
Monday, December 6, 2010

Polymorphic injection attack targets WordPress blogs.

Polymorphic injection attack targets WordPress blogs. Security researchers have identified a sophisticated mass injection attack that uses polymorphic obfuscation and so far has targeted WordPress blogs at a U.S.-based hosting provider. According to a principal virus researcher at Sophos, the attacks began in the middle of November, and they all seem to affect Web sites running the popular blogging platform. A successful infection results in one or several .php files being dropped on the Web server in multiple WordPress directories. Despite the .php extension, these rogue files actually contain malicious JavaScript code obfuscated with a technique that makes every copy unique. In the security world this is known as polymorphic code, and it is used to evade antivirus software and intrusion detection systems. The second step of the attack is to inject code into legitimate .js files used by WordPress, such as the jQuery library, so that the .php files are loaded along with them. Finally, when the obfuscated JavaScript makes it onto the pages parsed by visitors' browsers, it generates a hidden element. This element is meant to load malicious content from remote servers in an attempt to infect computers with malware.

Source: http://news.softpedia.com/news/Polymorphic-Injection-Attack-Targets-WordPress-Blogs-169953.shtml

Beware! New Facebook Scam

Murder video scam circulating on Facebook. Facebook scammers are luring users into signing up for premium-rate services with promises of a video showing a guy killing his roommate after playing Black Ops. The new spam messages, which, according to security researchers from GFI Software, are rapidly spreading on the social networking site, read: "TODAY ONE GUY KILLED HER ROOM MATE WHILE PLAYING A BLACK OPS GAME IN NETWORK. LIVE DEATH VIDEO CAUGHT ON CAMERA" Black Ops refers to "Call of Duty: Black Ops," the seventh installment in the Call of Duty game series, which was just released. This, of course, is just a lure, and there is no video of any killing. Clicking on the picture as instructed prompts a permissions request dialog from a rogue Facebook app called "Shock news." The application wants access to post on people's walls. Allowing it to do this will cause users to unknowingly send spam from their accounts. The app prompt is followed by a so-called "human authentication" test, which requires people to take an IQ quiz that tries to sign them up for a $9.99 per month SMS service.


Source: http://news.softpedia.com/news/Murder-Video-Scam-Circulating-on-Facebook-169699.shtml

Friday, November 12, 2010

Beware of how you use search engines

Google SERPs show malicious URL links. Cybercrooks continue to abuse the Web, boosting their ability to produce search engine optimization (SEO) poisoning, so individuals using search engines such as Google increasingly end up with dangerous, malware-laden URL links among their choices on the Search Engine Results Page (SERP). Some 22.4 percent of Google searches done since June 2010 produced malicious URLs, typically leading to fake antivirus sites or malware-laden downloads, among the top 100 search results, according to the Websense 2010 Threat Report published November 9. That compares to 13.7 percent of Google searches having that outcome in the latter half of 2009, said the Websense senior manager of security research.

The rising level of SEO poisoning, also known as “Black Hat SEO,” shows that cybercriminals “are fine-tuning their activities and getting better at this,” he said, adding that although search engines such as Google work hard to try and stymie the Black Hat SEO effect, the trend is evident. The irony is that a user is now less likely to be infected by malware at porn and adult content sites, historically viewed as a major source of malware (now at 21.8 percent), than when searching for less scandalous topics, such as news, IT, and entertainment.

Source: http://news.techworld.com/security/3248172/

Phishing Attacks Up

Researchers see real-time phishing jump. Real-time phishing attacks that cheat two-factor authentication are on the rise around the globe as phishers adapt to the latest barriers put in their way, according to a team of researchers. Researchers at Trusteer November 9 said 30 percent of all attacks during the past two-and-a-half months against Web sites using two-factor authentication have been real-time, man-in-the-middle (MITM) methods that allow attackers to bypass this stronger authentication.

The data comes from a sampling of thousands of phishing attacks. Phishing attacks typically are static, so they are mostly rendered powerless when a bank uses two-factor authentication, such as one-time passwords. That is because the attacker may be able to capture the first level of credentials, but they are not able to easily capture and use OTPs, which quickly expire. So phishers are adapting their attacks to find ways around stronger authentication, and security experts said it was only a matter of time until they routinely started cheating banks and other transactional sites’ two-factor authentication.

This type of real-time MITM attack has been isolated and rare thus far, experts said. Trusteer researchers have spotted these attacks in South Africa, Europe, and now in the United States, the firm’s CEO said. And while these attacks are not a new concept, this is the first time his team has seen them in such high numbers, he said.

Source: http://www.darkreading.com/authentication/security/attacks/showArticle.jhtml?articleID=228200550

Mac Bug Found

Researchers sound alarm over critical Mac OS X bug. Security researchers November 9 warned that Apple’s OS X contains a critical vulnerability that attackers could use to hijack Macs running the older Leopard version of the operating system. Although Leopard was supplanted by the new Snow Leopard operating system more than 1 year ago, the older version still accounts for about a third of all installations of Mac OS X.

The bug is a variation of one Apple patched last August in iOS. The flaw was used to “jailbreak” iOS 4 devices, and it could also be exploited to plant malware or commandeer an iPhone, iPad, or iPod Touch. According to Core Security Technologies, which issued an advisory November 8, Apple has wrapped up work on a patch.

Source: http://www.computerworld.com/s/article/9195680/Researchers_sound_alarm_over_critical_Mac_OS_X_bug

Microsoft Patches... but Skips Mac Versions of Software

Microsoft patches critical Outlook drive-by bug. Microsoft November 9 patched 11 vulnerabilities, including one in Office that hackers will quickly exploit to launch drive-by attacks, security experts said. As expected, Microsoft did not ship a fix for the flaw in Internet Explorer (IE) that criminals are using to hijack Windows PCs. Of the 11 flaws addressed in three separate updates, only one was pegged as “critical,” Microsoft’s top ranking in its four-step scoring system.

The remaining 10 were all marked “important,” the second-highest rating. “The one that gives me the heebie-jeebies this month is the Office update,” said the director of security operations at nCircle Security. “The RTF vulnerability can be triggered simply by viewing a message in Outlook, so all you have to do is receive a [malicious] message. Then the game is over.” He was referring to MS10-087, a five-patch update for Office XP, 2003, 2007, and 2010 on Windows, and Office for Mac 2004, 2008, and 2011.

The only critical bug this month is in the RTF (rich text format) parser within Outlook, the e-mail client packaged with Office. “The vulnerability could be exploited when the specially crafted RTF e-mail message is previewed or opened in Outlook,” Microsoft’s advisory stated. Both Office 2007 and Office 2010, Microsoft’s two newest suites, can be exploited using drive-by attacks launched against Outlook. Today’s patch was the first critical update for Office 2010, which launched only in June 2010.

Microsoft forgets to patch Mac Office 2004, 2008. Microsoft November 9 revealed four vulnerabilities in the Mac version of its Office suite, but then failed to produce patches for the 2004 and 2008 editions. Office for Mac 2011, which launched October 26, was the only version updated as part of Microsoft’s monthly patch release November 9. Microsoft did not explain the omission of Office for Mac 2004 and Office for Mac 2008 patches, or say when it would ship updates for those editions.

According to that bulletin, Office for Mac contains four vulnerabilities, all rated “important,” the second-highest threat ranking in Microsoft’s four-step scoring system. Microsoft confirmed that each bug could be used by attackers to infect a Mac with malware by labeling them with the phrase “remote code execution.” Along with a fifth bug, the same four flaws were patched November 9 in all still-supported versions of Office for Windows.

Source: http://www.computerworld.com/s/article/9195719/Microsoft_patches_critical_Outlook_drive_by_bug

Source: http://www.computerworld.com/s/article/9195819/Microsoft_forgets_to_patch_Mac_Office_2004_2008

Wednesday, November 10, 2010

New Adobe Reader Flaw

Adobe investigating new Reader flaw. Adobe is warning users about another new vulnerability in its Reader application that causes the software to crash and could possibly lead to remote code execution as well. The new Reader bug was disclosed November 4 on the Full Disclosure mailing list, and Adobe security officials said that they are investigating the problem and looking into a potential fix. The bug can be used to cause a denial-of-service condition on vulnerable machines, Adobe said. However, one of the new security measures that the company introduced earlier this year can be used to help protect against attacks on the flaw. Adobe’s JavaScript Blacklist Framework is designed to prevent malicious APIs from running, and Adobe said that the tool can be used to stop attacks on the new Reader vulnerability. IT staff must enable and populate the blacklist manually, and Adobe has explicit instructions in its advisory on how to do that. Adobe patches Reader on a regular quarterly schedule, and the last release was October 5, which was 1 week earlier than scheduled. It is not clear whether Adobe would release a patch for this latest Reader bug before the next scheduled update.

Source: http://threatpost.com/en_us/blogs/adobe-investigating-new-reader-flaw-110510

iPhone Can Make Calls WITHOUT Your Knowledge

iPhone’s Safari dials calls without warning, says security expert. A security researcher is asserting that Apple has made a poor security decision by allowing its Safari browser to honor requests from third-party applications to perform actions such as making a phone call without warning a user. Safari, like other browsers, can launch other applications to handle certain URL protocols. These might be in clickable links, or in embedded iframes. An iframe containing a URL with a telephone number, for example, will cause Safari to ask if the user wants to make a phone call to that particular number, wrote a security researcher on the SANS Application Security Street Fighter blog.

Users can tap a button to make or cancel the call. But the researcher found that this behavior changes in some cases. For example, if a user has Skype installed and stays logged into the application, Safari does not give an alert when it encounters a Skype URL in an iframe, and immediately starts a Skype call, he said. The researcher said he contacted Apple. The company said third-party applications should be coded to ask permission before performing a transaction. But in the current arrangement, third-party applications can only ask for authorization after a person has been “yanked” out of Safari and the application has been fully launched. “A solution to this issue is for Apple to allow third-party applications an option to register their URL schemes with strings for Safari to prompt and authorize prior to launching the external application,” he wrote.

Source: http://www.computerworld.com/s/article/9195578/iPhone_s_Safari_dials_calls_without_warning_says_security_expert

Tuesday, November 9, 2010

FCC warns of looming wireless spectrum shortage.

Mobile data traffic in the United States will be 35 times higher in 2014 than it was in 2009, leading to a massive wireless spectrum shortage if the government fails to make more available, the Federal Communications Commission (FCC) said in a paper released October 2010. About 42 percent of U.S. mobile customers now own a smartphone, up from 16 percent 3 years ago, and between the first quarter of 2009 and the second quarter of 2010, data use per mobile line grew by 450 percent, the paper said.

The FCC expects smartphone use — and a corresponding increase in mobile data use — to continue to skyrocket, the FCC Chairman said. "If we don’t act to update our spectrum policies for the 21st century, we’re going to run into a wall — a spectrum crunch — that will stifle American innovation and economic growth and cost us the opportunity to lead the world in mobile communications," he warned. In a national broadband plan released in March 2010, the FCC called for 300 MHz of spectrum to be made available for mobile broadband uses in the next 5 years, and an additional 200 MHz in the subsequent 5 years.

Much of that spectrum would come from bands now controlled by the FCC or other government agencies, but 120 MHz would come from spectrum now owned but unused by U.S. television stations. Under the broadband plan, the stations would give back unused spectrum in exchange for part of the profits when the spectrum is sold at auction. The FCC would need congressional approval to hold these so-called incentive auctions.

Source: http://www.computerworld.com/s/article/352502/FCC_Wireless_Spectrum_Shortage_Looms?taxonomyId=70

Danger to IE users climbs as hacker kit adds exploit

An exploit of an unpatched Internet Explorer vulnerability has been added to a popular crimeware kit, a move that will likely push Microsoft to fix the flaw with an emergency update, a security researcher said November 7. Microsoft has warned users of its IE6, IE7, and IE8 browsers that hackers were already exploiting a vulnerability in the programs by tricking them into visiting malicious or compromised Web sites. Once at such sites, users were subjected to "drive-by" attacks that required no action by them to succeed.

Symantec was the first to report the IE bug to Microsoft after the antivirus vendor captured spam posing as hotel reservation notifications sent to select individuals within several organizations. On November 7, the chief research officer of AVG Technologies said an exploit for the newest IE flaw had been added to the Eleonore attack kit, one of several readily-available toolkits that criminals plant on hacked Web sites to hijack visiting machines, often using browser-based attacks.

Microsoft has promised to patch the vulnerability, but said the threat didn’t warrant an "out-of-band" update, the company’s term for a fix outside the usual monthly Patch Tuesday schedule. Microsoft will deliver three security updates November 9, but will not fix the IE bug then. Microsoft has urged IE users to enable DEP, or data execution prevention, for IE7, use IE8 or IE9, or run one of its automated "Fix-it" tools to add a custom CSS template to their browsers as protection until a patch is available.

Source: http://www.computerworld.com/s/article/9195380/Danger_to_IE_users_climbs_as_hacker_kit_adds_exploit

Tools Now Available To Detect Firesheep

Zscaler develops free tool to detect Firesheep snooping. A security company has developed a free Firefox add-on that warns when someone on the same network is using Firesheep, a tool that has raised alarm over how it simplifies an attack against a long-known weakness in Internet security. Firesheep, which was unveiled at the ToorCon security conference in San Diego October 2010, collects session information that is stored in a Web browser's cookie.

The session information is easily collected if transmitted back and forth between a user's computer and an unencrypted Wi-Fi router while a person is logged into a Web service such as Facebook. While most Web sites encrypt the traffic transmitted when logging into a Web site, indicated by the padlock on browsers, many then revert to passing unencrypted information during the rest of the session, a weakness security analysts have warned of for years, particularly for users of public open Wi-Fi networks. Firesheep identifies that unencrypted traffic and allows an interloper to “hijack” the session, or log into a Web site as the victim, with just a few clicks.

The style of attack has been possible for a long time, but because of its simple design, Firesheep has given less-sophisticated users a powerful hacking tool. Zscaler's BlackSheep add-on, however, will detect when someone on the same network is using Firesheep, allowing its users to make a more informed security decision about their behavior while on an open Wi-Fi network, for example.

Source: http://www.computerworld.com/s/article/9195398/Zscaler_develops_free_tool_to_detect_Firesheep_snooping

Monday, November 8, 2010

Intuit Web Hosting Attack

Attack causes Intuit Web-hosting service outage. Intuit’s Web-hosting service for small businesses remained inaccessible for several hours November 4, possibly due to a denial-of-service (DoS) attack, a customer service representative told CNET. The Web hosting service, at Intuit’s Web site, had been out at least 2 hours and would hopefully be back up by the end of the business day, the customer service rep said. Asked if it could be the result of a DoS attack, she said: “It’s looking like an attack.” Intuit spokespeople could not immediately confirm what the phone rep said, but said the sites were back up. However, checks by CNET employees on the West Coast and East Coast found the site was still down late in the afternoon November 4. Other Intuit sites remained accessible.

Source: http://news.cnet.com/8301-27080_3-20021862-245.html

Researcher releases Web-based Android attack

A computer security researcher released code November 4 that could be used to attack some versions of Google’s Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

It was disclosed November 4 at the HouSecCon conference in Houston by a security researcher with Alert Logic. The researcher said he has written code that allows him to run a simple command line shell in Android when the victim visits a Web site that contains his attack code.

The bug used in the attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. “We’re aware of an issue in WebKit that could potentially impact only old versions of the Android browser,” a Google spokesman confirmed in an e-mail. “The issue does not affect Android 2.2 or later versions.” Version 2.2 runs on 36.2% of Android phones, Google says. Older phones such as the G1 and HTC Droid Eris, which may not get the updated software, could be at risk from this attack. Android 2.2 is found on phones such as the Droid and the HTC EVO 4.

Source: http://www.computerworld.com/s/article/9195058/Researcher_releases_Web_based_Android_attack

Facebook and Twitter Fail Security Report Card

Facebook and Twitter flunk security report card. Digital Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or full control over one’s account, the group claimed. According to Digital Society, the main problem with Facebook and Twitter is that neither site allows full Secure Sockets Layer (SSL) protection.

Both sites create unencrypted sessions for the user by default. Although the actual logins are encrypted, they’re not authenticated - which means one cannot pull up security information in one’s browser to verify the sites’ identities. Even if a user forces a secure session by going to the main sites for Twitter and Facebook, the sites still have links to non-secure parts of the site and JavaScript code that transmit authentication cookies without SSL, Digital Society found.

These are not new concerns, but the news fits hand-in-hand with the release of Firesheep, a Firefox add-on that lets people with limited technical knowledge hijack other people’s Web accounts over unencrypted Wi-Fi networks. Digital Society’s report card essentially spells out what an attacker using Firesheep or another packet-sniffing program could accomplish. In Facebook, for instance, an attacker can gain access to every part of an account except username and password, allowing the attacker to send status updates and read private messages.
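The weakness behind both the Firesheep post above and this report card is a session cookie that the browser will attach to plain-HTTP requests. The audit below is an added example written for this page, not code from Zscaler, Digital Society or either site: it parses constructed Set-Cookie headers from a login response, reports session-like cookies that lack the Secure (and HttpOnly) attribute, shows which cookies a browser would send in the clear on a later http:// page, and emits the hardened header. The cookie names, values and the session-name hints are assumptions.

```python
"""Audit Set-Cookie headers for cookies that a browser would transmit over plain HTTP."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False    # Secure: only sent over TLS
    httponly: bool = False  # HttpOnly: not readable by page script
    domain: str = ""
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (attributes only; expiry is not handled)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            c.secure = True
        elif key == "httponly":
            c.httponly = True
        elif key == "domain":
            c.domain = val.strip().lstrip(".").lower()
        elif key == "path":
            c.path = val.strip() or "/"
    return c


# assumed name fragments that usually mark an authentication/session cookie
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session(name: str) -> bool:
    n = name.lower()
    return any(h in n for h in SESSION_HINTS)


def cookies_sent_in_clear(jar: List[Cookie], url_scheme: str) -> List[str]:
    """Names of cookies the browser would attach to a request on the given scheme
    without TLS, i.e. exactly what a sniffer on open Wi-Fi can capture."""
    if url_scheme != "http":
        return []
    return [c.name for c in jar if not c.secure]


def audit(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Map each session-like cookie name to the list of problems found with it."""
    problems: Dict[str, List[str]] = {}
    for h in set_cookie_headers:
        c = parse_set_cookie(h)
        if not looks_like_session(c.name):
            continue
        issues = []
        if not c.secure:
            issues.append("missing Secure: sent over plain HTTP, sniffable on open Wi-Fi")
        if not c.httponly:
            issues.append("missing HttpOnly: readable by injected script")
        if issues:
            problems[c.name] = issues
    return problems


def hardened(header: str) -> str:
    """Rewrite a Set-Cookie header so the cookie travels only over TLS and is hidden from script."""
    c = parse_set_cookie(header)
    attrs = [f"{c.name}={c.value}", f"Path={c.path}"]
    if c.domain:
        attrs.append(f"Domain={c.domain}")
    attrs += ["Secure", "HttpOnly"]
    return "; ".join(attrs)


# constructed sample: headers a login-over-HTTPS response might set (values are made up)
SAMPLE_HEADERS = [
    "sessionid=3f9a1c7e; Path=/; Domain=.example.com",  # session cookie, no flags at all
    "lang=en; Path=/",                                  # harmless preference cookie
    "auth=1; Path=/; Secure; HttpOnly",                 # correctly protected
    "user_token=9b2d; Path=/; Secure",                  # TLS-only but script-readable
]

if __name__ == "__main__":
    jar = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
    print("findings:", audit(SAMPLE_HEADERS))
    print("sent in clear on an http:// page:", cookies_sent_in_clear(jar, "http"))
    print("hardened:", hardened(SAMPLE_HEADERS[0]))
```

The Secure attribute alone does not help if the site still links to http:// pages for logged-in users, because the browser will then either drop the session (cookie withheld) or the site will issue a second, unprotected cookie; the real fix is serving the whole logged-in session over SSL.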

Source: http://www.computerworld.com/s/article/9195021/Facebook_and_Twitter_Flunk_Security_Report_Card

Friday, November 5, 2010

DDOS Attacks Take Out Asian Nation

DDoS attacks take out Asian nation. Myanmar was severed from the Internet November 2 following more than 10 days of distributed denial of service (DDoS) attacks that culminated in a massive data flood that overwhelmed the Southeast Asian country’s infrastructure, a researcher said. The DDoS assault directed as much as 15 Gbps of junk data to Myanmar’s main Internet provider, more than 15 times bigger than the 2007 attack that brought some official Estonian Web sites to their knees, said a researcher at Arbor Networks. It was evenly distributed throughout Myanmar’s 20 or so providers and included multiple variations, including TCP SYN and RST floods. “While DDoS against e-commerce and commercial sites are common (hundreds per day), large-scale geo-politically motivated attacks - especially ones targeting an entire country - remain rare with a few notable exceptions,” he wrote, referring to the Georgia attacks, which coincided with the country’s armed conflict with Russia. “At 10-15 Gbps, the Myanmar [DDoS attack] is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS.”

Source: http://www.theregister.co.uk/2010/11/03/myanmar_ddos_attacks

US Copyright Office Attacked

Anonymous attacks the United States Copyright Office. After hitting riaa.org during the weekend of October 30 and 31, Anonymous members have turned their attention towards the U.S. Copyright Office and are coordinating a distributed denial of service (DDoS) attack against its Web site. On September 28, Anonymous began a DDoS campaign dubbed Operation Payback against the entertainment industry and anti-piracy organizations. It started after an Indian company called Aiplex Software openly admitted to attacking Torrent sites that failed to respond to takedown notifications sent on behalf of movie studios. So far, the group’s targets have included music and film industry associations, law firms involved in copyright litigation, record labels and even artists, who were vocal against Internet piracy. It was not immediately clear if there is any specific reason why copyright.gov has become the main target, except for the organization’s mission to protect copyrights.

Source: http://news.softpedia.com/news/Anonymous-Attacks-the-United-States-Copyright-Office-164623.shtml

Another IT Manager Goes To Prison

Former IT manager sent to prison for hacking employer. A former IT manager for a law firm in Tampa, Florida, has been sentenced to 18 months in prison for committing computer intrusions causing damage of at least $120,000. The court also ordered the convict to pay restitution of $120,000 to Consuegra Law Firm. He will also be placed on supervised release for 3 years after completing his sentence.

The convict pleaded guilty to the charge August 19. According to court documents, CLF fired him August 13, 2009, for deleting files off a computer belonging to the human resources manager. The deletions happened after the convict had been counseled by his managers for unacceptable behavior.

On at least four different occasions, he accessed CLF’s computers by unauthorized means and destroyed and deleted data on the company servers. He also disabled operating systems and deleted CLF’s e-mail accounts and other records. FBI agents interviewed the convict November 24, 2009, and after first denying any involvement, he admitted to using his computer to access the CLF servers from his home over an open wireless network.

Source: http://www.thenewnewinternet.com/2010/11/04/former-it-manager-sent-to-prison-for-hacking-employer/

Zero Day Affects Three Versions of IE

Zero-day flaw affects three versions of Internet Explorer, as Microsoft warns of activity in the wild. Microsoft has issued an advisory about a zero-day flaw in three versions of Internet Explorer. It said the vulnerability is present in versions 6, 7, and 8 of Explorer and could allow remote code execution. It is currently investigating public reports around it. Microsoft said the vulnerability exists due to an invalid flag reference within Internet Explorer, and under certain conditions it is possible for the invalid flag reference to be accessed after an object is deleted.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page used to exploit this vulnerability; in addition, compromised Web sites and ones that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. The CTO of Qualys said: “Data Execution Prevention (DEP), a security feature first implemented in 2005, currently prevents the exploit from executing successfully. IE8 users have DEP enabled by default and are protected, and according to Microsoft, only a single Web site was found to host the exploit, but others are soon expected. Upgrading to IE8 with DEP is highly recommended.”

Source: http://www.scmagazineuk.com/zero-day-flaw-affects-three-versions-of-internet-explorer-as-microsoft-warns-of-activity-in-the-wild/article/190131/

Thursday, November 4, 2010

GoDaddy Websites Under Siege

Websites hosted at Go Daddy under siege in mass injection attacks. Security researchers warn that Web sites hosted at Go Daddy have been targeted in mass injection attacks, that add rogue code to their pages and direct visitors to scareware.

This is the third wave of attacks in recent weeks affecting Web sites hosted by the company. “As of 4 a.m. Pacific, November 3, we’ve received various reports of another related outbreak of exploited sites on GoDaddy,” researchers from Web integrity monitoring vendor Sucuri Security warn. The compromised sites get base64-encoded code added to all of their .php files. When parsed, this code injects rogue JavaScript content into the resulting page. In addition to hitting Go Daddy, these attackers launched similar campaigns against other hosting companies around October 21.

Many of the external domains used in the attacks are registered under the name of Hilary Kneber, an alias associated with many cybercriminal operations, including the notorious ZeuS banking trojan. The malicious JavaScript code forces visitors’ browsers to load additional scripts from external domains, which in turn redirects them to pages displaying fake antivirus scans and pushing scareware.

Despite these attacks beginning the weekend of October 30 and 31, some of the rogue domains are still up and serving scareware. Sucuri has created a free clean-up script, which affected Web masters can download and execute.
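Both this Go Daddy wave and the WordPress polymorphic injection described in the December 6 post leave the same artifacts on disk: .php files carrying a base64-decoded eval chain, dropped .php files that are really JavaScript, and legitimate .js files such as jQuery with an obfuscated blob appended. The read-only scanner below is an added example written for this page, not Sucuri's clean-up script or Sophos's detection; the regexes are assumed heuristics, and it builds its own constructed WordPress-like tree so it runs offline.

```python
"""Scan a web root for the injection patterns described in the posts above (read-only)."""
from __future__ import annotations

import base64
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# PHP decode-then-eval chains typical of mass injections (assumed heuristic, not an exhaustive list)
PHP_EVAL_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(",
    re.IGNORECASE,
)
# a long unbroken run of base64 alphabet; minified but legitimate JS breaks such runs with punctuation
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# JavaScript sinks that turn a decoded blob into executed code or injected markup
JS_SINK_RE = re.compile(r"\b(?:eval|unescape|Function|document\.write)\s*\(")
PHP_OPEN_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)


def inspect_file(path: Path) -> List[str]:
    """Return the reasons a file looks injected; an empty list means no finding."""
    reasons: List[str] = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return reasons
    suffix = path.suffix.lower()
    if suffix == ".php":
        if PHP_EVAL_RE.search(text):
            reasons.append("php: eval(base64_decode(...)) chain")
        # a .php file with no PHP open tag that still contains JS sinks is a dropped script
        if not PHP_OPEN_RE.search(text) and JS_SINK_RE.search(text):
            reasons.append("php: no PHP open tag, contains JavaScript")
    elif suffix == ".js":
        if B64_BLOB_RE.search(text) and JS_SINK_RE.search(text):
            reasons.append("js: long base64 blob next to eval/unescape/document.write")
    return reasons


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk a web root and map relative path -> reasons for every flagged .php/.js file."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in (".php", ".js"):
                reasons = inspect_file(p)
                if reasons:
                    findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_site() -> Path:
    """Create a constructed WordPress-like tree: two clean files and three injected ones."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    blob = base64.b64encode(b"x" * 160).decode()  # 216 base64 chars; the payload is filler
    files = {
        "index.php": '<?php\n// constructed legitimate front controller\necho "hello";\n',
        "wp-content/themes/demo/functions.php":
            '<?php\neval(base64_decode("aGVsbG8="));\n// theme code follows\n',
        "wp-includes/js/jquery.js":
            "/*! constructed jQuery stub */\n(function(w){w.jQuery=function(){};})(window);\n"
            f'var _p="{blob}";eval(atob(_p));\n',
        "wp-includes/js/clean.js": "(function(w){w.ready=function(f){f();};})(window);\n",
        "wp-content/uploads/x9q2.php": 'document.write(unescape("%3Cdiv%3E"));\n',
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def scan_sample() -> Dict[str, List[str]]:
    """Build the constructed tree and scan it."""
    return scan_tree(build_sample_site())


if __name__ == "__main__":
    for rel, reasons in sorted(scan_sample().items()):
        print(rel)
        for r in reasons:
            print("   ", r)
```

Because each injected copy is polymorphic, hash or signature matching misses them; structural checks like these catch the family but will also flag legitimately packed libraries, so review hits against a known-good copy from version control before cleaning.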

Source: http://news.softpedia.com/news/Websites-Hosted-at-GoDaddy-Under-Siege-in-Mass-Injection-Attacks-164536.shtml

Phishing Scam is Targeting Military Families

A new phishing scam is taking aim at members of the U.S. military and their families, using unsolicited e-mails purportedly from United States Automobile Association (USAA), one of the nation’s largest financial services and insurance companies, to trick people into divulging their personal information to identity thieves.

USAA and the Navy Federal Credit Union in May were hit by a similar phishing scam that also attempted to extract Social Security numbers, credit card numbers, birth dates and other information used to either pilfer bank accounts or steal unsuspecting users’ identities. This time around, according to an advisory on security software maker AppRiver’s Web site, the con artists are sending a slew of unsolicited e-mails with subject titles, such as “USAA Notification” or “Urgent Message for USAA customer” in the hope of getting just a small fraction of a percentage of recipients to click on a link embedded in the missive.

According to the Anti-Phishing Working Group, a consortium of Web retailing, software, security and financial firms, more than 126,000 fake Web sites designed solely to steal users’ personal information were discovered in the first half of this year alone.

Source: http://www.esecurityplanet.com/features/article.php/3911141/Phishing-Scam-Targets-Military-Families.htm

Hackers tap SCADA

A search engine that indexes servers and other Internet devices is helping hackers to find industrial control systems that are vulnerable to tampering, the US Computer Emergency Readiness Team (US CERT) has warned.

The 1-year-old site known as Shodan makes it easy to locate Internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants, and other industrial facilities. As the CEO of Errata Security, a white-hat hacker, explained, the search engine can also be used to identify systems with known vulnerabilities. According to the Industrial Control Systems division of US CERT, that is exactly what some people are doing to discover poorly configured SCADA gear. “The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems,” the group wrote in an advisory (PDF) published October 28. “These systems have been found to be readily accessible from the internet and with tools, such as Shodan, the resources required to identify them have been greatly reduced.”

Besides opening up industrial systems to attacks that target unpatched vulnerabilities, the data provided by Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults, CERT warned.

Source: http://www.theregister.co.uk/2010/11/02/scada_search_engine_warning/

Wednesday, November 3, 2010

PCI-DSS in a Nutshell -- Joe Weiss, CISSP

What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card data. PCI-DSS was created in 2006 by an independent council, the Payment Card Industry Security Standards Council, originally formed by Visa International, MasterCard Worldwide, Discover Financial Services, American Express, and JCB, with the goal of managing the evolution of the standard. It was created in response to a growing number of security breaches in the payment card industry over the preceding years.
In a nutshell, it is a comprehensive list of security standards that establish a process for handling, processing, storing, and transmitting credit card data.
PCI-DSS has 12 core requirements and approximately 250 controls that basically come down to the following three items.
1) All merchants must achieve and maintain compliance at all times, regardless of what data is stored. All deadlines have now passed.
2) Certain information cannot be stored, such as CVV2, CVC2, CID, magnetic stripe data, or PIN data.
3) If a cardholder’s personal data such as name, credit card number, expiration date, or service code is stored (all considered permitted data), there are certain security standards you must comply with.
PCI-DSS Core Requirements
1) Install and maintain a firewall to protect all data.
2) Remove vendor defaults for system passwords.
3) Protect data at rest (stored data).
4) Encrypt the transmission of cardholder data and other sensitive information while it is in transit across public networks.
5) Use anti-virus software and keep definitions and software updated.
6) Develop secure systems and applications.
7) Restrict access to cardholder data to individuals who have a need to know.
8) Assign unique IDs to each user with computer access.
9) Restrict physical access to areas that contain systems that store cardholder data.
10) Track and monitor all access to all network resources and cardholder data.
11) On a regular basis, test security systems and processes.
12) Maintain a policy that specifically addresses information security.
Requirements differ for large and small businesses. The size of your business is determined by the number of annual credit card transactions.
Level 1 Merchants process more than 6 million transactions annually, including e-commerce, and are required to have an on-site PCI Data Security Assessment and quarterly network scans. On-site assessments may be completed internally or by an outside qualified security assessor.
Level 2 Merchants process 1 million to 5,999,999 transactions annually and are required to complete a Self-Assessment and perform quarterly network scans.
Level 3 Merchants process 20,000 to 1,000,000 e-commerce transactions annually and are required to complete a Self-Assessment and perform quarterly network scans.
Level 4 Merchants process fewer than 20,000 e-commerce transactions annually, or up to 1,000,000 VISA transactions annually across all channels, and are required to complete an annual self-assessment and annual security scans.
Network vulnerability scans are required of all outward-facing IP addresses. The self-assessment questionnaire addresses risk from inside the firewall, while the scan identifies and mitigates risk from the outside.
Is PCI-DSS Compliance Required by Law?
46 states, the District of Columbia, Puerto Rico and the Virgin Islands have legislation that requires disclosure of data breaches.
Unlike security laws, the PCI Standards are not statutes or regulations enforced directly by the government. PCI rules are imposed and typically enforced contractually through the PCI Contract Chain. The contracts in the contract chain can include indemnification requirements, fines and penalties, as well as duties to adhere to specific operating rules related to payment card transactions.
That being said, there is a push from legislatures and industry trade associations to enact a federal law around data security and breach notification. Outside of that, several states have already enacted PCI-related laws. Minnesota has the Plastic Card Security Act, which opens companies up to private lawsuits (it does not affect Level 4 merchants). Nevada has the Security of Personal Information Law and Senate Bill 227, whose amendment specifically requires compliance with the PCI-DSS. Washington State has a PCI law, HB 1149, which amends Washington's breach notice law. Massachusetts is introducing 201 CMR 17.00, which pulls in important concepts of PCI DSS and does not exclude Level 4 merchants. Several other states, such as Texas, California, Illinois and Connecticut, have attempted to enact PCI legislation that has either stalled or not passed.
Is there a future for PCI compliance being called out more broadly across the states as a law? Governments move slowly, and PCI compliance is ever evolving; new PCI changes have recently been published. It would be very difficult for legislatures to keep up with the technology as it changes. It is speculated that many more states will reclassify credit card information as personal information and create punitive measures for those that are negligent or have non-existent security measures to protect the data.
So what should a company do when an industry standard conflicts with a current law? You must obey the law. You have a contractual requirement to perform the assessment and answer, for each requirement, the question "Is it In Place or Not in Place". You must answer the intent behind that question without violating any local, state or national laws. If you can answer the question without violating any laws, then do so. If you cannot meet the requirement or a compensating control, then document the reason you cannot: state that the compensating control is in place because of (insert name of law here).
In both instances you would still need to mark the requirement as in place and note the compensating control or law.
Some merchants are frustrated by PCI requirements, while others see them as basic security requirements that should already be in place. However, being compliant is not optional. Card associations have threatened larger merchants with the imposition of monthly fines until compliance is reached. There could also be the cost of increased processing fees. The most significant threat of non-compliance is the fines and penalties levied against a merchant that is found to be non-compliant at the time of a breach.
Who enforces PCI-DSS?
Enforcement of PCI-DSS and any non-compliance penalties are carried out by the individual payment brands and not by the PCI Security Standards Council.
Who is at Risk?
Any business or entity that processes, transmits and/or stores any credit card data.
Penalties for Non-Compliance
All the dates have passed for becoming PCI-DSS compliant, with the last deadline passing on December 31, 2007. Businesses can be fined up to $500,000, depending on the size or significance of the breach, and can face costly legal action for non-compliance; severe penalties may include losing the ability to accept or process credit cards. Remediation costs are currently estimated at $90 to $302 per record. Merchants currently at level 2, 3 or 4 that fail to comply can have their merchant level raised to level 1, which can be bad for business because of the additional costs of a more demanding level. In addition, the business risks a damaged reputation and negative publicity, which usually mean lowered customer confidence, lawsuits, cancelled accounts, fines or insurance claims.
What If My Business Is Breached?
In the event of a security breach you must take the following immediate action:
1) Immediately contain and limit the exposure.
2) Alert the necessary parties immediately:
a. Your internal information security group and incident response team.
b. Your merchant bank.
c. Local FBI office.
d. U.S. Secret Service (for compromised Visa data).
3) Provide all potentially compromised accounts to your merchant bank within 10 business days.
4) Within 3 business days of the reported compromise, provide an incident report document to your merchant bank.
Additional resources may be available to assist you in the event of a potential compromise; for example, VISA has an incident response team, which includes a VISA fraud control team and a CISP team, to assist responsible members.
If any VISA member fails to immediately notify VISA of a suspected or confirmed loss or theft of any transaction information, the member will be subject to a penalty of $100,000 per incident.
Risks and Costs
As an example, the TJX Companies suffered a huge data breach that started in 2005, when hackers spent 18 months exploiting weak wireless network security outside TJX-owned locations. Over 100 million credit card numbers were compromised. TJX estimated the breach cost 118 million. Forrester Research, Inc. estimated it would cost TJX 1.35 billion in total losses after legal fees, call center costs and regulatory fines. AT&T, Chase Card Services, Heartland and others have all been affected by theft of data.
References:
State Security Breach Notification Laws, National Conference of State Legislatures
PCI Security Standards Council
State of Washington House Bill 1149
Nevada Security of Personal Information Law
Minnesota Plastic Card Security Act
Visa Incident Response