Researchers To Demonstrate New Attack That Exploits HTTP
Issuing very slooowwww HTTP POST connections results in major denial-of-service attack on Web-based servers and can build "agentless" botnet.
A flaw in the HTTP protocol leaves the door open for attackers to wage a new form of distributed denial-of-service (DDoS) attack that floods Web servers with very slow HTTP "POST" traffic.
Researchers next week at the OWASP 2010 Application Security Conference will demonstrate the new attack, showing how online gaming could be used as a way to recruit bots in an "agentless" botnet that executes this slow HTTP POST DDoS attack. The bot does the bidding of the botnet without getting infected with bot malware.
Researcher Wong Onn Chee, who first discovered the attack in 2009 with a team of researchers in Singapore, says HTTP is "broken" and leaves all Web-based servers or systems with a Web interface vulnerable to this form of attack. "We believe that the fix is in the actual protocol as it is broken by design and affects everyone globally and anything using a Web application. This talk is very sensitive and should be highlighted for U.S. critical infrastructure," Onn Chee says of his upcoming presentation. "If it has a Web interface, we can knock it down [with this attack]: think SSL VPN and other critical systems accessed with a Web browser that you need to connect to by posting information."
He and Tom Brennan, a security researcher with Proactive Risk, at OWASP will present the research on the attack and solicit input on how to mitigate it.
Sony BMG rootkit scandal: 5 years later
The revelation 5 years ago that Sony BMG was planting a secret rootkit onto its music customers' Windows PCs in the name of anti-piracy is seen now as one of the all-time significant events in IT security history.
"Sony rootkit was one of the seminal moments in malware history," says Mikko Hypponen, chief research officer at Helsinki, Finland-based security company F-Secure. "Not only did it bring rootkits into public knowledge, it also gave a good lesson to media companies on how not to do their DRM [digital rights management] solutions."
Turkey lifts YouTube ban after more than 2 years
Turkey said Saturday that it was lifting a ban on YouTube more than two years after it blocked access to the site because of videos deemed insulting to the country's founder.
Transport Minister Binali Yildirim, who is in charge of Internet issues, said the government has been in touch with Google, which owns YouTube. There was no longer any reason to ban the video-sharing site, he said, as the offending videos had been removed.
"In the end, common sense prevailed. The reasons for the YouTube ban do not exist anymore," Yildirim said.
"The ban has been removed," Yildirim said on NTV television. "But we didn't get here easily, we have been through a lot in the process. I hope that they have also learned from this experience and the same thing will not happen again. YouTube will hopefully carry out its organization in Turkey within the limits of law in the future."
Turkey's telecommunications authority banned access to YouTube in May 2008 after users complained that some videos insulted Mustafa Kemal Ataturk, who founded the country in 1923. It is a crime in Turkey to insult Ataturk. The country has implemented reforms as part of a bid to join the European Union, but still faces questions about its record on free expression.
Yes, you need anti-virus on your Mac .. and now it's free
Sophos has today announced the world's first free business-strength anti-virus program for Macs.
In a pretty exciting move, we're making a version of our Mac anti-virus product (used by big companies around the world) available for free download to home consumers.
That means your home Macs can be protected automatically in-the-background with the latest anti-virus protection, checking every program you run, every file you download, every USB stick you insert, completely free. Is there a catch you're wondering? Well, nope! There isn't!
I'm really pleased about this, because I love Macs. Back at Cluley Towers we only use Macs at home - they're great for messing around with family photographs, making movies, storing music, the list goes on..
Graham Cluley's post continued @ Sophos Naked Security Blog
Also : Sophos debuts freebie anti-virus scanner for Macs
Fast start of DNSSEC with .net and .com
At the end of last week, US company VeriSign announced the roll-out schedule for the authentication of .com and .net zones. From the 9th of December, .net domains are to be authenticated via keys that are based on the new DNSSEC (Domain Name System Security Extensions) protocol and stored in the Domain Name System (DNS). Responses that don't originate from the server that was authorised for a domain will be detected when signatures are validated.
Signatures for .net domains have been available since the 29th of October, but they cannot be validated yet. Signatures for the .com zone are to follow in March; users will be able to protect their own .com domains with DNSSEC signatures shortly afterwards. This is mainly designed to prevent future cache-poisoning attacks.
Lookout Mobile Security Extends Support to Android Smartphone
"The application's Privacy Advisor feature allows users to scan every app they download."
Cloud-based smartphone security software developer Lookout Mobile Security announced Lookout Premium for Android, which includes updated security and privacy features for added smartphone protection. Lookout Premium now offers visibility into, and control of, personal information that smartphone apps access with the new Privacy Advisor. Lookout Premium will be available for all Android users on Nov. 16 for $2.99 per month or $29.99 annually, with a 30-day free trial.
With Privacy Advisor, users can scan every app they download and view a list of apps that can access their private data, such as identity information, location, and messages. Additionally, consumers can view app reports on the capabilities of these applications on their phone. Consumers can download Lookout from the Android market via Lookout's Web site.
Also : Lookout launches fee-based mobile security service
Spontaneous worldwide reboot of Check Point appliances
On the 30th of October at 24:00 GMT (UTC), Check Point security appliances UTM-1 Edge and Safe@Office generated a number of reports of a worldwide spontaneous reboot. It took several minutes until connections, such as VPN connections, were re-established.
The event reportedly had nothing to do with the time change. According to Check Point, an internal counter was responsible for the reboot, which takes place every 13.6 years. Check Point says that it does not expect this to be a recurring issue within the lifetime of current products.
However, users who may have set the wrong date in the appliance could still be victims of the effect. There have been complaints in various forums that Check Point took several days to respond to the problem.
Compromised Websites Use Java Flaws, Hit Japanese Users
A major attack has hit Japanese users, affecting more than 100 corporate clients. These users visited compromised sites that were used to serve malware via malicious Java files.
As of this writing, we are still looking into this attack although we are releasing information about it in order to warn users of the potential threat.
Here is how this attack progresses:
1. Users view the legitimate site, which has been compromised by the addition of malicious scripting code.
2. This malicious scripting code redirects users to certain malicious sites.
3. These malicious sites host JAVA_AGENT.P and JAVA_AGENT.O, which use Java vulnerabilities to download and run files.
4. TROJ_DLOAD.SMAB is downloaded, which downloads TROJ_DLOAD.SMAD, which in turn downloads TROJ_DROPPER.OMJ.
5. TROJ_DROPPER.OMJ drops TROJ_EXEDOT.SMA.
6. TROJ_EXEDOT.SMA checks and reports to certain URLs if certain processes are running on the system. It also attempts to download and execute more malicious files (the sites it attempts to download files from are now offline).
Continued @ TrendLabs Malware Blog
The unvarnished truth about unsecured Wi-Fi
Chances are you don't leave your front door unlocked. And you shouldn't leave your Wi-Fi network unsecured either.
Many of you may have heard this before, but many still seem to not be doing anything about it. You should. Here's why. With a $50 wireless antenna and the right software a criminal hacker located outside your building as far as a mile away can capture passwords, e-mail messages, and any other data being transmitted over your network, and even decrypt data that is supposedly protected.
Someone could also join the network and launch attacks on your computer and any other devices using the network at that time. If file sharing has been left on or the personal firewall is misconfigured it's relatively easy to access the computer via an open Wi-Fi network. Someone could upload an executable program to a file on your hard drive that steals data or just leaves a back door for future access. And if you are using the network to connect to a corporate network through a VPN (virtual private network) an attacker can get into the corporate system too.
"The most dangerous thing is a direct attack," Don Bailey, a security consultant at iSec Partners who is also an expert on telecommunications snooping, told CNET. "The threat is not only that your traffic can be sniffed, but that an attacker can get access to all your data and connections on your computer, even those supposedly secured by SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption."
Google seems to classify self as potentially malign
Casual observers may have concluded that Google has defined a portion of its own search page as potentially malign this morning.
In reality, the warning that users visiting a particular page might become exposed to drive-by download attacks involved blogspot.com, linked to the serving of content from a hacker-controlled domain. A screenshot of the snafu was captured by security researcher Mikko Hyppönen of F-Secure here.
"The warning about google.com was shown by the browser when accessing a page on Blogspot by clicking a link in Google search results," Hyppönen told El Reg. "The problem was on blogspot.com, not on google.com - it just looked that way."
Verisign Offers $1 Promo For Its Trust Seals
One-day promotion offered on Nov. 3 to help SMBs promote consumer confidence in their e-commerce sites.
To help companies provide websites that customers can feel safe to browse and to buy from, VeriSign is having a one-day-only sale of its new VeriSign Trust seals, all day Wednesday, November 3, as part of a pre-holiday promotion campaign aimed at small business owners.
According to VeriSign, "The VeriSign Trust seal shows the world that VeriSign has confirmed your identity and your site has passed the VeriSign malware scan."
A year's worth of service for a VeriSign Trust seal normally sells for $299. During the "Dollar Day" sale, which will run from 12:01AM PST to 11:59PM -- "from midnight to midnight," said Tim Callan, head of marketing for VeriSign trust services at Symantec -- VeriSign is offering a $298 discount on one year's worth of Trust seal.
Available since April 2010, the VeriSign Trust seal is an alternative to the company's older seal. "The 'VeriSign Secured' circle-and-check VeriSign Seal has historically been yoked to our VeriSign SSL certificate, which meant that you had to be using VeriSign SSL Certificates to get a seal," said Callan.
"But many small businesses outsource their shopping cart to a third party like Yahoo or eBay, where they can't get SSL," said Callan. These third-party shopping carts are typically secured with SSL on their own, as indicated by the URL starting with HTTPS or SHTTP. "This means that credible businesses are penalized for being too small. So we are creating a standalone version of the seal. Businesses have to be secure, and have their identity confirmed... but they don't have to be using SSL."
The cost of a regular VeriSign Trust seal including the SSL Certificate is $399/year.
Blackbelt dares hackers to beat Android security app
Putting its money where its mouth is, mobile insecurity company Blackbelt is offering an HTC Desire HD to the hacker that can crack its Mobile Antitheft product or just give it some good feedback.
Blackbelt is so confident of its new product for Android phones that it will give away the HTC handset prize to the hacker that provides the best feedback, after they have failed to crack the software.
The software is said by Blackbelt to protect against malware, spyware and trojans. It scans the handset, has automatic updating and locks the phone and alerts up to three different phone numbers if there is a change of SIM card.
Would-be hackers can register for the competition at Blackbelt's website.
"Entrants must break into the Antitheft-installed devices, which will be hosted online by Perfecto Mobile, and recover several pieces of information in order to prove that they have cracked the lock," says Blackbelt.
OpenDNS Announces October 2010 PhishTank Findings
OpenDNS today announced October 2010 statistics for PhishTank.com, the free community Web site where anyone can submit, verify, track and share phishing data. During the month of October, the PhishTank community voted nearly 50,000 times on almost 14,500 suspected phishes. Social gaming site Zynga surged to the number six position on the list, just a month after entering the top ten most targeted brands list for the first time.
Included among the top most spoofed brands this month is PayPal, with more than 6,400 valid phishes. Other frequently spoofed brands include the Internal Revenue Service, Facebook, and HSBC. These companies are frequent targets of online scammers, and have been for years. With Zynga's popularity -- more than 215 million people play a Zynga game each month -- it's no surprise the company's social games have caught the eye of phishing websites as well.
OpenDNS is the world's largest, fastest-growing DNS service. PhishTank is the only consumer-friendly, anti-phishing effort that publicly shares timely phishing data.
Highlights from the October 2010 PhishTank statistics include:
Total number of votes by the PhishTank community: 50,079
Total number of unique, suspected phishing scams reported: 8,468
Country hosting the most phishing sites: United States
Percentage of phishing sites hosted in United States: 49
Median time it took for the PhishTank community to verify phishes: 3 hours, 53 minutes
For more detailed information about PhishTank's October statistics, including the full list of most spoofed brands, please visit:
Adobe Accelerates Patch Schedule for Critical Flash Bug
Adobe has moved up the release date for the patch for the critical bug in Adobe Flash Player revealed last week, and now plans to have a fix ready on Thursday. The company still plans to patch Reader two weeks from now.
The vulnerability in Flash also exists in Reader and researchers said last week that attackers had already begun exploiting the bug in Reader by the time that Adobe acknowledged the problem and published an advisory. At the time of the initial advisory, Adobe officials said they planned to release a patch for Flash on Nov. 9 and for Reader on Nov. 15.
On Tuesday, the company updated its guidance, saying that the patch for Flash on Windows, Mac, Linux and Solaris will be pushed out on Thursday, Nov. 4, and that the fix for Flash on Android will still be published Nov. 9. The schedule for the Reader patch remains the same.
Also see: Unpatched Critical Flash Player Vulnerability Possibly
Firesheep not evil, says snooping tool's maker
"He blasts Microsoft for tagging packet sniffer as malware"
The security researcher who created the Firesheep snooping tool defended his work today, saying it's no one's business what software people run on their computers.
He also criticized Microsoft for adding detection of Firesheep to its antivirus software, calling the Redmond, Wash. company's move "censorship."
Eric Butler, the Seattle-based Web applications developer who released Firesheep more than a week ago, took to his blog Tuesday to counter claims that the tool, or more precisely, using the tool, is unethical and perhaps illegal.
Firesheep, which was released Oct. 24 and has been downloaded nearly 550,000 times since, is an add-on to Mozilla's Firefox browser that identifies users on an open network -- such as a coffee shop's public Wi-Fi hot spot -- who are visiting an unsecured Web site. A double-click in Firesheep gives its handler instant access to the accounts of others accessing Twitter and Facebook, among numerous other popular Web destinations.
Your Money or Your Business
New fees levied by financial institutions are likely to push many small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.
On the way home from the store last week I caught a Public Radio/Marketplace story in which the radio show interviewed a small business owner who was nudged into banking online after discovering a $9.99 fee had been added to her business banking account for the privilege of continuing to receive paper statements each month.
The angle of the story was the unfairness of the new fees, considering the estimated 12 million people in the United States who have no or only slow access to the Internet. In the following snippet from that program, Marketplace's David Brancaccio interviewed a woman from Northern New Hampshire:
Hackers tap SCADA vuln search engine
A search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering, the US Computer Emergency Readiness Team has warned.
The year-old site known as Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. As white-hat hacker and Errata Security CEO Robert Graham explains, the search engine can also be used to identify systems with known vulnerabilities.
According to the Industrial Control Systems division of US CERT, that's exactly what some people are doing to discover poorly configured SCADA gear.