InfoSec News

Security is very old in most respects, yet very young in others. As a corporate discipline, security unfortunately languished for years in the basement.
 
Businesses are eyeing a transition to Microsoft Windows 7, and with a wealth of security features that are part of it, it's worth figuring out the good and bad about each of them, says Gartner analyst Neil MacDonald, who notes that in some cases third-party security products might be the better fit.
 
The federal government will work to free up 500MHz of wireless spectrum for commercial and unlicensed uses over the next decade, an adviser to President Obama said.
 
SoftLayer aims to let customers pay for only what they need with a new infrastructure-as-a-service pricing model it calls Build Your Own Cloud.
 
Google's Matthew Papakipos, the engineering director who started and led the project to create the Chrome operating system, has been hired away by Facebook.
 
IBM, Cisco, Google and Salesforce all aim to beat Microsoft SharePoint 2010 at the high-stakes enterprise social networking game - and have recently made some smart plays. Here's a look at how the rivals currently stack up.
 
Security professionals must advise decision makers not to embark on new cloud computing projects without considering the security implications.


 

IT security must influence cloud computing decisions
SearchSecurity.com
I'm not sure why infosec's finest have suddenly become so enamored with the cloud. There's certainly more overall optimism than I've seen in some time, ...

 
A study finds that mobile social networks are giving data about users' physical locations to tracking sites and other social networking services.
 
Customers vote with their feet, every day, at every stage of the transaction. Unfortunately, most companies' CRM systems can't hear what customers are saying, or measure what they are requesting.
 
Microsoft took another shot at Google today as it touted the support it provides for Office 2010.
 
Solid-state drive manufacturers plan to begin selling their consumer SSD products in brick-and-mortar stores, indicating that everyday users might be ready to use flash-based products as replacements for or supplements to traditional hard drives.
 
We've told you before how to restore a minimized window, or open a new one, from OS X's application switcher (which appears when you hit Command-Tab). (The short version: Press Command-Tab until the application you want is highlighted. Then, while still holding down the Command key, press and hold the Option key.) However, depending on the application, that trick may not work if an application has more than two windows minimized. MacOSXHints.com reader tegholm found a way around that problem:
 
Speculation is spreading around the Web that Google is building a site that could be a Facebook-killer.
 
The U.S. Supreme Court has struck down one part of the controversial Sarbanes-Oxley Act, ruling Monday that Congress overstepped its authority when establishing an investigatory panel focused on enforcing the eight-year-old law.
 
Apple's iPhone 4 costs about $171 to build, a Wall Street analyst said today, giving the new device a profit margin of more than 61%.
 
SAP officials outline plans for its new 'River' cloud-computing platform, which is set to host its first application next month.
 
The U.S. Supreme Court on Monday ducked the question of whether the U.S. Patent and Trademark Office should continue to issue software patents in a ruling that strikes down a business-method patent.
 
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
In response to my iMovie for iPhone review, one Mr. Lizard posed this question:
 
Apple and its carrier partners sold 1.7 million iPhone 4s in the first three days of the new smartphone's availability.
 
President Obama is expected to allow more unused spectrum to be auctioned off to boost wireless broadband capacity.
 
CSO Publisher Bob Bragdon on Facebook's obligation to create clear policies and reasonable enforcement controls.
 
Joseph Blough Jr. plans to upgrade his hard drive. How does he move Windows, his applications, and his files to their new, larger home?
 
Apple iPhone hits the stores, Google wins its copyright war
 
Google's encrypted search engine, launched in May, has moved to a new Web address that isn't as convenient as its original one but that gives organizations the option to block the site for their users without locking them out of other Google services.
 
Pakistan has blocked 17 Web sites and is closely monitoring seven other sites and search engines for content considered offensive and blasphemous, according to a spokesman for the country's telecommunications regulator.
 
Sprint and Verizon Wireless today each introduced smartphones built by Samsung.
 
The astronauts of Space Shuttle mission STS-131 are delighted by the response to their extra-terrestrial Twitter messages, they said Monday.
 
Prices of DRAM, the main memory chips used in personal computers, fell for the first time in over a year in June as companies increased production and PC vendors toughened their stance on further price increases.
 
Here are 8 business models for balancing openness with revenue.
 
Just three days after adding crash protection to Firefox, Mozilla rushed out another release on Friday because people playing Farmville complained that their browser was shutting down the Facebook game.
 
Software-visualization tools help ensure that developers don't miss key user requirements, IT executives say.
 
InfoSec News: Call for Chapter Proposals: Forwarded from: George Yee <gmyee (at) sce.carleton.ca>
Dear Colleague,
Greetings! I would like to invite you to submit a chapter proposal to a new book I am editing, entitled "Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards", if this [...]
 
InfoSec News: Hackers fleece online poker players: http://joongangdaily.joins.com/article/view.asp?aid=2922391
JoongAng Daily June 28, 2010
Police arrested 33 hackers who used a 'distribution of denial of service' program to cheat online poker players out of 55 million won ($45,265) from last November through May. [...]
 
InfoSec News: Best defense against hackers: Know your enemy: http://gcn.com/articles/2010/06/28/cybereye-know-your-enemy.aspx
By William Jackson GCN.com June 28, 2010
With networks under seemingly constant attack by increasingly sophisticated hackers who worm their way through the tiniest cracks in our defenses, it's easy to fall into the habit of thinking about them as super villains capable of anything.
That is a mistake, says National Security Agency analyst Tony Sager. Although we should not underestimate our enemies, we should not overestimate them either.
"If you treat the bad guy as a wizard, you will never be able to counter his magic," Sager said. "You need to understand his tradecraft to defend against him."
Sager, who heads the Vulnerability Analysis and Operations Group in NSA's Information Assurance Directorate, has spent more than 30 years studying the bad guys and their techniques. He knows what their capabilities are and what the capabilities are for countering them.
[...]
 
InfoSec News: Linux Advisory Watch: June 25th, 2010:
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| June 25th, 2010 Volume 11, Number 26 |
| |
[...]
 
InfoSec News: Government to fight cyber crime: http://www.timeslive.co.za/local/article517667.ece/Government-to-fight-cyber-crime
By Sapa Times LIVE June 24, 2010
There are processes in place to deal with cyber security in South Africa, says the communications department.
One of these was a Computer Security Incident Response Team (CSIRT), the department's chief director of cyber security Jabu Radebe told delegates at a cyber security conference in Midrand.
The conference was attended by government officials and members of the business fraternity.
A draft policy on cyber security was gazetted on February 19 by Communications Minister Siphiwe Nyanda.
[...]
 
After months of anticipation, the iPhone 4 has finally arrived -- and it was worth every second of the wait. In fact, columnist Michael deAgonia believes it's as groundbreaking as the original iPhone was in 2007.
 
A couple of days ago, a fellow handler, Joel, sent an obfuscated PHP script he had acquired. A PHP script that is 100KB+ and pretty heavily obfuscated definitely sounds like something I'm interested in, so with a couple of extra days I decided to give it some time. At that point I did not know that I was looking at the master PHP script (albeit an old version) that is being used by the RogueAV guys.
I managed to acquire the very latest version of the script that is being used at the moment, which provided me with some unique insight into how their operations work. So, I will publish a series of diaries analyzing various parts of the script over the next couple of days/weeks (depending on feedback/free time etc). Let's get to work.
First step: poison search engines
If you have been following campaigns by the RogueAV guys you probably noticed that they very quickly poison search engines with the latest events/keywords. The poisoning part is, of course, completely automated and partially done by the script I will talk about.
The scripts that are used are almost exclusively set up on compromised web sites. They are mainly interested in web sites running Apache with PHP, of course. It looks like in many cases they are abusing incorrect installations or known vulnerabilities such as open TinyMCE editors. In any case, their goal is to install a couple of PHP scripts on those compromised servers. The scripts allow them to set up poisoning campaigns and offer redirections to other sites serving RogueAV, but at the same time also conceal their activities as much as possible, since they don't want the real owner to find out that his site has been compromised.
This means that the attackers modify the web site, but in such a way that the web site continues to operate normally unless special parameters/keywords are used! So there are probably thousands of such compromised web sites which the attackers are not using at the moment. Since the scripts allow automatic updates, they can use them at any time and configure them for a specific campaign in a matter of seconds.
The following figure shows how the SEO part works, with steps described below. While I was researching this I was in contact with some colleagues in CA who posted an article about this back in January (great work by them!) with analysis similar to mine, but the script I analyzed is the latest version used at the moment. You can read CA's article here.




This is what is happening:

In the first step, the master CC server(s) use Google Trends to collect keywords that are currently hot (interesting).
The master CC server(s) then use various methods to spam links to compromised sites containing specially crafted parameters with such keywords.
Now search engine crawlers either find the spammed links or just crawl the compromised web sites again (in which case they get a slightly different response; I will cover that in the next diary).
When the crawler accesses a compromised web site, the master script immediately contacts the CC server and asks what to return to the crawler. The CC server creates a web page in real time containing a lot of references to the requested keyword, as well as links to other compromised web sites!
The custom web page is returned to the crawler and cached locally.

In step 2, besides following spammed links, search engine crawlers will also visit compromised web sites directly. Now an interesting thing happens that helps poison the results: when the script detects a visit from a search engine crawler, but without the required poisoned parameters, the attackers' PHP script will return the originally requested web page, but with links to other compromised web sites from its local database concatenated to it. This local database can be updated automatically through an interface on the PHP script, so the attackers can update the database constantly as well.
Here we can see such a web page requested the first time normally (normal user agent, main index.html requested) and the second time pretending to be a search engine crawler. Notice the difference in size of the returned file:
$ ls -l index.html*
-rw-rw-r-- 1 nobody nobody 38383 Jun 26 12:53 index.html-normal
-rw-rw-r-- 1 nobody nobody 95703 Jun 26 14:47 index.html-crawler
And this is what gets appended in raw HTML:




(compromised sites deliberately removed as they are still live).
By doing this they get all compromised sites linked to each other, hopefully increasing their rating with various search engines. See the style set to display:none? This makes sure that if someone renders this web page in a browser, the inserted links will be invisible. They are not invisible to a crawler, of course.
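As an added example (not code from the diary or from the analyzed script), here is a small checker a site owner could run over two fetches of their own page, one made with a normal browser User-Agent and one with a crawler User-Agent, to spot exactly this kind of cloaked injection: a size jump plus links to foreign hosts inside a display:none container. The two HTML responses and the hostnames are constructed for the example; in practice you would feed it the bodies of the two real fetches.

```python
"""Detect crawler-cloaked hidden link injection (defensive check, added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a normal visitor of shop.example gets.
NORMAL = "<html><body><h1>Welcome</h1><p>Our shop.</p></body></html>"
# Constructed sample: the same page as served to a crawler, with a hidden link block appended.
CRAWLER = NORMAL.replace(
    "</body>",
    '<div style="display:none"><a href="http://site-a.example/?q=hot">hot</a>'
    '<a href="http://site-b.example/?q=hot">hot</a></div></body>')

VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get an end tag

class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags that sit inside an element styled display:none."""
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # >0 while inside a display:none subtree
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and self.hidden_depth and a.get("href"):
            self.hidden_links.append(a["href"])
        if tag in VOID_TAGS:
            return  # no matching end tag, so do not touch the depth counter
        style = (a.get("style") or "").replace(" ", "").lower()
        if self.hidden_depth or "display:none" in style:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if self.hidden_depth:
            self.hidden_depth -= 1

def hidden_external_links(html, own_host):
    """Hidden links pointing away from own_host (relative links are ignored)."""
    p = HiddenLinkFinder()
    p.feed(html)
    return sorted({h for h in p.hidden_links if urlparse(h).hostname not in (None, own_host)})

def cloaking_report(normal_html, crawler_html, own_host):
    """Compare the two fetches; a positive size delta plus hidden foreign links is the red flag."""
    return {
        "size_delta": len(crawler_html) - len(normal_html),
        "hidden_links_normal": hidden_external_links(normal_html, own_host),
        "hidden_links_crawler": hidden_external_links(crawler_html, own_host),
    }

if __name__ == "__main__":
    print(cloaking_report(NORMAL, CRAWLER, "shop.example"))
```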
Redirecting to RogueAV
Now, after all this poisoning, if a normal user (plain user agent) accesses the web site directly, he will just get the same cached web page that the crawler got. However, if the web site is accessed by clicking the link that appeared as a search result in any search engine (Google, Yahoo, Bing ...), such a request will have a corresponding referrer set and the script will redirect the user to another web site that will serve (you guessed it) RogueAV, as shown in the figure below:




This time they are trying to get the user to install it by displaying an ActiveX error.
With this I will end the first diary. In the next diary I'll go deeper into analyzing interesting details found in the script (it will be posted on Thursday).
If you would like me to go into more details with anything let us know through our contact form.
--
Bojan
INFIGO IS
 

Posted by InfoSec News on Jun 27

Forwarded from: George Yee <gmyee (at) sce.carleton.ca>

Dear Colleague,

Greetings! I would like to invite you to submit a chapter proposal to a
new book I am editing, entitled "Privacy Protection Measures and
Technologies in Business Organizations: Aspects and Standards", if this
topic lies within your area of work. Please see the Call for Chapter
Proposals below. Thank you for your consideration, and I look forward to...
 

Posted by InfoSec News on Jun 27

http://joongangdaily.joins.com/article/view.asp?aid=2922391

JoongAng Daily
June 28, 2010

Police arrested 33 hackers who used a 'distribution of denial of
service' program to cheat online poker players out of 55 million won
($45,265) from last November through May.

The hackers, led by 30-year-old Yu and 29-year-old Kim, were booked
without detention on charges of gaining illegal profits.

The Cyber Terror Response Center in Gyeonggi said the...
 

Posted by InfoSec News on Jun 27

http://gcn.com/articles/2010/06/28/cybereye-know-your-enemy.aspx

By William Jackson
GCN.com
June 28, 2010

With networks under seemingly constant attack by increasingly
sophisticated hackers who worm their way through the tiniest cracks in
our defenses, it's easy to fall into the habit of thinking about them as
super villains capable of anything.

That is a mistake, says National Security Agency analyst Tony Sager.
Although we should not...
 

Posted by InfoSec News on Jun 27

+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| June 25th, 2010 Volume 11, Number 26 |
| |
| Editorial Team: Dave Wreski <dwreski () linuxsecurity com> |
| Benjamin D. Thomas <bthomas () linuxsecurity...
 

Posted by InfoSec News on Jun 27

http://www.timeslive.co.za/local/article517667.ece/Government-to-fight-cyber-crime

By Sapa
Times LIVE
June 24, 2010

There are processes in place to deal with cyber security in South
Africa, says the communications department.

One of these was a Computer Security Incident Response Team (CSIRT), the
department's chief director of cyber security Jabu Radebe told delegates
at a cyber security conference in Midrand.

The conference was...
 
The U.S. Federal Trade Commission has disrupted a long-running online scam that allowed offshore fraudsters to steal millions of dollars from U.S. consumers -- often by taking just pennies at a time.
 
