CSC301 news and notes

Microsoft Releases Software for Hackers

jas891 — Sun, 18 Apr 2010 22:10:04 +0000

IE8 was recently released with some new filters designed to prevent cross-site scripting (XSS) attacks. These filters block XSS attacks by first searching outbound data for malicious code. Any detected code generates a regular expression to match it. This regular expression is used to scan incoming data, and detect a match to the expression. If found, the incoming data is assumed to be malicious. The malicious code is “neutered” using a process that makes a tiny change to part of the code, preventing it from operating correctly. At Black Hat Europe, experts presented a way to use this system to allow an XSS attack, showing several exploits that this filter creates. One way to exploit the system is by generating code matching a legitimate security feature of a website, and making it look malicious. The filter will then block the security feature, leaving the website wide open for an XSS attack. In this way a website that is secure from these types of attacks can be completely vulnerable. Upon notification, Microsoft released a patch to alleviate the problem.

Dark Reading

Cloud Anti-Virus

jas891 — Sun, 18 Apr 2010 21:37:53 +0000

Immunet, a cloud based anti-virus product, is taking a different approach to virus scanning. Immunet is meant to be run alongside other anti-virus programs. This is often considered to be a bad idea because of the system resources required to run two programs. However, users have reported little trouble with Immunet eating up their systems resources. Immunet is designed in part to monitor the malware being found by other anti-virus scanners. It takes that data and combines it with its own scanning engine. All of the malware detected is uploaded to the program in the cloud for use by all Immunet users. This gives the program an advantage over other anti-virus software. This allows users to get updated virus definitions as they are found, while other programs require users to periodically update the definitions. Immunet is capable of running by itself, and many users take this route. It looks like a pretty good addition or alternative to normal anti-virus programs, but the best part is that it is free.

Krebs

ISPs Want to Hide Customer Data

jas891 — Sat, 10 Apr 2010 21:04:29 +0000

Creators of malicious websites are always seeking cheaper and more anonymous ways to get their operations onto an ISP. Lower cost ISPs are used because a criminal loses only a small investment if their website is shut down. A new proposal would allow ISPs to hide the identity of users of their services. The current policy forces ISPs to make customer contact information public. The author of the proposal, Aaron Wendel, chief technical officer at Kansas City based Wholesale Internet Inc., believes this will prevent competing businesses from stealing customers. Security experts are concerned that this policy will protect malicious websites. Under this new policy, a security expert would need a court order to get the contact information from an ISP. The American Registry for Internet Numbers (ARIN) is the organization that makes the rules about publishing customer data. Paypal is opposed to this idea, saying that ARIN should make customer data more public. They believe that more accurate data about customers could also be useful to security experts.

Krebs

Networkads.net Attacks This Website

jas891 — Fri, 09 Apr 2010 21:54:40 +0000

Recently, wordpress.com blog writers have been reporting a serious issue with their site. The problem was with a redirect from users’ blogs to a malicious website. Unfortunately, I did not get to experience this issue firsthand… maybe next time. The common factor between the affected blogs was their web hosting provider, Network Solutions. A spokesperson for Network Solutions has indicated that the problem is being investigated but it seems to be related to a plugin. Undetected by most anti-virus programs, this page attempts to install a malicious ActiveX plugin to Internet Explorer.

Krebs

SpyEye Price Unbeatable

jas891 — Fri, 02 Apr 2010 13:02:07 +0000

There is a growing competition between the Zeus botnet crimekit, and the newer Spyeye crimekit. These kits offer the ability to infect large numbers of computers to create a botnet. The user is given multiple options to help them take control of these systems for identity theft, spam creation, denial of service, and really whatever they want. Spyeye even offers the ability to remove a Zeus infection so that Spyeye can replace it. It is interesting to see a piece of malware carrying code to repair computers. This of course, doesn’t help infected users as one botnet is as bad as another, but it creates an unusual scenario. One could imagine a security company creating a “good” botnet or worm to infect PCs, installing itself everywhere, cleaning out infected computers as it goes, and then eventually deleting itself. The author of Spyeye has begun an anti-Zeus ad campaign. One ad banner to this effect is available on the Krebs blog. The main selling point of Spyeye is its low cost compared to Zeus. Zeus begins at $8000 and has another $8000 to $18000 of upgrades before a criminal has the whole package. The Spyeye is quite a bargain by comparison, at $500. The only add-on that needs to be purchased for Spyeye is a Firefox injection tool that allows criminals to spoof websites on infected computers. Users enter their banking data into these forms because they have no idea that it is a spoof. Security researchers are working on the problems created by Zeus, Spyeye, and other similar products. Hopefully, there will be a solution someday.

Vietnamese Google Attack

jas891 — Fri, 02 Apr 2010 12:30:05 +0000

McAfee has retracted its claim that the recent attacks on Google were all from the same source. Initially, the Aurora attack was thought to originate in China. Now many companies are searching for the true origin of the attacks. McAfee believes that the primary Aurora attack did originate in China, but that there were several other attacks that were coincidentally simultaneous. It is thought that some of these other attacks were caused by Vietnamese hackers building a botnet. The security firm Damballa has hesitated to agree with McAfee. The VP of research at Damballa stated, ” “Based upon our analysis of the C&C’s McAfee are now associating with this Vietnamese malware, I don’t think that such a conclusion can be confirmed by Damballa.” The general idea is that the Vietnamese botnet attacks have a similair Command and Control (C&C) structure to the Aurora attack. This could be coincidence, but it is not certain and Damballa is being cautious in its statements. McAfee has claimed that its earlier mistake was due to the “fog of war” present when investigating these attacks. But more than that, it was due to McAfee’s eagerness to publish its findings. “Initially we were dealing with a number of machines and our goal then was to identify infections in those companies, and we thought it was beneficial to publish as much information out there as possible on those machines,” says Dmitrie Alperovitch, vice president of threat research at McAfee.

Dark Reading

FAA Tests New Security System

jas891 — Thu, 01 Apr 2010 17:31:55 +0000

The Federal Aviation Administration (FAA) will be using IBM’s new InfoSphere Streams system to analyze the huge volume of data that runs through its servers each day. Daily, the FAA takes in a huge volume of security data, making analysis difficult. The InfoSphere Streams will allow the FAA to manage this data as it comes into its servers. This approach should help with early detection of hackers trying to access FAA systems. Currently the FAA is testing the system in a lab to see if it can handle the stresses imposed by the large amount of data it expects to put through the system in practice.

Dark Reading

Anti-Virus Program Causes System Failures

jas891 — Tue, 23 Mar 2010 19:26:17 +0000

BitDefender, a Romanian anti-virus company, has apologized to users for a recent update. The update caused severe system trouble for 64-bit Microsoft users when it decided that many .exe and .dll files were a part of Trojan.FakeAlert.5 . These files were in fact legitimate windows files that are necesary to run many programs, including BitDefender itself. BitDefender has claimed that the update was launched prematurely, implying that it was launched by accident. They are in a difficult position as far as publicity goes, because they must either claim that they accidentally launched a bad update, or that they accidentally launched an update before they meant to. BitDefender has created a patch to repair the problem, and they are committed to work around the clock to help users bring their systems back to normal.

Google Stops Chinese Censorship

jas891 — Tue, 23 Mar 2010 18:59:18 +0000

Google announced on Monday that it has ended its censorship in China. The Chinese government has expressed that self-censorship is a legal requirement for searches in China. Google has decided to redirect Chinese mainland users to its Hong Kong search service allowing access to uncensored searches in simple Chinese. Censorship could still be achieved as the Chinese government is capable of blocking this access. To keep users aware of the access situation in China Google has created a website that will report Chinese access news updates. As of this post Web, Images, News, Ads, and Gmail are accessible to Chinese citizens. However some items are blocked, like YouTube, and others are partially blocked, like Google Docs.

CSC301 news and notes

Microsoft Releases Software for Hackers

Cloud Anti-Virus

ISPs Want to Hide Customer Data

Networkads.net Attacks This Website

SpyEye Price Unbeatable

Vietnamese Google Attack

FAA Tests New Security System

Anti-Virus Program Causes System Failures

Top Google Searches Under Attack

Google Stops Chinese Censorship