Saturday, February 06, 2010

Zeus Attack Spoofs NSA, Targets .GOV and .MIL

Brian Krebs:

Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

According to one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was, which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

The e-mails urge recipients to download a copy of a report named “2020 Project.” Another variant is spoofed to make it look like the e-mail from The true sender, as pulled from information in the e-mail header, is

More here.

Friday, February 05, 2010

FBI Wants Records Kept of Web Sites Visited

Declan McCullagh writes on C|Net News:

The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years, a requirement that law enforcement believes could help it in investigations of child pornography and other serious crimes.

FBI Director Robert Mueller supports storing Internet users' "origin and destination information," a bureau attorney said at a federal task force meeting on Thursday.

As far back as a 2006 speech, Mueller had called for data retention on the part of Internet providers, and emphasized the point two years later when explicitly asking Congress to enact a law making it mandatory. But it had not been clear before that the FBI was asking companies to begin to keep logs of what Web sites are visited, which few if any currently do.

The FBI is not alone in renewing its push for data retention. As CNET reported earlier this week, a survey of state computer crime investigators found them to be nearly unanimous in supporting the idea. Matt Dunn, an Immigration and Customs Enforcement agent in the Department of Homeland Security, also expressed support for the idea during the task force meeting.

More here.

Mozilla Confirms Infected Firefox Add-Ons Slipped Through Security

Gregg Keizer writes on ComputerWorld:

Mozilla confirmed late Thursday that it failed to detect malware in a pair of Firefox add-ons, which may have infected up to 4,600 users.

The add-ons have been removed from Firefox's official add-on download site.

According to an entry on the Mozilla Add-ons blog, Sothink Web Video Downloader 4.0 and all versions of Master Filer were infected with Trojan horses designed to hijack Windows PCs. Both add-ons were in the "experimental" area of Firefox's add-on download site, where newer extensions remain until they undergo a public review process. To install experimental add-ons, Firefox users must view and accept an additional warning.

Master Filer was downloaded about 600 times in the five months ending Jan. 25, when it was pulled from the site. Sothink Web Video Downloader 4.0 was downloaded approximately 4,000 times between February and May 2008. The most up-to-date version of the latter, which captures streaming videos in a variety of formats, is 5.7.

More here.

Thursday, February 04, 2010

Mark Fiore: Newly-Frugal Guy Tackles the Deficit

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

Wednesday, February 03, 2010

IBM ISS Researcher Exposes Holes In Cisco's Internet Surveillance Architecture

Kelly Jackson Higgins writes on Dark Reading:

Black Hat DC 2010 -- An IBM ISS researcher here today revealed major security holes in a little-known wiretapping architecture for IP networks created by Cisco Systems for law enforcement. The weaknesses could result in an attacker interfering with legal surveillance or performing some unauthorized surveillance of his own.

Tom Cross, manager of X-Force Research at IBM ISS, says he first discovered the Cisco Architecture for Lawful Intercept in IP Networks, which was published as an IETF RFC in 2004, four years ago. The document, also known as IETF RFC 3924, is based on the lawful intercept architecture used by the European Telecommunications Standards Institute, and is implemented in Cisco's edge and switch routers -- the 7600, 10000, 12000, and AS5000 series products. Cross says other vendors also have deployed the architecture within their network devices.

Cross says an alleged criminal could discover that he was under law enforcement's surveillance using the current architecture, allowing him to manipulate or corrupt the information collected or to use the surveillance information for nefarious purposes.

More here.

Google to Enlist NSA to Help It Ward Off Cyber Attacks

Ellen Nakashima writes on The Washington Post:

The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity.

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.

Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data.

More here.

Hackers Try to Steal $150,000 from United Way

Brian Krebs:

Hackers broke into computer systems at a Massachusetts chapter of the United Way last month and attempted to make off with more than $150,000 from one of the nation’s largest charities.

Patricia Latimore, chief financial officer at the United Way of Massachusetts Bay and Merrimac Valley, said unknown attackers tried to initiate a number of bogus financial transfers out of the organization’s bank account, but that the United Way was able to work with its bank to block or reverse the unauthorized transfers.

“We were able to pretty much capture things as they were happening,” Latimore said. “Fortunately, we saw it on the day that it occurred.”

The intruders attempted to send more than $110,000 in unauthorized payroll transfers to at least a dozen individuals across the United States who had no prior business with the United Way chapter. At least one large wire transfer was attempted, for nearly $40,000, to a 32-year-old man in New York.

More here.

Security Researcher: Verisign Fails to Take Action Against Malicious Sites

Jaikumar Vijayan writes on ComputerWorld:

A security researcher is accusing Verisign Inc. of not acting fast enough to take down several dozen sites that he says are known to be spewing malware.

The sites are all in the .com and .net domains and were registered by domain name registrars in Russia and Turkey, said Andrew Fried, CEO of security consultancy Deteque and a former senior special agent with the U.S. Department of the Treasury.

The sites first surfaced on February 1, and have been pushing out a new Russian exploit kit called JustExploit that takes advantage of Java bugs to infect computers, Fried said.

The domain name registrars in Russia and Turkey, which registered the sites, have so far done nothing to deregister them, though they have been notified about the problem by security researchers who monitor malicious activity on the Internet, Fried said.

More here.

U.S. Police Want Backdoor to Web Users' Private Data

Declan McCullagh writes on C|Net News:

Anyone with an e-mail account likely knows that police can peek inside it if they have a paper search warrant.

But cybercrime investigators are frustrated by the speed of traditional methods of faxing, mailing, or e-mailing companies these documents. They're pushing for the creation of a national Web interface linking police computers with those of Internet and e-mail providers so requests can be sent and received electronically.

CNET has reviewed a survey scheduled to be released at a federal task force meeting on Thursday, which says that law enforcement agencies are virtually unanimous in calling for such an interface to be created. Eighty-nine percent of police surveyed, it says, want to be able to "exchange legal process requests and responses to legal process" through an encrypted, police-only "nationwide computer network."

The survey, according to two people with knowledge of the situation, is part of a broader push from law enforcement agencies to alter the ground rules of online investigations. Other components include renewed calls for laws requiring Internet companies to store data about their users for up to five years and increased pressure on companies to respond to police inquiries in hours instead of days.

More here.

Hackers Steal Millions in Carbon Credits

Kim Zetter writes on Threat Level:

That’s exactly what hackers went after last week when they obtained unauthorized access to online accounts where companies maintain their carbon credits, according to the German newspaper Der Spiegel.

The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded.

When workers entered their credentials into a bogus web page linked in the e-mail, the hackers were able to hi-jack the credentials to access the companies’ Trading Authority accounts and transfer their carbon credits to two other accounts controlled by the hackers.

The scheme has produced a robust market for the trade of credits. More than 8 million tons of CO2 emissions worth $130 billion were traded in Europe last year.

More here.

Tuesday, February 02, 2010

Oracle Hacker Gets The Last Word

Andy Greenberg writes on

In 2001, Larry Ellison brashly proclaimed in a keynote speech at the computing conference Comdex that his database software was "unbreakable." David Litchfield has devoted the last nine years to making the Oracle chief executive regret that marketing stunt.

At the Black Hat security conference Tuesday afternoon, Litchfield unveiled a new bug in Oracle's 11G database software, a critical, unpatched vulnerability that would allow a hacker to take control of an Oracle database and access or modify information at any security level. "Anything that God can do on that database, you can do," Litchfield told Forbes in an interview following his talk.

The attack that Litchfield laid out for Black Hat's audience of hackers and cybersecurity researchers exploits a combination of flaws in Oracle's software. Two sections of code within the company's database application -- one that allows data to be moved between servers and another that allows management of Oracle's implementation of Java -- are left open to any user, rather than only to privileged administrators. Those vulnerable subroutines each have their own simple flaws that allow the user to gain complete access to the database's contents.

Litchfield says he warned Oracle about the flaws in November, but they haven't been patched. Oracle didn't immediately respond to a request for comment.

More here.

Cyber Crime Checks Into The Hotel Industry

Andy Greenberg writes on

Over the past year America's hotels have had some uninvited guests: a wave of increasingly sophisticated invasions by organized cybercriminals.

That's one finding of a report that cybersecurity researcher Nicholas Percoco plans to present Tuesday at the Black Hat security conference in Arlington, Va. His data shows a spike in hacking incidents that successfully targeted hotels and resorts, what Percoco describes as relatively unprotected sources of thousands or even millions of credit card account details.

Percoco, who works as a security auditor and data breach investigator for the security firm Trustwave, plans to outline the results of around 1,900 audits and 200 breach investigations that his company performed over the last year. The central anomaly in that data: While only 3% of the audits Trustwave performed proactively for companies were commissioned by the hospitality industry, hotels and resorts were victims in 38% of investigations following successful cybercriminal attacks. That's a new phenomenon for Trustwave, whose hospitality breach investigations were "practically nonexistent" in 2008, says Percoco.

More here.

Study: 73% Use Bank Password Everywhere

Bob Sullivan writes on the MSNBC "Red Tape Chronicles" Blog:

For years computer security experts have been preaching that users should never share the same password across their connected lives -- at online banking sites, at Amazon, on their Web mail services, even on their cell phones.

Apparently, most people ignore that advice.

A new study by security firm Trusteer found that 73 percent of Web users take their online banking password and use it at other Web sites. And about half of all consumers utilize the same password and user name at online banking sites and other sites.

"I must say I was very surprised," said Amit Klein, chief technology officer of Trusteer. "It is surprisingly sad that such a large portion of users use their banking credentials at other sites. ... It exposes those users to attacks that would otherwise be impossible. I thought that people would take banking credentials more seriously, but it turns out that in this digital age, this is not the reality."

More here.

U.S. Intelligence Chief: Attacks on Google 'Wake-Up Call'

Via Reuters.

Recent cyber attacks on Google are a "wake-up call" and neither the U.S. government nor the private sector can fully protect the American cyber infrastructure, the director of U.S. national intelligence said on Tuesday.

"Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication," Dennis Blair said in prepared testimony for a Senate intelligence committee hearing.

Google, the world's top Internet search engine, said last month it would not abide by Beijing-mandated censorship of its Chinese-language search engine and might quit the Chinese market entirely because of cyber attacks from China.

Blair said the Chinese military's "aggressive cyber activities" pose challenges to neighbors.

More here.

UK: Conficker Cause of Greater Manchester Police Disconnection

Via The H Security.

The Greater Manchester Police (GMP) have disconnected themselves from the Police National Computer (PNC) after an outbreak of the Conficker worm. According to a BBC report, the outbreak was identified on the GMP computer systems on Friday, 29th of January, and quickly spread through the force. Experts at the GMP took the decision to disconnect the GMP from the PNC to prevent further infestation.

Police officers in Manchester are currently calling neighbouring regional police forces to carry out name and vehicle checks on their behalf. Assistant Chief Constable Dave Thompson said, "A team of experts is now working on removing the virus, and will not reconnect until we are sure there is no further threat." Thompson said it was unclear how the GMP computer systems were infected, but that they were investigating the issue and taking steps to prevent a recurrence.

More here.

Monday, February 01, 2010

Botnet Sends Fake SSL Pings to CIA, PayPal, Others

Elinor Mills writes on C|Net News:

In an attempt to hide the location of its command-and-control server, the Pushdo botnet has been instructing its infected zombie computers to send fake SSL (Secure Sockets Layer) connections to major Web sites, a botnet expert said on Monday.

The strange traffic targeting the Web sites--including sites for the CIA, FBI, PayPal, Yahoo, and Twitter, according to a list at the Shadow Server Foundation--was not enough to cause any outages or slowdowns, said Joe Stewart, director of malware research at SecureWorks.

Site owners "would just see weird connections that don't seem to make sense," he said. "They look like they're trying to start an SSL handshake, but it comes in malformed and doesn't ever send anything after that first handshake attempt."

More here.

Sunday, January 31, 2010

MI5 Cites Chinese Spying on Brit Business

Via UPI.

China is running a massive program to spy on British business executives and hack into their computers, leaked intelligence documents indicate.

A report written by the British spy agency MI5 and leaked to The Sunday Times of London asserts that undercover Chinese intelligence officers have bugged and burglarized China offices of British executives and have used sexual entrapment to lure them into compromising situations in which they can be blackmailed for commercial secrets.

The MI5 document also reportedly alleges that People's Liberation Army and Ministry of Public Security agents have approached British businessmen at trade fairs to offer them "gifts" and "lavish hospitality," in which they are given cameras and computer memory sticks implanted with malicious software to provide remote access to their computers.

The Sunday Times reported that the MI5 report, written by its Center for the Protection of National Infrastructure, contends the situation "represents one of the most significant espionage threats to the U.K."