DDOS Attacks Take the Day Off During Holidays, Study Shows

admin    Hacking, IT News, Security    

Distributed denial-of-service (DDOS) attacks have become a major problem in the past period, but according to a new study presented at the Virus Bulletin 2012 conference, the malicious operations plummet during major holidays.

For instance, CloudFlare researchers noticed a considerable drop in the number of DOS attacks on Earth Day (April 22), Memorial Day weekend (May 29), around the time of the Chinese New Year (January 30), after St. Patrick’s Day (March 20) and before the US Independence Day (June 28).

It’s not easy to demonstrate that there’s a clear connection between the holidays and the fact that DDOS attacks dropped, but it doesn’t seem to be a simple coincidence.

However, if the theory is valid, it means that shutting down a computer is good not only for the environment, but also for the health of the Internet.

“My suspicion is that the Earth Day effect could be real: home botnet computers were turned off and botnet-based attacks declined,” Sophos Senior Technology Consultant Graham Cluley explained.

“If everyone turned off their computers each night, it might not just be good for the environment because of the lower levels of energy being consumed.. it could also mean a reduction in botnet attacks.”

CloudFlare experts have presented other DDOS-related findings during their presentation at Virus Bulletin. They claim that many of the attacks are easy to mitigate because they come from what are called “Martian IP addresses.”

These IP packets appear when IP addresses are spoofed in DOS attacks. They’re IPs such as 192.168.0.0/16, 127.0.0.0/8, or 10.0.0.0/8, which are valid in local area networks, but not on public Internet. This makes them very easy to filter.

Last week, the company’s representatives published an interesting advisory about 65Gbps attacks and how they could be mitigated.

[softpedia]

Profit Motive Powers Boost in Dangerous SQL Injection Website Hack Attacks

admin    Hacking, IT News, Security    

Forget script kiddies hacking into websites just to deface them with flashing “H@X0rs rulez” messages. Todays attacks are all about the very adult business of stealing and intercepting data to generate profit.

New evidence for this trend shows in a sharp rise of SQL injection attacks measured by web hosting company FireHost, which reports that between the first and second quarter of 2012, the number of SQL injection attacks against FireHost’s clients rose 69%.

Attacks Follow the Money

SQL injection attacks use false SQL database commands entered into a site’s Web interface to obtain data not normally available for public consumption – like passwords, personal information, and the holy of holies for hackers: credit card data. They are rapidly becoming the weapon of choice for attackers, FireHost Security Operations Center Manager Greg Tatum said, because that’s where the money is.

“We’re seeing a huge climb in the number of SQL injection attacks from the last quarter and over the past six months,” Tatum explained. “These attacks are monetary-based rather than fame-based.”

SQL injection attacks at FireHost rose from 277,770 in the first quarter to 469,983 in the second quarter of the year. That still ranks SQL injection-type attacks as only the third most popular type of attacks hitting FireHost and its clients, trailing directory traversal and cross-site scripting attacks.

Directory (or path) traversal attacks try to trick a website into providing access to files on the Web server that would otherwise be restricted. Like SQL injection attacks, they work by attacking the Web application itself, but they are also much easier to execute – which explains their top position on FireHost’s list. Once access to a Web server’s restricted files is obtained, intruders can have the run of the website, and can make it do nearly anything they want.

Cross-site scripting is almost as feared as SQL injection attacks, but instead of working on mining data from a website, these attacks flip the vector around and go after individual users. Cross-site scripts embed script tags in URLs and when unsuspecting users to click on those compromised links, malicious Javascript code can be executed on the victim’s machine.

Big Damage When Successful

Even though SQL injections are not as common, they grab bigger headlines because when they’re successful, they can cause a lot of user pain at once.

The 450,000 Yahoo Voices accounts’ password breach on July 11 reportedly used a union-based SQL injection, for instance.

Unless evidence of the attack surfaces after the fact (little clues can help, such as nearly a half-million account passwords suddenly showing up on a hacker community forum), SQL injections are usually very hard to detect, which is the way profit-motivated hackers like it.

Tatum believes that SQL injection attacks will soon become even more common. “As more e-commerce and health care sites come online, these attacks will be more prevalent,” he predicted.

Defacing websites will always remain popular among a certain set of hackers. But the days of the loud and obnoxious attacks being the worst we have to worry about are coming to a close. Now it’s the silent but deadly attacks that Web administrators need to fear the most.

[RWW]

LinkedIn Confirms Hack And Leak Of “Some” User Passwords

admin    Hacking, IT News, Security    

Shortly after it was reported that nearly 6.5 million LinkedIn account passwords were leaked onto the net, LinkedIn leapt into action and mounted their own investigation.

Though most of the morning was spent claiming that they could not confirm a security breach, a new announcement on their blog reveals that at least some of those leaked passwords correspond to LinkedIn accounts.

There are still plenty of unanswered questions here though. The company has yet to offer their official word yet on just how many users were impacted, how the accounts were compromised, or whether or not the email addresses that correspond with those passwords were also leaked. LinkedIn’s Vicente Silveira was quick to note that the investigation is far from over though, and with any luck they’ll soon discover and disclose those details very soon.

In the meantime, the company notes that users who have already changed their passwords (you already did, right?) or created a new account won’t have to worry, as they have recently begun hashing and salting their current password databases.

In case you’re curious about the sorts of passwords that appear in the sizable password hash dump, the team at FictiveKin have launched a tool called LeakedIn that takes a text input, hashes it with the SHA-1 algorithm, and checks it against the leaked file. So far, the usual suspects like “linkedin” and “password” are among those that have been leaked, though with passwords that weak it’s no surprise they were among the first to be cracked.

[techcrunch]

Hack in the Box 2012 Amsterdam Video Overview

admin    Hacking, IT News, Security    

We’re in Amsterdam attending the 2012 edition of the Hack in the Box security conference. It’s a great atmosphere down here so we decided to make a video overview of the event to show everyone what’s happening at the Okura hotel.

The day started with Andy Ellis, Akamai’s Chief Security Officer, who held a speech on “Getting ahead of the security poverty line.” He is a great speaker and he has provided some wonderful examples of what companies should and should not do to keep their infrastructure and assets secure.

Ivo Pooters, a senior digital forensics investigator at Fox-IT, had a great presentation on “Turning Android inside out.” It was based on a scenario in which they analyzed a couple of phones involved in a murder. One of them was owned by the victim, “the dead guy,” and the other one by the criminal, “swiftlogic dude.”

There were a lot of other great speakers, including Sebastien Renaud and Kevin Szkudlapski, Itzhak ‘zuk’ Avraham and Nir Goldshlager, Claudio Guarnieri, Didier Stevens, Juan Pablo Echtegoyen, Arnauld Mascret, Gal Diskin, Jurriaan Bremer, and Marinus Kuivenhoven.

The closing keynote was held by Rop Gonggrijp, the well known hacker and activist who’s on a mission to convince information security experts to help people stay secure.

We’ve also had a few interviews today. We’ve had the honor of talking to Adam Gowdiak, the founder and CEO of Security Explorations, Roberto Suggi Liverani, principal security consultant at Security-Assesments.com, and Georgia Weidman, founder of Bulb Security LLC.

As many of you may know, this edition of HITB Amsterdam features a world premiere. For the first time ever, the members of the Chronic Dev Team and the iPhone Dev Team got together to present their work.

We’ve had the chance to speak to three of them: Joshua Hill, aka @p0sixninja, Cyril, aka @pod2g, and Nikias Bassen, or @pimskeks. You’ll have a opportunity to see the complete interview in a few days from now, but in the meantime we’ll try to provide you with the highlights of our discussions.

For tomorrow, the Apple jailbreak Dream Team has a big surprise planned, so stay tuned.

Another thing worth mentioning, which you can see in the video bellow, is that Google has sent its recruiters in search for fresh talent. Considering that there are a lot of great minds present at the event, we wouldn’t be surprised if they’ve found what they are looking for.

In the meantime, check out the video overview of HITB 2012 Amsterdam and the speaker presentations:

[softpedia]

Global Payments: Hackers Exported 1.5 Million Visa and MasterCard

admin    Hacker, Hacking, IT News, Security    

As many as 1.5 million Visa and MasterCard accounts may have been compromised by the recent Global Payments security breach, the payment processor announced this evening.

Credit card numbers may have been exported, but no customer names, addresses, or Social Security numbers were accessed, the company said in a statement. The company believes the breach, which was revealed Friday, was confined to North America.

The nature of the breach, which was originally pegged at 50,000 accounts, has not been revealed. The company also did not say whether it knew of any fraudulent charges resulting from the breach on Global Payments, which processes payments from credit, debit, and gift cards between merchants and banks.

The company said it believes the incident has been contained and it is working with third parties to investigate the incident and minimize impact on customers, although it did not describe those efforts.

“We are making rapid progress toward bringing this issue to a close,” CEO Paul Garcia said in the statement.

MasterCard and Visa have already sent out notices to their customers who may have been affected, informing them of the possible risk.

As a result of the breach, Visa removed Global Payments from its list of approved service providers. Visa told The Wall Street Journal (subscription required) that the move was in response to “Global Payments’ reported unauthorized access.” Visa said it has invited Global Payments to re-apply for validation by submitting evidence that its security is in compliance with Visa’s standards.

Global Payments is scheduled to hold a conference call at 5 a.m. PT Monday to provide further information on the incident. Check back with CNET for full coverage.

Chrome cracked in hacking contest

admin    Google, Hacking, IT News, Security    

Just ten days after pledging $1 million to hackers able to exploit Chrome, Google’s been forced to put its hand in its pocket.

Last month, it announced that it was launching its own security competition, to run alongside the Pwn2Own contest at the CanSecWest conference.

And now, Russian student Sergey Glazunov has netted himself $60,000 by discovering a new exploit that allowed him to break out of Chrome’s ‘sandbox’ – thus allowing him to take control of a Windows 7 system.

“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a ‘Full Chrome’ exploit, qualifying for a $60k reward,” says senior vice president in charge of Chrome and Google Apps Sundar Pichai on a company blog.

“We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”

Meanwhile, at the Pwn2Own event, Chrome was hacked for a second time – indeed, the researchers, from security firm Vupen, managed it in the first five minutes. They say they have new exploits for Internet Explorer, Safari, and Firefox, too.

Since launching its new bug reward program last November, Google’s paid out over $410,000 in bounties. And while the latest exploits strip Chrome of its reputation for being ‘unhackable’, the company says it’s pleased by the result.

“Google has gotten better and stronger as a result of this work. We get more bug reports, which means we get more bug fixes, which means a safer experience for our users,” says technical program manager Adam Mein.

Anonymous Denies Targeting Facebook on January 28

admin    Hacker, Hacking, IT News, Security    

A video statement allegedly released by Anonymous on January 23 calls supporters to the continuation of Operation Blackout, appointing the next target as being the popular social media website Facebook. However, official Anonymous channels deny the claims, questioning the clip’s legitimacy.

The video looks legitimate at first sight, but the voice and the music theme slightly differs from what the hacktivists accustomed us to.

Supporters are urged to download the popular DDOSing tools HOIC and LOIC and prepare for an attack against Facebook on January 28 in protest for SOPA, PIPA, but also the controversial agreement called the Anti-Counterfeiting Trade Agreement (ACTA).

“While it is true that Facebook has at least 60,000 servers, it is still possible to bring it down. Anonymous needs the help of the people, the people who want to take a stand against the government, the people who want to make a difference,” says the digitized voice.

Shortly after the video had been released, social media websites started buzzing, many users wondering whether the message was legitimate.

“FaceBook, YouTube, Twitter, and Tumblr are not going to be DDoSed. Why would we kill our way to communicate?” came the answer from YourAnonNews.

This is not the first confusing announcement made by Anonymous supporters. Reports came in about a website that allegedly offered Megaupload-like services, requesting donations from users.

The trusted communication channels used by the hacktivists quickly came to deny their support for Anonyupload.

On the other hand, since Anonymous is a loose-knit group, anyone hacking for “the right reasons” can adopt the name and start campaigns and operations.

It’s very likely that after seeing the major success recorded by OpMegaupload, some of the participants in the operation decided to use the same tactic against Facebook.

However, as many hackers have learned, taking down Facebook isn’t something you can do with a DDoS attack.

MegaUpload Ditutup, Anonymous Menyerang Beberapa Website, Termasuk Situs FBI

admin    Deface, Hacking, IT News, Security    

Anonymous nyaris tidak beraksi beberapa minggu terakhir, namun ketika pemerintah Amerika Serikat tiba-tiba menutup situs file-sharing MegaUpload, mereka meluncurkan beberapa serangan ke situs Departemen Kehakiman Amerika Serikat, membuat website itu tidak dapat digunakan.

Tidak hanya situs DepKeh, situs Universal music, RIAA, MPAA, Copyright.gov, USDOJ.gov.com, BMI.com dan bahkan situs FBI.gov, namun tidak lama kemudian situs FBI normal kembali. CNN melaporkan, sumber di dalam Anonymous sendiri mengklaim lebih dari 27 ribu orang terlibat untuk serangan ini.

[teknoup]

NOD32 and Kaspersky Websites Hacked

admin    Hacking, IT News, Security    

Again we are presented with a situation that shows how even companies that should keep us protected are vulnerable to the attacks launched by cybercriminals. This time, NOD32’s website in Ukraine and Kaspersky’s Costa Rican site were defaced.

Kaspersky was hacked by Algerian hackers Over-X, indoushka and Saousha and according to Cyberwarnews, this is not the first time they fail to properly secure their site. The attackers don’t state their reasons for taking down the page, but it’s most likely one of the situations where they want to show how weak its security is.

At the time of writing, Kaspersky’s website (kaspersky.co.cr) is still down, proudly displaying the image placed by the hackers.

On the other hand, NOD32 in Ukraine (nod32.in.ua) acted quickly on restoring their services after being attacked by hackers known as KhantastiC haX0r and Shadow008.

“HellO NoD32. Where is Security ?! Are U Hacked ? Yesh ! U have been Hacked Once Again !!! Everyday Someone Get Hacked Today is your Day. Impossible only means it has not been done…” state the hackers on the defaced page.

The ones responsible for taking down the NOD32 site kept themselves busy over the past few days, making a lot of victims, mostly from India and Bangladesh.

The Zone-H mirrors of their hacks reveal that most of the sites were hosted on government domains, which seem to be the favorite targets of this duo.

A few months back we saw Panda’s website in Pakistan being injected with some arbitrary code, and two days ago we saw how Team Elite proved an attack on the Polish website of ArcaBit, the developers of ArcaVit antivirus.

You can probably imagine that for hackers it’s a great accomplishment to breach the websites of those who are actually in the security business and unfortunately, in some cases it takes more than one cybercriminal operation to get them to patch up all the holes.

[softpedia]

China may have hacked US satellites

admin    Hacking, IT News, Security