Archive | November 2012

Microsoft Security Essentials FAILS latest AV-Test

AV-Test is a German publisher of comparative reviews of a slew of antivirus products. It reviews all types of antivirus and security suite products, and the tests are very beneficial to consumers and to companies. Its reviews are published bi-monthly.

The latest review shows that Microsoft Security Essentials was the only product that did not make the cut for an award: it failed to earn certification in the latest round. It is unclear whether Microsoft’s Anti-Malware Team was stretched by working double on the much-improved Windows Defender for Windows 8, or whether malware has simply become too troublesome.

Microsoft Security Essentials is, according to Opswat’s September 2012 market share report, used by almost 14 percent of the security market worldwide. That is a lot given the number of antivirus vendors available, which is over 50. It is very difficult to maintain antivirus software in the current industry, because hackers and cybercriminals far outnumber the security researchers and developers available to counteract their attacks.

Many antivirus companies have adopted new tactics, setting up automated schemes to do malware research on their own rather than hiring a lot of security researchers. By doing so, an antivirus company runs the risk of generating a lot of false positives. Some have come to believe this is the growing trouble at companies like AVG, ESET, or Kaspersky, all of which have seen a rise in false positives in the past couple of years.

Latest round of AV tests:

More Romanian Hackers Causing Trouble: Credit Cards Stolen

A gang of Romanian hackers has been busted by the Australian Federal Police (AFP) for stealing around 500,000 credit card numbers from Australia. According to reports, some 200 Romanian police officers raided 36 different locations, detaining 16 people and arresting seven of them.

The alleged charges state that around 500,000 credit card numbers were stolen, and that about 30,000 of them were used to rack up charges averaging $1,000 each. The total stolen, however, came to over $30 million. Not exactly a good thing during the holiday season, no doubt.

The credit card numbers were allegedly stolen by way of Remote Desktop Protocol (RDP), a means of accessing computers over a remote connection. It allows anybody who can reach it and log in, including attackers, to take control of an unsuspecting PC.

They also had the opportunity, and probably took it, to hack point-of-sale systems in small businesses and hijack credit card numbers there as well. This is assumed, anyway.

It is unclear whether the hackers worked together online or ran their own operations separately. What is certain is that a bust has happened, and now damage control can begin.

The investigation, titled Operation Lino, began in 2011. It was started mainly because of reports of suspicious credit card transactions. Probably enough to raise suspicion, no doubt.

The AFP may be triumphant now, but it had better keep searching to make sure everyone is caught, and also help clean up the damage caused by this incident.


Syria Gets Bite from Cyberwar: Internet is Down

The Syrian civil war continues, now at its peak so far, with cyberwar becoming involved. However, security experts assume this is more of an internal cyberwar. It is believed the regime behind the Syrian government is withdrawing its IP blocks (basically shutting down access to the Internet) either to (A) punish the people (unlikely) or to (B) protect the government servers and other hosts from a potential (threatened) cyberattack. B is believed to be the reason.

As of 5:26 am ET this morning, Renesys (an organization that monitors the Internet around the world) reported the downtime for Syria’s IP blocks, noting that only five or so IP blocks just outside of Syria are still up. The few open IP blocks are believed to be home to cybercriminals who, in May of this year, targeted Syria with a Skype encryption hoax.

All of the telecommunications in Syria appear to be suspended for Internet usage, as Renesys has run traceroutes with no results turning up. Some believe the loss of Deutsche Telekom, a telecommunications network for countries in the area, has a little to do with some of the outages incurred recently.

Other experts believe that the Syrian regime is planning something harsh, and may be preventing information from leaking out of the country across the Internet. This may imply that they are protecting themselves from cyberwar, or that they are planning to engage in cyberwar against opposing countries.

Many details are unknown at this time, but many activists have been tortured, arrested, and so on. It would be no surprise if the Syrian regime has cut off Internet access for this reason.

Many Cybercriminals Hack/Deface International Homepages of Google, Yahoo, MSN

A recent problem with a PKNIC vulnerability (PKNIC is the Pakistani (.PK) domain name registry) allowed hackers from Turkey to hack into the Pakistani versions of Google, Yahoo, and MSN, plus nearly 300 other webpages. The Turkish hackers also defaced the Pakistani Google homepage. As if that weren’t bad enough, an Algerian hacker then defaced the Romanian versions of Google and Yahoo.

The Pakistani .PK domain registry had a SQL injection vulnerability that could be exploited. That is exactly what happened when Turkish hackers broke into somewhere near 300 .PK domains and defaced at least Google’s .PK site, and maybe a few others. Apparently, during this event, some users were redirected to a webpage showing two penguins and the slogan “Pakistan Downed”.

Screenshot of the Romanian defacement page for Google & Yahoo

For the defacement of the Romanian versions of Google and Yahoo (.RO), an Algerian hacker changed the DNS records of those search sites to point to a recently hacked server in the Netherlands. Changed DNS records are the likely explanation, though some have stated that a DNS poisoning attack is also possible.

It is contested whether the same hacker(s) did both jobs, or whether two different parties coincidentally did the same type of work at the same time.

Due to the (once again) rising conflict in the Middle East, newer digital attacks are likely as well. It is no surprise to see these issues light up again.

If the attackers had other malicious intents, these hacks could have been worse!

LulzSec Hacker Sentenced 30 Years to Life for Alleged Crimes

Jeremy Hammond is in really big trouble. Or, perhaps, the government is just trying to “scare the (expletive) out of him,” in the words of Kevin Mitnick, formerly known as the world’s “most-wanted hacker” and now a security consultant.

Either way, a potential sentence of 30 years to life for alleged hacking crimes is probably enough to get the attention of most 27-year-olds. And that is what U.S. District Judge Loretta Preska told Hammond last week that he could face if he is convicted on all counts.

Hammond, much better known in the world of hacktivism by various online aliases including “Anarchaos,” “sup_g,” “burn,” “yohoho,” “POW,” “tylerknowsthis,” and “crediblethreat,” has been held without bail since his arrest in March on charges connected with last year’s hacking of Strategic Forecasting, or Stratfor, an Austin, Texas-based international intelligence broker, by AntiSec, an offshoot of LulzSec, which is in turn an offshoot of the hacktivist collective Anonymous.

The three-count federal indictment, brought in the Southern District of New York, charged him with conspiracy to commit computer hacking, computer hacking and conspiracy to commit access device fraud.

More specifically, the government alleges that starting last December, Hammond and others from AntiSec stole information from about 860,000 Stratfor subscribers, including emails, account information, and data from about 60,000 credit cards. The government alleges that he published some of that information online, and used some of the stolen credit card data to run up at least $700,000 in unauthorized charges.

Source and more information at CSO.

Say hello to Firefox 17 – Right on Time – 2365 bugs fixed, OS X Leopard Support Dropped

Security never takes a holiday, unlike most other industries in the world. The proof is spam email, vulnerability updates, and so on, arriving in the very week of the holidays. Thankfully, most of us will have some time with our families. But the point here is that Firefox 17.0 has been officially released, right on schedule!

On the technical side, the biggest change in this version is HTTPS enforcement, as described below:

Mozilla has engineered new “rules” to enforce HTTPS for certain websites. Mozilla calls the new technology, included in Firefox 17 (currently in beta), HTTP Strict Transport Security (HSTS). It is a mechanism that forces certain websites to use an HTTPS connection with the browser, as long as the site matches the security certificate presented.

In other words, it gives Firefox the ability to read SSL certificates and check that they are legitimate. Once a site is verified and matched, Firefox will force it to load over HTTPS, even if the browser is asked for plain HTTP.

“When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security,” Mozilla claims.
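The client-side behaviour Mozilla describes, as an added illustration (not Mozilla's code): the browser remembers a host's Strict-Transport-Security policy and, while it is unexpired, refuses to send a plain HTTP request to that host or, with includeSubDomains, to anything under it. Header parsing and expiry follow the HSTS specification; the function names and the cache layout are this example's own.

```python
import re
import time
# Added example of browser-side HSTS handling, not Mozilla's implementation. Call
# remember_sts() only for a response received over HTTPS with a valid certificate.
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*)"?)?\s*')

def parse_sts_header(value):
    """Return (max_age, include_subdomains), or None if the header is invalid.
    max-age is mandatory and may appear only once; other names are ignored."""
    max_age, include_sub = None, False
    for part in value.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None
        name, arg = m.group(1).lower(), m.group(2)
        if name == 'max-age':
            if max_age is not None or arg is None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == 'includesubdomains':
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def remember_sts(cache, host, header, now=None):
    """Record a host's policy in cache (host -> (expiry, include_subdomains))."""
    now = time.time() if now is None else now
    parsed = parse_sts_header(header)
    if parsed is None:
        return False                      # invalid header: keep existing state
    max_age, include_sub = parsed
    if max_age == 0:
        cache.pop(host.lower(), None)     # max-age=0 tells the client to forget
    else:
        cache[host.lower()] = (now + max_age, include_sub)
    return True

def must_use_https(cache, host, now=None):
    """True if an http:// request to host must be upgraded rather than sent."""
    now = time.time() if now is None else now
    labels = host.lower().split('.')
    for i in range(len(labels)):
        entry = cache.get('.'.join(labels[i:]))
        if entry is None or now >= entry[0]:
            continue                      # no policy, or it has expired
        if i == 0 or entry[1]:            # exact host, or includeSubDomains
            return True
    return False
```

The "first time" case Mozilla mentions is covered in real browsers by a built-in preload list, which seeds this cache before any header has been seen.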

There are also a ton of bugs fixed in this release. Mozilla patched 2365 bugs in this version, in 16 security bundles covering things like the usual memory corruption and buffer overflow issues, CSS-to-HTML injection in the Style Inspector, and various image rendering issues (security-wise).

Firefox should automatically prompt you, install the update and then prompt you, or you can check for the update via Firefox tab > Help > About Firefox > Check for updates. If a manual download and install is needed, simply go to

Once you install Firefox, it will ask to restart your browser. Please allow it to do so, so that it can finish updating and get you secure and well on your way through the dangers of the Internet. Safety is especially a concern as we head into the holiday shopping day, Cyber Monday, next week. Get updated now!

Image courtesy of Mozilla, shown in About Firefox.

New iFrame Rootkit on Linux – Read the dirty details

Linux users and developers alike can expect some trouble with a new rootkit on the move. This time, it’s working as an iFrame attack on HTTP servers. The sample itself is pretty dynamic overall, and has the ability to infect Linux successfully AND hide its presence on the system.

The attack is characteristic of a drive-by download scenario, in which the rootkit sits on an HTTP server and performs iFrame-related injections into what it serves. Now for the dirty details…

  • Attempts to ‘call’ modules in the file system by using set_http_injection_conf, start_get_command_web_injection_from_server_thread, cs:start_get_command_web_injection_from_server_value, hide_folder_and_files, hide_process_init, etc.
  • It currently works on the Debian Squeeze kernel version 2.6.32-5-amd64 (at least, that is what it matches).
  • The unstripped binary is about 500K.
  • Some functions are not fully working, so some have assumed it is still in development or not fully complete.
  • Adds a startup entry to the /etc/rc.local script: insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
  • Uses one of two methods to retrieve kernel symbols into /.kallsyms_tmp:
    /bin/bash -c cat /proc/kallsyms > /.kallsyms_tmp
    /bin/bash -c cat /boot/`uname -r` > /.kallsyms_tmp
  • Other than that, it does a good job of hiding files, folders, processes, etc.
  • The inject mechanism is neatly designed as a PHP script, which is pretty common for contemporary injections.
  • Hooks the TCP-building function tcp_sendmsg, replacing it with its own function.
  • Once the C&C callback to the command server is done, the server sends back malicious code specific to the situation.
  • Probably being used in cybercrime operations rather than just targeted attacks.
  • A Russia-based attacker is likely. Experts are not revealing any names, and seCURE Connexion has no information, sadly.
  • This was discovered on Seclists’s Full Disclosure Mailing List.
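A host check built from the indicators in the list above, added here as an example (it is not from the mailing-list analysis). It flags the rc.local insmod entry, the dropped /.kallsyms_tmp symbol file, and the file-hiding behaviour: because the rootkit filters directory listings but a direct stat() still succeeds, a name that exists yet is missing from the listing is the tell. The rc.local text is a constructed sample, and the listdir/exists parameters are this example's own hooks so it can be tested offline.

```python
import os
import re

# Added example built on the indicators listed above; not the original analysis.
MODULE_PATH = '/lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko'
KALLSYMS_DROP = '/.kallsyms_tmp'
INSMOD_LINE = re.compile(r'^\s*insmod\s+(\S+)', re.MULTILINE)

SAMPLE_RC_LOCAL = """#!/bin/sh -e
# constructed sample of a tampered /etc/rc.local
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
exit 0
"""

def suspicious_insmod_lines(rc_local_text):
    """Module paths that rc.local loads by hand. Debian loads drivers via
    /etc/modules, so any insmod here is odd; a 'sound' driver called
    module_init.ko is the specific tell from the write-up."""
    return [p for p in INSMOD_LINE.findall(rc_local_text)
            if p == MODULE_PATH or p.endswith('/module_init.ko')]

def hidden_entries(directory, names, listdir=os.listdir, exists=os.path.exists):
    """Names that stat() confirms but the directory listing omits. A module
    that filters readdir() (hide_folder_and_files above) leaves exactly this
    gap, so compare the two views instead of trusting ls alone."""
    try:
        listed = set(listdir(directory))
    except OSError:
        return []                     # directory absent: nothing to compare
    return [n for n in names
            if n not in listed and exists(os.path.join(directory, n))]

def scan(rc_local_text, listdir=os.listdir, exists=os.path.exists):
    """Collect findings as strings; an empty list means nothing matched."""
    findings = ['rc.local loads ' + p for p in suspicious_insmod_lines(rc_local_text)]
    probes = {'/': [os.path.basename(KALLSYMS_DROP)],
              os.path.dirname(MODULE_PATH): [os.path.basename(MODULE_PATH)]}
    for directory, names in probes.items():
        for n in hidden_entries(directory, names, listdir, exists):
            findings.append('hidden from readdir: ' + os.path.join(directory, n))
    if exists(KALLSYMS_DROP):
        findings.append('kernel symbol dump present: ' + KALLSYMS_DROP)
    return findings
```

On a live host, run scan(open('/etc/rc.local').read()) as root; a hooked kernel can also lie to stat(), so treat an empty result as "nothing seen", not as a clean bill of health.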