Thursday, 31 January 2013

New York Times reported that hackers from China had been routing through the paper’s network

In a dramatic announcement late Wednesday, the New York Times reported that hackers from China had been routing through the paper’s network for at least four months, stealing the passwords of reporters in an apparent attempt to identify sources and gather other intelligence about stories related to the family of China’s prime minister.

The hackers breached the network sometime around Sept. 13 and stole the corporate passwords for every Times employee, using them to gain access to the personal computers of 53 employees, according to the report.

The hacking coincided with an investigation the Times published last October that looked into a fortune that the family of China’s Prime Minister Wen Jiabao had amassed. The hackers breached the network while the paper was in the process of concluding its reporting for the investigation.

The hackers broke into the email account of the newspaper’s Shanghai bureau chief, David Barboza, who conducted the investigation, as well as the email account of Jim Yardley, the paper’s South Asia bureau chief in India, who had previously worked out of Beijing.

Executive Editor Jill Abramson said, however, that forensic experts with Mandiant, the computer security firm hired to investigate the breach, found “no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied.”

It’s not the first time that the paper has been hacked. In 1998, a group known as HFG — or H4acking for Girl13z — hacked the paper’s web site to protest the arrest of hacker Kevin Mitnick and accuse Times reporter John Markoff of helping to catch him.

In 2002, former hacker Adrian Lamo famously hacked the paper’s network after discovering multiple vulnerabilities and accessed a database containing the details of 3,000 contributors to the paper’s op-ed page, among other things.

In 2011, former executive editor of the Times, Bill Keller, hinted that WikiLeaks or someone associated with the group had hacked into the accounts of some of the paper’s staff. During a period of heightened tension between WikiLeaks founder Julian Assange and the paper, which was then a publishing partner of WikiLeaks, the e-mail accounts of at least three people at the Times were apparently hacked. Keller suggested that Assange and WikiLeaks were behind the intrusions but never offered evidence to support this.

In the latest hack, the attackers, in an attempt to hide their tracks, routed their attacks through computers that they hacked at universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as at small companies and internet service providers. They apparently used the same university computers that hackers working for the Chinese military used previously to attack Defense Department contractors.

During the three months they were in the paper’s network, the attackers installed 45 pieces of custom malware, though nearly all of it went undetected. Although the newspaper uses antivirus products made by Symantec, the monitoring software identified and quarantined only one of the attacker’s tools during that time, according to the report.

The attackers increased their activity in late October after the paper published its investigation of the prime minister’s relatives, and were also particularly active the night of the Nov. 6 presidential election.

The paper noted that there were concerns the hackers would try to shut down its publishing system that night, but they turned out to be unwarranted since the attackers apparently showed interest only in the paper’s reporting about the prime minister’s family.

“They could have wreaked havoc on our systems,” Marc Frons, the Times’s chief information officer, said in the report. “But that was not what they were after.”

The Times had been on alert for suspicious activity after learning that Chinese officials had warned that the paper’s reporting would have consequences. The paper asked AT&T, which monitors its network, to be on the lookout for suspicious activity.

After AT&T reported finding such activity, the FBI was notified, and the Times called in Mandiant to investigate. Evidence showed that the hackers installed three backdoors and routed their way through the network for two weeks before uncovering a system containing the computer usernames and hashed passwords for all of the paper’s employees. The hackers apparently cracked a number of passwords to gain entry to employee computers. “They created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server,” the paper revealed.

The intrusion is apparently part of a wider campaign directed by Chinese hackers against western media outlets since 2008. Hackers from China also attempted to hack into the network of Bloomberg News last year after publishing stories about the relatives of China’s vice president.

Mandiant has investigated many of the breaches and found evidence that Chinese hackers had stolen e-mails, contact lists and files from more than 30 journalists and executives working for western media outlets.

Wednesday, 30 January 2013

German Federal Criminal Police to Use Interim Surveillance Software

According to a confidential document that has been leaked to the Internet, the German Federal Criminal Police Office, the Bundeskriminalamt (BKA), has purchased surveillance software that will reportedly be used until the organization's custom surveillance software is ready for use. The software uses a Trojan horse program to record Internet telephony conversations prior to their encryption from the sender or after their decryption on the recipient's device.

Tuesday, 29 January 2013

US hosts the highest number of botnet servers in the world

According to new data from McAfee, the US is responsible for the highest number of botnet servers in the world. A botnet is a group of computers that have been compromised by malware. These computers, or zombies, can be controlled by cyber criminals to send out spam and viruses and to launch distributed denial-of-service attacks against other computers.

A total of 631 botnet control servers are actually hosted in the Land of the Free, which is hardly surprising as the US is still the Mecca for cheap hosting. The British Virgin Islands ranked second, with 237 servers. The global distribution of active botnet control servers can be seen in the image.

SCADA researchers release password brute-force tool for Siemens S7 PLCs & iOS feature abused to install pirated apps without jailbreak

Two SCADA security researchers, Alexander Timorin and Dmitry Sklyarov, have released an offline password brute-force tool for Siemens S7 PLCs (programmable logic controllers). ICS-CERT has issued a PDF advisory regarding the issue and the availability of the proof-of-concept code on Pastebin. To use the tool, an attacker must first capture TCP/IP traffic containing the authentication data in challenge-response form; the script then tries different passwords until it finds a match. The possibility exists that this code may be modified for use against other vendors' products.

Hackers abusing iOS feature to install pirated apps without jailbreak

A new service has found a way to let users install pirated iPhone and iPad apps without the need for an iOS jailbreak. This was made possible by certain Chinese app store-like services. The question is, how? The features that allow enterprises to deploy their own custom apps have been abused to deliver pirated apps to users. This opens the door to piracy on millions of Apple devices and to an increase in the number of fake and malicious apps. Such an iOS app may try to send personal information to an external server, creating a privacy data leak. Mobile private information leaks always start with the installation of a malicious app on the device, whether it is iOS or Android. See the Trend Micro report on mobile security issues.

SSH Backdoor accounts in multiple Barracuda Products

Firewall, VPN and spam filtering products from Barracuda Networks contain hidden, hard-coded backdoor SSH accounts that allow an attacker to log in remotely and gain root access to sensitive information.

An advisory published by Stefan Viehböck of SEC Consult Vulnerability Lab reported the vulnerabilities in the default firewall configuration and default user accounts on the units. Barracuda was informed of the vulnerabilities at the end of November.

All Barracuda Networks appliances, with the exception of the Barracuda Backup Server, Barracuda Firewall and Barracuda NG Firewall, are potentially affected, i.e. Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer, Barracuda SSL VPN and CudaTel.

Barracuda recommended that all customers immediately update their Barracuda security definitions to v2.0.5, ensure the products' security definitions are set to on, and check that they are using the most recent firmware. In an attempt to limit access to the backdoor, Barracuda added network rules that only allow access to SSH from certain IP addresses.

Hackers targeting Africa, Nigeria included: a new security threat

The hacktivist group Team GhostShell today exposed data including 700,000 accounts/records from African universities and businesses in a campaign named ProjectSunRise.

The hackers stated, "GhostShell's new project focuses on Africa, mainly, for the time being, South Africa and to some extent other countries from the continent, such as Algeria, Nigeria, Kenya and Angola."

In this new campaign the hackers targeted many companies and universities, including Angola's National Diamond Corporation, Ornico Marketing, Moolmans Africa Mining Corporation, South African Express Petroleum, State University, Kenyan Business Directory, PostNet Internet Services and also PressOffice, linked to BidOrBuy, South Africa's largest online store.

The hackers released MySQL database dumps from all these sites via Pastebin notes, saying: "Companies like Anglo American have decimated our vast natural resources and have paid our local workers next to nothing. In a result of that they have become angry leading to multiple strikes that have crippled our economy. But you must be thinking, strikes mining industries pah! A fast developing country like South Africa should be able to shake that off with all that 1st world investment they are getting! But corrupt politicians from both the ANC and the DA have put the country into a spiralling economic disaster!"

Team GhostShell also declared that, under a new operation with Anonymous, #OpSAfrica, it will fight corruption, make all knowledge free and help South Africa out of crime, corruption and poverty.

Previously, Team GhostShell hacked and leaked 120,000 records from major universities around the globe, 2.5 million records from the Russian government and 1.6 million accounts from major organisations.

Cyber 9/11 may be on horizon, Homeland Security chief warns

With the possibility of a massive cyberattack hitting the U.S. in the near future, Homeland Security Secretary Janet Napolitano urges the government to pass cybersecurity legislation. Homeland Security Secretary Janet Napolitano warns that a massive cyberattack on the nation's infrastructure could happen "imminently."

The head of Homeland Security announced today that she believes a "cyber 9/11" could happen "imminently," according to Reuters. If such an event were to occur it could cripple the country -- taking down the power grid, water infrastructure, transportation networks, and financial networks.

"We shouldn't wait until there is a 9/11 in the cyber world," Homeland Security Secretary Janet Napolitano said during a talk at the Wilson Center think tank today, according to Reuters. "There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage."

Napolitano was referring to the possibility of Congress passing cybersecurity legislation. Several elected officials have been working to get a cybersecurity law passed for years, but have repeatedly run into road blocks.

Sen. Joseph Lieberman spent years fighting unsuccessfully for a so-called Internet kill switch that would grant the president vast power over private networks during a "national cyberemergency." Currently, he is working to get the Senate to pass a more modest version of his proposal. By the same token, President Obama also signed an executive order last July that could give the government control over the Internet in an emergency. Defense Secretary Leon Panetta has also strongly advocated for increased governmental cybersecurity. During his first major policy speech on cybersecurity last October, he echoed previous statements that the United States is facing the possibility of a "cyber-Pearl Harbor" perpetrated by foreign hackers.

"A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11," he said during a speech. "Such a destructive cyber terrorist attack could paralyze the nation."

According to Reuters, Napolitano said today that a massive cyber attack could cause the same amount of damage as last year's Superstorm Sandy, which downed electricity and information networks throughout the Northeastern U.S.

"The clarion call is here and we need to be dealing with this very urgently," Napolitano said. "Attacks are coming all the time. They are coming from different sources, they take different forms. But they are increasing in seriousness and sophistication."

Visa Issues ATM Cash-Out Warning

Card Issuers Alerted to Organized Global Fraud Schemes

Visa has issued an advisory to U.S. payment card issuers, advising them to be on alert for suspected ATM cash-out fraud schemes. Visa could not be reached for comment about the Jan. 10 advisory. But a copy of the advisory was obtained from an executive at a top-tier issuing institution who asked not to be named. The advisory states international law enforcement agencies have determined global ATM cash-out schemes could be on an upswing, based on a recent case involving a limited number of stolen payment cards used to conduct thousands of withdrawals at ATMs in numerous countries over the course of a single weekend.

Card issuers have been asked to increase their monitoring of ATM traffic and report any suspicious activity, especially ATM withdrawals involving prepaid cards.

Meanwhile, FICO Card Alert Service, which analyzes card transactions across a network of 11,000 institutions to detect counterfeit card use, issued an alert to its member banks and credit unions the week of Jan. 14 about ATM cash-outs. In the alert, FICO notes that fraudulent ATM withdrawals in certain northeastern U.S. cities had been identified by law enforcement, and a global connection was suspected.

ATM Cash-outs

ATM cash-out schemes involve a coordinated effort to make withdrawals at multiple ATMs over a short period of time, typically within hours of each other. Fraudsters collect card numbers and PINs over time - either through skimming attacks, network hacks or purchases in underground carding forums - and hold the information until they reach a relatively massive number.

Fraudsters create fake cards with the stolen details and then use the cards at multiple ATMs simultaneously or within a short period of time in an effort to make numerous withdrawals before fraud-detection systems pick up on suspicious activity.
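As an added example that is not part of the original article or of Visa's advisory, the kind of velocity monitoring issuers are being asked to increase, run over a constructed feed of withdrawals: a card is flagged when a two-hour sliding window holds more distinct ATMs than allowed (a stricter limit for prepaid cards) or withdrawals in more than one country. All card identifiers, terminal names, timestamps and thresholds are constructed for illustration.

```python
"""Velocity detection for ATM cash-out patterns (added example, not from the page).

Cash-outs cluster many withdrawals at many terminals within hours, sometimes
across countries. This sketch flags a card the first time a sliding window of
its withdrawals exceeds a distinct-terminal or distinct-country threshold.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    card: str           # masked card identifier (constructed, not a real PAN)
    ts: datetime        # withdrawal time, UTC
    atm_id: str         # terminal identifier (constructed)
    country: str        # ISO 3166 country code of the terminal
    amount: float
    prepaid: bool       # prepaid cards get a stricter terminal threshold


def _t(h, m=0, day=12):
    """Helper: constructed timestamp on 12-14 Jan 2013 (UTC)."""
    return datetime(2013, 1, day, h, m)


# Constructed sample feed: one ordinary cardholder, two cash-out patterns,
# one suspicious prepaid card and one card that is busy but slow.
SAMPLE = [
    # Ordinary use: two withdrawals on different days at the same terminal.
    Withdrawal("4000****0001", _t(9), "ATM-NYC-01", "US", 100.0, False),
    Withdrawal("4000****0001", _t(9, day=13), "ATM-NYC-01", "US", 60.0, False),
    # Cash-out: five terminals in ninety minutes.
    Withdrawal("4000****0002", _t(1, 0), "ATM-NYC-07", "US", 500.0, False),
    Withdrawal("4000****0002", _t(1, 15), "ATM-NYC-12", "US", 500.0, False),
    Withdrawal("4000****0002", _t(1, 40), "ATM-NYC-19", "US", 500.0, False),
    Withdrawal("4000****0002", _t(2, 5), "ATM-NYC-23", "US", 500.0, False),
    Withdrawal("4000****0002", _t(2, 30), "ATM-NYC-31", "US", 500.0, False),
    # Impossible travel: cloned card used in two countries thirty minutes apart.
    Withdrawal("4000****0003", _t(3, 0), "ATM-NYC-02", "US", 400.0, False),
    Withdrawal("4000****0003", _t(3, 30), "ATM-LON-44", "GB", 400.0, False),
    # Prepaid card at three terminals in an hour: below the standard threshold
    # but above the stricter prepaid one.
    Withdrawal("5000****0004", _t(4, 0), "ATM-BOS-01", "US", 300.0, True),
    Withdrawal("5000****0004", _t(4, 20), "ATM-BOS-02", "US", 300.0, True),
    Withdrawal("5000****0004", _t(5, 0), "ATM-BOS-03", "US", 300.0, True),
    # Busy traveller: four different terminals, but only one per day.
    Withdrawal("4000****0005", _t(10, day=12), "ATM-CHI-01", "US", 80.0, False),
    Withdrawal("4000****0005", _t(10, day=13), "ATM-CHI-02", "US", 80.0, False),
    Withdrawal("4000****0005", _t(10, day=14), "ATM-CHI-03", "US", 80.0, False),
]


def detect_cashout(withdrawals, window=timedelta(hours=2),
                   max_atms=3, max_atms_prepaid=2, max_countries=1):
    """Return {card: alert} for every card that exceeds a threshold in any window.

    Withdrawals are grouped per card, sorted, and scanned with a sliding window
    no longer than `window`. The card is flagged the first time the window holds
    more distinct terminals than allowed (stricter limit for prepaid cards) or
    terminals in more than `max_countries` countries.
    """
    by_card = defaultdict(list)
    for w in withdrawals:
        by_card[w.card].append(w)

    alerts = {}
    for card, txs in by_card.items():
        txs.sort(key=lambda w: w.ts)
        limit = max_atms_prepaid if txs[0].prepaid else max_atms
        lo = 0
        for hi in range(len(txs)):
            # Advance the left edge until the window fits within `window`.
            while txs[hi].ts - txs[lo].ts > window:
                lo += 1
            span = txs[lo:hi + 1]
            atms = {w.atm_id for w in span}
            countries = {w.country for w in span}
            if len(atms) > limit or len(countries) > max_countries:
                alerts[card] = {
                    "reason": "multi_country" if len(countries) > max_countries
                              else "atm_velocity",
                    "window_start": span[0].ts,
                    "withdrawals": len(span),
                    "distinct_atms": len(atms),
                    "countries": sorted(countries),
                    "total": round(sum(w.amount for w in span), 2),
                }
                break  # one alert per card is enough for an analyst queue
    return alerts


if __name__ == "__main__":
    for card, alert in detect_cashout(SAMPLE).items():
        print(card, alert)
```

Real deployments would tune the window and thresholds per issuer and add per-card baselines; the structure (group, sort, slide, count distinct terminals and countries) stays the same.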

What is Web Application Penetration Testing?

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack. A Web Application Penetration Test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws or vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

In a perfect world, we would all learn about preventing hack attacks before they happen. But sometimes the hack happens first and the lessons come second. This is the tale we are talking about today – based, in true Hollywood tradition, on a true story.

The lead in this story is a mid-sized organization – large enough that its website plays an important public role in operations but small enough that the few full-timers are very busy and there is no budget for any dedicated IT staff.

Sunday, 27 January 2013

HP's JetDirect Software Makes Networked Printers Vulnerable

Vulnerabilities in Hewlett-Packard's (HP's) JetDirect software could allow attackers to circumvent biometric and other security protections to access partially printed documents and crash all machines running the vulnerable software that are connected to the network. The software is used in internal, external, and embedded print servers from many manufacturers, not just HP. It is designed to manage print requests made through networks.

Stanford Medical Facility Suffers Another Data Security Breach

The Lucile Packard Children's Hospital at Stanford University has notified 57,000 patients that their personal information was compromised after an unencrypted laptop containing the data was stolen from a doctor's car. The theft occurred on January 9, 2013, and was reported to the hospital the following day. The incident is the fourth data security breach involving a Stanford medical facility since January 2010.

Two Sentenced for DDoS Attacks on PayPal and Other Sites

A UK court has sentenced two men to jail for their involvement with the hacking collective that calls itself Anonymous. Christopher Weatherhead and Ashley Rhodes received sentences of 18 months and seven months, respectively, for launching distributed denial-of-service (DDoS) attacks against a number of sites, including PayPal, MasterCard, and Visa. Two other men were involved in the attacks: Peter Gibson received a six-month sentence, suspended for two years. Jake Birchall will be sentenced on February 1. The convictions in this case are believed to be the first in the UK for DDoS attacks.

Hardcoded Backdoors in Barracuda Gear

Multiple products from Barracuda have been found to have hardcoded backdoors that could be exploited to gain access to vulnerable systems. The backdoor accounts, which can be accessed via the secure shell (SSH) protocol, allow attackers to log in remotely and access sensitive information or take control of networks. The backdoor accounts are protected with weak passwords and cannot be disabled. The problem was reported to Barracuda in November 2012. There is a specific set of IP addresses that can access the appliances, but Barracuda does not own all of those addresses. Barracuda is urging all users to update their security definitions to version 2.0.5.

Cisco Issues Patches for Vulnerabilities in Wireless LAN Appliances

Vulnerabilities in Cisco wireless LAN appliances could be exploited to allow remote code execution and trigger denial-of-service conditions. Cisco has released a fix for the problems and is urging administrators to patch affected products. In some instances, limiting SNMP access on wireless controllers can lessen the threat of attacks.

Friday, 25 January 2013

Capstone Turbine Corporation Hacked

The company's Web site was compromised with the same exploit that was recently used at the Council on Foreign Relations. According to security researcher Eric Romang, the same attack used on the Web site for the Council on Foreign Relations (CFR) was also recently used on the Web site for microturbine manufacturer Capstone Turbine Corporation.

"Capstone figures to be a valuable target, Romang said, given its position in the energy community as a producer of microturbine energy products," writes Threatpost's Michael Mimoso. "He found the same malicious html file on the Capstone site as was found residing on the CFR site."

"One interesting aspect is that was also compromised back in September and was used to serve an exploit for a different IE vulnerability that was unpatched at the time," writes Computerworld's Lucian Constantin. "The same attackers might be behind the new IE exploit, Romang said."

Jindrich Kubec, director of threat intelligence at Avast, later wrote that he'd also noted the compromise at in September of 2012. "I wrote to Capstone Turbine on 19th September about the Flash exploit stuff they were hosting," Kubec tweeted. "They never replied. And also not fixed."

Department of Homeland Security Web Site Hacked

WordPress configuration information and database login details were posted online. Hacker group NullCrew recently claimed to have breached the Department of Homeland Security's Study in the States Web site, which provides information on educational opportunities in the U.S. for international students.

"The hackers have published WordPress configuration details, along with other server information and even database login credentials," writes Softpedia's Eduard Kovacs. "They’ve also revealed the exact location of the vulnerability that has allowed them to gain access to the site."

"Considering the DHS is meant to specialize in security, [you have to] wonder why they are using what is clearly [an] exploitable older version of WordPress," Cyber War News reports.

Sophos' Paul Ducklin says this should serve as a reminder to be sure you're updated with the latest security fixes for all back-end components you use, consider running a Web Application Firewall (WAF), and perform regular penetration tests against your own Web properties. "It's not a matter of if, or even of when, you might get attacked," he writes. "If you're inviting inbound Web requests, you're already under attack!"

U.S. Bank Cyber Attacks Attributed to Iranian Government

According to the New York Times, the ongoing denial of service attacks against U.S. banks that have been attributed to a group called the Izz ad-Din al-Qassam Cyber Fighters are actually the work of the Iranian government.

"Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC," UPI reports. "The hackers used distributed denial of service attacks that direct large volumes of traffic to a site until it collapses, thus denying customers access."

"'There is no doubt within the U.S. government that Iran is behind these attacks,' said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington," write The New York Times' Nicole Perlroth and Quentin Hardy. "Mr. Lewis said the amount of traffic flooding American banking sites was 'multiple times' the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation."

"It's understood that the attackers used data centers rather than individual computer-based botnets to attack the banks, and hijacked clouds rather than individual machines," writes ZDNet's Zack Whittaker. "Exactly how the attackers are hijacking data centers 'is still a mystery,' the Times noted, but warned that the hackers were using encrypted DDoS attacks by flooding servers with encryption requests, rather than ordinary data, to slow down networks with fewer requests."

"These attacks on banks show no signs of ceasing," notes CNET News' Dara Kerr. "A December security report by McAfee warned that mass cyberattacks on U.S. banks would continue throughout 2013. The security company also said that 2013 will see a rise in higher-level professional hacking groups that will aim to promote military, religious, political, and 'extreme' campaign attacks."

Wednesday, 23 January 2013

Hacker Hides Malware Code on Cat's Collar

A memory card strapped to the collar contained information on the iesys.exe malware, also known as the 'remote control virus.' In a recent twist that mirrors the plot of the movie Men In Black, Japanese police have recovered a memory card on the collar of a stray cat that contains clues left by a particularly notorious hacker who claims to have created the "remote control virus."

"On New Year's Day, a string of riddles sent via email to Japanese media outlets eventually led to the cat, who apparently lived on an island near Tokyo," writes Max Eddy. "The memory card carried by the cat allegedly contained information about iesys.exe, also known as the 'remote control virus,' which is used to take control of infected computers."

"The development is the latest in a bizarre investigation that has previously seen months of threats made against a number of venues -- including a school and a kindergarten attended by grandchildren of Emperor Akihito -- from computers around the country," AFP reports. "The National Police Agency was embarrassed after it emerged that officers had extracted 'confessions' from four people who had nothing to do with sending the threatening messages."

"It turned out that the suspects' computers had indeed been infected with the 'remote control virus,' which let the operator remotely email and post threats from other people's computers, masking the authentic source of the malicious messages," writes Tech News Daily's Ben Weitzenkorn.

The National Police Agency has offered a bounty of 3 million Yen for information leading to the hacker's arrest. "It's the first time that a bounty has been offered for cybercrime in Japan, and it reflects how frustrated the NPA has been in its investigation," writes Wired's Ian Steadman.

Russian Hacker Sentenced to 3 Years in Prison

Vladimir Zdorovenin, 55, of Moscow, Russia, was recently sentenced in Manhattan federal court to three years in prison and a $1 million fine for fraud, identity theft and hacking. Zdorovenin was deported from Switzerland to the U.S. in January of 2012.

"According to the US Department of Justice, the man and his son, Kirill Zdorovenin, are accused of conspiring to steal the personal details, including credit card information, of several US citizens between 2004 and 2005, while residing in Russia," writes Softpedia's Eduard Kovacs.

"The whereabouts of Kirill Zdorovenin are unknown," The Voice of Russia reports. "According to investigators he was the organizer of the 'business.'"

"Prosecutors alleged that the Zdorovenins and unidentified accomplices controlled U.S.-registered companies Sofeco LLC, Pintado LLC and Tallit LL that appeared to be legitimate Internet merchants which sold legitimate goods," writes Bloomberg's Patricia Hurtado. "The defendants both took unauthorized charges on customers' credit cards, prosecutors said. They also got credit card numbers by either buying them from unidentified people who had obtained them illegally or by using computer programs that were surreptitiously installed on victims' computers, the U.S. alleged."

"From his perch halfway across the globe, Vladimir Zdorovenin engaged in a slew of cyber crimes that left multiple victims in the United States," Manhattan U.S. Attorney Preet Bharara said in a statement. "Cybercrime is particularly insidious because there is no need for geographic proximity between perpetrators and their victims, and Zdorovenin’s sentence today should serve as a reminder to others that law enforcement does not require geographic proximity to prosecute these crimes either."

Australian Spies Want to Be Hackers

The Australian Security Intelligence Organization wants permission to hack into suspected terrorists' computers. According to News Limited, the Australian Security Intelligence Organization (ASIO), Australia's spy agency, is seeking authorization to hack into the computers of suspected terrorists.

"The ASIO Act now bans spies from doing anything that 'adds, deletes or alters data or interferes with, interrupts or obstructs the lawful use of the target computer by other persons,'" writes News Limited's Natasha Bita. "But ASIO wants the ban lifted, so Attorney-General Nicola Roxon can issue a warrant for spies to secretly intercept third-party computers to disrupt their target."

In a statement given to News Limited, a spokesman for the Attorney-General's Department said, "The purpose of this power is to allow ASIO to access the computer of suspected terrorists and other security interests. [It would be used] in extremely limited circumstances and only when explicitly approved by the Attorney-General through a warrant. Importantly, the warrant would not authorize ASIO to obtain intelligence material from the third party computer."

"The plans are opposed by civil rights organisations and data protection officials," The H Security reports. "The Electronic Frontiers Australia organization has criticised the government for copying the techniques used by cyber-criminals. The Privacy Commissioner for the State of Victoria has complained that the plan is 'extraordinarily broad' and intrudes deep into the basic rights of the third parties involved. He describes the proposed powers as 'characteristic of a police state.'"

Michael Jackson Hackers Sentenced

The UK's Serious Organized Crime Agency (SOCA) recently announced that hackers James Marks, 27, and James McCormick, 26, both received six-month suspended sentences and were ordered to do 100 hours of unpaid community service work for breaching Sony Music's servers and stealing Michael Jackson songs, including unreleased tracks.

"The hackers, who met through a fan website forum, also downloaded music by artists including Elvis, Beyonce, JLS, Christina Aguilera and Britney Spears," The Telegraph reports. "In total they downloaded around 7,000 files which were completed tracks or the component parts, as well as artwork and videos, SOCA said. Marks and McCormick were arrested in May 2011 after Sony identified the security breach."

"These men stole thousands of copyrighted files belonging to Sony Music," SOCA's Mick Jameson said in a statement. "Our remit is to protect businesses as well as the public, and we will continue to work closely with law enforcement and industry partners to tackle online criminality."

"The pair claimed they only wanted to gather evidence that some Jackson material released after his death didn't actually feature the singer's voice," writes BBC's Jim Taylor. "Sony Music has always denied that vocals on some tracks on the posthumous album 'Michael' were done by another singer. ... Speaking outside court, James Marks said he was sorry for downloading the files but was still determined to prove Michael Jackson didn't sing on some tracks on 'Michael.'"

Hackers Steal $40,000 from Vancouver Island Church

The hackers appear to have gained access to the church's bank account through an employee's home computer. The Nanaimo Daily News reports that hackers recently stole $40,000 from the online bank account of a church on Vancouver Island. "40,000 dollars was taken from Ladysmith First United Church over the holiday season and it was all done by the click of a computer's mouse," writes CTV Vancouver Island's Scott Cunningham. "[The Royal Canadian Mounted Police] say over a 10 day period in late December, six withdrawals from the church’s online account racked up thousands of dollars in losses. Credit Union staff say the Internet hacker gained access to a church employee’s home computer, found vital passwords and went to work."

"Representatives of the church became suspicious over Christmas, and reported the disappearance of funds Dec. 27," writes The Nanaimo Daily News' Darrell Bellaart. "More money went missing after that, and police are working to trace the online footprint of those responsible."

"Somehow their account at one of the local financial institutions was compromised through the Internet," Cpl. Tim Desaulniers of the Royal Canadian Mounted Police told Bellaart. "It's very preliminary right now. It looks like it originated down East." "So far, the crime is considered an isolated incident," Bellaart writes.

University of Western Sydney Hacked

The hackers are protesting the university's new iPad initiative, which they call 'nothing more than a marketing gimmick.' Australia's University of Western Sydney (UWS) has acknowledged that a UWS e-mail list was recently breached.

"The list has been shut down and a full investigation is underway," the university said in a statement. "We would like to assure you that this was limited to the email list and that other than an unfortunate amount of spam, your UWS Account is not under any threat. UWS IT Services apologises for the inconvenience caused and will report back with further information following the investigation."

"However, some students have reported receiving 300 spam emails as a result of the incident," writes Softpedia's Eduard Kovacs. "According to Mahmoud Elkhodr, an associate lecturer at the University of Western Sydney, one of the spam emails criticized the university’s iPad Initiative -- a program started by the institution in an effort to support learning and teaching innovations."

College Student Expelled for Uncovering Security Flaw

Ahmed Al-Khabaz came across a vulnerability that exposed students' Social Insurance Numbers, class schedules, home addresses and phone numbers. The National Post's Ethan Cox reports that Ahmed Al-Khabaz, a 20-year-old computer science student at Montreal's Dawson College, was expelled following his discovery of a security flaw that exposed more than 250,000 Quebec college students' personal information.

"Al-Khabaz ... was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as 'sloppy coding' in the widely used Omnivox software which would allow 'anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student,'" Cox writes.

"So Al-Khabaz took the issue to the school's Director of Information Services and Technology," writes Gizmodo's Kyle Wagner. "The meeting went well, and he was told that Skytech, the company that makes the software in question, would get right on it. After not hearing back for a few days, Al-Khabaz decided to check to see if the vulnerability had been patched, using a program called Acunetix. That was a mistake."

"Shortly after, he was contacted by the president of Skytech who accused him of launching a cyberattack against the company," writes Softpedia's Eduard Kovacs. "Skytech told the student that he could go to jail, unless he signed a non-disclosure agreement. The student agreed to sign the non-disclosure agreement, but his problems were far from being over."

"While Skytech saw the probe by Al-Khabaz as the mistake of an overeager student, Dawson College administrators decided to take disciplinary action," writes Ars Technica's Sean Gallagher. "After he was interviewed by the dean of Dawson and his Computer Science program coordinator, the details were brought to a meeting of 15 professors in the school's Computer Science department. By a 14-to-1 vote, they moved to expel him."

Monday, 21 January 2013

RATs - Remote Access Trojans

RATs - Remote Access Trojans - are often used by cyber attackers to maintain a foothold in infected computers and make them do things unbeknownst to their owners. But in order to do that without being spotted, RATs must employ a series of obfuscation techniques.

Take for example the FAKEM RAT variants recently analyzed by Trend Micro researchers: in order to blend in, some try to make their network traffic look like Windows Messenger and Yahoo! Messenger traffic, and others like HTML. Usually delivered via spear-phishing emails, the malware, once executed, copies itself into the %System% folder. When contacting and sending information to remote servers, the malicious traffic begins with headers similar to real Windows Messenger and Yahoo! Messenger traffic, but inspecting what follows those headers clearly shows its malicious nature.

The communication between the compromised computer and the RAT's controller is also encrypted. The RAT starts by sending out information about the compromised system, and can then receive simple codes and commands that make it execute code, go to sleep or run shell commands, and that allow the attacker to browse directories, access saved passwords, and more. "Now that popular RATs like Gh0st and PoisonIvy have become well-known and can easily be detected, attackers are looking for methods to blend in with legitimate traffic," the researchers noted.

"While it is possible to distinguish the network traffic FAKEM RAT variants produce from the legitimate protocols they aim to spoof, doing so in the context of a large network may not be easy. The RAT's ability to mask the traffic it produces may be enough to provide attackers enough cover to survive longer in a compromised environment."
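As an added illustration of the point above (example code written for this post, not Trend Micro's analysis and not FAKEM's actual bytes), here is a small Python heuristic that flags a flow which opens with a Messenger-style command line but carries something that is not Messenger protocol behind it. The MSNP command shape, the two thresholds and the three sample payloads are assumptions made for the example:

```python
import math
import re

# Constructed sample payloads (not captures from the Trend Micro analysis).
# The exact bytes FAKEM emits are an assumption here; what matters is the
# shape: a Messenger-style first line, then something that is not Messenger.
LEGIT_MSNP = (b"VER 1 MSNP18 CVR0\r\n"
              b"CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.5.1302 BC01 user@example.com\r\n")
FAKEM_LIKE = b"MSG 1 U 0\r\n" + bytes(range(256))   # header, then opaque binary
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

# MSNP commands: three uppercase letters, a transaction id, optional args, CRLF.
MSNP_FIRST_LINE = re.compile(rb"^[A-Z]{3} \d+(?: [^\r\n]*)?\r\n")


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniformly random, plain ASCII text sits well under 6."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def classify_messenger_flow(payload, min_printable=0.8, max_entropy=6.0):
    """Return 'not-msnp', 'msnp-like' or 'spoofed-msnp' for one payload.

    Real Messenger sessions are line-oriented ASCII all the way through, so a
    Messenger header followed by mostly unprintable or high-entropy bytes is
    the spoofing pattern the text describes. Thresholds are assumptions.
    """
    m = MSNP_FIRST_LINE.match(payload)
    if not m:
        return "not-msnp"
    body = payload[m.end():]
    if printable_ratio(body) < min_printable or shannon_entropy(body) > max_entropy:
        return "spoofed-msnp"
    return "msnp-like"


def triage(flows):
    """Run the classifier over (name, payload) pairs; return the suspicious names."""
    return [name for name, payload in flows
            if classify_messenger_flow(payload) == "spoofed-msnp"]


if __name__ == "__main__":
    samples = [("legit", LEGIT_MSNP), ("fakem", FAKEM_LIKE), ("http", HTTP_SAMPLE)]
    for name, payload in samples:
        print(name, classify_messenger_flow(payload))
    print("suspicious:", triage(samples))
```

The check is deliberately cheap, so it can run on every flow that hits the Messenger ports; it does not decrypt anything, it only asks whether what follows the header could plausibly be the protocol the header claims. A legitimate client that sends an encrypted attachment immediately after its handshake would trip it, which is the sort of false positive the quoted researchers have in mind when they say distinguishing the traffic on a large network is not easy.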

Security News ...(Banking Trojan spread over skype)

The banking Trojan known as Shylock has been updated with new functionality, including the ability to spread over Skype. The program, discovered in 2011 and named after a character from Shakespeare's "The Merchant of Venice", steals online banking credentials and other financial information from infected computers. Shylock is one of the most advanced Trojans currently being used in attacks against home banking systems; its code is constantly being updated and new features are added regularly.

According to security researchers from CSIS Security Group, the Skype infection is based on a malicious plugin called msg.gsm that allows the malware to send messages and transfer files, remove those messages and transfers from the Skype history, and bypass the warning and confirmation request that Skype displays when a third-party program tries to connect to and interact with the application.

Besides its new ability to spread through Skype, Shylock can also spread through local shares and removable drives. Infection allows the attackers to steal cookies, inject HTML into the web pages the victim views, set up VNC sessions and upload files, among other functions.

According to a map showing the distribution of Shylock infections that was published by CSIS, there's a high concentration of victims in the UK. However, there are also many Shylock-infected computers throughout mainland Europe and the US.

Friday, 18 January 2013

Tips on how you can secure your wordpress blog

A lot of WordPress blogs get hacked. One thing I have figured out is that most people don't know what they can control to make sure their blog is not victimized.
Things to understand:

Most of the time, when a lot of WordPress blogs are hacked at once, it is because a vulnerability was recently discovered and a few kids are taking advantage of being among the first to know about it. The rest of the time, an entire web hosting server is hacked and almost all the websites on that server are defaced. That can be classified as the hosting company's fault or its unawareness. In the second scenario there is not much you can do: if you restore your website from a backup, it is going to be hacked again, because the entire server is rooted (the attacker has administrative access to it). The best thing to do is choose your host wisely :) .
How to save your blog from hackers?
1. Add captchas at all input forms:
One of the most common ways to attack a WordPress blog is cross-site scripting (XSS). The attacker puts malicious script into input forms like comments, search and login; if the site echoes that input back without escaping it, the script runs in other visitors' browsers and can read their cookies and hijack their sessions. Be clear about what a captcha does here: it does not stop XSS. Validating input and escaping output does (WordPress provides esc_html() and similar functions for exactly this).

What a captcha does stop is automation, and that matters for another attack, "brute forcing": the attacker points a tool at your login form and tries every word in a dictionary (plus common variations) as your password until one works. A captcha on the login form breaks the tool's loop, so it cannot run through the whole wordlist. Limiting failed login attempts per IP address helps for the same reason.
2. Get a unique IP address (if affordable):

Trust me, neither you nor I am Bill Gates, so nobody is looking to hack your blog specifically. If your blog is hacked, it is usually part of a mass attack, and most mass attacks sweep the IP range of a web hosting server, hitting every site that answers. Having your own IP (and better still, your own server) means you are not automatically swept up with the hundreds of other sites on a shared host. Keep in mind that a dedicated IP on its own does nothing against a shared server that has already been rooted; that is what choosing your host wisely is for.
3. Upgrade, but why?

Everyone tells you to upgrade WordPress to the latest version, but do you know why? Whenever a release is published, a "change log" comes with it. It describes the issues that were found in the last release and how they were patched. By reading that file, even a newbie hacker can understand the flaws in the previous version and how to exploit them. So if you haven't upgraded, you are running a version whose holes are public knowledge. Upgrade now, and do the same for plugins and themes, which have changelogs of their own.
4. Add SSL to wp-admin dir:

Do you know what SSL actually does? It encrypts the traffic between your browser and the server, so nobody sitting on the network in between (an open Wi-Fi hotspot, a compromised router, your ISP) can read your username and password as they travel across the wire. What it does not do is protect you from malware on your own computer: a keylogger captures what you type before it is ever encrypted, so if your PC is infected, SSL will not save your admin password. Even on a clean machine, though, logging in over plain HTTP hands your credentials to anyone who can sniff the network. So forcing SSL on the wp-admin directory is still a great idea; WordPress supports this with the FORCE_SSL_ADMIN setting in wp-config.php.

Note -

    Serving wp-admin over SSL needs a certificate for your own hostname. Historically that required a unique IP address; hosts that support SNI can do it on a shared IP.

5. Do not use "something@123", 12345, admin or any other guessable password:

This is the MOST common mistake I have noticed in the past year. Since it is now generally accepted that a password needs symbols and numbers, almost everyone changes their "password" to "password@123". Almost every brute-forcing tool nowadays uses rules that append "@123" (and "123", "!", the current year, and so on) to every dictionary word, so that "improvement" buys you nothing. When "they" say use symbols and numbers, use your head and make it genuinely complex: long, not built on a dictionary word, and not reused on any other site.
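To show what tip 5 (and the brute-force half of tip 1) means in practice, here is an added Python example, not code from the original post, of the rule-based dictionary expansion a cracking tool performs, turned around and used as a password check. The wordlist, suffix rules and leetspeak substitution are a constructed toy; real tools ship wordlists with millions of entries and hundreds of rules, so the space they cover is far larger than the 192 guesses this produces:

```python
# Constructed toy wordlist and rules for the example; real tools use far larger ones.
WORDLIST = ["password", "admin", "wordpress", "welcome", "letmein", "dragon"]
SUFFIXES = ["", "1", "12", "123", "@123", "!", "2013", "@1"]
LEET = str.maketrans("aeo", "@30")   # a->@, e->3, o->0, a common rule-file substitution


def mangle(word):
    """Yield every variant a rule-based cracker would try for one dictionary word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def is_crackable(password, wordlist=WORDLIST):
    """True if a dictionary attack with these rules reaches the password."""
    return any(password == candidate
               for word in wordlist for candidate in mangle(word))


def character_classes(password):
    """Count of lower, upper, digit and symbol classes present (0..4)."""
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() for c in password)])


def password_problems(password, wordlist=WORDLIST, min_length=12):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if character_classes(password) < 3:
        problems.append("fewer than three character classes")
    if is_crackable(password, wordlist):
        problems.append("matches a mangled dictionary word")
    return problems


def candidate_count(wordlist=WORDLIST):
    """How many guesses the rules generate for this wordlist."""
    return sum(1 for word in wordlist for _ in mangle(word))


if __name__ == "__main__":
    for pw in ["password@123", "Admin123", "admin", "violet-kettle-Tr0ub4dor&3"]:
        print(repr(pw), password_problems(pw) or "ok")
    print("guesses generated:", candidate_count())
```

The point of the check is the order of the tests: "password@123" is twelve characters long and has three character classes, so a complexity rule alone would accept it, and only the dictionary-plus-rules test catches it. That is exactly the gap the brute-forcing tools exploit.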

Ensure your network is secure

Twenty-four hours a day, seven days a week, 365 days each year – it’s happening. Whether you are awake or asleep, in a meeting or on vacation, they are out there probing your network, looking for a way in. A way to exploit you; a way to steal your data, a place to store illegal content, a website they can deface, or any of a hundred other ways to mess with you for the simple joy of it all. And they can do this with relative ease, even in an automated fashion, with simple tools that are readily available to all.

I’m talking about network scanners. The bad guys use them all day every day to assess networks around the world because a network scanner is one of the easiest and most efficient ways to find the cracks in your armor. If you want to see your network the same way an attacker would, then you want to use a network scanner.

Network scanners perform automated tests of systems over the network. They don’t require agents or any other software to be installed on the “target” machines. They assess a system based on what they can get from it over the network. It’s the same sort of reconnaissance that is performed against your network around the clock, and that is why you want to do it too. Here are five checks you should perform regularly using your network scanner.

1. Vulnerability assessments
Network scanners can use databases of known vulnerabilities to check for anything that might present a risk to your systems. Update that database regularly since new vulnerabilities are discovered all the time.

2. Port scans
A port scanner is a very fast way to determine what sort of systems are running on your network, and port scans are probably the most common sort of recon you will see. Determine what should be accessible on your network from the Internet, validate that with a port scanner, and then use a combination of firewall rule cleanup and system hardening to shut down anything that doesn't belong.

3. Default password access
There's a reason there are tens of thousands of default password lists on the Internet: they make for a very easy way to get in. Don't make it easy for an attacker. Make sure everything on your network has been configured with a strong password to prevent unauthorized access.

4. Running services
To compromise a service, it first has to be running. Every server has to run certain services, otherwise it’s just a space heater, but many run unneeded services either because they are on by default, or the admin who set it up didn’t know any better. Use your network scanner to find all running services, and then shut down the ones that are not needed.

5. Remote access
Speaking of default passwords, in about half of the security audits I have performed for customers, I have found remote access software that they didn’t know about, running on systems that made it very easy to get in. Use your network scanner to find all of the Telnet, SSH, RDP, GoToMyPC, LogMeIn, PCAnywhere and other applications that can provide remote access to a system, and shut down all the ones that shouldn’t be there. Finding all those “secret” ways in, and closing up the unapproved ones, will greatly reduce the risks to your network.

Using a network scanner, set up a regular schedule of scanning your systems for these five critical checks. Scan from the outside to see what the firewall cannot stop, and scan from the internal network so you understand just how much damage an inside threat can cause. Knowing your systems the way an attacker will, helps you to ensure everything is safe.
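Checks 2, 4 and 5 above come down to the same workflow: scan, compare the result against what is supposed to be exposed, and chase down the difference. The following Python script is an added example (not from the original post) of that comparison run over nmap's grepable output (the -oG format). The scan output, the hosts and the allowed-port baseline are constructed for the example; the remote-access ports are the services' well-known defaults:

```python
import re

# Constructed nmap -oG output for the example (not a real scan).
SCAN_OUTPUT = (
    "# Nmap 6.25 scan initiated (constructed sample) as: nmap -oG - -p- 192.0.2.0/28\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\n"
    "Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 3389/open/tcp//ms-wbt-server///, 5631/open/tcp//pcanywheredata///\n"
    "Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http///, 5900/open/tcp//vnc///, 8080/filtered/tcp//http-proxy///\n"
    "# Nmap done (constructed sample)\n"
)

# Assumed firewall policy: the ports each host is supposed to expose.
# A host missing from the baseline is supposed to expose nothing.
BASELINE = {
    "192.0.2.10": {22, 80, 443},
    "192.0.2.12": {80},
}

# Remote-access services named in the text, keyed by their default TCP port.
REMOTE_ACCESS = {23: "telnet", 22: "ssh", 3389: "rdp", 5900: "vnc", 5631: "pcanywhere"}

# One grepable port entry: port/state/protocol/owner/service/...
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/,]*)/")


def parse_grepable(text):
    """Map host -> {port: service} for the open TCP ports in nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        open_ports = hosts.setdefault(host, {})
        for port, state, proto, service in PORT_FIELD.findall(line):
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service
    return hosts


def audit(hosts, baseline, remote_access=REMOTE_ACCESS):
    """Return (host, port, reason) for every open port the baseline does not permit.

    Unapproved remote-access services are called out by name so they can be
    chased first; everything else unexpected is reported as 'not in baseline'.
    """
    findings = []
    for host, ports in sorted(hosts.items()):
        permitted = baseline.get(host, set())
        for port in sorted(ports):
            if port in permitted:
                continue
            if port in remote_access:
                reason = "unapproved remote access (%s)" % remote_access[port]
            else:
                reason = "not in baseline"
            findings.append((host, port, reason))
    return findings


if __name__ == "__main__":
    for host, port, reason in audit(parse_grepable(SCAN_OUTPUT), BASELINE):
        print("%s:%d %s" % (host, port, reason))
```

Run against a real scan, you would pipe `nmap -oG - ...` into it and keep BASELINE under version control next to the firewall rules, so that every diff between the two is either a change request or a finding. Filtered ports are ignored on purpose: the firewall is already doing its job there, and the question this check answers is what is actually reachable.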

Java exploit advertised in an Underground Internet forum

We continue to recommend that users disable Java in their web browsers, because it remains vulnerable to attacks that could result in identity theft and other cyber crimes. Less than 24 hours after Oracle on Sunday released a security update addressing two critical zero-day vulnerabilities in Java that were being actively exploited by attackers, an online vulnerability seller began offering a brand-new Java bug for sale.

According to a report, a Java exploit was being advertised for $5,000 a piece in an underground Internet forum, and the new zero-day vulnerability was apparently already in at least one attacker's hands. The thread has since been deleted from the forum, indicating a sale has been made, something sure to bring more concern to Oracle. Oracle can't predict the future, and its engineers obviously can't predict what exploits are going to be found in its software.

The most recent hole Java fixed allowed hackers to enter a computer by using compromised websites as the entry point into the Java plugin. Once in the system, they could steal any information, or hook the computer up to a botnet, a string of infected computers that can be used to launch attacks against other computers.

The exploit is valuable because it is usable on the most up-to-date version of Java, which could remain vulnerable for weeks, if not months.

Malware Infects US power plants through USB

The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released a report stating that two American electrical power plants were compromised late last year, and has identified a number of glaring electronic vulnerabilities.

At the first plant, unknown malware infected the control systems using unprotected USB drives as an attack vector. The tainted USB drive came in contact with a handful of machines at the power generation facility, and investigators found sophisticated malware on two engineering workstations critical to the operation of the control environment.

The report did not say whether those computers had up-to-date antivirus software, but it did say that current antivirus software could have detected the malware. The other infection affected 10 computers in a turbine control system. It was also spread by a USB drive and resulted in downtime for the impacted systems, delaying the plant restart by approximately three weeks. ICS-CERT recommended that the power facility adopt new USB use guidelines, including scanning and cleaning each USB device before every use.

Malware a huge threat in Critical Infrastructure

Every time a story emerges about malware popping up on an industrial control system or someone remotely hacking into some piece of critical infrastructure, there is a reliable and justifiable chorus of experts wagging their fingers and asking, "Why in the world was that system connected to the Internet in the first place?" At this point, pretty much everyone agrees that sensitive control systems should be air-gapped, or completely disconnected from the Internet. In this way, physical, human interaction should be the only way to access such systems, which is a considerable problem for those in the business of conducting cyberwarfare.

In order for the now-infamous Stuxnet malware to infiltrate workstations at Iran's Natanz nuclear enrichment facility, which was reportedly air-gapped from the rest of the Internet, some person apparently had to walk into the facility with a USB device that had the Stuxnet malware preloaded onto it. This unknown person then had to physically plug the USB stick into a computer connected to the Natanz network, after which the malware used some combination of Microsoft's AutoRun feature, a few forged certificates, multiple zero-days and lines upon lines of malicious code to spin a bunch of centrifuges out of control, causing them to malfunction in some catastrophic way.

This infection mechanism has an overwhelmingly analog feel to it, especially considering that malware itself and the Stuxnet saga as a whole constitute one of the more sophisticated cyberespionage operations known today.

As a number of news outlets have noted, the Natanz incident played an integral role in Microsoft's decision to disable the AutoRun functionality that automatically executed external media upon detection. More to the point, the Natanz incident sent a warning to the administrators of secure systems all over the world that thumb drives and other external storage devices presented a serious threat, and could potentially render the air-gap defense method useless. Largely because of Stuxnet, Defense News reports, USB storage and similar devices have been banned at Natanz and at the Pentagon, as well as in any number of other facilities containing sensitive systems.

This reality has forced the U.S. military apparatus to look beyond the conventional, analog variety of infecting air-gapped machines. The Department of Defense knows that this sort of 20th century, Cold War-era spy work just won’t jibe with the digital age. So the Pentagon is seeking an electronic way to jump the air-gap, so to speak.

The details of their proposal are of course classified, but sources familiar with the program told Defense News that the Army’s Intelligence and Information Warfare Directorate (I2WD) met with representatives from 60 or so organizations on November 28 of last year. Together they came up with a handful of objectives that will guide their Tactical Electromagnetic Cyber Warfare Demonstrator (TECWD, pronounced ‘techwood’).

Defense News notes that the TECWD program aims to uncover electronic solutions to problems in kinetic warfare as well (the report claims that one objective seeks to develop systems that could mitigate the threat of improvised explosive devices).

However, the more relevant part is about “inserting and extracting data from sealed, wired networks.” According to Defense News, the DoD believes they can inject malicious code via radio frequencies by analyzing electromagnetic field distortions from aircraft and ground vehicles deployed in or around the systems they want to compromise.

The TECWD project isn’t seeking to directly produce systems, according to the report, but is rather designed to be a platform on which to demonstrate a vast swath of emerging electronic warfare and defense capabilities.

Thursday, 17 January 2013

Malware infects power plants

During the past three months, unnamed malware infected two power plants' control systems using unprotected USB drives as an attack vector. At both companies, a lack of basic security controls made it much easier for the malicious code to reach critical networks.
In one instance, according to a recent report from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), malware was discovered after a power generation plant employee asked IT staff to look into a malfunctioning USB drive he used to back up control systems configurations.
That discovery prompted a more thorough on-site inspection that revealed "a handful of machines that likely had contact with the tainted USB drive." This included two of 13 workstations in an engineering bay tied to critical systems. "Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations," according to the report.
Analysts noted the need for operators of the nation's critical infrastructure networks to follow best practices. In recent years security researchers have tried to draw more attention to SCADA and ICS security (or the lack thereof) as a way of pushing companies, usually privately owned, to invest more resources in protecting their networks from cybercriminal activity.
"While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations," they wrote in this report. The ICS-CERT team also recommended cleaning USB drives after each use or using other media, such as write-once CDs, to help reduce the risk of malware contamination.
"The organization also identified during the course of the investigation that it had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact. The recommended practice is to maintain a system of 'hot spares' or other effective backups for all critical systems."
In a separate incident in October, ICS-CERT investigators discovered 10 computers linked to another power company's turbine control system also were infected with a virus via a USB drive during a software update installation. "Unknown to the technician, the USB-drive was infected with crimeware. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks."

Security Issues for Cisco Routers Uncovered

Researchers have uncovered a zero-day root exploit affecting the default installation of an unknown number of Cisco's Linksys routers. Cisco has been urged to fix the potentially serious vulnerability before the researchers release the full proof of concept (PoC) on BugTraq and Full Disclosure in two weeks, per their vulnerability disclosure policy. The exploit was demonstrated on the Cisco Linksys WRT54GL model, and the researchers believe that other models are vulnerable as well. They aren't entirely certain how many router models are affected by the flaw, but they note that Cisco has sold some 70 million Linksys routers. The group says it previously reported the vulnerability to Cisco along with its proof of concept, and that Cisco responded that the bug had been resolved in the most recent firmware update. The group then tested its PoC again and determined that the current firmware version (4.30.14) and all previous versions remain vulnerable.
A Cisco spokesperson confirmed the vulnerability's existence via email, but said that the flaw only affects the Linksys WRT54GL home router, the same model on which the group tested its exploit. The spokesperson said that Cisco has developed and is currently testing a fix for the issue. In the meantime, Cisco advises customers using the WRT54GL to keep their wireless router securely configured.

Turn off Java on your browser

Because of the vulnerability in the Java plugin, users have been advised to disable Java in their browser. Note that Java is completely different from JavaScript. Disabling JavaScript in the belief that it is part of Java will produce unexpected results in the browser, because most websites depend on JavaScript (and AJAX); in the browser, JavaScript helps craft the look and feel of a website. That doesn't mean there aren't security risks from JavaScript. There are, but they're different from the ones posed by Java, and they're generally fixed or patched directly by your browser vendor. JavaScript is very commonly used in modern websites. In fact, you won't get very far without it on many of the popular sites out there.

On the other hand, Java, made by Oracle, is a software package installed separately from your browser. It can be used for creating and running all sorts of regular-style software: web servers, code editors, word processors and much more. These are called applications, just like any other application such as Microsoft Word or Apple iMovie. Java also provides a plugin system that allows stripped-down Java programs called applets to run inside your browser. They aren't integrated with your browser like JavaScript programs, and their security generally depends on the Java system itself, not on your browser. Nevertheless, there have been several recent and widely-abused bugs in the applet part of Java that make your browser insecure. Time and time again we're seeing examples of cybercriminals exploiting flaws in Java to infect innocent users' computers.

For instance, in 2012 we saw more than 600,000 Macs infected by the Flashback malware because of a Java security flaw. In fact, it has become increasingly common to see malware authors exploiting vulnerabilities in Java, as it is so commonly installed and has frequently been found lacking when it comes to security. Cybercriminals also love Java because it is multi-platform, capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux. As a result it's not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload. Seriously though, stop reading this article now and check whether you have disabled Java or not. Chances are that if you don't think you need Java, you don't need it. Even if you absolutely must use websites that require you to have Java installed, why not disable it in your main browser and keep an alternative browser just for visiting those sites? What you need to do now is reduce the opportunities for attack. For most people that means disabling Java, and doing it now.

So I recommend that you turn off Java in your browser.

Most recently, in January 2013, a new zero-day flaw affecting Java in web browsers was exploited. Apple and Mozilla are doing things to help fight the problem for their users, but you may decide that you still need to take steps yourself. There will be many pointing fingers at Oracle and arguing that it has not taken the security flaws seriously, but the accusations that are bound to fly aren't actually going to help the millions and millions of vulnerable devices out there. Those devices need a patch from Oracle - but as it may not be available for some time, the best advice I can give you is to disable Java.

Web application and attacks

There is no doubt that web application security is a current and very newsworthy subject. For all concerned, the stakes are high: for businesses that derive increasing revenue from Internet commerce, for users who trust web applications with sensitive information, and for criminals who can make big money by stealing payment details or compromising bank accounts. Reputation plays a critical role: few people want to do business with an insecure web site, and so few organizations want to disclose details about their own security vulnerabilities or breaches. Hence, it is not trivial to obtain reliable information about the state of web application security today. In the early days of the World Wide Web, sites were little more than collections of static pages. Any security threats arising from hosting a web site related largely to vulnerabilities in web server software (of which there were many). If an attacker compromised a web server, he would not normally gain access to any sensitive information, because the information held on the server was already open to public view. Rather, an attacker would typically modify the files on the server to deface the web site's contents, or use the server's storage and bandwidth to distribute "warez."

Today, the World Wide Web is almost unrecognizable from its earlier form. The majority of sites on the web are in fact applications. They are highly functional, and rely upon two-way flow of information between the server and browser. They support registration and login, financial transactions, search, and the authoring of content by users. The content presented to users is generated dynamically on the fly, and is often tailored to each specific user. Much of the information processed is private and highly sensitive. Security is therefore a big issue: no one wants to use a web application if they believe their information will be disclosed to unauthorized parties. Web applications bring with them new and significant security threats. Each application is different and may contain unique vulnerabilities. Most applications are developed in-house, and many by developers who have little understanding of the security problems that may arise in the code they are producing. To deliver their core functionality, web applications normally require connectivity to internal computer systems that contain highly sensitive data and are able to perform powerful business functions. Ten years ago, if you wanted to make a funds transfer, you visited your bank and someone performed it for you; today, you can visit their web application and perform it yourself. An attacker who compromises a web application may be able to steal personal information, carry out financial fraud, and perform malicious actions against other users.

Common Web Application Functions
Web applications have been created to perform practically every useful function one could possibly implement online. Examples of web application functions that have risen to prominence in recent years include:
  • Shopping (Amazon)
  • Social networking (MySpace)
  • Banking (Citibank)
  • Web search (Google)
  • Auctions (eBay)
  • Gambling (Betfair)
  • Web logs (Blogger)
  • Web mail (Hotmail)
  • Interactive information (Wikipedia)
In addition to the public Internet, web applications have been widely adopted inside organizations to perform key business functions, including accessing HR services and managing company resources. They are also frequently used to provide an administrative interface to hardware devices such as printers, and other software such as web servers and intrusion detection systems. Numerous applications that predated the rise of web applications have been migrated to this technology. Business applications like enterprise resource planning (ERP) software, which were previously accessed using a proprietary thick-client application, can now be accessed using a web browser. Software services such as email, which originally required a separate email client, can now be accessed via web interfaces like Outlook Web Access. This trend is continuing as traditional desktop office applications such as word processors and spreadsheets are migrated to web applications, through services like Google Apps and Microsoft Office Live. The time is fast approaching when the only client software that most computer users will need is a web browser. A hugely diverse range of functions will have been implemented using a shared set of protocols and technologies, and in so doing will have inherited a distinctive range of common security vulnerabilities.

Benefits of Web Applications
It is not difficult to see why web applications have enjoyed such a dramatic rise to prominence. Several technical factors have worked alongside the obvious commercial incentives to drive the revolution that has occurred in the way we use the Internet:
  • HTTP, the core communications protocol used to access the World Wide Web, is lightweight and connectionless. This provides resilience in the event of communication errors and avoids the need for the server to hold open a network connection to every user as was the case in many legacy client-server applications. HTTP can also be proxied and tunneled over other protocols, allowing for secure communication in any network configuration.
  • Every web user already has a browser installed on their computer. Web applications deploy their user interface dynamically to the browser, avoiding the need to distribute and manage separate client software, as was the case with pre-web applications. Changes to the interface only need to be implemented once, on the server, and take effect immediately.
  • Today’s browsers are highly functional, enabling rich and satisfying user interfaces to be built. Web interfaces use standard navigational and input controls that are immediately familiar to users, avoiding the need to learn how each individual application functions. Client-side scripting enables applications to push part of their processing to the client side, and browsers’ capabilities can be extended in arbitrary ways using thick-client components where necessary.
  • The core technologies and languages used to develop web applications are relatively simple. A wide range of platforms and development tools are available to facilitate the development of powerful applications by relative beginners, and a large quantity of open source code and other resources is available for incorporation into custom-built applications.
Web Application Security
As with any new class of technology, web applications have brought with them a new range of security vulnerabilities. The set of most commonly encountered defects has evolved somewhat over time. New attacks have been conceived that were not considered when existing applications were developed. Some problems have become less prevalent as awareness of them has increased. New technologies have been developed that have introduced new possibilities for exploitation. Some categories of flaws have largely gone away as the result of changes made to web browser software. Throughout this evolution, compromises of prominent web applications have remained in the news, and there is no sense that a corner has been turned and that these security problems are on the wane. Arguably, web application security is today the most significant battleground between attackers and those with computer resources and data to defend, and it is likely to remain so for the foreseeable future.
SSL is an excellent technology that protects the confidentiality and integrity of data in transit between the user’s browser and the web server. It helps to defend against eavesdroppers, and it can provide assurance to the user of the identity of the web server they are dealing with. But it does not stop attacks that directly target the server or client components of an application, as most successful attacks do. Specifically, it does not prevent any of the vulnerabilities listed below, or many others that can render an application critically exposed to attack. Regardless of whether or not they use SSL, most web applications still contain security flaws. Commonly encountered flaws and vulnerabilities include:
  • Broken authentication (67%) — This category of vulnerability encompasses various defects within the application’s login mechanism, which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login altogether.
  • Broken access controls (78%) — This involves cases where the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users’ sensitive data held on the server, or carry out privileged actions.
  • SQL injection (36%) — This vulnerability enables an attacker to submit crafted input to interfere with the application’s interaction with back-end databases. An attacker may be able to retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.
  • Cross-site scripting (91%) — This vulnerability enables an attacker to target other users of the application, potentially gaining access to their data, performing unauthorized actions on their behalf, or carrying out other attacks against them.
  • Information leakage (81%) — This involves cases where an application divulges sensitive information that is of use to an attacker in developing an assault against the application, through defective error handling or other behavior.

Web Application And Security

With today’s web application platforms and development tools, it is possible for a novice programmer to create a powerful application from scratch in a short period of time. But there is a huge difference between producing code that is functional and code that is secure. A development team that begins a project with a complete knowledge of current threats may well have lost this status by the time the application is completed and deployed.
Most web application development projects are subject to strict constraints on time and resources, arising from the economics of in-house, one-off development. It is not usually possible to employ dedicated security expertise in the design or development teams, and due to project slippage security testing by specialists is often left until very late in the project’s lifecycle. In the balancing of competing priorities, the need to produce a stable and functional application by a deadline normally overrides less tangible security considerations. A typical small organization may be willing to pay for only a few man-days of consulting time to evaluate a new application. A quick penetration test will often find the low-hanging fruit, but it may miss more subtle vulnerabilities that require time and patience to identify.
Before the rise of web applications, organizations’ efforts to secure themselves against external attack were largely focused on the network perimeter. Defending this perimeter entailed hardening and patching the services that it needed to expose, and firewalling access to others. The core security problem faced by web applications arises in any situation where an application must accept and process untrusted data that may be malicious. However, in the case of web applications, there are several factors which have combined to exacerbate the problem, and which explain why so many web applications on the Internet today do such a poor job of addressing it.

The majority of attacks against web applications involve sending input to the server which is crafted to cause some event that was not expected or desired by the application’s designer. Some examples of submitting crafted input to achieve this objective are as follows:
  • Changing the price of a product transmitted in a hidden HTML form field, to fraudulently purchase the product for a cheaper amount.
  • Modifying a session token transmitted in an HTTP cookie, to hijack the session of another authenticated user.
  • Removing certain parameters that are normally submitted, to exploit a logic flaw in the application’s processing.
  • Altering some input that will be processed by a back-end database, to inject a malicious database query and so access sensitive data.
Note: Needless to say, SSL does nothing to stop an attacker from submitting crafted input to the server. If the application uses SSL, this simply means that other users on the network cannot view or modify the attacker’s data in transit. Because the attacker controls her end of the SSL tunnel, she can send anything she likes to the server through this tunnel.
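The crafted-input examples above (a tampered hidden field, a modified or removed parameter, an injected database query) together with the broken access control and SQL injection categories listed earlier, shown as an added example that is not from the original text: a toy order handler written the weak way, beside a hardened version that re-derives every security-relevant value on the server and binds user input as query parameters. The table layout, handler names and sample data are constructed for this illustration.

```python
"""Added example (not code from the original text): a toy order handler in the
weak form the text describes, beside a hardened version. Constructed in-memory
SQLite data stands in for the back-end systems; names and tables are assumed."""
import sqlite3


def make_db():
    """Constructed sample data: two products and two accounts (prices in cents)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.execute("CREATE TABLE accounts(user TEXT PRIMARY KEY, balance_cents INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "laptop", 99900), (2, "mouse", 1900)])
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 500000), ("bob", 100)])
    return db


def balance(db, user):
    return db.execute("SELECT balance_cents FROM accounts WHERE user = ?", (user,)).fetchone()[0]


# --- Weak pattern: the server believes whatever the browser submits ---------

def checkout_vulnerable(db, form):
    """Trusts the hidden 'price' and 'account' form fields as submitted, so a
    client that edits them pays whatever it likes, or bills someone else."""
    price = int(form["price"])
    account = form["account"]
    db.execute("UPDATE accounts SET balance_cents = balance_cents - ? WHERE user = ?",
               (price, account))
    return price


def search_vulnerable(db, name):
    """Builds SQL by string concatenation: the input is parsed as SQL (SQL injection)."""
    sql = "SELECT name, price_cents FROM products WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


# --- Hardened pattern: re-derive every security-relevant value on the server ---

def checkout_hardened(db, session_user, form):
    """Only the product id is read from the client. The price comes from the
    database, the debited account is the authenticated session user, and a
    missing or malformed parameter fails closed instead of being skipped."""
    try:
        product_id = int(form["product_id"])
    except (KeyError, ValueError):
        raise ValueError("product_id is required and must be an integer")
    row = db.execute("SELECT price_cents FROM products WHERE id = ?", (product_id,)).fetchone()
    if row is None:
        raise ValueError("unknown product")
    price = row[0]
    if balance(db, session_user) < price:
        raise ValueError("insufficient funds")
    db.execute("UPDATE accounts SET balance_cents = balance_cents - ? WHERE user = ?",
               (price, session_user))
    return price


def checkout_rejected(db, session_user, form):
    """True if the hardened handler refuses the request (shows fail-closed behaviour)."""
    try:
        checkout_hardened(db, session_user, form)
        return False
    except ValueError:
        return True


def search_hardened(db, name):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    return db.execute("SELECT name, price_cents FROM products WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = {"product_id": "1", "price": "1", "account": "bob"}  # edited hidden fields
    print("vulnerable charged", checkout_vulnerable(db, tampered), "cent(s) to bob")
    print("hardened charged", checkout_hardened(db, "alice", tampered), "cents to alice")
    print("injected search:", search_vulnerable(db, "x' OR '1'='1"))
    print("hardened search:", search_hardened(db, "x' OR '1'='1"))
    print("missing parameter rejected:", checkout_rejected(db, "alice", {}))
```

Run it directly to see the tampered form charge one cent to a different account in the weak version, while the hardened handler charges the catalogue price to the logged-in user, returns nothing for the injected search string, and rejects a request from which the product_id parameter has been removed.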

If a vulnerability exists within a web application, then an attacker on the public Internet may be able to compromise the organization’s core back-end systems solely by submitting crafted data from his web browser. This data will sail past all of the organization’s network defenses, in just the same way as does ordinary, benign traffic to the web application. The effect of widespread deployment of web applications is that the security perimeter of a typical organization has moved. Part of that perimeter is still embodied in firewalls and bastion hosts. But a significant part of it is now occupied by the organization’s web applications. Because of the manifold ways in which web applications receive user input and pass this to sensitive back-end systems, they are the potential gateways for a wide range of attacks, and defenses against these attacks must be implemented within the applications themselves. A single line of defective code in a single web application can render an organization’s internal systems vulnerable.

For an attacker targeting an organization, gaining access to the network or executing arbitrary commands on servers may well not be what they really want to achieve. Often, and perhaps typically, what an attacker really desires is to perform some application-level action such as stealing personal information, transferring funds, or making cheap purchases. And the relocation of the security perimeter to the application layer may greatly assist an attacker in achieving these objectives. For example, suppose that an attacker wishes to “hack in” to a bank’s systems and steal money from users’ accounts. Before the bank deployed a web application, the attacker might have needed to find a vulnerability in a publicly reachable service, exploit this to gain a toehold on the bank’s DMZ, penetrate the firewall restricting access to its internal systems, map the network to find the mainframe computer, decipher the arcane protocol used to access it, and then guess some credentials in order to log in. However, if the bank deploys a vulnerable web application, then the attacker may be able to achieve the same outcome simply by modifying an account number in a hidden field of an HTML form.

A second way in which web applications have moved the security perimeter arises from the threats that users themselves face when they access a vulnerable application. A malicious attacker can leverage a benign but vulnerable web application to attack any user who visits it. If that user is located on an internal corporate network, the attacker may harness the user’s browser to launch an attack against the local network from the user’s trusted position. Without any cooperation from the user, the attacker may be able to carry out any action that the user could perform if she were herself malicious. Network administrators are familiar with the idea of preventing their users from visiting malicious web sites, and end users themselves are gradually becoming more aware of this threat. But the nature of web application vulnerabilities means that a vulnerable application may present no less of a threat to its users and their organization than a web site that is overtly malicious. Correspondingly, the new security perimeter imposes a duty of care on all application owners to protect their users from attacks against them delivered via the application.

While old and well understood vulnerabilities like SQL injection continue to appear, their prevalence is gradually diminishing. Further, the instances that remain are becoming more difficult to find and exploit. Much current research is focused on developing advanced techniques for attacking more subtle manifestations of vulnerabilities which a few years ago could be easily detected and exploited using only a browser.

A second prominent trend is a gradual shift in attention from traditional attacks against the server side of the application to those that target other users. The latter kind of attack still leverages defects within the application itself, but it generally involves some kind of interaction with another user, to compromise that user’s dealings with the vulnerable application. This is a trend that has been replicated in other areas of software security. As awareness of security threats matures, flaws in the server side are the first to be well understood and addressed, leaving the client side as a key battleground as the learning process continues.

Wednesday, 16 January 2013

Java Vulnerability

The security patches, issued by Oracle, correct Java vulnerabilities that have lingered in Web browsers. Two Java security vulnerabilities affecting Java as used within popular Web browsers received emergency patches from Oracle on Jan. 13, to prevent unsuspecting users from being compromised by malicious code served from attacking Websites.

In a weekend post on The Oracle Software Security Assurance Blog, spokesman Eric P. Maurice wrote that the company released Security Alert CVE-2012-0422 to fix two vulnerabilities in the Java code. A fix for an older issue, CVE-2012-3174, was also included.

"These vulnerabilities do not affect Java on servers, Java desktop applications or embedded Java," Maurice wrote. "These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0," meaning they have the highest severity scores on the Common Vulnerability Scoring System (CVSS) scale used by the National Vulnerability Database, which is maintained by the U.S. Department of Homeland Security. "Oracle recommends that this security alert be applied as soon as possible because these issues may be exploited 'in the wild' and some exploits are available in various hacking tools."

For either vulnerability, a successful attack on users' computers must "trick an unsuspecting user into browsing a malicious Website," Maurice wrote. "The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in Web browsers because they are exploitable through malicious browser applets."

As part of the security alert, Oracle is also switching Java security settings to "high" by default, Maurice wrote. "The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed," he wrote. "As a result, unsuspecting users visiting malicious Websites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet."

If users don't patch their Java code immediately, they can also disable Java in their Web browsers by going through the Java Control panel on their computers, he wrote.

"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password," according to the security alert. "To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious Web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity and confidentiality of the user's system."

Both vulnerabilities are found in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries), according to Oracle. "Supported versions that are affected are 7 Update 10 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized operating system takeover including arbitrary code execution."

Mozilla, the organization behind the Firefox Web browser, posted information Jan. 11 on the Mozilla Security Blog advising users that, because of the recent vulnerabilities, Firefox will no longer automatically load Java applets. Instead, users must explicitly allow the Java plugin themselves through the "Click to Play" safeguard built into Firefox since last fall, according to the post by Michael Coates, Mozilla's director of security assurance.

Click to Play "ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin," Coates wrote. "This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site."

The Click to Play feature has been activated by Mozilla for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38), he wrote. "Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses."

A security researcher finds that seven exploit kits have added an attack for a previously unreported flaw in the latest version of the Java Runtime Environment.

On Jan. 11, security experts were again calling for computer users to disable the Java Web browser plugin and uninstall the software on their systems, following the discovery of a zero-day vulnerability in the latest version of the Java Runtime Environment.

Information about the vulnerability emerged Dec. 10, after a security professional discovered an exploit using the security hole to compromise systems. The vulnerability, which appears to only affect Java Runtime Environment (JRE) 1.7 and not prior versions, had not previously been known but appears to be similar to other Java security issues found in August 2012, said Jaime Blasco, labs manager at security-monitoring provider AlienVault.

The vulnerability allows a piece of Java code to break out, or escape, from the protected software container, or sandbox, that is a critical part of Java's security model, said Blasco, who had verified that the exploit worked.

"The most important thing about this is that it is a sandbox escape, not a memory exploitation or something similar, so most of the mitigations are not effective," he said.

The security professional who published details about the exploit, France-based security manager Charlie Hurel, worried that remaining quiet about the issue could lead to a large number of compromises.

Attacks against ICS (industrial control systems) on the rise

Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as skid-mounted programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures.

ICSs are typically used in industries such as electrical, water, oil, gas and data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Field devices control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions.

Industrial control system technology has evolved over the decades. DCS generally refers to the particular distributed control system design that exists in industrial process plants (e.g., oil and gas, refining, chemical, pharmaceutical, some food and beverage, water and wastewater, pulp and paper, utility power, mining, metals). The DCS concept came about from a need to gather data and control the systems on a large campus in real time on high-bandwidth, low-latency data networks. It is common for loop controls to extend all the way to the top level controllers in a DCS, as everything works in real time. These systems evolved from a need to extend pneumatic control systems beyond just a small cell area of a refinery.

The PLC (programmable logic controller) evolved out of a need to replace racks of relays in ladder form. The latter were not particularly reliable, were difficult to rewire, and were difficult to diagnose. PLC control tends to be used in very regular, high-speed binary controls, such as controlling a high-speed printing press. Originally, PLC equipment did not have remote I/O racks, and many couldn't even perform more than rudimentary analog controls.

SCADA's history is rooted in distribution applications, such as power, natural gas, and water pipelines, where there is a need to gather remote data through potentially unreliable or intermittent low-bandwidth/high-latency links. SCADA systems use open-loop control with sites that are widely separated geographically. A SCADA system uses RTUs (remote terminal units, also referred to as remote telemetry units) to send supervisory data back to a control center. Most RTU systems always did have some limited capacity to handle local controls while the master station is not available. However, over the years RTU systems have grown more and more capable of handling local controls.

The boundaries between these system definitions are blurring as time goes on. The technical limits that drove the designs of these various systems are no longer as much of an issue. Many PLC platforms can now perform quite well as a small DCS, using remote I/O and are sufficiently reliable that some SCADA systems actually manage closed loop control over long distances. With the increasing speed of today's processors, many DCS products have a full line of PLC-like subsystems that weren't offered when they were initially developed.

This led to the concept of a PAC (programmable automation controller or process automation controller), that is an amalgamation of these three concepts. Time and the market will determine whether this can simplify some of the terminology and confusion that surrounds these concepts today.

In 2012, energy, water and commercial control systems faced numerous attacks, including the use of a search engine to find thousands of exposed systems.
Industrial control systems came under increasing scrutiny and attack in 2012, with almost 200 documented incidents, according to a report released last week by a component of the U.S. Department of Homeland Security.

Energy firms accounted for more than 40 percent of the 198 incidents reviewed by the Industrial Control Systems (ICS) Cyber Emergency Response Team (CERT), and water utilities took a distant second place with 15 percent of the incidents. While some of the cases were caused by security researchers using the Sentient Hyper-Optimized Data Access Network (SHODAN), a regularly updated directory of ports, to find exposed industrial control systems, the majority were serious breaches, the report stated.

The group took part in responding to almost two dozen attacks on oil and natural gas firms, discovering that sensitive information on the operations of the supervisory control and data acquisition (SCADA) systems had been accessed by the attackers.

"Analysis of the targeted systems indicated that information pertaining to the ICS/SCADA environment, including data that could facilitate remote unauthorized operations, was exfiltrated," the report stated.

Researchers and security professionals have focused on threats to industrial control systems and critical infrastructure for nearly a decade. However, the Stuxnet attack on Iranian uranium-processing equipment galvanized the critical-infrastructure industries into taking such threats seriously.

Yet change has come slowly: A year ago, researchers found that systems that use SCADA, an architecture for networked control systems, were still widely vulnerable. In November 2012, two rival vulnerability research firms underscored the issue by finding almost four dozen vulnerabilities in major SCADA products.

Such vulnerabilities seem to be the rule among industrial control products. ICS-CERT coordinated with more than 55 industrial-control system makers to report 171 vulnerabilities. The issues ranged from buffer overflows to input validation issues to cross-site scripting attacks. Products including hard-coded passwords accounted for seven of the security issues, the ICS-CERT report stated.

The group increased the pressure on the suppliers to fix their products' security failings in a timely manner, allowing ICS-CERT to publish details of a particular vulnerability 45 days after notifying the vendor of the issue.

Suppliers were not alone in exposing security problems. One researcher using the SHODAN search engine to find Internet-accessible industrial control systems discovered about 20,000 systems accessible via the Internet.

"A large portion of the Internet facing devices belonged to state and local government organizations, while others were based in foreign countries," the ICS-CERT report stated. "(We) worked with partners as well as 63 foreign CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet."

The ICS-CERT noted six incidents involving the nuclear sector but stressed that the group was not aware of any network breaches.
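The SHODAN findings above describe control systems whose owners did not know they were reachable from the Internet. As an added example that is not from the ICS-CERT report or the original post, here is a self-audit a defender can run over their own firewall allow rules to catch that exposure before a search engine does. The rule format, the host names and the port-to-protocol mapping (standard default ports of common industrial protocols) are assumptions made for this illustration.

```python
"""Added example, not taken from the ICS-CERT report or the original post:
audit a constructed firewall-rule export for industrial-protocol services
reachable from the public Internet. Port-to-protocol mapping and the rule
format are assumptions made for this illustration."""
import ipaddress

# Default TCP/UDP ports of common industrial protocols (assumed, well-known defaults).
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}


def source_is_internet(cidr):
    """True when an allow rule's source covers the whole Internet (0.0.0.0/0)
    or any non-private range, i.e. the service is reachable from outside.
    The prefix-length check comes first because 0.0.0.0/0 also spans private space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def find_exposed(rules):
    """rules: iterable of (host, dest_port, allowed_source_cidr) allow rules.
    Returns one finding per ICS service whose allowed source includes the Internet."""
    findings = []
    for host, port, source in rules:
        protocol = ICS_PORTS.get(int(port))
        if protocol and source_is_internet(source):
            findings.append({"host": host, "port": int(port),
                             "protocol": protocol, "source": source})
    return findings


# Constructed sample export: (host, destination port, allowed source).
SAMPLE_RULES = [
    ("plc-01", 502, "0.0.0.0/0"),         # Modbus open to the world: finding
    ("plc-02", 502, "192.168.10.0/24"),   # Modbus from the plant LAN only: fine
    ("rtu-07", 20000, "0.0.0.0/0"),       # DNP3 open to the world: finding
    ("web-01", 443, "0.0.0.0/0"),         # HTTPS, not an industrial protocol
    ("hmi-03", 44818, "10.0.0.0/8"),      # EtherNet/IP from internal ranges: fine
]

if __name__ == "__main__":
    for f in find_exposed(SAMPLE_RULES):
        print(f"{f['host']}: {f['protocol']} (port {f['port']}) reachable from {f['source']}")
```

Feeding a real rule export through this check turns the report's "notify the owners" step into something each operator can do for themselves; any finding is a candidate for moving the service behind a VPN or removing the rule entirely.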

Tuesday, 15 January 2013

Is Your Website Secure?

Is Your Website Secure?
Some people ask: why would someone hack me?
What would they get from it?
They won't get anything from my site...
So many websites have been defaced recently, and some have had their content wiped. Don't wait until you become a victim before you start acting. A vulnerable site not only affects the confidentiality, integrity and availability of data, but can also infect visitors' machines with viruses. Sometimes attackers are able to control the victim's machine after the site has been successfully hacked.

A website is the most accessible asset: it can be accessed from anywhere in the world, so it can also be attacked from anywhere in the world. Routine checks on your IT infrastructure and websites, and in-house training for those in the IT department, will help secure your assets.

If the security of those assets is not implemented, data recovery and reputation management after such assets are hacked cost a lot of money and effort. It will take some time before people can again entrust their data and assets to you.

There are several things that we do out of ignorance that cost us money. Sometimes we say education is expensive, but realistically, ignorance is more expensive.
How do we beat ignorance? By educating yourself: attend seminars, read books, and share with people who can help you by telling you the right steps to take and giving you guidelines.

Data leakage can be prevented if system and network checks, web scans and thorough penetration testing of sites and networks are performed from time to time. Wireless security is not left out: if a wireless network is accessed by an attacker, he could sniff data and carry out many other malicious activities over the network.

Stay tuned for more guidelines and tips on how to secure your data, networks and websites. You can also contact us at cyberinfocts (at) yahoo (dot) co (dot) uk. We also conduct training on information security, ethical hacking, penetration testing, digital forensics, cyber security and web application security.

We also perform penetration testing on websites, networks and wireless devices, and offer corporate training and solutions.