Friday, May 16, 2008

Daily Report

• New Scientist reports Core Security has discovered a serious vulnerability in a software package called Suitelink that is widely used to automate the operation of power stations, oil refineries, and production lines. (See item 3)

• According to SkyNews, Swiss police say Al Qaeda is planning to attack the Euro 2008 football championships in Switzerland and Austria in June. (See item 36)

Information Technology

30. May 15, IDG News Service – (International) Non-tech criminals can now rent-a-botnet. Online fraudsters that are not highly skilled in the arts of cybercrime can now rent a service that offers an all-in-one hosting server with a built-in Zeus Trojan administration panel and infecting tools, allowing them to create their own botnet. EMC’s security division, the RSA Anti-Fraud Command Centre (AFCC), cited an increase in the use of the Zeus Trojan in attacks against financial institutions in its April online fraud report, claiming the Trojan is “extremely user friendly and easy to operate.” “Fraudsters who execute Zeus attacks simply need to take control of a compromised server or have their own back-end servers; once they have a server in place, they merely need to install the Zeus administration panel, create a user name and password, and start launching their attacks,” the report stated. But the AFCC recently traced a new service that does all of the above for would-be botnet barons. The service offers access to a “bullet-proof hosting server with a built-in Zeus Trojan administration panel and infection tools...the service includes all of the required stages in a single package, meaning that all the fraudster now has to do is pay for the service, access the newly hired Zeus Trojan server, create infection points, and start collecting data.” RSA’s banking and finance specialist said that those offering the Zeus package are mirroring what legitimate security vendors are offering -- security-as-a-service -- but in their case they are slinging malware-as-a-service. Source: http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/05/15/Non-tech-criminals-can-now-rent-a-botnet_1.html

31. May 14, Computerworld – (National) Phishing botnet expands by hacking legit sites. A botnet is now using a SQL injection attack tool designed to hack legitimate Web sites, a move meant to add more hijacked PCs to its collection, according to a security researcher. The Asprox botnet, which specializes in sending phishing spam, is pushing an update to the infected PCs it controls, the director of malware research at Atlanta-based SecureWorks Inc. said. The update is an executable file -- “msscntr32.exe” -- that installs as a Windows service dubbed “Microsoft Security Center Extension.” But the executable actually installs an SQL injection attack tool, he said. SQL injection attacks have become widespread as criminals increasingly target legitimate Web sites, figure out a way to hack them, then plant iFrames on those sites to redirect users to malicious servers. Those servers silently attack visitors’ PCs, often trying multiple exploits, and if one works, they download additional code to the machine to hijack it from its rightful owner and add it to an army of infected systems. “There are multiple things out there launching similar attacks,” said the researcher in explaining why there is confusion about how the tool is being spread. Some analysts have mistakenly concluded that the SQL injection tool is using wormlike tactics, according to the research director. “The tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts,” he said. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085564&source=rss_topic17

32. May 14, ars technica – (International) New international group to become the CDC of cyber security. Next week, the biannual World Congress of IT (WCIT) will be the venue for the launch of a new initiative from an organization that aims to become a platform for international cooperation on cyber security. The group calls itself the International Multilateral Partnership Against Cyber-Terrorism (IMPACT), and its advisory board features numerous tech luminaries. The group’s forthcoming World Cyber Security Summit (WCSS), which will be part of the WCIT 2008, is an effort to raise IMPACT’s profile as an international platform for responding to and containing cyber attacks. On a conference call this morning, one of IMPACT’s principals described the organization’s mission as becoming a kind of “CDC [Centers for Disease Control] for cyber security.” The idea is that it will provide both a forum and an actual communications system for coordinating international responses to cyber attacks, especially when those attacks involve civilian networks as a target, a source, or both. The principal members of IMPACT are governments, but the organization will include experts from academia and the private sector, as well. Indeed, the group is premised on the understanding that universities and corporations own most of the networks and computers that are at increasing risk of cyber attack, and that these entities are also at the forefront of current information security research and development. Source: http://arstechnica.com/news.ars/post/20080514-new-international-group-to-become-the-cdc-of-cyber-security.html

Communications Sector

33. May 14, SecurityFocus – (National) Admins warned of brute-force SSH attacks. Allowing secure shell access to a server tends to attract the occasional attempt to guess a valid username and password for the service. However, a spike in attacks this week has system administrators worried. According to the senior security analyst at UC Berkeley, “Given enough time, any password can be broken, and a lot of them can be broken with relative ease because humans are, to a degree, lazy and will almost always opt for non-random, easy to recall -- and hence easy to guess -- passwords.” Over the weekend, a number of network administrators issued warnings over an order-of-magnitude increase in the number of attempts to guess the username and password of systems running secure shell (SSH), the encrypted access method that replaced the common telnet service. System administrators at universities and some companies have reported login attempts coming from hundreds and thousands of Internet addresses over the past week, a stark increase from the handful of attacks the administrators saw previously. The Internet Storm Center, a network monitoring team supported by the SANS Institute, warned system administrators on Monday to take steps to protect their systems, noting the sharp spike in attacks. Source: http://www.securityfocus.com/news/11518
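As an added illustration for item 33 (not from the report or from SecurityFocus), the following Python script counts failed-password attempts per source address in constructed sshd log lines and flags the kind of jump in distinct failing sources that the article describes; the baseline, the per-IP threshold and the log lines themselves are assumed values.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the article); the format is
# the standard OpenSSH "Failed password" / "Accepted" syslog message.
SAMPLE_LOG = """\
May 12 03:14:01 host sshd[2311]: Failed password for root from 203.0.113.5 port 4022 ssh2
May 12 03:14:03 host sshd[2313]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
May 12 03:14:05 host sshd[2315]: Failed password for root from 203.0.113.5 port 4024 ssh2
May 12 03:14:07 host sshd[2317]: Failed password for invalid user test from 198.51.100.7 port 5100 ssh2
May 12 03:14:09 host sshd[2319]: Accepted publickey for alice from 192.0.2.10 port 6000 ssh2
May 12 03:14:11 host sshd[2321]: Failed password for root from 203.0.113.5 port 4025 ssh2
May 12 03:14:13 host sshd[2323]: Failed password for invalid user oracle from 198.51.100.8 port 5101 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def failed_logins(log_text):
    """Return (failed attempts per source IP, attempted usernames)."""
    per_ip = Counter()
    users = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            users[m.group("user")] += 1
    return per_ip, users


def assess(log_text, baseline_sources=1, per_ip_threshold=3):
    """Flag sources at or above per_ip_threshold failures, and report a
    'spike' when the number of distinct failing sources is an order of
    magnitude above the assumed daily baseline (baseline_sources)."""
    per_ip, users = failed_logins(log_text)
    noisy = {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}
    spike = len(per_ip) >= 10 * baseline_sources
    return {"sources": len(per_ip), "noisy": noisy, "spike": spike, "users": users}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

In practice the baseline would come from the previous weeks' counts for the same host, so that the alert fires on the change in scale rather than on the everyday background of guesses.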

34. May 14, IDG News Service – (International) Hacker writes rootkit for Cisco’s routers. A security researcher has developed malicious rootkit software for Cisco Systems’ routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet’s traffic. A researcher with Core Security Technologies developed the software, which he will unveil on May 22 at the EuSecWest conference in London. Rootkits are stealthy programs that cover up their tracks on a computer, making them extremely hard to detect. To date, the vast majority of rootkits have been written for the Windows operating system, but this will mark the first time that someone has discussed a rootkit written for IOS, the Internetwork Operating System used by Cisco’s routers. “An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems,” said the developer. Rootkits are typically used to install key-logging software as well as programs that allow attackers to remotely connect with the infected system. A Cisco rootkit is particularly worrisome because, like Microsoft’s Windows, Cisco’s routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC. In the past, researchers have built malicious software, known as “IOS patching shellcode,” that could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS. The new rootkit will be different. “It could work on several different versions of IOS,” he said. The software cannot be used to break into a Cisco router -- an attacker would need to have some kind of attack code, or an administrative password on the router to install the rootkit, but once installed it can be used to silently monitor and control the device. Source: http://www.pcworld.com/businesscenter/article/145898/hacker_writes_rootkit_for_ciscos_routers.html
