exploits

Hackers hit over 200,000 sites

Judi Hasson — Sat, 04 Oct 2008 14:28:35 -0400

More than 200,000 websites have been invaded by criminal gangs that have acquired administrative log-in credentials and have used the compromised domains to attack unsuspecting users' PCs. Ian Amit, director of security research at Aladdin Knowledge Systems Inc., told Computerworld.com that he found and infiltrated a server belonging to a longtime customer of Neosploit, a hacker tool kit used by cybercriminals to launch exploits against browsers and popular web software such as Apple's QuickTime and Adobe Systems' Adobe Reader.

Amit said he uncovered logs showing that two or three hacker groups had contributed to a massive pool of website usernames and passwords. "We have counted more than 208,000 unique site credentials on the server and over 80,000 had been modified with malicious content," he said.

He added that the server-based application that validated the credentials, and then modified the sites, was completely automated. Also, Amit said, access to that application was restricted to about six or seven IP addresses, making it clear that that access was intended only for the use of the criminals using the server.

For more on these hacker activities:For more:
- see this Computerworld.com article

Who's responsible for spam and malware?

Judi Hasson — Fri, 05 Sep 2008 21:17:38 -0400

Traditionally, the debate over Internet security has involved the battle between the industry that seeks to protect companies and individuals from intruders, and the companies that make their profit selling botnets and developing new exploits. New reports from HostExploit and Knujon, however, focus on the registrars and ISPs that actually provide hosting to the black hats; they explore the various connections between the organizations.

Ars Technica said that HostExploit's report looks at the U.S.-based ISP Atrivo, and the company's "alleged willingness to ally itself with (or, at least deliberately overlook) ongoing criminal enterprises.'' The Knujon inquiry delves into the relationship between the Indian-based Directi Group and its affiliates.

For more on this security subject:
- check out this Ars Technica article

Researcher to demonstrate chip-specific attack code

Paul Mah — Tue, 15 Jul 2008 07:52:08 -0400

Security researcher Kris Kaspersky plans to demonstrate how processor bugs can be leveraged to remotely attack a computer with nothing more than JavaScript or TCP/IP packets. The scary thing here is that these attacks can succeed regardless of the operating system that the target computer is running. Scheduled to take place at the Hack In The Box (HITB) Security Conference, to be held in Kuala Lumpur in October, the demonstration will take place against fully patched operating systems ranging from the various Windows variant to Linux and even BSD. In addition, Kaspersky noted that the possibility exists with the Mac OS as well.

To read up more on this new hardware specific attack vector:
- check out this InfoWorld article

Phishers get nabbed

Thu, 22 May 2008 06:59:59 -0400

Thirty-eight people in the U.S. and Romania have been charged in two federal indictments, alleging they used a complicated Internet phishing scheme to steal thousands of credit and debit card numbers, and then tap into bank ATMs to obtain cash.

The targets were both individuals and hundreds of financial institutions, a reminder to CIOs and their IT departments to remain vigilant and to make sure employees know the risks and do not respond to bogus emails seeking personal or company information.

In the indictments coming out of California and Connecticut, federal authorities said schemes were run by individuals with ties to organized crime, and targeted banks and other companies including Citibank, Capital One and PayPal.

For more on these indictments:
- see this pcworld.com article

New ways to steal data

Thu, 22 May 2008 06:59:58 -0400

Every time a security expert devises a new way to protect computer users from hackers, there is always someone who finds a way around the defense.

University researchers recently developed two new techniques for stealing data from computers that rely on some unlikely hacking tools: cameras and telescopes. While most security research focuses on the attacking software and hardware inside the PC, this "side-channel" research looks at the physical environment.

At the University of California, Santa Barbara, researchers have worked out a way to analyze a video of hands typing on a keyboard in order to guess what was being written. At Saarland University in Germany, researchers have read computer screens from their tiny reflections on everyday objects such as glasses, teapots, and even the human eye.

To get more details:
- see this InfoWorld.com article

For more tech articles from the FierceCIO network:
> Firefox 3 RC1 now available. Article
> Former Cisco engineers ready 'firewall killer.' Article
> Exclusive cell phone deals challenged. Article

WGA changes coming in Vista SP1

Tue, 26 Feb 2008 06:59:57 -0500

You'd be hard-pressed to find anyone in IT who likes Microsoft's Windows Genuine Advantage program. So most will be glad to hear that the company is planning to make changes to the anti-piracy tool yet again, with the introduction of Windows Vista SP1 in March. While the company plans to disable two of the most common product activation exploits with SP1, the biggest news is that the "punishment" for systems suspected of running a pirated copy of Windows is being toned down just a bit. Instead of "Reduced Functionality Mode," SP1 systems will be forced into a notifications-based mode that will change the desktop background and remind the user to activate Windows every hour. These are minor annoyances compared to Reduced Functionality Mode and should come as welcome news, given the large number of legitimate Windows systems that seem to have been misdiagnosed by WGA in the past.

For more on the coming changes:
- see this Ars Technica article

Microsoft releases new security APIs

Fri, 01 Feb 2008 06:59:56 -0500

Windows Vista SP1 and Windows XP SP3 might almost be upon us but that doesn't mean that Microsoft doesn't have a few surprises up its sleeve with regard to the service packs. To wit, the company has announced that new security-related APIs will be made available with the service packs, making it easier for developers to plug into the Data Execution Prevention (DEP) technology that's built-into Windows. DEP is designed to prevent certain types of exploits, like common buffer overflow attacks, by blocking the attack code from being executed in a machine's memory. With the new APIs, it should be easier for developers to take advantage of DEP protection in the applications that they build. "We can now allow the application to be protected, even if the developer is using an old version of [Active Template Library]," said Michael Howard, principal security program manager at Microsoft. "DEP is a good defense, and we want to make it easier for developers to use it."

For more on the new APIs:
- see this ComputerWorld article

Microsoft: Vista more secure than Linux, Mac

Thu, 24 Jan 2008 06:59:59 -0500

Microsoft--like most tech companies--is known to toot its own horn from time to time. So it comes as no surprise to see yet another security study out of Redmond looking to debunk the idea that Windows Vista is insecure. Insecure? Far from it--Vista is the most secure major OS on the market, if you ask Microsoft. And how, you might ask, did they arrive at this conclusion? Well, it looks like they put together a handy little graph that compares the number of vulnerabilities found during the first year of release to the number of vulnerabilities fixed during that year, for four different operating systems: Windows XP, Vista, OS X 10.4, Ubuntu 6.06 and Red Hat RHEL4. According to the data, Vista had the fewest number of vulnerabilities and the highest ratio of vulnerabilities to fixes. In another chart, data is collected on the number of security updates, patches and weeks with at least one patch. And once again, Vista sweeps all three categories with the lowest score.

So what do you say, folks, is Vista the most secure OS around? If you ask me, despite all the charts and graphs, this is all still pretty subjective. After all, the vulnerabilities and fixes are boiled down to raw numbers without any comment on the nature of the vulnerabilities, whether or not an exploit was actually produced and circulated, the amount of time elapsed between the discovery of a vulnerability and the patch, etc. What do you think, readers, does Vista deserve all the kudos? Let us know in the comments.

For the full scoop:
- see Microsoft security strategy director Jeff Jones' blog entry

Critical Quicktime bug hits Windows

Mon, 26 Nov 2007 06:59:59 -0500

In the age of iTunes and Safari on Windows, Quicktime is just about as common a piece of software as any you'll find on the average Windows PC. That's why it's troublesome that a previously unknown Quicktime flaw has become public, leaving countless Windows XP and Vista users open to attack. According to security research firm Secunia, the latest "extremely critical" vulnerability "can be exploited by malicious people to compromise a user's system." An exploit is apparently making the rounds as we speak and has been confirmed to affect Quicktime version 7.3. No word yet from Apple, so keep your fingers crossed for a patch sooner rather than later.

For more on the bug:
- see this ZDnet blog entry

ALSO NOTED: A smartphone secure enough for the NSA; TIFF exploits for iPhone released;

Thu, 18 Oct 2007 06:59:51 -0400

> Major labels want to sell music on flash drives. Article
> TIFF exploits for iPhone released. Article
> Western Digital breaks a record for hard drive density. Article
> Intel to cut 2,000 more jobs. Article
> Toshiba develops a circular LCD display. Article
> Dell gains back a little marketshare. Article

And Finally... A secure smartphone fit for the NSA. Article