Aurora Report

Jayson Cavendish

Game server admins arrested for Chinese DNS attacks

By jacqui@arstechnica.com (Jacqui Cheng) on security

A denial of service attack that took down Internet access in parts of China earlier this year has been attributed to an over-enthusiastic game provider trying to take down rivals. Police in Foshan, a city in Guangdong, have announced that they arrested four individuals for the attack, noting that they would go to trial sometime in the mysterious future.

The group was headed up by a 23-year-old factory worker with the surname Bing, according to the police announcement. Bing and his cohorts had set up a number of private servers for gamers to use, but weren't making much money because rivals had been engaging in distributed denial of service (DDos) attacks against them, constantly taking down the service. Bing was apparently angered by this and decided to drop 280,000 yuan (roughly US$41,000) to rent even more servers for the sole purpose of retaliating against his own attackers.

Phishers cut bait, slip on trojans instead

By jacqui@arstechnica.com (Jacqui Cheng) on Symantec

Phishing e-mails have dropped during the first half of 2009, indicating that cybercriminals are looking for other ways to scam unsuspecting users. Researchers from IBM's Internet Security sector, X-Force, revealed in their Mid-year Trend and Risk Report that banking Trojans appear to be taking the place of phishing for financial info. This trend is reflected by other security firms, too, but not everyone agrees on whether this is a true shift or just a temporary dip.

The X-Force team described the drop as "dramatic," noting that phishing only made up about 0.1 percent of all spam during the first six months of the year. Comparatively, phishing e-mails made up close to 1 percent of all spam during the same period in 2008, and an average of 0.5 percent during all of 2008. Of the phishing e-mails that are still floating around in the wild, the large majority of subject lines have to do with PayPal, with the remainder indicating that they are related to banking or other financial accounts.

Snow Leopard includes rudimentary malware protection (Updated)

By chris.foresman@arstechnica.com (Chris Foresman) on Snow Leopard

The malware threat on Mac OS X is infinitesimally small, but it does exist. The biggest threat so far seems to come from trojans that attempt to disguise themselves as legitimate software updates or installers. Though it's not mentioned anywhere in the extensive list of enhancements and refinements on Apple's website, it turns out that Snow Leopard does have some level of protection against such malware.

Security firm Intego turned up the feature, which seems to be an enhancement of the usual "This file is from the Internet, are you sure you want to open it?" warning. If a disk image or installer package contains known malware, Snow Leopard will warn that it can damage your computer. If you don't choose to open the installer anyway (and we recommend you don't), the offending file will be automatically moved to the Trash. Intego hasn't been able to identify exactly how the mechanism works, but several MacRumors forum members confirmed that it does identify known trojans.

Chances are this functionality won't protect against unknown attacks, and it's not clear exactly how Apple might protect against new trojans (yes, new malware definitions would come via Software Update, but when? how often?). The feature also doesn't seem to be as extensive as third-party antivirus software, but we don't know a lot of details at this point. Still, it is an extra safety net to keep you from being the victim of a social engineering hack.

UPDATE: I was pointed towards some information that sheds a little more light on how this feature works. According to Panic developer Cabel Sasser, the malware definitions are in the file /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist. From what's been discovered so far, this file only identifies the iServices and RSPlug trojans. However, it should be fairly trivial for Apple to update this file with new information, though how often those updates would occur is still anyone's guess—Apple has so far not responded to our request for comment. It should also be noted that only files downloaded via e-mail or the Web are scanned—it seems to work with Safari, Firefox, iChat, Entourage, Mail, and Thunderbird—checking external volumes and general file scanning are not implemented.

Botnet traffic bounds back 90% within 48 hours of ISP shutdown

By casey.l.johnston@gmail.com (Casey Johnston) on traffic

A common way of combating spam traffic is to shut down the service provider through which the traffic is being processed. With a new variety of botnets, though, this method is becoming increasingly ineffective. The August report from Message Labs indicates that the shutdown of a Latvian ISP, while initially effective, ultimately did little to quell the malicious activity of one botnet, whose traffic recovered in a matter of days.

Cutwail is one of the largest botnets running amuck on the Internet, and is estimated to be behind 15-20 percent of all spam, including malicious websites, phishing websites, and fake antivirus products. Message Labs noted that Cutwail was conducting a large portion of its dubious business through Real Host, an ISP based in Riga, Latvia. Real Host was allegedly involved with "command-and-control" servers allowing large-scale botnet infection.

Obsessions with Jessica Biel lead to a world of malware hurt

By jacqui@arstechnica.com (Jacqui Cheng) on virus

Admit it: every so often, you pop over to Google to search for a hot celebrity or two (or if you don't, you know somebody who does). If Jessica Biel is at the top of your (or their) list, you might want to exercise a bit more caution, as security firm McAfee has rated the 7th Heaven star as the most likely to net you an infection or two—on your computer, that is.

McAfee performs an annual survey of sites that purport to have information and pictures of A-list celebrities. Paris Hilton and Brad Pitt have both been at the top of the list in the past, but Biel has passed Pitt to become the riskiest star to search for. According to McAfee, fans searching for downloads, wallpapers, screensavers, photos, and videos of Biel have a one-in-five chance of ending up at a site that hosts spyware, malware, viruses, adware, spam, or phishing scams. "Jessica Biel screensavers" in particular were very dangerous—almost half of the downloads coming from those sites were malicious.

Former Symantec exec launches cloud-based, social antivirus

By david@arstechnica.com (David Chartier) on security

Considering that Microsoft feels the need to enter the antivirus market and 12 of the top 35 anti-malware makers failed Virus Bulletin's August 2009 test, one could argue that antivirus products are not where they should be. Former Symantec executive Oliver Friedrichs thinks a different approach is necessary, so he built a new cloud-based, social antivirus product called Immunet Project.

Harnessing what Immunet calls "Collective Immunity," Immunet Project claims to be able instantly fortify all of its users' computers against new virus threats. "Immunet uses a global community to collect anonymous information on applications running across the Immunet population," Friedrichs told Ars Technica. "We extract specific attributes from Windows PE files that are then coalesced in the cloud and classified as good or bad." When Immunet finds a piece of malware on a user's computer, it notifies the rest of the user network, supposedly in real time. Because of this approach, Immunet keeps most of its client infrastructure on its servers; the actual client install takes up less than 5MB of space.

Apache.org Compromised via stolen SSH keys

By Robert A. on IndustryNews

Netcraft is reporting that apache.org has been compromised. The apache blog posted the following message indicating an SSH key compromise. "This is a short overview of what happened on Friday August 28 2009 to the apache.org services. A more detailed post will come at a later time after we complete the...

Article: Bypassing DBMS_ASSERT in certain situations

By Robert A. on Vulns

David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible. From the whitepaper "The DBMS_ASSERT builtin package can be used by PL/SQL developers to protect against SQL injection attacks[1]. In [2] Alex...

Flash Worm - SANS Analysis

By Robert A. on Interviews

Sans has write up about a recent flash worm. "A few days ago a lot of media wrote about a Flash worm. I managed to get hold of samples and analyzed it (thanks to Peter Kruse of CSIS for the samples). First of all, while the exploit code contains Flash, it...

WASC Distributed Open Proxy Honeypot Update - XSS in User-Agent Field

By Robert A. on XSS

"In case you missed it, the WASC Distributed Open Proxy Honeypot Project launched Phase III at the end of July. We have a few sensors online and as we start gathering data, we are starting our analysis. Our goal is to be able to release "events of interest" to the community...

AppSec DC 2009

By Robert A. on IndustryNews

"OWASP Announces International Application Security Conference for 2009 Speaker Agenda Released and Registration Open for 2009's Largest Web Application Security Event Washington DC August 20th, 2009 -- Following in the footsteps of the Open Web Application Security Project's (OWASP, http://www.owasp.org ) immensely successful and popular conferences earlier this year in Australia,...

WASC Threat Classification v2 updates

By Robert A. on WASC

We're nearing the completion of the WASC Threat Classification v2 (2 sections left!) and have added the following new sections since my last couple of posts. Null Byte Injection Integer Overflows We've also heavily updated the following sections Buffer Overflows (in depth discussion of heap vs stack vs integer overflows) SQL...

Accused mastermind of TJX hack to plead guilty

By Michelle Meyers

Albert Gonzalez, the alleged ringleader of one of the largest known identity theft cases in U.S. history, has agreed to plead guilty to all 19 counts of related charges against him, according to court documents filed Friday.

Gonzalez, 28, of Miami, was accused in August 2008 of helping steal ...

Trend Micro's 2010 suite is sharp at the top

By Seth Rosenblatt

Trend Micro released its 2010 security products earlier this week, with three programs offering varying levels of security and service. The comparatively barebones Trend Micro Antivirus + AntiSpyware clocks in at $40, with the basic suite Trend Micro Internet Security available for $10 more and $70 for the premium Trend Micro Internet Security Pro. ...

Originally posted at The Download Blog

Beware fake Snow Leopard sites

By Elinor Mills

People eager to get a copy of the latest version of the Mac operating system, Snow Leopard, should be wary of sites offering free copies because they are likely to get some nasty malware instead, according to antivirus company Trend Micro.

Trend Micro said in a blog posting on Wednesday ...

Originally posted at InSecurity Complex

Facebook ratchets up privacy controls (again)

By Caroline McCarthy

A recent simplification of Facebook's user privacy controls wasn't enough for some policymakers.

On Thursday, in conjunction with the Canadian Privacy Commissioner, Facebook announced a new set of modifications to its user privacy controls as well as its developer API, and the targets of these changes are the ...

Originally posted at The Social

Researchers who hack the Mac OS

By Elinor Mills

Dino Dai Zovi

(Credit: Tehmina Beg)

It was summer 2005. Dino Dai Zovi walked into a Manhattan Starbucks, ordered a coffee, sat down, and opened up his laptop.

Before his coffee was cold he had found a local privilege escalation vulnerability in Mac OS ...

Originally posted at InSecurity Complex

Snow Leopard could level security playing field

By Elinor Mills

Share of the Mac operating system is growing, and with it the number of malware threats targeting the platform.

(Credit: Net Applications)

Friday's release of the new version of the Mac OS, dubbed Snow Leopard, could include some security features that would make ...

Originally posted at InSecurity Complex

ACLU chapter flags Facebook app privacy

By Caroline McCarthy

The Northern California chapter of the American Civil Liberties Union has put out a campaign designed to raise awareness of the privacy implications of Facebook's developer platform. It's focusing specifically on the popular "quiz" applications, like "Which Cocktail Best Suits Your Personality?" and "Which Wes Anderson Movie Character ...

Originally posted at The Social

Report: Antivirus feature for Snow Leopard?

By Tom Espiner

(Credit: Apple)

The next version of Apple's OS X, which is due out Friday, may bundle antivirus capabilities.

Mac security firm Intego said that the latest version of the operating system, Mac OS X Snow Leopard, could have an antimalware feature, according to reports, in a blog post Tuesday. ...

Originally posted at News - Apple

Symantec pulls Norton patch after error reports

By Elinor Mills

This is the error message on the Norton support Web site after users reported that the patch failed to install properly.

(Credit: Symantec)

Symantec is providing a fix for customers who got error messages after a patch deployment went awry for some Norton users, the company said on Tuesday.

The ...

Originally posted at InSecurity Complex

Google patches severe Chrome vulnerabilities

By Stephen Shankland

Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person's computer.

With one attack on Google's V8 JavaScript engine, malicious JavaScript on a Web site could let ...

Originally posted at Deep Tech

Jessica Biel most 'dangerous' celeb in cyberspace

By Lance Whitney

Through no fault of her own, actress Jessica Biel is now the most hazardous celebrity on the Internet.

Jessica Biel

McAfee names Jessica Biel most dangerous celebrity online in 2009.

(Credit: Business Wire)

Fans searching online for Biel have a one-in-five chance of hitting a Web site with malware, according to McAfee'...

Cracking GSM phone crypto via distributed computing

By Elinor Mills

If you are using a GSM phone (AT&T or T-Mobile in the U.S.), you likely have a few more months before it will be easy for practically anyone to spy on your communications.

Security researcher Karsten Nohl is launching an open-source, distributed ...

Originally posted at InSecurity Complex

Cisco wireless LANs at risk of attack, 'skyjacking'

By Elinor Mills

Cisco Systems wireless local area network equipment used by many corporations around the world is at risk of being used in denial-of-service attacks and data theft, according to a company that offers protection for WLANs.

Researchers at AirMagnet, which makes intrusion-detection systems for WLANs, discovered the vulnerability, which affects all ...

Originally posted at InSecurity Complex

Jailed SF network administrator faces fewer charges

By Steven Musil

A judge has dismissed most of the charges against a former San Francisco network administrator accused of hijacking the city's computer network he designed and maintained.

San Francisco Superior Court Judge Kevin McCarthy on Friday tossed three tampering charges against Terry Childs, while preserving a lone charge of denying

...

Apache SSH Key compromised

By Rik Ferguson on web

UPDATE: A post regarding this incident from apache.org is available at https://blogs.apache.org/infra/entry/apache_org_downtime_initial_report ______________________________________________________________________________ As of this moment, Apache.org is reporting that SSH key associated with its US servers has been compromised and are shifting all traffic to their European mirror. Details of the attack/compromise are few at the moment, as this is breaking news. It is worth remembering however [...]

Apple anti-malware? Snow joke!

By Rik Ferguson on malicious code

It looks, on one hand, as it Apple are now alive to the danger that malicious code represents to their users. Reports from beta testers indicate that in the newest version of MacOS Snow Leopard, due for release tomorrow, Apple have included anti-malware technology (although someone needs to tell their marketing department who as previously [...]

SMiShing Time, wish you were here!

By Rik Ferguson on telephone

Earlier this summer, CIFAS, the Fraud Prevention agency warned about a rise in the threat from SMiShing, this warning has recently been echoed by the Guardian Newspaper. SMiShing reports date back to around 2006 when this threat started to become noticeable. Spoofed or otherwise faked SMS messages are used as bait to lure victims to responding via SMS [...]

Mac OS X Snow Leopard Bundled With Malware Detector

By Darknet on snow leopard security

Ah we saw this coming didn’t we, back in June we reported on Apple Struggling With Security & Malware and now they have shown they were paying attention. Even though they tried to do so quietly, they are slipping a ‘malware detector’ into the latest OS X update known as Snow Leopard. The problem is though, it [...]

Trafscrambler – Anti-sniffer/IDS Tool

By Darknet on trafscrambler

Trafscrambler is an anti-sniffer/IDS LKM(Network Kernel Extension) for OSX, licensed under BSD. Features Injection of packets with bogus data and with randomly selected bad TCP cksum or bad TCP sequences Userland binary(tsctrl) for controlling trafscrambler NKE SYN decoy – sends out number of SYN pkts before the original SYN pkt TCP reset attack – sends out RST/FIN pkt with bad [...]

TJX Hacker Albert “Segvec” Gonzalez Indicted By Federal Grand Jury

By Darknet on tjx hacker

We’ve been following the whole TJX saga for quite some time now since way back in September 2007 when the hack became public as the Largest Breach of Customer Data in U.S. History and in August 2008 when the TJX Credit Card Hackers Got Busted. The legal system has ticked along and now they have to [...]

Filtering Network Attacks With A 'Netflix' Method

University of California at Irvine researchers devise new model for blacklisting network attackers

Attack Of The Tweets: Major Twitter Flaw Exposed

UK researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet

New IEEE Printer Security Standard Calls For Encryption, Authentication, Electronic "Shredding"

Printers finally get security attention, but locking them down depends on actual implementation, configuration, experts say

IDC Report: Most Insider Leaks Happen By Accident

Unintentional leaks may cause more damage than internal fraud, IDC research study says

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

New best practices aimed at helping retailers -- especially small merchants -- but security experts say skimming risk runs deeper

Newly Discovered Vulnerability Could Threaten Cisco Wireless LANs

Cisco's wireless LANs could be vulnerable to attack through over-the-air provisioning feature, researchers say

Hacker Ring Tied To Major Breaches Just Tip Of The Iceberg

TJX-Heartland attacker and cohorts also reportedly hacked ATM machines in 7-Elevens, but their wide net is likely just one of many

Symantec: Eavesdropping Trojan Targets Skype

In Web 2.0

Symantec has uncovered a Trojan that eavesdrops on conversations and sends the audio files to a server controlled by the attacker.

China Flooding Web with SQL Injection Attacks

In Virus and Spyware

SQL injection attacks remain a serious problem, with new waves of the threats being generated in China over the last month.

Google: Malware Sites on the Upswing

In Virus and Spyware

Google reports that it is seeing a rapid increase in the sheer volume of malware sites it encounters, while returning fewer infected URLs to search users.

IBM Report Examines Online Threats for First Half of 2009

In Vulnerability Research

IBM X-Force released a report Aug. 26 highlighting the most prevalent security risks of the first six months of 2009. The news was a mix of the good, the bad and the ugly.

Survey: Hackers on Vacation Before Q4 Saturation

In Virus and Spyware

Malicious hackers like to take off during Q3, much like their adversaries in IT security, before putting the hammer down over the holidays.

Latest AES Encryption Attack Not the End of the World

In Vulnerability Research

Although recent research on attacks targeting AES-256 encryption are an improvement over past attacks, they do not make the widely-used encryption scheme ineffective. Experts say AES remains secure.

Researchers Warn of Powerful New Data Theft "Cocktail"

In iframe

Researchers have discovered a powerful new blended data theft malware package spreading rapidly through legitimate Web sites.

Bill would give president power to disconnect private networks

A Senate bill proposes giving the president the power to shut down and disconnect any government or private computer network or system that is compromised by a cyberattack.

DHS sets new policy on computer searches at border

DHS issued two new directives that deal with searches of laptop computers and other devices at U.S. borders.

DHS, industry assess risks to IT sector

Government and private-sector experts identify risks to the country's information technology sector's key functions.

FISMA reporting must use automated tool

By Nov. 18, agencies must use a new automated reporting tool to meet their reporting requirements under the Federal Information Security Management Act.

DOD updates IPv6 Standard Profile

The updated IPv6 Standard Profile provides a technical and standards based definition of interoperability requirements for IPv6-capable products to be used in DOD networks.