[SecurityRatty] tag: recently

Fake Windows XP Activation Trojan Wants Your CVV2 Code

Mon, 06 Oct 2008 15:01:01 +0000

In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software.

Is Google Using Chrome to Index Password Protected Web?

Mon, 06 Oct 2008 07:20:02 +0000

An interesting theory we heard recently is that Google will use Chrome to index the password protected Web. Right now the Chrome Terms of Service prevents Google from indexing private data. But when you consider that Chrome was initially presented as a browser for applications, instead of just web pages, this theory begins to make more sense.

Change your passwords with your smoke detector batteries

Sun, 05 Oct 2008 08:26:43 +0000

If you’ve changed your smoke detector batteries more recently than you’ve changed your passwords, then you should think about changing some of them now. If you can change passwords more often, great. But I realize that some of us have upwards of 25 passwords to manage on a regular basis (click HERE). It’s not fun having [...]

Gloria Jeans Coffee Website, gloriajeans.com, Hacked, Atleast 511 Customers Credit Crads Details Stolen

Fri, 03 Oct 2008 17:49:28 +0000

Earlier this month, gloriajeans.com website was the subject of an attack that allowed an unknown person or persons to obtain the addresses and credit card numbers of 511 of the customers as they were placing orders on the site. According to New Hampshire State Attorney General, Gloria Jeans Coffee (Gloria Jean’s) recently experienced a data [...]

Major Industries Drop The Ball On Data Security

Fri, 03 Oct 2008 10:10:17 +0000

Verizon, recently analyzed "four years of data from over 500 cases worked by the Verizon Business Investigative Response team," to produce a report that gives an in-depth look into how data breaches are occurring in four major industry groups: financial services, food and beverage, retail, and technology services.

XRumer Spambot Cracks Captchas

Fri, 03 Oct 2008 07:40:21 +0000

We’ve known CAPTCHAs are insecure for some time, but now even the CAPTCHA-alternatives (often based on identifying cats from dogs or other animals) have proven insecure. Gmail, Windows Live hotmail and other popular sites were hacked as early as February. Recently another defeat has come in the form of XRumer, a spam bot that posts messages on blogs and through email in order to boost search engine rankings.

What’s the solution? Ars Technica suggests there might not be a good one, in part because malware distributors can go so far as to hire real people to do their dirty work:

Instead of trying to build better CAPTCHA-cracking programs, the malware industry went out and got itself some humans of its own. This effectively bypasses the primary security strength of the CAPTCHA system and leaves it entirely dependent on what we’ll call secondary security characteristics. CAPTCHAs are often complex (particularly these days), which does increase the chance that they’ll be misread (and returned incorrectly), while the font and display of the characters themselves are at least somewhat unfamiliar to the CAPTCHA crackers sitting on the other side of the world.

Sometimes those captcha phrases are pretty incoherent to me too. When I post over at Craigslist sometimes it says I’ve gotten its Captcha wrong, and I end up wondering if secretly I’m a bot?? Apparently not a very smart one either.

Copycat Web Malware Exploitation Kit Comes with Disclaimer

Wed, 01 Oct 2008 22:58:01 +0000

Such disclaimers make you wonder what's the point of including a notice forwarding the responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is offering daily updates with undetected bots, and is promising to include new exploits within the kit.

For the time being, this recently released copycat web exploitation malware kit, includes two PDF exploits, IE snapshot, and naturally MDAC, with a DIY builder for the binary. Here's the disclaimer, greatly reminding us of Zeus's copyright notice :

"Purchasing this product, you hold the full responsibility for its usage and for consequences which may have been caused by incorrect usage or the usage with some evil intent or violation of the usage rules. The author excludes the placement of the scripts somewhere on the Internet, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). WARNING! The usage of this product with evil intent leads to the criminal responsibility!"

What happens when the buyer tries to resell the kit? - "If you try to resell, decode, remove the boundaries, you will lose all the support, updates and guarantees." which is surreal considering that the kit is open source one, and just like we've seen with a recent modification of Zeus if it were to include unique features -- which it doesn't -- others would build upon its foundations.

Going through the exploitation statistics of a sample campaign, you can clearly see that out of the 859 unique visits 250 got exploited with outdated and already patched vulnerabilities. Therefore, diversifying the exploits set would have increased the number of exploited hosts.

With IE6 visitors exploited at 46% as a whole, it would be hard not to notice that just like Stormy Wormy's historical persistence of using outdated vulnerabilities, a great majority of today's botnets have been aggregated using old exploits.

Trying to enforce the intellectual property of a malware kit means you're claiming ownership, and therefore the disclaimer becomes irrelevant.

All Quiet on the CA Front

Wed, 01 Oct 2008 11:31:54 +0000

If you’ve read the blog, you know that we follow the Perils of CA with much amusement. Honestly, you couldn’t make up the stuff that Sanjay Kumar et al were and apparently are still making headlines with “35-day months”, accusations that founder Charles Wang knew and was part of the whole mess, a former US senator involved too, Sanjay’s unbelievable $1 billion in restitution…and the list goes on. (img from NYTimes.com)

But I am reminded that it’s not just the titillating stuff that’s of interest. CA is still one of the Big 4 and up until a couple of years ago making headlines with some major and strategic purchases in our space – such as buying Concord for its e-Health software in 2005 and Wily Technology in 2006.

I recently ran across a 451 Group report, “CA: ghosts of deals past” by Brenon Daly (if you haven’t read one of his takes on the M&A market, you don’t know what you’re missing) that showed quantitatively just how much the acquisitions had slowed down.

2003 – 4

2004 – 3

2005 – 6

2006 – 6

2007 – 0

2008 – 0 (so far)

Two or three years ago (I still have the slide in our presentations), it seemed like you couldn’t go a month or two without hearing about the latest acquisition by the Big 4 – to either fill gaps in their monolithic portfolios or take out a growing threat, which had built some good technology. This should sound very familiar to anyone (like me) who rubbed up against WorldCom. Growth (in revenue and technology) by acquisition. Buy your own revenue and don’t worry about the niggling details like integration.

But we’ve certainly seen the acquisition trend slow across the board. HP, after its mega-purchase of Mercury Interactive in 2005 for $4.5 billion, for example, went relatively silent on the acquisition front in our space. Perhaps, as it turns out, because they were too busy preparing for the even bigger purchase of EDS for $13.9 billion (and the layoffs, 24,600 and counting, which in this worsening economy are probably just starting).

Security + Logging + Virtualization Podcast

Wed, 01 Oct 2008 09:36:00 +0000

Here is a fun podcast a bunch of us (yes, including Chris, of course!) did on security, logging and virtualization (audio, full transcript).

It is actually a fun read / listen, if you are into either/all of these three :-)

Here is the brief blurb on that from the podcaster site: "To help learn about new ways that systems log tools and analysis are aiding the ramp-up to virtualization use, I [Dana Gardner] recently spoke with Charu Chaubal, senior architect for technical marketing, at VMware; Chris Hoff, chief security architect at Unisys, and Dr. Anton Chuvakin, chief logging evangelist and a security expert at LogLogic."

PSS World Medical applicants affected by job boards breach

Tue, 30 Sep 2008 18:41:20 +0000

In a breach notification letter sent to the New Hampshire State Attorney General, PSS World Medical states that the company “recently became aware of an incident involving unauthorized access” to company’s career board website. The unauthorized access resulted in the exposure of personal information belonging to job applicants and others that may have posted their [...]