December, 2010


9
Dec 10

Apple QuickTime Patch Fixes 15 Flaws

Apple this week issued an update that plugs at least 15 security holes in its QuickTime media player.

The patch – which brings QuickTime to version 7.6.9 — quashes several critical bugs that could be exploited to install malicious software were a user to load a poisoned media file. Updates are available for both Mac and Windows versions of the program.

Windows users can grab the update from the bundled Apple Software Update application; Mac users of course can use Software Update. Both OS versions also are available through Apple Downloads.


7
Dec 10

Reintroducing Scanlab (a.k.a Scamlab)

Many sites and services require customers to present “proof” of their identity online by producing scanned copies of important documents, such as passports, utility bills, or diplomas. But these requests don’t really prove much, as there are a number of online services that will happily forge these documents quite convincingly for a small fee.

Services like scanlab.name, for example, advertise the ability to create a variety of forged documents made to look like scanned copies of things like credit cards, passports, drivers licenses, utility bills, birth/death/marriage certificates and diplomas. In fact, Scanlab boasts that it has a large database of templates — 17 gb worth from more than 120 countries — which it can draw upon to forge scanned copies of just about any document you might need.

When Scanlab site first surfaced in 2008, it was a fairly bustling place and had a decent number of clients. That is, until not long after I wrote about them in August 2008, when the site just vanished for some reason. The service reappeared this summer, but it’s tough to tell whether Scanlab 2.0 attracts much business. Maybe that’s why they’re now running Flash banner ads like the one below, which was taken from a popular underground hacker forum.

Scanlab-created Missouri drivers license.

Scanlab created this scan of a fake Missouri drivers license — shown here with the picture and made-up personal details of Wikileaks founder Julian Assange — using a photo from Google images, so the quality could certainly be better. But it’s probably enough to pass for a scan of a real ID for most online services that might ask for one as proof of identity.

Scanlab is definitely targeting a very specific type of clientele. This ad invokes the names of two of the most famous “carders,” individuals engaged in theft and sale of stolen credit cards and identity documents: Vladislav Anatolievich Horohorin, 27 — mentioned in this ad by his nickname “BadB”; and Dmitry Golubov, a carding forum administrator who later started his own political party in Ukraine.

And, like most online services that cater to carders, this one does not accept credit cards: Payments are made through WebMoney, a virtual currency popular in Eastern Europe and Russia.

Have you seen:

Body Armor for Bad Web Sites…Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called “bulletproof hosting” providers, mini-ISPs that specialize in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies.


7
Dec 10

Rap Sheets on Top Software Vendors

A new online resource aims to make it easier to gauge the relative security risk of using different types of popular software, such as Web browsers and media players.

Last month, I railed against the perennial practice of merely counting vulnerabilities in a software product as a reliable measure of its security: Understanding the comparative danger of using different software titles, I argued, requires collecting much more information about each, such as how long known flaws existed without patches. Now, vulnerability management firm Secunia says its new software fact sheets try to address that information gap, going beyond mere vulnerability counts and addressing the dearth of standardized and scheduled reporting of important security parameters for top software titles.

Secunia "fact sheet" on Adobe Reader security flaws.

“In the finance industry, for example, key performance parameters are reported yearly or quarterly to consistently provide interested parties, and the public, with relevant information for decision-making and risk assessment,” the company said.

In addition to listing the number of vulnerabilities reported and fixed by different software vendors, the fact sheets show the impact of a successful attack on the flaw; whether the security hole was patched or unpatched on the day it was disclosed; and information about the window of exploit opportunity between disclosure and the date a patch was issued.

The fact sheets allow some useful comparisons — such as between Chrome, Firefox, Internet Explorer and Opera. But I’m concerned they will mainly serve to fan the flame wars over which browser is more secure. The reality, as shown by the focus of exploit kits like Eleonore, Crimepack and SEO Sploit Pack, is that computer crooks don’t care which browser you’re using: They rely on users browsing the Web with outdated software, especially browser plugins like Java, Adobe Flash and Reader (all links lead to PDF files).


6
Dec 10

What You Should Know About History Sniffing

Researchers have discovered that dozens of Web sites are using simple Javascript tricks to snoop into visitors’ Web browsing history. While these tricks are nothing new, they are in the news again, so it’s a good time to remind readers about ways to combat this sneaky behavior.

The news is based on a study released by University of California, San Diego researchers who found that a number of sites were “sniffing” the browsing history of visitors to record where they’d been.

This reconnaissance works because browsers display links to sites you’ve visited differently than ones you haven’t: By default, visited links are purple and unvisited links are blue. History-sniffing code running on a Web page simply checks to see if your browser displays links to specific URLs as purple or blue.

These are not new discoveries, but the fact that sites are using this technique to gather information from visitors seems to have caught many by surprise: A lawyer for two California residents said they filed suit against one of the sites named in the report — YouPorn — alleging that it violated consumer-protection laws by using the method.

As has been broadly reported for months, Web analytics companies are starting to market products that directly take advantage of this hack.  Eric Peterson reported on an Israeli firm named Beencounter that openly sells a tool to Web  site developers to query whether site visitors had previously visited up to 50 specific URLs.

The Center for Democracy & Technology noted in March that another company called Tealium has been marketing a product taking advantage of this exploit for nearly two years.  “Tealium’s “Social Media” service runs daily searches of a customer’s name for news and blog postings mentioning the customers, and then runs a JavaScript application on the customer’s site to determine whether visitors had previously read any of those stories,” CDT wrote. “The service allows Tealium customers a unique insight into what sites visitors had previously read about the company that may have driven them to the company’s Web site.”

Continue reading →


3
Dec 10

Cable: No Cyber Attack in Brazilian ’09 Blackout

The Nov. 2009 blackout that plunged millions of Brazilians into darkness for up to six hours was not the result of cyber saboteurs, but instead an unusual confluence of independent factors that conspired to cause a cascading power failure, according to a classified cable from the U.S. embassy in Brazil.

The communication, one of roughly 250,000 to be published by Wikileaks.org, provides perhaps the most detailed explanation yet of what may have caused the widespread outage, which severed power to 18 of Brazil’s 27 states, cutting electricity for up to 60 million Brazilians for periods ranging from 20 minutes to six hours. The Nov. 2009 outage was notable because it came just three days after a CBS news magazine 60 Minutes report about a much more severe two-day outage in 2007 that cited unnamed sources claiming that the blackout was triggered by hackers targeting electric control systems.

Reports from Wired.com and other news publications quickly challenged that 60 Minutes segment, pointing to previous investigations that suggested a variety of factors contributed to the 2007 incident, including poorly-maintained electrical insulators. But when another outage hit Brazil three days after the CBS report, the coincidence led to more speculation about whether hackers were once again involved.

The cable relates information shared by executives and engineers from Brazil’s National Operator of the Interconnected Power System (ONS), which “further ruled out the possibility of hackers because, following some acknowledged interferences in past years, [the Government of Brazil] has closed the system to only a small group of authorized operators, separated the transmission control system from other systems, and installed filters.” From the cable:

“Coimbra confirmed that the ONS system is a CLAN network [classified local area network] using its own wires carried above the electricity wires. Oliveira pointed out that even if someone had managed to gain access to the system, a voice command is required to disrupt transmission. Coimbra said that while sabotage could have caused the outages, this type of disruption would have been deadly, and investigators would have found physical evidence, including the body of the perpetrator. He also noted that any internal attempts by system employees to disrupt the system would have been easily BRASILIA 00001383 003 OF 005 traceable, a fact known to anyone with access to the system.”

So what did cause the blackout? The cable suggests there were a range of contributing factors and some very bad timing:

Continue reading →


1
Dec 10

FBI Identifies Russian ‘Mega-D’ Spam Kingpin

Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.

According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.

Federal agents settled on Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.

As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname “Docent,” who earned nearly $467,000 in commissions over a six month period in 2007.

Atkinson told investigators that Docent’s commissions were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the e-mail address “4docent@gmail.com.” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow.

According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta based security firm, which found them to be samples of the Mega-D malware.

Update: [Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]

Continue reading →