Monthly Archives: December 2009

Phishers prefer Paypal, Visa, eBay and Amex

Filed under Privacy

Compared to the first half of 2009, the number of phishing messages has remained relatively unchanged, although phishers have switched their focus to the institutions that can bring them the most profit in the shortest timeframe. This is one of the results of BitDefender’s malware and spam survey.

Primary targets are PayPal, Visa and eBay, followed by HSBC, American Express and Abbey Bank. Ally Bank and Bank of America rank last with a little over one percent of the total amount of phishing messages. These messages mostly target English-speaking computer users who are using the services of at least one of the institutions previously mentioned.

BitDefender Labs found that most web 2.0 phishing attempts in the first half of 2009 relied on social engineering schemes that exploited user naivety. The Twitter Porn Name scam is a good example. Users were invited to reveal the name of their first pet, as well as the first street on which they lived. These details are commonly used as answers to backup/security questions. An e-crook possessing a person’s username along with these “clues” can easily reset the password and then use it to access the account and send spam, view transactions, or use the account in whatever way is needed to make a profit, including demanding a ransom for release of the hijacked account.

“2009 witnessed a wide range of security threats aiming at both end-users and at corporate networks,” Vâlceanu commented. “Extra caution and a highly-rated antimalware solution with antispam, antiphishing and antimalware modules are a must-have for anyone surfing the web in 2010.”

Source: Help Net Security

Twitter bans obvious passwords

Filed under Security

Twitter has decided that when signing up for a new account or changing your password, you can no longer use a password on a list of the most commonly used passwords. This is a great security measure that will protect users from themselves, and hopefully raise the awareness of the necessity for strong passwords.

Full list after the jump.


DECAF no stunt developer says – DECAF 2 launched

Filed under Software

DECAF has returned, and COFEE is not the only forensic kit that it will monitor. The first version of DECAF was pulled on December 18 with a notice that it was all a “stunt”, and anyone who had downloaded the software discovered that it no longer worked. Now it’s back, with new features and an explanation of why it was really pulled: legal fears.

First, DECAF was not fake; the tool worked. Still, the mass media ran wild, and the big focus was not on the tool but on how “hackers are helping criminals”. The sad thing is that most of the articles were written by people who never bothered to test DECAF in the first place.

One notable podcast, Cyberspeak, went so far as to ask that DECAF be taken down because “it is gaining more attention, not from law enforcement, but from the bad guys.”

A few days later, DECAF was gone. The site explained that, “We hope that as you realize this was a stunt to raise awareness for security and the need for better forensic tools that you would reconsider cutting corners on corporate security.”

Last night, DECAF was released, and in a statement the real reason for the removal of version one was made public.

“We originally pulled the app because of legal pressure. With DECAF v1 originally set out to restrict forensic extractions made by Microsoft COFEE, it raised major concerns with its ethical nature and potential hazard to the disruption of criminal investigations…,” the statement explained.

“We used the words “publicity stunt” because when we pulled DECAF v1 offline and disabled the applications, we had a lot of media attention. We decided to use that channel to raise awareness for better security and more privacy tools.”

Read more: The Tech Herald

MS now dismisses IIS zero-day bug reports

Filed under exploit

Microsoft has dismissed reports that there’s an unpatched critical flaw in the latest version of its webserver software.

The software giant accepts that there is an “inconsistency” in how IIS 6 handles semicolons in URLs. But it denies that this lends itself to hacking attacks, contrary to claims by security researchers shortly before Xmas. Redmond said fears that the bug allows hackers to circumvent content filtering software in order to upload and execute code on an IIS server are misplaced.

This scenario would only work if IIS web servers were set up to allow both “write” and “execute” privileges on the same directory, something that would make a system vulnerable in the first place and isn’t the case even in default configurations, Microsoft states. The software giant has promised to make changes to purge the inconsistent behaviour from IIS 6.

Microsoft’s nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here.

Source: The Register

As attacks increase, U.S. struggles to recruit computer security experts

Filed under Security

The federal government is struggling to fill a growing demand for skilled computer-security workers, from technicians to policymakers, at a time when network attacks are rising in frequency and sophistication.

Demand is so intense that it has sparked a bidding war among agencies and contractors for a small pool of special talent: skilled technicians with security clearances. Their scarcity is driving up salaries, depriving agencies of skills, and in some cases affecting project quality, industry officials said.

The crunch hits as the Pentagon is attempting to staff a new Cyber Command to fuse offensive and defensive computer-security missions and the Department of Homeland Security plans to expand its own “cyber” force by up to 1,000 people in the next three years. Even President Obama struggled to fill one critical position: Seven months after Obama pledged to name a national cyber-adviser, the White House announced Tuesday that Howard Schmidt, a former Bush administration official and Microsoft chief security officer, will lead the nation’s efforts to better protect its critical computer networks.

The lack of trained defenders for these networks is leading to serious gaps in protection and significant losses of intelligence, national security experts said. The Government Accountability Office told a Senate panel in November that the number of scans, probes and attacks reported to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team has more than tripled, from 5,500 in 2006 to 16,840 in 2008.

Full Article: The Washington Post

Top 10 Sexy Infosec Geeks of 2009

Filed under Security

Chaordic Mind has a top 10 list of the sexiest infosec geeks of 2009.


Secret code protecting cellphone calls cracked

Filed under Voice

Cryptographers have moved closer to their goal of eavesdropping on cellphone conversations after cracking the secret code used to prevent the interception of radio signals as they travel between handsets and mobile operators’ base stations.

The code is designed to prevent the interception of phone calls by forcing mobile phones and base stations to rapidly change radio frequencies over a spectrum of 80 channels. Without knowing the precise sequence, would-be eavesdroppers can assemble only tiny fragments of a conversation.

At a hacker conference in Berlin that runs through Wednesday, the cryptographers said they’ve cracked the algorithm that determines the random channel hopping and have devised a practical means to capture entire calls using equipment that costs about $4,000. At the heart of the crack is open-source software for computer-controlled radios that makes the frequency changes at precisely the same time, and in the same order, that the cellphone and base station do.

“We now know this is possible,” said Karsten Nohl, a 28-year-old cryptographer and one of the members of an open-source project out to prove that GSM, the technical standard used by about 80 percent of the mobile market, can’t be counted on to keep calls private. The attack “is practical, and there are real vulnerabilities that people are exploiting.”

A spokeswoman for the GSM Association, which represents 800 operators in 219 countries, said officials hadn’t yet seen the research.

“GSM networks use encryption technology to make it difficult for criminals to intercept and eavesdrop on calls,” she wrote in an email. “Reports of an imminent GSM eavesdropping capability are common.”

The channel-hopping crack comes as the collective is completing the compilation of a rainbow table that allows them to decrypt calls as they happen. The table works because GSM encryption uses A5/1, a decades-old algorithm with known weaknesses. The table – a 2-terabyte list of known results that allows cryptographers to deduce the unique key that encrypts a given conversation – was developed by volunteers around the globe using giant clusters of computers and gaming consoles.

Source: The Register

Microsoft confirms IIS hole

Filed under Software

Microsoft has confirmed the security hole in its IIS web server, but hasn’t disclosed which versions of the product are affected. According to the finder of the “semi-colon bug”, versions up to and including version 6 are vulnerable. The hole allows attackers, for instance, to camouflage executable ASP files as harmless JPEG files and upload malicious code to a server.

Microsoft’s Security Response Center (MSRC) says it is investigating the vulnerability and has so far not found evidence of any attackers actively exploiting the hole to compromise a server. According to the vendor, the required conditions present an obstacle for successful attacks: Attackers must have authenticated themselves on a server and possess read as well as upload privileges to a directory which, in turn, must allow the execution of code.

Although these conditions are not present in any standard installation, opinions about the risk level vary considerably. Security firm Secunia considers the vulnerability a moderate threat. The Internet Storm Center has rated the problem critical and recommends that affected users take additional security precautions until a patch becomes available; an eight-point plan of basic rules compiled by the ISC is intended to assist with this task. In its first response to the vulnerability, Microsoft also suggested several links to instructions on how to ensure server security.

Source: The H Online

UltraDNS suffers attack, Amazon affected

Filed under Hacks

Domain-name service (DNS) provider UltraDNS was targeted with a denial-of-service attack two days before Christmas, leaving some last-minute shoppers reportedly unable to connect to major retailers such as Amazon and Wal-Mart for a brief period.

Around 4:45 pm PT, UltraDNS noticed “an abnormal spike in queries,” which it identified as a denial-of-service (DoS) attack, Allen Goldberg, vice president of corporate communications at Neustar — UltraDNS’s parent company — said in a statement. The attack only affected Web surfers in the Northern California area and lasted less than an hour, the company stated.

The attack caused connectivity issues with Amazon and its Web services, according to media reports.

The attack is the second in as many weeks that targeted a critical piece of the Internet’s infrastructure, the domain name system (DNS). The week before Christmas, Twitter suffered an outage after an attacker with access to the company’s DNS account changed its settings, rerouting visitors to a defacement page.

Source: Security Focus

Microsoft IIS vuln leaves users open to remote attack

Filed under Zero Day

A researcher has identified a vulnerability in the most recent version of Microsoft’s Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver.

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension “.asp.” By appending “;.jpg” or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it “highly critical,” vulnerability tracker Secunia classified it as “less critical,” which is only the second notch on its five-tier severity rating scale.

“Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as ‘.asp,’ ‘.cer,’ ‘.asa’ and so on,” Dalili wrote. “Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.”

Secunia didn’t explain how it arrived at its assessment, but it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6.

A Microsoft spokeswoman said company researchers are investigating the report. They are not aware of attacks targeting the reported vulnerability, she said.

In the absence of any official guidance, webmasters who want to work around the potential problem should make sure that upload directories don’t have execute permissions. And web developers should ensure their applications never accept the user’s input as a file name.
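The three IIS items on this page describe the same weakness from different angles: an upload filter that only inspects the text after the last dot sees “shell.asp;.jpg” as a JPEG, while IIS 6 stops parsing the name at the semicolon. The following Python is an added example written for this archive, not code from Microsoft, Secunia, Soroush Dalili or any of the articles; it puts that weak filter next to a hardened one and implements the second mitigation above (never reuse the client’s file name) by storing uploads under a server-generated token. The sample names, the allowlist and the `token` test hook are constructed for the demonstration; removing execute permission from the upload directory is a server configuration step and is not shown.

```python
import re
import secrets
from typing import Optional

# Extensions the upload endpoint is willing to store.  An allowlist rather
# than a denylist of "dangerous" extensions, so the names IIS might
# reinterpret (.asp, .asa, .cer, ...) never need to be enumerated.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Exactly one dotted segment; stem limited to ASCII letters, digits, '_' and
# '-'.  This rejects ';' and ':' (the IIS 6 trick), extra dots, path
# separators, NUL bytes and whitespace by construction.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")

# Constructed sample names for the walkthrough (not taken from any exploit).
SAMPLE_NAMES = [
    "photo.jpg",        # legitimate upload
    "shell.asp",        # plainly executable; both filters reject it
    "shell.asp;.jpg",   # semicolon trick: a last-dot check sees ".jpg"
    "shell.asp:.jpg",   # colon variant the Register item mentions
    "photo.jpg.asp",    # double extension in the other order
    "../photo.jpg",     # path traversal hidden in the stem
]


def weak_upload_check(filename: str) -> bool:
    """The kind of filter the articles say is bypassed: it only looks at
    the text after the LAST dot, so 'shell.asp;.jpg' passes as a JPEG."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_IMAGE_EXTENSIONS


def hardened_upload_check(filename: str) -> bool:
    """Accept only names with one extension drawn from the allowlist and a
    stem made of characters IIS cannot reinterpret."""
    if not _SAFE_NAME.fullmatch(filename):
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_IMAGE_EXTENSIONS


def stored_name(filename: str, token: Optional[str] = None) -> Optional[str]:
    """Name to write to disk, or None if the upload is rejected.

    The client's stem is discarded entirely (the 'never accept the user's
    input as a file name' mitigation); only the validated extension survives,
    attached to a server-generated random token.  `token` is a hypothetical
    test hook so results are reproducible; production callers leave it None.
    """
    if not hardened_upload_check(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{token or secrets.token_hex(16)}.{ext}"


def audit(names):
    """Map each candidate name to (weak_verdict, hardened_verdict)."""
    return {n: (weak_upload_check(n), hardened_upload_check(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, hard) in audit(SAMPLE_NAMES).items():
        print(f"{name!r:20} weak={'accept' if weak else 'reject':6} "
              f"hardened={'accept' if hard else 'reject'}")
```

Running the script shows the weak filter accepting both the semicolon and colon variants as well as the traversal name, and the hardened filter accepting only “photo.jpg”. Because `stored_name` throws away everything the client supplied except a re-validated extension, even a filter slip elsewhere in the application cannot put an attacker-chosen name on disk.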

Source: The Register