Security News May 2011

Advanced Persistent Tweets: Zero-Day in 140 Characters

Interesting report on “a Chinese hacker” bragging about zero-day attacks.

Sony Online loses 12,700 credit card account numbers, 24.6 million accounts compromised [update]

A second hack has occurred.

Bruce Schneier’s TED talk on security trade-offs

Bruce always has an interesting view on security. This one discusses how we react and evaluate security.

Crimeware Kit Emerges for Mac OS X

“Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple’s Mac OS X operating system has appeared.”

Best Buy Suffers Second Email Breach

Epsilon hack victim’s customer emails exposed yet again — via a different vendor

“The Best Buy spokesman noted that the second breach was similar to that of Epsilon’s”

The X Factor hit by database breach, leading to quarter of a million personal details being stolen

“The personal details of 250,000 The X Factor hopefuls may have been compromised following a database hack. A Fox network spokesperson confirmed that no financial information was accessed”

Bin Laden Death Triggers Cyber Scams

As expected. There are many other links as well.

Five Biggest Recipients Of Corporate Tax Breaks Spent $8 Million In 2010 Elections (UPDATED)

GE is listed as one of the top 5 companies that received a tax break.

Other references regarding lobbying include

Sony notes deception in their attack

“Hirai went on to claim that the breach occurred at the same time as the DoS attack, which was not immediately detected because of its ‘sheer sophistication’ and because a ‘system software vulnerability’ was exploited.”

An example of deceptive hacking – Bruce

North Korea hackers blamed for bank crash in South

Michaels Stores reports PIN pad attack in Chicago, according to an email I just received.

Lastpass forces everyone to change their master password after a hack.

This may not be necessary, but the CEO felt it is best to be conservative regarding security. – Bruce

Scammers Swap Google Images for Malware

Homeland Security Demands Mozilla Remove Firefox Extension That Redirects Seized Domains

Latvian energy grid hacked? Chinese hacking group claims responsibility all details; keys, rules.

This is the URL to the bragging

The third Sony hack

Vulnerability in Skype exposes MacOS to worm

Congress Bans Scientific Collaboration with China, Cites High Espionage Risks

“The clause prohibits the White House Office of Science and Technology Policy (OSTP) and the National Aeronautics and Space Administration (NASA) from coordinating any joint scientific activity with China.”

Renren (China’s equivalent to Facebook) Changes Key User Figure Before IPO

“Chinese social-networking company Renren Inc., which is hoping to raise $584 million in a public listing on the New York Stock Exchange, revised a key user number in its prospectus, highlighting the murkiness of data in China’s high-flying Internet sector.”

Phishing Becomes More Sophisticated

“Organized cybercrime groups are using convincingly crafted emails to target high-level executives and employees within the organizations they want to attack. In many cases, the phishing emails are personalized, localized and designed to appear as though they originated from a trusted source. ”

Some pen test experts say they are 70% successful for each individual email. – Bruce

The hackers hacked: main Anonymous IRC servers invaded

OpenID warns of ‘psychic paper’ authentication attack

Baddies can modify cross-site personal data … though no one has yet

Vulnerabilities in Online Payment Systems

PayPal-based authentication flaw with third party

CS2: A Semantic Cryptographic Cloud Storage System

“This paper presents CS2, a cryptographic cloud storage system that provides provable guarantees of confidentiality, integrity, and verifiability without sacrificing utility. In particular, while CS2 provides security against the cloud provider, clients are still able to efficiently access their data through a search interface and to add and delete files. ”

Metasploit 3.7 Takes Aim at Apple iOS

“The Metasploit 3.7 release provides an enhanced session tracking backend that is intended to improve performance. Metasploit 3.7 also provides over 35 new exploit modules for security researchers to test, including new ones designed to test Apple’s iOS mobile operating system security”

Backtrack 5 released

BackTrack is an exploitation distribution. The maintainers said on Twitter that their server was hit by a DoS the night before. – Bruce

Google’s South Korea Office Raided over Location Privacy

“Google’s South Korean office was raided by police in that country over the use of location data in its AdMob mobile ad platform, which delivers ads on Android handsets and tablets.”

Breach at Michaels Stores extends nationwide. 70 hacked PIN pads found in stores from DC to West Coast

Facebook Applications Accidentally Leaking Access to Third Parties

Unpatched DLL bugs let hackers exploit Windows 7 and IE9, says researcher

Problematic Certificates

Nothing new – just a discussion of the problem with certificates

Two Zero-Day Flaws Used To Bypass Google Chrome Security

French researchers say they hacked their way out of the browser’s sandbox and bypassed DEP and ASLR

Google responds

NASA, Stanford Hacked by Software Scammers

Shady online salesmen offering cheap Adobe software have hacked into several Web pages belonging to NASA and Stanford University.

Database of Fox Employees’ Passwords and Emails Leaked

Finally, source code of ZeuS Botnet Version: available for download!

Security Fixes for Microsoft Windows, Office

“Microsoft issued just two updates today to fix at least three security flaws in its Windows and Microsoft Office products, a merciful respite following last month’s record-setting patch push. One of the patches issued today earned a critical rating, the company’s most serious.”

Preventive and protective measures against insider threats in nuclear facility

Facebook worm with cut-and-paste JavaScript

Businesses Need to Look at Security as a Military Operation

“Businesses need to look at security as a military exercise and can benefit from strategies that have proved useful in battle, a former military security expert told an Interop audience this week”

Exposing the Lack of Privacy in File Hosting Services

File hosting services like RapidShare appear to provide an obscure and secret way to exchange files. Not so. The URLs are guessable, and they are being actively examined by third parties.

ActiveX Flaw Affecting SCADA systems

“If you are running a power plant, a refinery or any other system using ICONICS’ GENESIS32 and BizViz software […] please patch your plant.”

Server Said to Have Been Used in Sony Network Attack

Not surprising, as a stolen credit card can be used to create untraceable accounts.

Critical Flash Player Update Plugs 11 Holes

Final Fantasy maker Square Enix hacked

Hackers have broken into two websites belonging to Japanese video games maker Square Enix.

Pentesting Vulnerable Study Frameworks Complete List

Useful list of tools and links for pentesters – Bruce

More details and theories on the Sony PSN hack

And then it came up, and went down again.

Review of various password managers

KillerBee is an exploitation framework for 802.15.4/ZigBee sensor networks

Stuxnet: How It Happened

The paper’s recommendations:

* Prevent unauthorized media

* Use host-based firewalls to disable P2P protocols

* Use Tripwire, etc. to detect unauthorized changes

Qakbot Virus Causes Possible Data Breach at Mass. Agencies

“An untold number of computers at the Massachusetts Department of Unemployment Assistance and Department of Career Services were compromised in April, leading state officials to warn hundreds of thousands of people that their personal information may have been stolen as part of the attack.”

Code wars

CNBC’s “Code Wars”, hosted by Melissa Lee, takes you onto the frontlines of the war on cyber. Cyber attacks are almost impossible to trace, making cyber crime and acts of cyber warfare the ultimate anonymous crime. So how do we protect our systems whose components are largely manufactured abroad? Can our nation’s infrastructure be protected from cyber attacks? And how can the U.S. win a war in which conventional rules of combat do not apply? CNBC tackles the tough questions in “Code Wars: America’s Cyber Threat.”

TV show is Thursday May 26th

Hack Targets NASA’s Earth Observation System

A hacker is claiming that a security hole in a server at NASA’s Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief.

Executives underestimate cybercrime danger

“However, Ernst & Young found a remarkable contradiction in its poll. While 94 percent of those leaders surveyed talked about the growing danger of cybercrime, 38 percent said they thought the threat to their own firm was rather small.”

SCADA hack talk canceled after U.S., Siemens request

A security researcher cancelled his talk at the request of DHS and Siemens.

And the related post:

Siemens working on vulnerability that threatens critical infrastructure

Hackers attack Norwegian Defense

U.S. Infrastructure Is Vulnerable to Cyber Attack, but No One Will Do Anything

Protecting Your Industrial Control System from Zero-Day Attacks

NIST publishes BIOS recommendations

Sony hacked again/Phishing

Hackers Infiltrate Sony So-net Subsidiary, Steal $1,125 in Points

“To So-net’s credit, whatever security system the company employs for its point system did manage to hold for quite a bit of time. That, or the hackers really had no other strategies other than what appears to be a brute-force attack on accounts. It allegedly took the attackers more than 10,000 different attempts before they were finally successful in accessing So-net’s system.”

Sony BMG Greece the latest hacked Sony site

This makes the 7th attack on Sony. – Bruce

Common Vulnerability Reporting Framework

Cyber-security legislation sent to Congress by President

and another view:

Congress Just Sold You Out: Leadership Plans To Extend Patriot Act For Four Years With NO Concessions

Credit processors targeted in fight against spam

“The researchers have discovered that the vast majority (95 per cent) of the credit card payments to unlicensed pharmaceutical sites are handled by just three payment processing firms – based in Azerbaijan, Denmark and Nevis, in the West Indies, respectively.”

There is also a 16-page paper “Click Trajectories: End-to-End Analysis of the Spam Value Chain” referenced

Researchers find irreparable flaw in popular CAPTCHAs

Decaptcha pierces, Yahoo!, Digg

“Decaptcha is a two-phase audio-CAPTCHA solver that correctly breaks the puzzles with a 41-percent to 89-percent success rate on sites including eBay, Yahoo, Digg,, and Microsoft’s The program works by removing background noise from the audio files, allowing only the spoken characters needed to complete the test to remain.”

The creator of the “Great Firewall of China” was pelted with shoes

“While many of China’s estimated 477 million internet users appear largely indifferent to the firewall because they use almost solely domestic sites and services, a growing number of young people are frustrated by curbs that not only prevent them accessing foreign news and social media sites, but increasingly make it hard or even impossible to use apparently uncontroversial sites, such as the Internet Movie Database (IMDb).”

Google notes that SSL False Start negotiation increases HTTPS connect time by 30%

Google has been verifying this in their Chrome browser.

9th attack on Sony

False Positives – The Dirty Secret of the Web Security Scanning Industry

When using automated tools to test a web application for security, there are a large number of false positives which must be manually and tediously examined. If the skill of the white hat pen tester is limited, they may overlook real vulnerabilities by assuming they are false positives.

AlienVault announces a SCADA SIEM (Security Information and Event Management)

A demo is coming soon. AlienVault had a VM image of their original SIEM that was impressive.

Senate debates president’s power during cyber-attack

“The Senate Homeland Security and Governmental Affairs Committee held a hearing on the administration’s legislative proposal, announced two weeks ago, that would rely on a pre-World War II radio emergency law to provide the president with authority to protect key computer and communication networks — like those mainly in private hands that run power grids, phone systems and banking services — from a cyber-attack.”

More news about the SCADA/Siemens hack that was cancelled at the last minute

For the next two days speculation swirled as to whether DHS weighed in with a heavy hand to pull the talk, or if Siemens threatened legal action against the security firm. “That’s not what happened here,” says Vik Phatak, chief technology officer at NSS Labs. “Siemens found out, near the last minute, that the mitigation they had planned didn’t work. It could be bypassed,” Phatak says.

The exploits are ready to be released into the Metasploit framework.

Hotmail Exploit Has Been Silently Stealing E-mail

The latest news is there has been a nasty bug in Hotmail for a while that has been actively exploited allowing malicious senders to snoop on e-mail and even add forwarding rules to the victim account.

Negative reaction to Siemens over the way they responded to the discovery of security flaws in their SCADA equipment.

UPDATE 2-U.S. government warns about Siemens security flaw

“But a spokesman for Siemens denied any fault, saying company officials are in a better position to assess potential security risks than researchers from an outside firm.”

I think this is a grave error on Siemens’ part, because it erodes confidence in their company – especially their denial of any problem.

Bruce Schneier discusses this here

I believe each company should have a “dry run” exercise to see how they will handle such an event. All public statements regarding security should be carefully managed, to prevent a public relations disaster. There should be a policy, and everyone should know what that policy is.

Vulnerabilities on Cisco Device

Cisco network equipment is still vulnerable to a single security flaw nearly two years after the company issued a patch, according to an analysis of network scans by Dimension Data for its 2011 Network Barometer Report.

I haven’t been reporting this, but Apple malware has been in the news. First an iOS malware generation package was released, along with Mac OS plugins for Metasploit, which makes writing malware for iOS easier. Next, Mac users have been tricked into installing malware named “Mac Defender”, masquerading as an anti-virus package. Apple, as a matter of policy, refuses to tell infected users how to remove the malware. Now Apple is issuing an OS update, but the malware authors are modifying the malware to defeat Apple’s response.

And now a Russian company has released a toolkit to decrypt Mac OS’s full disk encryption

And now we know more about the people behind the Mac Defender malware: ChronoPay

Bank of America Breach

An insider employee leaked personal account information that cost $10 million in damages. They have arrested 95 suspects, and apparently it took a year before BofA told their customers that thieves had been siphoning money from the customers’ bank accounts.

Microsoft finds 427K email addresses on knocked-out Rustock server

US-CERT has released Common Cybersecurity Vulnerabilities in Industrial Control Systems

Vendor backdoors in Siemens, HP, and Allied Telesis

Lockheed network hit by major disruption: sources

Congress approves extension of USA Patriot Act provisions

This entry was posted in Hacking, Politics, Security, Technology. Bookmark the permalink.
