Tuesday, 7 May 2013
AutoIt scripting increasingly used by malware developers
AutoIt, a scripting language for automating Windows interface interactions, is increasingly being used by malware developers thanks to its flexibility and low learning curve, according to security researchers from Trend Micro and Bitdefender.
"Recently, we have seen an uptick in the amount of nefarious AutoIt tool code being uploaded to Pastebin," Kyle Wilhoit, a threat researcher at antivirus vendor Trend Micro, said Monday in a blog post. "One commonly seen tool, for instance, is a keylogger. Grabbing this code, anyone with bad intentions can quickly compile and run it in a matter of seconds."
"In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language," Wilhoit said.
The use of AutoIt in malware development has steadily increased since 2008, Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, said Tuesday via email. The number of malware samples coded in AutoIt has recently peaked at more than 20,000 per month, he said.
"In its early days, AutoIt malware was mostly used for advertising fraud or to create self-propagation mechanisms for IM [instant messaging] worms," Botezatu said. "Nowadays, AutoIt malware ranges from ransomware to remote access applications."
One particularly sophisticated piece of AutoIt-based malware discovered recently was a version of the DarkComet RAT (remote access Trojan program), Wilhoit said. This malware opens a backdoor on the victim's machine, communicates with a remote command and control server and modifies Windows firewall policies, he said.
The DarkComet RAT has been used in targeted, APT-style attacks in the past, including by the Syrian government to spy on political activists in the country. What's interesting about the variant found by Trend Micro is that it's written in AutoIt and has a very low antivirus detection rate.
The use of scripting languages to develop sophisticated malware is not a widespread practice, because most of these languages require an interpreter to be installed on the machine or produce very large stand-alone executable files, Botezatu said.
However, there have been exceptions. For example, the Flame cyberespionage malware used the Lua scripting language to automate some tasks without being detected by antivirus products, Botezatu said.
AutoIt is extremely intuitive and easy to use, produces compiled binaries that run out of the box on modern Windows versions and is well documented, the Bitdefender researcher said. Also, there is already a lot of malicious AutoIt code available on the Web for reuse, he said.
"Most importantly, malware created in AutoIt is extremely flexible and can be easily obfuscated, which means that a single breed of malware written in AutoIt can be repackaged and re-crafted in a number of ways to prevent detection and extend its shelf life," Botezatu said.
As scripting languages like AutoIt continue to gain popularity, more malware developers are expected to migrate toward them, Wilhoit said. "The ease of use and learning, as well as the ability to post code easily to popular dropsites make this a great opportunity for actors with nefarious intentions to propagate their tools and malware."
Source: ITworld
Man Suspected of Developing and Distributing SpyEye Malware Extradited to the US
Hamza Bendelladj of Algeria, aka “Bx1,” has been extradited from Thailand – where he was arrested earlier this year while in transit from Malaysia to Egypt – to the US. He is accused of playing a critical role in developing, marketing, distributing and controlling the notorious piece of malware known as SpyEye.
The 24-year-old is charged with one count of conspiring to commit wire fraud and bank fraud, 10 counts of wire fraud, 11 counts of computer fraud, and one count of conspiracy to commit computer fraud.
If found guilty, he could spend up to 30 years in prison for conspiracy to commit wire and bank fraud, up to 5 years for conspiracy to commit computer fraud, up to 20 years for each wire fraud count, and up to 5 or 10 years for each count of computer fraud.
In addition, he could be forced to pay fines totaling $14 million (€10.6 million).
According to the US Department of Justice, between 2009 and 2011, Bendelladj and others allegedly developed, marketed and sold versions of SpyEye to other cybercriminals.
Authorities believe that Bendelladj also operated command and control (C&C) servers for the SpyEye malware.
“No violence or coercion was used to accomplish this scheme, just a computer and an Internet connection. Bendelladj’s alleged criminal reach extended across international borders, directly into victims’ homes,” said US Attorney Sally Quillian Yates.
“In a cyber-netherworld, he allegedly commercialized the wholesale theft of financial and personal information through this virus which he sold to other cybercriminals. Cybercriminals take note; we will find you. This arrest and extradition demonstrates our determination to bring you to justice.”
FBI Special Agent in Charge Mark F. Giuliano of the Atlanta Field Office commented, “The FBI has expanded its international partnerships to allow for such extraditions of criminals who know no borders.”
He added, “The federal indictment and extradition of Bendelladj should send a very clear message to those international cyber-criminals who feel safe behind their computers in foreign lands that they are, in fact, within reach.”
Source: Softpedia
Syrian Electronic Army Hacks “The Onion” Twitter and Facebook Accounts
Hackers of the Syrian Electronic Army have hijacked the social media accounts of yet another news organization. Their latest victim is The Onion, the famous American news satire organization.
The hackers say they’ve hijacked a total of five Twitter accounts – TheOnion, OnionSports, ONN, TheAVClub and OnionPolitics –, and two of the publication’s Facebook accounts.
“Syrian Electronic Army Hacked today Twitter accounts and Facebook pages of The Onion satirical newspaper. And that came after that website published a news that harms the reputation of Syria and its leader,” the hackers wrote on their website.
SyriaNews has caught a glimpse of the messages published by the pro-Assad hackers from the compromised accounts.
“UN’s Ban Ki Moon condemns Syria for being struck by israel: ‘It was in the way of Jewish missiles’,” one of the tweets read.
“UN retracts report of Syrian chemical weapon use: ‘Lab tests confirm it is Jihadi body odor’,” the hackers wrote.
Shortly after recovering their accounts, representatives of The Onion have confirmed the incident, in their own manner.
“Following today’s incident in which the Syrian Electronic Army hacked into The Onion’s Twitter account, sources at America’s Finest News Source confirmed that its Twitter password has been changed to OnionMan77 in order to prevent any future cyber-attacks,” reads an article published on The Onion shortly after the breach.
The Onion has published several satirical posts related to the incident, including “The Onion’s tips on how to prevent your major media site from being hacked” and “Syrian Electronic Army has a little fun before inevitable upcoming deaths at hands of rebels.”
In addition to compromising The Onion’s social media accounts, the Syrian Electronic Army also appears to have hijacked the email accounts of at least a couple of staff members.
Source: Softpedia
Friday, 3 May 2013
State of Louisiana Website Hacked, Spreads Sirefef Malware
The official website of the Board of Regents of the State of Louisiana (regents.la.gov) has been hacked and abused to distribute a variant of the notorious Sirefef malware.
Avast reports that the malware is hosted in the “wp-content” folder of the site and it’s served as an executable to anyone who visits a specific URL. It’s likely that the cybercriminals use spam to distribute the malicious links.
Once infected, computers become part of a peer-to-peer botnet. Such botnets are difficult to disrupt because they don’t have a main communication node that can be disconnected.
This particular botnet has already infected over 300,000 devices, but the number of infection attempts exceeds 800,000.
By compromising the websites of high-profile organizations, cybercriminals increase their campaigns’ chances of success. That’s because many users will likely click a link that appears to point to a .gov website without giving it too much thought.
I've checked the website and, unfortunately, at the time of writing, it still hosted the malware.
Additional technical details of this attack are available on Avast’s blog.
Source: Softpedia
Website of Iran’s Basij Force Taken Down by Cyberattacks
As the presidential elections draw near, tension mounts in Iran both in the real world and in cyberspace. On May 1, the official website of the country’s Basij military branch was taken down after a cyberattack was launched against it.
“Due to the impending vote, elements of the global arrogance have launched a new round of cyberattacks against Basij websites, particularly Basij.ir,” the force’s representatives stated according to Think Progress.
A spokesman revealed that the Basij website had faced numerous attacks over the past three years.
In the meantime, members of the Iranian hacktivist group Ashiyane Digital Security have told Softpedia they’re preparing an operation against governments and media organizations that have spread lies about Iran.
“Our mission is to protect Iran from hackers & social media lies,” the group’s leader said.
“They don’t know the truth and when the government lies we will try to take them down. When Social Media lies we will try to take them down,” he added.
Source: Softpedia
Indian Politicians Hire Hackers to Spy on Their Opponents
Some Indian politicians have stopped using their smartphones for important communications after news broke that hackers were being hired by their political opponents.
Times of India reports that hackers and security experts are being offered Rs 1 lakh ($1,852 / €1,416) and sometimes even more to breach the smartphones of ministers, members of the legislative assembly and members of parliament.
N Nityanand, CTO of Entersoft Information systems at Ameerpet, says that he has been approached on numerous occasions and offered as much money as he wanted to break into the email accounts of top politicians. Nityanand has refused for ethical reasons, but not everyone is like him.
Usually, the hackers are contacted by mediators of the political leaders who don’t name the individuals they represent. They want to be able to intercept phone calls, text messages, emails and anything else that might be of interest.
To gain control of the politicians’ smartphones, the hackers send out emails that point to cleverly designed websites. When the links in the emails are clicked, malicious software is downloaded onto the device.
Source: Softpedia
Thursday, 2 May 2013
Hacking Instagram Accounts using OAuth vulnerability
Nir Goldshlager, known as a Facebook hacker and founder of Break Security, who has reported many critical bugs in Facebook's OAuth mechanism in the past few months, today disclosed a critical vulnerability in Instagram's OAuth that allows an attacker to hack any account. A successful hack gives the attacker access to private photos, the ability to delete the victim's photos, to edit comments and to post new photos. He explained that there are two ways to hack Instagram accounts using OAuth: hijacking Instagram accounts via the Instagram OAuth, or via the Facebook OAuth Dialog.
Read more at: http://thehackernews.com/2013/05/hacking-instagram-accounts-using-oauth.html
Copyright © The Hacker News
Botnet Attack Blocker for WordPress Protects Sites Against Brute-Force Attacks
An interesting WordPress plugin released a few days ago could be of great aid to website administrators who want to make sure their sites are protected against the recent brute-force attacks.
Many websites are configured to block out an IP address after too many failed login attempts.
However, the brute-force attacks analyzed by experts rely on a botnet to crack passwords. Since each attempt to break the password can come from a different IP address, 1,000 computers are capable of trying out 5,000 combinations if the failed login attempts limit is set to 5.
This is where the Botnet Attack Blocker steps in. According to its author, the plugin ignores the different IP addresses and blocks attackers even if they use a large number of bots.
For instance, if 5 failed login attempts are set, 1,000 computers will only be allowed to try out 5 passwords, regardless of the fact that they have different IPs.
Users of Botnet Attack Blocker can select the number of allowed login attempts, the time interval between failures, and for how long to block logins. Admins can whitelist their own IP address to make sure they can access the website even during an attack.
Source: Softpedia
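To make the arithmetic in the article concrete, here is an added illustration (not the plugin's own code) of the difference between a per-IP lockout and a site-wide one like Botnet Attack Blocker's: the LoginGuard class, the simulate helper and the 10.0.x.x bot addresses are all constructed for this example.

```python
"""Per-IP versus site-wide failed-login lockout (constructed illustration).

The per-IP policy is what the article says most sites use; the "global" policy
mirrors the Botnet Attack Blocker idea of counting failures regardless of source IP.
"""
from collections import deque


class LoginGuard:
    def __init__(self, mode="global", max_failures=5, window_s=300,
                 block_s=900, whitelist=()):
        if mode not in ("per_ip", "global"):
            raise ValueError("mode must be 'per_ip' or 'global'")
        self.mode = mode
        self.max_failures = max_failures   # failures allowed inside the window
        self.window_s = window_s           # sliding window for counting failures
        self.block_s = block_s             # how long logins stay blocked afterwards
        self.whitelist = set(whitelist)    # admin IPs that are never locked out
        self.failures = {}                 # counter key -> deque of failure timestamps
        self.blocked_until = {}            # counter key -> block expiry time

    def _key(self, ip):
        # Per-IP mode keeps one counter per address; global mode shares a single one.
        return ip if self.mode == "per_ip" else "*"

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def allowed(self, ip, now):
        """May a login attempt from `ip` be evaluated at time `now`?"""
        if ip in self.whitelist:
            return True
        key = self._key(ip)
        if now < self.blocked_until.get(key, 0.0):
            return False
        dq = self.failures.setdefault(key, deque())
        self._prune(dq, now)
        return len(dq) < self.max_failures

    def record_failure(self, ip, now):
        """Register a wrong password; start a block once the limit is reached."""
        if ip in self.whitelist:
            return
        key = self._key(ip)
        dq = self.failures.setdefault(key, deque())
        dq.append(now)
        self._prune(dq, now)
        if len(dq) >= self.max_failures:
            self.blocked_until[key] = now + self.block_s
            dq.clear()  # counting restarts after the block expires


def simulate(guard, n_bots, attempts_per_bot, start=1_000_000.0):
    """Constructed botnet run: n_bots distinct IPs, each trying attempts_per_bot
    wrong passwords 10 ms apart. Returns how many guesses the site evaluated."""
    evaluated = 0
    now = start
    for bot in range(n_bots):
        ip = f"10.0.{bot // 256}.{bot % 256}"   # constructed source addresses
        for _ in range(attempts_per_bot):
            now += 0.01
            if guard.allowed(ip, now):
                evaluated += 1
                guard.record_failure(ip, now)   # every guess is wrong here
    return evaluated


if __name__ == "__main__":
    print("per-IP lockout :", simulate(LoginGuard(mode="per_ip"), 1000, 5), "guesses evaluated")
    print("global lockout :", simulate(LoginGuard(mode="global"), 1000, 5), "guesses evaluated")
```

The site-wide counter is also why the plugin's whitelist matters: a single bot can now lock out every legitimate user until the block expires, so the admin address must bypass the counter.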
Norman Helps Experts Decide If They Should Build or Buy a Malware Analysis Platform
Many IT security professionals are often required to analyze pieces of malware and determine the full extent of the damage they can cause to their organization’s networks, systems and data. The big question is: should they build their own analysis platform or buy a commercial solution?
To help professionals make the right decision, security firm Norman has published a new whitepaper called “The Right Testbed for the Job: Building or Buying a Malware Analysis Platform.”
The paper asks a series of questions to determine the nature of the problem, security and compliance requirements, timeframe to productive usage, knowledge transfer and key person reliance, expertise to develop the right solution, and other aspects.
Based on their answers, experts are told which decision would be best. They’re also provided a number of recommendations and tips on what must be done in each scenario.
Source: Softpedia
Hackers accessed personal data of Reputation.com users
Reputation.com, an online reputation management website, lost some of its own reputation when hackers invaded its website and accessed users' personal data.
Reputation.com on Tuesday sent an email to customers disclosing the security breach. Reputation.com said in the mail that intruders had accessed personal information including names, email addresses, physical addresses, phone numbers, dates of birth and occupational info.
On top of that, the hackers had accessed the encrypted passwords of a small number of users. Reputation.com claimed that the passwords are highly encrypted (hash + salt) and "it was highly unlikely that these passwords could ever be decrypted".
One EHN user commented on the issue: "You fail at cryptology. The salt is stored with the hash. It doesn't add any strength to the individual hash's resistance to brute-force attacking, it only strengthens hashes from being attacked by pre-built rainbow tables. Even if you used bcrypt with a cost of 16 and 128-bit /dev/random salts, all an attacker has to do is iterate the 10,000 most common passwords and they'll hit 98% of internet users."
Source: EHacking
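The comment's point, as an added example rather than anything from the article or Reputation.com: a stored salt makes precomputed tables useless but does nothing against a per-user dictionary pass, so a defender who audits their own store with a short common-password list will still find the weak entries. The store, users, wordlist and iteration count are constructed; ITERATIONS is kept deliberately low so the audit runs quickly.

```python
"""Salted hashing: what a salt does and does not protect against (constructed example)."""
import hashlib
import hmac
import os

# A real deployment would use a far higher count; kept small so the audit below runs fast.
ITERATIONS = 1000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). The salt is stored next to the digest, as the comment notes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def salt_defeats_precomputation(password):
    """Same password, two users: the stored digests differ, so a table precomputed
    for the unsalted hash (a rainbow table) cannot be looked up against either."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


# Constructed wordlist standing in for the "10,000 most common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                    "monkey", "letmein", "dragon", "111111", "baseball"]


def audit_weak_passwords(store, wordlist=COMMON_PASSWORDS, iterations=ITERATIONS):
    """Defender-side audit of a credential store: for each user, re-derive each
    wordlist entry with that user's own salt. The salt does not help here; the
    cost is one KDF call per (user, word), which is exactly why the iteration
    count, not the salt, is the knob that slows guessing."""
    weak = []
    for user, (salt, digest) in store.items():
        for word in wordlist:
            if verify_password(word, salt, digest, iterations):
                weak.append(user)
                break
    return weak


def build_store():
    """Constructed store: one weak password, one strong passphrase."""
    return {
        "alice": hash_password("123456"),
        "bob": hash_password("correct horse battery staple 7!"),
    }


if __name__ == "__main__":
    print("salt gives distinct digests:", salt_defeats_precomputation("123456"))
    print("users with a common password:", audit_weak_passwords(build_store()))
```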
Chinese Hackers Steal Info from US Defense Contractor for Several Years [Bloomberg]
Starting in 2007, at least 30 US defense contractors have been targeted by the Comment Crew, the notorious hacker collective that’s believed to be funded by the Chinese government. One of these companies was QinetiQ North America.
QinetiQ provides the US government with software used by the military, drones, robots, helicopters, satellites, weapon systems, and many other technologies that contribute to national security.
According to an extensive report from Bloomberg, the hackers have targeted the company since at least 2007. Since at least 2009, it’s believed they’d been continuously operating in the organization’s networks, stealing a wide range of classified documents.
In one of the attacks, which took place in 2009, the hackers raided at least 151 machines of the firm’s Technology Solutions Group (TSG) over a 251-day period, stealing 20 gigabytes of data before being blocked.
1.3 million pages of documents, including ones containing highly sensitive military information, were stolen at the time.
In the first two and a half years, it’s believed the Comment Crew – whose activities have been detailed in a recent report published by security firm Mandiant – stole over 13,000 internal passwords.
In 2010, HBGary, the security firm hacked in 2011 by Anonymous, was hired by QinetiQ along with Terremark to investigate the attacks. HBGary almost immediately identified malicious software on most of QinetiQ’s computers.
The security companies managed to clean up QinetiQ’s systems, but this only lasted for a couple of months, after which the FBI notified the contractor about another data breach.
Some say China might have already put to good use the information stolen from the firm. In April 2012, the Chinese military unveiled a bomb disposal robot that was very similar to QinetiQ’s Dragon Runner.
The technology for the Chinese robot might have been obtained from the computer of a specialist that focused on the embedded software on microchips that controlled military robots. His computer was among those infected.
Interestingly, in May 2012, QinetiQ was awarded a $4.7 million (€3.6 million) cybersecurity contract from the US Transportation Department.
Source: Bloomberg
Cyber crooks dupe victims with bogus Microsoft security alerts
Webroot has detected a new wave of bogus Microsoft-themed cyber scams, looking to dupe web users with bogus security notifications.
The security firm reported detecting a number of scams targeting users with malware-laden messages masquerading as alerts from Microsoft in a blog post on Tuesday.
"Recently we have seen an increase in fake Microsoft scams, which function by tricking people into thinking that their PC is infected," wrote Webroot's Roy Tobin. He added that the cyber crooks use a variety of techniques to get the messages in front of their victims.
"There are a number of ways to figure out that this is a false alert. The first is that it's a website message and not a program; the second is that the location of the website will be a random string of letters," he said.
"These websites will normally only stay active for 24-48 hours before they are pulled down. The websites' primary function is to get you to run a ‘removal tool' called ‘security cleaner'. This file is the infection and, if run, will infect the PC and start displaying pop-ups."
The Webroot researcher said that the scams are not terribly advanced, and as long as users don't click on the malicious messages they will stay safe.
"At this stage [when the message appears], the PC is not infected so it's safe to close the browser and ignore any alerts from the website. Noting the website that displayed the message is a good idea as you can notify the webmaster (if it's a legitimate website)," wrote Tobin.
Microsoft is one of many big brands used by cyber criminals to make the phishing messages look more legitimate. Last month, McAfee detected a cyber scam that used Facebook and LinkedIn to spread malware.
Source: V3
Mozilla accuses Gamma of dressing up dictators' spyware as Firefox
Firefox-maker Mozilla claims spook supplier Gamma International disguises its spyware as the popular web browser - and wants it to stop.
The non-profit software foundation slapped a cease-and-desist demand on UK-based FinFisher developer Gamma. In the legal letter, Mozilla said its Firefox trademark is being violated and that this infringement must end immediately.
Alex Fowler, the Firefox maker's director of privacy and policy, added that Mozilla takes abuse of its Firefox trademark seriously because it hurts users, creates confusion and jeopardises Mozilla’s reputation.
At the centre of the allegations is Gamma’s FinSpy program [PDF], which is deployed by cops and G-men to infiltrate a suspect's PC and allow it to be controlled from a remote server. It is claimed FinSpy masquerades as a harmless copy of the Firefox web browser so that victims who find it installed see no need to remove it.
Mozilla fired off its legal demand following the publication of a Citizen Lab report titled For Their Eyes Only: The Commercialization of Digital Spying (PDF). See page 108 of the report for a side-by-side comparison of a legitimate install of the Mozilla browser and what the paper's authors say is a copy of FinSpy to be downloaded by the unsuspecting snoopee.
Citizen Lab is based at the Munk School of Global Affairs, at the University of Toronto, Canada, and warned of a FinFisher stealth update in March.
The surveillance software is sold by Gamma as a tool for criminal and intelligence agencies to hoover up emails, chatroom banter, Skype calls and other internet phone conversations, and to harvest a PC's hard drive for material.
'Gamma’s customers violate citizens’ human rights and online privacy'
FinSpy is part of Gamma's FinFisher suite, which El Reg was told earlier this year had been updated to evade detection and had been discovered in 25 countries.
“We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy,” Fowler said.
He stressed FinSpy does not affect Firefox. “Gamma’s software is entirely separate, and only uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion,” Fowler claimed.
Gamma’s sales literature touts FinSpy as a tool for intelligence and law enforcement work - but Citizen Lab reckons citizens who are critical of the government in Bahrain and supporters of opposition candidates in Malaysia’s elections on 5 May have received emails that attempt to trick them into installing FinSpy on their Windows PCs.
Citizen Lab's writers claimed victims are unaware of what they are downloading because it comes packaged as "Firefox.exe" and sports labelling, version number, product name and copyright and trademark descriptions copied from a legit build of the open-source web browser.
Source: The Register
U.S. Department of Labor website hacked and redirecting to malicious code
During the last few hours we have identified that one of the U.S. Department of Labor websites has been hacked and is serving malicious code.
Clarification:
The website affected is the Department of Labor (DOL) Site Exposure Matrices (SEM) Website.
“The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository of information gathered from a variety of sources regarding toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) facilities covered under Part E of the Energy Employees Occupational Illness Compensation Program Act (EEOICPA)”
As you can see in the following UrlQuery report the website is including code from the malicious server dol[.]ns01[.]us:
Once you visit the website the following file is included:
www[.]sem[.]dol[.]gov/scripts/textsize.js that contains the following code:
Source: AlienVault
Practical HTTP Host header attacks
Password reset and web-cache poisoning
(And a little surprise in RFC-2616)
Introduction
How does a deployable web-application know where it is? Creating a trustworthy absolute URI is trickier than it sounds. Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP). Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to:
<link href="http://_SERVER['HOST']" (Joomla)
...and append secret keys and tokens to links containing it:
<a href="http://_SERVER['HOST']?token=topsecret"> (Django, Gallery, others)
....and even directly import scripts from it:
<script src="http://_SERVER['HOST']/misc/jquery.js?v=1.4.4"> (Various)
There are two main ways to exploit this trust in regular web applications. The first approach is web-cache poisoning; manipulating caching systems into storing a page generated with a malicious Host and serving it to others. The second technique abuses alternative channels like password reset emails where the poisoned content is delivered directly to the target. In this post I'll look at how to exploit each of these in the presence of 'secured' server configurations, and how to successfully secure applications and servers.
Source: Skeleton
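The fix for both attack paths described above is the same: never build an absolute URL from the Host header, validate Host against a fixed list of names the application is actually served on, and reject the request when it does not match. The following added example (not code from the post or from any of the frameworks it names) shows the vulnerable pattern beside a hardened one in Python; ALLOWED_HOSTS and CANONICAL_BASE are assumed deployment settings.

```python
from urllib.parse import urlsplit

# Assumed deployment settings: the hosts this application is actually served on,
# and the base URL used for every absolute link it emits.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_BASE = "https://www.example.com"


def reset_link_vulnerable(headers, token):
    """The pattern the post describes: the absolute URL is built from the request's Host header,
    so a request with 'Host: attacker.example.net' produces a reset mail whose link, and the
    secret token on it, point at the attacker's server."""
    return f"http://{headers.get('Host', '')}/reset?token={token}"


def validated_host(raw_host):
    """Return the bare hostname if raw_host is one of our configured hosts, else None.
    A port is tolerated; user-info, paths or anything else that does not parse as a plain
    host:port is rejected."""
    if not raw_host or "@" in raw_host or "/" in raw_host:
        return None
    parts = urlsplit("//" + raw_host)
    try:
        parts.port          # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    return host if host in ALLOWED_HOSTS else None


def reset_link_hardened(headers, token):
    """Refuse the request outright on an unexpected Host (a 400 in a real handler) and build the
    link from configuration rather than from anything the client sent. Forwarding headers such as
    X-Forwarded-Host are deliberately ignored."""
    if validated_host(headers.get("Host", "")) is None:
        raise ValueError("unexpected Host header")
    return f"{CANONICAL_BASE}/reset?token={token}"


if __name__ == "__main__":
    poisoned = {"Host": "attacker.example.net"}
    print(reset_link_vulnerable(poisoned, "topsecret"))      # link leaks the token to the attacker
    print(reset_link_hardened({"Host": "www.example.com:443"}, "topsecret"))
```

The validation belongs in the application, not only in the web server's virtual-host configuration: a catch-all or default virtual host, or a front-end that forwards the original Host in another header, is exactly the "secured" configuration the post goes on to bypass.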
Gaming app ENSLAVES punter PCs in Bitcoin mining ring
A competitive gaming company has admitted that for two weeks in April its software client was hijacking league members' PCs to mine Bitcoins.
In an eyebrow-raising turn of events, the company, ESEA Gaming, admitted on Wednesday that its software client had been running Bitcoin-mining algorithms on customer PCs since April 14, generating over $3,700 worth of the virtual currency – not to mention a likely uptick in the electricity bills of the unwitting punters whose graphics cards' GPUs had been forced to mine the virtual currency.
ESEA is a competitive gaming company that lets paying punters play various video games competitively, with the chance of a cash prize as they rise through the ranks. It uses a bespoke software client to prevent cheating, and it was this software client that was loaded with Bitcoin mining routines.
The Bitcoin mining software had been originally rolled out in a test on ESEA Gaming admin accounts, the company's co-founder Eric Thunberg explained in a forum post using the handle lpkane. But the test didn't generate many Bitcoins (two in two days) and was shut down – or so Thunberg thought.
In fact, the miner wasn't shut down. Rather, it was rolled out across ESEA's entire user base.
An ESEA employee who was involved in the tests "has been using the test code for his own personal gain since April 13, 2013," the company wrote in an official statement on Monday. "We are extremely disappointed and concerned by the unauthorized actions of this unauthorized individual. As of this morning, ESEA has made sure that all Bitcoin mining has stopped. ESEA is also in the process of taking all necessary steps internally to ensure that nothing like this ever happens again."
The program used player GPUs to perform the complex mathematical operations required to mine Bitcoins, and generated 29.27627734 Bitcoins for the ESEA employee.
ESEA became aware of the Bitcoin mining after concerned users made posts to the forum complaining of high GPU utilization, even when idle.
The unauthorized two-week spell of mining apparently took Thunberg by surprise; he wrote in a later post to the forum:
as of the client update released in the last hour, all the btc stuff is out which should solve the gpu and av warnings, and in a blatant attempt to buy back your love (and less likely your trust), i'm going to do the following:
1. 100% of the funds are going into the s14 prize pot, so at the very least your melted gpus contributed to a good cause
2. every user who was premium this month will get a free one month premium code which they can use whenever and for whomever they like, and you'll find the code under manage accounts -> premium codes
Along with the prize pot, ESEA gaming is also donating double the value of the mined Bitcoins – $7,427.10 at current market rates – to the American Cancer Society.
"While it's incredibly disturbing and disappointing that this happened, we’re committed to improving ourselves and rebuilding trust with our community," the company wrote.
The case serves to highlight how the virtual currency's recent dramatic rise in valuation relative to the US dollar has attracted speculators, chancers, and criminals in droves. The ESEA case follows the re-emergence of Bitcoin-mining malware earlier in April, along with a variety of other money-grubbing squint-and-they're-legal schemes.
"If we had found out on our own that the miner was running we would have killed it anyway because a) we'd already decided it wasn't worth it, and b) there are far less shady ways to make money," Thunberg wrote in reply to a forum user.
Source: The Register
Hackers open malware backdoor in Apache webservers
A new threat is targeting Apache webservers, which are among the most widely-used webservers in the world, according to researchers at security firms ESET and Sucuri.
The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs.
Researchers have named the backdoor Linux/Cdorked.A, and have described it as the most sophisticated Apache backdoor to date.
“The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified httpd file, the daemon (or service) used by Apache,” said Pierre-Marc Bureau, ESET security intelligence program manager.
“All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."
In addition, Linux/Cdorked.A takes other steps to avoid detection, both on the compromised webserver and web browsers of computers visiting it.
“The backdoor’s configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools,” said Righard Zwienenberg, ESET senior researcher.
“The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex,” he said.
The Blackhole exploit kit is a popular and prevalent exploit kit that uses zero-day and known exploits to take control of systems when users visit a site that has been compromised and infected by the Blackhole kit.
When someone visits a compromised webserver, they are not simply redirected to a malicious website: a web cookie is set in the browser so the backdoor will not send them there a second time.
The web cookie is not set on the administrator pages. The backdoor checks the visitor’s referrer field and if they are redirected to the webpage from a URL that has certain key words in it, like "admin" or "cpanel", no malicious content is served.
ESET has called on system administrators to check their servers and verify that they are not affected by this threat.
A free detection tool, detailed instructions on how to check for the backdoor and a full technical analysis of Linux/Cdorked.A are available on ESET’s WeLiveSecurity.com site in the Linux/Cdorked blog post.
Source: Computer Weekly
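Two facts from the article drive the check an administrator can do without the vendor tool: the only on-disk artefact is a modified httpd binary, and the configuration lives in shared memory. So compare the running daemon's binary against the distribution package, and list shared memory segments that the web-server account owns or that any local user can write to. The script below is an added example, not ESET's detection tool; the web-server account names and the one-megabyte size threshold are assumptions, and the `ipcs -m` output it parses is constructed.

```python
import hashlib

# Assumed: service accounts Apache commonly runs under, and a size below which a segment is ignored.
WEB_SERVER_USERS = {"apache", "www-data", "httpd", "nobody"}
MIN_SUSPICIOUS_BYTES = 1024 * 1024


def sha256_of_file(path):
    """Hash the running daemon's binary so it can be compared with the distribution package
    (rpm -Vf /usr/sbin/httpd, dpkg --verify apache2 or debsums perform the same comparison)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_ipcs_m(text):
    """Parse the table printed by `ipcs -m` into dicts; header and blank lines are skipped."""
    segments = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("0x"):
            continue
        key, shmid, owner, perms, nbytes, nattch = fields[:6]
        segments.append({"key": key, "shmid": int(shmid), "owner": owner,
                         "perms": perms, "bytes": int(nbytes), "nattch": int(nattch)})
    return segments


def suspicious_segments(segments):
    """Flag large segments owned by the web-server account or writable by any local user
    (last octal digit of perms has the write bit set)."""
    flagged = []
    for seg in segments:
        world_writable = int(seg["perms"][-1], 8) & 0o2 != 0
        if seg["bytes"] >= MIN_SUSPICIOUS_BYTES and (seg["owner"] in WEB_SERVER_USERS or world_writable):
            flagged.append(seg)
    return flagged


# Constructed `ipcs -m` output for the example; the apache-owned 6 MB segment is the one to examine.
SAMPLE_IPCS_M = """
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      postgres   600        56         6
0x00000000 65537      apache     666        6291456    2
0x0052e2c1 98306      root       644        1000       1
"""


def scan_sample():
    return [s["shmid"] for s in suspicious_segments(parse_ipcs_m(SAMPLE_IPCS_M))]


if __name__ == "__main__":
    print("Suspicious shmids:", scan_sample())
```

A flagged segment is a lead, not a conviction: legitimate Apache modules also use shared memory, so dump the segment and look at its contents, and treat a binary whose hash the package manager does not recognise as the decisive indicator. Because the backdoor's control requests are not written to the access log, the absence of anything odd in the logs proves nothing here.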
‘Content spoofing’ a major website vulnerability, study finds
A close look at vulnerabilities in about 15,000 websites found 86% had at least one serious hole that hackers could exploit, and content spoofing was the most prevalent vulnerability, identified in over half of the sites, according to WhiteHat Security's annual study published today.
Content spoofing is a way to get a website to display content from the attacker, says Jeremiah Grossman, CTO at WhiteHat, an IT security vendor. A criminal might do this to steal sensitive customer information or simply to embarrass the owners of a website. In any event, in content spoofing the fake content is not actually on the website as it would be in a web defacement, but simply appears to be there, Grossman points out.
The Open Web Application Security Project (OWASP) group says content spoofing is also sometimes referred to as content injection or virtual defacement, and it's an attack made possible by an injection vulnerability in a web application that does not properly handle user-supplied data.
The content spoofing attack can supply content to a web application that is reflected back to the user, who's presented with a modified page under the context of the trusted domain, according to OWASP. It's said to be similar to a cross-site scripting attack but uses other techniques to modify the page for malicious reasons.
The annual WhiteHat Website Security Statistics Report examined vulnerabilities found over the course of 2012 in the 15,000 websites of 650 companies and government agencies for which it provides web application vulnerability assessments. These range from financial, manufacturing, technology, entertainment, energy to media, and government.
The top 15 vulnerability classes for websites are said to be cross-site scripting; information leakage; content spoofing; cross-site request forgery; brute force; insufficient transport layer protection; insufficient authorization; SQL injection; session fixation; fingerprinting; URL redirector abuse; directory indexing; abuse of functionality; predictable resource location; and HTTP response splitting.
Grossman says there were a few unexpected findings related to how quickly organizations fixed vulnerabilities when taking into account how much they'd invested in application security training for their programmers.
Emphasis on training was correlated with 40% fewer website vulnerabilities and a 59% faster rate of resolving them than in organizations that didn't do training. But the actual remediation rate to close all the holes related to the vulnerabilities was 12% less than in organizations without training. Grossman says WhiteHat's analysis indicates that the poorest rates of remediation overall are associated with organizations where their regulatory compliance requirements are the No.1 driver for resolving vulnerabilities. If the vulnerability wasn't tied to compliance, it was ignored.
When organizations' website vulnerabilities go unresolved, compliance was cited as the #1 reason, closely followed by risk reduction, according to the WhiteHat study. The study also found the best remediation rates occurred when customers or partners demanded it.
Other findings in the website 2012 vulnerability study show:
85% of organizations use some variety of application security testing in pre-production website environments
55% have a Web Application Firewall in some state of deployment
In the event of a website data or system breach, 79% said the Security Department would be accountable.
23% experienced a data or system breach as a result of an application-layer vulnerability.
Source: Network World
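The point Grossman and OWASP make is easy to miss if you think of reflection only as an XSS problem: HTML-escaping a reflected parameter stops script injection but still lets the attacker put a sentence of their choosing on a page served from the trusted domain, which is all a phishing lure needs. The following added example (not code from the study or from OWASP) shows the same error-page handler three ways: reflected unescaped, reflected escaped, and the hardened form that only ever shows a server-defined message selected by an error code. The error codes, messages and attacker text are constructed.

```python
import html

# Fixed, server-defined messages keyed by an error code; nothing the client sends is displayed.
ERROR_MESSAGES = {
    "bad_login": "Incorrect username or password.",
    "expired": "Your session has expired; please sign in again.",
}
GENERIC_ERROR = "An error occurred."

# Constructed attacker payload: plain text, no markup, so HTML-escaping leaves it untouched.
SPOOF_TEXT = "Our sign-in page has moved. Call 555-0100 to confirm your account details."


def render_error_vulnerable(params):
    """Reflects the 'msg' query parameter verbatim: both XSS and content spoofing."""
    return f'<p class="error">{params.get("msg", "")}</p>'


def render_error_escaped(params):
    """Escaping stops script injection, but the attacker still chooses the words shown
    on the trusted domain. This is the content-spoofing gap the article describes."""
    return f'<p class="error">{html.escape(params.get("msg", ""))}</p>'


def render_error_hardened(params):
    """Map a short error code to a server-defined message; unknown codes get a generic one."""
    message = ERROR_MESSAGES.get(params.get("err", ""), GENERIC_ERROR)
    return f'<p class="error">{html.escape(message)}</p>'


def attacker_text_shown(renderer):
    """True if the attacker-controlled sentence appears in the rendered page."""
    return SPOOF_TEXT in renderer({"msg": SPOOF_TEXT, "err": SPOOF_TEXT})


if __name__ == "__main__":
    for r in (render_error_vulnerable, render_error_escaped, render_error_hardened):
        print(f"{r.__name__:24s} shows attacker text: {attacker_text_shown(r)}")
```

The same rule applies to any free-text parameter a page echoes back, such as search terms, "return to" labels or names in greetings: if the text must be user-supplied, constrain its length and character set and present it in a way that is visibly distinct from the site's own copy.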
Despite hack, security experts urge no fear of Google Glass
The security risk Google Glass poses to companies is no greater than smartphones or other technology that someone could use to secretly record video and snap pictures, experts say.
Google Glass and its potential security risks came under scrutiny with the recent jailbreaking of the headset that many see as the start of wearable computing as a mass market.
The model rooted by Android and iOS developer Jay Freeman was sold only to developers. Glass is not yet available to the general public.
Freeman cracked Glass in two hours by exploiting a well-known vulnerability in Android 4.0.4, the version of the operating system that ships with the device. Once in, Freeman was able to fully control the device, bypassing the security mechanisms put in place by Google. In general, tech-savvy people will jailbreak a device in order to run applications or to modify it in ways not allowed by the manufacturer.
The Glass break-in did not surprise Tim Bray, developer advocate for Google. "Yes, Glass is hackable. Duh," he said on Twitter.
In an interview with Forbes, Freeman was not yet sure what he could do with the device now that he had access to its software. However, Jason Perlow, senior technology editor for ZDNet, opined that Glass could be modified to secretly record video and take pictures without the user knowing.
As a recording device, the current version of Glass has serious limitations. With roughly 12GB of usable storage, there is not much room for a lot of video, although that is plenty of capacity for pictures.
Battery life is also not great. A person reading email and taking some pictures and short video could get roughly five hours, according to a review on Engadget. The maximum time would fall dramatically if someone took a lot of video.
These limitations would make Glass a weak alternative to small video devices already available if someone wanted to secretly record in an office, Anton Chuvakin, analyst for Gartner, said Wednesday.
"It's completely unrealistic, but exciting to talk about," Chuvakin said of using Google Glass in a clandestine operation.
Because of the hardware limitations, jailbreaking the device also did not add much more risk. "To me, the risk of a rooted Glass device is similar to a rooted smartphone," Chuvakin said.
In addition to Glass' weak capabilities as a recorder, it is also far more expensive than much better stealthy video equipment. "Glass could certainly be used for espionage, but it is a very expensive toy to use for that purpose and has little to no advantage over already existing methods," said Chester Wisniewski, a senior security adviser for Sophos.
The bigger security issue with the current version of Glass is not having a mechanism to set a password in order to use the device, Wisniewski said. "But we can assume that a production ready version would not ship with such shoddy security."
Source: CSO
D-Link publishes beta patches for IP camera flaws
D-Link has published beta patches for vulnerabilities in the firmware of many of its IP surveillance cameras, which could allow a hacker to intercept a video stream.
The company said on its support forum that it will publish a full release of the upgraded firmware within a month. Some of D-Link's consumer IP cameras in its Cloud product line will automatically receive the updates.
"We are releasing beta firmware with the security patch for customers who want to manually update their cameras immediately," a D-Link administrator wrote on the company's support forum.
The administrator also posted instructions for how to upgrade the firmware. Users should not upgrade over a wireless connection, as an error could break the camera.
Identical notices were published on the pages for other affected products. The updates come after Core Security published on Monday details of five vulnerabilities in D-Link's firmware, which is used in more than a dozen of its products.
D-Link's IP video cameras can take stills and record video and can be managed through web-based control panels or mobile devices. Core found a range of problems, including hard-coded credentials and authentication issues that could allow an attacker access via the RTSP (real time streaming protocol).
The technical details were posted in the Full Disclosure section of Seclists.org. Some of the products have been phased out by D-Link, according to the company's website.
Source: Computerworld