Category: Piracy
October 8th, 2008
Student indicted for Palin e-mail hack
The U.S. Justice Department today announced that a federal grand jury in Knoxville, Tennessee has indicted the 20-year-old son of a state lawmaker in connection with the compromise of Sarah Palin’s Yahoo e-mail account.
David Kernell (left), who was identified for a while as the alleged hacker, is expected to be arraigned today before U.S. Magistrate Judge C. Clifford Shirley.
From the announcement:
September 25th, 2008
EA Spore backlash could help end DRM
Guest editorial by Oliver Day
The backlash over DRM has finally started to gather serious momentum.
Everyday consumers started a campaign to give the highly anticipated game Spore one-star ratings on Amazon. Thousands of Amazon users labeled Spore a poor choice because of the SecuROM DRM system that is forced onto the machines of PC users who purchase the game. EA has backpedaled a bit and eased the restrictions on the number of installs per machine. They have even made a verbal (but unenforceable) promise to disable the DRM system by patch should they ever end-of-life the product.
September 18th, 2008
Norwegian BitTorrent tracker under DDoS attack
Norway’s largest BitTorrent tracker, Norbits (norbits.net), with approximately 10,000 users, is currently under a DDoS attack launched by a group known as MORRADi, which also claims to have compromised the tracker and is threatening to release its users’ personal details, including IPs, unless the tracker is closed:
“In an NFO file obtained by IT-Avisen, a group called MORRADi takes responsibility for the attack on Norbits. “Once again we show our power! Once again we show your foolishness! This is not the first time we have done it, and it won’t be the last,” they write (translated).
“Enough is enough, you are becoming a real nuisance, and you are also a bunch of idiots that try to hide, so it’s high time we punish you! P2P is not something we want, when will you understand that? Do we have to take it as far as publishing your user database online?”
This is the second time in the past two years that the tracker has been under a DDoS attack, and however futile the attackers’ ambition of shutting down a tracker for promoting P2P may be, the success of Norbits seems to have already pissed off the local warez scene.
July 29th, 2008
The Neosploit cybercrime group abandons its web malware exploitation kit
The end of the Neosploit web malware exploitation kit? RSA’s FraudAction Research Labs’ recent monitoring of ongoing communications between Neosploit team members and their potential customers indicates so. The Neosploit malware kit has been around since the middle of 2007, with prices varying between $1000 and $3000. Its main differentiators next to popular alternatives such as MPack and Icepack were its customer support and constant updates (including new JavaScript obfuscation routines and exploits as they became available), its multi-user command and control interface, and its improved metrics and filtering of infected hosts.
Is this really the end of Neosploit? Could be, but it’s definitely not the end of web malware exploitation kits in general:
“In mid-July, however, evidence showed that Neosploit’s successful business was running into problems. It is likely that Neosploit was finding it difficult to sustain its new customer acquisition rate, and that its existing customers were not generating enough revenue to sustain the prior rate of development. These problems appear to have been too much of a burden, and we now believe that the Neosploit development team has been forced to abandon its product. Like any responsible business, the Neosploit team is trying to be remembered as a good business that might one day return. Our sources reported that they took the time and effort to part properly with an “out of business” announcement. Or as the translation goes:
“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself. We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.”
Let’s discuss their business model, how other cybercriminals disintermediated it and thereby ruined it, and most importantly, how it is possible that such a popular web malware exploitation kit cannot seem to achieve a positive return on investment (ROI).
January 26th, 2008
Sears picks new online leader; Let's hope he gets the security thing
Sears Holdings is expected to name a Microsoft veteran to head its online business.
According to the Wall Street Journal, Sears will name James Barr, who was the general manager of Microsoft’s MSN Shopping and Marketplaces. Barr will become a senior vice president of Sears Holdings.
Barr’s appointment is part of a broader shakeup at Sears, but let’s hope that the newcomer can bring in a little security know-how. Sears has had its privacy problems. Earlier this month, Sears’ Manage My Home site allowed anyone to find your purchase history. Before that, security researcher Ben Edelman noted that Sears was using ComScore software to track your online browsing and violate privacy standards.
Barr, who will oversee operations, business and technology for Sears’ online units, should be able to inject better project management at Sears. The big question is whether he’ll have the budget to do anything. Microsoft throws money at MSN. Sears isn’t likely to give Barr nearly as many resources.
December 6th, 2007
Researchers map China's underground cybercrime economy
The paper concludes that 1.49 percent of the 145,000 most popular sites in China “contain some kind of malicious content.” While the Internet boom in China is impressive, the researchers note that “there is also the other side of the coin: targeting the virtual assets owned by the normal Chinese Internet users, malicious attackers, so called blackhats, discover the Web as a new venue for making money by exploiting innocent users.”
The researchers outline the most common attack:
“A common theme is to inject malicious code into a bought or cracked website. The injected code exploits an unpatched client-side vulnerability within the visiting web-browser or related application. Each time a user with a vulnerable version of a browser or related application visits this site, his machine is compromised and some kind of malware is automatically installed. This kind of attack is also called drive-by-download attack. The malware is quite often some kind of Trojan Horse that searches for valuable information on the victim’s machine and then sends the information back to the attacker, who in turn can sell this virtual good to other attackers or innocent users.”
Meanwhile, anti-virus software simply can’t keep up with these threats, according to researchers.
More interesting, however, is the paper’s attempt to map China’s underground hacking economy and identify the key players. These players aren’t specific to China per se, but are worth noting.
A few takeaways from the report:
- “The market price of a Trojan is between tens to thousands Renminbi (RMB), and a package of 0-day powerful Trojan generator and evasion service can be up to several ten thousands RMB. 10 RMB is as of November 2007 equivalent to $1.34 US dollar.”
- “The administrators of certain personal websites attract visitors with the help of free goodies, e.g., free movies, music, software, or tools. These websites often betray their visitors: they sell the traffic (i.e., website visits) of their websites to Envelopes Stealers (people that buy traffic and malware) by hosting the Web-based Trojans. This means that innocent websites visitors are redirected via these malicious websites to other sites that then attack the victims. If the attack is successful, a piece of malware is installed on the victim’s machine.” The going rate: 40 to 60 RMB per 10,000 IP visits.
- Gamers are the linchpin of China’s underground economy. These folks are the victims of virtual asset theft: powers in games and virtual money. Without their demand, hackers wouldn’t have much to sell.
- Bulletin boards are the communications tool of choice. Specifically, Baidu’s bulletin board is popular with hackers. “One of the most prominent places for such markets within China is the Baidu Post Bar, the largest bulletin board community in China but with weak administration. Advertisements can be commonly found on several pertinent post bars at the site post.baidu.com. This system has a keyword-based structure, and there are no other entries to the post bar: if you do not know the keyword to search for, you will not find any malicious entries. The actors within the black market have their own, unique jargon, and thus it is hard for an outsider to find any information about this threat. The actual trading of virtual assets happens on public market places like Taobao. These very common online business platforms within the WWW are used by the cyber criminals to advertise and sell their goods. After a trade was successful and a Player has bought a virtual good, the money is sent commonly via Alipay.”
October 25th, 2007
Trend Micro makes DLP move, Symantec stands pat
Trend Micro has made its move in the red-hot (DLP) data leak prevention business, snapping up Provilla, a two-year-old company that markets DataDNA fingerprinting technology.
Financial terms of the deal were not released.
The Japanese security powerhouse plans to operate Provilla as a subsidiary of its U.S. affiliate and continue to offer Provilla’s stand-alone products for the near term. These include LeakProof, a service that uses “fingerprinting” technology to scan file servers and create document signatures. LeakProof then monitors access and enforces policy — through any port, on every PC, at all times.
Gradually, Trend Micro says it will integrate Provilla’s capabilities into its own enterprise, small and medium business products.
The Trend Micro move comes in the midst of heavy consolidation — and roll-up speculation — in the DLP space.
Rival McAfee recently shelled out $350 million to buy SafeBoot, $20 million to acquire Onigma, and unveiled a new risk management strategy to take advantage of the lucrative market for database protection products.
One company that appears to be standing pat on the acquisition front is Symantec. Speculation on a long-rumored deal for Vontu heightened last week with word that Big Yellow would spend between $300 million and $350 million for Vontu, but sources tell me the two sides “couldn’t get close” on the valuation/price tag for the acquisition.
A Symantec/Vontu marriage makes total sense (scuttlebutt has been around since 2006) and the acquisition could still
October 23rd, 2007
Zero-day flaw in Macrovision DRM app under attack
Malware authors are actively exploiting a zero-day privilege escalation vulnerability in a copy protection application installed by default in Windows XP and Windows 2003, according to a warning from anti-virus vendor Symantec.
The unpatched vulnerability, confirmed in the Macrovision SafeDisc (secdrv.sys) DRM scheme for online games, can be exploited to overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges.
This facilitates the complete compromise of affected computers.
An advisory from the NVD (National Vulnerability Database) provides the skinny:
Buffer overflow in Macrovision SafeDisc secdrv.sys, as shipped in Microsoft Windows XP and Server 2003, allows local users to overwrite arbitrary memory locations and gain privileges via a crafted argument to a METHOD_NEITHER IOCTL.
Symantec researcher Elia Florio stumbled upon the flaw while reverse engineering an in-the-wild malware sample and successfully tested the exploit against fully patched Windows XP-SP2 and Windows 2003-SP1 machines. Windows Vista does not seem to be affected by the problem, Florio said.
Immediately after Florio went public with his discovery, researchers at Reverse Mode traced the issue to the Macrovision SafeDisc application. Exploit code (.zip file) for this issue is already in circulation.
A functional exploit is commercially available through the CORE IMPACT penetration testing platform.
October 8th, 2007
McAfee snaps up SafeBoot for $350 million
McAfee today announced plans to shell out $350 million to buy SafeBoot, a deal that strengthens the anti-virus vendor’s push into the mobile data security market.
The acquisition gives McAfee a pioneer in the encryption, identity management and access/device control business and a solid addition to its own DLP (data loss prevention) offerings.
SafeBoot boasts of having five million active end-user licences worldwide — 4,100 customers in 76 countries — including 18 of the top 50 companies in the Forbes Global 2000 list for 2006.
The company recently inked a deal to provide the U.S. Department of Agriculture with device encryption, whole disk encryption and port control solutions across 29 agencies and 180,000 users throughout the United States.
The McAfee purchase comes just one month after SafeBoot announced plans for an IPO (initial public offering) on Euronext Amsterdam. The Dutch firm generated revenues of €28.9 million (US$40.5 million) for the full year ended December, 2006.
October 1st, 2007
HP, Cenzic settle fault injection patent spat
Web application security firms HP (SPI Dynamics) and Cenzic have called off the dogs in a patent dispute over fault injection technology.
The two companies had sued — and countersued — each other over the use of fault injection in Web application security scanners but, in a brief statement today, HP and Cenzic agreed to dismiss the lawsuits and enter into cross-licensing deals.
The Hewlett-Packard Company (HPQ) and Cenzic Inc. have signed a settlement and cross-license agreement for the patents HP and Cenzic are currently asserting against one another. This agreement settles the outstanding litigations filed by SPI Dynamics (which was acquired by HP) in Federal Court in Georgia and filed by Cenzic in Federal Court in Virginia, and these lawsuits will be immediately dismissed.
Financial terms of the agreements were not released.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.