Says DPRK sympathizers could be behind ‘righteous’ act
The devastating cyberattack on Sony Pictures that rendered most of the movie studio’s computers unusable for over a week and left the hackers behind the attack in possession of copious amounts of sensitive data is currently being probed by both forensic experts hired by the company and the FBI. Although the identity of the perpetrators has yet to be established, many believe there is plenty of circumstantial evidence that points to a North Korean hand. Perhaps fed up with all the incriminatory rumors, the Democratic People’s Republic of Korea (DPRK) on Sunday dismissed all talk of its involvement in the attack on Sony in its own inimitable style.
Good news, Twitter junkies, it's now safe to return to your normal 140-character microblogging about whatever's on your mind without fear of falling prey to a nasty XSS attack that was running rampant yesterday.
"The exploit is fully patched," Twitter announced in a status update early this morning.
Prior to the patch, a flaw in how Twitter turned links in tweets into HTML let an attacker attach script to a link, so that merely moving the cursor over it popped up messages or opened third-party websites. The mouseover bug was being widely exploited, redirecting visitors of compromised accounts to hardcore porn sites. It was also being used to "auto-tweet" more mouseover links from each victim's own account, affecting thousands of Twitter users before Twitter plugged the gaping security hole.
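As an added illustration of the bug class (not Twitter's code, and the payload below is constructed for this example), here is the shape of the mistake: a linkifier that splices the matched URL text straight into an href attribute, next to one that escapes it first.

```javascript
// Added illustration of the mouseover XSS class described above. The
// payload and both linkify functions are constructed for this example;
// they are not Twitter's code.

// Vulnerable: the matched "URL" text is spliced straight into an attribute.
function linkifyUnsafe(tweet) {
  return tweet.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that can end an attribute value or start a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape before splicing, so a quote inside the URL text stays
// inside the href value instead of closing it.
function linkifySafe(tweet) {
  return tweet.replace(/https?:\/\/\S+/g, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Crude check for an event-handler attribute the author never wrote. It
// accepts the no-space form ("...@"onmouseover=") because HTML parsers
// begin a new attribute immediately after a closing quote.
function hasEventHandler(html) {
  return /(^|[\s"'])on[a-z]+\s*=/i.test(html);
}

// Constructed payload in the shape of the 2010 tweets: the URL text closes
// the href with a quote and appends an onmouseover attribute.
const payload = 'look at this http://t.co/@"onmouseover="alert(document.cookie)"/';
```

Calling `linkifyUnsafe(payload)` yields `<a href="http://t.co/@"onmouseover="alert(document.cookie)"/">...`, which a browser parses as an `<a>` with an `onmouseover` handler; `linkifySafe(payload)` keeps the whole string inside the quoted href. Escaping has to match the context the value lands in (attribute here), and a real linkifier should also restrict the scheme to http/https before emitting the href.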
Stop whatever it is you're doing and visit your router manufacturer's website. Once there, drill down to the firmware section and bookmark that page, and then get in the habit of checking it regularly. The reason? Millions of routers are about to become extinct (sort of).
At this year's Black Hat security conference in Las Vegas, one of the items on the agenda is "How to Hack Millions of Routers," an alarming keynote in which Craig Heffner, a researcher with security firm Seismic, plans to release a software tool he says is capable of cracking half of all routers in existence.
This isn't a new technique, but an altered version of "DNS rebinding," something that has been talked about for more than a decade.
"There have been plenty of patches over the years, but this still hasn't really been fixed," Heffner says.
In short, the hack abuses the Domain Name System (DNS): when an unsuspecting visitor surfs to a compromised or attacker-controlled site, script from that site is made to reach the visitor's own router as if it belonged to the same origin, giving the attacker access to the router's settings from inside the local network. Browser makers have already patched earlier versions of this attack, but according to Heffner, it's all for naught.
"The way that [those patches] are circumvented is actually fairly well known," Heffner explains. "It just hasn't been put together like this before."
More info here, including a small sample of routers Heffner has demonstrated this attack on.
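To make the mechanism concrete, here is an added simulation of DNS rebinding (not Heffner's tool; the hostname evil.example and the addresses 203.0.113.5 and 192.168.1.1 are constructed for the example). It models the attacker's resolver, a browser whose same-origin policy keys on the hostname, and the two places a defence can live: the resolver refusing a public name that rebinds to a private address, and the router refusing requests whose Host header is not its own.

```javascript
// Added simulation of DNS rebinding, the technique behind the router attack
// described above. Names and addresses are constructed for this example.

function isPrivateIp(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// Attacker's authoritative DNS server. The first lookup from a client gets
// the attacker's web host so the page and its script load; every later
// lookup gets the router's LAN address. TTL 0 forces the browser to ask again.
class RebindingResolver {
  constructor(attackerIp, targetIp) {
    this.attackerIp = attackerIp;
    this.targetIp = targetIp;
    this.seen = new Set();
  }
  resolve(clientId, name) {
    const key = `${clientId}/${name}`;
    if (!this.seen.has(key)) {
      this.seen.add(key);
      return { ip: this.attackerIp, ttl: 0 };
    }
    return { ip: this.targetIp, ttl: 0 };
  }
}

// The router's web interface. With checkHost enabled it refuses requests
// whose Host header is not one of its own names; a rebound request carries
// Host: evil.example, a legitimate one carries the router's address.
function routerHttp(req, { checkHost }) {
  const ownNames = new Set(['192.168.1.1', 'router.local']);
  if (checkHost && !ownNames.has(req.host)) {
    return { status: 403, body: 'host mismatch' };
  }
  return { status: 200, body: 'admin page for ' + req.path };
}

const attackerHttp = () => ({ status: 200, body: '<script>/* rebinding payload */</script>' });

function simulateAttack(opts = {}) {
  const { filterPrivate = false, checkHost = false } = opts;
  const name = 'evil.example';
  const resolver = new RebindingResolver('203.0.113.5', '192.168.1.1');
  // Minimal network: which HTTP handler answers at which address.
  const network = {
    '203.0.113.5': attackerHttp,
    '192.168.1.1': (req) => routerHttp(req, { checkHost }),
  };
  // 1. Victim opens http://evil.example/ and receives the attacker's script.
  const first = resolver.resolve('victim', name);
  const page = network[first.ip]({ host: name, path: '/' });
  if (page.status !== 200) return { stage: 'no-page' };
  // 2. The script requests http://evil.example/admin, same origin as itself.
  //    The TTL was 0, so the browser resolves again and now gets the router.
  const second = resolver.resolve('victim', name);
  // Resolver/browser-side mitigation: a public name must not rebind to a
  // private address mid-session.
  if (filterPrivate && isPrivateIp(second.ip)) {
    return { stage: 'blocked-by-resolver', ip: second.ip };
  }
  // The request still carries Host: evil.example and matches the page's
  // origin, so the script may read whatever the router returns.
  const resp = network[second.ip]({ host: name, path: '/admin' });
  return { stage: 'router-response', ip: second.ip, status: resp.status, body: resp.body };
}
```

`simulateAttack()` reaches the router's admin page; `simulateAttack({ checkHost: true })` is refused with 403; `simulateAttack({ filterPrivate: true })` never leaves the resolver. Since Heffner says the browser-side patches are circumvented in a known way, the check worth verifying on your own router is the device-side one: point a browser at the router using a hostname it does not own and confirm the administration interface refuses to answer.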
Soccer fans around the world are eagerly waiting for the 2010 FIFA World Cup to kick off. Soccer's marquee event will virtually transform host nation South Africa into the mecca for the sport's impassioned followers around the world. As with any other major world event or cataclysm, the internet's dark alleys are filled with people ready to exploit the outpouring of human emotion during the World Cup. Some of their nefarious plans are likely already afoot, even though there is a fair bit to go before the start of the event.
Symantec recently discovered a “targeted attack” that quite clearly tries to exploit the mounting soccer fever. Thankfully, the attack was thwarted before it could cause any damage. The attackers tried to deliver their malicious payload in an email message ostensibly sent by a legitimate African safari organiser, Greenlife. To the untrained eye, the sender had attached a “highly informative World Cup Travel Guide” to the message. In reality the attachment was a modified copy of Greenlife's real PDF guide: the genuine document had been altered to carry an exploit for a recently patched vulnerability in Adobe Reader before being sent on as an attachment.
“The patch for this critical rated vulnerability was released by Adobe on February 16, 2010. Since then we have observed a large number of targeted attacks attempting to exploit this vulnerability. Proof-of-Concept exploit code is available in the Internet which is contributing to the large number of observed attacks,” Daren Lewis, a Symantec employee wrote on the MessageLabs Intelligence blog.
Targeted attacks are known to be precise and low-volume. For instance, Symantec sees fewer than 100 such attacks a day, even though it blocks around 500,000 malicious emails per day. Such attacks usually target organizations, with people at the top of the pecking order more likely to be attacked first, since their accounts give the attackers access to a large share of the organization's sensitive information. In this case, the malicious email was sent to a person identified only as “a user in a major international organisation that brings together governments from all over the world.”
China's leading search engine Baidu has pinned the entire blame for the recent attack on its site on American domain registrar Register.com. The hackers, who identified themselves as the Iranian Cyber Army, had disrupted Baidu's services for hours on January 12. They diverted all traffic meant for Baidu.com – the Chinese site (Baidu.cn) wasn't affected – to a page maintained by them.
Baidu has wasted little time in slamming Register.com with a lawsuit for "gross negligence" on the latter's part. It said in a statement that the registrar's negligence abetted the attack on its site. But the domain registrar believes that Baidu has no case against it and its suit is without merit.
"Register.com takes cyber-terrorism very seriously and we are working closely with federal law enforcement officials who are investigating this crime as well as the recent similar attacks on Twitter and Google," a spokesperson for Register.com said. The same group that hacked Baidu had also attacked Twitter last month.
As if there weren't already enough infected websites floating around in cyberspace, security researchers are warning of a new mass injection attack that has already compromised more than 130,000 Internet destinations since the attacks first began in late November.
Researchers say the nasty code is a rogue IFrame being used to exploit visitors' browsers and infect their PCs with a banking trojan.
"The injected IFrame loads the first stage of malicious content from 318x.com. A series of IFrames and code redirections (invisible to the user) then ensues, culminating in a rather curious method for managing the final payload," explains Mary Landesman, senior security researcher at Web security company ScanSafe, now part of Cisco.
Landesman says the redirects are used to determine the potential victim's web browser, Flash Player version, and other details. Using that information, only exploits relevant to that person's setup are used.
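The injected IFrame is invisible to the user but not to a scanner. As an added example (not ScanSafe's detection logic; the HTML sample is constructed, and 318x.com appears only because the researcher named it as the first-stage host), here is a small checker that pulls every `<iframe>` out of a page and reports the ones that are both hidden and loaded from a foreign host, which is the signature of this class of injection.

```javascript
// Added detector for the hidden, cross-origin IFrame pattern described
// above. The HTML below is constructed for this example.

const sampleHtml = `
<html><body>
<h1>Welcome</h1>
<iframe src="/widget" width="300" height="200"></iframe>
<iframe src="http://ads.example.org/banner" width="468" height="60"></iframe>
<iframe src="http://318x.com/a.php" width="0" height="0"></iframe>
<iframe style="display:none" src="//cdn.example.net/t.js"></iframe>
<iframe src="http://another.example.net/x" style="position:absolute; left:-1000px"></iframe>
</body></html>`;

// Extract each <iframe ...> tag as a map of lower-cased attribute names.
function parseIframes(html) {
  const tags = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push(attrs);
  }
  return tags;
}

// Hidden by size (0x0 or 1x1), by CSS, or by being positioned off-screen.
function isHiddenIframe(attrs) {
  const tiny = (v) => v !== undefined && parseInt(v, 10) <= 1;
  if (tiny(attrs.width) || tiny(attrs.height)) return true;
  const style = (attrs.style || '').toLowerCase();
  return /display\s*:\s*none/.test(style) ||
         /visibility\s*:\s*hidden/.test(style) ||
         /(left|top)\s*:\s*-\d{3,}/.test(style);
}

// Resolve relative and protocol-relative src values against the site host.
function iframeHost(src, siteHost) {
  try {
    return new URL(src, `http://${siteHost}/`).hostname;
  } catch {
    return null;
  }
}

// Report iframes that are both hidden and served from a different host.
function findSuspiciousIframes(html, siteHost) {
  const hits = [];
  for (const attrs of parseIframes(html)) {
    if (!attrs.src) continue;
    const host = iframeHost(attrs.src, siteHost);
    if (host && host !== siteHost && isHiddenIframe(attrs)) {
      hits.push({ host, src: attrs.src });
    }
  }
  return hits;
}
```

Run against `sampleHtml` with `www.example.com` as the site host, the checker flags the 0x0 frame from 318x.com, the `display:none` frame and the off-screen frame, and leaves the visible same-origin widget and the visible ad frame alone. A regex is enough for a quick sweep of a static crawl; injected code that is obfuscated or written by script at runtime needs a rendering browser to catch, which is what the redirect chain the researcher describes is counting on.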
Mid-sized businesses are finding themselves in a precarious position as of late. Forced to cut back spending because of the ongoing recession, many firms are spending less on security, but at the same time, cyber attacks are on the rise, according to a McAfee report released today.
McAfee surveyed 900 mid-sized businesses around the globe with workforces ranging from 51 to 1,000 employees, and more than half of them reported an increase in security breaches over the past 12 months. The United States and India were near the top of the charts, with 63 percent of organizations noting an increase in attacks; only China was higher, at 68 percent.
But what's most frightening is how many of those same organizations think they're only a single serious security breach away from being put out of business. Of those surveyed in the U.S., 71 percent said it's a real possibility, yet IT budgets have either dropped or remained the same.
"An organization's level of worry and awareness about increasing threats has not overcome the downward pressure on budgets and resources," said Darrell Rodenbaugh, senior vice president of global midmarket for McAfee, in a statement. "But this creates a vicious cycle of breach and repair that costs far more than prevention."
While most companies note that a single attack could do them in, McAfee notes that most businesses may underestimate the risk. Over 90 percent of those surveyed felt they're protected from cybercriminals and aren't in as much danger as larger businesses.
Last month, a hacker calling himself Hacker Croll broke into the email account of a Twitter administrator and from there gained access to the employee's Google Apps account, where Twitter shares spreadsheets and documents outlining business ideas and various financial details, said Biz Stone, a Twitter co-founder.
After doing so, the hacker sent all sorts of confidential documents to a pair of news blogs, TechCrunch and Korben. While the breach and subsequent sharing of information might have been embarrassing for Twitter, analysts say the attack highlights the bigger problem of people using the same password for every site they visit.
According to security firm Sophos, 40 percent of Internet users use the same password for every website. And with so many personal details floating around social networking sites, it makes it that much easier for hackers to breach someone's account.
"A lot of the Twitter users are very much living their lives in public," said Chris King, director of product marketing at Palo Alto Networks, which creates firewalls. "If you broadcast all your details about what your dog's name is and what your hometown is, it's not that hard to figure out a password."
This won't come as a surprise to power users, but to avoid being hacked, use strong passwords that mix letters, numbers and symbols and that cannot be guessed from anything you have posted about yourself, change them regularly, and never reuse the same password across sites: one leaked password should unlock one account, not all of them.
Google has confirmed that the error messages people received on Thursday when searching for details of Michael Jackson's death were initially perceived as an attack. Searches between 2:45 and 3:15pm returned the message "We're sorry, but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now."
The error messages lasted for about 25 minutes on Thursday, just long enough for Google to confirm what was actually going on. The search giant noted that the amount of traffic it saw on this topic was unprecedented, as millions around the world scrambled for accurate information, seemingly all at once. Yahoo has also confirmed that it hit an all-time record for unique visitors with over 16.4 million following the story. This blows away the previous record held by the Obama election day, with a paltry 15.1 million uniques.
The outpouring of sympathy online has been astonishing, and I’m sure Google will learn its lesson on this one.
After Obama's website, black hats have now managed to sow the seeds of deceit in Google video search results. Security firm Trend Micro has discovered that about 400,000 queries trigger Google Video search results that “have a single redirection point, and one that eventually leads to malware download and execution.” The black hats have been able to manipulate search results to their advantage using simple SEO techniques: they registered several domains and stuffed them with keywords so that their pages rank for those queries.
According to Trend Micro, the malware executable, dubbed WORM_AQPLAY.A, spreads via removable and network drives. It is disguised as an Adobe Flash installer, and the user is only prompted to download the fake installer once he reaches one of the malicious video websites run by the black hats.