will already be familiar with ransomware, either because they have been affected by it themselves at some point or because they have seen it on a friend's PC. Ransomware usually refers to a special category of malware that essentially tries to hold a user's computer and files hostage and demands payment of a ransom in exchange for returning control of the computer back to the user. The general method of operation so far has been to simply confront the user with fictitious legal accusations. However there is a slight chance that in the not so distant future these accusations may no longer be fabricated.

Just a few days ago the "Commission on the Theft of American Intellectual Property" released their 84-page report (pdf). Amidst a large amount of rather naive ideas there is one idea that strikes us as particularly insane: The report proposes the use of malware to determine whether or not you are pirating intellectual property and, if you are, to lock your computer and hold all your files hostage until you call the police and confess to your crime:

Continued: http://blog.emsisoft.com/2013/05/27/seriously-usa-to-legalize-rootkits-spyware-ransomware-and-trojans-to-combat-piracy/
Moore, Oklahoma tornado charitable organization scams

In reply to: NEWS - May 29, 2013

Moore, Oklahoma tornado charitable organization scams, malware, and phishing

Adrien de Beaupré @ the SANS ISC Diary:

I find it sad that, in times when people are facing disaster, many have died, others are missing, and the survivors face having lost everything, there are scumbags who will try to take advantage. Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has not been around for very long. There are many legit charities; I would recommend sticking to ones you are already familiar with. The American Red Cross, for example, has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well established charity that does good work and is already involved in helping out in Moore, Oklahoma.

Routine monitoring of newly registered domain names shows a number of brand new ones that have words like Oklahoma, Moore, tornado, recovery, help, assistance, and similar. I am certain that a number are registered by well meaning people, however I am equally sure that many are fake or scams. It does not take long for any recent newsworthy topic to be the subject line of phishing, malware, and scammers.

Another handler remarked that the new trend seems to be crowd funding; hopefully the money raised will make its way to the charity where it belongs.
