Saturday, December 11, 2010
Tuesday, August 10, 2010
After 30 days, many AV vendors cannot detect known attacks
Cyveillance testing finds AV vendors detect on average less than 19% of malware attacks
Even after 30 days, many AV vendors cannot detect known attacks, making it critical for enterprises to take a more proactive approach to online security in order to minimize the potential for infection.
http://www.cyveillance.com/web/news/press_rel/2010/2010-08-04.asp
Friday, July 23, 2010
Chinese Hack 101
Let me introduce three basic terminologies as they are commonly used in various China hacking forums:
肉雞 (Chicken) - It means a machine trojaned with malware and a backdoor.
網頁掛馬/挂马 (Injected iframe) - It refers to an iframe injected into a web page with malicious code.
免杀 (Prevented to be killed) - It means software that uses anti-debugging techniques.
攻击 - Attack
I simply captured a piece of attack-service advertisement from a Chinese blog (URL:http://tieba.baidu.com/f?z=650017145&ct=335544320&lm=0&sc=0&rn=30&tn=bai...). Feel free to translate it via Google Translate:
免杀制作,网马挂马 入侵挂马 QQ空间挂马 视频传播木马
-> Anti-debugging, inject malicious iframe, trojans for QQ messenger, spreading trojan via video media.
Thursday, April 15, 2010
Military asserts right to return cyber attacks
The U.S. should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker's identity is unknown, the director of the National Security Agency told Congress.
Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.
For more info check http://bit.ly/cH8wsn and http://bit.ly/bzo2TX
Wednesday, February 3, 2010
Questions pile up concerning the death of Hakimullah Mehsud
Reports continue to circulate claiming that Hakimullah Mehsud, the current leader of the Pakistani Taliban (Tehrik-i-Taliban Pakistan), is dead after suffering wounds from a mid-January drone strike. Several Pakistani officials have claimed that Mehsud had died sometime at the end of January based on "word of mouth" (aka HUMINT) confirmation, according to a report today from ABC News. However, US intelligence officials have yet to confirm the EKIA reports and the TTP was quick to issue a statement denying the death of their leader. According to Bill Roggio at the Long War Journal, reports of Mehsud's death are premature. Hakimullah's spokesman (Azam Tariq) issued a statement saying, "Hakimullah is alive and safe." Additionally, one of Mehsud's subordinate commanders, and a potential successor, (Qari Hussein Mehsud) called the Pakistani press to issue a similar statement.
For further background on Mehsud and the key role he plays within TTP, check out JD's excellent profile here and this article from the CTC Sentinel.
If in fact the reports are true, we are likely to see another potential struggle over who would take over leadership of the TTP (similar to the reported infighting that occurred after the August 2009 death of the former TTP leader, Baitullah Mehsud). The top three contenders to assume the key role include:
- Wali-ur-Rehman, the young deputy leader who functions as the group's operational commander
- Qari Hussein, who oversees the suicide bomb program and is Hakimullah's cousin
- Saeed Khan Mamozai, a local commander from Orakzai tribal agency
Saturday, January 2, 2010
Cybercrooks stalk small businesses that bank online
And the bad guys are stepping up ways to get them onto PCs at small organizations. They then use the Trojans to manipulate two distinctive, decades-old banking technologies: Automated Clearing House (ACH) transfers and wire transfers.
ACH and wire transfers remain at the financial nerve center of most businesses. ACH transfers typically take two days to complete and are widely used to deposit salaries, pay suppliers and receive payments from customers. Wire transfers usually come into play to move larger sums in near-real time.
"Criminals go where the money is," says Avivah Litan, banking security analyst at
The FBI says it has investigated more than 200 cases, mostly in 2008 and 2009, in which cyber-robbers executed fraudulent transfers totaling about $100 million — and successfully made off with $40 million.
The victims are mostly small to midsize organizations using online bank accounts supplied by local community banks and credit unions, FBI analysis shows. "The bad guys are still out there breaking into customers' computers," says Steven Chabinsky, deputy assistant director of the FBI's Cyber Division.
Banking and tech security experts say many more cases of ACH and wire transfer fraud are going unreported mainly because the attacks are new and there are no laws setting forth the rights of online business account holders, the way consumer-rights laws protect accounts held by individuals. The result: Many cases end in civil disputes in which small businesses often lose.
"Our nation's legislators are not doing their job in affording the same protections for business account holders that they do for consumer account holders," says Litan.
Several developments make this new form of fraud irresistible for cybercriminals. In a race to win more online business customers, many banks offer high limits on ACH and wire transfers, even though their systems lack modern technologies for detecting fraud, says Terry Austin, CEO of security firm Guardian Analytics.
"Many banks rely heavily on their online channels but fail to implement the necessary protections," says Austin. "Cybercriminals are capitalizing on this opportunity."
Meanwhile, stealthy, malicious programs borne by corrupted Web links lurk everywhere on the Internet: in e-mails, social-network postings, online ads, even search query results. Click on a tainted link, and you could get infected by a cyber-robber's banking Trojan. Hundreds of new banking Trojan variants appear on the Internet every day. The number should top 200,000 in 2009, up from 194,000 in 2008, according to PandaLabs.
The likelihood of any ordinary person getting his or her PC infected by a banking Trojan is so great that Gartner's Litan tells acquaintances who run small businesses to switch from commercial online accounts to an individual consumer account.
That's because consumer-protection laws require banks to fully reimburse individual account holders who report fraudulent activity in a timely manner. However, banks have taken to invoking the Uniform Commercial Code — a standardized set of business rules that have been adopted by most states — when dealing with fraud affecting business account holders. Article 4A of the UCC has been interpreted to absolve a bank of liability in cases where an agreed-upon security procedure is in place and a theft occurs that can be traced to a compromised PC controlled by the business customer.
"It's time for small business to wake up and understand the true risk of online banking," says Litan. "If the bank thinks you were negligent, they do not have any obligation to pay you back."
The Western Beaver County School District in Pennsylvania, for one, is testing this stance. It is suing ESB Bank for executing 74 unauthorized cash transfers totaling $704,610 over four days during Christmas break a year ago. Court records show cash moved into 42 receiving accounts in several states and Puerto Rico. The bank retrieved $263,413 but did not recover $441,197.
ESB's attorney, Joseph DiMenno, says the bank is confident it will be "fully exonerated" but declined to discuss the lawsuit in detail. In a court filing, the bank denied any liability and said the district's "failure to secure and protect" its computers and network were to blame for any damages.
"They were able to reverse some of the transfers, but for others, the money apparently was already gone," says the district's attorney, Brian Simmons, of the Pittsburgh law firm Buchanan Ingersoll & Rooney. "We're not entirely sure who ended up with the funds. But the school district would like its money back."
So, too, would officials in
Gregory Schreacke, the bank's president, said in an interview that Bullitt County's "net loss" was actually $299,684. He said the bank stands by its decision not to make the county whole.
"No, we are not going to give it back," says Schreacke. "The county's network did not have an effective firewall, its virus protection software was woefully out of date and the county's treasurer and (chief) executive did not follow internal controls that would have prevented the unauthorized transfers."
The county's attorney, Larry Zielke, says First Federal should have stopped payroll transfers to other states and countries, something Bullitt County, population 75,000, never does. "Customers shouldn't have to protect the banks," says Zielke. "Banks should protect their customers."
Banking analyst Litan says it is unrealistic for the banking industry to promote Internet banking as safe based on the expectation that account holders will continually secure their PCs against cyberintrusions. "Banks should at least put a large disclaimer on their home Web pages advising customers that they bank online at their own risk," she says.
Indeed, any organization that cannot survive a sudden five- or six-figure loss should consider shunning Internet banking altogether, says Amrit Williams, chief technical officer of security firm BigFix. "Online is a very dangerous place for any small organization to be right now," he says. "The guidance for most of them should be, 'Don't bank online unless you absolutely have to.' It is too risky, and there are too few controls to support you if you fall prey to a malicious incident."
The banking industry acknowledges that online banking is risky and is doing all it can to address those risks without impairing development of electronic banking, says Doug Johnson, senior risk management adviser at the American Bankers Association. He says small businesses should heed the ABA's advice to use a dedicated PC for online banking.
"The fraudulent transactions represent a very small portion of the millions of safe and successful ACH transactions conducted daily by businesses across the country," says Johnson.
The ABA's position is that each bank sets its own policy for how much liability to assign to business account holders when unauthorized transfers occur. In general, "Banks urge business customers to be aware of their responsibility to keep computers used for online banking free of malicious programs," Johnson says.
Meanwhile, cyber-robbers continue to orchestrate online heists of increasing sophistication. Getting the money out is not easy; it requires careful planning and meticulous coordination. According to interviews with law enforcement officials and security researchers, here's how a typical theft unfolds:
First, a researcher spends some time on
One spear-phishing template in wide circulation purports to come from the target's own tech department, says Amit Klein, CTO of security firm Trusteer. It instructs the recipient to click on a link to ensure continued access to the company's Outlook e-mail system. "It's well-crafted and very effective," says Klein.
Banking Trojans can be simplistic. One common variety readily for sale on the Internet installs keystroke loggers that record banking account log-ons typed by the PC user. The robber later uses the log-on to access the account. Others are intricate, crafted to defeat the single-use PIN codes, smart cards, security certificates and biometric scanners some banks require for ACH transfers and wire transfers.
One such Trojan discovered by Trusteer set up a special chat channel to alert the attacker whenever the victim began to type in a key-fob-issued PIN code, which remains valid for 60 seconds. Acting quickly, the robber would then log on and set up a transfer, undetected, while the employee carried on other banking transactions.
"The problem is growing, and the sophistication is increasing," Klein says.
Randy Vanderhoof counts himself lucky. The executive director of Smart Card Alliance, a Princeton Junction, N.J., non-profit advocacy group, moved quickly when he noticed suspicious wire transfers from the group's
The first two transfers were two micropayments, for 95 cents and 31 cents, that went to the same account at
Vanderhoof alerted Bank of America quickly enough for it to recover all of the transfers. He figures the micropayments were tests and that the subsequent big transfers indicate that the robber was being frustrated in attempts to convert the deposits into cash.
He figures ING probably had the account under surveillance. But he doesn't know because he says the banks did not satisfy his requests for a detailed explanation. ING declined to comment. Bank of America follows industry practice of not discussing customer cases, says spokeswoman Tara Burke. The bank takes security seriously and offers customers a wide array of security tools and services, she says.
Vanderhoof closed the breached account and opened a new one, begrudgingly agreeing to pay Bank of America $125 more a month in fees for a service that permits transfers only from pre-approved parties. The service recently has blocked unapproved transfers of 12 cents, 25 cents and 38 cents.
He concludes would-be cyber-robbers have obtained the log-on details to the new account and are testing whether the bank will make unauthorized transfers.
"Our account is still out there, still getting hit with these probe transfers," he says. "I guess the only thing the bad guys haven't figured out is that they're not on our approved list."
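The article describes two controls worth automating on the customer side: the pre-approved-payee service Vanderhoof pays for, and the tiny "probe" transfers that preceded the large fraudulent ones. The following is an added example, not code from the article or from any bank; the transfer log, payee list and thresholds are constructed.

```python
"""Screening outbound transfers for unapproved payees and micropayment probes.

Added example (not from the article above). Models two controls it mentions:
an approved-counterparty list, and detection of sub-dollar "test" transfers
that precede a large transfer to the same new destination.
All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transfer log: (timestamp, destination account id, amount in USD).
TRANSFERS = [
    ("2009-11-02 09:14", "ACME-SUPPLY-0042", 1840.00),
    ("2009-11-02 10:02", "XX-UNKNOWN-7781", 0.95),    # probe, like the 95c transfer
    ("2009-11-02 10:03", "XX-UNKNOWN-7781", 0.31),    # probe, like the 31c transfer
    ("2009-11-02 14:47", "XX-UNKNOWN-7781", 7200.00), # the real theft attempt
    ("2009-11-03 08:30", "PAYROLL-LOCAL", 15300.00),
]

# Constructed list of pre-approved counterparties (the "approved list" service).
APPROVED_PAYEES = {"ACME-SUPPLY-0042", "PAYROLL-LOCAL"}
PROBE_THRESHOLD = 1.00            # amounts at or below this count as probes
PROBE_WINDOW = timedelta(hours=24)  # how long a probe stays "recent"


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def screen_transfers(transfers, approved, threshold=PROBE_THRESHOLD,
                     window=PROBE_WINDOW):
    """Return a list of (transfer index, reason) alerts.

    A transfer to a destination outside the approved list is flagged outright.
    Micropayments are recorded per destination; a larger transfer that follows
    recent micropayments to the same destination is flagged as a probe-then-theft
    sequence even if the destination were somehow approved.
    """
    alerts = []
    probes = defaultdict(list)  # destination -> timestamps of micropayments
    for i, (ts, dest, amount) in enumerate(transfers):
        when = parse_ts(ts)
        if dest not in approved:
            alerts.append((i, f"destination {dest} not on approved list"))
        if amount <= threshold:
            probes[dest].append(when)
            alerts.append((i, f"micropayment probe {amount:.2f} to {dest}"))
        else:
            recent = [t for t in probes[dest] if when - t <= window]
            if recent:
                alerts.append((i, f"large transfer {amount:.2f} to {dest} "
                                  f"follows {len(recent)} probe(s)"))
    return alerts


if __name__ == "__main__":
    for idx, reason in screen_transfers(TRANSFERS, APPROVED_PAYEES):
        print(f"transfer #{idx}: {reason}")
```

With an approved-payee list enforced by the bank, the three transfers to the unknown destination would simply be blocked; the probe logic is the customer-side signal that the account credentials are already in someone else's hands and the account should be closed, as Vanderhoof did.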
Friday, December 11, 2009
Bank Login-Stealing Botnet Found Hiding in Amazon Cloud
Black-hat hackers got into an unnamed website hosted on Amazon's servers then proceeded to install an illegal command and control infrastructure. Named America's number one most wanted botnet, Zeus was discovered on Amazon's Elastic Compute Cloud (EC2) by security researchers yesterday.
The Zeus Trojan is a keylogger designed to steal data such as login credentials, account numbers and credit card information. It creates fake HTML forms on banking login pages to allow hackers to steal user data. This particular botnet has been linked to around $100 million in bank fraud in 2009.
Although we don't yet have details on exactly how the website in question was hacked, we have learned that the software has been removed from the Amazon cloud. This incident is the first example of malware being found on AWS' infrastructure.
As we were warned by black hats in April this year, cloud computing carries certain risks and opportunities for exploitation. Our own Sarah Perez wrote:
In another part of the Sensepost presentation, they looked specifically at vulnerabilities of Amazon's Web Services. To start off, they detailed the process involved in setting up a new instance on EC2... While Amazon has provided 47 machine images they built themselves, the remaining 2721 images were built by other EC2 users. Can you really believe that all of these images were built securely? Basically, the template directory is just a big archive of user-generated content. And you know what user-gen content is like... risky.
As John Pescatore told the Financial Times, "The security of these cloud-based infrastructure services is like Windows in 1999. It's being widely used and nothing tremendously bad has happened yet. But it's just in early stages of getting exposed to the Internet, and you know bad things are coming."
Will hackers continue to employ web services to carry out their schemes in 2010? Twitter, Facebook, Google Apps, and now Amazon Web Services have all been used for evil this year. How can websites, corporations, and end users be smarter about online security to avoid personal and financial loss next year? Let us know what you think in the comments.
Wednesday, December 2, 2009
A telco busted once again giving our rights away
Check out the blog posting
Monday, November 23, 2009
Reversing JavaScript Shellcode: A Step By Step How-To
Head on over to http://pmelson.blogspot.com/2009/11/reversing-javascript-shellcode-step-by.html for this great article.
Dark For 36 Hours: Burlington’s Web Gambit
In what a senior company official conceded was an oversight, the 430-store, New Jersey-based chain failed to publish any ahead-of-time advisories before yanking its E-Commerce site's plug in the wee hours. Nor did it post much in the way of an explanatory statement during the long downtime period that followed. "The messaging on the site could clearly have been better," Burlington Coat Factory Supervisor of Web Development Jack Follansbee said. "It was an omission. We should have done something (a status page) a little more customized."
Thursday, September 24, 2009
NetTeller Attacks Increase
We will soon be putting out a white paper on the specific details, as soon as we feel law enforcement has made some headway into these attacks.
One thing we can say: this is coming from your typical Western European countries. There is some evidence which points to the same criminal organizations that were involved in some large compromises, for which a certain Floridian snitch is currently being held.
More to come.
Real-time hackers beating two-factor security
According to the
Unknown to the manager, his data session was hacked in real time and - despite the security of the session - the hackers piggy-backed their session on his, and siphoned off $447 000.
The interception of the data session using a trojan infection has potentially severe repercussions for the use of two-factor authentication devices by a growing number of electronic banking service users, as despite the data session being authenticated, it is still hackable in real time.
MIT Technology Review newswire quotes Sam Curry, vice president of product marketing with RSA Security - which produces the SecurID two-factor authentication device used by many third-party companies - as saying that, whilst one-time password technology and other additional security measures can raise the bar against attackers, it will not keep them out forever.
"Companies should be very leery of both prophecies of doom, like the death of a technology, and rosy visions of security", he said.
"Everything is breakable", Curry concluded.
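The point of the report is that a one-time password proves who opened the session, not what was later sent through it, so a request piggy-backed onto the authenticated session is accepted. The following added example (not from the report, RSA or any bank) contrasts that session-level check with a mitigation the report does not describe: a confirmation code computed over the transfer's own destination and amount, so a request whose details differ from what the user confirmed fails verification. The token secret, counters and transfers are constructed.

```python
"""Session-level OTP versus a code bound to the transaction details.

Added example, not from the article above. Shows why authenticating the
session alone does not protect an individual transfer, and how binding the
confirmation code to (destination, amount) does. All values constructed.
"""
import hashlib
import hmac

# Constructed seed shared between the bank and the user's token device.
TOKEN_SECRET = b"constructed-token-seed"


def session_code(secret, counter):
    """A one-time code bound only to a counter: it authenticates the login step
    and says nothing about any transfer made afterwards."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:6]


def transaction_code(secret, counter, dest, amount_cents):
    """A one-time code bound to the transfer details as well as the counter.
    The user's token would display dest/amount before producing it."""
    msg = f"{counter}|{dest}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


class Bank:
    def __init__(self, secret):
        self.secret = secret
        self.session_ok = False

    def login(self, counter, code):
        self.session_ok = hmac.compare_digest(code, session_code(self.secret, counter))
        return self.session_ok

    def transfer_session_only(self, dest, amount_cents):
        # Weak design: any request arriving on an authenticated session is honoured,
        # including one the user never saw.
        return self.session_ok

    def transfer_bound(self, counter, dest, amount_cents, code):
        # Stronger design: the code must match these exact transfer details.
        expected = transaction_code(self.secret, counter, dest, amount_cents)
        return self.session_ok and hmac.compare_digest(code, expected)


def demo():
    """Compare both designs when the submitted transfer differs from the one
    the user confirmed. Returns a dict of outcomes."""
    bank = Bank(TOKEN_SECRET)
    bank.login(1, session_code(TOKEN_SECRET, 1))
    intended = ("SUPPLIER-01", 12_000)      # what the user meant to send
    altered = ("OTHER-ACCOUNT-99", 44_700_000)  # a different destination and amount
    code = transaction_code(TOKEN_SECRET, 2, *intended)
    return {
        "session_only_accepts_altered": bank.transfer_session_only(*altered),
        "bound_accepts_intended": bank.transfer_bound(2, *intended, code),
        "bound_rejects_altered": bank.transfer_bound(2, *altered, code),
    }


if __name__ == "__main__":
    print(demo())
```

The bound code only helps if the user verifies the destination and amount on a device the infected PC cannot alter, which is why such schemes display the details on the token or via an out-of-band channel rather than in the browser.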
Wednesday, September 23, 2009
How does an ISP shut down 500,000 bot-infected machines?
This is one of those important routine things with the potential to fix a big problem that nobody is really writing about. ISPs are in the position to do something about botnets, but the process is a lot more complicated than you might think.
The IETF’s draft lists detection methods for finding bot-infected machines, including:
-- analysis of specific network and/or application traffic flows (such as traffic to an email server),
-- analysis of aggregate network and/or application traffic data,
-- data feeds received from other ISPs and organizations (such as lists of the ISP's IP addresses which have been reported to have sent spam),
-- feedback from the ISP's customers or other Internet users
They note that scanning their IP space for unpatched and vulnerable hosts could help reduce the risks of bot infections, but port scanning could leave network services hung. Also, firewalls and host-based intrusion detection could interpret the scans as precursors to attacks.
Notifying owners of infected machines is another huge can of worms. E-mail notices could end up in the spam bucket, ignored or could be spoofed by botnet operators for further social engineering. Ground mail and phone calls are expensive and very time consuming given the millions of bot-infected machines in the country.
It SEEMS like ISPs could just shut off infected machines and let the owners figure it out in their own sweet time. Considering that some people might have telephone service only through a voice-over-IP network, shutting off their ability to make 911 calls could be fatal. It also could be a business-fatal legal liability for the ISP.
The draft says a possible solution to the shutdown and notification quandary is the “walled garden.”
“Placing a user in a walled garden is another approach that ISPs may take to notify users. A walled garden refers to an environment that controls the information and services that a subscriber is allowed to utilize and what network access permissions are granted. This is an effective technique because it could be able to block all communication between the bot and the command-and-control channel, which may impair the ability of a bot to disrupt or block attempts to notify the user.
“While in many cases the user is almost guaranteed to view the notification message and take any appropriate remediation actions, this approach can pose other challenges. For example, it is not always the case that a user is actively using a computer that uses a web browser or which has a web browser actively running on it.
“In one example, a user could be playing a game online, via the use of a dedicated, Internet-connected game console. In another example, the user may not be using a computer with a web browser when they are placed in the walled garden and may instead be in the course of a telephone conversation, or may be expecting to receive a call, using a Voice Over IP (VoIP) device of some type. As a result, the ISP may feel the need to maintain a potentially lengthy white list of domains which are not subject to the typical restrictions of a walled garden, which could well prove to be an onerous task, from an operational perspective.”
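To make the draft's two halves concrete, here is an added example (not the IETF draft's text and not any ISP's code) that applies two of the listed detection inputs, traffic-flow analysis toward email servers and an external feed of addresses reported for sending spam, to constructed flow records, and then models the walled garden's domain white list so that the notification page and VoIP service remain reachable for a quarantined subscriber. Addresses, domains and thresholds are constructed.

```python
"""Flagging likely bot-infected subscribers and applying a walled-garden policy.

Added example; not from the IETF draft or any ISP. Two detection inputs from
the draft are modelled: analysis of SMTP traffic flows, and a feed of the
ISP's own addresses reported elsewhere as spam sources. A flagged subscriber
is then limited to a white list of domains. All data is constructed.
"""
from collections import defaultdict

# Constructed flow records: (subscriber IP, destination IP, destination port, flows).
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 12),
    ("10.0.0.5", "192.0.2.25", 25, 1),      # mail via the ISP relay: normal
    ("10.0.0.9", "198.51.100.1", 25, 140),  # direct SMTP to many external hosts:
    ("10.0.0.9", "198.51.100.2", 25, 133),  # the spam-bot pattern the draft
    ("10.0.0.9", "198.51.100.3", 25, 151),  # describes as "traffic to an email server"
    ("10.0.0.12", "192.0.2.33", 80, 40),
]
# Constructed feed: the ISP's addresses reported by others for sending spam.
SPAM_FEED = {"10.0.0.12"}
ISP_MAIL_RELAY = "192.0.2.25"  # subscribers are expected to submit mail here only
SMTP_DEST_LIMIT = 2            # distinct external SMTP peers tolerated per host


def find_suspect_hosts(flows, spam_feed):
    """Return {subscriber IP: reason} for hosts showing bot-like behaviour."""
    smtp_peers = defaultdict(set)
    for src, dst, port, _count in flows:
        if port == 25 and dst != ISP_MAIL_RELAY:
            smtp_peers[src].add(dst)
    suspects = {}
    for src, peers in smtp_peers.items():
        if len(peers) > SMTP_DEST_LIMIT:
            suspects[src] = f"direct SMTP to {len(peers)} external hosts"
    for src in spam_feed:
        suspects.setdefault(src, "reported in external spam feed")
    return suspects


# Walled garden white list: what a quarantined subscriber may still reach.
# The notification portal and the VoIP service are the cases the draft raises.
GARDEN_ALLOW = {"notify.isp.example", "voip.isp.example", "update.os-vendor.example"}


def garden_policy(subscriber, suspects, domain):
    """Decide a quarantined subscriber's request: 'allow' for white-listed
    domains (and for subscribers not in quarantine), otherwise 'redirect' to
    the notification page."""
    if subscriber not in suspects:
        return "allow"
    if domain in GARDEN_ALLOW:
        return "allow"
    return "redirect"


if __name__ == "__main__":
    suspects = find_suspect_hosts(FLOWS, SPAM_FEED)
    for ip, why in suspects.items():
        print(f"{ip}: {why}")
    print(garden_policy("10.0.0.9", suspects, "voip.isp.example"))
    print(garden_policy("10.0.0.9", suspects, "bank.example"))
```

The white list is exactly the "potentially lengthy" operational burden the draft warns about: every domain a VoIP handset, game console or update service needs has to be enumerated, and anything missed turns a notification into an outage for that subscriber.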
The Australian Internet Industry Association is working on similar guidelines (Text
