Cyber Security News
January 30, 2013
Trojan preys on victims fearful of missing a FedEx delivery
Researchers are noticing an uptick in trojan-laced spam designed to look like it is a delivery receipt from FedEx.
Symantec's Shunichi Imano said in a Tuesday blog post that the security company is witnessing a rise in the spread of Smoaler, an information-stealing trojan first detected in 2011.
The malware makes its way to victims through emails that appear to be from FedEx. The emails read, “Dear Customer, your parcel has arrived at the post office… Our courier was unable to deliver the parcel to you.”
The recipient is then directed to go to their nearest FedEx location to claim their package, after following a link to print their receipt. Instead, victims that follow the link download a zip file, called “PostalReceipt.zip,” which contains the malicious executable. Symantec can confirm that the spam was sent at least three days last week – on Monday, Friday and Saturday, Imano said.
“All the fake FedEx emails delivering this malware are almost identical except for the order numbers and the website the zip file is hosted on,” Imano wrote. “One sign of laziness, or perhaps an oversight on the part of the malware author, is a consistent order date.”
January 30, 2013
Mozilla to automatically block virtually all plug-ins in Firefox
Mozilla yesterday announced it would automatically disable all plug-ins in Firefox except the latest version of Adobe's Flash Player, citing security and stability reasons for the move.
The feature, called "click-to-play," has been part of Firefox since version 17, which launched last November, but Mozilla will restrict plug-ins even further going forward.
By default, click-to-play bars plug-in play, but users can override the block by clicking any grayed-out content area on a Web page. The technique has become popular as browser makers try to keep users safe from a rising tide of exploits that leverage bugs in plug-ins, particularly the Java browser plug-in.
Previously, Firefox's click-to-play only kicked in for those plug-ins that Mozilla determined were unsafe or seriously out of date. (The company posts a list of those plug-ins here.)
As of Tuesday, Firefox also blocked versions 10.2.x and older of Flash Player, the first step toward the goal of barring virtually all plug-ins.
January 29, 2013
UPnP networking flaw puts millions of PCs at risk
Common bugs in networking systems are placing PCs, printers and storage devices at risk, according to security researchers.
According to the security team at Rapid7, technology used worldwide in both routers and standard networking equipment is making it possible for hackers to potentially infiltrate approximately 40 million to 50 million devices worldwide.
The vulnerability lies in the standard known as Universal Plug and Play (UPnP). This standard set of networking protocols allows devices such as PCs, printers and Wi-Fi access points to communicate and discover each other's presence. After discovery, devices can be connected through a network in order to share files, printing capability and the Internet.
January 29, 2013
iOS 6.1 Fixes 27 Vulnerabilities
iOS 6.1, an update to the operating system Apple released yesterday for iPhones, iPads, and iPod Touches, contains 27 security vulnerability updates, 20 of them remote code execution bugs in the WebKit browser engine.
The vulnerability disclosure for the WebKit update attributes the bugs to "[m]ultiple memory corruption issues," which have been fixed. Thirteen of the 20 WebKit bugs were reported by "Abhishek Arya (Inferno) of the Google Chrome Security Team."
The WebKit browser engine is used in many popular Web browsers, including Safari, Google Chrome, and the new Web browser in BlackBerry 10. WebKit vulnerabilities are patched in different browsers on different schedules. One of the bugs fixed in iOS 6.1, CVE-2012-3606, was fixed in iTunes in September 2012.
January 29, 2013
Service Providers In The DDoS, APT Bull's Eye
Nearly half of service providers this year were hit with multi-layered DDoS attacks that use both network traffic-overload and application-layer tactics, up from around 27 percent last year, according to the newly published Arbor Networks Annual Worldwide Infrastructure Security Report.
One-fifth also have discovered bot infections within their own enterprise networks, raising concerns about cyberespionage campaigns targeting them. Among the other big threats they experienced this year were bots in their service provider networks (36 percent); APTs in their networks (15 percent); malicious insiders (11 percent); industrial espionage or data exfiltration (2 percent).
But distributed denial-of-service attacks remain the biggest problem for service providers: 76 percent say their customers were hit with DDoS attacks; 54 percent experienced DDoS attacks on services such as DNS and email; 52 percent suffered DDoS attacks on their network infrastructure; and 43 percent experienced outages due to DDoS attacks. And more than 60 percent suffered outages due to misconfigurations or other mishaps.
January 29, 2013
DoD to use connections to stay ahead of cyber threats
The Department of Defense (DoD) maintains one of the largest computer networks in the world. The network follows DoD personnel across the globe collecting, transferring, and processing information in forms as diverse as data warehouses, in-the-field mobile devices, and mission computers on board F-18s. This network is also constantly changing in size and shape as new missions are undertaken and new technology is deployed.
In military terms, this means the cyber terrain of the DoD network is constantly shifting.
Traditional approaches to protecting networks involve static cyber firewalls around the network perimeter and patching any discovered holes. A DARPA release reports that DARPA researchers seek a new approach, one that relies on knowing the cyber terrain within the network and understanding how information across the enterprise is connected to find actions associated with an attack buried under or within all the normal data.
DARPA’s new Cyber Targeted-Attack Analyzer program will attempt automatically to correlate all of a network’s disparate data sources — even those that are as large and complex as those within the DoD — to understand how information is connected as the network grows, shifts and changes. Once all of the data sources are correlated, the program will attempt to integrate them on a network to allow the defenders to understand the connections — like injecting a contrasting smoke into the air to see how it flows. The third phase of the program also seeks to build tools that use this information for cyber defense of the network.
January 28, 2013
Pentagon to boost Cyber Command fivefold, report says
Cyberattacks and data breaches are becoming a common occurrence worldwide.
When it takes little more than a script kiddie or a downloadable toolkit to cause havoc in corporate systems -- or even transform a governmental Web site into a game of Asteroids as part of a protest -- governments are in serious trouble unless they begin to invest more in the future of their digital defense.
When Anonymous recently took down the U.S. Sentencing Commission's Web site through code distributed by the hacktivist collective for "Operation Last Resort," ussc.gov was transformed much to the amusement of many -- but it underscored a serious problem.
If, with collective ease, political hackers can take down a Web site by not just instigating a denial-of-service attack (DoS) but mocking a government through creating a shooting game and distributing files, what will the next level be?
This outcome is something governments not only have to avoid, but be prepared for. The Pentagon currently only has 900 members within its cybersecurity force, but that is about to change.
January 25, 2013
New year, new cyber bill introduced by lawmakers
Lawmakers are again trying to pass cyber security legislation that would formalize cooperation among businesses and the federal government to help better defend the nation's critical infrastructure.
On Wednesday, a group of seven Democratic senators, led by John Rockefeller IV, D-W.Va., introduced the Cybersecurity and American Cyber Competitiveness Act of 2013. The bill has been referred to committee for discussion and amendments before it returns to the Senate floor for a vote.
The language in the measure has not yet been firmed up, but it is expected to create mechanisms for threat information sharing, workforce development, risk assessment and identity theft prevention.
In November, the Senate struck down another largely Democratic-backed security bill, the Cybersecurity Act of 2012, in a 51-47 vote.
January 25, 2013
WordPress Fixes 37 Bugs with Latest Update
WordPress pushed out version 3.5.1 of its open source blogging platform yesterday, fixing 37 bugs including several cross-site scripting (XSS) errors and a vulnerability that could have allowed an attacker to expose information and compromise an unpatched site.
Until yesterday, the aforementioned vulnerability, discovered by security researchers Gennady Kovshenin and Ryan Dewhurst, affected all versions of the platform. This particular problem could be exploited with a server-side request forgery (SSRF) attack and remote port scanning using pingbacks. Essentially, if left unpatched, an attacker could have forced a server into sending packets of information from the attacker to another server, even if it was behind a firewall.
The update also fixes the following XSS errors:
• Two instances of cross-site scripting via shortcodes and post content.
• An XSS vulnerability in the external library Plupload.
A post on the company’s blog by WordPress’ lead developer Andrew Nacin describes the update in full while a further breakdown of all the changes can be found here.
January 25, 2013
GitHub Search Down After Some Credentials and Crypto Keys Exposed
GitHub’s search capability remains dark Friday after it was discovered that the code-sharing site’s search feature could be used to dredge up passwords, private crypto keys, and other credentials developers use in their projects.
GitHub is a popular collaboration site for open source software developers, who store and share code with other developers. A message on the GitHub status page read today: “Search remains unavailable. The cluster is recovering slowly and we continue to monitor its progress. We'll provide further updates as they become available.”
GitHub released the new search functionality on Wednesday; new searches now return results that include private repository code.
“Under the hood is an Elastic Search cluster that live-indexes your code as you push it up to GitHub. Search results will be returned from public and private repositories that you have access to,” the site says. “To ensure better relevancy, we're being conservative in what we add to the search index. Repository forks will not be searchable unless the fork has more stars than the parent repository, for example.”
January 25, 2013
Corporations bring a 'knife to a gun fight' amid cyberattacks
Corporations are increasingly under fire from the rapidly rising threat of distributed denial-of-service (DDoS) attacks, according to new research from security firm Radware.
The study notes that DDoS attacks on corporations rose 170 percent in 2012 over the previous year.
After analyzing data from a number of security breaches and responses from 179 participating firms, Radware said that many corporations can be compared to "someone who brings a knife to a gun fight." In other words, businesses are attempting to protect themselves from cyberattacks but often fail because they are unprepared.
A number of trends point toward a critical blind spot: few businesses have the resources or protection in place to withstand long-term, drawn-out cyberattacks, which is a key element that many hackers exploit.
Avi Chesla, chief technology officer at Radware, said the security firm has studied hundreds of DoS/DDoS attacks and found that "attacks lasting more than one week have doubled in frequency during 2012."
One of the top cyberattack trends documented in 2012 is the use of compromised servers to launch botnets in denial-of-service attacks. Being able to use different servers in various locations has lifted many limitations of the single-server campaign, and a huge amount of traffic can be directed to a site to overload and close it quickly. In addition, the use of multiple servers available 24/7 not only facilitates the use of command-and-control centers but improves the reliability of such attacks. The security firm expects this method to grow in popularity over the next year.
In terms of damage, complexity and force, Radware said, 58 percent of server-based botnet DoS attacks in 2012 scored 7 out of 10 points for complexity, compared with 23 percent in 2011. Seventy percent achieved a complexity rating of 3 or higher, whereas 30 percent were given that score in 2011.
In addition, financial services and e-commerce sites that rely on HTTPS are a concern due to encrypted layer attacks. Hackers now often use encrypted layers to launch application-level and SSL attacks that can remain undetected until it's too late to rectify the problem.
Finally, Radware said, the spawning of "do it yourself" sites that assist anyone with minimal coding and hacking skills to take on a corporation is reaching the commodity level. These hacking-for-hire and free kits can result in someone paying little more than $10 for a ransomware attacking tool, which in turn means that hacking is no longer just for pros.
January 25, 2013
Oracle's Java security head says the company will 'fix Java,' communicate better
Oracle's head of Java security is promising the vendor will "fix" issues with the widely used programming language, as well as improve its outreach efforts to community members, following a spate of high-profile vulnerabilities.
"The plan for Java security is really simple," said Java security lead Milton Smith during a conference call this week with Java user group leaders. "It's to get Java fixed up, number one, and then number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy. We have to fix Java."
Oracle has been coming under fire recently from experts over what they say is an inability to properly patch vulnerabilities in Java.
Recently, the U.S. Department of Homeland Security even urged users to disable Java in their browsers. Most Java vulnerabilities of late have been at the browser level, according to Smith. "That's really the biggest target now."
January 25, 2013
What can happen within a cyberterrorist attack to the electrical grid of a country?
SCADA systems constitute a major challenge in the implementation of information security management systems, since they involve a new spectrum of risks which, if materialized, can cause incalculable losses to the population in terms of money and even human lives.
What kind of impact are we talking about? As I have described in previous diaries, the electrical system is controlled by SCADA systems, which manage the three core subsystems:
January 25, 2013
Vulnerability Scans via Search Engines (Request for Logs)
We had a reader this week submit the following web log to us:
GET /geography/slide.php?image_name=Free+gay+black+movies&slide_file=script%E2%84%91_id=0+union+select+0x3f736372aca074200372 HTTP/1.1
The request, as you can probably tell, is an attempt to detect SQL injection and likely XSS vulnerabilities. As such, it isn't really all that special. What makes this more interesting is the fact that it came from Microsoft's Bing search engine. Not only did the user agent match, but so did the source IP address.
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.html)
Client IP Address: 157.55.52.58
This technique of using search engines to proxy vulnerability scans has been mentioned in the past. For example, Google's translate service has been used to proxy requests.
Also, "Google Hacking", which refers to specially crafted Google searches used to find vulnerabilities, is quite common.
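As an added example (not part of the diary above or of the ISC's own tooling), the following Python script shows the two checks a site operator would want to run on a log entry like the one above: decode the query string and flag the injection indicators in each parameter, and then verify whether a request whose User-Agent claims to be a search-engine crawler really came from that crawler. The sample request line is constructed for this example (same parameter names, shortened payload, neutral image_name value), and the reverse-DNS suffixes are the ones the crawler operators publish for verification (bingbot hosts reverse to search.msn.com); the lookup functions are injectable so the check runs offline.

```python
import re
import socket
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request, modelled on the shape of the log line in the diary
# (parameter names kept, payload shortened, image_name replaced with a neutral value).
SAMPLE_REQUEST_LINE = (
    "GET /geography/slide.php?image_name=test&slide_file="
    "script%3E_id=0+union+select+0x3f736372 HTTP/1.1"
)
SAMPLE_USER_AGENT = (
    "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.html)"
)

# Injection indicators looked for in each decoded parameter value.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),   # union-based probe
    re.compile(r"\b0x[0-9a-f]{4,}\b", re.I),                 # hex-encoded literal
    re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.I),     # tautology after a quote
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                       # injected script tag
    re.compile(r"\bon[a-z]+\s*=", re.I),                     # inline event handler
]

# Crawler names and the reverse-DNS suffixes their operators publish so site owners
# can verify a claimed crawler IP (bingbot -> search.msn.com; Googlebot ->
# googlebot.com or google.com).
CRAWLER_RDNS_SUFFIXES = {
    "bingbot": ("search.msn.com",),
    "googlebot": ("googlebot.com", "google.com"),
}


def decode_query(request_line):
    """Split an HTTP request line and return (path, [(param, decoded value), ...])."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    # parse_qsl percent-decodes values and turns '+' into spaces for us
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def analyze_request(request_line, user_agent):
    """Flag injection probes per parameter and note which crawler the UA claims to be."""
    path, params = decode_query(request_line)
    findings = []
    for name, value in params:
        if any(p.search(value) for p in SQLI_PATTERNS):
            findings.append(("sqli", name))
        if any(p.search(value) for p in XSS_PATTERNS):
            findings.append(("xss", name))
    claimed = None
    ua_lower = user_agent.lower()
    for crawler, suffixes in CRAWLER_RDNS_SUFFIXES.items():
        if crawler in ua_lower:
            claimed = (crawler, suffixes)
    return {"path": path, "findings": findings, "claimed_crawler": claimed}


def crawler_ip_is_genuine(ip, expected_suffixes, reverse=None, forward=None):
    """Two-step check the crawler operators document: the IP's reverse-DNS name must
    end in a published suffix, and that name must resolve forward to the same IP.
    The lookups are injectable so the check can be exercised offline."""
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or socket.gethostbyname
    try:
        host = reverse(ip)
    except OSError:
        return False
    if not any(host == s or host.endswith("." + s) for s in expected_suffixes):
        return False
    try:
        return forward(host) == ip
    except OSError:
        return False


if __name__ == "__main__":
    report = analyze_request(SAMPLE_REQUEST_LINE, SAMPLE_USER_AGENT)
    print(report)
    if report["claimed_crawler"]:
        name, suffixes = report["claimed_crawler"]
        print("UA claims %s; verify the source IP with crawler_ip_is_genuine(ip, %r)"
              % (name, suffixes))
```

The point of the second function is the one the diary makes: a matching User-Agent string proves nothing on its own, and even a matching source IP only tells you the probe was relayed through a real crawler, so the request still deserves the same WAF or application-level handling as any other injection attempt.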
January 24, 2013
'Cyber 9/11' may be on horizon, Homeland Security chief warns
The head of Homeland Security announced today that she believes a "cyber 9/11" could happen "imminently," according to Reuters. If such an event were to occur it could cripple the country -- taking down the power grid, water infrastructure, transportation networks, and financial networks.
"We shouldn't wait until there is a 9/11 in the cyber world," Homeland Security Secretary Janet Napolitano said during a talk at the Wilson Center think tank today, according to Reuters. "There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage."
Napolitano was referring to the possibility of Congress passing cybersecurity legislation. Several elected officials have been working to get a cybersecurity law passed for years, but have repeatedly run into road blocks.
Sen. Joseph Lieberman spent years fighting unsuccessfully for a so-called Internet kill switch that would grant the president vast power over private networks during a "national cyberemergency." Currently, he is working to get the Senate to pass a more modest version of his proposal. By the same token, President Obama also signed an executive order last July that could give the government control over the Internet in an emergency.
January 24, 2013
U.S. is home to greatest number of botnet servers, says McAfee
The United States is responsible for the highest number of botnet servers in the world, according to new data from McAfee.
A map and a list of major countries posted by McAfee yesterday show the greatest concentration of botnet servers to be in the U.S., with 631. That's more than two and a half times higher than the second country on the list -- the British Virgin Islands with 237.
The Netherlands took third place with 154 servers, followed by Russia with 125, Germany with 95, and Korea with 81. Among the Top 10, Canada fared the best with only 38 servers listed.
A botnet describes a group of computers that have been compromised by malware. As such, these computers, or zombies, can be controlled by cybercriminals to send out spam, viruses, and even distributed denial-of-service attacks to other computers. The criminals use command and control, or C&C, servers to issue commands to the unsuspecting computers in the botnet.
January 24, 2013
SCADA Security 2.0
Second installment in an occasional series on SCADA security
No one disputes that there's a dire need for major change in addressing serious gaping security holes in SCADA/industrial control systems (ICS) today. Frustrated with the inertia associated with blatantly insecure SCADA/ICS systems in production at power plants and other sensitive operations in the U.S. and around the globe, security experts are now rethinking how to fix the SCADA/ICS security problem.
Among the strategies under consideration are bug bounty programs for SCADA vendors, and a more proactive and prescriptive role by government officials in the U.S. Patching, they say, is a short-term solution to a much bigger problem of products that by design are insecure. And with only 10 to 20 percent of customers applying the patches, it can be an exercise in futility in many cases. Security researchers at the S4x13 SCADA conference in Miami last week showed how easily they found some of the most basic security bugs in these systems, prompting discussion on new tactics for securing these systems.
January 24, 2013
Backdoor accounts found in networking and security appliances from Barracuda Networks
A variety of networking and security appliances from Barracuda Networks contain backdoor accounts that could allow attackers to log in remotely over SSH (Secure Shell) and gain administrative, or root, access on the devices.
The backdoor accounts were discovered by security researchers from Austria-based security firm SEC Consult. These accounts are not documented, they cannot be removed and can be accessed over SSH, they said in a security advisory published Thursday.
Furthermore, the appliances are configured by default to accept SSH connections from certain ranges of public IP addresses. Some servers located in those IP ranges are owned by Barracuda Networks, but others are owned by third-party organizations and individuals.
An attacker who compromises any server from the whitelisted IP ranges can gain administrative rights on Barracuda Networks appliances connected to the Internet by using the backdoor accounts, the SEC Consult researchers warned.
January 24, 2013
DARPA seeking to grow DoD cyber defense
The innovation and research arm of the Department of Defense (DoD) is standing up a new program designed to take a more integrated approach to negating attacks impacting military networks and intelligence.
The Defense Advanced Research Projects Agency (DARPA) announced Tuesday that its “Cyber Targeted-Attack Analyzer” program would examine data sources across DoD's entire network to help the government better identify threats to national security.
“Traditional approaches to protecting networks involve static cyber firewalls around the network perimeter and patching any discovered holes,” said a release from the agency. “DARPA researchers seek a new approach, one that relies on knowing the cyber terrain within the network and understanding how information across the enterprise is connected to find actions associated with an attack buried under or within all the normal data.”
January 23, 2013
3 charged in malware scheme targeting bank accounts
U.S. authorities have charged three foreign nationals with creating and distributing a virus that allowed thieves to steal tens of millions of dollars from victims' bank accounts.
The three are accused of creating the Trojan virus Gozi, which infected more than 1 million computers worldwide and 40,000 in the United States, including computers belonging to NASA, according to court documents unsealed today by U.S. Attorney Preet Bharara in Manhattan. Nikita Kuzmin, 25, Deniss Calovskis, 27, and Mihai Ionut Paunescu, 28, are accused of creating "one of the most financially destructive computer viruses in history."
The malware installed itself on computers after users clicked on an apparently benign PDF file embedded in an e-mail, allowing the cybercriminals to siphon user names, passwords, and other security information used to hijack online bank accounts, prosecutors alleged.
January 23, 2013
Using Metasploit for Patch Sanity Checks
Including link to Process Hacker, thanks to the readers for pointing out this oversight!
http://processhacker.sourceforge.net/
Introduction
Earlier last week a reader wrote in and asked us if the patch for MS13-008 [1] [2] had worked. A comprehensive patch validation could take a significant amount of time; however, there are a couple of things you can do to get a quick sanity check.
I use Metasploit when doing patch sanity checks. Also, with a virtual machine you can take snapshots at various stages of patching. In this case my system is configured for VMware Fusion Version 5.0.2 (900491) [4] and using Metasploit. Instructions for installing Metasploit exist all over the Internet, so we will not reproduce them here. A great install guide for OS X Mountain Lion can be found here [5]; however, I avoid the Java component.
January 23, 2013
Feds reveal Gozi trojan creator, fraud conspiracy
Three Eastern Europeans have been indicted on charges they helped orchestrate a bank fraud conspiracy that affected tens of thousands of victims, according to court documents unsealed in New York.
On Wednesday, federal prosecutors announced that Nikita Kuzmin, 25, of Russia, the alleged creator of Gozi, a sophisticated trojan that preys on targeted banking customers to steal their login credentials and other private information, admitted to the hacking and fraud charges. He was arrested in the United States in November 2010 and pleaded guilty six months later.
Meanwhile, indictments were unsealed against Deniss Calovskis, 27, also known as “Miami,” who allegedly wrote parts of Gozi's code and was arrested in November in Latvia, and Mihai Paunescu, 28, who used the online alias “Virus." He was arrested last month in Romania.
January 23, 2013
DARPA Seeking Help With Targeted Attack Analysis
The networks of government agencies and the military are under constant attack from a variety of sources, and the U.S., like most other countries, relies on those networks to not just run daily operations, but to support missions around the world. In the face of those attacks, the Department of Defense's advanced research group, DARPA, is looking for new technologies that can collect and analyze massive amounts of network data and enable security teams to get quick reads on attacks happening across a broad, department-level network.
DARPA has taken on a major role in recent years in the search for new technologies to defend the country's own networks and to help the U.S. military conduct offensive cyber operations. Last month, for example, the agency announced that it was looking for research proposals to help shore up the military's cyberwar capabilities. Known as Plan X, the DARPA initiative is designed to develop and deploy an entirely new set of technologies.
“Specifically excluded is research that primarily results in evolutionary improvements to the existing state of practice," the agency's announcement said.
January 23, 2013
SCADA Password-Cracking Tool For Siemens S7 PLCs Released
A Russian security researcher has unleashed a brute-force password-cracking tool that can capture passwords for Siemens S7 programmable logic controllers (PLC), which run machinery in power plants and manufacturing sites.
Sergey Gordeychik, a researcher with Positive Technologies, last week at the S4 2013 conference in Miami released the proof-of-concept tool that brute-force hacks the challenge-response information from a TCP/IP traffic exchange. The tool demonstrates how an attacker on an adjacent network could grab credentials for the PLCs simply by brute-force hacking for passwords.
S7 is the protocol used for communicating among engineering systems, SCADA, HMI, and PLC equipment, and can be password-protected. "We wrote two brute-force authentications for S7," Gordeychik says.
Siemens was the target of much of the vulnerability research at last week's conference, where another researcher also demonstrated how to intercept S7-400 PLC passwords. Erik Johansson, an independent consultant and researcher at the Royal Institute of Technology in Sweden, demonstrated how unpatched S7 systems are susceptible to attack and control by an unauthorized user who grabs their passwords. Siemens described the flaw as a security "weakness in the programming and configuration client software authentication method" that the S7 employs.
Contact Us
905 764 3246
Let us assist you to plan and budget for your next audit. ERE Security helps you find and eliminate your security risks. Contact us and we'll help you choose the right audit.