From XSS to root: Lessons Learned From a Security Breach

Published: April 14, 2010 Reading Time: 3 min

In an excellent blog post, the people from Apache did a very good job analyzing and documenting how a security breach happened, going through all the stages of the attack and drawing conclusions. Should you ever become the unfortunate victim of an attack, this post offers an example of how to document it! I quote: "If you are a user of the Apache-hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised." So if you are a user, please act accordingly after reading this post 😉 ...

Faceparty password sites really want you to click on things

Published: April 14, 2010 Reading Time: 3 min

"Faceparty is a UK based social networking site allowing users to create online profiles and interact with each other using forums and messaging facilities similar to email" – Wikipedia. Faceparty does things a little differently to other social networking sites, however. Unlike most places where you register a username and password and then start telling people how your farm is doing, to join Faceparty you need to send a text message to the tune of £25 / $38 (!) and then enter your one-time-use password onto this page (warning: quite a few swearwords, because the site is indeed down with the kids). ...

Heads up – 0day ITW – Rihanna is a lure

Published: April 14, 2010 Reading Time: 2 min

On April 9th, Tavis Ormandy published a proof of concept about how to use the latest version of Java to compromise a PC. You can read about it here. He notified Sun, but they weren't concerned enough to break their patch cycle, so he published the code. The problem is that when Sun released Java 6 Update 10 in April 2008, they introduced a new feature (it's not a bug, it's a feature, folks) called Java Web Start. In order to make it easier for developers to install software, they created a method to execute a program from a website. ...

German spammers broaden their repertoire

Published: April 14, 2010 Reading Time: 2 min

Last week we received a mass mailing that at first glance appeared no different from the usual mailbox clutter. The messages were in German and advertised an online casino. Nothing out of the ordinary there – after all, gambling-themed spam is one of the most popular in the German-speaking realms of cyberspace. But after a closer inspection, these messages turned out to be of much more interest – all the links in the messages led to pages created on legitimate sites that had been compromised. The links looked like this: ***.com/news_.php or *****.com/1500.php. ...

Please give me your username and password

Published: April 14, 2010 Reading Time: 1 min

Yesterday evening our spamtraps started receiving the email below in a mass mailing action. The email was immediately flagged as spam even before reaching our spamtraps. No wonder, since it has no To: field, its Reply-To: field differs from its From: field, and it comes from a DSL line IP address. If the user replies to the email, the return address is set to [email protected]. Nice try, but the email is just too generic to actually be taken seriously by anyone. I expect to see targeted emails in the next days (as we've already seen last year). ...

Zipping Images and Documents – Did That Really Help?

Published: April 14, 2010 Reading Time: 2 min

Does anyone really care about opening a zip file to examine an RTF or JPEG file? This task—combined with a dull, unexciting, unstimulating subject line—competes with the content of the email to win a race of worthlessness. Spammers have traditionally used zip files to carry executables, but in most cases the subject line or the content of the message made an effort to encourage users to open the attachment. There are cases of spamming attacks in which HTML attachments opened up a fully functional Web page, capable of carrying sensitive user information back to the fraudsters. However, with this latest spam attack using zipped files, not only have the spammers made an attempt to escape anti-spam filters, they’re missing out on reaching any users as well. The scope of returns for these messages looks to be much less rewarding than other comparable attacks. ...

Barcelona vs. Real Madrid Black Hat SEO attack

Published: April 12, 2010 Reading Time: 2 min

Of course I'm talking about football. When I say football I mean the game that is played with one ball that is kicked with the foot, not the other game that is known as football in the US even though it's played using the hands. Anyway, I don't like football at all, it's too boring for me. But, at least in Europe, everyone loves football. And one of the best national championships is the Spanish one, with the 2 biggest teams being Real Madrid and F.C. Barcelona. Every time they play against each other, millions of people watch that game, and news about it is going around all the time. Last Saturday they played in Madrid, and this being such a popular match, cybercriminals couldn't miss the opportunity. ...

Malware humor

Published: April 12, 2010 Reading Time: 2 min

Every once in a while, you find some odd piece of text in a piece of malware. Debugging the TDL 3 rootkit yields some interesting results. Here are messages that dump in the debug window at various times:

Fri Apr 9 09:02:37.495 2010 (GMT-4): You people voted for Hubert Humphrey, and you killed Jesus
Fri Apr 9 09:03:01.900 2010 (GMT-4): Ah Lou, come on man, we really like this place
Fri Apr 9 11:53:08.715 2010 (GMT-4): Dude, meet me in Montana XX00, Jesus (H. Christ)
Fri Apr 9 12:18:27.522 2010 (GMT-4): I felt like putting a bullet between the eyes of every panda that wouldn’t screw to save it’s species. I wanted to open the dump valves on oil tankers and smother all those french beaches I’d never see. I wanted to breathe smoke ...

Plenty of Updates on Patch Tuesday

Published: April 12, 2010 Reading Time: 1 min

Many patches are announced for tomorrow: the Redmond company expects to release 11 security bulletins. Of those, 5 are rated critical, 5 important and 1 moderate. The patches belonging to the bulletins will close 25 security vulnerabilities in Windows, Exchange and Office. Adobe plans to deliver security updates for critical vulnerabilities in Adobe Reader and Acrobat for all supported platforms tomorrow. Additionally, the automatic updater will be activated with the patches, so that in future updates get installed silently.

WordPress blog pages redirected to rogue site

Published: April 12, 2010 Reading Time: 1 min

Brian Krebs, in his "Krebs on Security" blog, is reporting that a large number of WordPress blog pages have been hacked to redirect visitors to networkads.net, which downloads rogue security applications onto their machines. Also, the owners of the blogs are locked out of access. "It's not clear yet whether the point of compromise is a WordPress vulnerability (users of the latest, patched version appear to be most affected), a malicious WordPress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider," Krebs wrote. ...