BREAKING

Yet another example of why learned helplessness (relying on vendors for the “only” solution to a bug in their product) is bad. So there’s a patch that everyone thinks solved everything, and what we see is that those who can work with a POC are able to change a few things and BOOM! The bug is actually STILL THERE. Of course, thanks to non-disclosure, only the bad guys are figuring this out.
Recently, we also found very frequent, targeted attacks making use of the patched (not completely) TIFF vulnerability (CVE-2010-0188).
What is interesting is that these exploits insert the JavaScript as well as a crafted TIFF (exploit.tif) into an XML form, and generate the malicious PDF with Adobe LiveCycle ES. The JavaScript is embedded within the form, and there it is not detected by AV.
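Since the point above is that the JavaScript and the TIFF travel inside the XFA form rather than in the usual PDF /JS objects, a scanner has to inflate the form streams and look there. The following is an added example, not code from the original post or from any AV vendor: it walks raw PDF bytes, inflates FlateDecode streams, and flags an /XFA form, XFA `<script>` elements with an x-javascript contentType, and TIFF magic (raw, or base64-encoded on the assumption that the image data starts at byte 0 of the `<image>` element). The sample PDF it builds is constructed test data, not a real exploit file.

```python
"""Heuristic scanner for PDFs that carry JavaScript and TIFF data inside an XFA form.

Added example (not from the original post): walks the raw PDF bytes,
inflates FlateDecode streams, and reports the indicators discussed above.
"""
import base64
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
XFA_KEY_RE = re.compile(rb"/XFA\b")
PDF_JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
XFA_SCRIPT_RE = re.compile(
    rb'<script\b[^>]*contentType\s*=\s*"application/x-javascript"', re.I)
# Raw TIFF magic, and the same magic as it appears once base64-encoded
# (assumption: the encoder started at byte 0 of the TIFF header).
TIFF_RAW_RE = re.compile(rb"II\*\x00|MM\x00\*")
TIFF_B64_RE = re.compile(rb"SUkqA|TU0AK")


def _inflate(body):
    """Return the inflated stream body, or None if it is not zlib data."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return None


def scan_pdf(pdf):
    """Return a sorted list of indicator names found in the PDF bytes."""
    findings = set()
    if XFA_KEY_RE.search(pdf):
        findings.add("xfa-form")
    if PDF_JS_RE.search(pdf):
        findings.add("pdf-javascript-key")
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        # Check both the raw body and, where it inflates, the decoded XML.
        for blob in (raw, _inflate(raw)):
            if blob is None:
                continue
            if XFA_SCRIPT_RE.search(blob):
                findings.add("xfa-embedded-javascript")
            if TIFF_RAW_RE.search(blob) or TIFF_B64_RE.search(blob):
                findings.add("tiff-in-form")
    return sorted(findings)


def build_sample_pdf(with_script=True):
    """Construct a minimal PDF with a compressed XFA stream (test data only).

    The TIFF is just an 8-byte little-endian header, not an image, and the
    script is a harmless alert; both exist only to exercise the scanner.
    """
    tiff_header = b"II*\x00\x08\x00\x00\x00"
    script = (b'<script contentType="application/x-javascript">'
              b"app.alert('hello');</script>" if with_script else b"")
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
           b"<template><subform><field><event activity='docReady'>"
           + script +
           b"</event></field><draw><value><image contentType='image/tif'>"
           + base64.b64encode(tiff_header) +
           b"</image></value></draw></subform></template></xdp:xdp>")
    body = zlib.compress(xfa)
    return (b"%PDF-1.6\n"
            b"1 0 obj << /Type /Catalog /AcroForm << /XFA 2 0 R >> >> endobj\n"
            b"2 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    print("sample with script:", scan_pdf(build_sample_pdf()))
    print("sample without script:", scan_pdf(build_sample_pdf(with_script=False)))
```

This is a triage heuristic, not a parser: it ignores object streams, other filters and split /XFA arrays, so a clean result means only that the simple indicators were absent, while any hit is worth opening the form XML by hand.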

I just love how Zeus now gets credit for beating “multi”-factor authentication when in fact what Zeus beat was the bank’s crappy implementation of multi-factor authentication or, in other cases, the snake-oil JavaScript sold as “multi”-factor. The only case I am aware of where real, true multi-factor authentication has been “defeated” is where the criminals called the victim and had the victim read the numbers off their SecurID. That’s like “defeating LoJack” by conning someone into “loaning” you their car.
So now the snake oil salesmen have done more damage than simply putting a fake cure out on the market – they’ve gone and placed a stigma on the only real solution going today. Now, rather than pushing forward into true multi-factor authentication, we’re sitting here as if the direction were unclear. One more time: you don’t trust the Internet, so you use SSL from point to point; you don’t trust the PC, so you extend that tunnel all the way to the smart card in the level 3 reader (the one with the PIN pad).
…”It seems all kinds of authentication methods were being defeated,” Nelson said. “You can't rely on any one control when it comes to these new sophisticated attacks.”
The Zeus Trojan, which cybercriminals have used to steal banking credentials, has the ability to circumvent two-factor authentication. Zeus botnets target small and midsize businesses that originate ACH and wire transfers, Nelson said.
via FDIC: ACH fraud losses climb despite drop in overall cyberfraud losses | HostExploit News.
A pretty ballsy attack here. We’ve long been afraid of backdoors being added to vendor source code, be that OS or firmware, in the form of an environment variable, secret user accounts, or even the more subtle route of intentional “bugs”. But a standard botnet worm spreading to PCs through phones “right out of the box”? Not very subtle, as we can see from how quickly this was discovered and analyzed. Seems like just another vector for the Spanish botnet recently shut down and reported on in HNNCast. The real news here is that unlike P2P, USB and HTML links, THIS vector demonstrates a compromise of Vodafone deep enough inside to actually alter shipping product. What we DON’T know yet is whether this is related to a recent Vodafone website compromise, an unrelated Internet compromise, a physical break-in, an attacker getting “the right job”, or what. We think this will become an interesting story as the details get filled in.
Following Energizer’s acknowledgment last week that it had been distributing infected software in conjunction with its DUO USB charger comes a report that malware has been found on a Vodafone HTC Magic running Google’s Android OS.
The malware in question includes code to create a Mariposa bot, the Conficker worm, and trojan software designed to steal passwords from the game Lineage.
via Mariposa Botnet Malware Found On Vodaphone HTC Magic — InformationWeek.
This guy should be the poster child for anyone who thinks they have a security solution for the Internet. Unless you’ve been doing this for years and have a broad perspective, you might be confident enough to think your solution “tightens everything up” when in fact all you’ve done is “move things around a little bit”. Security is not like functionality – but this guy was so sure that they offered a “guarantee” and put his info up on billboards and in commercials. Suddenly, the genius is the fool.
LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.
In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.
“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.
Microsoft Security Intelligence Report volume 7 (January - June 2009)
tan : March 8, 2010 2:45 am : Breaking News
Every 6 months MS publishes this report. Great graph on pg 52 showing infections by MS OS strain. Looks like XP SP3 vs. Vista is a matter of diminishing returns compared with what you get from applying SP3 to any other XP strain. Plenty to read here, right down to an analysis of what users do with Windows Defender warnings (Ignore/Allow/Prompt/Quarantine/Remove) and why. It seems users mostly remove or ignore, depending on whether the risk is presented as high (almost 80% remove) or low (just over 70% ignore).
LOL – available in PDF format.
Volume 7 of the Microsoft® Security Intelligence Report provides an in-depth perspective on malicious and potentially unwanted software, software exploits, security breaches and software vulnerabilities (both in Microsoft software and in third-party software). Microsoft developed these perspectives based on detailed analysis over the past several years, with a focus on the first half of 2009.
via Download details: Microsoft Security Intelligence Report volume 7 (January – June 2009).
EMC and “secure” in the same press release? HA! I guess Solera didn’t bother to check HNN’s Stack of Shame – TippingPoint’s list of all the unfixed security bugs reported through the Zero Day Initiative. If they had, maybe they would realize that IBM, HP and EMC are competing for most INsecure in the software industry.
Solera Networks, a leading network forensics products and services company today announced its partnership with EMC Corporation, a worldwide leader in flexible, scalable, and secure information infrastructures…
…
We developed a theoretical attack to the RSA signature algorithm, and we realized it in practice against an FPGA implementation of the system under attack. To perpetrate the attack, we inject transient faults in the target machine by regulating the voltage supply of the system. Thus, our attack does not require access to the victim system’s internal components, but simply proximity to it.
via Security-Shell: Fault-Based Attack of RSA Authentication.
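The quoted abstract does not say how a glitch in the signing hardware turns into a key leak, so here is the classic illustration, added as an example that is not the paper’s own technique or code: the paper glitches the supply voltage of an FPGA implementation, while this script simulates a transient fault in software by corrupting one half of a textbook RSA-CRT signature (the Boneh, DeMillo and Lipton fault model, an assumption about the mechanism rather than a claim about the paper). The key parameters are small constructed values. The part a defender should take from it is the last function: a device that verifies its own signature with the public key before releasing it never emits the faulty value the attack needs.

```python
"""RSA-CRT signing with a simulated transient fault, and the check that stops it.

Added example, not from the paper quoted above. The fault is simulated as a
single corrupted half-computation (classic CRT fault model); the paper itself
induces faults by glitching an FPGA's supply voltage.
"""
from math import gcd


class FaultDetected(Exception):
    """Raised when a computed signature fails self-verification."""


def toy_rsa_key():
    """Small fixed parameters, constructed for illustration (far too small for real use)."""
    p, q = 104729, 104723          # both prime
    e = 65537
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return {"p": p, "q": q, "n": n, "e": e, "d": d,
            "dp": d % (p - 1), "dq": d % (q - 1),
            "qinv": pow(q, -1, p)}  # Garner recombination constant


def crt_sign(m, key, fault_in_p=False):
    """Textbook RSA-CRT signature of the integer m (no padding).

    With fault_in_p=True the mod-p half is corrupted by one bit, standing in
    for a glitch that hits one of the two exponentiations.
    """
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault_in_p:
        sp ^= 1                    # simulated transient fault
    h = (key["qinv"] * (sp - sq)) % key["p"]
    return sq + h * key["q"]


def recover_factor(faulty_sig, m, key):
    """What one faulty signature leaks: gcd(S'^e - m, n).

    S' is still correct mod q but wrong mod p, so the gcd is exactly q.
    """
    return gcd(pow(faulty_sig, key["e"], key["n"]) - m, key["n"])


def safe_sign(m, key, fault_in_p=False):
    """The countermeasure: verify with the public key before releasing anything."""
    sig = crt_sign(m, key, fault_in_p)
    if pow(sig, key["e"], key["n"]) != m % key["n"]:
        raise FaultDetected("signature failed self-check; withholding output")
    return sig


if __name__ == "__main__":
    key = toy_rsa_key()
    msg = 123456789
    good = crt_sign(msg, key)
    bad = crt_sign(msg, key, fault_in_p=True)
    print("correct signature verifies:", pow(good, key["e"], key["n"]) == msg)
    print("factor leaked by one faulty signature:", recover_factor(bad, msg, key))
    try:
        safe_sign(msg, key, fault_in_p=True)
    except FaultDetected as exc:
        print("countermeasure:", exc)
```

The self-check costs one public-key exponentiation per signature, which is cheap next to the private-key operation; implementations that skip it, or that compute the check with the same faulted intermediate values, are the ones where a single glitched signature is enough.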
HNN DOES NOT ENDORSE THESE NEWS ARTICLES AS VALID. WE SIMPLY AGGREGATE THE MOST INTERESTING HACKER RELATED NEWS STORIES OF THE DAY IN HOPE OF LETTING THE COMMUNITY SHAPE THE VIEWS THAT GO INTO HNNCAST. FEEL FREE TO LEAVE RESPONSES ON ANY STORY.