Archive | July 2012

TeaMp0isoN Member that Hacked Tony Blair Sentenced

TeaMp0isoN member Junaid Hussain, 18, of Birmingham, was accused of and pleaded guilty to hacking into the Gmail account of British Prime Minister Tony Blair.

According to ThreatPost, the attack Hussain admitted involvement in was a breach of the email account of one of Blair’s former advisers. Hussain, who used the handle “TriCk”, pleaded guilty in early July and was sentenced on Tuesday in England to six months in prison. He had been arrested in April.

According to Sophos’s Naked Security, members of the TeaMp0isoN hacking gang then published the hacked information online, sparking security fears about the safety of the former Prime Minister, his friends and associates.

Message posted by Team Poison

A time in prison at the start of your adult life is no easy undertaking. Hope the young lad learned his lesson.

DEF CON Adventures 2012 Explored

DEF CON Logo from defcon.org

Many fun adventures occurred at DEF CON this year, with many interesting new things going on.

Here is the brief summary:

  • Man’s cell phone battery catches fire, explodes in his back pocket.
  • Private phone network created called “NinjaTel”.
  • Possible crack of PPTP encryption found.
  • National Security Agency (NSA) director visited.
  • Hacker explores the world of warranties.

Man’s cell phone battery catches fire, explodes in his back pocket

Credit: Elinor Mills, CNET

Private phone network created called “NinjaTel”

The NinjaTel phone network is part of a new initiative by hackers, who were giving the phones away at DEF CON to good contributors, presumably as play phones for hackers. The initiative is apparently built on a large unencrypted GSM network with a large open base transceiver station. Roughly 600 customized Android phones are in circulation, loaded with silly apps as well as apps that can help hackers.

Possible crack of PPTP encryption found

Tools developed to crack PPTP encryption were demonstrated at the conference by encryption specialist Moxie Marlinspike, showing off his usual handiwork.

According to CNET, the tools crack WPA2 (Wi-Fi Protected Access 2) and VPN passwords used by corporations and organizations whose networks are protected by PPTP (Point-to-Point Tunneling Protocol), which uses MS-CHAPv2 for authentication.
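As an added illustration (not code from the original post or from Marlinspike’s tool), this Go program uses the standard-library DES cipher to show where MS-CHAPv2’s weakness comes from: the NT-Response derivation from RFC 2759 and the 65536-trial search that exposes the last two bytes of the NT hash to anyone who observed the exchange. The 8-byte challenge and 16-byte NT hash are constructed values; the SHA1 challenge-hash and MD4 password-hash steps of the real protocol are left out.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// desEnc encrypts the 8-byte challenge under a 7-byte MS-CHAP key fragment, first
// spreading its 56 bits over 8 bytes (7 per byte, parity bit clear) as Go's DES expects.
func desEnc(k7, chal []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i], bits = byte(bits<<1)&0xFE, bits>>7
	}
	blk, _ := des.NewCipher(key)
	out := make([]byte, 8)
	blk.Encrypt(out, chal)
	return out
}
// ntResponse (RFC 2759): the NT hash is zero-padded to 21 bytes and cut into three 7-byte
// DES keys that each encrypt the same challenge; key 3 is hash[14:16] plus five zero bytes.
func ntResponse(chal, ntHash []byte) []byte {
	padded := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	var out []byte
	for i := 0; i < 21; i += 7 {
		out = append(out, desEnc(padded[i:i+7], chal)...)
	}
	return out
}
// recoverThirdKey shows the flaw: 65536 DES trials on an observed exchange reveal hash[14:16],
// so the protocol's remaining strength is a single 2^56 DES key, not a 128-bit hash.
func recoverThirdKey(chal, response []byte) []byte {
	for c := 0; c < 1<<16; c++ {
		k7 := []byte{byte(c >> 8), byte(c), 0, 0, 0, 0, 0}
		if bytes.Equal(desEnc(k7, chal), response[16:24]) {
			return k7[:2]
		}
	}
	return nil
}
func main() { // constructed sample challenge and NT hash, not from a real session
	chal := []byte{0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe}
	ntHash := []byte{0x4f, 0x1c, 0xa9, 0x33, 0x7e, 0x02, 0xd8, 0x65, 0x90, 0xbb, 0x2a, 0xc7, 0x18, 0x5d, 0xe6, 0x74}
	fmt.Printf("recovered hash[14:16]: %x\n", recoverThirdKey(chal, ntResponse(chal, ntHash)))
}
```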

As for hacking warranties, read more here.

And that’s a wrap for this year’s DEF CON. Kudos!

Rakshasa Case Study: Really Undetectable?

By Jay Pfoutz
Editor

Apparently the new showy security threat is Rakshasa, a new technique unveiled at Black Hat Las Vegas.

This new malware by researcher Jonathan Brossard is apparently ‘impossible to disinfect’.

Now, FIRST OF ALL!! Anything created by man’s hands can be destroyed. I’d like to see how long this opinion lasts: undetectable, can’t be disinfected, etc.

The paper on Rakshasa can be found here. It describes a hardware backdoor. Unbeknownst to this artistic researcher, companies like Kaspersky and ESET have already begun crafting hardware antivirus drivers. So this hardware backdoor scheme is a bit late, but maybe just in time, too.

Will it be used? Who knows. That’s the scary part!

It is realistically a BIOSkit, a rootkit that infects the computer’s BIOS. What’s wrong with this? It can easily be disinfected by reflashing all of the computer’s devices, which apparently would be infected.

However, this malware has not been tested in an enterprise-scale beta, so just because it worked on a couple of machines does not mean it would work on any other computer. Impressive? Yes! But not at all scary, yet.

What shocks me more is that people will actually believe this malware cannot be disinfected. But here is the turnaround: it can! This is nothing more than a BIOSkit, and we have seen BIOSkits removed in our leagues many times.

But then again, people commonly believe rootkits are impossible to remove too. Look… we proved them wrong!

Enforcing code signing for the BIOS, just like all other hardware driver signing, could easily keep it blocked. Also, if BitLocker evolves in Windows 8 and later technologies, it could easily secure the OS, and things like device encryption could be taken to a new level.

This is not a new vulnerability, and Brossard agrees.

I’m sure we’ll have more on this story as it develops in the future. Stay tuned to seCURE Connexion!

Blackhole Malware on Twitter: “It’s you on photo?”

Common Twitter scams have been highlighted over time by many security organizations. Please take note of the intro below, and then see the full investigation by Sophos:

If you are a Twitter user please be very cautious of clicking on links that claim you are pictured in an online photo.

Thousands of malicious links are being spammed out, targeting innocent users of the micro-blogging network.

The links point to Russian webpages that ultimately attempt to infect your Windows PC using the notorious Blackhole exploit kit.

Read more on Sophos Blog

Java Flaws Becoming Serious Issue

Java exploitation has been a problem for years. Many of the issues encountered with Java exploitation arise because installed versions are out of date.

Web exploit toolkits are used by attackers to attempt exploits against commonly vulnerable browser plugins, including Java, Adobe Flash Player, and Adobe Reader.

“As the Advanced Malware Analysts administrator/group owner, I see a lot of issues with people not updating Java, Flash Player, and Reader. These attack vectors were used 5 or so years ago, up until today. Still a complete problem. Problem is, people do not use great tools like Secunia PSI or the auto-update feature in each of the plugins’ control panels,” says Jay Pfoutz, administrator and group owner of the Advanced Malware Analysts. The Advanced Malware Analysts are a group of malware analysts who volunteer on tech support forums across the web to assist in malware removal for free.

Exploitation frequently happens when people fail to update their plugins in a timely manner. Java plugin problems lately have increased because attackers are now targeting Java a lot more.

Here is how to check for the latest updates for Java (should be done weekly):

  • If using Mozilla Firefox, Plugin Check is the easiest way.
  • Click Start, navigate to Control Panel. Look for Java in the list, and double-click on that. Click the “Update” tab, and then click the “Check for Updates Automatically” check box if you want Java to search for updates automatically. Select how you want Java to notify you about available updates. Or you can hit the Update Now button. More info here
  • Verify Java Version Online

By doing this, you reduce the risk of malware exploitation. However, it won’t be enough on its own. Please download and install the following as well:

Payment Terminal Vulnerabilities Identified by Black Hats

Vulnerabilities have been identified in three widely deployed payment terminals:

[EMV] cards have malicious code written on their chips that gets executed when they get inserted into the terminals’ smart card readers.

The researchers used this method to install a racing game on one of the three test devices during their demonstration and played it using its PIN pad and display.

For the second device, the researchers used the same method to install a Trojan program designed to record card numbers and PINs. The recorded information was then extracted by inserting a different rogue card into the payment terminal.

The third payment terminal, which is popular in the U.S., is more sophisticated than the other two devices. It has a touchscreen to facilitate signature-based payments, a smart card reader, a SIM card to communicate over mobile networks, support for contactless payments, a USB port, an Ethernet port and an administration interface that can be accessed both locally and remotely.

Read more on this at Computer World

Symantec’s New Chairman: Steve Bennett

Symantec (NASDAQ:SYMC) today announced that Enrique Salem, president and chief executive officer (CEO), has stepped down effective immediately and Symantec’s board of directors has appointed Steve Bennett president and chief executive officer, in addition to his continued role as chairman of the board.

About Steve Bennett

Steve Bennett joined Symantec’s board of directors in February 2010 and became chairman in 2011. Bennett previously led Intuit serving as president and chief executive officer from 2000 to 2007. At Intuit, Bennett combined the company’s historic innovative and customer-driven expertise with strategic and operational rigor. Intuit revenue grew to $2.7 billion in fiscal 2007 from less than $1 billion in fiscal 2000. Under Bennett’s leadership Intuit grew its existing businesses while simultaneously expanding into new markets, such as online banking and healthcare.

Read more on the Press Release from Symantec

Mitt Romney to Ban Porn?

Mitt Romney has taken on a view to potentially ban ‘as much porn as he can’ in a new tactic that will not bring him much popularity.

According to The Daily Caller, Romney’s foreign and legal policy director, Alex Wong, personally assured former Justice Department porn prosecutors Patrick Trueman and Bob Flores that a President Romney would go after porn peddlers with a pitchfork. “Wong assured us that Romney is very concerned with this, and that if he’s elected these laws will be enforced,” Trueman told The Daily Caller. “They promised to vigorously enforce federal adult obscenity laws.”

The Utah Attorney General’s website states interesting data:

“Many people believe material must be legal if it is available in their community such as at a store, on television or on the radio. This belief is false. The mere fact that the material is available does not mean it is legal, but law enforcement cannot seize suspected pornographic material without a court order… Citizen complaints are crucial for prosecutions to occur.”

The apparent collapse of porn, especially in British countries, is continuing in different parts around the world.

How to Remove Windows Active Guard

A new rogue antivirus program from the FakeVimes family was released recently:

Windows Active Guard

Four earlier rogues of the same kind: Windows Virtual Firewall, Windows Premium Defender, Windows Home Patron and Windows Security Renewal.

Serial code to try:  0W000-000B0-00T00-E0020

Screenshot of Windows Active Guard

How to remove this rogue

STEP 1 – First tasks

  • It is possible that this rogue prevents you from downloading anything, so please transfer any files necessary to remove this infection from a clean computer, using a flash/USB storage drive, CD/DVD, etc.
  • If it becomes impossible to remove this rogue or to follow any of the steps below, skip immediately to STEP 4.
  • Please download and run RKill (Download mirror 1 – Download mirror 2 – Download mirror 3).
    • Save it to your Desktop.
    • Double click the RKill desktop icon.
    • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
    • Please post its log in your next reply.
    • After it has run successfully, delete RKill.

    Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until after STEP 3.

STEP 2 – Clean rogue files

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

STEP 3 – Malwarebytes’ Anti-Malware

Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.

STEP 4 – Infection gone?

Check to see if the infection is gone.

If the infection is not gone, then please do the following:


If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

New Android Security App X-Ray Scans for Vulnerabilities

Mobile security has become a major concern both for consumers and for enterprises worried about the integrity of their sensitive data. Part of that worry centers on the security of the apps on mobile devices, something that’s largely unknowable in a lot of cases right now. Duo Security today is releasing a new app called X-Ray that scans Android devices for known vulnerabilities and alerts users to which ones remain unpatched.

X-Ray doesn’t look for malicious apps, as some existing security scanners do, but instead searches for a set of known vulnerabilities in the core Android operating system, some of which have been used in the wild by malware and attackers. Many of the bugs are still unpatched on Android devices sold by the major carriers, and the average, non-technical user likely has little idea that the vulnerabilities exist or what can be done with them.

Read more on ThreatPost