Stuxnet worm rampaging through Iran: IT official
The Stuxnet worm is mutating and wreaking further havoc on computerised industrial equipment in Iran where about 30,000 IP addresses have already been infected, IRNA news agency reported on Monday.
"The attack is still ongoing and new versions of this virus are spreading," Hamid Alipour, deputy head of Iran's Information Technology Company, was quoted as saying by IRNA, Iran's official news agency.
Stuxnet, which was publicly identified in June, was tailored for Siemens supervisory control and data acquisition, or SCADA, systems commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.
The self-replicating malware has been found lurking on Siemens systems mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, according to researchers.
The hackers, who enjoyed "huge investments" from a series of foreign countries or organisations, designed the worm to exploit five different security vulnerabilities, Alipour said while insisting that Stuxnet was not a "normal" worm.
He said his company had begun the cleanup process at Iran's "sensitive centres and organisations," the report said.
Continued : http://news.yahoo.com/s/afp/20100927/tc_afp/iranitcomputersecurityenergystuxnet
Also : Iran confirms Stuxnet cyber attack
Another Twitter hole opened and closed
Over the weekend another Twitter hole opened up when postings appeared, one saying "W T F" and including a link and the other proclaiming a preference for a certain sexual activity with goats. People who clicked on the link through the Twitter web front end found themselves looking at a blank page, but in the background, two hidden frames posted to Twitter on their behalf proclaiming the same preference and sending the same link to their followers. Twitter "fixed the exploit" within hours and removed offending tweets.
The problem in this case is that Twitter allows sites to include IFRAMES which can be hidden on a page. These can perform a GET operation to update the status of the user's Twitter account. An early analysis pointed the blame at the IFRAMES and GET issue making Twitter vulnerable to CSRF (Cross Site Request Forgery) attacks. The code itself was hosted on pastehtml.com which offers free anonymous web-hosting. The attack itself did nothing except add its tweets to the user's timeline.
As Posted : http://www.h-online.com/security/news/item/Another-Twitter-hole-opened-and-closed-1096619.html
Also : W T F worm makes Twitterers declare goat lust
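As an added example, not code from the article or from Twitter, this JavaScript models the hidden-IFRAME GET flaw described above beside a hardened handler that requires POST, a first-party Origin and a synchronizer token; the session store, handler names and first-party origin are assumptions.

```javascript
// Added example (not from the original article or from Twitter): a minimal
// model of the IFRAME + GET CSRF flaw, beside a hardened handler.
// All names (session store, handler functions, SITE_ORIGIN) are hypothetical.

// Constructed session store: the victim is logged in and holds a per-session
// synchronizer token that a third-party page cannot read.
function makeSessions() {
  return { "sess-abc": { user: "victim", timeline: [], csrfToken: "tok-9f3e2c" } };
}

const SITE_ORIGIN = "https://twitter.example"; // hypothetical first-party origin

// Vulnerable: any request carrying the session cookie posts a status. A hidden
// <iframe src="https://twitter.example/status?text=..."> on another site makes
// the browser attach the cookie automatically, so the GET is forgeable.
function vulnerableStatusUpdate(sessions, req) {
  const session = sessions[req.cookies.session];
  if (!session) return 401;
  session.timeline.push(req.params.text);
  return 200;
}

// Constant-time string comparison so the token check does not leak by timing.
function tokensMatch(a, b) {
  if (typeof a !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened: state changes need POST, a first-party Origin header (a missing or
// foreign Origin is rejected) and a synchronizer token equal to the one in the
// session. The cookie alone no longer suffices, so a cross-site frame fails.
function hardenedStatusUpdate(sessions, req) {
  const session = sessions[req.cookies.session];
  if (!session) return 401;
  if (req.method !== "POST") return 405;
  if (req.headers.origin !== SITE_ORIGIN) return 403;
  if (!tokensMatch(req.params.csrfToken, session.csrfToken)) return 403;
  session.timeline.push(req.params.text);
  return 200;
}

// Constructed request as a hidden frame on a third-party page produces it:
// GET, cookie attached by the browser, foreign Origin, no token.
const framedRequest = {
  method: "GET",
  headers: { origin: "http://free-hosting.example" },
  cookies: { session: "sess-abc" },
  params: { text: "forged status" },
};

// Constructed request from the site's own form: POST, same Origin, token present.
const legitimateRequest = {
  method: "POST",
  headers: { origin: SITE_ORIGIN },
  cookies: { session: "sess-abc" },
  params: { text: "hello", csrfToken: "tok-9f3e2c" },
};

// Runs one handler against one request on a fresh session store and reports
// the status code plus how many statuses landed on the victim's timeline.
function runScenario(handler, req) {
  const sessions = makeSessions();
  const status = handler(sessions, req);
  return { status, posted: sessions["sess-abc"].timeline.length };
}
```

The vulnerable handler accepts the framed GET and posts on the victim's behalf; the hardened one rejects it at the method check, and a framed POST from the foreign origin is stopped by the Origin and token checks.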
Spam Affiliate Program Spamit.com to Close
Spamit, a closely guarded affiliate program that for years has paid some of the world's top spammers to promote counterfeit pharmacy Web sites, now says that it will close up shop at the end of September.
Spamit administrators blamed the impending closure on increased public attention to its program, which interacted with affiliates via several sites bearing the spamit brand, including spamit.com, spamit.biz, and spamdot.biz. [Screenshot]
The program's homepage was replaced with the following message (pictured above) a few days ago:
'Because of the numerous negative events happened last year and the risen attention to our affiliate program we've decided to stop accepting the traffic from 1.10.2010 [Oct. 1, 2010]. We find the decision the most appropriate in this situation. It provides avoiding the sudden work stop which leads to the program collapse and not paying your profit.
In our case the whole profit will be paid normally. All possible frauds are excluded. Please transfer your traffic to other affiliate programs till 1.10.2010.
Thank you for your cooperation! We appreciate your trust very much!'
Dmitry Samosseiko, senior manager of SophosLabs Canada, wrote last year in his excellent Partnerka paper (PDF) that Spamit affiliates are thought to be responsible for managing some of the world's most disruptive, infectious and sophisticated collections of hacked PCs or "botnets," including Storm, Waledec and potentially Conficker.
Continued : http://krebsonsecurity.com/2010/09/spam-affialite-program-spamit-com-to-close/
Zeus botnets' Achilles' Heel makes infiltration easy
"C&C hijacking comes to the unwashed masses"
A security researcher has discovered a potentially crippling vulnerability in one of the most widely used botnet toolkits, a finding that makes it easy for blackhats and whitehats alike to take control of huge networks of infected PCs.
The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.
That means the bug could make takedowns by law enforcement and rival crime gangs significantly easier, said Billy Rios, the researcher who discovered the defect and has written a simple program to exploit it.
"Once you run the C&C take-over script, you can read and write anything you want to the C&C," he told The Register. "You could plant a backdoor in the C&C, steal all the data, destroy the C&C, or take it over. Because you have access to the C&C, you'll also have access to the botmaster's C&C username and password hashes. You'll also have access to the cleartext database username and password supporting the C&C."
Continued : http://www.theregister.co.uk/2010/09/27/zeus_botnet_hijacking/
Comcast Hackers Get 18-Month Prison Sentences
"Two men are sentenced to more than a year in prison for redirecting traffic from Comcast.net to sites under their control."
Two men accused of hacking the Comcast Website were sentenced Sept. 24 to 18 months in prison.
The Department of Justice said in a news release, "Christopher Allen Lewis, aka 'EBK,' 20, of Newark, Del., and Michael Paul Nebel, aka 'Slacker,' 28, of Kalamazoo, Mich.," had previously pleaded guilty to charges of "conspiring to disrupt service at [Comcast's] www.comcast.net Website on May 28 and 29, 2008." The statement continued:
"Lewis, Nebel and co-defendant James Robert Black, Jr., aka 'Defiant,' were associated with the hacker group Kryogeniks. On May 28, 2008 ... [the group] used their hacking skills to redirect all traffic destined for the www.comcast.net Website to Websites that they had established. As a result, Comcast customers trying to read their e-mail or listen to their voice mail were sent to a Website where they found a message that read, 'KRYOGENIKS Defiant and EBK RoXed COMCAST sHouTz to VIRUS Warlock elul21 coll1er seven.'
Continued : http://www.eweek.com/c/a/Security/Comcast-Hackers-Handed-18month-Prison-Sentence-614132/
Also : Men sentenced to prison for Comcast hijack
XSS Worm Hits Orkut
A cross-site scripting vulnerability was exploited Saturday on Orkut to launch a fast-spreading worm that auto-posted a rogue message reading "Bom Sabado" on people's scrapbooks.
"Bom Sabado" means "Good Saturday" in Portuguese, which led some people to assume that the worm originated in Brazil, where Orkut has a significantly large user base.
The attack was extremely viral and affected almost 10% of all Orkut users, 70% of which are from India or Brazil. The social network has over 52 million users.
Google fixed the underlying vulnerability in a matter of hours. "[...] We've contained the "Bom Sabado" virus and have identified the bug that allowed this and have fixed it. We're currently working on restoring the affected profiles," a Google employee named Doree announced on the Orkut Help forum.
Continued : http://news.softpedia.com/news/XSS-Worm-Hits-Orkut-158198.shtml
Personality test spreads across Twitter
Has one of your Twitter friends invited you to take a personality test this weekend? [Screenshot]
A typical message might have read something like:
Just took the personality test on Twitter <link> #personality test
There certainly seem to have been plenty of Twitter users posting up this message in the last few hours, so what's behind it?
Well, if you click on the link you get taken to a website called Intelligent Elite, which describes itself as "a platform that allows intelligent people to find intelligent friends, intelligent love, and intelligent business partners" and claims to be connected with Mensa.
Of course, you may not be interested in searching for new love with a brainiac. But, in short, the site lures you in via a personality test - with the intention of signing you up to become a member. Hmm - remind you of any group in particular?
Well, this personality test may not be connected with Scientology, but you may soon find yourself trying to recruit other members as we'll soon see.
Clicking on the link takes you to a cartoon of an Einstein-lookalike, encouraging you to take the personality test.
Continued @ Graham Cluley's Blog : http://www.sophos.com/blogs/gc/g/2010/09/26/personality-test-spreads-twitter/
Free malicious PDF analysis e-book
Didier Stevens, the hacker who became a synonym for malicious PDFs, released a free e-book (zip). It's a chapter he wrote as co-author of a malware analysis book.
For more information on malicious PDF files, view the video below that we made with Didier at last year's BruCON security conference:
Continued (with 9.25 minute video) here : http://www.net-security.org/secworld.php?id=9913
USB drive identifies and extracts data, leaving no footprint
Harris Corporation introduced a highly customizable USB thumb drive that quickly extracts targeted data from computers. The device, called BlackJack, is designed for military, intelligence, and law enforcement cyber security missions, where speed, stealth and accuracy are paramount considerations.
The BlackJack device boots in less than three seconds. It automatically scans and copies data by prioritizing search criteria and securely partitions search results for analysis. Unlike other search devices, it has LED indicators that immediately alert to the presence or absence of targeted data, so users can be certain whether they have indeed located and extracted information of interest.
Continued : http://www.net-security.org/secworld.php?id=9915
Spamhaus Releases The Spamhaus Whitelist
The Spamhaus Project has released a whitelist called the Spamhaus Whitelist. Long awaited in the industry, the Spamhaus Whitelist allows internet mail servers to separate incoming email traffic into 3 categories: Good, Bad and Unknown, allowing mail server operators to block known bad email traffic, let known good email traffic pass safely, and heavily filter unknown email sources.
It is intended for email from qualified corporations such as banks, accounting firms, law firms, airlines; from medical centers & government agencies, and transactional email from automated billing systems, ecommerce servers, online banking and booking systems. The Spamhaus Whitelist is designed to enable special and priority handling by email servers of important email from senders who are known to be extremely unlikely to ever send spam.
The benefit is better, faster and infinitely safer spam filtering. For email recipients, the Spamhaus Whitelist heralds an end to many messages wrongly marked as spam by scoring systems, content filters, local "blacklists" or poor filtering choices. For email senders, it will mean a large reduction to important mail being delayed, lost in junk folders or wrongly classified as spam.
For transactional email, such as ecommerce systems, banking, airline booking, mail from medical centers, judiciary or government departments, the Spamhaus Whitelist will mean email can arrive no matter how heavily filtered the receiver's mailbox is.
Continued : http://www.spamhaus.org/news.lasso?article=662
Full information on the Spamhaus Whitelist : http://www.spamhauswhitelist.com
ZeuS attacks mobiles in bank SMS bypass scam
"Flicks two fingers to two factor authentication"
Security researchers have warned that cybercrooks might be able to compromise online bank accounts even in cases where banks use SMS messages to authorise transactions.
The approach relies on first compromising a targeted user's computer using a variant of the ZeuS banking Trojan before infecting the same user's smartphone. Thereafter it would be possible to initiate a transaction and authorise it following the receipt of an SMS message to a second compromised device.
The so-called ZeuS Mitmo (man-in-the-mobile) attack is explained in a blog post by David Barroso, of S21sec e-crime. The approach first relies on tricking a user into getting infected by Zeus on the desktop, perhaps via use of a targeted email that points to a booby-trapped website or contains an infected attachment. Thereafter a user's login credentials are captured next time the mark logs into an online banking site.
The malware then generates a fake dialog box that attempts to trick the victim into disclosing the number and manufacturer of his or her mobile phone. This phone would then be sent a fake security certificate, which is actually a malicious banking Trojan tailored to the target's smartphone (this can be either Symbian or BlackBerry).
Continued : http://www.theregister.co.uk/2010/09/27/zeus_mobile_malware/
Also : New ZeuS Component Targets Mobile Phones
Attacks MPAA's UK Law Firm Lead to Data Leaks, Lawsuit
A UK law firm that has aggressively pursued cases against illegal file sharing on behalf of the Motion Picture Association of America (MPAA) and Recording Industry Association of America (RIAA) now finds itself in the cross hairs of both hackers and privacy activists.
The firm was the subject of distributed denial of service attacks orchestrated by the online prank group 4chan last week - part of a larger action against the Web sites of the MPAA, RIAA and an anti-piracy technology company, according to a report by torrentfreak.com. That attack prompted a feisty response in published reports from Andrew Crossley, a principal at the firm, after the firm was able to restore its Web site. That response, in turn, led to further attacks and the publication, over the weekend, of what appear to be personal and company e-mails from ACS. Those e-mails expose embarrassing personal correspondence, as well as personal details on UK residents whom ACS was pursuing for illegal download activities and what appear to be disturbing insights into ACS's pursuit of them on behalf of clients like the MPAA.
Crossley did not immediately respond to a request for comment.
Torrents of the e-mail archives and stolen fax messages were published on the Pirate Bay, a file sharing hub, and on the Web. Due to heavy traffic, Threatpost.com was not able to view the files to confirm their authenticity. According to published reports, however, they include both Crossley's personal e-mail and those of the firm and individual employees. The amount of e-mail stolen ranges from a month to several months.
Continued : http://threatpost.com/en_us/blogs/attacks-mpaas-uk-law-firm-lead-data-leaks-lawsuit-092710
Also : Anti-piracy lawyers' email database leaked after hack
Prior Posts :
Second piracy threat lawyers withstand DDoS attack
Law Firm Attacked as 4Chan DDoS Campaign Continues
Vodafone plugs security vulnerability on UK service web site
Until this weekend, it was possible, using a simple trick, to access customer e-mail addresses and telephone numbers from the UK mobile operator's web site. The site displayed customers' private e-mail addresses after clicking on the 'forgot password' button on the account login screen. Further mouse work allowed access to mobile numbers. To view user details, users merely needed to guess a user name or read one off the forums.
The security vulnerability came to light as a result of a posting on Wednesday by user johnnytruant on the Vodafone forums. Vodafone customers then spent two days complaining on the forum that the password reminder service should have been taken down until the problem could be fixed. Instead, Vodafone representatives merely posted to the forum that they were urgently looking into the issue.
Continued : http://www.h-online.com/security/news/item/Vodafone-plugs-security-vulnerability-on-UK-service-web-site-1096775.html
Also : Vodafone fixes hole in customer site after data exposed
Microsoft Hotmail Security Enhancements Coming
"Microsoft said it is delivering security changes to Hotmail users this week, including new user identity proofs and detection capabilities meant to thwart account hijacking."
Microsoft has begun rolling out new security features for Hotmail users today centered around preventing and detecting account compromises.
The changes, which Microsoft first discussed with eWEEK in May, will take about a week to roll out to all users, Dan Lewis, senior product manager for Windows Live Hotmail, told eWEEK. Once they arrive, the changes will include both new proofs for user authentication as well as detection capabilities meant to identify hijacked accounts.
In the area of proofs, users will be able to add a "Trusted PC" to associate with their Hotmail account. If an account is compromised, all a victim needs to do to reclaim their account is to log in from their trusted machine.
Cell phones can be used as proofs as well, with Microsoft sending a code via SMS message to allow users to reset their passwords.
"Account proofs are like a spare key to your account," Lewis said. "If you set them up in advance, in the unlikely event that you forget your password or someone hijacks your account you can use them to 'prove' that you are the rightful owner and kick out the hijacker."
Continued : http://www.eweek.com/c/a/Security/Microsoft-Hotmail-Security-Enhancements-Coming-313851/
Execs see value in Web 2.0 but worry about security
A McAfee survey of more than 1,000 business executives across 17 countries has found that Web 2.0 technologies can increase employee productivity and generate revenue. But half of the business executives expressed fears over the security risks that come from social media, blogging, Web mail, and content-sharing tools.
Released Monday, the "Web 2.0: A Complex Balancing Act" (PDF) report was commissioned by security software maker McAfee and authored by faculty at Purdue University to study the benefits and risks of Web 2.0 technologies in the business world.
The study showed that three out of four companies surveyed use Web 2.0 for different business reasons, including IT, sales and marketing, customer relations, advertising, and human resources. Most companies see the potential to drive new sales as the key motivator, while others say that Web 2.0 tools have boosted productivity and created more effective marketing strategies. [Screenshot]
But companies are worried about specific threats from the use of Web 2.0 tools, including malicious software, viruses, overexposure of information, and spyware. And some of those fears have already been borne out.
Continued : http://news.cnet.com/8301-1009_3-20017667-83.html
Also : 50% of firms worried about security of Web 2.0 tools
Microsoft to Release Emergency Patch For ASP.NET Bug
Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle attack that was disclosed earlier this month. The patch will only be available on the company's Download Center for the time being, however.
The company is taking the step of releasing an emergency fix for the bug because of the seriousness of the vulnerability--which potentially affects millions of Web applications--and the fact that there are attacks ongoing against it already. The patch will fix the flaw in all versions of the .NET framework.
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," Microsoft security official Dave Forstrom said in a blog post on the emergency patch.
"The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately. We strongly encourage these customers to visit the Download Center, download the update, test it in their environment and deploy it as soon as possible."
Microsoft plans to release the ASP.NET patch through Windows Update and Windows Server Update within the next week.
Continued : http://threatpost.com/en_us/blogs/microsoft-release-emergency-patch-aspnet-bug-092710
Also : Microsoft to issue ASP.net patch out of cycle on Tuesday
Phishing the Apple Store
In September 2010, Symantec observed a phishing Web site that spoofed the Apple brand by mimicking the "My Apple" Web site of the Apple Store. The legitimate Apple Store Web site provides customers with the latest Apple news, software updates, and information on Apple products and services.
The phishing site prompted customers to update their profile information, purportedly so that they may continue to receive updates and news from Apple. The heading of the page stated "Complete the fields below, then click the Continue button to save". The sensitive information requested was the Apple ID, password, customer's name, credit card CVV number, and contact details. After the required information was entered and the "Continue" button was clicked, the phishing site returned an error message stating "Your session has timed out after a period of inactivity. Please return to the Store Menu to continue shopping". The phishing site then redirected the victim to the legitimate Apple Store Web site, which created the illusion that a common error had occurred. This way, the victim may not notice that the information had already been given to the phishing site; the fraudster would have successfully stolen their information for financial gain. [Screenshot]
The phishing site was hosted on a free Web-hosting site located on servers based in Canada. Although the domain name was a free Web-hosting domain, the phishing URL may appear to be legitimate at first glance due to the use of certain keywords that make the phishing URL resemble the legitimate URL. Below is an example:
Continued : http://www.symantec.com/connect/blogs/phishing-apple-store