Information Security News
It's payback time for the group that knocked the Sony PlayStation and Microsoft Xbox networks offline in December. First came the report Friday morning that a UK man was arrested in connection with the distributed denial-of-service attacks, making him at least the second person to be detained in an ongoing investigation. Now comes word the customer database Lizard Squad members maintained as part of their DDoS-for-hire service has been breached, spilling details on more than 14,241 users.
But the comeuppance doesn't end there. According to KrebsOnSecurity reporter Brian Krebs, who broke the story about the compromised database, all registered names and passwords were stored in plaintext. The cache shows that customers deposited $11,000 in bitcoins to pay for attacks on thousands of Internet addresses. The information will no doubt prove interesting to members of rival gangs and law enforcement agencies around the world.
The database was tied to LizardStresser[dot]ru, a so-called stresser or boot service ostensibly available to test a website's resistance to attacks. In the vast majority of cases, they're nothing more than fronts for DDoS services. According to Krebs, the December attacks on the PlayStation and Xbox networks were designed to be advertisements promoting the service. Given the breach that has now leaked potentially sensitive customer information that was left woefully unprotected, it's safe to assume any buzz in underground markets surrounding the LizardStresser service is over.
Mobile dating apps have revolutionized the pursuit of love and sex by allowing people not only to find like-minded mates but to identify those who are literally right next door, or even in the same bar, at any given time. That convenience is a double-edge sword, warn researchers. To prove their point, they exploited weaknesses in Grindr, a dating app with more than five million monthly users, to identify users and construct detailed histories of their movements.
The proof-of-concept attack worked because of weaknesses identified five months ago by an anonymous post on Pastebin. Even after researchers from security firm Synack independently confirmed the privacy threat, Grindr officials have allowed it to remain for users in all but a handful of countries where being gay is illegal. As a result, geographic locations of Grindr users in the US and most other places can be tracked down to the very park bench where they happen to be having lunch or bar where they're drinking and monitored almost continuously, according to research scheduled to be presented Saturday at the Shmoocon security conference in Washington, DC.
Grindr officials declined to comment for this post beyond what they said in posts here and here published more than four months ago. As noted, Grindr developers modified the app to disable location tracking in Russia, Egypt, Saudi Arabia, Nigeria, Liberia, Sudan, Zimbabwe, and any other place with anti-gay laws. Grindr also locked down the app so that location information is available only to people who have set up an account. The changes did nothing to prevent the Synack researchers from setting up a free account and tracking the detailed movements of several fellow users who volunteered to participate in the experiment.
by Peter Bright
Google's security researchers have published another pair of Windows security flaws that Microsoft hasn't got a fix for, continuing the disagreement between the companies about when and how to disclose security bugs.
The first bug affects Windows 7 only and results in minor information disclosure. Microsoft says, and Google agrees, that this does not meet the threshold for a fix. Windows 8 and up don't suffer the same issue.
The second bug is more significant. In certain situations, Windows doesn't properly check the user identity when performing cryptographic operations, which results in certain shared data not being properly encrypted. Microsoft has developed a fix for this bug, and it was originally scheduled for release this past Tuesday. However, the company discovered a compatibility issue late in testing, and so the fix has been pushed to February.
It has been 12 years since the SQL Slammer worm plagued the Interwebs .. come to think of it, that was also in January. But thats not the point :). Today, twelve years later, there are amazingly still infected Slammer drones out there, and if you are running a Honeypot on udp/1434, I promise you wont have to wait all that long until an ancient piece of malware history comes a-knockin.
Odds are that Shellshock exploits wont have the same stamina, primarily because the Shellshock attack is not self-contained wormy in one packet, but rather usually pushed by previously Shellshocked bots that scan for targets. But it still looks like Shellshock scanning and bot-pushing will now be background noise for the foreseeable future, because there is a surprising number of systems out there that remain vulnerable. Systems that our sensors then pick up as being part of a Shellbot army. Investigating one of these bots recently, I discovered that it was a Slackware installation from 2007 and appeared to be a remote weather sensor, complete with webcam that showed the (sadly, very green) ski slope below. I managed to track down the owner, a hotel in Switzerland, who were unaware that their weather station contained a computer. If our DShield logs are any indication, there are A LOT of these devices (and hotels, etc ..) out there.
Here is what you can do to help." />
The address in the red box - 76.12.A.B in this case - is from where you are being scanned. This does not mean that the originator is evil. Most likely, it is just another weather station or deep fryer where the owner is unaware. So if you contact them, be gentle, and prepared to explain a lot :)
The address in the blue box - 91.142.C.D in this case - is from where the bot code is being pulled. This is most commonly a hacked web server, or a throwaway free website hosting account. In this case, you can locate the hoster via Whois, and make use of their Abuse contact address to let them know. If you include a log snippet like shown above, most hosters will respond and take the bot code down.
A third thing that you can do is download the bot code (carefully :) to your machine, by going to http://91.142.C.D/img.txt in this case. I am not a lawyer (so dont take my word for it) but since the activity is clearly malicious, and since your computer was instructed by the scanning bot to download this code, I would say that doing so on your own is okay. The bot code itself is not very interesting, but the ones weve seen so far are usually written in Perl, and contain a hard-coded IP address used for the CommandControl. Again, you can determine the hoster of that CC address via Whois, and let them know.
The latter two measures will though leave the original victim infected and vulnerable. So .. if you have the time and patience, and it looks like the scanning host is in a residential or small business address range (think DSL), then it might be worthwhile to try and contact the original victim (76.12.A.B above), and enlighten them about all the unexpected things in life that contain a computer these days.
Another word of caution: Obviously, a bot that is scanning you for the presence of Shellshock is most likely vulnerable to Shellshock itself, and missing a plethora of other patches. You might be tempted to poke back at the system, and use the Shellshock conduit on your own to determine what is inside. Doing so though is hacking, and illegal. Owners of hacked systems do not appreciate getting hacked once more by researchers, no matter how allegedly well-intentioned the researcher is. For the hotel weather station that I mention above, I used a passive combination of reverse DNS, Google, archive.org, Netcraft and Whois to determine what it was, and whom to contact.(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Robert Lemos
For anyone who has freaked out when an antivirus alert popped up on their screen and spent time researching it only to find out it was a false alarm, a recent survey will hit home.
A survey of information-technology professionals published on Friday found that the average large organization has to sift through nearly 17,000 malware alerts each week to find the 19 percent that are considered reliable. The efforts at triage waste employees’ time—to the tune of a total estimated annual productivity loss of $1.3 million per organization. In the end, security professionals only have time to investigate four percent of the warnings, according to the survey conducted by the market researcher Ponemon Institute.
The survey results show the problems posed by security software that alerts for any potential threat, says Brian Foster, chief technology officer of network-security firm Damballa, the sponsor of the research.
Is Blackhat the Greatest Hacking Movie Ever? Hackers Think So
Many info-sec specialists will tell you how much they like Sneakers—the 1992 film with Robert Redford, Sidney Poitier, Dan Ackroyd, Ben Kingsley, and River Phoenix—but few films have so closely hewed to info-sec reality as Mann's new movie, fashioned ...
Posted by InfoSec News on Jan 16http://www.infosecnews.org/nasdaq-vulnerable-to-xss/
Posted by InfoSec News on Jan 16http://www.eweek.com/security/effective-computer-security-means-covering-all-your-bases.html
Posted by InfoSec News on Jan 16http://pagesix.com/2015/01/15/caa-calls-party-foul-on-tina-and-amys-sony-hack-jokes/
Posted by InfoSec News on Jan 16http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/
Posted by InfoSec News on Jan 16http://www.theguardian.com/us-news/2015/jan/15/-sp-secret-us-cybersecurity-report-encryption-protect-data-cameron-paris-attacks