 1 
 on: July 23, 2010, 12:56:26 am 
Started by kros - Last post by kros
Slovenian police have arrested four suspects over allegations that they developed the Mariposa botnet malware.

The arrests follow a joint investigation between the FBI and Slovenian police and come after the earlier arrest of three suspects in Spain, who are charged with distributing Mariposa and using it to hack into online bank accounts. The alleged East European VXers are suspected of developing the software for the Spaniards, Slovenian news agency STA reports.

Investigators reckon Mariposa compromised 12.7 million Windows PCs worldwide. Spanish police recovered stolen bank and login credentials of 800,000 people from systems seized during the arrest of three local suspects.



Source: http://theregister.co.uk

 2 
 on: July 23, 2010, 12:55:35 am 
Started by kros - Last post by kros
An attack by hackers at 4chan on Gawker left the news blog intermittently unavailable on Wednesday.

4chan's denizens reportedly launched the attack in reprisal to a recent article on Gawker about the alleged harassment of an 11-year-old girl by users of the image board.

The DDOS assault on Gawker began on Tuesday and peaked around Wednesday lunchtime (EST).

Journalist Adrian Chen and editors at Gawker have also been at the receiving end of malicious spam and Facebook messages, some of which have been directed towards their families, the Atlantic Wire reports. One message, sent to an editor's wife, makes false claims that he is involved in an extra-marital affair.

Spam email, some containing porn, and threats to reveal personal information have also featured in the attack.

Gawker, whose site is running normally at the time of writing on Thursday, said the attacks were aimed at stopping it from writing about 4chan, a demand it shows no willingness to obey.

    Anarchic internet hangout 4chan sent a little more hate Gawker's way today, launching a denial of service attack against our website, spamming our email accounts and even trying to bother one staffer's spouse. All so we'd stop talking about them. Angry users of 4chan's notoriously freewheeling /b/ forum inundated Gawker Media's servers with traffic around 1:30 pm Eastern, reprising a similar distributed attack the prior day. The attack slowed down sites across the Gawker Media network, including Gawker.com, where the number of active users on the site fell sharply for approximately an hour before normal service was restored.

4chan is the birthplace of the long-running Anonymous campaign against the Church of Scientology, which also featured denial of service attacks during its early days. More recently, pranksters from 4chan took advantage of a vulnerability on YouTube to redirect surfers looking for Justin Bieber video clips to shock sites such as Goatse or false reports that the Canadian singer had died in a car crash.

Over the years 4chan has popularised many internet memes, such as lolcats and Rickrolling, among others.

Source: http://theregister.co.uk

 3 
 on: July 23, 2010, 12:50:38 am 
Started by kros - Last post by kros
Millions of household routers are susceptible to a flaw that creates a handy means for hackers to hijack surfing sessions or hack into home networks.

Craig Heffner, a researcher at security consultancy Seismic, is due to detail the flaw and release a proof-of-concept tool at the Black Hat conference in Vegas later this month. The DNS rebinding-related security flaw affects kit from Linksys, Belkin and Dell, among others.

DNS rebinding has been around for years. Heffner claims he has discovered a new variant of the theme, which initially involves luring a surfer into visiting a website containing malicious code. This code uses a "Jedi-mind trick" to circumvent the same-origin policy, thereby allowing JavaScript-based malware to penetrate private home networks supported by vulnerable hardware.

The sleight of hand discovered by Heffner involves establishing an attack site which runs malicious script that means a visitor's own IP address is presented as one of the site's alternative IP addresses, thereby granting a trusted status to a malign site. Modern browsers are designed to block earlier types of such attacks but not with this particular scenario, for reasons Heffner is due to explain at Black Hat.

The complex attack approach uncovered by Heffner involves either exploiting vulnerable routers or taking advantage of weak (default) hardware passwords, Forbes explains.

A description of Heffner's talk, entitled How to Hack Millions of Routers, on the Black Hat conference website, explains:

    Many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc, and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.


A full list of vulnerable networking kit can be found on Notebooks.com here. Notebooks.com also lists some sensible workarounds, such as downloading the latest firmware from manufacturers and using strong (hard to guess) passwords.



Source: http://theregister.co.uk
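The two checks a router vendor or home-network admin would want against the rebinding described above, as an added example that is not code from Heffner, the vendors named or the original article. It assumes a hypothetical admin interface reachable at the constructed addresses 192.168.1.1 and fd00::1 and the name router.local. The Host header check catches a rebound request to any address, including the victim's own public address that this variant presents as the attack site's alternative IP, because the browser still sends the attacker's hostname in Host; the resolver filter covers only the classic variant that rebinds a public name to a private address (the behaviour resolver options such as dnsmasq's --stop-dns-rebind provide).

```python
import ipaddress

# Constructed sample configuration for a hypothetical router admin interface.
ROUTER_ADDRESSES = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("fd00::1")}
ROUTER_HOSTNAMES = {"router.local"}
LOCAL_DNS_SUFFIXES = (".local", ".lan")   # names allowed to resolve to private addresses


def _split_host(host_header: str):
    """Return (host, port) from an HTTP Host header, handling the [IPv6]:port form."""
    host_header = host_header.strip().lower()
    if host_header.startswith("["):
        end = host_header.find("]")
        if end == -1:
            return None, None
        return host_header[1:end], host_header[end + 1:].lstrip(":") or None
    host, _, port = host_header.partition(":")
    return host or None, port or None


def host_header_allowed(host_header: str) -> bool:
    """Accept a request only if the browser believes it is talking to the router itself.

    A rebound request is sent to the router's address but carries the attacker's
    hostname in Host, so it fails this check regardless of which IP was rebound.
    """
    host, port = _split_host(host_header)
    if host is None:
        return False
    if port is not None and not port.isdigit():
        return False
    try:
        return ipaddress.ip_address(host) in ROUTER_ADDRESSES
    except ValueError:
        return host in ROUTER_HOSTNAMES


def filter_rebinding_answers(qname: str, addresses):
    """Resolver-side filter: drop private, loopback, link-local and unspecified
    answers for any name outside the trusted local suffixes."""
    qname = qname.rstrip(".").lower()
    if qname.endswith(LOCAL_DNS_SUFFIXES):
        return list(addresses)
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            continue
        kept.append(addr)
    return kept
```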

 4 
 on: July 23, 2010, 12:48:14 am 
Started by kros - Last post by kros
Windows Shortcut's zero-day attack code has gone public.

The development increases the risk that the attack vector, already used by the highly sophisticated Stuxnet Trojan to attack Scada control systems, will be applied against a wider range of vulnerable systems.

All versions of Windows are potentially vulnerable to the exploit.

Just viewing the contents of an infected USB stick is enough to get pwned, even on systems where Windows Autoplay is disabled. Maliciously-crafted Windows shortcut (.lnk) files might also be able to push malicious code through other attack routes left open by the vulnerability, such as Windows shares.

The SANS Institute's Internet Storm Centre has responded to the heightened threat by moving onto yellow alert status for the first time in years. "We believe wide-scale exploitation is only a matter of time," writes ISC handler Lenny Zeltser.

"The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far."

Microsoft has acknowledged the problem - and published workarounds designed to guard against attack - ahead of a possible patch. Going by previous form, and given the seriousness of the flaw and the number of platforms affected, Microsoft's security gnomes will have their work cut out to release a fix as part of August's Patch Tuesday, much less any sooner.

The Siemens SIMATIC WinCC SCADA systems specially targeted by the Stuxnet Trojan use hard-coded admin username / password combinations that users are told not to change. Details of these passwords have been available on underground hacker forums for at least two years, Wired reports.

Worse still, changing Siemens' hard-coded password will crash vulnerable SCADA systems, IDG reports. Siemens is in the process of developing guidelines for customers on how to mitigate against the risk of possible attack.

An overview of the vulnerability and its implications can be found in a blog posting by Rik Ferguson of Trend Micro here.

 5 
 on: July 23, 2010, 12:45:44 am 
Started by kros - Last post by kros
Two days after Mozilla sextupled the bug bounty paid to security researchers to $3,000, Google has upped the ante for vulnerabilities that are reported in its Chrome browser.

In a continuing play on elite hacker speak, Google will begin paying as much as $3,133.70 for the most critical bugs that are brought to its attention, the company announced Tuesday. Google began paying rewards in January with a sum of $1,337 for the most critical vulnerabilities. At the time, Mozilla was paying only $500 for the most serious flaws brought to its attention.

“It has been approximately six months since we launched the Chromium Security Reward program,” Google's announcement stated. “Although still early days [sic], the program has been a clear success. We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security.”

The bidding war is good news for private security researchers who frequently complain they are uncompensated when they warn software makers of serious bugs that imperil their users. That longstanding arrangement allows the companies to benefit off the work of others and creates a sense that they are entitled to the information, the researchers have said.

To date only a handful of software makers offer security bug bounties. They apply almost exclusively to open-source projects such as Mozilla's Firefox and Daniel J. Bernstein's djbdns. TippingPoint's Zero Day Initiative and VeriSign's iDefense also pay for vulnerabilities with fees topping out at about $10,000. The firms use the details to protect customers who subscribe to their services from the vulnerabilities before they're patched.

So far, Google has paid just one researcher the coveted $1,337 fee, while it has doled out six $1,000 payments and 15 $500 rewards, which are paid for reports of less severe bugs, according to this accounting. The company will continue to pay the lower amount for lower severity bugs, although it will consider offering higher bounties for “high-quality bug reports,” such as those that include “a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution.”




Source: http://theregister.co.uk

 6 
 on: July 20, 2010, 11:23:38 am 
Started by kros - Last post by kros
THE DUTCH COURTS charged with deliberating the future of the Pirate Bay website have decided to force it to block users in the Netherlands from its website.

The site operators were called to court by the Dutch anti-piracy group, Brein, which asked that the website be blocked.

They won the case and the Pirate Bay crew appealed. Now, according to a report on the Torrent Freak website, the appeal has finished and the site has been ordered to ban Dutch residents from it outright.

According to Torrent Freak, although the court could not find Pirate Bay guilty of copyright infringement, it did find that the website is encouraging the sharing of information about dubious material.

Should the website operators, Fredrik Neij, Gottfrid Svartholm and Peter Sunde, not comply they face fines of up to €50,000 per day.

This is not the first time that the Pirate Bay has been seen in court, and it's unlikely that it will be the last. In the meantime, the Bay publishes on its website a rogues' gallery of complaints and legal threats for your enjoyment.


Source: http://theinquirer.net/

 7 
 on: July 20, 2010, 11:21:04 am 
Started by kros - Last post by kros
Starting the 1st of this month, the Mozilla Foundation will reward users who discover and report security vulnerabilities in its software with $3,000 for each vulnerability. Until now the reward, distributed under the Mozilla Security Bug Bounty Program which launched in 2004, has been limited to just $500. Bug finders can now also look forward to receiving a free T-shirt as part of the scheme. Eligible security vulnerabilities must be remotely exploitable (over the web or a local network) and not previously have been publicly documented.

The campaign is limited to the latest version of Firefox, Thunderbird, Firefox Mobile and any other Mozilla service which could allow a hostile takeover of any of these applications. Bugs in third party software such as browser add-ons (also known as extensions) and plug-ins are not eligible.

To prevent dodgy dealings, developers who have contributed to a part of the source code containing a particular bug are excluded from the scheme, as are Mozilla staff members. Linspire and Mark Shuttleworth, the man behind Canonical and Linux distribution Ubuntu, have provided the initial capital for the scheme.

The increased value of the reward is a reaction to developments in the security industry. There has long been a market for previously undiscovered vulnerabilities. Not only are reputable security companies such as TippingPoint and VeriSign interested in them, but vulnerabilities also represent valuable assets for those with criminal intent.

Google has been following the example set by Mozilla since the start of this year and rewarding users who discover previously unknown security vulnerabilities with $500. In particularly serious cases, Google bumps the reward up to $1,337. However, Google is not (yet) offering T-shirts.



Source: http://h-online.com

 8 
 on: July 20, 2010, 11:18:56 am 
Started by kros - Last post by kros
POPULAR WEB SITES could be under threat as a security flaw once thought to be innocuous could leave user accounts wide open.

The threat, to be demonstrated at this year's Black Hat conference, is that a basic security flaw in the open source OpenID and OAuth libraries can lead to passwords being cracked. The two authentication libraries are used on numerous sites including Digg and Twitter.

The attack itself isn't new, but rather, the domain where it can be applied is. The method of attack, known as a 'timing attack', is hard to pull off as it generally requires exploitation of the authentication handshake in order to eventually crack passwords. Though primitive, it has been shown to work and apparently it's potentially effective even over the Internet.

In the past network latency was thought to have mitigated the threat of timing attacks over the Internet, however two researchers, Nate Lawson and Taylor Nelson, are going to show that isn't the case. In fact, the two are going to show that cloud-based hosting services like Amazon's EC2 are particularly susceptible to timing attacks.

The problem is more widespread than merely cloud services. Apparently interpreted languages, such as PHP, Perl, Python and Ruby, all commonly used in web development, provide a larger attack interface compared to compiled languages such as Assembler, C and Java. Lawson says that, "For languages that are interpreted, you end up with a much greater timing difference than people thought." It is that increased timing difference that can be exploited.

According to the pair the solution is almost trivial, in most cases requiring only six lines of code to be added to the affected libraries. All the code has to do, according to the researchers, is "Program the system to take the same amount of time to return [a result for] both correct and incorrect passwords."

As the libraries are open source, the race is on to implement the fix. We'd guess that the issue might be resolved with software patches, at least in some authentication systems, before the researchers present their talk at Black Hat.



Source: http://theinquirer.net
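The comparison pattern behind the timing leak and the "same amount of time for correct and incorrect" fix the researchers describe, as an added example that is not code from Lawson and Nelson or from the OpenID and OAuth libraries. Python is used because the article singles out interpreted languages; the functions return how many bytes were examined so the data-dependent work of the early-exit version is visible without timing measurements.

```python
import hashlib
import hmac


def naive_compare(expected: bytes, supplied: bytes):
    """Early-exit comparison of the kind found in the affected libraries.

    Returns (match, bytes_examined). The work done grows with the length of the
    matching prefix, which is the signal a remote timing attack measures.
    """
    if len(expected) != len(supplied):
        return False, 0
    for i, (a, b) in enumerate(zip(expected, supplied)):
        if a != b:
            return False, i + 1
    return True, len(expected)


def constant_time_compare(expected: bytes, supplied: bytes):
    """Examine every byte regardless of where the first mismatch is.

    Differences are accumulated into an integer with OR/XOR so no branch or loop
    exit depends on the secret. Returns (match, bytes_examined), which is always
    the full length for equal-length inputs.
    """
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b
    return diff == 0, len(expected)


def verify_signature(expected_sig: bytes, supplied_sig: bytes) -> bool:
    """The form a fixed library should use: hash both sides to fixed length so the
    comparison never short-circuits on a length mismatch, then compare with the
    standard library's constant-time primitive (hmac.compare_digest)."""
    return hmac.compare_digest(hashlib.sha256(expected_sig).digest(),
                               hashlib.sha256(supplied_sig).digest())
```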

 9 
 on: July 20, 2010, 11:17:55 am 
Started by kros - Last post by kros
Anti-virus specialists report that a new trojan is spreading via USB flash drives, apparently exploiting a previously unknown hole in Windows. According to analyses by Belarusian AV vendor VirusBlokAda, a copy of the trojan managed to infect a fully patched Windows 7 system (32-bit) without having to resort to such common auto-start tools as autorun.inf when a Flash drive carrying the trojan was plugged in. Instead of spreading through auto-start, the malware exploits a flaw in the code for processing short-cuts (.lnk files): Once the relevant icon is displayed in Windows Explorer, malicious code is launched without any further user interaction.

The trojan exploits this to install two drivers with rootkit functions designed to hide its subsequent activities within the system. Interestingly, both drivers are signed with a code-signing key by vendor RealTek and can, therefore, be installed on a system without triggering an alert. Only recently, AV vendor F-Secure pointed out that the amount of signed malware for Windows is increasing. In some cases, digital keys have even been stolen from developers.

An investigation by malware analyst Frank Boldewin has shown that this is not just any old trojan designed to harvest passwords from unsuspecting users. It appears that the malware specifically targets process control systems and their visualisation components. The trojan is, therefore, unlikely to spread on a large scale.

During his investigation, Boldewin came across some database queries the trojan made that point towards the WinCC SCADA system by Siemens. As Boldewin explained in an email to The H's associates at heise Security, a "normal" malware programmer wouldn't have managed to do that. Boldewin continued "As this Siemens SCADA system is used by many industrial enterprises worldwide, we must assume that the attackers' intention was industrial espionage or even espionage in the government area". Frank Boldewin is the author of the feature article "Episode 2: The image of death" in our "CSI:Internet" series.

Microsoft has been informed about the vulnerability, but appears to have problems with reproducing it. Andreas Marx of AV-Test says that every .lnk file is linked to the ID of the newly infected USB Flash drive. This means that the sample trojans found so far can't simply be started on an arbitrary Windows system – the malware will only start in the OllyDbg debugger after some modifications to the code.



Source: http://h-online.com

 10 
 on: July 20, 2010, 11:14:51 am 
Started by kros - Last post by kros
Mozilla has disabled and block-listed a Firefox add-on containing code that nabs login data sent to any website and reroutes it to a remote server.

The add-on — known as, um, Mozilla Sniffer — was uploaded to the Firefox add-on site on June 6, and the malicious code was discovered on Monday, after which the add-on was block-listed. This means netizens who installed the add-on will be prompted to remove it. Mozilla also says that, yes, anyone who has installed the add-on should change their web passwords tout de suite.


"If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location," Mozilla said in a Tuesday blog post, before adding that the remote server charged with collecting passwords appeared to be down.

According to Mozilla, the Sniffer was downloaded about 1,800 times, and as of Tuesday, there were 334 active users.

The add-on had not been reviewed by Mozilla. It was marked as "experimental", meaning that anyone who attempted to install it received a warning that the code had not been reviewed. Such unreviewed add-ons are merely scanned for viruses, trojans, and other malware.

Mozilla, however, is (slowly) developing a new security model designed to prevent unreviewed add-ons from being served to world+dog. "Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site."

The proposed model is described in detail here.

Mozilla also said it had discovered a security vulnerability in version 3.0.1 of a far more popular add-on known as CoolPreviews, which displays previews of webpages when you mouse over links. Version 3.0.1 and earlier versions have been disabled, and a patched add-on has been uploaded to addons.mozilla.org.

According to Mozilla, when the user mouses over a link, the add-on could execute remote JavaScript code with local chrome privileges, giving an attacker control over the user's machine. "If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution," Mozilla said.

About 177,000 users had a vulnerable version of the add-on installed as of Tuesday — less than 25 per cent of total users. Mozilla intends to block-list vulnerable versions "very soon."



Source: http://theregister.co.uk

Forum powered by SMF | © 2010 TriviaSecurity. All rights reserved.