Information Security News
The recent leak of source code for a powerful piece of bank-fraud malware may spawn a surge of advanced botnet attacks carried out by copycat hackers who previously didn't have the skill to pull off such feats, security researchers warned.
Carberp, as the botnet-creation toolkit is known, previously sold in underground crime forums for as much as $40,000 a license. In the last week, source code for the crimeware began circulating online for free and can now be acquired by many people who have a few hours to poke around. While the leak is a boon for researchers who want to know as much as possible about the inner workings of sophisticated malware, it also comes with a dark side: it isn't that hard for malware newcomers to get their hands on the 1.88 GB package of code.
"In short, it does not take a genius to get a copy of the leaked source code, which makes this whole thing dangerous," Christopher Elisan, principal malware scientist in security firm RSA's FirstWatch department, wrote in a blog post published Friday. "Any script kiddie, who probably does not understand the technology, can use this which may result in dire consequences. It's like handing a bazooka to a child."
This week, you've joined us for the liveblogs and heard the many different announcements from Microsoft's Build developer conference. We got an extensive hands-on look at the new features in Windows 8.1 and its many interface changes. We also touched on Windows' new out-of-the-box 3D printing capabilities and took a stroll through the vastly improved Windows Store. After all that, we perused the miniature show floor, which was mostly a showcase of some of the latest Windows products. Take a peek.
Amid a new wave of attacks hitting government and media networks in South Korea, researchers have uncovered yet another piece of malware that destroys sensitive hard drive data and renders computers unusable.
Trojan.Korhigh, as the new wiper program is called by security firm Symantec, contains the same kind of functionality that simultaneously shut down the networks of a half-dozen banks and broadcasters in March. Like the earlier Jokra malware, Korhigh can permanently destroy stored data and overwrite a hard drive's master boot record, which contains information required for computers to reboot.
Korhigh accepts several commands that allow attackers to inflict additional damage. One "switch" changes passwords on compromised computers to "highanon2013," according to a blog post published Thursday by Symantec. Another wipes specific types of files, including those that end in .gif, .php, .dll, and 21 other extensions. Korhigh's discovery on Thursday came a day after Symantec researchers said they had identified the hacking group responsible for the March attacks. The newly identified DarkSeoul group is also responsible for a new wave of attacks that hit South Korea on Tuesday and were timed to coincide with the 63rd anniversary of the start of the Korean War.
Few Internet frustrations are so familiar as the password restriction. After creating a few (dozen) logins for all our Web presences, the use of symbols, mixed cases, and numbers seems less like a security measure and more like a torture device when it comes to remembering a complex password on a little-used site. But at least that variety of characters keeps you safe, right? As it turns out, there is some contrary research that both supports how frustrating these restrictions are and suggests that the positive effect of complexity rules on security may not be as great as that of long length requirements.
Let's preface this with a reminder: the conventional wisdom is that complexity trumps length every time, and this notion is overwhelmingly true. Every security expert will tell you that “Supercalifragilistic” is less secure than “gj7B!!!bhrdc.” Few password creation schemes will render any password uncrackable, but in general, length does less to guard against crackability than complexity.
A password is not immune from cracking simply by virtue of being long—44,991 passwords recovered from a dump of LinkedIn hashes last year were 16 characters or more. The research we describe below refers specifically to the effects of restrictions placed by administrators on password construction on their crackability. By no means does it suggest that a long password is, by default, more secure than a complex one.
Posted by InfoSec News on Jun 28: http://arstechnica.com/security/2013/06/attackers-sign-malware-using-crypto-certificate-stolen-from-opera-software/
Posted by InfoSec News on Jun 28: http://www.infosecnews.org/researcher-to-demo-spy-phone-at-black-hat-las-vegas-2013/
Posted by InfoSec News on Jun 28: https://www.computerworld.com/s/article/9240406/Cisco_fixes_serious_vulnerabilities_in_email_Web_and_content_security_appliances
Posted by InfoSec News on Jun 28: http://cfp.hackinthebox.org/
Posted by InfoSec News on Jun 28: http://www.nextgov.com/cybersecurity/2013/06/nsa-networks-might-have-been-missing-anti-leak-technology/65708/