::Trend Micro Threat Resource Center::

31 July 2009

Famous Security Experts' Sites Hacked

Here's a discouraging piece of news for anyone who's put security professionals Dan Kaminsky and Kevin Mitnick on a pedestal: both men's sites were hacked in apparent coordination with the start of the Black Hat security conference.

The hackers left behind notes indicating that they were trying to humiliate and discredit their targets, accusing them of getting by more on reputation and hype than skill. It's unclear how the hackers carried out their attacks, but they did share some evidence of their success, and Kaminsky seems to have been the hardest hit.

Following the attacks, a file containing all sorts of confidential info was made public, and Dan Goodin reports, "The file posted on security mailing lists claimed to have obtained more than four years' worth of data from Kaminsky, and as proof, it offered a smattering of emails, instant messages, and other communications that laid out sensitive research work and intimate personal conversations."

Also, "multiple passwords Kaminsky used and back-end configurations for Kaminsky's website" were shared, and the site's been offline ever since as a result.

Read more here

30 July 2009

Google Safe Browsing Feature Could Compromise Privacy

Researcher RSnake has discovered that Google's anti-malware and anti-phishing features for Chrome and Firefox track information about users' browsing habits.

Google basically stores a cookie on the user's computer that can be used to track him or her, he says. And the cookie can be used to identify the IP addresses he or she visits, for instance. Hansen says Google logs that data for anti-distributed denial-of-service (DDoS) purposes.

"In Chrome, every five hours it phones home" to check for the current version and "sends a payload including machine ID and user ID," says RSnake.

The only way to protect your privacy from this, he says, is to turn off the anti-phishing and anti-malware options. "The bummer is you're turning off a great service," he says. "It protects you from malware" and other threats, he says.

The good news, he says, is that Google only retains the data for two weeks, and then stores it in aggregate form. "But having this IP address, this cookie, and this timestamp is enough information to decloak someone for a [hacking] incident they did two years ago," he says. "So if you use Firefox or Chrome, you should know the risks" of the Safe Browsing feature, he says.

Read the detailed article here.

28 July 2009

Next Gen IT Security 2009 Conference

Event: Next Gen IT Security 2009
Date: 18 August-19 August 2009
Location: Singapore
Organizer: Marcus Evans
Homepage: http://www.marcusevans.com

Marcus Evans' 'Next Gen IT Security' conference will help IT security professionals keep their knowledge up to date on the latest threats, new practices and continuous improvement strategies in the industry, so they can maintain a competitive edge in the market.

This conference highlights the participation of representatives from international companies such as OWASP Singapore (Singapore), Royal Bank of Scotland (Singapore), Citco Funds (Singapore), SingHealth (Singapore), Creative Technology (Singapore), Bank of America (Singapore), JPMorgan Chase Bank (Singapore), Nokia Siemens Networks (Singapore), Hong Kong Police Force (Hong Kong), CBH Group, Dell Inc. (Global Business Center), Affin Bank (Malaysia), British Telecommunications, Professional Information Security Association (PISA), Allergan (India), Acmamall.com, Bank Muamalat (Malaysia) and Carsem, among others.

For further event details and event brochure, kindly contact Ms. Catherine Foo here.

19 July 2009

What is a browser?

If a major piece of your security strategy revolves around employee training, the following video might be a major setback. Many security pros pride themselves on the amount of training they give their employees. But I wonder, is it all for naught?

A Google employee took a camera and microphone onto the streets of New York City to find out if non-techies knew what a browser is, and the results were astounding. Fewer than 8% of those interviewed knew. And these people don't reside in an assisted living facility or a 55-and-over community; many of them could have Facebook accounts and even Twitter handles.

After watching the video, I wonder, how would I begin a security training program if many of my employees don’t know what a browser is?

Phishing sounds like a foreign language and malware sounds like a bad word. Maybe the next generation will have a better understanding. But how long can we wait?


18 July 2009

Koobface Turns the Other Cheek

Twitter's in the news again.

There have been many reports of yet another variant of Koobface doing the rounds through Twitter. The tweets doing the rounds contain the following messages:
  • My home video :)
  • Watch my new private video! LOL :)
  • michaeljackson' testament on youtube
Looking around for some of the hacked twitter accounts, I found a few unfortunate souls whose accounts have been hijacked to spread this malware.

Here's one example I have found below. Some of the TinyURLs are pointing to the AdultFriendFinder Web site; the one below is not responding but appears to be active.

Other URLs are directing users to a fake video Web site that contains the usual Codec-type social engineering trick to lure users into downloading and running the file.

Symantec detects this as W32.Koobface.C. The threat that it drops is detected as Antivirus2008. Given the redirects chosen by the attacker and also the threat that it drops, clearly the makers of Koobface are in the business of making money.

Twitter has taken action and suspended accounts that have been infected.

To prevent your computer from becoming infected, be wary when clicking any links you receive in a tweet, even from your friends, as this worm uses social engineering techniques in an attempt to infect your computer: once a user is infected it sends links to their followers, so the link appears to come from someone you know.

Make sure that you also regularly update your anti-virus security software to catch the latest threats. Alternatively, you can check back here regularly for new updates. =)

Source

17 July 2009

BlackBerry update bursting with spyware

This may not be applicable to Singapore's BB users, but still, it highlights the potential vulnerabilities of BlackBerry.

An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life.

Read on

16 July 2009

First Zero-Day Exploit Released For Firefox 3.5

Patch is in the works, exploit code and Metasploit attack module are released.

The race is on: Mozilla is scrambling to finish a patch for a now-public bug in its Firefox 3.5 browser, while exploit code is circulating and Metasploit has released a new module for the attack.

The vulnerability, which was initially discovered by Mozilla last week in the Firefox 3.5 Just-in-Time (JIT) JavaScript compiler, is considered "critical" in that it can be used to execute malicious code, according to Mozilla. A researcher posted his attack code on milw0rm on Monday. The flaw lets an attacker infect the machine of a victim duped into visiting a malicious Web page.


Disabling JIT in the JavaScript engine is one way to protect against such an attack, but that's only a temporary solution because without JIT, Firefox's performance decreases, Mozilla warned in its blog. Another option is to run Firefox in Safe Mode, which disables the JIT, or to use the NoScript add-on for Firefox.

Here's how to disable JIT in JavaScript, according to Mozilla:

1. Enter about:config in the browser's location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content -- setting the value to "false."

After a patch for the bug is issued and applied, users have to reinstate JIT:

1. Enter about:config in the browser's location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content -- setting the value to "true."

Mozilla says it will push out a Firefox update "as soon as the fix is completed and tested."

Secunia, meanwhile, says the flaw, if exploited, can cause memory corruption due to an error in the handling of JavaScript code.

14 July 2009

'Anti-Sec' Group Hacks Popular Image Site, Demands Changes In Security Research

ImageShack, one of the Web's largest image hosts, was attacked over the weekend by a group called "Anti-Sec," which is demanding changes to the security industry's practice of full disclosure of vulnerabilities.

According to a report, the group replaced many of ImageShack's hosted images with its own manifesto, which states, in part:

"The security industry uses full disclosure to profit and develop scare tactics to convince people into buying their firewalls, anti-virus software, and auditing services...if whitehats were truly about security, this stuff would not be published...

"...Our battle is that of the removal of full-disclosure for the purpose of making it harder for the security industry to exploit its consequences. It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies, and individuals, full disclosure will be abandoned and the security industry will reform.

"How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full disclosure and the security industry in its present form. If you own a security blog, an exploit publication Website or you distribute any exploits...'you are a target and you will be rm'd. Only a matter of time.'

"This isn't like before. This time, everyone and everything is getting owned."

Another report states that the hackers were able to send email to ImageShack customers using the addresses that the site itself has registered for those users.

While security forums today were abuzz with discussion about the group's allegation that full disclosure is detrimental to security, researchers generally said they weren't sure how serious the group's threat is or exactly how the hack occurred.

A screen cap of the defaced website here.

13 July 2009

Origins of Google Chrome logo

Ever wondered how the Google Chrome logo came about?

10 July 2009

Sober worm returns and uses social engineering techniques

PandaLabs has recorded the appearance of a new variant of the Sober worm, Sober.Y, which spreads using social engineering techniques in emails sent in English or German.

The worm uses two types of mail to propagate: Firstly, an email in English with the subject "Your new password," which tries to make users think it is notification of a change of password, asking them to check the data in an attached file, pword_change.zip.

Secondly, an email written in German claiming to contain a photograph of old school friends in the file KlassenFoto.zip. Both compressed files contain the executable PW_Klass.Pic.packed-bitmap.exe, which is a copy of the worm itself.

If the file is run, a false CRC error is displayed, even though the worm has already started running. The worm collects email addresses from files with certain extensions on the compromised computer, and sends itself out to them in the emails described above using its own SMTP engine. It will only use the German version of the email if the addresses end in .de (Germany), .ch (Switzerland), .at (Austria), or .li (Liechtenstein).

Even though the number of incidents recorded is low, this worm has significant propagation potential.
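The lure indicators PandaLabs describes (the "Your new password" subject with pword_change.zip, the German KlassenFoto.zip mail, the double-extension executable PW_Klass.Pic.packed-bitmap.exe inside either archive, and the TLD rule for choosing the German template) are concrete enough to turn into a mail-gateway check. The script below is an added example written for this page, not PandaLabs' code; the mail records it scans are constructed sample data, and the `Mail` class, the function names and the generic double-extension rule are this example's own assumptions.

```python
"""Flag inbound mail that matches the Sober.Y lures described in the write-up.

Added example (not PandaLabs' code). Indicators are taken from the text:
subject "Your new password" with attachment pword_change.zip, a German mail
carrying KlassenFoto.zip, and a zip member named PW_Klass.Pic.packed-bitmap.exe
(an executable hiding behind a double extension). Sample mails are constructed.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Indicators quoted in the PandaLabs description.
LURE_SUBJECT = "your new password"
LURE_ZIPS = {"pword_change.zip", "klassenfoto.zip"}
LURE_PAYLOAD = "pw_klass.pic.packed-bitmap.exe"
# TLDs for which the worm switches to its German template (from the write-up).
GERMAN_TLDS = {"de", "ch", "at", "li"}
# Generic rule (assumption, not from the write-up): executables in archives.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat)$", re.IGNORECASE)


@dataclass
class Mail:  # hypothetical minimal mail record
    recipient: str
    subject: str
    attachments: dict  # filename -> raw bytes


def zip_members(data: bytes) -> list:
    """Return member names of a zip attachment, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def sober_indicators(mail: Mail) -> list:
    """Return the Sober.Y indicators found in one mail (empty list = clean)."""
    hits = []
    if mail.subject.strip().lower() == LURE_SUBJECT:
        hits.append("subject:password-change lure")
    for name, data in mail.attachments.items():
        if name.lower() in LURE_ZIPS:
            hits.append(f"attachment:{name}")
        for member in zip_members(data):
            base = member.rsplit("/", 1)[-1]
            if base.lower() == LURE_PAYLOAD:
                hits.append(f"zip-member:{base}")
            elif EXEC_EXT.search(base) and base.count(".") > 1:
                # Double-extension executable inside an archive: generic lure pattern.
                hits.append(f"zip-member:double-extension:{base}")
    return hits


def lure_language_for(recipient: str) -> str:
    """Which template the worm would send this recipient, per the TLD rule."""
    tld = recipient.rsplit(".", 1)[-1].lower()
    return "de" if tld in GERMAN_TLDS else "en"


def make_zip(member: str) -> bytes:
    """Build a tiny zip holding one empty member; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"")
    return buf.getvalue()


# Constructed sample mails mirroring the two lures described by PandaLabs,
# plus one benign message.
SAMPLES = [
    Mail("alice@example.com", "Your new password",
         {"pword_change.zip": make_zip("PW_Klass.Pic.packed-bitmap.exe")}),
    Mail("bob@example.de", "Klassenfoto",
         {"KlassenFoto.zip": make_zip("PW_Klass.Pic.packed-bitmap.exe")}),
    Mail("carol@example.com", "Lunch tomorrow?",
         {"menu.pdf": b"%PDF-1.4 constructed"}),
]


def scan(mails=SAMPLES) -> dict:
    """Map each recipient to the indicators found in their mail."""
    return {m.recipient: sober_indicators(m) for m in mails}


if __name__ == "__main__":
    for rcpt, hits in scan().items():
        print(rcpt, lure_language_for(rcpt), hits or "clean")
```

The archive is opened in memory rather than trusting the attachment's own extension, so a renamed zip or a member nested in a folder is still inspected; `lure_language_for` only reproduces the TLD rule from the write-up so a help desk can tell users in .de/.ch/.at/.li domains which of the two lures to expect.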

07 July 2009

Microsoft Warns Of IE Vulnerability

Microsoft has issued a security advisory about a privately reported vulnerability in its Video ActiveX Control.

The company says that users running IE6 or IE7 on Windows XP and Windows Server 2003 are at risk for attacks, but Windows Vista and Server 2008 and those running IE8 are not at risk.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user," Microsoft said in its advisory. "We are aware of attacks attempting to exploit the vulnerability."

Microsoft said it is working with its partners to provide information they can use to provide broader protections to customers. "Microsoft is currently working to develop a security update for Windows to address this vulnerability," the company said.

Microsoft is recommending that users remove support for the Video ActiveX Control until a fix is in place.

"When the ActiveX control is used in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code," the Redmond, Washington-based company said.

Attackers can exploit the vulnerability when Internet users visit websites with malicious code. Unsuspecting users may receive emails requesting they visit malicious websites.

"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft said.

03 July 2009

iPhone Crashing Bug Could Lead To Serious Exploit

Exploiting a bug in the way iPhones parse SMS messages, the principal analyst at Independent Security Evaluators has demonstrated how to crash a part of the phone, which allows him to temporarily disconnect the device from the network.

He’s still trying to figure out if the vulnerability will allow him to remotely execute code, a feat that would allow attackers to do much more nefarious things, including sending malicious commands to monitor the phone’s location or turn on its microphone so it becomes a remote bugging device.

“I can definitely make the thing crash,” Miller said. “I have still to determine whether it’s actually exploitable or not. This thing has the potential to be really serious, but I’m still looking at it and Apple is still looking at it.”

Miller presented his findings at the SyScan conference in Singapore on Thursday and plans to offer additional details later this month at the Black Hat security conference in Las Vegas. Researcher Collin Mulliner was also instrumental in discovering the bug, Miller said.

If the vulnerability turns out to be exploitable, it would be significant because there are few measures iPhone users can take to prevent an attack, said Dino Dai Zovi, a security researcher. Dai Zovi has yet to see technical details behind the vulnerability, but he has already experienced its effects last week.

While the two were speaking on a land line, Miller told Dai Zovi he found a new bug in the iPhone and, as a demonstration, instructed him to look at his own Apple handset. The display bore the words “No service.” (The outage caused by Miller’s proof of concept was only temporary).

“My reaction was that this has the potential to be a very serious vulnerability and likely the worst that has affected the iPhone to date,” Dai Zovi told The Register. “I was very surprised that he had a vulnerability that was triggerable with just an SMS message.”

Dai Zovi and several other iPhone experts said there is no way to prevent the iPhone from receiving SMS messages. While AT&T allows users to block text messages and multimedia messages sent as emails, there is no way to block all SMS messages. Apple has made no comment so far.

01 July 2009

New Firefox 3.5

Mozilla just released a new version of their popular web browser Firefox. Besides the bug fixes and general improvements, Firefox 3.5 incorporates two new security and privacy features for end users.

Private Browsing
Need to use someone else's computer? Switch on Private Browsing mode and nothing will be recorded about your session, including cookies, history, and any other potentially private information.

Better privacy controls
The Privacy preference pane has been completely redesigned to offer users more control over their private information. Users can choose to retain or discard anything including history information, cookies, downloads, and form field information.

In addition, users can specify whether or not to include history and/or bookmarks in the location bar's automated suggestions, so you can keep private web addresses from popping up unexpectedly while typing in the location bar.