<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"> <channel><title>Security on steroids</title> <link>http://cleanbytes.net</link> <description>Free security tools for virus prevention and removal</description> <lastBuildDate>Tue, 14 Feb 2012 22:19:44 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/Cleanbytesnet" /><feedburner:info uri="cleanbytesnet" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>Cleanbytesnet</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" 
src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with My AOL</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://feeds.feedburner.com/Cleanbytesnet" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare href="http://www.plusmo.com/add?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://plusmo.com/res/graphics/fbplusmo.gif">Subscribe with Plusmo</feedburner:feedFlare><feedburner:feedFlare href="http://www.thefreedictionary.com/_/hp/AddRSS.aspx?http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://img.tfd.com/hp/addToTheFreeDictionary.gif">Subscribe with The Free Dictionary</feedburner:feedFlare><feedburner:feedFlare href="http://www.bitty.com/manual/?contenttype=rssfeed&amp;contentvalue=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://www.bitty.com/img/bittychicklet_91x17.gif">Subscribe with Bitty Browser</feedburner:feedFlare><feedburner:feedFlare href="http://www.live.com/?add=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" 
src="http://tkfiles.storage.msn.com/x1piYkpqHC_35nIp1gLE68-wvzLZO8iXl_JMledmJQXP-XTBOLfmQv4zhj4MhcWEJh_GtoBIiAl1Mjh-ndp9k47If7hTaFno0mxW9_i3p_5qQw">Subscribe with Live.com</feedburner:feedFlare><feedburner:feedFlare href="http://mix.excite.eu/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://image.excite.co.uk/mix/addtomix.gif">Subscribe with Excite MIX</feedburner:feedFlare><feedburner:feedFlare href="http://www.webwag.com/wwgthis.php?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://www.webwag.com/images/wwgthis.gif">Subscribe with Webwag</feedburner:feedFlare><feedburner:feedFlare href="http://www.podcastready.com/oneclick_bookmark.php?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://www.podcastready.com/images/podcastready_button.gif">Subscribe with Podcast Ready</feedburner:feedFlare><feedburner:feedFlare href="http://www.wikio.com/subscribe?url=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://www.wikio.com/shared/img/add2wikio.gif">Subscribe with Wikio</feedburner:feedFlare><feedburner:feedFlare href="http://www.dailyrotation.com/index.php?feed=http%3A%2F%2Ffeeds.feedburner.com%2FCleanbytesnet" src="http://www.dailyrotation.com/rss-dr2.gif">Subscribe with Daily Rotation</feedburner:feedFlare><feedburner:browserFriendly>Knock off the trojans</feedburner:browserFriendly><item><title>Nortel hit by suspected Chinese cyberattacks for a decade</title><link>http://cleanbytes.net/nortel-hit-by-suspected-chinese-cyberattacks-for-a-decade</link> <comments>http://cleanbytes.net/nortel-hit-by-suspected-chinese-cyberattacks-for-a-decade#comments</comments> <pubDate>Tue, 14 Feb 2012 22:19:44 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1865</guid> <description><![CDATA[Nortel hit by suspected Chinese cyberattacks for a decade The hackers – who appeared to be based in China – had unfettered 
access to the former telecommunications giant as far back as 2000, according to Brian Shields, a former Nortel employee who launched an internal investigation of the attacks, the Wall Street Journal reports. They [...]]]></description> <content:encoded><![CDATA[<p><strong>Nortel hit by suspected Chinese cyberattacks for a decade</strong></p><blockquote><p>The hackers – who appeared to be based in China – had unfettered access to the former telecommunications giant as far back as 2000, according to Brian Shields, a former Nortel employee who launched an internal investigation of the attacks, the Wall Street Journal reports. They “had access to everything”, Shields told the Journal. “They had plenty of time. All they had to do was figure out what they wanted.”</p></blockquote><p><a
href="http://www.cbc.ca/news/business/story/2012/02/14/nortel-chinese-hackers.html"> Source </a></p><p>A decade ago, the Chinese were stepping up their internet attacks as a way to steal patented technology, insider information, industrial sabotage, and research theft. Here it appears we had a company that knew of the espionage yet did nothing to fix it, repair it, nor notify anyone of the issue. It again reflects a common belief I&#8217;ve had for a long time that the only one that will protect your security is you.</p><p>There are somethings you don&#8217;t put on the internet. If you don&#8217;t put them there, you can&#8217;t have the data stolen&#8230;or at least not from you. Things you put on the internet that could have repercussions, you do other ways than sending in the clear.</p><p>It would no hacker any good to seek access to my computer for financial info. None resides on it. They can search all they want, nothing is there in personal records. You won&#8217;t find tax data, credit card data, passwords to accounts, nothing personal like emails to family, simply I use this computer for internet surfing and that makes it not secure. Because it sees the internet, nothing will ever go on it allowing anyone access to my financial data.</p><p>On the business front, lots of things have happened with the Chinese and security. It has become known that the Chinese seek insider info on all things. No traveler to China can expect to bring a cell phone or laptop computer and have it survive the trip without being infected once it is used. That is just simply too many incidents for it not to have the permission and blessing of the Chinese government.</p><p>Today all business reps that go to China are admonished by the home office not to bring a cell phone they use regularly, nor a laptop. Either buy one there and destroy it before coming home for the cell phone or wipe the laptop completely and weigh it coming and going from China. 
All cell phones and laptops you carry with you ought to be wiped before going and after returning, without connection to the company intranets.</p><p>The US Chamber of Commerce in 2010 found that they had been infiltrated so thoroughly that the thermostat and printer were connecting to Chinese IPs on their network.</p><blockquote><p>The Chamber&#8217;s network is now believed to be secure. After analyzing how the hackers were gaining access to information, the Chamber spent 36 hours over one weekend destroying computers and dramatically improving its security. The timing on the overhaul was planned after the Chamber discovered the hackers kept regular working hours and did not work on weekends.</p></blockquote><p><a
href="http://news.cnet.com/8301-13506_3-57346035-17/chinese-hackers-target-u.s-chamber-of-commerce-report-says/"> Source </a></p><p>When hacking and espionage reach these levels of penetration, with this amount of massive invasive infections to travelers, it&#8217;s not by accident. It&#8217;s a government sponsored and carried out program, reaching all levels of tourism and business in it&#8217;s scope.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/nortel-hit-by-suspected-chinese-cyberattacks-for-a-decade/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Wrestling with Online Privacy – Frugal Dad Infographic</title><link>http://cleanbytes.net/wrestling-with-online-privacy-frugal-dad-infographic</link> <comments>http://cleanbytes.net/wrestling-with-online-privacy-frugal-dad-infographic#comments</comments> <pubDate>Fri, 10 Feb 2012 18:40:44 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[General Tips]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1861</guid> <description><![CDATA[I have received an email about an infographic related to online privacy threats and released by frugaldad.com, it shares in an easy to understand way the best tips for keeping users safe online. The graphic says it all, no more need of comments. &#160; &#160; Source: frugaldad.com]]></description> <content:encoded><![CDATA[<p>I have received an email about an infographic related to online privacy threats and released by frugaldad.com, it shares in an easy to understand way the best tips for keeping users safe online. The graphic says it all, no more need of comments.</p><p>&nbsp;</p><p><a
href="http://frugaldad.com/norton/"><img
class="alignnone" title="OnlinePrivacy" src="http://fdcdn.s3.amazonaws.com/wp-content/uploads/2012/02/120206OnlinePrivacy.jpg" alt="norton" width="800" height="13700" /></a></p><p>&nbsp;</p><p>Source: <a
href="http://frugaldad.com">frugaldad.com</a></p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/wrestling-with-online-privacy-frugal-dad-infographic/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Facebook malware scam takes hold</title><link>http://cleanbytes.net/facebook-malware-scam-takes-hold</link> <comments>http://cleanbytes.net/facebook-malware-scam-takes-hold#comments</comments> <pubDate>Mon, 06 Feb 2012 05:42:17 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1856</guid> <description><![CDATA[Facebook malware scam takes hold A &#8220;worrying number&#8221; of Facebook users are sharing a link to a malware-laden fake CNN news page reporting the U.S. has attacked Iran and Saudi Arabia, security firm Sophos said Friday. If users who follow the link then click to play what purports to be video coverage of the attack, [...]]]></description> <content:encoded><![CDATA[<p><strong>Facebook malware scam takes hold</strong></p><blockquote><p>A &#8220;worrying number&#8221; of Facebook users are sharing a link to a malware-laden fake CNN news page reporting the U.S. has attacked Iran and Saudi Arabia, security firm Sophos said Friday.</p><p>If users who follow the link then click to play what purports to be video coverage of the attack, they are prompted to update their Adobe Flash player with a pop-up window that looks very much like the real thing. Those who accept the prompt unwittingly install malware on their computers.</p></blockquote><p><a
href="http://www.itworld.com/saas/247206/facebook-malware-scam-takes-hold"> Source </a></p><p>Malware writers go where the crowds are. It&#8217;s always been so and one reason why Linux has far less to worry about than Windows. Microsoft has been slowly tightening the security of the OS. Not to where nothing can get in but making it ever harder for malware to get a foot hold. The user has to ok the installation.</p><p>They&#8217;ve been getting better at social engineering the appealing hook to get you to click on the link or do an update.</p><p>I am surprised that Adobe Flash is still the weak link. For years now, Adobe seems to continually win the most vulnerable software to hack. I know at one time they tried to address this but it looks as if it&#8217;s been left to the users to get around it by oking such installs.</p><p>Then too, I&#8217;m still amazed that the computing public hasn&#8217;t learned to be doubtful of strange installs. Being a sucker has had a big part in helping malware spread.</p><p>I no longer use Adobe&#8217;s PDF reader. It&#8217;s too subject to the next attack. Flash is usually disabled by noscript and I&#8217;m not a big fan of allowing it to run. Just because I miss something in a flash movie isn&#8217;t the end of the world. You just have to know how to say no.</p><p>The scam to say you have malware and here&#8217;s where you pay to get rid of it, seems industry wide. Even the legal antivirus businesses try to use this but instead they will use very broad definitions of what defines malware in the trial version. They always tend to find something even if you ran a antivirus just before installing the trial version.</p><p>Well, I guess you live and learn but sometimes learning can be painful to the wallet.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/facebook-malware-scam-takes-hold/feed</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Can an opened email infects a PC? 
Is Driveby Spam the new Internet threat?</title><link>http://cleanbytes.net/can-an-opened-email-infects-a-pc-is-driveby-spam-the-new-internet-threat</link> <comments>http://cleanbytes.net/can-an-opened-email-infects-a-pc-is-driveby-spam-the-new-internet-threat#comments</comments> <pubDate>Sun, 05 Feb 2012 17:19:33 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1833</guid> <description><![CDATA[It&#8217;s just about opening an email, without clicking any links from inside or without running any attachments, can this action infect our PC? I have always recommended to my readers to not run any attachment nor to click any link contained in an unsolicited email looking like spam, to avoid PC infections with malware, [...]]]></description> <content:encoded><![CDATA[<p>It&#8217;s just about opening an email, without clicking any links from inside or without running any attachments, can this action infect our PC? I have always recommended to my readers to not run any attachment nor to click any link contained in an unsolicited email looking like spam, to avoid PC infections with malware, but it seems that the subject must be treated more in-depth. I have read <a
href="http://www.eleven.de/press-release/items/warning-driveby-spam-infects-pcs-when-e-mail-is-opened.html">an article</a> written by a German email security company named <strong><a
href="http://www.eleven-security.com/">eleven</a></strong> which claims:</p><blockquote><p><em> The eleven Research Team has issued a warning about a new and particularly dangerous e-mail-borne method to infect PCs with viruses and Trojans. This driveby spam automatically downloads malware when the e-mail is opened in the e-mail client. Previous malware e-mails required the user to click on a link or open an attachment for the PC to be infected. The new generation of e-mail-borne malware consists of HTML e-mails which contain a JavaScript which automatically downloads malware when the e-mail is opened. This is similar to so-called driveby downloads which infect a PC by opening an infected Website in the browser. Driveby spam eliminates the detour via attachments or links in the e-mail and also affects cautious users which would never open an unknown attachment or link.</em></p></blockquote><p>In short, they say that simply by viewing an HTML email, a malicious JavaScript code is executed and leads to an Exploit Kit webpage. They post also an image with a window of Mozilla Thunderbird email client presumably executing the malicious JavaScript and displaying:<em> </em></p><p><em>Loading&#8230;Please Wait&#8230;.</em></p><p>These are the notorious words that are displayed also when a user reach a webpage containing Phoenix Exploit Kit and the threat posed by opening such an email in these conditions is obvious, the main question is what and when the email clients allow JavaScript code to be executed. By default, in Thunderbird email client JavaScript support is disabled so for this attack to be successful, the user must enable JavaScript voluntarily. Because the risks are well-known, I don&#8217;t know many Thunderbird users with JavaScript enabled, in fact I know none, so the chances to be infected running a default Thunderbird installation are not small but ZERO.</p><p>Ok, but how about Microsoft Outlook email client? 
Does it execute by default JavaScript code embedded in the emails? I made a little study of Outlook versions; it seems that Outlook 98, Outlook 2000 and Outlook 2003 used the Internet Explorer engine for rendering HTML emails while the recent versions, Outlook 2007 and Outlook 2010, use Microsoft Word for rendering HTML emails. It&#8217;s interesting that, searching on the Internet, I&#8217;ve found strong campaigns against using Microsoft Word as the HTML email rendering engine, veritable calls to arms; for example, take a look please at <a
href="http://fixoutlook.org/">fixoutlook.org</a> or <em><a
href="http://www.sitepoint.com/microsoft-breaks-html-email-rendering-in-outlook/">Microsoft Breaks HTML Email Rendering in Outlook 2007</a></em> or <em><a
href="http://www.email-standards.org/blog/entry/microsoft-to-ignore-web-standards/">Microsoft to ignore web standards in Outlook 2010 &#8211; enough is enough</a></em>.</p><p>The complains I have read are basically about restricting the user&#8217;s ability to create beautiful emails and use of &#8220;smart art&#8221; in Outlook 2007 and 2010 with Word as HTML rendering engine. Well, to tell you the truth, all these complains, viewed in terms of emails security, make me smile.</p><p>The complains make me smile because there is a law:<em> the safest emails are the plain-text emails</em>. <strong></strong></p><p><strong>No</strong> allowed embedded images that makes possible user&#8217;s tracking and encourages the spam, if a spammer send you an email containing a 1&#215;1 pixel image and you view it, the spammer will know that somebody actually opened the email and read it and will send dozens of spam emails in return.</p><p><strong>No</strong> active content enabled whatsoever, allowing JavaScript and iFrames in emails is asking for troubles.</p><p>For  Outlook security, Microsoft made a beneficial step switching from Internet Explorer HTML render engine to Microsoft Word, no very beautiful emails but more secure.</p><p>To end, theoretically it is possible to insert a malicious JavaScript code in an HTML email and that JavaScript to be executed in the victim&#8217;s computer leading to a computer infection, but not probable in real life, unless someone is stupid enough to enable JavaScript for his email client; simply there is not reason to do that.</p><p>Keep safe !</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/can-an-opened-email-infects-a-pc-is-driveby-spam-the-new-internet-threat/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Kelihos Botnet Coming Back to Life</title><link>http://cleanbytes.net/kelihos-botnet-coming-back-to-life</link> 
<comments>http://cleanbytes.net/kelihos-botnet-coming-back-to-life#comments</comments> <pubDate>Sat, 04 Feb 2012 02:22:02 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1840</guid> <description><![CDATA[Kelihos Botnet Coming Back to Life A botnet that was crippled by Microsoft and Kaspersky Lab last September is spamming once again and experts have no recourse to stop it. Source Kelihos was never big compared to a lot of the botnets. Despite it&#8217;s size, it was extremely active. Spam and malware go hand in [...]]]></description> <content:encoded><![CDATA[<p><strong>Kelihos Botnet Coming Back to Life</strong></p><blockquote><p>A botnet that was crippled by Microsoft and Kaspersky Lab last September is spamming once again and experts have no recourse to stop it.</p></blockquote><p><a
href="https://www.infoworld.com/d/security/kelihos-botnet-once-crippled-now-gaining-strength-185484"> Source </a></p><p>Kelihos was never big compared to a lot of the botnets. Despite its size, it was extremely active. Spam and malware go hand in hand. Much of it is infected links in email, which is the easiest way to infect the individual computer user.</p><p>The hard way that provides more computers for the bot-herder is injecting a web site. Not just any website will do. Google and most search engines carry a list of known infection sites to block or refuse to connect to. That list is updated regularly. Most of them aren&#8217;t reputable sites to begin with and lack certificates, making them easier to identify. Certifications were covered in an earlier article here at <em>Security on steroids</em>.</p><p>The valuable site to inject is the one with a good reputation. Inserting an iFrame of no size makes it invisible to the eye but not to the computer. So getting a piece of internet real estate is essential to those plans.</p><p>Every time someone shows up, the iFrame redirects the computer to an adjacent web stream unknown to the user. It will then download and install the rootkit for the bot. Once that is done, for all practical purposes it is invisible to the user and to most malware hunters. After the installation, updates can be done at any time through the command and control servers. The bot-herder then has control of the computer without the knowledge of the owner.</p><p>Spam prevention is a major headache. In 2011, in the US alone the total estimated spam traffic for the year was around 7 trillion messages. The estimated costs vary between 1/2 million and 3 1/2 million depending on which country and source you refer to.</p><p>It also seems that spam grows with time. The first year a company has to deal with spam, it might only be 10 a day. 
By the third year that has rising exponentially to an estimated 1000 a day according to on line sources.</p><p>Bill Gates had one solution to spam, charge for an email, like you would a stamp on a letter. The cost doesn&#8217;t have to be big but it does have to have a cost. For those that send a few emails a week, you wouldn&#8217;t notice the cost really. For those sending out 1000&#8242;s of emails a day, the cost would be quite heavy. The main problem with putting that into service is that most individual users have no idea their computer is infected. Receiving an email bill for a $1000 would be a serious shock.</p><p>Spam economics work out because of the low delivery costs. If 7 to 10 reply out of a 1000, that will pay for itself and give some profit.</p><p>My cure would not work for businesses. I no longer use email to any degree and thereby save all sorts of time in not dealing with spam. When I must use an email, it is usually a one time usage address.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/kelihos-botnet-coming-back-to-life/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Compromised WordPress based websites leading to Phoenix Exploit Kit</title><link>http://cleanbytes.net/compromised-wordpress-based-websites-leading-to-phoenix-exploit-kit</link> <comments>http://cleanbytes.net/compromised-wordpress-based-websites-leading-to-phoenix-exploit-kit#comments</comments> <pubDate>Tue, 31 Jan 2012 18:28:59 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1818</guid> <description><![CDATA[Sending bulk emails(spam), containing poisoned links is for long time now one of the methods used by hackers to infect computers with malware, everybody knows the reasons, to steal the user credentials or to use the infected computers in other nefarious actions as botnet. 
Generally, the scam emails are presented as a request from an [...]]]></description> <content:encoded><![CDATA[<p>Sending bulk emails(spam), containing poisoned links is for long time now one of the methods used by hackers to infect computers with malware, everybody knows the reasons, to steal the user credentials or to use the infected computers in other nefarious actions as <a
href="http://en.wikipedia.org/wiki/Botnet">botnet</a>. Generally, the scam emails are presented as a request from an institution, bank, other financial institution,  Telephony or Internet provider to clarify a confused situation, asking for the user interaction. These fake emails are talking about large amount of money that must be paid possibly in error, trying to scare the user and determine him to act as soon as possible to rectify the situation. Other malicious emails are talking about a big prize won by the user or other &#8220;catchy&#8221; subjects. Almost always, these scam emails ask the user to click a link in the received email or to download and open an attachment supposedly containing a bill or a document but in reality containing a malware.</p><p>But even if a fake email is so well designed that is able to lure an unconscious user to click a link, the browsers or antivirus software have protection mechanisms in place as URL reputation for example, blocking the user to navigate to a known malicious domain. The method used by hackers to avoid this inconvenient detection, is to hack a website with a good reputation and serve the malicious webpages from there.</p><p>This was what happened a few days ago, when a lot of WordPress-based websites running the obsolete 3.2.1 version and two exploitable plug-ins(<em><a
href="http://www.exploit-db.com/exploits/17970/">Spam Free</a> and <a
href="http://www.exploit-db.com/exploits/18231/">UPM Polls</a></em>), were hacked using SQL injection, and malicious files with random names (osgik.htm, agoku.htm, kaxyv.htm and so on) were uploaded to the <em>wp-content/uploads</em> WordPress folder. Then the hacker&#8217;s campaign goes further by sending bulk emails which contain links to the malicious HTML web page previously uploaded. Finally, this page contains obfuscated code which runs a hidden iFrame, so while the user sees only these words &#8220;You are redirecting&#8230;.Loading&#8230;Please wait&#8230;&#8221;, the iFrame is connecting in the background to <em>Phoenix Exploit Kit</em> hosted in a Russian domain called <em>horoshovsebudet.net</em>.</p><p><em>Phoenix Exploit Kit</em> is very effective, able to exploit vulnerabilities in Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java, including the most recent vulnerability, <a
href="http://schierlm.users.sourceforge.net/CVE-2011-3544.html">Java Rhino vulnerability</a>, which allows a Java Applet to run arbitrary Java code outside the sandbox with full privileges. Further, if the exploit kit discovers a vulnerability, it uses it to deliver its payload, which can be any type of malware, info stealers being used very often.</p><p>Until now, it seems that more than four hundred WordPress websites were compromised using the above mentioned vulnerabilities.</p><p>The conclusions speak for themselves:</p><ul><li> Never open attachments or click links in emails received from untrusted or unknown sources;</li><li>Check regularly to see if there are updates for your WordPress version and the plug-ins you use, and update them if that is the case;</li></ul><p>Sources:</p><p><a
href="http://labs.m86security.com/2012/01/massive-compromise-of-wordpress-based-sites-but-‘everything-will-be-fine’/"> http://labs.m86security.com/2012/01/massive-compromise-of-wordpress-based-sites-but-‘everything-will-be-fine’/</a></p><p><a
href="http://community.websense.com/blogs/securitylabs/pages/phoenix-exploit-s-kit.aspx"> http://community.websense.com/blogs/securitylabs/pages/phoenix-exploit-s-kit.aspx</a></p><p><a
href="http://schierlm.users.sourceforge.net/CVE-2011-3544.html"> http://schierlm.users.sourceforge.net/CVE-2011-3544.html</a></p><p><a
href="http://labs.m86security.com/2011/12/prevalent-exploit-kits-updated-with-a-new-java-exploit/"> http://labs.m86security.com/2011/12/prevalent-exploit-kits-updated-with-a-new-java-exploit/</a></p><p><a
href="http://community.websense.com/blogs/securitylabs/archive/2012/01/26/phoenix-phoenix-i-need-help.aspx"> http://community.websense.com/blogs/securitylabs/archive/2012/01/26/phoenix-phoenix-i-need-help.aspx</a></p><p>&nbsp;</p><p>Keep safe !</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/compromised-wordpress-based-websites-leading-to-phoenix-exploit-kit/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Critical vulnerabilities in Windows Media allow remote code execution</title><link>http://cleanbytes.net/critical-vulnerabilities-in-windows-media-allow-remote-code-execution</link> <comments>http://cleanbytes.net/critical-vulnerabilities-in-windows-media-allow-remote-code-execution#comments</comments> <pubDate>Sat, 28 Jan 2012 11:01:27 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1801</guid> <description><![CDATA[Recently Microsoft released several security patches for a vulnerability discovered in Windows Media components in their Microsoft Security Bulletin MS12-004 &#8211; Critical. The vulnerability affects more or less all Windows operating systems 32 and 64 bits starting with Windows XP SP3, ending with Windows 7 and Windows Server 2008 R2 and consists in allowing of [...]]]></description> <content:encoded><![CDATA[<p>Recently Microsoft released several security patches for a vulnerability discovered in Windows Media components in their <em><a
href="http://technet.microsoft.com/en-us/security/bulletin/ms12-004">Microsoft Security Bulletin MS12-004 &#8211; Critical</a></em>. The vulnerability affects more or less all Windows operating systems 32 and 64 bits starting with Windows XP SP3, ending with Windows 7 and Windows Server 2008 R2 and consists in allowing of remote code execution when a specially crafted MIDI file is handled by Windows Media Player or DirectShow.</p><p>Affected Windows operating systems components are as follows:</p><p><em>Windows Media Library</em> and <em>DirectShow</em> components:</p><ul><li> Windows XP Service Pack 3</li><li>Windows XP Media Center Edition 2005 Service Pack 3</li><li>Windows XP Professional x64 Edition Service Pack 2</li><li>Windows Server 2003 Service Pack 2</li><li>Windows Server 2003 x64 Edition Service Pack 2</li><li>Windows Server 2003 with SP2 for Itanium-based Systems</li><li>Windows Vista Service Pack 2</li><li>Windows Vista x64 Edition Service Pack 2</li><li>Windows Server 2008 for 32-bit Systems Service Pack 2</li><li>Windows Server 2008 for x64-based Systems Service Pack 2</li><li>Windows Server 2008 for Itanium-based Systems Service Pack 2</li></ul><p>Only <em>DirectShow</em> component:</p><ul><li> Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1</li><li>Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1</li><li>Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1</li><li>Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1</li></ul><p>Windows Media Center TV Pack for Windows Vista (32 and 64-bit editions) is also affected by this vulnerability.</p><p>Trend Micro security researchers already found this vulnerability used by the hackers to upload and execute a <em>credentials stealer</em> trojan in the infected computers. 
This malware serves to steal only credentials related to certain Korean online game sites, but of course more nefarious and diversified uses can be expected in the near future.</p><p>How does the attack work? The user navigates unknowingly to a web page whose HTML source contains malicious code, identified as <em>HTML_EXPLT.QYUA</em> by the security vendor Trend Micro. This HTML code calls another malicious component, a specially crafted MIDI file detected as <em>TROJ_MDIEXP.QYUA</em>, and a JavaScript file detected as <em>JS_EXPLT.QYUA</em>. As already noted, the MIDI file component is used to trigger the Windows Media vulnerability, while the malicious JavaScript is used to decode the shell code embedded in <em>HTML_EXPLT.QYUA</em>.</p><p>The decrypted shell code in its turn downloads from a site, decrypts and executes a piece of malware, <em>TROJ_DLOAD.QYUA</em>, which uses two components: <em>RTKT_MDIEXP.QYUA</em>, used for its rootkit capabilities that hide its presence on the infected system, and <em>TSPY_ONLING.KREA</em>, the main payload used to steal the credentials for that Korean online game site, as I said above. It&#8217;s a typical<em> <a
href="http://en.wikipedia.org/wiki/Drive-by_download">drive-by download</a></em> attack, where no user interaction is needed for it to succeed other than visiting a malicious web site. The stolen credentials are sent to the attacker&#8217;s Command&amp;Control server.</p><p>Online Korean game? No big deal, you could say. This vulnerability is a big deal because of the immense potential it represents for hackers, and the next malware exploiting this vulnerability may well be related to your online banking credentials and not Korean games.</p><p>Therefore, all Windows users are advised to patch (update) their systems immediately, if they have not already done so, by visiting this address: <a
href="http://technet.microsoft.com/en-us/security/bulletin/ms12-004">http://technet.microsoft.com/en-us/security/bulletin/ms12-004</a></p><p><strong>Sources:</strong></p><p>http://technet.microsoft.com/en-us/security/bulletin/ms12-004</p><p>http://blog.trendmicro.com/malware-leveraging-midi-remote-code-execution-vulnerability-found/</p><p>Keep safe !</p><p>&nbsp;</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/critical-vulnerabilities-in-windows-media-allow-remote-code-execution/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Android.Counterclank Found in Official Android Market</title><link>http://cleanbytes.net/android-counterclank-found-in-official-android-market</link> <comments>http://cleanbytes.net/android-counterclank-found-in-official-android-market#comments</comments> <pubDate>Sat, 28 Jan 2012 07:35:58 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1795</guid> <description><![CDATA[Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device. Source What started out as a way to provide a [...]]]></description> <content:encoded><![CDATA[<blockquote><p>Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.</p></blockquote><p><a
href="http://www.symantec.com/connect/fr/blogs/androidcounterclank-found-official-android-market"> Source </a></p><p>What started out as a way to provide a cheaper phone is now becoming a headache. Licensing is a heavy hitter in the cost of a phone. Manufacturers pay serious money to use proprietary software by Apple or Microsoft. Using Android, derived from Linux source, provides FLOSS software. The headache with it is that the changes in OSS must be posted to the public for its use. This means anyone with a programmer&#8217;s background and an understanding of Linux can also research its weaknesses.</p><p>Android has taken the smart phone market by storm because it&#8217;s cost conscious. This is not to put down any of the other makers, they all have their fanboys. But the market always looks at costs when it comes time to pay the merchant for the goods. This is a problem for the official Android Marketplace where you buy your apps. So far 13 apps have been identified with this malware. That&#8217;s somewhere between 1 million and 5 million downloads. There&#8217;s a handy chart of publisher/app name/type at the source, and if you have bought and downloaded any apps from the Android App Store it might be a smart move to go check it out for your own peace of mind.</p><p>Now this is not the first time around with malware in the official store, and not just with Android. No doubt more will be discovered. The problem with OSS is securing the OS, since by its nature the source code is exposed. 
At some point they will get serious about locking the phones down before it costs them too much business.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/android-counterclank-found-in-official-android-market/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Woeful SCADA Security</title><link>http://cleanbytes.net/woeful-scada-security</link> <comments>http://cleanbytes.net/woeful-scada-security#comments</comments> <pubDate>Mon, 23 Jan 2012 03:17:10 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1787</guid> <description><![CDATA[The talk presented the findings of &#8220;Project Basecamp,&#8221; a volunteer-led security audit of leading programmable logic controllers (PLCs). The audit found that decrepit hardware, buggy software and pitiful or nonexistent security features make thousands of PLCs vulnerable to trivial attacks by external hackers that could cause PLC devices to crash or run malicious code. Source [...]]]></description> <content:encoded><![CDATA[<blockquote><p>The talk presented the findings of &#8220;Project Basecamp,&#8221; a volunteer-led security audit of leading programmable logic controllers (PLCs). The audit found that decrepit hardware, buggy software and pitiful or nonexistent security features make thousands of PLCs vulnerable to trivial attacks by external hackers that could cause PLC devices to crash or run malicious code.</p></blockquote><p><a
href="https://threatpost.com/en_us/blogs/looking-firesheep-moment-researchers-lay-bare-woeful-scada-security-012012"> Source </a></p><p>This opens a whole new area of opportunity for malware attacks. It&#8217;s been coming for a long time, with claims surfacing of possible hacker attacks on infrastructure that could literally affect your way of life.</p><p>To start out with, SCADA <em>(Supervisory Control and Data Acquisition)</em> and its hand-in-hand component PLC <em>(Programmable Logic Controllers)</em> are obsolete telephone technology. Telephony no longer uses them, but now industry does. It&#8217;s been one of the main ways to eliminate jobs. People are no longer needed to monitor and adjust equipment on site at the component. The SCADA does that monitoring and adjusting, and it can be done from anywhere in the world or at multiple sites, including on site. It has a second appealing part in the elimination of physical panel boards and components used to operate industrial processes, and changing them is a much lower expense than altering a physical control board. It&#8217;s pretty much all virtual.</p><p>You have remote sensors that could check pressures, temperatures, levels, or tolerances. You have a SCADA rack consisting of PLC racks of plug-in units that the remote sensors connect to, and you have the Programmable Logic Unit that carries the ladder logic circuits for the PLCs in the rack. All of these are hooked to a computer as a human/computer interface, where the operator interacts with the programming/GUI.</p><p>Instead of needing people at 10 different stations (which could be feet or miles apart) you have one operator at the computer checking all the data as overseer, while the logic circuits look for out-of-tolerance conditions. As long as no out-of-tolerance conditions occur, everything functions as it should. 
If out-of-tolerance conditions occur, depending on severity, either human interaction or automatic functions trigger to bypass or shut down mechanical systems.</p><p>In addition, you could have an engineer concerned with overall plant functioning and quarterly data gathering for efficiency look at the processes in the regional central office, perhaps several states or even countries away from where the data is collected. He too could have control with a human/computer interface tied in.</p><p>So why is all this important? Well, if you live in the modern world, you get your electricity from a fairly modern power plant. That plant is very likely wired to the gills with SCADA/PLC controls. If you receive city water, that too is under the same set up. If you get city or natural gas to your residence, again, you are most likely receiving it from such a setup. When you drive the roads today, very similar operations control entire red light operations throughout the city for traffic control to ensure the traffic moves as smoothly as possible. Food, such as milk processing, oil platforms and refineries are included in this adaptation to SCADA/PLC. The manufacturing and service centers across the first world nations are now pretty much all wired up this way. It&#8217;s just another way of saying the entire infrastructure of major cities and manufacturing is now becoming interactive.</p><p>While all the corporations have jumped on the bandwagon of labor saving operations, security hasn&#8217;t followed suit. I am sure you have all heard of the Stuxnet worm and its attack on Iranian centrifuges doing nuclear enrichment concentrations. That&#8217;s all done with the same sort of setup for control and monitoring. Security for SCADA/PLC systems is nearly non-existent against buffer overflows. Once in, an overflow will give access provided you have everything you need to break security and reprogram. Of course it isn&#8217;t as easy as just talking about it. 
There is a lot of data you have to have before hand. But if you have it, the way is open for access. The Stuxnet worm has shown the way to enter the systems. In the next few coming years, hackers will be studying these methods of access, just like they did the spyware/datamining efforts to learn how to infect computers by you just showing up at a site. The Stuxnet worm opened the door.</p><p>The testing of SCADA/PLC for basic security by a security team came back with this report.</p><blockquote><p>&#8220;It&#8217;s a blood bath mostly,&#8221; said Wightman of Digital Bond. &#8220;Many of these devices lack basic security features.&#8221;</p></blockquote><p>You will be hearing more of these issues in the coming years. This is just the skin off the tip of the iceberg, not the heart of the matter.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/woeful-scada-security/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Megaupload is down, a fake Megaupload website appears</title><link>http://cleanbytes.net/megaupload-is-down-a-fake-megaupload-website-appears</link> <comments>http://cleanbytes.net/megaupload-is-down-a-fake-megaupload-website-appears#comments</comments> <pubDate>Fri, 20 Jan 2012 20:11:37 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[Breaking News]]></category> <guid isPermaLink="false">http://cleanbytes.net/?p=1772</guid> <description><![CDATA[Megaupload.com , the well known file-sharing website was taken down by authorities(read FBI) and its co-founder Kim Dotcom and several other members from the staff were charged for: Conspiracy to Commit Racketeering, Conspiracy to Commit Copyright Infringement, Conspiracy to Commit Money Laundering, Criminal Copyright Infringement by distributing a Copyrighted Work Being Prepared for Commercial Distribution [...]]]></description> <content:encoded><![CDATA[<p>Megaupload.com , the well known file-sharing website was taken down by authorities(read 
FBI) and its co-founder <strong>Kim Dotcom</strong> and several other members of the staff were charged with: <em>Conspiracy to Commit Racketeering, Conspiracy to Commit Copyright Infringement, Conspiracy to Commit Money Laundering, Criminal Copyright Infringement by distributing a Copyrighted Work Being Prepared for Commercial Distribution on a Computer Network &amp; Aiding and Abetting of Criminal Copyright Infringement and Criminal Copyright Infringement by Electronic Means</em>. The full indictment is <a
href="http://www.scribd.com/doc/78786408/Mega-Indictment">here</a>.</p><p>The indictment was filed in <em>The United States District Court for The Eastern District of Virginia, Alexandria Division</em>. Dotcom and three other members were arrested on Thursday, January 19, in Auckland, New Zealand, and Megaupload Ltd. and its child websites caused more than half a billion dollars in harm to copyright owners and generated more than $175 million in criminal proceeds, according to the authorities. Megaupload Ltd. earned more than $110 million over five years in membership fees and other payments via a PayPal account. Megaupload Ltd. is already engaged in a legal fight with Universal Music Group about a video uploaded to <a
href="http://www.youtube.com/watch?feature=player_embedded&amp;v=pCkI5I8vsBg">youtube.com</a> , where UMG simply requested the video to be taken down by Youtube under a private agreement that the company says exists between it and YouTube. The UMG lawyer Kelly Klaus sent a letter to Youtube stating that UMG has the right to take down videos on Youtube  &#8220;Not limited to copyright infringement&#8221; only. Of course Youtube refuse them and stated for <a
href="http://arstechnica.com/tech-policy/news/2011/12/umg-we-have-the-right-to-block-or-remove-youtube-videos.ars">Arstechnica</a>: &#8220;Our partners do not have the right to take down videos from YouTube unless they own the rights to them or they are live performances controlled through exclusive agreements with their artists, which is why we reinstated it.&#8221; The controversial video continues to be <a
href="http://www.youtube.com/watch?feature=player_embedded&amp;v=pCkI5I8vsBg">online</a>.</p><p>We won&#8217;t discuss here if the charges are founded, why the New Zealand authorities arrested so quickly Non-American citizens at the FBI recommandation or other legal aspects.</p><p>You can see here on youtube: <em><a
href="http://www.youtube.com/watch?v=nZPe97vZJXM&amp;feature=player_embedded"> First video: Megaupload founder Kim Dotcom appears in court</a></em></p><p>As somewhat expected, a Megaupload successor, in reality a fake Megaupload website, has appeared on the Internet. I&#8217;m expecting to see many more in the near future.</p><p>Several hours ago a tweet from the Twitter user <em>@ YourAnonNews</em> announced that Megaupload is back under a different address: http://megavideo.bz. To visit this page you need to ignore the Opera browser security warning:</p><blockquote><p> Fraud Warning</p><p>This site has been reported as fraudulent. Exchanging sensitive or confidential information with this site could put you at risk for identity theft and/or financial fraud.<br
/> Opera Software strongly discourages visiting this page.</p></blockquote><p>How the page looks like?</p><div
id="attachment_1779" class="wp-caption alignnone" style="width: 827px"><a
href="http://cleanbytes.net/wp-content/uploads/2012/01/megauploadbz.jpg"><img
class="size-full wp-image-1779" title="megaupload.bz" src="http://cleanbytes.net/wp-content/uploads/2012/01/megauploadbz.jpg" alt="megaupload.bz" width="817" height="531" /></a><p
class="wp-caption-text">megaupload.bz</p></div><p>It&#8217;s at least curious, if not a paradox, that the page states there is not yet a domain name, yet the website responds when requesting <em>http://megavideo.bz</em>, which is clearly a domain name. What does the website do? Not very much, but it tracks its visitors: you can see in the page source how a 1&#215;1 pixel image is fetched from the <em>http://nht-2.extreme-dm.com</em> host to track visitors:</p><div
id="attachment_1780" class="wp-caption alignnone" style="width: 689px"><a
href="http://cleanbytes.net/wp-content/uploads/2012/01/source_page.jpg"><img
class="size-full wp-image-1780" title="source_page" src="http://cleanbytes.net/wp-content/uploads/2012/01/source_page.jpg" alt="source_page" width="679" height="202" /></a><p
class="wp-caption-text">source_page</p></div><p>And the browser request:</p><p>&nbsp;</p><div
id="attachment_1781" class="wp-caption alignnone" style="width: 636px"><a
href="http://cleanbytes.net/wp-content/uploads/2012/01/traffic.jpg"><img
class="size-full wp-image-1781" title="traffic" src="http://cleanbytes.net/wp-content/uploads/2012/01/traffic.jpg" alt="browser request" width="626" height="474" /></a><p
class="wp-caption-text">browser request</p></div><p>http://www.extreme-dm.com redirects to http://extremetracking.com/, which is used to collect information about website visitors.</p><p>The IP used by the &#8220;successor&#8221; megaupload website (megavideo.bz or 109.236.83.66) is located in the Netherlands (customer.worldstream.nl). It is rated as <em>Suspicious</em> by http://urlquery.net, a website scanning&amp;deobfuscating service. Here is the analysis report at <em>Anubis</em>:</p><p>http://anubis.iseclab.org/?action=result&#038;task_id=179d0ec959aa04f148d8957b8fe8312b7&#038;format=txt</p><div
id="attachment_1785" class="wp-caption alignnone" style="width: 620px"><a
href="http://cleanbytes.net/wp-content/uploads/2012/01/anubis-report.jpg"><img
class="size-full wp-image-1785" title="anubis report" src="http://cleanbytes.net/wp-content/uploads/2012/01/anubis-report.jpg" alt="anubis report" width="610" height="535" /></a><p
class="wp-caption-text">anubis report</p></div><p>&nbsp;</p><p>My advice is to stay away from this website; to me it seems fake, as anyone can make a clone with the megaupload.com website look and claim that: &#8220;Megaupload.com is back!&#8221; And who feels comfortable knowing that<em> his visit is tracked</em>?</p><p>Keep safe !</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/megaupload-is-down-a-fake-megaupload-website-appears/feed</wfw:commentRss> <slash:comments>2</slash:comments> </item> </channel> </rss><!-- Dynamic page generated in 0.965 seconds. --><!-- Cached page generated by WP-Super-Cache on 2012-02-14 22:23:17 -->

