Microsoft Security Essentials FAILS latest AV-Test

AV-Test.org is a German publisher of comparative reviews on a slew of antivirus products. They review all types of antivirus and security suite products, and the tests are very beneficial to customers and for companies. Their reviews are published bi-monthly.

The latest review shows that Microsoft Security Essentials was the only one who did not make the cut for an award. They failed to make certification during the latest review. Now, it is unclear on whether Microsoft’s Anti-Malware Team was stressed of working double on the super-improved Windows Defender for Windows 8, or if malware has just been too troublesome.

Microsoft Security Essentials is, according to Opswat’s September 2012 market share report, used by almost 14 percent of the security market worldwide. That is a lot compared to the number of antivirus product vendors available, which is over 50 vendors. It is highly difficult to maintain antivirus software during the current industry, because hackers and cybercriminals are much more numerous than the amount of security researchers and developers there are to counteract the attacks.

Many antivirus companies have employed new tactics to have robot schemes set up to do malware research on its own, rather than hire a lot of security researchers. By doing so, the antivirus company would have the risk of dealing with a lot of false positives. Some have led to believe this is the uprising trouble in companies like AVG, ESET, or Kaspersky – those of whom have seen a rise in false positives in the past couple of years.

Latest round of AV tests:

• Home users
• Corporate users

More Romanian Hackers Causing Trouble: Credit Cards Stolen

A gang of Romanian hackers has been busted by the Australian Federal Police (AFP) for robbing around 500,000 credit card numbers from Australia. According to reports, 200 some Romanian cops broke through 36 different locations, detaining 16 people, and arresting seven of those 16.

The alleged charges include the information, in which, around 500,000 credit card numbers were stolen, racking up charges averaging $1,000 each out of about 30,000 of them. However, the total stolen money totaled up to over $30 million. Not exactly a good thing during the holiday season, no doubt.

The credit card numbers were allegedly stolen through means of Remote Desktop Protocol (RDP), which is a means for accessing computers via remote connection. It allows anybody, including attackers, to login/hack to an unsuspecting PC, and take control of it.

They also had the opportunity, and probably did so, was to hack point-of-sale systems in small businesses, and hijack credit card numbers there, as well. This is assumed, anyway.

It is unclear whether the hackers worked jointly in the cloud, or did their own operations separately. However, what is true is that a bust has happened, and now damage control can begin.

The investigation, titled Operation Lino, began in 2011. It was mainly started because of hearsay of suspicious credit card transactions. Probably enough to raise suspicion, no doubt.

The AFP may be triumphant now, but they better keep searching and make sure everyone’s caught, and also help clean up the damages caused by this incidence.

 

Syria Gets Bite from Cyberwar: Internet is Down

The Syrian civil war continues now, and at its peak so far now, with cyberwar becoming involved. However, this is more of an internal cyberwar, security experts assume. It is believed the regime behind the Syrian government is removing IP blocks (basically shutting down access to the Internet), to either; A. Punish the people (unlikely); or, B. Protect the government servers and other host servers from a potential (threatened) cyberattack. It is believed to be B.

As of 5:26 am ET this morning, Renesys (organization who monitors the Internet around the world) reported the downtime for Syrian’s IP blocks, which they note only five or so IP blocks just outside of Syria are still on. The few open IP blocks are believed to be home to cybercriminals, who in May of this year targeted Syria in a Skype encyption hoax.

All of the telecommunications in Syria appear to be suspended for Internet usage, as the Renesys organization has done traceroutes with no results turning up. Some have believed the loss of Deutsche Telekom, a telecommunications network for area countries, has a little to do with some of the outages incurred recently.

Other experts have believed that the Syrian Regime is planning something a bit harsh, and may be preventing the information from the country from leaking across the Internet. This may have implications that they are protecting themselves from cyberwar, or they are planning to engage a cyberwar against opposing countries.

It is unknown for many details at this time, but many activists have been tortured, arrested, etc. It would be no surprise if Syrian Regime has cut off Internet access for this reason.

Many Cybercriminals Hack/Deface International Homepages of Google, Yahoo, MSN

As of recent problems lighting up with PKNIC vulnerability (PKNIC is the Pakistani (.PK) domain name registry), allowed hackers from Turkey to hack into the Pakistani versions of Google, Yahoo, and MSN, plus nearly 300 other webpages. The Turkish hackers also defaced the Pakistani Google homepage. Now, if that isn’t bad enough, an Algerian hacker decides to deface Google and Yahoo in the Romanian versions.

For the Pakistani .PK domain registry, a vulnerability in SQL could allow for injection to exploit it. Therefore, that’s exactly what happened when Turkish hackers hacked into somewhere near 300 .PK domains and defaced at least Google’s .PK site, and maybe a few others. Apparently, during this even, some users were redirected to a webpage showing two penguins and the slogan “Pakistan Downed”.

Screenshot of Romanian defacement page for Google & Yahoo

For the defacement of the Romanian versions of Google and Yahoo (.RO), an Algerian hacker changed the DNS records of those search pages for the sites to a recently hacked server in the Netherlands. It is likely changed DNS records, or some have stated a DNS poisoning attack is also possible.

It is contested on whether the same hacker(s) did both jobs, or if this was two different parties that coincidentally did the same type of work at the same time.

Due to the (once again) uprising of conflict in the Middle East, newer digital attacks are likely, also. It is no surprise to see these issues light up again.

If the attackers had other malicious intents, these hacks could have been worse!

LulzSec Hacker Sentenced 30 Years to Life for Alleged Crimes

Jeremy Hammond is in really big trouble. Or, perhaps, the government is just trying to “scare the (expletive) out of him,” in the words of Kevin Mitnick, formerly known as the world’s “most-wanted hacker” and now a security consultant.

Either way, a potential sentence of 30 years to life for alleged hacking crimes is probably enough to get the attention of most 27-year-olds. And that is what U.S. District Judge Loretta Preska told Hammond last week that he could face if he is convicted on all counts.

Hammond, much better known in the world of hactivism by various online aliases including “Anarchaos,” “sup_g,” “burn,” “yohoho,” “POW,” “tylerknowsthis,” and “crediblethreat,” has been held without bail since his arrest in March on charges connected with last year’s hacking of Strategic Forecasting, or Stratfor, an Austin, Texas-based international intelligence broker, by AntiSec, an offshoot of LulzSec, which is in turn an offshoot of the hacktivist collective Anonymous.

The three-count federal indictment, brought in the Southern District of New York, charged him with conspiracy to commit computer hacking, computer hacking and conspiracy to commit access device fraud.

More specifically, the government alleges that starting last December, Hammond and others from AntiSec stole information from about 860,000 Stratfor subscribers, including emails, account information, and data from about 60,000 credit cards. The government alleges that he published some of that information online, and used some of the stolen credit card data to run up at least $700,000 in unauthorized charges.

Source information and more information on CSO

Related articles

• LulzSec hacker faces 30 years to life (dokmz.wordpress.com)

Say hello to Firefox 17 – Right on Time – 2365 bugs fixed, OS X Leopard Support Dropped

Security never takes a holiday, unlike most other industries in the world. Proof is from spam email, vulnerability updates, etc. right on the same week of the holidays. Thankfully, most of us will have some time with our families. But, the point here is, is that Firefox 17.0 has been officially released, right on schedule!

The technical side of things, or the biggest change in this version is HTTPS enforcement as described:

Mozilla has engineered new “rules” to enforce HTTPS for certain websites. Mozilla calls the new technology, to be included in Firefox 17 (currently in BETA), HTTP Strict Transport Security (HSTS). It is a technology mechanism that shall force certain websites to engage HTTPS connection with the browser, as long as it matches the security certificate presented.

In other words, it gives the ability to Firefox to read SSL certificates, and check to be sure they are legitimate. Once it’s verified, and matched, it will force the site loaded to be in HTTPS, even if the browser receives a HTTP request.

“When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security,” Mozilla claims.

Now, there are also a ton of bugs that were fixed in this release. Mozilla patched 2365 bugs in this version…16 bundles involving things like the normal memory corruption or buffer overflow, CSS to HTML inject for Style Inspector, and various image rendering issues (security-wise).

Firefox should automatically prompt you, install the update and then prompt you, or you can check for the update via Firefox tab > Help > About Firefox > Check for updates. If a manual download and install it needed, simply go to http://www.getfirefox.com

Once you install Firefox, it will ask to restart your browser. Please allow it to do so, in order for it to finish updating and get you secure and well on your way in the dangers of the Internet. Especially safety is a concern as we head in to the holiday shopping day, Cyber Monday, next week. Get updated now!

Image courtesy of Mozilla, shown in About Firefox.

New iFrame Rootkit on Linux – Read the dirty details

Linux users and developers alike can expect some trouble with a new rootkit on the move. This time, it’s working as an iFrame attack on HTTP servers. The sample itself is pretty dynamic overall, and has the ability to infect Linux successfully AND hide its presence on the system.

The attack is characteristic of a drive-by download scenario, in which the rootkit attempts to attack an HTTP server through iFrame-related injections. Now for the dirty details…

• Attempts to ‘call’ modules in the file system by using set_http_injection_conf, start_get_command_web_injection_from_server_thread, cs:start_get_command_web_injection_from_server_value, hide_folder_and_files, hide_process_init, etc.
• It currently works on Debian Squeezy kernel version 2.6.32-5-amd64  (at least it matches).
• Unstripped coding size is 500K.
• Some functions are not fully working, so some have assumed it is in development stages or not fully complete.
• Adds startup entry to /etc/rc.local script: insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
• Uses one of two methods to retrieve kernel symbols to /.kallsyms_tmp:
  /bin/bash -c cat /proc/kallsyms > /.kallsyms_tmp
/bin/bash -c cat /boot/System.map-`uname -r` > /.kallsyms_tmp
• Other than that, it does a good job trying to hide files/folders/processes/etc.
• The inject mechanism is neatly designed as a PHP script, which is pretty common for contemporary injections.
• Substitutes the TCP building functions by tcp_sendmsg to its own function.
• Once the C&C callback is done on the command server, the command server sends back malicious code specific for the situation.
• Probably being used in cybercrime operations rather than just targeted attacks.
• A Russia-based attacker is likely. Experts are not revealing any names, and seCURE Connexion has no information sadly.
• This was discovered on Seclists’s Full Disclosure Mailing List.

Want a Rolex? Let me have your ID first! (Case study)

Of course, holidays for the US and even other parts of the world light up big time (no pun intended), this time of year. Rolex spam rolls out by attackers, and they want your identity.

They’ll say they give you a Rolex watch, one the of most expensive timepieces sold on the watch market. This is for their own little Black Friday sale. What do they want, though? Your credit card, and other personal information!

Screenshot of email:

From: Designer Watches by LR (could be random, too)
To: {random}
Subject: Start Black Friday today
Message body:
BLACK FRIDAY EVERY DAY UNTIL NOVEMBER 23RD!

The best quality watch replicas on PLANET EARTH!
The lowest priced high-end watches on the PLANET!

www(dot)LRblackfridaytoday(dot)com

BLACK FRIDAY HAS STARTED!
Black Friday every day until November 23!
All items reduced by 25-50% as of TODAY.

Over 25,000 exact watch-copies have been reduced until Friday November 23rd.
There plenty of time to get the watch of your dreams but we recommend doing it as soon as possible.
This will ensure INSTOCK availability and fast delivery.

NOTE: BLACK FRIDAY PRICES ARE AVAILABLE ON INSTOCK ITEMS ONLY!
Currently every watch model is INSTOCK and ready to ship within 1 hour.

THESE ARE NOT CHEAP CHINA STOCK KNOCK-OFFS:

These are hand crafted high-end watch-copies.
These are made using identical parts and materials.
These are tested inside and out to be identical.
There is no difference between our watch-copies and the originals!

www(dot)LRblackfridaytoday(dot)com

 

Their main website is blacklisted. It’s also hosted on a network blacklisted by Google SafeBrowsing  and SURBL.

More Apps Slip Through Google Play; Today it’s Apple’s Products?

The title of this article is a question, because somebody decided to take Apple’s apps and put them on Google Play. Was it Apple? Nope. Apple wouldn’t offer their full-size applications for a mobile device, and definitely not $4.99.

AndroidAuthority reports about this small mess. Here’s a screenshot from AndroidAuthority:

 

Although the Google Play team did take down the apps a few hours later, much damage was already done apparently. It’s very obvious that Google’s team did not take a good look at the apps. What does that tell you? They may not be holding to their promises of reviewing apps, they let in viruses and trojans all the time…etc.

If you want to be free from viruses, the best way would be to protect yourself with Kaspersky Mobile Security – download now.

Anonymous Claims Leak of 3000 Donors for Israel

Hacktivist group Anonymous today claimed to have leaked the personal information — including home address, phone numbers, and email addresses — of over 3,000 individuals who are said to have donated to pro-Israel group, Unity Coalition for Israel.

This move comes after they attacked over 650 Israeli sites on November 17th, wiping their databases and leaking the usernames and passwords found within. Clearly, Anonymous is gearing up for an extended campaign against Israel as its conflict with Hamas heats up.

The file on Pastebin is extensive, and we haven’t had time to process it in full, but there appears to be personal information for at least one incumbent US Senator listed, Daniel Inouye of Hawaii, who fought the Nazis in World War II and has developed a close relationship with Israel as a politician.

 

Read more on NextWeb