Hacking Without Exploits

July 29, 2008 – 2:05 PM

Cybercriminals increasingly are employing no-tech or low-tech techniques for making big money online — no exploits or sophisticated hacker tools required.

The techniques themselves aren’t new — some have been around for nearly a decade. But the Web model has made these schemes that capitalize on so-called business logic flaws more lucrative than ever, according to Jeremiah Grossman, one of the researchers who will pull back the covers on these insidious and often transparent methods of attack at Black Hat USA next week in Las Vegas.

Grossman, CTO and founder of WhiteHat Security, says these increasingly popular methods take advantage of weaknesses in online applications or business processes, and could eventually usurp the ubiquitous SQL injection and cross-site scripting (XSS) vulnerabilities as the biggest threats to the Web. “We find these in Websites all the time,” he says. And all it takes to exploit them is a browser, he says.

“In the last five years, cross-site scripting and SQL injection have been the imminent threat,” he says. “But the bad guys are increasingly looking to monetize [the Web], so we’ll see more of these business logic flaws [being exploited] in the next two years. They are way more difficult to detect.”

Intrusion detection systems (IDS) can’t detect them, nor can Web application firewalls block them, he says, so there’s really no way to know for sure just how prevalent these attacks are today. But Grossman and fellow presenter Trey Ford, director of solutions architecture for WhiteHat, will show some real-world attacks, including some data from WhiteHat’s own clients. “What we do know is that large dollar sums are being lost already,” Grossman says. Some bad guys are making up to seven figures a month using these methods of attack, he says.

Among the more popular venues for these attacks are online auctions and affiliate marketing networks, which help sites attract more traffic by sharing a percentage of the sales they drive to one another. These affiliate models can be easily abused to help pad hit numbers as well as to generate commissions, sometimes without even making a sale, according to Grossman.

Source:
http://www.darkreading.com/document.asp?doc_id=160306

Security researcher publishes exploit toolkit

July 29, 2008 – 9:40 AM

An Argentinian security researcher has published a security exploit toolkit targeting the update mechanisms of Java, Mac OS X, OpenOffice.org and other software, and relying on man-in-the-middle techniques such as those made possible by the recently disclosed DNS security hole.

The toolkit, ISR-Evilgrade 1.0, was released by Francisco Amato, a researcher with Infobyte Security Research. The initial version includes modules targeting Java, WinZip, WinAmp, Mac OS X, OpenOffice.org, iTunes, LinkedIn Toolbar, the download accelerator DAP, Notepad++ and Speedbit. Amato says in the toolkit’s Readme file that each module supplied with the toolkit implements structures emulating a false update of a specific application or operating system.

He has released a demonstration video in which the toolkit uses a DNS exploit, recently released by H.D. Moore of the Metasploit Project, to target the Java update mechanism and execute attack code on a fully patched Windows system. Amato notes: “The framework is multi-platform, it only depends on having the right payload for the target platform to be exploited.” He says attack vectors include internal DNS access, ARP spoofing, DNS cache poisoning and DHCP spoofing. He has also released a set of slides detailing the system.

Last week several exploits were released that take advantage of the DNS security problems first revealed by Dan Kaminsky. One of the exploits can not only manipulate the resource records for a particular address but can also immediately replace the complete entry for the nameserver responsible for a particular domain. This gives attackers the opportunity to redirect not only a particular address, such as www.example.com, to their server, but all of the systems residing in the example.com domain. Both attacks rely on a birthday-style attack against the 16-bit DNS transaction ID, firing large numbers of forged replies with different IDs, and on inserting additional records into those replies. According to the comments in the exploits, the code was successfully tested against BIND 9.4.1 and 9.4.2. Behind the exploits is Metasploit framework author H.D. Moore, who told US media that the tool needed one to two minutes to poison a cache. Kaminsky, who discovered the hole, thinks this can be done in a matter of seconds.
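The two exploits above both depend on the resolver accepting a forged reply whose transaction ID matches its outstanding query, and on the extra records in that reply lying inside the zone the query was for. The following Python is an added example, not code from the article, from Evilgrade or from the Metasploit modules: it builds such a reply in DNS wire format, parses it back the way a resolver would, applies the bailiwick rule to the authority and additional records, and estimates how many queries an attacker must race with a fixed versus a randomised source port. The zone, nameserver name, attacker address and the 0-bit and 16-bit port-entropy figures are constructed assumptions.

```python
"""Wire-format model of the Kaminsky-style poisoning the article describes.
Added example, not code from the article, Evilgrade or Metasploit: the attacker
answers a query for a random name under the victim zone and attaches an NS
record for the whole zone plus an A (glue) record for that nameserver, both
pointing at the attacker.  All names and addresses are constructed."""
import struct

TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    """Dotted name -> DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following 0xC0 compression pointers as a real
    resolver must; returns (name, offset just past the name in the packet)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:
            end = end if jumped else offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def rr(name, rtype, rdata, ttl=86400):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_forged_reply(txid, qname, zone, ns_name, attacker_ip):
    """Header flags QR|AA|RD|RA, one question, one answer, one authority NS
    record for the zone, one additional A (glue) record for the nameserver."""
    glue = bytes(int(o) for o in attacker_ip.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 1, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return (header + question + rr(qname, TYPE_A, glue)
            + rr(zone, TYPE_NS, encode_name(ns_name)) + rr(ns_name, TYPE_A, glue))


def parse_reply(data):
    """Return (txid, [(section, name, type, value), ...]) for a response."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4  # QTYPE, QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = decode_name(data, offset)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            if rtype == TYPE_A:
                value = ".".join(str(b) for b in data[offset:offset + 4])
            elif rtype == TYPE_NS:
                value, _ = decode_name(data, offset)
            else:
                value = data[offset:offset + rdlen].hex()
            offset += rdlen
            records.append((section, name, rtype, value))
    return txid, records


def in_bailiwick(record_name, zone):
    """Bailiwick rule: authority/additional data is cached only for names at
    or below the queried zone.  The forged NS and glue above pass it, which is
    why the exploit can take over the whole zone, not just one name."""
    rn, z = record_name.rstrip(".").lower(), zone.rstrip(".").lower()
    return rn == z or rn.endswith("." + z)


def expected_races(forged_replies_per_query, port_entropy_bits):
    """Expected number of queries the attacker must race before one forged reply
    matches the 16-bit transaction ID and, with port_entropy_bits > 0, the
    randomised source port.  Ignores losing the race to the genuine reply, so
    it is a lower bound; 0 models a fixed source port (an assumption)."""
    space = 2 ** (16 + port_entropy_bits)
    return space / min(forged_replies_per_query, space)


if __name__ == "__main__":
    pkt = build_forged_reply(0x1234, "x9f2a.example.com", "example.com",
                             "ns1.example.com", "203.0.113.5")
    txid, records = parse_reply(pkt)
    for section, name, rtype, value in records:
        print(section, name, rtype, value, in_bailiwick(name, "example.com"))
    print("races, fixed port:", expected_races(100, 0),
          "random port:", expected_races(100, 16))
```

The forged NS and glue records sit under example.com, so the bailiwick check admits them; that is why the fix had to raise the cost of guessing the transaction ID (source port randomisation) rather than filter records more strictly. With a hundred forged replies per race, the estimate moves from a few hundred queries against a fixed port to tens of millions against 16 bits of port entropy.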

Source:
http://www.heise-online.co.uk/news/Security-researcher-publishes-exploit-toolkit–/111203

Security update for AVG virus scanner

July 29, 2008 – 7:45 AM

AVG Technologies’ virus scanner contains a DoS vulnerability that allows attackers to crash the scanner. The crash is caused by division by zero when processing UPX-packed files. The vendor has released update 8.0.156, which fixes the problem.

Also in this version, the Search-Shield components do not scan web sites for malicious content until the user clicks on the link on the search page. Previously, the link scanner pre-scanned all of the sites found by a Google search, for instance – the entire list shown on a search results page. This change is in response to massive criticism by network administrators that the link scanner would use too much bandwidth for its website analysis.

Source:
http://www.heise-online.co.uk/news/Security-update-for-AVG-virus-scanner–/111201

Online Banking: Widespread Security Flaws Revealed

July 29, 2008 – 6:26 AM

Online bankers, beware. More than 75 percent of bank Web sites surveyed by a research team had at least one design flaw that could make customers vulnerable to cyber thieves.

University of Michigan computer scientist Atul Prakash and his graduate students Laura Falk and Kevin Borders examined the Web sites of 214 financial institutions in 2006 and found design flaws that, unlike bugs, cannot be fixed with a patch.

The security holes stem from the flow and the layout of these Web sites, according to their study. The flaws include placing log-in boxes and contact information on insecure Web pages as well as failing to keep users on the site they initially visited. Prakash said some banks may have taken steps to resolve these problems since this data was gathered, but overall he still sees much need for improvement.

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” Prakash said. “Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”
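Two of the flaws in the study can be checked mechanically against a page's HTML: a password form delivered over plain HTTP, and a form whose action sends the credentials to a different domain from the one the customer visited. The following Python is an added example, not code from the study or from the article; the bank and vendor hostnames and the two HTML pages are constructed, and registrable() is a deliberate simplification (last two labels, no public-suffix list) rather than a rule taken from the study.

```python
"""Static check for two design flaws from the Michigan banking study: a login
form served over plain HTTP, and a login form that posts the credentials to a
different domain than the one the customer visited.

Added example, not code from the study or the article.  The HTML pages and
hostnames below are constructed; registrable() is an assumed simplification
that treats the last two labels as the organisation's domain."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form>, its action, and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def registrable(hostname):
    """Assumed simplification: the last two labels identify the organisation."""
    labels = (hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def audit_login_page(page_url, html):
    """Return a list of findings for the password forms on page_url."""
    page = urlsplit(page_url)
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # Flaw 1: the page carrying the login box is itself unencrypted and
        # unauthenticated, so a network attacker can rewrite the form before
        # the customer sees it, whatever the form's action says.
        if page.scheme != "https":
            findings.append("login form served over %s" % page.scheme)
        target = urlsplit(urljoin(page_url, form["action"] or page_url))
        if target.scheme != "https":
            findings.append("credentials posted over %s to %s" % (target.scheme, target.netloc))
        # Flaw 2: the customer is sent to a domain they did not type in, which
        # trains them to accept exactly what a phishing page asks of them.
        if registrable(target.hostname) != registrable(page.hostname):
            findings.append("credentials posted to another domain: %s" % target.hostname)
    return findings


# Constructed sample pages (not real bank sites).
INSECURE_PAGE = """<html><body>
<form action="https://secure.hosting-vendor.example/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

SECURE_PAGE = """<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    for url, html in (("http://www.bank.example/", INSECURE_PAGE),
                      ("https://www.bank.example/login", SECURE_PAGE)):
        print(url, audit_login_page(url, html) or ["no findings"])
```

The first sample page illustrates the point the study makes: the form's action is HTTPS, so the credentials are encrypted in transit, yet the page that holds the form arrived over HTTP and the submission goes to a hosting vendor's domain, so a careful customer has no way to tell a legitimate login from a rewritten one.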

Source:
http://www.livescience.com/technology/080723-online-banking.html

Blogspot.com is number one host for malware

July 29, 2008 – 6:08 AM

New research by IT security and control firm Sophos has identified Blogger (www.blogspot.com) as the leading host for malware. The popular blogging service now accounts for 2 percent of all of the world’s malware hosted on the web.

Attacks on Blogger involve hackers either setting up malicious blogs on the service, or introducing dangerous content into innocent blogs in the form of comments.

The Sophos Security Threat Report, examining cybercrime in the first six months of 2008, noticed a drastic increase in threats spread through the web. It is estimated that the total number of unique malware samples in existence now exceeds 11 million.

Research by Sophos showed websites being infected at three times the rate seen in 2007. Over 90 percent of the webpages found spreading Trojan horses and spyware were on legitimate websites belonging to reputable companies, the Sony PlayStation site among them.

Source:
http://www.itp.net/news/526033-blogspotcom-is-number-one-host-for-malware