STE WILLIAMS

Anonymous takes the Kremlin offline in Putin protest

Hacktivist group Anonymous has been up to its old tricks again, this time briefly taking out the web site of the Russian president as a show of support for the growing opposition to newly re-crowned leader Vladimir Putin.

Like most of the group’s DDoS campaigns, the attack only temporarily disrupted the kremlin.ru site, which is back online now, according to reports.

Anonymous tweeted from its Op_Russia Twitter account on Wednesday, referencing OpDefiance, its new campaign designed to protest against what it claims were unfair elections in Russia which swept former president and prime minister Putin back to power.

The Kremlin should have seen the attack coming really, given that Anonymous broadcast to the world via a YouTube clip at the weekend that it would be supporting Russian protests against Putin’s re-election by “taking down government information resources”.

Russian news site RT claimed that government web sites gov.ru and government.ru were also under attack on Wednesday, but managed to stay online.

The Kremlin released a brief but defiant statement to RT.com.

We received threats from Anonymous several days ago but we can’t confirm it’s exactly this group that attacked the Kremlin.ru website. At the moment we can’t establish who’s behind the attack. Unfortunately we live at a time when technology security threats have mounted, but we have the means to resist them.

It would be fair to expect similar attacks on Russian government sites in the coming days, as long as the protests against Putin continue.

Ironically, the Kremlin itself was accused during the Russian parliamentary election in December of DDoS-ing several critical web sites in a bid to stifle debate about possible electoral fraud. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/10/anonymous_kremlin_ddos_putin/

PHP devs lob second patch at super-critical CGI bug

The developers of PHP have released updates to thwart fresh attacks against systems that use the scripting language to dynamically generate web pages.

All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13, as appropriate, after a serious security bug in PHP-CGI-based setups was disclosed. Developers attempted to fix this long-standing, but only recently discovered, flaw in a new version on 3 May, before deciding the fix was incomplete and releasing a new set of patches on Tuesday, 8 May.

This is just as well because the PHP-CGI vulnerability has become the target of a series of attacks against sites hosted by DreamHost and others over recent days. Attempts to exploit the bug were witnessed by net honeypots maintained by security researchers at TrustWave SpiderLabs. The assaults were ultimately designed to plant backdoors on vulnerable web servers, as an advisory by TrustWave explains.

The PHP-CGI remote code execution bug was discovered by German security researchers, who traced the flaw to changes introduced in the codebase way back in 2004. The Eindbazen crew told PHP developers about the bug, and work was going on behind the scenes to develop a fix. However the wheels fell off this project after discussions surrounding the security hole were accidentally made public, exposing the existence of the flaw to world+dog before a patch was ready.

This, in turn, prompted the decision to rush out updates that failed to close the hole before this week’s release of a second set of security updates.

PHP 5.4.3 also addresses a buffer overflow vulnerability in the apache_request_headers() function, as explained in an advisory here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/09/php_cgi_patch/

Scandal ad slingers cough up $100k in ‘Facebook clickjack’ case

A marketing firm accused of running campaigns via a web of unscrupulous affiliates – who flooded Facebook with spam – has agreed to clean up its network. The business’s owners settled a lawsuit brought against them and have denied any wrongdoing.

Delaware-based Adscend Media allegedly made $1.2m (£743k) per month [1] from messages supposedly offering “scandalous or provocative content”.

In reality the attached links often led towards sites that coaxed punters into handing over personal information as part of “online surveys” which then failed to dish the promised dirt.

These polls were allegedly also promoted by the use of “likejacking” in which Facebook users were tricked into clicking on “like” buttons, inadvertently punting sales pitches at their friends.

The allegations prompted a lawsuit by the Washington State Attorney General’s Office against Adscend and its co-owners – Jeremy Bash of Huntington, West Virginia and Fehzan Ali, of Austin, Texas – in January.

The defendants settled the case this week by paying $100,000 (£61k) in attorneys’ costs and fees and agreeing to an injunction prohibiting unethical marketing behaviour – the court decree is here [PDF]. The defendants also agreed to pay for independent monitoring of the firm’s affiliate network.

A statement by the Washington State Attorney General’s Office can be found here.

Last week Facebook dropped a separate lawsuit against Adscend Media.

A detailed discussion of how clickjacking works, along with a discussion of the Adscend Media settlement, can be found in a post on Sophos’ Naked Security blog here. ®

Lootnote

[1] Adscend counters that Washington’s estimates are grossly overestimated without saying what its real revenues were nor admitting any liability on its own part. It blames rogue affiliates for the offending messages.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/09/facebook_clickjacking_lawsuit/

Jetting off abroad? Pack protection … for your Wi-Fi

A US government agency is warning travellers to be wary of malware that installs itself via pop-up browser windows on hotel internet connections.

The malicious dialogue boxes typically pose as software updates to legitimate software products, an advisory from the FBI’s Internet Crime Complaint Center (IC3) explains.

“The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel internet connection,” IC3 warns. “[Checking] the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack.

“The FBI also recommends that travellers perform software updates on laptops immediately before travelling, and that they download software updates directly from the software vendor’s website if updates are necessary while abroad.”

Reading between the lines, the agency is urging business travellers to safeguard themselves against malware-based attacks that are ultimately aimed at industrial espionage. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/09/hotel_wi_fi_malware_warning/

Leaked Twitter accounts ‘mostly banned spammers’

Twitter has downplayed the significance of a data dump that leaked the login details of 55,000 twits.

Most of the usernames and passwords copied into a string of five Pastebin posts on Monday are either duplicates or belong to blocked spammers, according to the micro-blogging site. A spokesman said it was in the process of resetting the passwords of compromised legitimate accounts.

“We’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other),” Twitter’s Robert Weeks told CNN.

“We are currently looking into the situation. In the meantime, we have pushed out password resets to accounts that may have been affected,” he added.

It’s unclear how the credentials were obtained, although one strong possibility is that hackers slurped the data from a phishing website that tricked users into revealing their login details. The motives of the miscreants who shovelled the passwords onto Pastebin also remain unclear. Airdemon, the site that broke news of the dump, suggested the dump is designed to highlight Twitter’s supposed security shortcomings.

Twitter has reason to be sensitive about data breaches. A pair of digital break-ins back in 2009 resulted in a privacy lawsuit from the FTC, which was settled last year with an undertaking from the micro-blogging service to improve its security practices.
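Twitter’s statement above describes three categories in the dump: exact duplicates, already-suspended spam accounts, and username/password pairs that are not actually linked to each other. The following is an added example, not code from the article or from Twitter, of how a site operator would triage such a list against its own account store before pushing out resets. The dump text, the account records and the PBKDF2 hashing scheme are all constructed for the example.

```python
import hashlib
import os
from collections import Counter

# Constructed sample of a "user:password" dump in the style of the Pastebin
# posts the article describes. Every line here is invented, including the
# duplicates and the malformed trailing entry.
DUMP_TEXT = """\
alice:hunter2
bob:letmein
alice:hunter2
carol:qwerty
bob:letmein
dave:password1
nobody:zzz
mallory
"""


def parse_dump(text):
    """Split a dump into (username, password) pairs, skipping malformed lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        if user and pw:
            pairs.append((user, pw))
    return pairs


def dedupe(pairs):
    """Return (unique_pairs, duplicate_count); order of first appearance is kept."""
    counts = Counter(pairs)
    duplicates = sum(c - 1 for c in counts.values())
    return list(counts.keys()), duplicates


def _hash(pw, salt):
    # Salted PBKDF2-HMAC-SHA256; the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def make_store(accounts):
    """Build a constructed account store: username -> salt, hash, suspended flag."""
    store = {}
    for user, pw, suspended in accounts:
        salt = os.urandom(16)
        store[user] = {"salt": salt, "hash": _hash(pw, salt), "suspended": suspended}
    return store


# Constructed accounts: bob's real password differs from the leaked one,
# and carol is a spam account that was suspended before the leak.
STORE = make_store([
    ("alice", "hunter2", False),
    ("bob", "different-password", False),
    ("carol", "qwerty", True),
])


def triage(pairs, store):
    """Classify each unique leaked pair into the buckets the statement names.

    unknown   - username does not exist here at all
    suspended - account already blocked, nothing to reset
    unlinked  - username exists but the leaked password does not match
    reset     - leaked password verifies, so the account needs a forced reset
    """
    result = {"unknown": [], "suspended": [], "unlinked": [], "reset": []}
    for user, pw in pairs:
        rec = store.get(user)
        if rec is None:
            result["unknown"].append(user)
        elif rec["suspended"]:
            result["suspended"].append(user)
        elif _hash(pw, rec["salt"]) != rec["hash"]:
            result["unlinked"].append(user)
        else:
            result["reset"].append(user)
    return result


if __name__ == "__main__":
    unique, dups = dedupe(parse_dump(DUMP_TEXT))
    print(f"{dups} duplicate entries removed, {len(unique)} unique pairs")
    print(triage(unique, STORE))
```

Only accounts in the `reset` bucket actually had a working credential exposed; a cautious operator may still reset the `unlinked` ones, since the username alone tells an attacker where to aim password-guessing, but the split shows how a headline count of 55,000 shrinks once duplicates, dead accounts and mismatched pairs are removed.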

Occupy protest twit faces account occupation

In other Twitter-related news, the messaging service is fighting a court order that would compel it to turn over the personal details and direct messages sent by a tweeter allegedly involved in the Occupy Wall Street protests.

The case surrounds Malcolm Harris, who was charged with disorderly conduct during demonstrations on the Brooklyn Bridge last year. Harris was denied permission to challenge the disclosure order against the @destructuremal profile, a ruling that prompted Twitter to get involved in the case.

The American Civil Liberties Union praised Twitter over its stance, thanking Twitter for standing up for free speech and individual privacy. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/09/twitter_downplays_password_data_dump/

Microsoft makes good with a 23-fix Patch Tuesday

It’ll be all hands to the pumps in IT departments around the globe as Microsoft has issued this month’s round of patches. There are 23 flaws to be fixed.

The seven patches include three critical issues, affecting Microsoft Windows, Office, Silverlight, and the .NET Framework. One patch, MS12-034, is specifically aimed at fixing possible attack vectors for the Duqu malware that Redmond initially blocked in December. It sorts ten flaws, some of which are publicly disclosed.

“Duqu is no longer able to exploit that vulnerability after applying the security update. However, we wanted to be sure to address the vulnerable code wherever it appeared across the Microsoft code base,” blogged Jonathan Ness from Microsoft’s security research center engineering team.

“To that end, we have been working with Microsoft Research to develop a ‘Cloned Code Detection’ system that we can run for every MSRC case to find any instance of the vulnerable code in any shipping product.”

Microsoft’s second highest priority is a critical flaw in Word that allows remote code execution from malware accessed via email and websites. One exploit is in the wild but doesn’t give admin access, and Office 2010 users don’t need to fix this. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/09/microsoft_patch_tuesday_23/

Zombie PCs exploit hookup site in 4Square-for-malware scam

Security researchers have discovered a strain of malware that uses the geolocation service offered by an adult dating website as an easy way to determine the location of infected machines.

Thousands of infected machines in a zombie network all phoned home to the URL promos.fling.com/geo/txt/city.php at the adult hookup site fling.com, security researchers at Websense discovered. Analysts first thought the adult dating site was being abused as a botnet command and control channel.

Not so.

A more detailed look at the traffic from an infected machine revealed that JavaScript code built into the malware is used to query Fling’s systems in order to discover the exact location – state, city, latitude and longitude – of infected PCs.

All indications are that Fling.com is not in on this. Instead, its unsecured geo-location services are being used as a kind of 4Square for zombie PCs. This information is “used by the botmaster for statistics or to give different commands to infected machines in certain countries,” Websense explains. The security firm reports that more than 4,700 samples of the as-yet-unnamed malware behind the attack have been submitted to its security lab to date.

A blog post by Websense, featuring a Wireshark dump of traffic from a deliberately infected machine, can be found here. ®
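The pattern Websense describes, many internal hosts fetching one exact third-party geolocation URL with no page load around it, is easy to spot in proxy logs. The script below is an added example, not code from Websense or the article; the log format, the internal IP addresses and the one legitimate browsing session are constructed, and only the promos.fling.com URL comes from the story.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines. Field order (invented for the example):
# timestamp client-ip method url referer user-agent ("-" means no referer).
LOG_LINES = """\
2012-05-08T09:00:01Z 10.0.0.5 GET http://promos.fling.com/geo/txt/city.php - Mozilla/4.0
2012-05-08T09:00:07Z 10.0.0.9 GET http://promos.fling.com/geo/txt/city.php - Mozilla/4.0
2012-05-08T09:01:15Z 10.0.0.12 GET http://promos.fling.com/geo/txt/city.php - Mozilla/4.0
2012-05-08T09:02:30Z 10.0.0.20 GET http://www.fling.com/ - Mozilla/5.0 (Windows NT 6.1) Firefox/12.0
2012-05-08T09:02:31Z 10.0.0.20 GET http://promos.fling.com/geo/txt/city.php http://www.fling.com/ Mozilla/5.0 (Windows NT 6.1) Firefox/12.0
2012-05-08T09:03:00Z 10.0.0.33 GET http://www.example.com/news - Mozilla/5.0
"""

# Watch list of endpoints that return a client's location. The fling.com entry
# is the URL named in the article; add others as they turn up in investigations.
GEO_ENDPOINTS = {"promos.fling.com/geo/txt/city.php"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, method, url, referer, ua = m.groups()
    u = urlparse(url)
    return {"ts": ts, "host": host, "method": method,
            "endpoint": u.netloc + u.path, "referer": referer, "ua": ua}


def _ip_key(ip):
    # Sort dotted-quad addresses numerically rather than as strings.
    return tuple(int(part) for part in ip.split("."))


def find_geo_beacons(lines, min_hosts=3):
    """Return {endpoint: [hosts]} for watched endpoints hit by >= min_hosts clients.

    A request carrying a referer from a page on the same site is treated as a
    browser visit and ignored; a bare request with no referer is a candidate
    beacon. Reporting only endpoints with several distinct clients filters out
    a single curious user and keeps the fan-in pattern the article describes.
    """
    by_endpoint = defaultdict(set)
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or rec["endpoint"] not in GEO_ENDPOINTS:
            continue
        if rec["referer"] == "-":
            by_endpoint[rec["endpoint"]].add(rec["host"])
    return {ep: sorted(hosts, key=_ip_key)
            for ep, hosts in by_endpoint.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for endpoint, hosts in find_geo_beacons(LOG_LINES).items():
        print(f"{endpoint}: {len(hosts)} hosts beaconing -> {', '.join(hosts)}")
```

Host 10.0.0.20 is not flagged because its geolocation request follows a page view on www.fling.com and carries that referer; the three hosts with a bare request and the Mozilla/4.0 user-agent are the ones worth pulling for analysis. In a real deployment the same logic runs over the proxy's own log format and the watch list grows as new abused endpoints are identified.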

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/08/geo_location_malware/

Apple logging passwords in plain text

A post to Cryptome is pointing the finger at Apple for logging plain-text passwords of users of “legacy” Filevault under Lion 10.7.3.

According to David Emery, the February update of Lion turned on a debug switch which, as a result, logs in plain text the password of a user of an encrypted directory tree. “Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012,” the post notes.

It’s not the first time this logging behavior has been spotted, but only with the Cryptome post has it strayed beyond one post to Apple and a thread on Novell’s forums wondering what’s going on.

Emery says the log is accessible via a number of approaches, including opening the machine’s drive in Firewire disk mode, or booting via the recovery partition.

One of the Novell thread posters suggests symlinking /var/logs/secure.log to /dev/null to kill the logging.

While the passwords are only locally available, Emery notes that the logging breaks the “family security” model in which different users of the same machine are kept away from each others’ files. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/06/lion_logging_passwords_by_accident/

Cybercrims dump email for irresistible Twitter, Facebook spam

Cybercrooks have quit pouring barrels of spam into email inboxes in favour of hassling marks on social networks as an easier way to make money.

The dismantling of remote-controllable armies of compromised PCs, the collapse of some dodgy affiliate advertising networks, and better spam-filtering technology have all resulted in a decrease in traditional email spam delivery.

However, dodgy messaging to promote sites selling knock-off goods, pills to enhance performance beneath the sheets, and other tat, has only been displaced rather than destroyed. Twitter and Facebook have both become primary conduits for spam in the process – and the messages sent usually look far more convincing.

Paul Judge, chief research officer at Barracuda Networks, said that one in 100 tweets on Twitter and one in 60 messages on Facebook were either spam or malicious. The switch from email was an obvious move for crooks because social networks are where the majority of internet users spend their time, Judge told delegates at Barracuda’s technical conference in Munich on Friday.

“Wherever users are attackers will follow,” he explained.

Judge described automated tools used to set up fake accounts on Facebook. These accounts use like-jacking (a form of click-jacking), among other techniques, to trick users into landing on pages that promote survey scams, earning miscreants affiliate revenue in the process. The nuisance level created by fake accounts is not in proportion to their actual number, which Judge admitted was hard to quantify. He compared the situation to the early days of email spam.

“Tools are available to automatically generate a profile and make it look like a real user by adding likes and places of education attended, for example,” Judge explained. Fake profiles are very different from legitimate profiles: 97 per cent of fakes are female, compared to 40 per cent of the real population on Facebook, and 58 per cent claim to be bisexual females, compared to 6 per cent of the real female users of the social network who say they like both men and women. Fake profiles also tend to have “more friends”, 726 on average compared to the 130 average for the general Facebook population.

Creating a snowball of spam

Spammers also use fake fan pages, featuring big names such as Harry Potter and Nike, to promote dodgy links – a situation Judge described as “out of control”. Once established, the bogus pages are linked up by the fake profiles through wall posts and photo tagging to gain extra traction and can attract hundreds of thousands of likes from misled punters in just a few days.

“If a person likes a page, they can be tagged in a photo with 50 other people who each have hundreds of friends. Thousands can be reached from one photo, making the process very efficient,” Judge explained. The photo has a comment underneath containing a malicious link that poses as links to more photographs.

“Facebook could make changes to restrict the utility of photo tagging to spammers by, for example, only allowing the photo tagging of someone you are already friends with but this would reduce the overall number of page views.”

Twitter is also extensively used by spammers: fake accounts can be created far more easily than on Facebook via a trivial scripted process that involves submitting only a name, email address and password. Fake accounts either mention legitimate users or comment on trending topics in order to trick surfers into following dodgy links. Many fake accounts can be recognised by following a large number of people but having few people following them back.
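The three tells in the paragraph above (a lopsided following-to-followers ratio, tweets that are mostly links, tweets that are mostly @-mentions of strangers) combine naturally into a simple scoring rule. The code below is an added example, not Barracuda’s tooling or anything from the article; the account records and the thresholds are constructed for illustration and would need tuning against real data.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """Constructed summary of one account's public profile and recent tweets."""
    handle: str
    following: int
    followers: int
    tweets_total: int
    tweets_with_link: int      # tweets carrying at least one URL
    tweets_with_mention: int   # tweets @-mentioning an account


def follow_ratio(a):
    """Following divided by followers; accounts nobody follows count as 1 follower."""
    return a.following / max(a.followers, 1)


def spam_score(a, ratio_threshold=20.0, link_threshold=0.8, mention_threshold=0.8):
    """Score an account on the signals described in the article.

    Returns (score, reasons). The ratio signal is weighted double because an
    account that follows thousands and is followed by almost nobody is the
    strongest single indicator named; the link and mention signals add one each.
    """
    score, reasons = 0, []
    if a.following >= 200 and follow_ratio(a) >= ratio_threshold:
        score += 2
        reasons.append("follows many accounts, few follow back")
    if a.tweets_total:
        if a.tweets_with_link / a.tweets_total >= link_threshold:
            score += 1
            reasons.append("nearly every tweet carries a link")
        if a.tweets_with_mention / a.tweets_total >= mention_threshold:
            score += 1
            reasons.append("nearly every tweet @-mentions someone")
    return score, reasons


def flag_accounts(accounts, min_score=2):
    """Return [(handle, score, reasons)] for accounts at or above min_score, highest first."""
    flagged = []
    for a in accounts:
        score, reasons = spam_score(a)
        if score >= min_score:
            flagged.append((a.handle, score, reasons))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# Constructed accounts: a news outlet, an ordinary user, a classic link spammer
# and a marketing account that posts only links but has a normal follow graph.
SAMPLE = [
    Account("@realnews", following=150, followers=120_000, tweets_total=100,
            tweets_with_link=40, tweets_with_mention=5),
    Account("@jane_doe", following=300, followers=250, tweets_total=200,
            tweets_with_link=10, tweets_with_mention=60),
    Account("@free_ipad_2012", following=2000, followers=15, tweets_total=100,
            tweets_with_link=95, tweets_with_mention=90),
    Account("@deals_bot77", following=1500, followers=400, tweets_total=100,
            tweets_with_link=100, tweets_with_mention=0),
]

if __name__ == "__main__":
    for handle, score, reasons in flag_accounts(SAMPLE):
        print(f"{handle}: score {score} ({'; '.join(reasons)})")
```

Requiring a minimum score of 2 means a single signal never flags an account on its own: the all-links marketing account scores 1 and is left alone, while the account that follows 2,000 people, is followed by 15, and fills its timeline with links and @-mentions scores 4. The same approach carries over to the Facebook statistics in the article, where claimed gender, orientation and friend count could feed further weighted signals.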

Stephen Pao, vice president of product management at Barracuda, said that much the same groups involved in email spam have moved over to peppering social networks with junk messages. “It’s the same ecosystems and you can see examples of spam campaigns that start in email moving onto social networks,” he explained.

Exploit kits and “Facebook cloaking tools” are being offered for sale in underground cybercrime marketplaces in much the same way that tools automating the process of email spamming have long been flogged, he added.

Google+ and LinkedIn have also attracted some malicious activity but the lack of software interfaces to automate message sending, and weak popularity in terms of sheer numbers of visitors, have made these less of a target for spammers than either Twitter or Facebook. Spam on Pinterest and Foursquare remains a nascent problem.

“It’s more dangerous than the early days of email spam because you get a link ostensibly sent to you by your friend or mum rather than a bank you don’t do business with,” Pao concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/06/social_network_spam/

Intel and McAfee unveil plans for unified security future

Intel and McAfee have been talking about the fruits of their merger and their plans for a cloud-to-computer security network that will be built into new systems.

Jason Waxman, general manager of Intel’s Cloud Infrastructure Group, said that over the last year or so he’d been inundated with questions about what Intel was going to do with McAfee since it lashed out $7.68bn for the security firm, during an industry-wide buying spree on cyber-security companies. Chipzilla’s been intentionally quiet on the subject, but was now ready to talk he said.

What Intel is planning is a cloud to desktop security strategy, mixing hardware and software features in a federated framework designed to make cloud computing safer, locking down the desktop and, coincidentally, giving IT managers another reason to specify Intel’s systems during the next upgrade cycle.

“I think, of the public cloud providers, there are many that are doing an excellent job at security,” he said. “In fact, when I look at how enterprises do they are as good if not better. But the reality is that there’s a perception of poor security.”

Intel wants to mate its Trusted Execution Technology (TET) that’s built into the Xeon E5 processor family with software controls from McAfee. The chipset will work with McAfee’s ePolicy Orchestrator to analyze networks and enforce policy while updating and protecting the larger environment.

The two companies also released a new antivirus tool for the cloud, dubbed McAfee Management for Optimized Virtual Environments AntiVirus. This seeks out malware and uses application controls to limit infection spread and downtime, while pushing out updates as and when. A connections manager also monitors data entering and leaving the datacenter for signs of infection.

At the user end Intel is linking in with features in the Core i3, i5 and i7 processor ranges to try and keep systems clean, and there’ll be some integration with the cloud systems, including a single sign-on mechanism.

Intel’s reaching out to the relevant standards organization to pull in other partners, and has announced talks with the Cloud Security Alliance and Open Data Center Alliance. El Reg suspects a lot of people will wait and see how the architecture stands up in the real world before jumping on board. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/05/intel_mcafee_cloud_security/