If you are a user of the messaging software Skype, you know that you can see the location of your contacts in the Skype interface. What you probably do not know is that there is currently a way to display a Skype user’s remote and local IP address as well.
A script has been uploaded to Github that offers these options. According to the page, it can be used to lookup IP addresses of online Skype accounts, and return both the remote and the local IP of that account on a website.
This blog post reveals how the script works. It basically starts an add a Skype contact request but does not complete it. The log file will display the local and remote IP of that Skype user, even if the user is not added to the list of contacts in Skype.
The script is for instance available on this site. Just enter the user name of a Skype user, fill out the captcha, and click the search button to initiate the lookup. You will receive the user’s remote IP and port, as well as the local IP and port.
This works only if the Skype user is online at the time of the lookup, and not if the user is offline. The IP address can reveal the user’s country of origin, and maybe even the town or district. This can be done with the help of tools such as this one. Just enter a public IP address in the form, and you will receive information about the provider of the IP address.
You can also use a tool like IP on Map to display the real world location of an IP address on a map.
We Reported a 0-Day Vulnerability in Hotmail, which allowed hackers to reset account passwords and lock out the account's real owners. Tamper Data add-on allowed hackers to siphon off the outgoing HTTP request from the browser in real time and then modify the data. When they hit a password reset on a given email account they could fiddle the requests and input in a reset they chose.
Microsoft spokesperson confirmed the existence of the security flaw and the fix, but offered no further details: “On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected.”
Later Today another unknown hacker reported another similar vulnerabilities in Hotmail, Yahoo and AOL. Using same Tamper Data add-on attacker is able to Reset passwords of any account remotely. This is somewhat a critical Vulnerability ever exposed, Millions of users can effected in result.
Instructions on how to exploit an unpatched Oracle Database Server vulnerability in order to intercept the information exchanged between clients and databases were published by a security researcher who erroneously thought that the company had patched the flaw.
In an email sent to the Full Disclosure mailing list on April 18, Koret revealed that the vulnerability is located in the Oracle TNS Listener, a component that routes connections from clients to Oracle database servers depending on which database they are trying to reach.
TNS Listener has a default feature, introduced in 1999, that allows clients to register a database service or database instance remotely without authentication, Koret said.
The client sends a remote registration request to the TNS Listener and defines a new service name, its IP address, the database instances under it, and other settings. The TNS Listener then starts routing all client requests that include that service name or database instance.
However, TNS Listener also allows the remote registration of a database instance or service name that is already registered, Koret said. "The TNS listener will consider this newer registered instance name a cluster instance (Oracle RAC, Real Application Clusters) or a fail over instance (Oracle Fail over)," he said.
British web hosting outfit UK2.NET was on the business end of a distributed denial-of-service attack last night that took down customers' websites.
The company's chief operating officer, Martin Baker, told The Register that UK2 had never seen a DDOS attack on this scale before.
"There was a botnet attack last night on our DNS servers. It was intermittent for people so they might see some sites up or down depending on when they're making the requests for pages," he explained. "We saw around 10 million apparently unique IPs attack us."
UK2 saw the peak of the attack at around midnight although customers first started seeing problems with their websites yesterday afternoon.
"We took various actions to trace this back to the IP addresses that they were attacking from so once we identified that we were able to put in mitigating activities to reduce it down and managed to get it off our network by about 3am," Baker said.
"The scale [of the attack] just took us longer than usual to mitigate," he added.
This isn't the first time UK2 has fended off a DDoS attack as the company is seen as a prospective target due to its size, Baker said. He added that customer websites might still be having problems today, but it should all be cleared up by late tonight.
"The way that DNS works is that it's cached elsewhere across the internet so it will take the time that it takes those servers to get refreshed by the internet [to totally clear up], so it could take up to 24 hours for it to refresh all the way through," he said.
Punters had, of course, taken to Twitter to express their outrage as their websites fell off the net, although not in large numbers. Some complained that UK2's service status page wasn't kept up to date.
The most harmful websites in terms of risk from malware infection aren’t, as you might imagine, pornography, but rather religious sites, according to Symantec’s Internet Security Threat Report.
The average number of threats found on religious sites was 115 (mostly fake antivirus software). By contrast, pornographic sites had less than a quarter, at around 25 threats per site. Of course, the number of pornographic sites is vastly greater than religious sites.
According to Greg Day, Symantec’s security CTO for Europe, the Middle East and Africa, while trojans may seem more serious, “if you have installed fake AV you may think you are protected, when in reality you are open to all sorts of attacks.”
Reports about malware infection produced by companies that sell anti-malware software are always going to have an inherent conflict of interest. That said, Symantec’s report, the 17th, has established itself as authoritative within the industry.
Otherwise, the report confirms mostly what we already know:
The threat to mobile devices, almost exclusively on Android, continues to grow, although tiny compared to the PC threat. There are 403 million PC threats, and about 4,000 on mobile.
Targeted attacks are no longer limited to large organizations. Some 50% of such attacks target organizations with fewer than 2,500 employees, and almost 18% target companies with fewer than 250 employees.
Spam is down, largely due to the closure of a Russian spam network, by 20%. However, malware attacks via social networks are up.
The threat overall has continued to grow hugely, mainly due to the commoditization of malware. There was an 81% increase in malicious attacks compared with a year earlier. The number of unique malware variants increased to 403 million.
Mr. Day drew attention to the increased threat to small and medium enterprises from persistent attacks. “When Stuxnet was uncovered in 2010 we saw about three targeted attacks that year. We are now seeing on average 94 a day, and in December 2011 that figure was 154 a day,” he said.
He said there was a misconception that it is senior executives who were targeted. “We are seeing a lot more attacks against people in sales, or HR.” Likewise, the purpose of the attacks is changing. “They could be going for IP, customer contacts, prices and future plans. It is easier to steal than to innovate.”
During a presentation at the B-Sides Conference in London on Wednesday, Robert McArdle, a senior threat researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks. The new features in HTML5 – from WebSockets to cross-origin requests – could send tremors through the information security battleground and turn the likes of Chrome and Firefox into complete cybercrime toolkits.
Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.
Additional dangers involve social engineering using HTML5's customisable pop-ups that appear outside the browser to fool users into believing the wording on an alert box. More convincing phishing attacks can be created using the technique, McArdle said.
"The good stuff in HTML5 outweighs the bad," he added. "We haven't seen the bad guys doing anything bad with HTML5 but nonetheless it's good to think ahead and develop defences."
Kaspersky Lab, which released its March 2012 spam report, shows that spam volumes from the total e-mail reduced 3.5% during March 2012 over the previous month of February 2012.
The new spam study reveals that the twenty greatest sources of junk e-mails continued to be same in March 2012, with the same countries as of February 2012 occupying the foremost 6 positions although South Korea and Vietnam interchanged ranks -the latter coming 4th and the former coming 5h.
Maria Namestnikov, security researcher at Kaspersky Lab explained that the first 3 ranks went to India (12.3%), Indonesia (7.5%) and Brazil (6.7%). While spam rates might've declined, the menace continued as severe as before with junk e-mail distributors adopting more-and-more refined techniques of scam, she said. Kaspersky.com published this dated April 19, 2012.
Besides, according to Namestnikov, it was ever-since the Calicos/Hlux network-of-bots' latest version got dismantled that the spam rates declined. During March 2012, Kaspersky Lab in combination with companies namely Dell SecureWorks, CrowdStrike, alongside HoneyNet Project dismantled the Kelihos.B botnet.
The spam study thereafter reveals that the topics most commonly utilized within the spam campaigns all through March 2012 related to Easter, St. Patrick's Day as also iPad3's recent launch.
Of the several spam campaigns related to St. Patrick's Day, security company Kaspersky states that the spammers, for acquiring the notice of e-mail recipients, resort to partner programs that abuse any holiday, celebration or same kind of event. Within the current example, it's Leprechaun-festooned spam websites, which present counterfeit designer watches.
The bulletin rated the severity as “Critical,” based on this description:
A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values “+++)-“. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.
The bulletin says Microsoft fixed the vulnerability on April 20, 2012. The more detailed timeline puts the Vendor Fix/Patch date one day later:
2012-04-06:Researcher Notification & Coordination
2012-04-20:Vendor Notification by VoIP Conference
2012-04-26:Public or Non-Public Disclosure
During at least part of that two-week gap, the vulnerability was widely exploited, one source says.
Philippine government websites are under heavy attack from hackers, apparently from China, amid a tense territorial dispute between the two countries in the South China Sea, officials said Thursday.
While some Philippine hackers have reportedly launched retaliatory attacks, the government appealed to them for restraint, said Roy Espiritu, spokesman of the government's information technology office.
"We've actually detected several attacks, including attempts at distributed denial of service," he said, in which a hacker infiltrates computers with which to attack a single target, such as a website, forcing it to shut down.
"They (hackers) are probing into different (Philippine) government domains so we can't say how many attacks there are. But it is a lot," Espiritu told AFP.
"The signatures (of the hackers) indicate they are from Chinese networks."
Espiritu conceded this could be a ruse and the attacks may have actually originated from other sources.
But he said all the attacks came after Philippine ships faced off with Chinese patrol vessels in April 8 in the disputed Scarborough Shoal in the South China Sea. Before that, there had been no such attacks.
The Chinese vessels initially prevented the Philippine Navy from arresting alleged Chinese poachers in the area. The stand-off is continuing.
The mobile carriers industry trade group, CTIA–The Wireless Association, is objecting to a proposed bill that would require the police to produce a warrant if it wants access to location data on people's mobile phones.
CTIA are calling the legislation "unduly burdensome" to say no to police who arrive without warrants.
The proposed law also states that carriers must publish reports showing the number of disclosures they've made in a given calendar year, including:
how many times each wireless provider disclosed information (and how many times it didn't)
how many times the carrier contested data demands
how many users' data were disclosed.
And this report is to published on the internet by the following April.
On April 12, the CTIA wrote [PDF] to the bill's sponsor, State Senator Mark Leno, saying that CTIA opposes the proposed legislation due to "serious concerns":
"These reporting mandates would unduly burden wireless providers and their employees – who are working day and night to assist law enforcement to ensure the public’s safety and to save lives."
… and that the legislation would "confuse" them.
For example, an issue the carriers would find confusing is the definition of "location information." CTIA say that it is "so sweeping" that it could overlap basic subscriber information:
"Since the implications of this definition are unclear, wireless providers will have difficulty figuring out how to respond to requests for such information. It could place providers in the position of requiring warrants for all law enforcement requests."
Ars Technica's Cyrus Farivar, for one, is confused about why the CTIA is confused.
Importantly, however, some agencies do obtain warrants, showing that law enforcement agencies can protect Americans' privacy while also meeting law enforcement needs.' In short, it seems like law enforcement can stay within the law, even when it takes the trouble to get a warrant—how is that confusing?"
Regarding the cost and labour involved in putting up reports that tell the public how they are releasing our information: well, if it's really all that costly to the poor, cash-strapped wireless providers, perhaps it's time for them to increase the fees they charge law enforcement agencies for the all-you-can-eat buffet of data they provide.
In a sneak attack, the vote on CISPA (America's far-reaching, invasive Internet surveillance bill) was pushed up by a day. The bill was hastily amended, making it muchworse, then passed on a rushed vote. Techdirt's Leigh Beadon does a very good job of explaining what just happened to America:
Previously, CISPA allowed the government to use information for "cybersecurity" or "national security" purposes. Those purposes have not been limited or removed. Instead, three more valid uses have been added: investigation and prosecution of cybersecurity crime, protection of individuals, and protection of children. Cybersecurity crime is defined as any crime involving network disruption or hacking, plus any violation of the CFAA.
Basically this means CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information it collects under CISPA for the purposes of investigating American citizens with complete immunity from all privacy protections as long as they can claim someone committed a "cybersecurity crime". Basically it says the 4th Amendment does not apply online, at all. Moreover, the government could do whatever it wants with the data as long as it can claim that someone was in danger of bodily harm, or that children were somehow threatened—again, notwithstanding absolutely any other law that would normally limit the government's power.
Lawmakers voted to reject a motion to recommit by Rep. Ed Perlmuttter, who sought to add language specifying that nothing in the bill could be construed to allow employers and the government from mandating that employees and job applicants disclose confidential passwords without a court order. The defeated motion also would have added language saying that nothing in the bill could allow the government from blocking access to the Web through “the creation of a national Internet firewall similar to the ‘Great Internet Firewall of China.'
Security researchers are warning about the risk posed by an embarrassing security hole in industrial control software by the firm RuggedCom. A hidden administrative account could give remote attackers easy access to critical equipment that is used to manage a wide range of critical infrastructure, including rail lines, traffic control systems and electrical substations.
The undocumented backdoor account was first revealed on Monday in a post to the Full-disclosure security discussion list by a user with the initials "JC." The account uses the login name "factory" and a dynamically generated password that is based on the device's machine address – or MAC, according to the post.
A Ruggedcom spokesperson said the company was working on a response, but could not immediately comment on the post.
The details of the vulnerability could not be independently confirmed and RuggedCom did not immediately respond to a request for comment from Threatpost. However, the use of hard coded account credentials is common in the industrial control space, where remote, administrative access to devices that are deployed in the field has long been a priority for vendors and customers, alike.
The post's author, "JC" was not able to immediately comment on the details of his post. He was identified as is Justin W. Clarke, an independent security researcher based in San Francisco according to Digital Bond blog, a source for information on security issues in SCADA and industrial control systems.
Cybercrime is big business these days, in fact it's an industry. So it's not a surprise to find that criminals are embracing ecommerce. But I'm sure some will be surprised to discover just how professional and legitimate criminal websites can appear.
For instance, watch the following video to see footage of a website that was selling stolen credit card details.
The UK's Serious Organised Crime Agency (SOCA), working alongside the FBI and the US Department of Justice, has announced that it has seized the domain names of 36 websites used to sell stolen credit card information.
The websites use advanced e-commerce Automated Vending Cart (AVC) platforms to allow them to sell large numbers of credit card and bank details.
Visitors to the websites are now greeted by a message from the authorities:
According to a SOCA statement, two men were arrested early yesterday morning suspected of making large scale purchases of compromised data from websites such as those described above.
Two suspected Taiwanese drug smugglers have been accused of an ambitious plot to smuggle some pretty serious military technology including a US drone out of the States and into China.
Hui Sheng Shen and Huan Ling Chang, who have been in custody since February for allegedly smuggling methamphetamine into the US, will be formally charged with conspiracy to violate the Arms Export Control Act, according to an AP report.
The two were caught in an undercover FBI sting which caught them on tape claiming that their clients in the Chinese government were keen on acquiring US drones as well as stealth technology, anti-aircraft systems and even an E-2 Hawkeye early warning aircraft.
The two reportedly ignored the undercover Feds’ repeated cautioning that they would not like to profit from any kit which would harm US interests, with Shen saying, “I think that all items would hurt America.”
"The people we met, they come from Beijing. … They work for Beijing government … some kind of intelligence company for Chinese government — like C.I.A," Shen reportedly told the agents. "They are spies."
Shen also boasted that he could use scuba divers to transport parts of the kit underwater from Port Newark-Elizabeth Marine Terminal to a ship waiting offshore – a similar technique to that which he allegedly used to smuggle drugs.
Increasingly the president, who was expected to fulfill the dreams of civil libertarians by creating a more open, transparent and less-intrusive government, is instead being viewed as a nightmare.
Many of the complaints are focused on broken promises regarding the aftermath of 9/11: The president pledged to close the military prison at Guantanamo Bay, Cuba, and it remains open. He attacked the Patriot Act as a candidate, but it also remains. And according to his critics, while he slammed President Bush's tactics in the "war on terror," he has now embraced and expanded most of them, including the killing of U.S. citizens abroad who are deemed to be terrorists.
But for cyber-privacy advocates, the major concern is that they believe the Big-Brother and "thought police" nightmare of George Orwell's "1984" could be a reality by 2013, when the National Security Agency's new data center is due to open at the Utah National Guard's Camp Williams, south of Salt Lake City in Bluffdale.
Some in the infosec and privacy community say it is not so much about who is president as it is about the reach, power and inertia of the intelligence establishment. Whatever, the reason, the coming Utah Data Center is expected to give a whole new meaning to the concept of Big Data.
NSA, which already has vast powers to sift and analyze digital communications by people with the bland job description of "traffic analyst," is expanding those powers to the point where, according to James Bamford, writing last month in Wired magazine, it will be able to intercept, store and analyze, "all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails– parking receipts, travel itineraries, bookstore purchases, and other digital 'pocket litter.'"
A critical security flaw affecting Microsoft's Hotmail has been detected almost simultaneously by Vulnerability Lab researchers and a Saudi Arabia hacker and, until a temporary fix has been put in place by Microsoft on Friday last, it has been used by hackers to hijack users' Hotmail/Live account.
"The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password
and bypass in place protections (token based)," explained Vulnerability Lab's researchers.
"The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values '+++)-'. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module."
Naveen Thakur offers a description of the exploit of which he saw videos propagating online: "It involves using a Firefox addon called Tamper Data which allows the the user to intercept the outgoing HTTP request from the browser in real time and modify the data. All the attacked had to do was to select the 'I forgot my Password' and select 'Email me a reset link' and start the Tamper Data in Firefox and modify the outgoing data."
The bug was to easy to exploit, he says, and it spread like wild fire through the hacking community and forums.
A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.
Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.
But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.
"The differences are very subtle," Peter James, a spokesman for Intego, said in an interview Tuesday. "There's no password request [by Flashback.S]."
Flashback.K used different infection tactics: Even though it exploited the same Java vulnerability — identified as CVE-2012-0507 — it also displayed the standard OS X password-request dialog. If users entered their password, the malware installed itself in a different location, where it was even harder to detect.
Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices.
Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices.
One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow.
Auriemma discovered the issues accidentally. He told Threatpost via email that he was trying to play a trick on his brother. He only wanted to send a remote controller request with a funny message, but he ended up nearly destroying the TV.
To exploit Auriemma’s vulnerabilities requires only that the devices are connected to a wi-fi network.
As background, Auriemma explains that when the device receives a controller packet it displays message informing users that a new ‘remote’ has been detected, and prompts the user to ‘allow’ or ‘deny’ access. Included with this remote packet is a string field used for the name of device. Auriemma found that if he altered the name string to contain line feed and other invalid characters, the device would enter an endless loop.
Auriemma claims that nothing really happens for the first five seconds, but then he lost control of the TV, both manually on the control panel and with the remote. Then after another five seconds, he claims, the TV automaticall restarts. Then the process repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode. He writes that users can avoid the situation altogether by hitting ‘exit’ when prompted to ‘allow’ or ‘deny’ the new remote device.
Nissan confirmed its computer systems were hacked two weeks ago. The Japanese automaker said that hackers broke into its network and stole employees’ usernames and encrypted passwords. The company said it first noticed an abnormality on its network Friday, April 13, when it discovered a piece of malicious malware had targeted employees’ log-in credentials and was transmitting them back to an outside computer server. Nissan did not say which employees had been targeted, what division they worked in or what the intruders may have been after. The company tracked the intrusions back to an Internet protocol address, but said it did not give much indication of who was behind the attack.
“We do know the I.P. addresses but it really does not tell you a whole lot,” said David Reuter, a Nissan spokesman. “Hackers can bounce things off servers all over the world, so the entry I.P. address is not necessarily where the hack originates. The trail goes cold pretty quickly.”
Nissan said it waited a week to disclose the attack to customers and employees while it closed open holes in its network and cleaned up its systems with the help of outside security consultants. On Friday, Andy Palmer, a Nissan executive vice president, disclosed the attack in a statement and said there was no indication any customer, employee or intellectual property data had been stolen.
April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.
The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available.
VMware's ESX hypervisor source code leak may stem from an attack on a Chinese import-export firm last month in which an anonymous hacker claims to have made off with more than one terabyte of confidential documents.
Hardcore Charlie claims to have obtained the VMware ESX source code after breaching the corporate network of the China National Electronics Import-Export Corporation (CEIEC), a Beijing-based firm. He also broke into and stole documents from the networks of China North Industries Corporation (Norinco) WanBao Mining Ltd, Ivanho and PetroVietnam, according to the Threatpost report.
VMware could not be reached for comment.
In a security bulletin issued earlier on Tuesday, VMware warned that a single file from its ESX server hypervisor source code had been posted online and said it is possible that more proprietary files could be leaked.
The leaked ESX code is from the 2003 to 2004 period, and security experts told CRN the potential impact of the breach depends on how much VMware has changed the code base since then.
VMware said it shares source code with industry partners, but other vendors, including Cisco, have had source code leaks in the past without problems, said Charlie Winckless, senior security architect at Presidio Networked Solutions, Greenbelt, Md.
Still, a zero-day vulnerability in ESX could pose significant problems for VMware and the legions of cloud service providers whose infrastructure runs on the hypervisor. Winckless said the availability of ESX source code could give hackers a better chance to find undiscovered vulnerabilities.
"How serious this exposure is depends on the level of code audit performed," Winckless said. "There almost certainly will be some bugs and issues exposed, but it's far from certain that they are exploitable."
VMware spends a lot of effort guarding against the disaster scenario of attackers compromising multiple virtual servers on a single piece of hardware, which makes it less likely that such an attack could stem from the leaked source code, according to Winckless.
Please consider making your Amazon purchases through our affiliate link. If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side. Or simply use our QR Code Links.
Since last week, we have seen many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags.
The following image shows an example of a crafted RTF file containing a vulnerable OLE file. You can see the signature of the OLE file in D0CF11E0. …
Upon opening a crafted file with the vulnerable application, as in other document exploit files, we see an innocent file posing as bait, while in the background, the Trojan files are installed. Here are typical malware installation steps triggered by the vulnerable application, Word in this example:
1. The crafted document is opened by a Word process.
2. Exploiting the vulnerability triggers the shellcode in the OLE file.
3. The shellcode installs the Trojan(s) on the victim’s machine. Typically, the Trojan is installed in the following path:
4. The shellcode start a new process of Word and opens as bait an innocent document file embedded in the document. Typically the bait file is dropped at:
5. The shellcode terminates the Word process that opened the crafted document.
Because of steps 4 and 5, users will see Word quit and then immediately relaunch with the bait file. If you see this symptom, check with your system administrator.
DO IT YOURSELF social networking company Ning is reportedly suffering from a slight security problem that could affect 100 million users.
Ning lets people set up their own gasbag social networking channels and is used by people like the pop group Radiohead. According to a Dutch report a problem with its security could leave them wide open to account hijackers.
A Dutch web site called Web Wereld says that two students, Angelo Geels and Alex Brouwer have exploited cookies to gain login control over Ning user accounts. They used a proof of concept that showed they could access 90,000 accounts and 100 million users, but had no intention of exploiting it for malicious purposes.
They did suggest that if others were able to use it then they could take over Ning accounts. "You can build an application that automates acquisition of an identity," said Geels in the report.
The students told Ning about the exploit last month and since then the firm has worked to fix it. This is not the first time that security students have worked with Ning, and last year students reported five vulnerabilities that included the threat of credit card theft.
Researchers have come across another Trojan that fuels such campaigns. The novelty in this scenario is that the control panel that’s being utilized in the scheme has been found.
Identified by Symantec as Trojan.Ransomlock.K, the malicious element communicates with a command and control server from which it receives its orders.
The interface that allows the cybercrooks to communicate with their Trojan is called Silent Locker Control Panel and according to the experts, it is somewhat similar to other control panel used for pieces of malware such as ZeuS and SpyEye.
The Russian variant of the Silent Locker Control Panel found by experts offers a number of options. First of all, it tracks the infected computer’s location and date, information that can be used for billing.
Also based on the location, the cybercriminal can choose what picture the ransomware displays when it takes over a computer. For instance, if the victim resides in the UK, a picture of the Metropolitan Police can be used, the default image being the one shown in the screenshot.
If notifications that rely on the reputation of a law enforcement agency don’t work, the fraudsters can always turn to fake Windows Security Checks or other scams that may convince the victim that his/her device is being blocked for performing illegal activities, or even because of some phony system errors.
Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.
The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment to the program.
The Vulnerability Reward Program (VRP) will now pay $20,000 for vulnerabilities that allow remote code execution against google.com, youtube.com and other core domains, as well as what the company called "highly sensitive services" such as its search site, Google Wallet, Gmail and Google Play.
Remote code flaws found in Google's Web apps will also be rewarded $20,000.
The term "remote code execution" refers to the most serious category of vulnerabilities, those which when exploited allow an attacker to hijack a system and/or plant malware on a machine.
A $10,000 bounty will be paid for SQL injection bugs or "significant" authentication bypass or data leak vulnerabilities, Google said in the revised rules for the program.
Other bugs, including cross-site scripting (XSS) and cross-site request forgery (XSRF) flaws, will be compensated with payments between $100 and $3,133, with the amount dependent on the severity of the bug and where the vulnerability resides.
Iran has been forced to disconnect key oil facilities after suffering a malware attack on Sunday, say reports.
The computer virus is believed to have hit the internal computer systems at Iran's oil ministry and its national oil company.
Equipment on the Kharg island and at other Iranian oil plants has been disconnected from the net as a precaution.
Oil production had not been affected by the attack, said the Mehr news agency.
However, the attack is believed to have been responsible for knocking offline the websites of the Iranian oil ministry and national oil company.
The Ministry website was back in action on Monday but the oil company site has remained unreachable.
An Iranian oil ministry spokesperson was quoted as saying that data about users of the sites had been stolen as a result of the attack. Core data about Iran's oil industry remained safe because it was on computer systems that remain separate from the net, they added.
The terminal on Kharg Island handles about 90% of Iran's oil exports.