Archive for February, 2010

BLADE: Hacking Away at Drive-By Downloads — Krebs on Security

February 24, 2010

BLADE: Hacking Away at Drive-By Downloads — Krebs on Security


Shell’s employee database breached: 170,000 records compromised

February 16, 2010

Shell's employee database breached: 170,000 records compromised: “Oil giant Shell was unpleasantly surprised when it received news of a database containing contact information of some 170,000 of their workers having been emailed to seven non-governmental groups and …”

(Via Help Net Security – News.)

Banks Fail to Provide Effective Online Security

February 16, 2010

Banks Fail to Provide Effective Online Security: “

By Robert Siciliano, ID Theft Expert and Security Consultant to Intelius.com

A Texas bank is suing one of its customers who was hit by an $800,000 online bank theft that could determine who is to be held responsible for protecting their online accounts from fraud.

Computerworld reports Romanian- and Italian-based criminal hackers launched numerous wire transfers out of the client’s bank account. The bank recovered $600,000 of the $800,000.

The victim wanted all its money back and sued the bank to be reimbursed of the $200,000. The bank in turn filed a lawsuit requesting the bank certify it had adequate security that was considered ‘commercially reasonable’.

The bank doesn’t want anything more than to be absolved of the $200,000.

The bank states all transfers originated from unauthorized wire transfer orders that had been placed by someone using valid Internet banking credentials belonging to the victim.

How the victim’s credentials fell into the wrong hands has not been disclosed. It seems it was the victim’s lax security as opposed to the bank’s.

There are numerous ways this can happen. What is evident is there were wire transfers of various dollar amounts ranging from $2500.00 to $100,000 made to different accounts all overseas.

The basis of the victim’s lawsuit is that the bank should have systems in place to detect such activity.

Small businesses and banks are losing money via attacks on their online banking accounts.

It’s very simple: criminal hackers send an e-mail with a link to a malicious site or download to employees who handle their company’s bank accounts.

These malicious links then steal the username and passwords the employees use to log in to their online banking accounts. Done.

So, if my PC is compromised because I don’t have adequate security and $800,000 goes missing from my account, whose fault is it? At first glance some may say the victim’s, others may say the bank’s.

The fact that there are so many ways passwords can be compromised and accounts can be taken over, and that banks know this, should motivate banks to have redundant security in place.

Hacks like this undermine people’s confidence in the system.

Here is a similar story being played out. I’m a big believer in taking action and making sure my systems are secure. And, the bank has some responsibility here too.

I, we the public, have limitations on what we can do to be secure. I bet anything the bank will tighten up regardless of what the outcome of the lawsuit is because they have to see there is a weakness in their system.

If they don’t, they are stupid.

I’ve been trying to transfer money from one bank account to another. My bank has made it difficult to do so. Painful even. It’s a customer service and a security issue.

Ultimately they provide an option to do so and it requires paperwork, online authentication, phone calls and text messages.

It’s not a matter of logging in and transferring money by entering another account. Even with my own login details I’m having a hard time transferring money.

Check to see how easy or difficult your bank makes it. Because if it’s easy peasy, that could be an issue if your PC is hacked.

1. Get a credit freeze. Go online now and search ‘credit freeze’ or ‘security freeze’ and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius identity theft protection and prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU. (Disclosures)

3. Make sure your anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.

* * *


Robert Siciliano is an expert on personal security and identity theft as the CEO of IDTheftSecurity.com. An American television news correspondent, security analyst, and author of ‘The Safety Minute: How to take control of your personal security and prevent fraud’. Featured on The Today Show, CBS Early Show, CNN, MSNBC, FOX, CNBC, Inside Edition, EXTRA, Tyra Banks, Stern, and in USA Today, Forbes, Tech Republic, SC, CSO, Search Security, Tech News World, EWeek, SecurityInfoWatch, NY Times, Boston Globe, LA Times, Wash Post, Chicago Tribune, AP, UPI, Reuters, and Entrepreneur.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

(Via Information Security Resources.)

‘Aurora’ Attacks Still Under Way, Investigators Closing In On Malware Creators – DarkReading

February 16, 2010

‘Aurora’ Attacks Still Under Way, Investigators Closing In On Malware Creators – DarkReading: “

‘Aurora’ Attacks Still Under Way, Investigators Closing In On Malware Creators
Researchers find ‘markers’ associated with authors of Aurora malware used in attacks against Google, others
Feb 10, 2010 | 02:27 PM

By Kelly Jackson Higgins
DarkReading
The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others.”

Malicious Spam Jumps to 3 Billion Messages Per Day

February 16, 2010

Malicious Spam Jumps to 3 Billion Messages Per Day: “

Last year was an interesting year in the security industry in a number of ways, but perhaps none more so than the monstrous increase in the volume of malicious spam. In the second half of 2009, the number of spam messages sent per day skyrocketed from 600 million to three billion, according to new research.


(Via threatpost – The First Stop for Security News.)

BSOD after MS10-015? TDL3 authors “apologize”

February 16, 2010

BSOD after MS10-015? TDL3 authors “apologize”: “

Last November we blogged about a new rootkit spreading around the net. That rootkit, called TDL3 or TDSS or Tidserv (there are many different names for the same malware, as often happens among security companies), was pretty scary because of the new way it compromised the system, using both improved and new tricks.

After a couple of months, we’re here to raise the alarm again about this threat, which has been improved by its creators.

The fact is that the team of coders behind this rootkit is working hard to improve its creature. During these months they never stopped updating it, releasing every day – sometimes even several times a day – new, rebuilt droppers able to evade generic detection signatures.

All TDL3 droppers have been rebuilt server-side every day during November, December, January and February. This allowed the authors to break weak signatures or badly written generic detection routines. Actually this was the only effective obstacle; otherwise only a really small number of specific anti-rootkits are able to detect the infection when active.

Even the rootkit itself has been updated and armored, to defend itself against a number of specific anti-rootkit tools. It’s funny following the full story of the rootkit, because it looks like a nice chess game between security vendors and malware authors. It’s one of the few times you can see a team of rootkit writers counteracting security vendors almost in real time.

We already knew the rootkit is able to infect a system driver and to filter every disk I/O request by applying a strong filtering mechanism. Now the rootkit has added a watchdog thread able to prevent any change to the service registry key related to the infected driver. By doing so, it is able to block some basic cleanup tools.

Another self-defense feature added to the rootkit is that no one is able to get a handle to the infected driver file anymore. By doing so, the rootkit prevents some cleanup tools from reading the content of the file. Prior versions of the rootkit allowed the infected file to be read, though they showed the clean copy of it. This trick was used by some security tools to recover the original clean copy of the file to restore.

We have some doubts about the real usefulness of this self-defense feature. If it’s true that it’s no longer possible to get the original file content, it’s also true that it is now easier to discover the infected driver, because every scanner will get no access at all to the file and this anomaly will be reported.

Last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17-year-old bug. After some users updated their Windows operating systems, they got a scary and really annoying blue screen of death.

Most of those users were angry with Microsoft, but the problem this time is not related to Microsoft. Indeed, a number of the users affected by this BSOD were infected by the TDL3/TDSS rootkit.

More exactly, the TDL3 rootkit looks incompatible with the MS10-015 update. This is the cause of the BSOD. The problem resides in the laziness of the rootkit writers when writing the driver infection routine.

When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard-codes them, so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the address of the wanted functions.

This worked well until the MS10-015 update, when Microsoft updated the Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, the system is restarted. At system restart, the rootkit code tries to call an invalid address and this causes the BSOD.
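The offset-caching failure described above, as an added example (not code from the Prevx post or from the rootkit): it builds two constructed stand-ins for a kernel export table, resolves an API by name the way a loader does, and shows how a forensic check can tell that an RVA hard-coded at infection time no longer matches the updated image. The export directory layout is the real IMAGE_EXPORT_DIRECTORY; the RVA values are made up, and the blob skips the PE headers a real parser would walk first.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp, Major/MinorVersion,
# Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions/Names/NameOrdinals.
EXPORT_DIR_FMT = "<IIHHIIIIIII"

def build_export_blob(exports):
    """Constructed fixture: an export directory followed by its three tables and
    the name strings. In this blob an RVA is simply an offset into the blob."""
    names = sorted(exports)  # AddressOfNames is kept sorted in real images
    n = len(names)
    funcs_off = struct.calcsize(EXPORT_DIR_FMT)
    names_off, ords_off = funcs_off + 4 * n, funcs_off + 8 * n
    strings_off = ords_off + 2 * n
    strings, name_rvas = b"", []
    for name in names:
        name_rvas.append(strings_off + len(strings))
        strings += name.encode() + b"\0"
    header = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, 0, 1, n, n,
                         funcs_off, names_off, ords_off)
    funcs = b"".join(struct.pack("<I", exports[name]) for name in names)
    name_tbl = b"".join(struct.pack("<I", rva) for rva in name_rvas)
    ords = b"".join(struct.pack("<H", i) for i in range(n))
    return header + funcs + name_tbl + ords + strings

def parse_exports(blob):
    """Resolve exports the way a loader or scanner does: name table -> ordinal
    table -> function table. This is the lookup the rootkit skipped at boot."""
    (_, _, _, _, _, _base, n_funcs, n_names,
     funcs_off, names_off, ords_off) = struct.unpack_from(EXPORT_DIR_FMT, blob, 0)
    funcs = struct.unpack_from("<%dI" % n_funcs, blob, funcs_off)
    name_rvas = struct.unpack_from("<%dI" % n_names, blob, names_off)
    ords = struct.unpack_from("<%dH" % n_names, blob, ords_off)
    exports = {}
    for name_rva, ordinal in zip(name_rvas, ords):
        end = blob.index(b"\0", name_rva)
        exports[blob[name_rva:end].decode()] = funcs[ordinal]
    return exports

def offset_still_valid(kernel_blob, api_name, cached_rva):
    """Defender's check: does an RVA hard-coded at infection time still name the
    export it was computed from in the kernel image now on disk?"""
    return parse_exports(kernel_blob).get(api_name) == cached_rva

# Constructed export tables standing in for ntoskrnl before and after a kernel
# update; the API names are real ntoskrnl exports, the RVA values are made up.
KERNEL_BEFORE = build_export_blob({"ExAllocatePool": 0x4A110, "IoGetDeviceObjectPointer": 0x7C3F0})
KERNEL_AFTER = build_export_blob({"ExAllocatePool": 0x4A2C0, "IoGetDeviceObjectPointer": 0x7C5A0})
CACHED_AT_INFECTION = parse_exports(KERNEL_BEFORE)["ExAllocatePool"]  # what the dropper stored
```

A resolver that re-reads the export table at every boot, as the loader does, keeps working across the update; the cached value does not, which is exactly the mismatch a scanner can flag when it finds a stale offset inside a patched driver.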

The good news is that the TDL3 authors care about us and released, within a couple of hours, a new updated version of the rootkit compatible with the Microsoft patch.

Sadly the number of users affected by this BSOD is quite high, and this means the rootkit infection is spreading quickly.

Moreover, a parallel version of the TDL3 rootkit is spreading too. This one uses an old infection technique, already seen in one of the first versions of TDL3. The injected DLL is no longer called tdlcmd.dll but instead z00clicker.dll.

International law enforcement should really consider cooperating with security vendors and try to shut down this botnet by tracking down the gang behind it. They are active, and they are able to release updates every day. They are already a serious threat that should be defeated as soon as possible.

If during a scan Prevx reports an infection caused by tdlcmd.dll or z00clicker.dll, please contact Prevx technical support. Our technicians will help our customers get rid of the TDL3 infection.

(Via Prevx Blog.)

French judge issues arrest warrant for cyclist Floyd Landis in alleged hacking incident – latimes.com

February 16, 2010

French judge issues arrest warrant for cyclist Floyd Landis in alleged hacking incident – latimes.com: “

The French national anti-doping lab says its computers were compromised. Landis, who was stripped of his 2006 Tour de France title after failing a drug test, dismisses the idea that he was involved.”


New Banking Trojan Discovered Targeting Businesses’ Financial Accounts – DarkReading

February 15, 2010

New Banking Trojan Discovered Targeting Businesses’ Financial Accounts – DarkReading


Political hacktivism and the exploitation of tragedies is on the rise

February 9, 2010

Political hacktivism and the exploitation of tragedies is on the rise: “A new McAfee report highlights the rise of political hacktivism in countries like Poland, Latvia, Denmark and Switzerland as well as the most significant spam-generating stories in 2009. 2009 averaged…”

(Via Help Net Security – News.)

81% percent of e-mail links to malware

February 9, 2010

81% percent of e-mail links to malware: “81% percent of e-mail links to malware”

(Via Help Net Security – News.)